From b4bc184cb3749a3faa5a00d5a1240faacd4b1035 Mon Sep 17 00:00:00 2001
From: Philipinho <16838612+Philipinho@users.noreply.github.com>
Date: Mon, 22 Jul 2024 16:16:33 +0100
Subject: [PATCH] prevent admin role from managing owner role (backend)

---
 .../core/workspace/services/workspace.service.ts | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/apps/server/src/core/workspace/services/workspace.service.ts b/apps/server/src/core/workspace/services/workspace.service.ts
index 8d243ea6..e81ba47b 100644
--- a/apps/server/src/core/workspace/services/workspace.service.ts
+++ b/apps/server/src/core/workspace/services/workspace.service.ts
@@ -1,5 +1,6 @@
 import {
   BadRequestException,
+  ForbiddenException,
   Injectable,
   NotFoundException,
 } from '@nestjs/common';
@@ -217,11 +218,21 @@ export class WorkspaceService {
   ) {
     const user = await this.userRepo.findById(userRoleDto.userId, workspaceId);
 
+    const newRole = userRoleDto.role.toLowerCase();
+
     if (!user) {
       throw new BadRequestException('Workspace member not found');
     }
 
-    if (user.role === userRoleDto.role) {
+    // prevent ADMIN from managing OWNER role
+    if (
+      (authUser.role === UserRole.ADMIN && newRole === UserRole.OWNER) ||
+      (authUser.role === UserRole.ADMIN && user.role === UserRole.OWNER)
+    ) {
+      throw new ForbiddenException();
+    }
+
+    if (user.role === newRole) {
       return user;
     }
 
@@ -238,7 +249,7 @@ export class WorkspaceService {
 
     await this.userRepo.updateUser(
       {
-        role: userRoleDto.role,
+        role: newRole,
       },
       user.id,
       workspaceId,
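Review bot: The new guard in the second hunk only refuses callers whose role is exactly `UserRole.ADMIN`, so it is a denylist: any other non-owner role that reaches this method, today or after a new role is added, could still grant or remove the OWNER role. Requiring the caller to be an owner for any owner-related change covers both branches with one condition and fails closed: `if (authUser.role !== UserRole.OWNER && (newRole === UserRole.OWNER || user.role === UserRole.OWNER)) { throw new ForbiddenException(); }`. Note also that `userRoleDto.role.toLowerCase()` runs before the `!user` check and is then compared against enum members, which only holds if the DTO guarantees a string and the `UserRole` values are lowercase — neither is visible in this hunk, so worth confirming against the DTO validator. The enclosing method's signature, including the `authUser` parameter, begins outside the hunk.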