prevent admin role from managing owner role (backend)

2025-03-28 21:13:28 +00:00 · 2024-07-22 16:16:33 +01:00 · 2024-07-22 16:16:33 +01:00 · b4bc184cb3
commit b4bc184cb3
parent 109dbdbe02
1 changed files with 13 additions and 2 deletions
--- a/apps/server/src/core/workspace/services/workspace.service.ts
+++ b/apps/server/src/core/workspace/services/workspace.service.ts
@ -1,5 +1,6 @@
 import {
  BadRequestException,
+  ForbiddenException,
  Injectable,
  NotFoundException,
 } from '@nestjs/common';
@ -217,11 +218,21 @@ export class WorkspaceService {
  ) {
    const user = await this.userRepo.findById(userRoleDto.userId, workspaceId);

+    const newRole = userRoleDto.role.toLowerCase();
+
    if (!user) {
      throw new BadRequestException('Workspace member not found');
    }

-    if (user.role === userRoleDto.role) {
+    // prevent ADMIN from managing OWNER role
+    if (
+      (authUser.role === UserRole.ADMIN && newRole === UserRole.OWNER) ||
+      (authUser.role === UserRole.ADMIN && user.role === UserRole.OWNER)
+    ) {
+      throw new ForbiddenException();
+    }
+
+    if (user.role === newRole) {
      return user;
    }

@ -238,7 +249,7 @@ export class WorkspaceService {

    await this.userRepo.updateUser(
      {
-        role: userRoleDto.role,
+        role: newRole,
      },
      user.id,
      workspaceId,