From f8b8c36b2a92bfee435747ab5a0283924be76281 Mon Sep 17 00:00:00 2001
From: Chocobozzz
Date: Tue, 23 Jan 2018 09:15:36 +0100
Subject: Destroy user token when changing its role
---
server/middlewares/validators/users.ts | 7 +++++++
1 file changed, 7 insertions(+)
(limited to 'server/middlewares/validators')
diff --git a/server/middlewares/validators/users.ts b/server/middlewares/validators/users.ts
index d22a745b4..990311d6f 100644
--- a/server/middlewares/validators/users.ts
+++ b/server/middlewares/validators/users.ts
@@ -77,6 +77,13 @@ const usersUpdateValidator = [
 if (areValidationErrors(req, res)) return
 if (!await checkUserIdExist(req.params.id, res)) return
 
+ const user = res.locals.user
+ if (user.username === 'root' && req.body.role !== undefined && user.role !== req.body.role) {
+ return res.status(400)
+ .send({ error: 'Cannot change root role.' })
+ .end()
+ }
+
 return next()
 }
 ]
--
cgit v1.2.3
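Review bot: `res.locals.user` in the added guard is read without anything in the hunk showing whose record it is; the check only protects root if `checkUserIdExist` stored the account addressed by `req.params.id` there, and not the authenticated caller. Naming it for what it is would make that dependency visible, e.g. `const userToUpdate = res.locals.user // target account loaded by checkUserIdExist`. The guard also identifies root by the literal username `'root'`, so it holds only as long as that username cannot be changed or reassigned, which is presumably enforced elsewhere and worth stating in a comment. `.end()` after `.send()` is redundant, since Express's `send` already finishes the response. The validator's body starts above the hunk, so how `req.body.role` is validated and typed before this comparison is not visible here.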