Merge pull request #3775 from felixrieseberg/iss3765

Ensure Owner's role isn't downgraded
2025-03-11 02:12:21 -05:00 · 2014-08-16 17:07:41 +01:00 · 2014-08-16 17:07:41 +01:00 · 9b7be32c0c
commit 9b7be32c0c
parent 7f4231c83d 47ba9a7385
2 changed files with 28 additions and 2 deletions
--- a/core/server/api/users.js
+++ b/core/server/api/users.js
@ -162,8 +162,14 @@ users = {
                                parseInt(options.id, 10) === parseInt(options.context.user, 10)) {
                            return when.reject(new errors.NoPermissionError('You cannot change your own role.'));
                        } else if (roleId !== contextRoleId) {
-                            return canThis(options.context).assign.role(role).then(function () {
+                            return dataProvider.User.findOne({role: 'Owner'}).then(function (result) {
-                                return editOperation();
+                                if (parseInt(result.id, 10) !== parseInt(options.id, 10)) {
                                    return canThis(options.context).assign.role(role).then(function () {
                                        return editOperation();
                                    });
                                } else {
                                    return when.reject(new errors.NoPermissionError('There has to be one owner.'));
                                }
                            });
                        }
--- a/core/test/integration/api/api_users_spec.js
+++ b/core/test/integration/api/api_users_spec.js
@ -852,6 +852,26 @@ describe('Users API', function () {
                        }).catch(done);
                });
            });
            it('CANNOT downgrade owner', function (done) {
                var options = _.extend({}, context.admin, {id: userIdFor.owner}, {include: 'roles'});
                UserAPI.read(options).then(function (response) {
                    response.users[0].id.should.equal(userIdFor.owner);
                    response.users[0].roles[0].name.should.equal('Owner');
                    return UserAPI.edit(
                        {users: [
                            {name: newName, roles: [roleIdFor.author]}
                        ]},
                        options
                    ).then(function (response) {
                        done(new Error('Author should not be able to downgrade owner'));
                    }).catch(function (error) {
                        error.type.should.eql('NoPermissionError');
                        done();
                    });
                });
            });
        });
        describe('Editor', function () {