You shall not self demote

david-rocca · david-rocca · commit fc94c3a636d8 · 2025-06-09T20:13:29.000-04:00
diff --git a/src/controller/org.controller/org.controller.js b/src/controller/org.controller/org.controller.js
@@ -885,6 +885,10 @@ async function updateUser (req, res, next) {
     const targetOrgLegUUID = await orgLegRepo.getOrgUUID(shortNameParams, { session })
     const targetOrgRegUUID = await orgRegRepo.getOrgUUID(shortNameParams, { session })
 
+    // Get requester UUID for later
+    const requesterUUID = await userRegRepo.getUserUUID(requesterUsername, targetOrgRegUUID, { session })
+    const targetUserUUID = await userRegRepo.getUserUUID(usernameParams, targetOrgRegUUID, { session })
+
     if (!targetOrgLegUUID || !targetOrgRegUUID) {
       logger.error({ uuid: req.ctx.uuid, message: `Target organization ${shortNameParams} not found in one or both collections.` })
       await session.abortTransaction(); await session.endSession()
@@ -1014,6 +1018,14 @@ async function updateUser (req, res, next) {
       }
     }
 
+    // Check to make sure we are NOT self demoting
+    if (removeRolesCollector.includes('ADMIN')) {
+      if (requesterUUID === targetUserUUID) {
+        await session.abortTransaction; await session.endSession()
+        return res.status(403).json(error.notAllowedToSelfDemote())
+      }
+    }
+
     let newTargetLegacyOrgUUID = targetOrgLegUUID
     let newTargetRegistryOrgUUID = targetOrgRegUUID
 
