From 65d7f83ee724bad7afc07d0b17b51c8e93c56ac7 Mon Sep 17 00:00:00 2001
From: yasw175
Date: Wed, 31 Dec 2025 13:42:39 +0530
Subject: [PATCH] Fix: Prevent Admin from demoting their own role (#9326)

---
 .../syft/src/syft/service/user/user_service.py | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/packages/syft/src/syft/service/user/user_service.py b/packages/syft/src/syft/service/user/user_service.py
index 47c41d1ab84..0ed8d1eb5b0 100644
--- a/packages/syft/src/syft/service/user/user_service.py
+++ b/packages/syft/src/syft/service/user/user_service.py
@@ -450,6 +450,17 @@ def update(
         # Get user to be updated by its UID
         user = self.stash.get_by_uid(credentials=context.credentials, uid=uid).unwrap()
 
+        # FIX: Prevent Admin from demoting themselves (Issue #9326)
+        if (
+            updates_role
+            and user.verify_key == context.credentials
+            and user.role == ServiceRole.ADMIN
+        ):
+            if user_update.role != ServiceRole.ADMIN:
+                raise SyftException(
+                    public_message="Admins cannot demote their own role!"
+                )
+
         immutable_fields = {"created_date", "updated_date", "deleted_date"}
         updated_fields = user_update.to_dict(
             exclude_none=True, exclude_empty=True
@@ -599,12 +610,12 @@ def exchange_credentials(self, context: UnauthedServiceContext) -> SyftSuccess:
                 and context.server.server_type == ServerType.ENCLAVE
                 and user.role == ServiceRole.ADMIN
             ):
-                # FIX: Replace with SyftException
+                # FIX: Replacing with SyftException
                 raise SyftException(
                     public_message=UserEnclaveAdminLoginError.public_message
                 )
             else:
-                # FIX: Replace this below
+                # FIX: Replacing this below
                 raise SyftException(public_message=CredentialsError.public_message)
 
         return SyftSuccess(message="Login successful.", value=user.to(UserPrivateKey))
@@ -729,4 +740,4 @@ def disable_notifications(
 
 
 TYPE_TO_SERVICE[User] = UserService
-SERVICE_TO_TYPES[UserService].update({User})
+SERVICE_TO_TYPES[UserService].update({User})
\ No newline at end of file
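Review bot: The self-demotion guard added to `update` (the function starts and ends outside this hunk) nests a second `if` under a three-clause condition; folding the last test into the outer condition reads as a single invariant and drops a level: `if (updates_role and user.verify_key == context.credentials and user.role == ServiceRole.ADMIN and user_update.role != ServiceRole.ADMIN):` followed by the existing `raise`. The guard fires only when the caller edits their own record, so if the service wants to keep at least one admin, demotion of the last admin by a second admin still goes through — inferred, since the permission checks earlier in `update` are not visible here, but worth a test either way. The `# FIX: ... (Issue #9326)` comment describes the patch rather than the code; `# An admin may not lower their own role (see #9326)` keeps the rationale without the changelog tone.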
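Review bot: The two reworded comments in `exchange_credentials` (`# FIX: Replacing with SyftException` and `# FIX: Replacing this below`) still describe an edit the code under them has already made, so the change only refreshes stale notes instead of removing them. Drop both, or replace the first with a comment that states why the branch raises, e.g. `# Admin login is rejected on enclave servers (UserEnclaveAdminLoginError)`; the second raise is self-explanatory from `CredentialsError.public_message`. The enclosing `if`/`else` begins outside the hunk.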