fix: prevent users from changing their own role during updates

NoOne7135 · NoOne7135 · commit b3f13f7ca20e · 2025-05-20T15:37:47.000+03:00
diff --git a/adminforth/commands/createApp/templates/adminuser.ts.hbs b/adminforth/commands/createApp/templates/adminuser.ts.hbs
@@ -93,8 +93,11 @@ export default {
       }
     },
     edit: {
-      beforeSave: async ({ updates, adminUser, resource }: { updates: any, adminUser: AdminUser, resource: AdminForthResource }) => {
+      beforeSave: async ({ oldRecord, updates, adminUser, resource }: { oldRecord: any, updates: any, adminUser: AdminUser, resource: AdminForthResource }) => {
         console.log('Updating user', updates);
+        if (oldRecord.id === adminUser.dbUser.id && updates.role) {
+          return { ok: false, error: 'You cannot change your own role' };
+        }
         if (updates.password) {
           updates.password_hash = await AdminForth.Utils.generatePasswordHash(updates.password);
         }

Original file line number	Diff line number	Diff line change
`@@ -93,8 +93,11 @@ export default {`
`93`	`93`	`}`
`94`	`94`	`},`
`95`	`95`	`edit: {`
`96`		`- beforeSave: async ({ updates, adminUser, resource }: { updates: any, adminUser: AdminUser, resource: AdminForthResource }) => {`
	`96`	`+ beforeSave: async ({ oldRecord, updates, adminUser, resource }: { oldRecord: any, updates: any, adminUser: AdminUser, resource: AdminForthResource }) => {`
`97`	`97`	`console.log('Updating user', updates);`
	`98`	`+ if (oldRecord.id === adminUser.dbUser.id && updates.role) {`
	`99`	`+ return { ok: false, error: 'You cannot change your own role' };`
	`100`	`+ }`
`98`	`101`	`if (updates.password) {`
`99`	`102`	`updates.password_hash = await AdminForth.Utils.generatePasswordHash(updates.password);`
`100`	`103`	`}`