From b499287f2347837bc885387bb5eb99b3fd841f63 Mon Sep 17 00:00:00 2001
From: Mani Chandra <84711804+ThisIsMani@users.noreply.github.com>
Date: Mon, 7 Oct 2024 19:48:56 +0530
Subject: [PATCH] fix(user_role): Restrict updating user role to the same `EntityType` (#6224)

---
 crates/router/src/core/user_role.rs | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/crates/router/src/core/user_role.rs b/crates/router/src/core/user_role.rs
index 5973a20dd33a..9145706c10c0 100644
--- a/crates/router/src/core/user_role.rs
+++ b/crates/router/src/core/user_role.rs
@@ -153,6 +153,14 @@ pub async fn update_user_role(
 ));
 }
 
+ if role_info.get_entity_type() != role_to_be_updated.get_entity_type() {
+ return Err(report!(UserErrors::InvalidRoleOperation)).attach_printable(format!(
+ "Upgrade and downgrade of roles is not allowed, user_entity_type = {} req_entity_type = {}",
+ role_to_be_updated.get_entity_type(),
+ role_info.get_entity_type(),
+ ));
+ }
+
 if updator_role.get_entity_type() < role_to_be_updated.get_entity_type() {
 return Err(report!(UserErrors::InvalidRoleOperation)).attach_printable(format!(
 "Invalid operation, update requestor = {} cannot update target = {}",
@@ -218,6 +226,14 @@ pub async fn update_user_role(
 ));
 }
 
+ if role_info.get_entity_type() != role_to_be_updated.get_entity_type() {
+ return Err(report!(UserErrors::InvalidRoleOperation)).attach_printable(format!(
+ "Upgrade and downgrade of roles is not allowed, user_entity_type = {} req_entity_type = {}",
+ role_to_be_updated.get_entity_type(),
+ role_info.get_entity_type(),
+ ));
+ }
+
 if updator_role.get_entity_type() < role_to_be_updated.get_entity_type() {
 return Err(report!(UserErrors::InvalidRoleOperation)).attach_printable(format!(
 "Invalid operation, update requestor = {} cannot update target = {}",
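Review bot: The new entity-type equality check is pasted verbatim into both hunks of `update_user_role` (@@ -153 and @@ -218), so the two update paths can drift apart the next time this rule is tightened; a small private helper that takes the two role infos and returns `Err(report!(UserErrors::InvalidRoleOperation))` with the same printable, called from both sites, would keep them in lockstep. In both hunks the new block also sits before the existing `updator_role.get_entity_type() < role_to_be_updated.get_entity_type()` guard, so a requester with no authority over the target is rejected for an upgrade/downgrade mismatch before the requester-authority check ever runs; moving the new block after that guard keeps "may this requester act on this target at all" as the first decision and evaluates the entity-type rule only for already-authorised requesters. Both paths return the same `InvalidRoleOperation`, so this ordering only leaks anything if the attached printable text is surfaced to the caller, which is not visible here and is worth confirming. A one-line comment above the check would make the intent explicit, e.g. `// A role update must keep the target within its current EntityType; upgrades and downgrades are rejected.`. The body of `update_user_role` begins and ends outside both hunks.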