Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

fix(user_role): Restrict updating user role to the same EntityType #6224

Merged
merged 1 commit into from
Oct 7, 2024
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 16 additions & 0 deletions crates/router/src/core/user_role.rs
Original file line number Diff line number Diff line change
Expand Up @@ -151,6 +151,14 @@ pub async fn update_user_role(
));
}

if role_info.get_entity_type() != role_to_be_updated.get_entity_type() {
return Err(report!(UserErrors::InvalidRoleOperation)).attach_printable(format!(
"Upgrade and downgrade of roles is not allowed, user_entity_type = {} req_entity_type = {}",
role_to_be_updated.get_entity_type(),
role_info.get_entity_type(),
));
}

if updator_role.get_entity_type() < role_to_be_updated.get_entity_type() {
return Err(report!(UserErrors::InvalidRoleOperation)).attach_printable(format!(
"Invalid operation, update requestor = {} cannot update target = {}",
Expand Down Expand Up @@ -216,6 +224,14 @@ pub async fn update_user_role(
));
}

if role_info.get_entity_type() != role_to_be_updated.get_entity_type() {
return Err(report!(UserErrors::InvalidRoleOperation)).attach_printable(format!(
"Upgrade and downgrade of roles is not allowed, user_entity_type = {} req_entity_type = {}",
role_to_be_updated.get_entity_type(),
role_info.get_entity_type(),
));
}

if updator_role.get_entity_type() < role_to_be_updated.get_entity_type() {
return Err(report!(UserErrors::InvalidRoleOperation)).attach_printable(format!(
"Invalid operation, update requestor = {} cannot update target = {}",
Expand Down
Loading