enforce the security of admin user creation

ncbo · Nov 28, 2023 · 09de2b0 · 09de2b0
1 parent cd8051e
commit 09de2b0
Showing 1 changed file with 2 additions and 0 deletions.
diff --git a/controllers/users_controller.rb b/controllers/users_controller.rb
@@ -81,6 +81,7 @@ class UsersController < ApplicationController
     # Update an existing submission of an user
     patch '/:username' do
       user = User.find(params[:username]).include(User.attributes).first
+      params.delete("role") unless current_user.admin?
       populate_from_params(user, params)
       if user.valid?
         user.save
@@ -109,6 +110,7 @@ def create_user
       params ||= @params
       user = User.find(params["username"]).first
       error 409, "User with username `#{params["username"]}` already exists" unless user.nil?
+      params.delete("role") unless current_user.admin?
       user = instance_from_params(User, params)
       if user.valid?
         user.save