feat: Prevent role changing on yourself. (#1931)

* feat: Prevent role changing on yourself. Only allow changing roles on other users. Not much value in self changing at the moment
2025-07-18 14:17:22 +00:00 · 2022-05-31 15:50:38 -05:00
parent 4b0ed06a26
commit 7acb742218
3 changed files with 32 additions and 4 deletions
--- a/coderd/members.go
+++ b/coderd/members.go
@ -20,6 +20,14 @@ func (api *API) putMemberRoles(rw http.ResponseWriter, r *http.Request) {
 	user := httpmw.UserParam(r)
 	organization := httpmw.OrganizationParam(r)
 	member := httpmw.OrganizationMemberParam(r)
+	apiKey := httpmw.APIKey(r)
+
+	if apiKey.UserID == member.UserID {
+		httpapi.Write(rw, http.StatusBadRequest, httpapi.Response{
+			Message: "You cannot change your own organization roles.",
+		})
+		return
+	}

 	var params codersdk.UpdateRoles
 	if !httpapi.Read(rw, r, &params) {
--- a/coderd/users.go
+++ b/coderd/users.go
@ -474,6 +474,14 @@ func (api *API) putUserRoles(rw http.ResponseWriter, r *http.Request) {
 	// User is the user to modify.
 	user := httpmw.UserParam(r)
 	roles := httpmw.UserRoles(r)
+	apiKey := httpmw.APIKey(r)
+
+	if apiKey.UserID == user.ID {
+		httpapi.Write(rw, http.StatusBadRequest, httpapi.Response{
+			Message: "You cannot change your own roles.",
+		})
+		return
+	}

 	var params codersdk.UpdateRoles
 	if !httpapi.Read(rw, r, &params) {
--- a/coderd/users_test.go
+++ b/coderd/users_test.go
@ -409,11 +409,11 @@ func TestGrantRoles(t *testing.T) {
 	t.Run("UpdateIncorrectRoles", func(t *testing.T) {
 		t.Parallel()
 		ctx := context.Background()
+		var err error
+
 		admin := coderdtest.New(t, nil)
 		first := coderdtest.CreateFirstUser(t, admin)
 		member := coderdtest.CreateAnotherUser(t, admin, first.OrganizationID)
-		memberUser, err := member.User(ctx, codersdk.Me)
-		require.NoError(t, err, "member user")

 		_, err = admin.UpdateUserRoles(ctx, codersdk.Me, codersdk.UpdateRoles{
 			Roles: []string{rbac.RoleOrgMember(first.OrganizationID)},
@ -445,7 +445,7 @@ func TestGrantRoles(t *testing.T) {
 		require.Error(t, err, "member cannot change other's roles")
 		requireStatusCode(t, err, http.StatusForbidden)

-		_, err = member.UpdateUserRoles(ctx, memberUser.ID.String(), codersdk.UpdateRoles{
+		_, err = member.UpdateUserRoles(ctx, first.UserID.String(), codersdk.UpdateRoles{
 			Roles: []string{rbac.RoleMember()},
 		})
 		require.Error(t, err, "member cannot change any roles")
@ -456,6 +456,18 @@ func TestGrantRoles(t *testing.T) {
 		})
 		require.Error(t, err, "member cannot change other's org roles")
 		requireStatusCode(t, err, http.StatusForbidden)
+
+		_, err = admin.UpdateUserRoles(ctx, first.UserID.String(), codersdk.UpdateRoles{
+			Roles: []string{},
+		})
+		require.Error(t, err, "admin cannot change self roles")
+		requireStatusCode(t, err, http.StatusBadRequest)
+
+		_, err = admin.UpdateOrganizationMemberRoles(ctx, first.OrganizationID, first.UserID.String(), codersdk.UpdateRoles{
+			Roles: []string{},
+		})
+		require.Error(t, err, "admin cannot change self org roles")
+		requireStatusCode(t, err, http.StatusBadRequest)
 	})

 	t.Run("FirstUserRoles", func(t *testing.T) {
@ -508,7 +520,7 @@ func TestGrantRoles(t *testing.T) {
 		require.NoError(t, err, "grant member admin role")

 		// Promote to org admin
-		_, err = member.UpdateOrganizationMemberRoles(ctx, first.OrganizationID, codersdk.Me, codersdk.UpdateRoles{
+		_, err = admin.UpdateOrganizationMemberRoles(ctx, first.OrganizationID, memberUser.ID.String(), codersdk.UpdateRoles{
 			Roles: []string{
 				// Promote to org admin
 				rbac.RoleOrgMember(first.OrganizationID),