feat: Prevent role changing on yourself. (#1931)

* feat: Prevent role changing on yourself. Only allow changing roles on other users. Not much value in self changing at the moment
2025-07-03 16:13:58 +00:00 · 2022-05-31 15:50:38 -05:00
parent 4b0ed06a26
commit 7acb742218
3 changed files with 32 additions and 4 deletions
--- a/coderd/users.go
+++ b/coderd/users.go
@ -474,6 +474,14 @@ func (api *API) putUserRoles(rw http.ResponseWriter, r *http.Request) {
 	// User is the user to modify.
 	user := httpmw.UserParam(r)
 	roles := httpmw.UserRoles(r)
+	apiKey := httpmw.APIKey(r)
+
+	if apiKey.UserID == user.ID {
+		httpapi.Write(rw, http.StatusBadRequest, httpapi.Response{
+			Message: "You cannot change your own roles.",
+		})
+		return
+	}

 	var params codersdk.UpdateRoles
 	if !httpapi.Read(rw, r, &params) {