fix(user.set): cannot change self permission (#353)

2016-06-28 13:28:31 +02:00 · 2016-06-28 13:28:31 +02:00 · 687809db9d
commit 687809db9d
parent 1127ec3a90
1 changed files with 4 additions and 1 deletions
--- a/src/api/user.js
+++ b/src/api/user.js
@ -22,7 +22,7 @@ create.params = {
 // Deletes an existing user.
 async function delete_ ({id}) {
  if (id === this.session.get('user_id')) {
-    throw new InvalidParameters('an user cannot delete itself')
+    throw new InvalidParameters('a user cannot delete itself')
  }

  await this.deleteUser(id)
@ -58,6 +58,9 @@ getAll.permission = 'admin'
 // -------------------------------------------------------------------

 export async function set ({id, email, password, permission}) {
+  if (permission && id === this.session.get('user_id')) {
+    throw new InvalidParameters('a user cannot change it\'s own permission')
+  }
  await this.updateUser(id, {email, password, permission})
 }