Staffers can update user `is_staff` status

author: Santo Cariotti <santo@dcariotti.me> 2022-10-17 06:49:19 +0000
committer: Santo Cariotti <santo@dcariotti.me> 2022-10-17 06:49:47 +0000
commit: fe197dcb81564d99cb1297dd8417299ae3bfc91e (patch)
tree: 3ae329b12ec42cd4ad4c0f257e67185712c61695 /src/routes/user.rs
parent: 346dc0f85a02c5352767e1ca7de57c96df4c39f6 (diff)
1 files changed, 7 insertions, 2 deletions
diff --git a/src/routes/user.rs b/src/routes/user.rs
index 4b76423..31366a0 100644
--- a/src/routes/user.rs
+++ b/src/routes/user.rs
@@ -142,10 +142,11 @@ async fn get_user(Path(user_id): Path<i32>) -> Result<Json<UserList>, AppError>
 }
 
 /// Edit an user with id = `user_id`. Only staffers and owner of that account can perform this
-/// action
+/// action.
+/// Only staffers can update the user `is_staff` value
 async fn edit_user(
     Path(user_id): Path<i32>,
-    Json(payload): Json<UserEdit>,
+    Json(mut payload): Json<UserEdit>,
     claims: Claims,
 ) -> Result<Json<UserList>, AppError> {
     let mut user = match User::find_by_id(user_id).await {
@@ -168,6 +169,10 @@ async fn edit_user(
         }
     }
 
+    if !claimed.is_staff.unwrap() && user.is_staff != payload.is_staff {
+        payload.is_staff = user.is_staff;
+    }
+
     if user.email != payload.email && User::email_has_taken(&payload.email).await? {
         return Err(AppError::BadRequest(
             "An user with this email already exists".to_string(),
author	Santo Cariotti <santo@dcariotti.me>	2022-10-17 06:49:19 +0000
committer	Santo Cariotti <santo@dcariotti.me>	2022-10-17 06:49:47 +0000
commit	fe197dcb81564d99cb1297dd8417299ae3bfc91e (patch)
tree	3ae329b12ec42cd4ad4c0f257e67185712c61695 /src/routes/user.rs
parent	346dc0f85a02c5352767e1ca7de57c96df4c39f6 (diff)