From fe197dcb81564d99cb1297dd8417299ae3bfc91e Mon Sep 17 00:00:00 2001
From: Santo Cariotti
Date: Mon, 17 Oct 2022 08:49:19 +0200
Subject: Staffers can update user `is_staff` status

---
 src/routes/user.rs | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

(limited to 'src/routes/user.rs')

diff --git a/src/routes/user.rs b/src/routes/user.rs
index 4b76423..31366a0 100644
--- a/src/routes/user.rs
+++ b/src/routes/user.rs
@@ -142,10 +142,11 @@ async fn get_user(Path(user_id): Path) -> Result, AppError>
 }
 
 /// Edit an user with id = `user_id`. Only staffers and owner of that account can perform this
-/// action
+/// action.
+/// Only staffers can update the user `is_staff` value
 async fn edit_user(
     Path(user_id): Path,
-    Json(payload): Json,
+    Json(mut payload): Json,
     claims: Claims,
 ) -> Result, AppError> {
     let mut user = match User::find_by_id(user_id).await {
@@ -168,6 +169,10 @@ async fn edit_user(
         }
     }
 
+    if !claimed.is_staff.unwrap() && user.is_staff != payload.is_staff {
+        payload.is_staff = user.is_staff;
+    }
+
     if user.email != payload.email && User::email_has_taken(&payload.email).await? {
         return Err(AppError::BadRequest(
             "An user with this email already exists".to_string(),
-- 
cgit v1.2.3-71-g8e6c
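Review bot: `claimed.is_staff.unwrap()` in the added guard of the second hunk is a panic path inside a request handler: if the caller's `is_staff` is ever `None`, the handler aborts instead of denying the privilege change, so it should fail closed, e.g. `if !claimed.is_staff.unwrap_or(false) { payload.is_staff = user.is_staff; }`. Dropping the `user.is_staff != payload.is_staff` comparison is behaviour-preserving and makes the intent — non-staff callers never control `is_staff` — read directly. `claimed` is bound before this hunk and `edit_user` continues past it, so whether `is_staff` can actually be `None` at this point cannot be confirmed from the diff alone. The doc comment in the first hunk could state the outcome explicitly, e.g. `/// Non-staff callers cannot change is_staff; the stored value is kept.`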