diff --git a/backend/apps/web/routers/users.py b/backend/apps/web/routers/users.py
index ce4cac77d..18c6c6202 100644
--- a/backend/apps/web/routers/users.py
+++ b/backend/apps/web/routers/users.py
@@ -32,9 +32,8 @@ async def get_users(skip: int = 0, limit: int = 50, user=Depends(get_admin_user)
 @router.post("/update/role", response_model=Optional[UserModel])
-async def update_user_role(
-    form_data: UserRoleUpdateForm, user=Depends(get_admin_user)
-):
+async def update_user_role(form_data: UserRoleUpdateForm, user=Depends(get_admin_user)):
+
     if user.id != form_data.id:
         return Users.update_user_role_by_id(form_data.id, form_data.role)
@@ -115,4 +114,3 @@ async def delete_user_by_id(user_id: str, user=Depends(get_admin_user)):
             status_code=status.HTTP_403_FORBIDDEN,
             detail=ERROR_MESSAGES.ACTION_PROHIBITED,
         )
-
diff --git a/backend/utils/utils.py b/backend/utils/utils.py
index 97b4afb25..c6d018145 100644
--- a/backend/utils/utils.py
+++ b/backend/utils/utils.py
@@ -58,7 +58,9 @@ def extract_token_from_auth_header(auth_header: str):
     return auth_header[len("Bearer ") :]
-def get_current_user(auth_token: HTTPAuthorizationCredentials = Depends(bearer_security)):
+def get_current_user(
+    auth_token: HTTPAuthorizationCredentials = Depends(bearer_security),
+):
     data = decode_token(auth_token.credentials)
     if data != None and "id" in data:
         user = Users.get_user_by_id(data["id"])
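Review bot: When an admin targets their own id, the new guard in `update_user_role` simply falls through, so the endpoint answers 200 with a `null` body (`response_model=Optional[UserModel]`) and the client cannot distinguish a refused self-demotion from a successful update; the sibling `delete_user_by_id` visible in the next hunk raises 403 for the same case. After the `if` block add `raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail=ERROR_MESSAGES.ACTION_PROHIBITED)` so both self-modification paths behave alike. The empty `+` line inserted directly after the signature is a style nit that auto-formatters will drop; a one-line docstring such as `"""Change another user's role; an admin may not change their own."""` is a better use of that slot. The hunk's trailing context does not show whether the function body continues past the `return`.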
@@ -75,17 +77,19 @@ def get_current_user(auth_token: HTTPAuthorizationCredentials = Depends(bearer_s
         )
-def get_verified_user(user: Users = Depends(get_current_user)):
+def get_verified_user(user=Depends(get_current_user)):
     if user.role not in {"user", "admin"}:
         raise HTTPException(
             status_code=status.HTTP_401_UNAUTHORIZED,
             detail=ERROR_MESSAGES.ACCESS_PROHIBITED,
         )
+    return user
-def get_admin_user(user: Users = Depends(get_current_user)):
+def get_admin_user(user=Depends(get_current_user)):
     if user.role != "admin":
         raise HTTPException(
             status_code=status.HTTP_401_UNAUTHORIZED,
             detail=ERROR_MESSAGES.ACCESS_PROHIBITED,
         )
+    return user
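Review bot: `get_verified_user` and `get_admin_user` now hand back the resolved user via the added `return user` lines, which is what lets `update_user_role` read `user.id`, but the return is unannotated and the dropped `user: Users` hint was presumably wrong anyway, since `Users` is the object `Users.get_user_by_id` is called on rather than the record type. If the user model type is importable in utils.py, annotate both as `def get_verified_user(user=Depends(get_current_user)) -> UserModel:` (and likewise for `get_admin_user`) so routers get a typed dependency; otherwise a comment such as `# Returns the authenticated user record so routers can read .id / .role.` above each `return user` documents the new contract. Unchanged by this commit but worth a follow-up: both raise 401 for a caller who is authenticated but holds the wrong role, where 403 is the conventional code. Both functions are complete within the hunk.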