ksquareincmx / conference-server-next


Prevent user to make himself an admin

martiuh opened this issue · comments

User's role is a property set on the user model, so it may be possible for the user to change this role and make himself an admin. We want to prevent that.

Make it so a non-admin user cannot update his role attribute.

Use loopback's role resolver to create an admin permission

It's a work in progress. Right now the Role.registerResolver for "admin" works fine, but since it's a property of the user, it's necessary to make it impossible for the same user to make themselves an admin.

@eduardomonforte Could you verify that this issue is happening?

As a normal user, try to update its user information by setting its role to admin, i.e.: currentUser.role = 'admin'.

If this is possible, please fix it.
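
The check this issue asks for, as an added example that is not code from this repository: a guard that rejects any change to `role` unless the caller is already an admin, and discards a client-supplied role at sign-up. It assumes a LoopBack 3 style `before save` hook context (`ctx.instance`, `ctx.data`, `ctx.currentInstance`, `ctx.isNewInstance`); the role names and function names are hypothetical.

```javascript
// Added example, not code from the repository. The field and role names
// ('role', 'admin', 'user') and all function names are assumptions.
const DEFAULT_ROLE = 'user';

function forbidden(message) {
  const err = new Error(message);
  err.statusCode = 403; // reported to the client as HTTP 403
  return err;
}

// ctx mimics a LoopBack 3 "before save" operation-hook context:
//   ctx.instance        -> create or full replace
//   ctx.data            -> partial update
//   ctx.currentInstance -> stored record (present on updateAttributes)
// callerRole must come from server-side state (the stored role of the
// access token's user), never from the request body.
function guardRoleWrite(ctx, callerRole) {
  if (callerRole === 'admin') return ctx; // admins may assign roles
  const payload = ctx.instance || ctx.data || {};
  if (ctx.isNewInstance) {
    payload.role = DEFAULT_ROLE; // sign-up: discard any client-supplied role
    return ctx;
  }
  if (!('role' in payload)) return ctx; // role not part of this write
  const stored = ctx.currentInstance && ctx.currentInstance.role;
  // A no-op echo of the stored role is fine; any change is rejected, and so
  // is a write where the stored role is unknown (fail closed).
  if (stored === undefined || payload.role !== stored) {
    throw forbidden('Only an admin can change the role attribute');
  }
  return ctx;
}

// Constructed sample contexts for the scenario described in the issue.
function demo() {
  const selfEdit = () => ({ data: { role: 'admin' }, currentInstance: { role: 'user' } });
  const signup = { isNewInstance: true, instance: { role: 'admin' } };
  const out = { signupRole: guardRoleWrite(signup).instance.role };
  try {
    guardRoleWrite(selfEdit(), 'user');
    out.selfPromotion = 'allowed';
  } catch (e) {
    out.selfPromotion = e.statusCode;
  }
  out.byAdmin = guardRoleWrite(selfEdit(), 'admin').data.role;
  return out;
}
```

In a LoopBack 3 application the guard would be called from the user model's `before save` observer, with `callerRole` looked up from the stored record of the access token's user.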