Prevent user from making himself an admin
martiuh opened this issue · comments
Tona González commented
User's role is a property set on the users model, so it may be possible for the user to change this role and make himself an admin. We want to prevent that.
Make it so a non-admin user cannot update his role attribute.
Use LoopBack's role resolver to create an admin permission
Tona González commented
It's a work in progress. Right now the Role.registerResolver for "admin" works fine, but since it's a property of user, it's necessary to make it impossible for the same user to make themselves an admin.
Josué Comoto commented
@eduardomonforte Could you verify that this issue is happening?
As a normal user, try to update its user information by setting its role to admin, i.e.: currentUser.role = 'admin'.
If this is possible, please fix it.
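One way to enforce the first task in this issue, as an added example that is not code from this project or from any commenter: a guard that rejects a non-admin write to `role`, shaped to be called from a LoopBack `before save` operation hook. The names `checkRoleWrite`, `ADMIN_ONLY`, `DEFAULT_ROLE` and `isAdmin` are hypothetical, and the role name `'user'` is an assumption.

```javascript
'use strict';

// Properties only an admin may write; `role` is the one named in this issue.
const ADMIN_ONLY = ['role'];
const DEFAULT_ROLE = 'user'; // assumption: name of the ordinary role

// Returns null when the write may proceed, or an Error (statusCode 403) when
// a non-admin tries to change an admin-only property. `ctx` follows the shape
// of a LoopBack operation-hook context:
//   ctx.isNewInstance    true on create
//   ctx.instance         full object being created or replaced
//   ctx.data             partial-update payload
//   ctx.currentInstance  stored object, when the hook knows it
// `callerIsAdmin` must be derived server-side, never from the payload.
function checkRoleWrite(ctx, callerIsAdmin) {
  if (callerIsAdmin) return null;
  const payload = ctx.instance || ctx.data || {};
  for (const field of ADMIN_ONLY) {
    if (payload[field] === undefined) continue; // field is not being written
    if (ctx.isNewInstance) {
      payload[field] = DEFAULT_ROLE; // a sign-up cannot choose its own role
      continue;
    }
    const stored = ctx.currentInstance;
    // Re-sending the stored value is harmless; anything else fails closed,
    // including the case where the stored value is unknown.
    if (stored && stored[field] === payload[field]) continue;
    const err = new Error(`Not allowed to change "${field}"`);
    err.statusCode = 403;
    return err;
  }
  return null;
}

// Wiring sketch (assumptions: a model variable `User` and a helper
// `isAdmin(options)` that checks the caller's access token):
//   User.observe('before save', (ctx, next) =>
//     next(checkRoleWrite(ctx, isAdmin(ctx.options))));

// Constructed sample: the update described in the issue, sent by a normal user.
const attempt = {data: {role: 'admin'}, currentInstance: {id: 7, role: 'user'}};
const verdict = checkRoleWrite(attempt, false);
console.log(verdict ? `rejected with ${verdict.statusCode}` : 'allowed');
```

Because the check runs at save time, it covers every path that writes the model, not only one REST endpoint.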