From 09de2b088dbbc3cdc815ee775c4e00303bc6b72f Mon Sep 17 00:00:00 2001
From: Syphax bouazzouni
Date: Tue, 28 Nov 2023 05:02:20 +0100
Subject: [PATCH] enforce the security of admin user creation
---
 controllers/users_controller.rb | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/controllers/users_controller.rb b/controllers/users_controller.rb
index b401ea8f..cac71d16 100644
--- a/controllers/users_controller.rb
+++ b/controllers/users_controller.rb
@@ -81,6 +81,7 @@ class UsersController < ApplicationController
 # Update an existing submission of an user
 patch '/:username' do
 user = User.find(params[:username]).include(User.attributes).first
+ params.delete("role") unless current_user.admin?
 populate_from_params(user, params)
 if user.valid?
 user.save
@@ -109,6 +110,7 @@ def create_user
 params ||= @params
 user = User.find(params["username"]).first
 error 409, "User with username `#{params["username"]}` already exists" unless user.nil?
+ params.delete("role") unless current_user.admin?
 user = instance_from_params(User, params)
 if user.valid?
 user.save
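Review bot: The added guard `params.delete("role") unless current_user.admin?` in the `patch '/:username'` hunk (and the identical line in the `create_user` hunk) calls `admin?` on `current_user` without a nil check, so if either route can be reached without an authenticated principal the request fails with a NoMethodError (a 500) instead of the intended default-deny; unless an earlier filter guarantees `current_user` is set, `params.delete("role") unless current_user&.admin?` keeps the role stripped in that case too. Silently dropping the key also means a non-admin who sends `role` gets a 2xx with the attribute ignored, which is hard to distinguish from a successful privilege change on the client side; returning `error 403, "Only admins can set role"` when the key is present and the caller is not an admin would make the rejection explicit. Deleting one named key is a deny-list; any other privileged attribute the User model accepts, now or later, passes straight into `populate_from_params`, so an allow-list of non-admin-settable attributes is the more durable shape. Both enclosing blocks continue outside their hunks, so I cannot see whether an authentication or ownership check precedes these lines.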
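Review bot: In the `create_user` hunk the key being deleted is the string `"role"`, but `params` here is whatever `params ||= @params` resolved to, and its type is not visible in the hunk; if `@params` is a plain Hash built from a parsed request body rather than an indifferent-access hash, a `:role` symbol key would survive the delete and still reach `instance_from_params`. The `patch` hunk reads `params[:username]` with a symbol and later deletes with a string, which only works if that `params` is indifferent-access, so the two hunks may be relying on different hash semantics. A short comment such as `# strip role before instantiation: only admins may grant roles; keys are strings here` above the new line, or normalising with `params.delete("role"); params.delete(:role)` if the type cannot be pinned down, would close the gap. `create_user` begins before and ends after this hunk, so the parameter's origin is outside my view.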