Closed rhythnic closed 5 years ago
The update for user seems to fail to check that the acting user is an admin if the target user is being updated to admin role.
It turns out that a user can't update themselves to admin. It happens implicitly, by not copying the role property from the request payload to the data object used to update the record.
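The thread notes that the protection is implicit: the role property is simply never copied from the request payload. The sketch below makes that rule explicit with an allowlist copy plus an admin check on role changes. It is an added example, not the project's code; `buildUserUpdate`, `EDITABLE_FIELDS`, `ROLES`, `ForbiddenError` and the user object shape are all assumptions.

```javascript
// Added example with hypothetical names; not taken from the project.
const EDITABLE_FIELDS = ['name', 'email']; // assumed self-service fields
const ROLES = ['user', 'admin'];           // assumed role set

class ForbiddenError extends Error {}

const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Builds the data object used to update `target`, or throws.
// actor/target: { id, role }; payload: untrusted request body.
function buildUserUpdate(actor, target, payload) {
  // Only the account owner or an admin may update the record at all.
  if (actor.role !== 'admin' && actor.id !== target.id) {
    throw new ForbiddenError('cannot update another user');
  }

  const data = {};
  // Allowlist copy: payload keys outside the list never reach the record.
  for (const field of EDITABLE_FIELDS) {
    if (has(payload, field)) data[field] = payload[field];
  }

  // Role is handled explicitly instead of relying on it being omitted,
  // so a later change to the copy logic cannot silently open escalation.
  if (has(payload, 'role') && payload.role !== target.role) {
    if (actor.role !== 'admin') {
      throw new ForbiddenError('only an admin can change roles');
    }
    if (!ROLES.includes(payload.role)) {
      throw new Error('unknown role');
    }
    data.role = payload.role;
  }
  return data;
}

// Constructed sample users for a quick manual run.
const alice = { id: 1, role: 'user' };
const root = { id: 2, role: 'admin' };
console.log(buildUserUpdate(root, alice, { role: 'admin' })); // { role: 'admin' }
```

Rejecting the request, rather than silently dropping `role`, also gives the server a clear event to log when a non-admin attempts a role change.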