From 84adba3acc2141dbe61663e4ec199ffc4333f76b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=8D=83=E7=9F=B3?=
Date: Thu, 28 Aug 2025 09:57:34 +0800
Subject: [PATCH] feat(user): Enhanced role assignment logic (#9297)
- Imported the `utils` package
- Modified the role assignment logic to prevent assigning administrator or guest roles to users
---
 server/handles/user.go | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/server/handles/user.go b/server/handles/user.go
index 01368bee..ac3a06e8 100644
--- a/server/handles/user.go
+++ b/server/handles/user.go
@@ -1,9 +1,10 @@
 package handles
 import (
- "github.com/alist-org/alist/v3/pkg/utils"
 "strconv"
+ "github.com/alist-org/alist/v3/pkg/utils"
+
 "github.com/alist-org/alist/v3/internal/model"
 "github.com/alist-org/alist/v3/internal/op"
 "github.com/alist-org/alist/v3/server/common"
@@ -97,6 +98,14 @@ func UpdateUser(c *gin.Context) {
 return
 }
 }
+
+ if !utils.SliceEqual(user.Role, req.Role) {
+ if req.IsAdmin() || req.IsGuest() {
+ common.ErrorStrResp(c, "cannot assign admin or guest role to user", 400, true)
+ return
+ }
+ }
+
+ if err := op.UpdateUser(&req); err != nil {
 common.ErrorResp(c, err, 500)
 } else {
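Review bot: The role guard added before `op.UpdateUser(&req)` is only as strong as `utils.SliceEqual` and `req.IsAdmin()`/`req.IsGuest()`, whose definitions are not visible in this hunk. If `SliceEqual` compares element by element, a request that only reorders an existing admin's role list is refused, and if `IsAdmin`/`IsGuest` read anything other than the submitted `req.Role`, a request that does carry the admin role could pass; a handler test covering both cases would pin this down. Only `UpdateUser` is touched here (its body starts and ends outside the hunk), so other paths that write `Role`, such as user creation, should be checked for the same rule. I would also state the intent above the check, e.g. `// Reject role changes that would grant the built-in admin or guest role; an unchanged role list passes through.`, and consider `403` rather than `400` since this is an authorization refusal.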