feat(user): Enhanced role assignment logic (#9297)

- Imported the `utils` package - Modified the role assignment logic to prevent assigning administrator or guest roles to users
2025-08-28 09:57:34 +08:00 · 2025-08-28 09:57:34 +08:00 · 84adba3acc
parent 3bf0af1e68
commit 84adba3acc
1 changed files with 10 additions and 1 deletions
--- a/server/handles/user.go
+++ b/server/handles/user.go
@ -1,9 +1,10 @@
 package handles

 import (
-	"github.com/alist-org/alist/v3/pkg/utils"
 	"strconv"

+	"github.com/alist-org/alist/v3/pkg/utils"
+
 	"github.com/alist-org/alist/v3/internal/model"
 	"github.com/alist-org/alist/v3/internal/op"
 	"github.com/alist-org/alist/v3/server/common"
@ -97,6 +98,14 @@ func UpdateUser(c *gin.Context) {
 			return
 		}
 	}
+
+	if !utils.SliceEqual(user.Role, req.Role) {
+		if req.IsAdmin() || req.IsGuest() {
+			common.ErrorStrResp(c, "cannot assign admin or guest role to user", 400, true)
+			return
+		}
+	}
+
 	if err := op.UpdateUser(&req); err != nil {
 		common.ErrorResp(c, err, 500)
 	} else {