From abedb9e7c8a2f429470704a1da443c1b9f10e04b Mon Sep 17 00:00:00 2001
From: okatu-loli <CN_QianShi@hotmail.com>
Date: Wed, 27 Aug 2025 19:37:35 +0800
Subject: [PATCH] feat(user): Enhanced role assignment logic

- Imported the `utils` package
- Modified the role assignment logic to prevent assigning administrator or guest roles to users
---
 server/handles/user.go | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/server/handles/user.go b/server/handles/user.go
index 01368bee..ac3a06e8 100644
--- a/server/handles/user.go
+++ b/server/handles/user.go
@@ -1,9 +1,10 @@
 package handles
 
 import (
-	"github.com/alist-org/alist/v3/pkg/utils"
 	"strconv"
 
+	"github.com/alist-org/alist/v3/pkg/utils"
+
 	"github.com/alist-org/alist/v3/internal/model"
 	"github.com/alist-org/alist/v3/internal/op"
 	"github.com/alist-org/alist/v3/server/common"
@@ -97,6 +98,14 @@ func UpdateUser(c *gin.Context) {
 			return
 		}
 	}
+
+	if !utils.SliceEqual(user.Role, req.Role) {
+		if req.IsAdmin() || req.IsGuest() {
+			common.ErrorStrResp(c, "cannot assign admin or guest role to user", 400, true)
+			return
+		}
+	}
+
 	if err := op.UpdateUser(&req); err != nil {
 		common.ErrorResp(c, err, 500)
 	} else {