Skip to content

[Bug] Prevent USER_ADMIN from downgrading existing SUPER_ADMIN accounts #562

Description

@kjken23

Summary

A user with the USER_ADMIN role can update the role of an existing SUPER_ADMIN account to USER or another non-super-admin role.

The current role update logic blocks non-SUPER_ADMIN users from assigning the SUPER_ADMIN role, but it does not check whether the target user already has SUPER_ADMIN. As a result, USER_ADMIN can remove super-admin privileges from another account through the admin user role update API.

Steps To Reproduce

  1. Prepare two platform users:
    • Actor user: has USER_ADMIN
    • Target user: has SUPER_ADMIN
  2. Sign in as the actor user.
  3. Call PUT /api/v1/admin/users/{targetUserId}/role with:
{
  "role": "USER"
}
  1. Observe that the request succeeds.
  2. Check the target user's platform roles. The target user no longer has SUPER_ADMIN.

Expected Behavior

Only users with SUPER_ADMIN should be allowed to mutate any SUPER_ADMIN role state.

A USER_ADMIN should not be able to:

  • assign SUPER_ADMIN;
  • remove SUPER_ADMIN;
  • replace an existing SUPER_ADMIN role with USER or another role.

USER_ADMIN should still be able to manage ordinary non-SUPER_ADMIN users.

Environment

Current mainline backend behavior.

Affected area:

  • Admin user management
  • Platform role mutation
  • RBAC authorization checks
  • PUT /api/v1/admin/users/{userId}/role

API Contract Impact

No API contract change is expected.

The existing endpoint and request body can remain unchanged. The fix should only tighten backend authorization behavior and return a forbidden error when a non-SUPER_ADMIN actor attempts to mutate a target user who currently has SUPER_ADMIN.

Implementation Scope

  • Update backend role mutation authorization.
  • Detect whether the target user currently has SUPER_ADMIN.
  • Require actor SUPER_ADMIN when the requested role is SUPER_ADMIN or the target user currently has SUPER_ADMIN.
  • Add regression test coverage for the demotion path.
  • No frontend or OpenAPI generated type changes are expected.

Acceptance Criteria

  • USER_ADMIN cannot assign SUPER_ADMIN.
  • USER_ADMIN cannot downgrade or replace the role of an existing SUPER_ADMIN.
  • SUPER_ADMIN can still manage SUPER_ADMIN role mutations.
  • USER_ADMIN can still manage ordinary non-SUPER_ADMIN users.
  • Rejected role mutation does not delete or alter existing role bindings.

Metadata

Metadata

Assignees

No one assigned

    Labels

    effort/l大改动或高风险改动,需要 maintainer 负责 / Large or risky change requiring maintainer ownership.priority/p2中优先级 / Medium priority triage bucket.triage/needs-info需要补充更多信息后才能分流 / Issue needs more detail before it can be routed.

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions