Merge pull request RocketChat#274 from assistify/hotfix/mrsimpson#65-…

…delete-admin fixed user with permission can delete admin
redlink-gmbh · Mar 19, 2018 · 7f23581 · 7f23581
2 parents 22719d4 + 757ee8c
commit 7f23581
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 0 deletions.
diff --git a/packages/rocketchat-api/server/v1/users.js b/packages/rocketchat-api/server/v1/users.js
@@ -51,6 +51,10 @@ RocketChat.API.v1.addRoute('users.delete', { authRequired: true }, {
 
 		const user = this.getUserFromParams();
 
+		if (RocketChat.authz.hasRole(user._id, 'admin') && !RocketChat.authz.hasRole(this.userId, 'admin')) {
+			return RocketChat.API.v1.unauthorized();
+		}
+
 		Meteor.runAsUser(this.userId, () => {
 			Meteor.call('deleteUser', user._id);
 		});

diff --git a/server/methods/deleteUser.js b/server/methods/deleteUser.js
@@ -14,7 +14,14 @@ Meteor.methods({
 			});
 		}
 
+		if (RocketChat.authz.hasRole(userId, 'admin') && !RocketChat.authz.hasRole(Meteor.userId(), 'admin')) {
+			throw new Meteor.Error('error-not-allowed', 'Not allowed', {
+				method: 'deleteUser'
+			});
+		}
+
 		const user = RocketChat.models.Users.findOneById(userId);
+
 		if (!user) {
 			throw new Meteor.Error('error-invalid-user', 'Invalid user', {
 				method: 'deleteUser'