Prevent rootAdmins from having other roles & being deleted via the API (#1699)

2025-09-18 23:14:52 +02:00 · 2025-09-11 12:56:21 +02:00 · 2025-09-11 12:56:21 +02:00 · 8f1ec20e96
commit 8f1ec20e96
parent 61dcb9a3ba
2 changed files with 24 additions and 14 deletions
--- a/app/Http/Controllers/Api/Application/Users/UserController.php
+++ b/app/Http/Controllers/Api/Application/Users/UserController.php
@ -102,12 +102,15 @@ class UserController extends ApplicationApiController
     */
    public function assignRoles(AssignUserRolesRequest $request, User $user): array
    {
-        foreach ($request->input('roles') as $role) {
-            if ($role === Role::getRootAdmin()->id) {
-                continue;
-            }
+        if (!$user->isRootAdmin()) {
+            $rootAdminId = Role::getRootAdmin()->id;
+            foreach ($request->input('roles') as $role) {
+                if ($role === $rootAdminId) {
+                    continue;
+                }

-            $user->assignRole($role);
+                $user->assignRole($role);
+            }
        }

        $response = $this->fractal->item($user)
@ -125,12 +128,15 @@ class UserController extends ApplicationApiController
     */
    public function removeRoles(AssignUserRolesRequest $request, User $user): array
    {
-        foreach ($request->input('roles') as $role) {
-            if ($role === Role::getRootAdmin()->id) {
-                continue;
-            }
+        if (!$user->isRootAdmin()) {
+            $rootAdminId = Role::getRootAdmin()->id;
+            foreach ($request->input('roles') as $role) {
+                if ($role === $rootAdminId) {
+                    continue;
+                }

-            $user->removeRole($role);
+                $user->removeRole($role);
+            }
        }

        $response = $this->fractal->item($user)
@ -169,8 +175,12 @@ class UserController extends ApplicationApiController
     */
    public function delete(DeleteUserRequest $request, User $user): JsonResponse
    {
-        $user->delete();
+        if (!$user->isRootAdmin()) {
+            $user->delete();

-        return new JsonResponse([], JsonResponse::HTTP_NO_CONTENT);
+            return new JsonResponse([], JsonResponse::HTTP_NO_CONTENT);
+        }
+
+        return new JsonResponse([], JsonResponse::HTTP_FORBIDDEN);
    }
 }
--- a/app/Http/Requests/Api/Application/Users/AssignUserRolesRequest.php
+++ b/app/Http/Requests/Api/Application/Users/AssignUserRolesRequest.php
@ -8,8 +8,8 @@ class AssignUserRolesRequest extends StoreUserRequest
    public function rules(?array $rules = null): array
    {
        return [
-            'roles' => 'array',
-            'roles.*' => 'int',
+            'roles' => 'required|array',
+            'roles.*' => 'integer|exists:roles,id',
        ];
    }
 }