From 1e141006109c2bd38d03d3ac6f7ec8eea27d336c Mon Sep 17 00:00:00 2001
From: Tony Yang
Date: Wed, 25 Sep 2019 16:47:05 +0800
Subject: [PATCH] update admin permission

---
 admin/ajax/user.php | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/admin/ajax/user.php b/admin/ajax/user.php
index bf9099d..7ed062c 100644
--- a/admin/ajax/user.php
+++ b/admin/ajax/user.php
@@ -33,6 +33,10 @@ if ($_SERVER["REQUEST_METHOD"] == "PATCH" || $_SERVER["REQUEST_METHOD"] == "POST
 // create new user, but user exists
 send_error(409, "userexists");
 }
+ // you cannot modify data of those with higher permission than you
+ if ($target_user->level > $user->level) {
+ send_error(403, "nopermission");
+ }
 } catch (NoUserException $e) {
 if ($_SERVER["REQUEST_METHOD"] == "PATCH") {
 // modify one that not exist -> error
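Review bot: The added guard compares only the target's *current* level with the caller's, so it does not stop a PATCH whose body raises the target's (or the caller's own) level above `$user->level`, and on POST it never runs at all because creation falls into the `NoUserException` branch below, where no level comparison is visible in this hunk. If the request payload can carry a level field (not visible here), the requested value must be checked on both paths, e.g. `if (isset($data['level']) && $data['level'] > $user->level) { send_error(403, "nopermission"); }` using whatever variable holds the decoded body. Note also that `>` permits editing peers at the same level; if only strictly-lower accounts should be editable, use `>=` with an explicit exception for the caller's own record. The guard relies on `send_error()` not returning, as the 409 branch above already does; the enclosing try block and request handler start outside this hunk.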