From 7bf8692753ba7a7b4a023059a3a16880b5c9af85 Mon Sep 17 00:00:00 2001
From: Tony Yang
Date: Sun, 2 Jun 2019 14:09:48 +0800
Subject: [PATCH] Permission policy updated
---
 admin/ajax/user.php | 4 ++++
 admin/component/user.js | 3 +++
 2 files changed, 7 insertions(+)
diff --git a/admin/ajax/user.php b/admin/ajax/user.php
index 4ca88ca..bf9099d 100644
--- a/admin/ajax/user.php
+++ b/admin/ajax/user.php
@@ -75,6 +75,10 @@ if ($_SERVER["REQUEST_METHOD"] == "PATCH" || $_SERVER["REQUEST_METHOD"] == "POST
 } else if ($level < 0) {
 $level = 0;
 }
+ // you cannot promote user to level higher than youself
+ if ($level > $user->level) {
+ send_error(403, "lowlevel");
+ }
 $SQL->query("UPDATE `user` SET `muted`='%d', `level`='%d' WHERE `username`='%s'", array($muted, $level, $username));
diff --git a/admin/component/user.js b/admin/component/user.js
index a376c7b..63f5a2e 100644
--- a/admin/component/user.js
+++ b/admin/component/user.js
@@ -192,6 +192,9 @@
 case "emailused":
 pageManager.snackbar("信箱已被其他使用者使用");
 break;
+ case "lowlevel":
+ pageManager.snackbar("權限不足");
+ break;
 default:
 pageManager.snackbar("發生錯誤");
 break;
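Review bot: The new guard compares only the requested `$level` against `$user->level`, so the target's current level is never checked and the UPDATE that follows still lets a caller demote or mute an account ranked above their own (the statement writes `muted` as well as `level`). Assuming `$user` is the authenticated caller, the target row's existing level should be read before the UPDATE and rejected with the same `send_error(403, "lowlevel")` when it is not below `$user->level`; with `>` the equality case also allows raising another account to the caller's own rank, which is worth an explicit decision. This hinges on `send_error()` terminating the request — if it only writes the response, the `$SQL->query(...)` line executes anyway. Minor: the comment should read `// you cannot promote a user to a level higher than yourself`. The enclosing request handler starts before the hunk.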