Permission policy updated

admin/ajax/user.php

@@ -75,6 +75,10 @@ if ($_SERVER["REQUEST_METHOD"] == "PATCH" || $_SERVER["REQUEST_METHOD"] == "POST
         } else if ($level < 0) {
             $level = 0;
         }
+        // you cannot promote user to level higher than youself
+        if ($level > $user->level) {
+            send_error(403, "lowlevel");
+        }
 
         $SQL->query("UPDATE `user` SET `muted`='%d', `level`='%d' WHERE `username`='%s'", array($muted, $level, $username));
 

admin/component/user.js

@@ -192,6 +192,9 @@
                 case "emailused":
                     pageManager.snackbar("信箱已被其他使用者使用");
                     break;
+                case "lowlevel":
+                    pageManager.snackbar("權限不足");
+                    break;
                 default:
                     pageManager.snackbar("發生錯誤");
                     break;