From 7a5057f02de5ecac9b73cdca5e1362938b7bf105 Mon Sep 17 00:00:00 2001
From: JustSong
Date: Fri, 28 Apr 2023 09:47:03 +0800
Subject: [PATCH] fix: check user's role when manage user (#30)

---
 controller/user.go | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/controller/user.go b/controller/user.go
index 02580dd..bebece0 100644
--- a/controller/user.go
+++ b/controller/user.go
@@ -539,9 +539,23 @@ func ManageUser(c *gin.Context) {
 	switch req.Action {
 	case "disable":
 		user.Status = common.UserStatusDisabled
+		if user.Role == common.RoleRootUser {
+			c.JSON(http.StatusOK, gin.H{
+				"success": false,
+				"message": "无法禁用超级管理员用户",
+			})
+			return
+		}
 	case "enable":
 		user.Status = common.UserStatusEnabled
 	case "delete":
+		if user.Role == common.RoleRootUser {
+			c.JSON(http.StatusOK, gin.H{
+				"success": false,
+				"message": "无法删除超级管理员用户",
+			})
+			return
+		}
 		if err := user.Delete(); err != nil {
 			c.JSON(http.StatusOK, gin.H{
 				"success": false,
@@ -557,6 +571,13 @@ func ManageUser(c *gin.Context) {
 			})
 			return
 		}
+		if user.Role >= common.RoleAdminUser {
+			c.JSON(http.StatusOK, gin.H{
+				"success": false,
+				"message": "该用户已经是管理员",
+			})
+			return
+		}
 		user.Role = common.RoleAdminUser
 	case "demote":
 		if user.Role == common.RoleRootUser {
@@ -566,6 +587,13 @@ func ManageUser(c *gin.Context) {
 			})
 			return
 		}
+		if user.Role == common.RoleCommonUser {
+			c.JSON(http.StatusOK, gin.H{
+				"success": false,
+				"message": "该用户已经是普通用户",
+			})
+			return
+		}
 		user.Role = common.RoleCommonUser
 	}
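Review bot: In the "disable" case the new root-user guard is placed after `user.Status = common.UserStatusDisabled`, so the in-memory user is mutated before the request is rejected; it only stays harmless because of the early return, and the guard should sit first so the rejection path touches no state, i.e. move the `if user.Role == common.RoleRootUser { ... return }` block above the status assignment, mirroring the "delete" case where the guard correctly precedes `user.Delete()`. All four new guards (this hunk and the "promote"/"demote" hunks below) inspect only the target user's role; whether the requester is itself allowed to manage a user of that role (an admin acting on another admin, for example) is not visible here, and if ManageUser does not enforce that earlier, these root-only checks are not a complete authorization boundary. ManageUser begins before this hunk and continues past it.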
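Review bot: The "promote" guard `if user.Role >= common.RoleAdminUser` relies on the role constants being numerically ordered with root above admin, so a root user sent "promote" is reported as "already an admin"; if that ordering is intended, a one-line comment such as `// root outranks admin, so >= rejects both` would keep the next reader from "fixing" it to `==`, and if the constants are not ordered this way the comparison should be explicit. The surrounding function starts and ends outside this hunk.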