@yasw175 yasw175 commented Dec 31, 2025

Description

This PR addresses Issue #9326.

I implemented a validation check in user_service.py (inside the update method) to prevent an Admin user from demoting their own role permissions. This fixes a logic gap where an admin could accidentally lock themselves out of administrative privileges.

Specifically:

  • Added a check to verify if uid matches context.credentials (the user modifying themselves).
  • Added a check to verify if the current user role is ADMIN.
  • Raises a SyftError with the message "Admins cannot demote their own role!" if a demotion is attempted.

Fixes #9326

Affected Dependencies

None. This change only modifies internal logic in packages/syft/src/syft/service/user/user_service.py.

How has this been tested?

  • Manual Logic Verification
  • I verified the code path in user_service.py to ensure the conditional logic correctly targets only self-updates by Admin users.

Checklist
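To make the three conditions in the description concrete, here is a self-contained sketch of the guard, written for this page and not taken from PySyft's user_service.py: the `ServiceRole` values, the `User`/`UserUpdate` dataclasses and the `SyftError` stand-in are constructed for the example, and the guard compares the target uid with the requester's uid (the context credentials), checks that the current role is ADMIN, and only raises when the new role is strictly lower.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class ServiceRole(IntEnum):
    # Constructed ordering: a higher value means more privilege.
    GUEST = 1
    DATA_SCIENTIST = 2
    DATA_OWNER = 32
    ADMIN = 128


@dataclass
class User:
    uid: str
    role: ServiceRole


@dataclass
class UserUpdate:
    role: Optional[ServiceRole] = None  # None: the role field is not being changed


class SyftError(Exception):
    """Stand-in for PySyft's SyftError (constructed for this example)."""


def check_self_demotion(requester_uid: str, target: User, update: UserUpdate) -> None:
    """Raise SyftError when an admin tries to lower their own role.

    Condition 1: the target uid equals the requester's uid (a self-update).
    Condition 2: the user's current role is ADMIN.
    Condition 3: the requested role is lower than the current one.
    Everything else (other users, non-admins, same role) passes through.
    """
    if update.role is None:
        return
    is_self = target.uid == requester_uid
    is_admin = target.role == ServiceRole.ADMIN
    is_demotion = update.role < target.role
    if is_self and is_admin and is_demotion:
        raise SyftError("Admins cannot demote their own role!")


def apply_update(requester_uid: str, target: User, update: UserUpdate) -> User:
    """Run the guard, then apply the role change; returns the updated user."""
    check_self_demotion(requester_uid, target, update)
    if update.role is not None:
        target.role = update.role
    return target


def is_blocked(requester_uid: str, target: User, update: UserUpdate) -> bool:
    """True when the guard rejects the update (convenience for callers/tests)."""
    try:
        check_self_demotion(requester_uid, target, update)
    except SyftError:
        return True
    return False
```

The same-role and other-user cases are deliberately allowed so that the check stays narrow and does not interfere with an admin managing other accounts.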


Development

Successfully merging this pull request may close these issues.

Prevent Admin user from de-leveling its own permissions
