only owners can manage owners

2025-07-04 01:22:50 -05:00 · 2017-09-27 22:37:13 -04:00
parent c135a2a166
commit 2444346ea9
2 changed files with 32 additions and 1 deletions
--- a/src/Api/Controllers/OrganizationUsersController.cs
+++ b/src/Api/Controllers/OrganizationUsersController.cs
@ -174,6 +174,11 @@ namespace Bit.Api.Controllers
                throw new NotFoundException();
            }

+            if(organizationUser.Type == Core.Enums.OrganizationUserType.Owner && !_currentContext.OrganizationOwner(orgGuidId))
+            {
+                throw new BadRequestException("Only owners can update other owners.");
+            }
+
            await _organizationUserRepository.UpdateGroupsAsync(organizationUser.Id, model.GroupIds.Select(g => new Guid(g)));
        }