@@ -776,17 +776,26 @@ const updateUserRole = (req, res) => {
776776
777777const deleteUserRole = async ( req , res ) => {
778778 try {
779- let isSuperAdmin = authAPI . checkHasRole ( req . user , 'libretexts' , 'superadmin' ) ;
780- if ( ! isSuperAdmin && ( req . body . orgID !== process . env . ORG_ID ) ) {
779+ const isSuperAdmin = authAPI . checkHasRole ( req . user , 'libretexts' , 'superadmin' ) ;
780+ // Check if the user is trying to delete a role for an organization they are not a campus admin for (if not a super admin)
781+ // or if they are trying to delete a role for the LibreTexts organization (only super admins can do this)
782+ if ( ! isSuperAdmin && ( req . body . orgID !== process . env . ORG_ID || req . body . orgID === 'libretexts' ) ) {
781783 return res . send ( {
782784 err : true ,
783785 errMsg : conductorErrors . err8
784786 } ) ;
785787 }
788+
789+ if ( req . user . decoded . uuid === req . body . uuid ) {
790+ return res . status ( 403 ) . send ( {
791+ err : true ,
792+ errMsg : conductorErrors . err91
793+ } ) ;
794+ }
786795
787796 const user = await User . findOne ( { uuid : req . body . uuid } ) . lean ( ) ;
788797 if ( ! user ) {
789- return res . send ( {
798+ return res . status ( 400 ) . send ( {
790799 err : true ,
791800 errMsg : conductorErrors . err7
792801 } ) ;
@@ -808,14 +817,14 @@ const deleteUserRole = async (req, res) => {
808817 msg : "Successfully deleted the user's role."
809818 } ) ;
810819 } else {
811- return res . send ( {
820+ return res . status ( 500 ) . send ( {
812821 err : true ,
813822 errMsg : conductorErrors . err3
814823 } ) ;
815824 }
816825 } catch ( err ) {
817826 debugError ( err ) ;
818- return res . send ( {
827+ return res . status ( 500 ) . send ( {
819828 err : true ,
820829 errMsg : conductorErrors . err6
821830 } ) ;
0 commit comments