Skip to content

fix: prevent privilege escalation in set-role endpoint (#3954)#3959

Open
atul-upadhyay-7 wants to merge 10 commits into
Premshaw23:masterfrom
atul-upadhyay-7:fix/privilege-escalation-admin-role
Open

fix: prevent privilege escalation in set-role endpoint (#3954)#3959
atul-upadhyay-7 wants to merge 10 commits into
Premshaw23:masterfrom
atul-upadhyay-7:fix/privilege-escalation-admin-role

Conversation

@atul-upadhyay-7

Copy link
Copy Markdown
Contributor

Summary

This PR fixes the privilege escalation vulnerability in the endpoint that allowed any authenticated user to self-appoint as admin without any invite code or approval.

Changes

  1. Added admin invite code validation — The role now requires a valid environment variable, matching the existing pattern for and roles.

  2. Added role hierarchy check — Prevents users with existing roles from escalating to a higher-privilege role (e.g., a cannot upgrade themselves to ).

  3. Added role validation — Unknown roles are now rejected with a 403 error instead of being silently accepted.

How It Works

Role Invite Code Required Env Variable
admin Yes
teacher Yes
institute Yes
student No
parent No

Testing

  1. Register a new user account
  2. Try to call with — should return 403
  3. Try with a valid invite code — should succeed
  4. Try to escalate from to — should return 403

Related Issue

Fixes #3954

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Privilege Escalation: Any User Can Self-Appoint as Admin via /api/auth/set-role

1 participant