From 826ce3dcd103d8956d9b0bf9474c6f0b60502c1c Mon Sep 17 00:00:00 2001
From: Hyko
Date: Sat, 25 Apr 2026 09:59:33 -0400
Subject: [PATCH] fix(auth): prevent system roles from being updated
- throw error in updateRole when role is system-protected
- hide edit button in roles table for system roles
- update README to reflect roles cannot be modified (not just renamed)
---
 src/core/users/README.md | 2 +-
 src/core/users/roles.js | 1 +
 src/features/admin/pages/RolesPage.client.js | 16 +++++++++-------
 3 files changed, 11 insertions(+), 8 deletions(-)
diff --git a/src/core/users/README.md b/src/core/users/README.md
index edce495..2101959 100644
--- a/src/core/users/README.md
+++ b/src/core/users/README.md
@@ -214,7 +214,7 @@ await assignUserRole(userId, roleId);
 await revokeUserRole(userId, roleId);
 ```
-Les rôles système (`is_system = true`) ne peuvent pas être renommés ni supprimés.
+Les rôles système (`is_system = true`) ne peuvent pas être modifiés ni supprimés.
 ---
diff --git a/src/core/users/roles.js b/src/core/users/roles.js
index eb60d4c..1c6011a 100644
--- a/src/core/users/roles.js
+++ b/src/core/users/roles.js
@@ -54,6 +54,7 @@ export async function updateRole(roleId, { name, description, color, permissionK
 if (role.rows.length === 0) throw new Error('Role not found');
 const isSystem = role.rows[0].is_system;
+ if (isSystem) throw new Error('Cannot update a system role');
 return transaction(async (client) => {
 const updateFields = [];
diff --git a/src/features/admin/pages/RolesPage.client.js b/src/features/admin/pages/RolesPage.client.js
index e4c031f..7abd948 100644
--- a/src/features/admin/pages/RolesPage.client.js
+++ b/src/features/admin/pages/RolesPage.client.js
@@ -81,13 +81,15 @@ const RolesPageClient = ({ canManage }) => { align: 'right', render: (role) => (
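Review bot: The new guard `if (isSystem) throw new Error('Cannot update a system role');` in updateRole acts on a row read before `transaction(...)` opens, so the protection is check-then-act rather than part of the write itself. If the UPDATE inside the transaction (outside this hunk) is keyed on the role id only, consider making the statement refuse system rows as well, for example by adding `AND is_system = false` to its WHERE clause and treating zero affected rows as the same error, so the rule still holds if the flag changes between the read and the write. Any later branches on `isSystem` inside the transaction are presumably dead code after this change and could be removed. The plain `Error` is also indistinguishable from 'Role not found' for callers; a marker such as `err.code = 'SYSTEM_ROLE'` would let the API layer answer with a 403 instead of a generic failure. updateRole's body begins and ends outside the hunk, so these points are inferred from the visible lines only.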
- + {!role.is_system && ( + + )} {!role.is_system && (