fix(core): Do not allow admins to generate password-reset links for instance owner (#9488)

2025-12-18 10:31:15 +00:00 · 2024-05-22 16:13:56 +02:00
parent 8f55bb1457
commit 88b9a4070b
2 changed files with 37 additions and 6 deletions
--- a/packages/cli/src/controllers/users.controller.ts
+++ b/packages/cli/src/controllers/users.controller.ts
@@ -115,6 +115,10 @@ export class UsersController {
 			throw new NotFoundError('User not found');
 		}

+		if (req.user.role === 'global:admin' && user.role === 'global:owner') {
+			throw new ForbiddenError('Admin cannot reset password of global owner');
+		}
+
 		const link = this.authService.generatePasswordResetUrl(user);
 		return { link };
 	}