Skip to content

Commit 6bf2b17

Browse files
parth0025claude
andcommitted
fix: scope updateMember role-promotion guard to PAT requests
Companion to #248: the owner-only role-promotion check in updateMember now runs only for PAT/MCP requests (req.apiToken), so the web app's role management behaves exactly as before. Same 2026-06-15 MCP-isolation hardening as permissionGuard.js. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
1 parent 42a4fdf commit 6bf2b17

1 file changed

Lines changed: 5 additions & 4 deletions

File tree

Modules/settings/Members/controller.js

Lines changed: 5 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -219,10 +219,11 @@ exports.updateMember = async (req, res) => {
219219
});
220220
}
221221

222-
// Defense in depth (route is already owner/admin-gated): granting
223-
// owner/admin (roleType 1/2) is OWNER-only — prevents an admin from
224-
// promoting anyone (incl. self) to owner. Members never reach here.
225-
if (data && data.roleType !== undefined) {
222+
// Defense in depth: granting owner/admin (roleType 1/2) is OWNER-only.
223+
// SCOPED TO PAT/MCP REQUESTS ONLY (req.apiToken) so the web app's role
224+
// management behaves exactly as before — MCP changes must never affect
225+
// existing frontend/backend behavior (2026-06-15).
226+
if (req.apiToken && data && data.roleType !== undefined) {
226227
const { getRoleType, ROLE_OWNER, ROLE_ADMIN } = require('../../../Config/permissionGuard');
227228
const callerRole = await getRoleType(req.headers['companyid'] || '', req.uid);
228229
const targetRole = Number(data.roleType);

0 commit comments

Comments
 (0)