Fixed vulnerability in changeRankController.js

src/controllers/api/admin/changeRankController.js

@@ -25,18 +25,31 @@ const userModel = require('../../../schemas/userSchema');
 //api change rank functions
 module.exports.post = async function(req, res){
     try{
+        //Get validation results
         const validResult = validationResult(req);
 
+        //If we don't have any validation errors
         if(validResult.isEmpty()){
+            //get validated/sanatized data and use it to find our user from the Database.
             const data = matchedData(req);
             const user = await userModel.findOne({user: data.user});
 
             if(user == null){
+                //If the user is null, scream and shout
                 res.status(400);
                 res.send({errors:[{type: "Bad Query", msg: "User not found.", date: new Date()}]});
+            }else if(user.user == req.session.user.user){
+                //If some smart-ass is trying self-privelege escalation
+                res.status(401);
+                return res.send({errors:[{type: "Unauthorized", msg: "No, you can't change your own rank. Fuck off.", date: new Date()}]});
             }else if(permissionModel.rankToNum(data.rank) >= permissionModel.rankToNum(req.session.user.rank)){
+                //If the user is below the new rank of the user they're setting, scream and shout
                 res.status(401);
                 return res.send({errors:[{type: "Unauthorized", msg: "New rank must be below that of the user changing it.", date: new Date()}]});
+            }else if(permissionModel.rankToNum(user.rank) >= permissionModel.rankToNum(req.session.user.rank)){
+                //If the user is below the original rank of the user they're setting, scream and shout
+                res.status(401);
+                return res.send({errors:[{type: "Unauthorized", msg: "You cannot promote/demote peer/outranking users.", date: new Date()}]});
             }
 
             user.rank = data.rank;