[H5] Server does not block self-role-demotion (only self-delete); lockout guard is client-only #19

Open
opened 2026-06-05 17:35:45 -07:00 by azcomputerguru · 0 comments

Severity: High

Component(s): server + dashboard

Affected file(s):

  • server/src/api/users.rs + auth extractor
  • dashboard/src/.../EditUserModal.tsx

Problem:
The server blocks self-delete but not self-role-demotion, and the lockout guard is client-only — a user can demote/disable themselves and lock out the last admin.

Recommended fix:
Enforce self-demotion/self-disable protection server-side (mirror GuruRMM SPEC-027 last-admin guards).

Remediation phase: P0

From the 2026-06-05 three-way review (Claude+Gemini+Grok) — see reports/review-2026-06-05/SYNTHESIS-three-way.md (finding H5) and REMEDIATION-PLAN.md (P0).

azcomputerguru added the severity:high, component:server, component:dashboard, security labels 2026-06-05 17:35:45 -07:00
Reference: azcomputerguru/guru-connect#19
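As an added illustration of the recommended fix (this is example code written for this page, not GuruConnect's `users.rs` or the GuruRMM SPEC-027 guard), the block below shows a server-side guard that a `PATCH /users/{id}` and `DELETE /users/{id}` handler can call before writing to the database. The `User`, `UserUpdate`, `Role` and `GuardError` types, the `check_user_update` / `check_user_delete` functions and the `sample_users` directory are all assumptions made for the example. The actor id is taken from the authenticated session (the auth extractor), never from the request body, and two rules are enforced regardless of what the dashboard does: a user may never lower their own role or disable their own account (mirroring the existing self-delete block), and no change may leave the instance without an active admin.

```rust
use std::collections::HashMap;

/// Roles ordered by privilege: `Role::Admin > Role::User` (derived Ord).
#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub enum Role {
    User,
    Admin,
}

/// Minimal user record (hypothetical; not the project's real schema).
#[derive(Clone, Debug)]
pub struct User {
    pub id: u64,
    pub role: Role,
    pub active: bool,
}

/// Fields a PATCH /users/{id} body may change; `None` means leave unchanged.
#[derive(Clone, Copy, Debug, Default)]
pub struct UserUpdate {
    pub role: Option<Role>,
    pub active: Option<bool>,
}

#[derive(Debug, PartialEq, Eq)]
pub enum GuardError {
    NotFound,
    /// Actor tried to lower their own role or disable their own account.
    SelfLockout,
    /// Change would leave no active admin on the instance.
    LastAdmin,
}

/// Server-side guard. `actor_id` must come from the authenticated session
/// (the auth extractor), never from the request body; otherwise a client
/// could bypass the self checks by naming someone else as the actor.
pub fn check_user_update(
    users: &HashMap<u64, User>,
    actor_id: u64,
    target_id: u64,
    update: UserUpdate,
) -> Result<(), GuardError> {
    let target = users.get(&target_id).ok_or(GuardError::NotFound)?;

    // Target's state after the update; unspecified fields keep their value.
    let new_role = update.role.unwrap_or(target.role);
    let new_active = update.active.unwrap_or(target.active);

    let demoted = new_role < target.role;
    let disabled = target.active && !new_active;

    // 1. Self-protection, mirroring the existing self-delete block: nobody
    //    may lower their own role or disable themselves, even when other
    //    admins exist. The dashboard's client-side check is not a control.
    if actor_id == target_id && (demoted || disabled) {
        return Err(GuardError::SelfLockout);
    }

    // 2. Last-admin guard: if this change strips admin capability from an
    //    active admin, at least one other active admin must remain.
    let was_admin = target.role == Role::Admin && target.active;
    let stays_admin = new_role == Role::Admin && new_active;
    if was_admin && !stays_admin {
        let other_active_admins = users
            .values()
            .filter(|u| u.id != target_id && u.role == Role::Admin && u.active)
            .count();
        if other_active_admins == 0 {
            return Err(GuardError::LastAdmin);
        }
    }
    Ok(())
}

/// DELETE /users/{id} is the strongest demotion, so it runs the same guard.
pub fn check_user_delete(
    users: &HashMap<u64, User>,
    actor_id: u64,
    target_id: u64,
) -> Result<(), GuardError> {
    let as_removed = UserUpdate { role: Some(Role::User), active: Some(false) };
    check_user_update(users, actor_id, target_id, as_removed)
}

/// Constructed sample directory: two active admins and one regular user.
pub fn sample_users() -> HashMap<u64, User> {
    vec![
        User { id: 1, role: Role::Admin, active: true },
        User { id: 2, role: Role::Admin, active: true },
        User { id: 3, role: Role::User, active: true },
    ]
    .into_iter()
    .map(|u| (u.id, u))
    .collect()
}

fn main() {
    let users = sample_users();
    let demote = UserUpdate { role: Some(Role::User), active: None };
    // Admin 1 demoting themselves is refused even though admin 2 exists.
    println!("self-demote: {:?}", check_user_update(&users, 1, 1, demote));
    // Admin 1 demoting admin 2 is allowed: admin 1 remains active.
    println!("demote other: {:?}", check_user_update(&users, 1, 2, demote));
}
```

In a real handler the admin count and the write should happen in the same database transaction (or under a row lock on the target), otherwise two admins demoting each other concurrently can each pass the count check and still leave the instance adminless. The dashboard's `EditUserModal.tsx` check can stay for usability, but only the server-side result decides.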