fix admin (not super) not being authorized to update users

ticketz-oss · Jul 22, 2024 · 2c133cf · 2c133cf
1 parent e492d17
commit 2c133cf
Showing 1 changed file with 5 additions and 3 deletions.
diff --git a/backend/src/services/UserServices/UpdateUserService.ts b/backend/src/services/UserServices/UpdateUserService.ts
@@ -36,9 +36,11 @@ const UpdateUserService = async ({
 
   const requestUser = await User.findByPk(requestUserId);
 
-  if ( 
-    (requestUser.super === false && userData.companyId !== requestUser.companyId) ||
-    (requestUser.profile !== "admin" && +userId !== requestUser.id )
+  if (
+    !requestUser.super &&
+    +userId !== requestUser.id &&
+    (user.companyId !== requestUser.companyId ||
+      requestUser.profile !== "admin")
   ) {
     throw new AppError("ERR_FORBIDDEN", 403);
   }