X-Git-Url: https://git.r.bdr.sh/rbdr/mobius/blobdiff_plain/e17f2303e8c1fb940b7550af2b02b6eb35d58f96..ecb1fcd941a85162b9a799e59bb3b6b0bc1a5580:/hotline/transaction_handlers.go

diff --git a/hotline/transaction_handlers.go b/hotline/transaction_handlers.go
index abe2ea8..2d03b07 100644
--- a/hotline/transaction_handlers.go
+++ b/hotline/transaction_handlers.go
@@ -805,6 +805,15 @@ func HandleUpdateUser(cc *ClientConn, t *Transaction) (res []Transaction, err er
 			newAccess := accessBitmap{}
 			copy(newAccess[:], getField(fieldUserAccess, &subFields).Data[:])
 
+			// Prevent account from creating new account with greater permission
+			for i := 0; i < 64; i++ {
+				if newAccess.IsSet(i) {
+					if !cc.Authorize(i) {
+						return append(res, cc.NewErrReply(t, "Cannot create account with more access than yourself.")), err
+					}
+				}
+			}
+
 			err := cc.Server.NewUser(login, string(getField(fieldUserName, &subFields).Data), string(getField(fieldUserPassword, &subFields).Data), newAccess)
 			if err != nil {
 				return []Transaction{}, err
@@ -834,6 +843,16 @@ func HandleNewUser(cc *ClientConn, t *Transaction) (res []Transaction, err error
 	newAccess := accessBitmap{}
 	copy(newAccess[:], t.GetField(fieldUserAccess).Data[:])
 
+	// Prevent account from creating new account with greater permission
+	for i := 0; i < 64; i++ {
+		if newAccess.IsSet(i) {
+			if !cc.Authorize(i) {
+				res = append(res, cc.NewErrReply(t, "Cannot create account with more access than yourself."))
+				return res, err
+			}
+		}
+	}
+
 	if err := cc.Server.NewUser(login, string(t.GetField(fieldUserName).Data), string(t.GetField(fieldUserPassword).Data), newAccess); err != nil {
 		return []Transaction{}, err
 	}