From 2f2ef471f76f55ec5ea97ea88f202b4280ec2598 Mon Sep 17 00:00:00 2001
From: undefined
Date: Mon, 1 May 2023 00:58:39 +0800
Subject: [PATCH] core: do not allow updating domain owner's permission
---
 packages/hydrooj/src/handler/domain.ts | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/packages/hydrooj/src/handler/domain.ts b/packages/hydrooj/src/handler/domain.ts
index 943aeca4..926417dd 100644
--- a/packages/hydrooj/src/handler/domain.ts
+++ b/packages/hydrooj/src/handler/domain.ts
@@ -3,7 +3,7 @@ import { Dictionary } from 'lodash';
 import moment from 'moment-timezone';
 import { Context } from '../context';
 import {
- CannotDeleteSystemDomainError, DomainJoinAlreadyMemberError, DomainJoinForbiddenError,
+ CannotDeleteSystemDomainError, DomainJoinAlreadyMemberError, DomainJoinForbiddenError, ForbiddenError,
 InvalidJoinInvitationCodeError, OnlyOwnerCanDeleteDomainError, PermissionError, RoleAlreadyExistError, ValidationError,
 } from '../error';
 import type { DomainDoc } from '../interface';
@@ -162,6 +162,7 @@ class DomainUserHandler extends ManageHandler {
 @post('uid', Types.Int)
 @post('role', Types.Role)
 async postSetUser(domainId: string, uid: number, role: string) {
+ if (uid === this.domain.owner) throw new ForbiddenError();
 await Promise.all([
 domain.setUserRole(domainId, uid, role),
 oplog.log(this, 'domain.setRole', { uid, role }),
@@ -173,6 +174,7 @@ class DomainUserHandler extends ManageHandler {
 @param('uid', Types.NumericArray)
 @param('role', Types.Role)
 async postSetUsers(domainId: string, uid: number[], role: string) {
+ if (uid.includes(this.domain.owner)) throw new ForbiddenError();
 await Promise.all([
 domain.setUserRole(domainId, uid, role),
 oplog.log(this, 'domain.setRole', { uid, role }),
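Review bot: The owner guard in `postSetUser` (and its twin in `postSetUsers`) is enforced only in the HTTP handler, so the invariant holds only for requests that pass through these two methods. `domain.setUserRole` is not part of this diff; if it does not reject the owner's uid itself, any other caller (another handler, a script, an addon) can still change the owner's role. Consider enforcing the rule in the model, or at least record the dependency at the check: `// Owner role is immutable; verify domain.setUserRole callers elsewhere apply the same rule.` Note also that the comparison uses `this.domain.owner` while the write uses the `domainId` argument, which presumably always refer to the same domain and is worth a one-line comment. The method body continues outside the hunk.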
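Review bot: A rejected attempt to change the owner's role in `postSetUsers` leaves no audit record, because the `throw` comes before the `oplog.log(this, 'domain.setRole', …)` call; the same holds for the single-user check in `postSetUser`. A manager trying to alter the owner's role is exactly the event an operator would want to see, so consider logging the denial before throwing, e.g. `await oplog.log(this, 'domain.setRole.denied', { uid, role });` (the action name is a suggestion, not an existing one). The bare `new ForbiddenError()` also gives the caller no hint which uid in the batch caused the whole request to be refused. The method body continues outside the hunk.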