Fix: admin operation permission verification

internal/op/room.go

@@ -102,12 +102,19 @@ func (r *Room) UserRole(userID string) (model.RoomMemberRole, error) {
 
 // do not use this value for permission determination
 func (r *Room) IsAdmin(userID string) bool {
+	if r.IsCreator(userID) {
+		return true
+	}
 	role, err := r.UserRole(userID)
 	if err != nil {
 		log.Errorf("get user role failed: %s", err.Error())
 		return false
 	}
-	return role == model.RoomMemberRoleCreator
+	return role.IsAdmin()
+}
+
+func (r *Room) IsCreator(userID string) bool {
+	return r.CreatorID == userID
 }
 
 func (r *Room) HasAdminPermission(userID string, permission model.RoomAdminPermission) bool {

internal/op/user.go

@@ -208,14 +208,11 @@ func (u *User) HasRoomAdminPermission(room *Room, permission model.RoomAdminPerm
 }
 
 func (u *User) IsRoomAdmin(room *Room) bool {
-	if u.IsAdmin() {
-		return true
-	}
 	return room.IsAdmin(u.ID)
 }
 
 func (u *User) IsRoomCreator(room *Room) bool {
-	return room.CreatorID == u.ID
+	return room.IsCreator(u.ID)
 }
 
 func (u *User) DeleteRoom(room *RoomEntry) error {
@@ -454,6 +451,12 @@ func (u *User) BanRoomMember(room *Room, userID string) error {
 	if !u.HasRoomAdminPermission(room, model.PermissionBanRoomMember) {
 		return model.ErrNoPermission
 	}
+	if u.ID == userID {
+		return errors.New("cannot ban yourself")
+	}
+	if room.IsAdmin(userID) && !u.IsRoomCreator(room) {
+		return errors.New("cannot ban admin")
+	}
 	return room.BanMember(userID)
 }
 
@@ -461,6 +464,9 @@ func (u *User) UnbanRoomMember(room *Room, userID string) error {
 	if !u.HasRoomAdminPermission(room, model.PermissionBanRoomMember) {
 		return model.ErrNoPermission
 	}
+	if u.ID == userID {
+		return errors.New("cannot unban yourself")
+	}
 	return room.UnbanMember(userID)
 }
 
@@ -468,6 +474,9 @@ func (u *User) SetMemberPermissions(room *Room, userID string, permissions model
 	if !u.HasRoomAdminPermission(room, model.PermissionSetUserPermission) {
 		return model.ErrNoPermission
 	}
+	if room.IsAdmin(userID) && !u.IsRoomCreator(room) {
+		return errors.New("cannot set admin permissions")
+	}
 	return room.SetMemberPermissions(userID, permissions)
 }
 
@@ -475,6 +484,9 @@ func (u *User) AddMemberPermissions(room *Room, userID string, permissions model
 	if !u.HasRoomAdminPermission(room, model.PermissionSetUserPermission) {
 		return model.ErrNoPermission
 	}
+	if room.IsAdmin(userID) && !u.IsRoomCreator(room) {
+		return errors.New("cannot add admin permissions")
+	}
 	return room.AddMemberPermissions(userID, permissions)
 }
 
@@ -482,6 +494,9 @@ func (u *User) RemoveMemberPermissions(room *Room, userID string, permissions mo
 	if !u.HasRoomAdminPermission(room, model.PermissionSetUserPermission) {
 		return model.ErrNoPermission
 	}
+	if room.IsAdmin(userID) && !u.IsRoomCreator(room) {
+		return errors.New("cannot remove admin permissions")
+	}
 	return room.RemoveMemberPermissions(userID, permissions)
 }
 
@@ -489,6 +504,9 @@ func (u *User) ResetMemberPermissions(room *Room, userID string) error {
 	if !u.HasRoomAdminPermission(room, model.PermissionSetUserPermission) {
 		return model.ErrNoPermission
 	}
+	if room.IsAdmin(userID) && !u.IsRoomCreator(room) {
+		return errors.New("cannot reset admin permissions")
+	}
 	return room.ResetMemberPermissions(userID)
 }