From 434154e26d82020d6b89a6cff97b12fa34eb1bca Mon Sep 17 00:00:00 2001
From: PxlLoewe <72106766+PxlLoewe@users.noreply.github.com>
Date: Mon, 15 Dec 2025 02:55:44 +0100
Subject: [PATCH] Security Fixes

---
 .../(app)/admin/user/[id]/_components/forms.tsx | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/apps/hub/app/(app)/admin/user/[id]/_components/forms.tsx b/apps/hub/app/(app)/admin/user/[id]/_components/forms.tsx
index 8772a1a4..1ba128c8 100644
--- a/apps/hub/app/(app)/admin/user/[id]/_components/forms.tsx
+++ b/apps/hub/app/(app)/admin/user/[id]/_components/forms.tsx
@@ -76,6 +76,20 @@ export const ProfileForm: React.FC = ({ user }: ProfileFormPro
 className="card-body"
 onSubmit={form.handleSubmit(async (values) => {
 if (!values.id) return;
+ if (values.id === session.data?.user.id && values.permissions !== user.permissions){
+ toast.error("Du kannst deine eigenen Berechtigungen nicht ändern.");
+ return;
+ }
+ if ( values.permissions?.some((perm) => !session.data?.user.permissions.includes(perm)) ){
+ toast.error("Du kannst Berechtigungen nicht hinzufügen, die du selbst nicht besitzt.");
+ return;
+ }
+ const removedPermissions = user.permissions?.filter((perm) => !values.permissions?.includes(perm)) || [];
+ if ( removedPermissions.some((perm) => !session.data?.user.permissions.includes(perm)) ){
+ toast.error("Du kannst Berechtigungen nicht entfernen, die du selbst nicht besitzt.");
+ return;
+ }
 await editUser(values.id, {
 ...values,
 email: values.email.toLowerCase(),
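Review bot: The three guards inserted before `await editUser(values.id, {` live in a client form component (`toast.error`, `session.data`), so they only improve the UX and enforce nothing on their own; a request that skips the form reaches `editUser` unchanged, and the commit, titled "Security Fixes", touches no server-side code. The same rules (no self-modification of permissions, no granting or revoking permissions the caller does not hold) have to be checked inside `editUser` against the server-side session, and the client checks should be commented as advisory, e.g. `// UI-only pre-check; editUser enforces the same rules server-side`. The first guard also compares `values.permissions !== user.permissions` by reference, which is true for any fresh array even with identical contents, so an admin editing their own profile is likely blocked on every save; compare contents instead, e.g. `const permsChanged = values.permissions?.length !== user.permissions?.length || values.permissions?.some((perm) => !user.permissions?.includes(perm));` and use `permsChanged` in the condition. The second and third guards use a different brace and parenthesis spacing (`if ( … ){`) from the first; one style should be used. The enclosing `ProfileForm` component and the `handleSubmit` callback start before and continue after this hunk.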