From 7352d17dd81f101753e5d8bac2aa1b97c08c4c26 Mon Sep 17 00:00:00 2001
From: Danny Auble <da@schedmd.com>
Date: Mon, 9 Sep 2013 15:33:00 -0700
Subject: [PATCH] Return error if an operator or below tries to modify the
 admin level of someone.  They can still add or remove a user of any admin
 level.

---
 src/slurmdbd/proc_req.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/src/slurmdbd/proc_req.c b/src/slurmdbd/proc_req.c
index d793c6777e9..7043c18525e 100644
--- a/src/slurmdbd/proc_req.c
+++ b/src/slurmdbd/proc_req.c
@@ -2365,9 +2365,15 @@ is_same_user:
 
 	if ((user_rec->admin_level != SLURMDB_ADMIN_NOTSET)
 	    && (*uid != slurmdbd_conf->slurm_user_id && *uid != 0)
-	    && (admin_level < user_rec->admin_level)) {
-		comment = "You have to be the same or higher admin level to change another persons";
-		user_rec->admin_level = SLURMDB_ADMIN_NOTSET;
+	    && (admin_level < SLURMDB_ADMIN_SUPER_USER)) {
+		comment = "You must be a super user to modify a users admin level";
+		error("CONN:%u %s", slurmdbd_conn->newsockfd, comment);
+		*out_buffer = make_dbd_rc_msg(slurmdbd_conn->
+					      rpc_version,
+					      ESLURM_ACCESS_DENIED,
+					      comment,
+					      DBD_MODIFY_USERS);
+		return ESLURM_ACCESS_DENIED;
 	}
 
 	if (!(list_msg.my_list = acct_storage_g_modify_users(
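Review bot: The denial logged by `error("CONN:%u %s", slurmdbd_conn->newsockfd, comment);` records only the socket descriptor and the message, so the log does not show which account attempted the admin-level change. Adding the requester makes the event attributable in an audit, for example `error("CONN:%u uid:%u %s", slurmdbd_conn->newsockfd, *uid, comment);`, assuming `*uid` is an unsigned 32-bit id as the comparisons just above suggest. The enclosing function starts and ends outside this hunk, so it is not visible whether anything allocated earlier in it (possibly the decoded request message) is released on the new `return ESLURM_ACCESS_DENIED;` path. It is worth confirming that this early return performs the same cleanup as the normal exit.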
-- 
GitLab