From 33fa84db1702f006c51ecadf6394c90816a06d3a Mon Sep 17 00:00:00 2001
From: Max Castro
Date: Mon, 8 Mar 2021 02:46:19 -0400
Subject: [PATCH] Update UsersController.php
---
 src/Api/Controllers/UsersController.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/Api/Controllers/UsersController.php b/src/Api/Controllers/UsersController.php
index 9dd7eef3..e7ceefdd 100644
--- a/src/Api/Controllers/UsersController.php
+++ b/src/Api/Controllers/UsersController.php
@@ -179,7 +179,8 @@ public function edit($id) : Response
 unset($request['default_company'], $request['default_company_branch']);
 }
- if (isset($request['roles_id'])) {
+ //only admin can modify roles
+ if (isset($request['roles_id']) && $this->userData->hasRole('Default.Admins')) {
 $user->assignRoleById((int)$request['roles_id']);
 }
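Review bot: When the caller is not an admin, `roles_id` is skipped by the new condition but stays in `$request`, and the edit still succeeds silently. The rest of edit() is outside the hunk; if `$request` is later handed to a bulk update (the `unset($request['default_company'], ...)` just above suggests it is), the field could still be written unless the model excludes it from mass assignment. I would drop it explicitly for non-admins with `unset($request['roles_id']);`, or preferably reject the request with an authorization error so the attempt is visible to the client and in logs. The check also only tests the caller's role; whether the target user and the requested role id are within what this admin may manage is not visible here and is worth confirming.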