Module: Spree::Api::V3::Admin::RoleGrantGuard

Extended by:
ActiveSupport::Concern
Included in:
AdminUsersController, InvitationsController
Defined in:
app/controllers/concerns/spree/api/v3/admin/role_grant_guard.rb

Overview

Shared guard preventing role-assignment privilege escalation. Staff role grants (via admin_users#update and invitations#create) must not let a caller hand out the `admin` super-role unless they already hold it on the current store. API-key principals have no human identity to bound the grant, so they can never grant the admin role.

Without this, any principal able to write staff (`write_settings` scope, or a `UserManagement`/`RoleManagement` JWT role) could promote an account to store super-admin. See the 2026-06 admin API security review (Vulns 2-4).
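The rule above, modelled as a stand-alone Ruby check so the two failure cases (API-key caller, and a human who holds `admin` only on a different store) can be exercised offline. This is an added example, not the Spree concern's own code; `HumanPrincipal`, `ApiKeyPrincipal`, `RoleGrantError` and the per-store role hash are assumptions made for the illustration.

```ruby
require 'set'

# Added illustration of the guard described on this page; not Spree's implementation.
module RoleGrantGuardExample
  SUPER_ROLE = 'admin'.freeze

  class RoleGrantError < StandardError; end

  # Human principal (assumed shape): roles are held per store, store_id => Set of role names.
  HumanPrincipal = Struct.new(:id, :store_roles) do
    def api_key?
      false
    end

    def holds?(role, store_id)
      store_roles.fetch(store_id, Set.new).include?(role)
    end
  end

  # API-key principal (assumed shape): carries scopes but no human identity to bound the grant.
  ApiKeyPrincipal = Struct.new(:key_id, :scopes) do
    def api_key?
      true
    end

    def holds?(_role, _store_id)
      false
    end
  end

  # Raises unless +principal+ may grant every role in +requested_roles+ on +store_id+.
  # Role names are normalised (trimmed, lower-cased) before the check so that a
  # differently-cased "Admin" is not treated as a harmless non-super role.
  def self.authorize_grant!(principal, requested_roles, store_id)
    roles = requested_roles.map { |r| r.to_s.strip.downcase }
    return roles unless roles.include?(SUPER_ROLE)

    raise RoleGrantError, "API keys cannot grant #{SUPER_ROLE}" if principal.api_key?
    unless principal.holds?(SUPER_ROLE, store_id)
      raise RoleGrantError, "caller does not hold #{SUPER_ROLE} on store #{store_id}"
    end
    roles
  end

  # Boolean convenience wrapper around the raising check.
  def self.grant_allowed?(principal, requested_roles, store_id)
    authorize_grant!(principal, requested_roles, store_id)
    true
  rescue RoleGrantError
    false
  end
end
```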