From 72cee7547437114d675567967ebdcbeab9df3627 Mon Sep 17 00:00:00 2001
From: Jannat Patel
Date: Thu, 19 Feb 2026 12:39:55 +0530
Subject: [PATCH] fix: only allow lms roles to be modified by moderator
---
 lms/lms/api.py | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/lms/lms/api.py b/lms/lms/api.py
index d9849999..36848d9e 100644
--- a/lms/lms/api.py
+++ b/lms/lms/api.py
@@ -1369,6 +1369,10 @@ def get_certification_details(course: str):
 @frappe.whitelist()
 def save_role(user: str, role: str, value: int):
 frappe.only_for("Moderator")
+ ALLOWED_ROLES = ["Moderator", "Course Creator", "Batch Evaluator", "LMS Student"]
+ if role not in ALLOWED_ROLES:
+ frappe.throw(_("You do not have permission to modify this role."), frappe.PermissionError)
+
 if cint(value):
 doc = frappe.get_doc(
 {
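Review bot: The new `ALLOWED_ROLES` list in `save_role` still contains "Moderator", so any Moderator can grant or revoke the Moderator role for an arbitrary `user`, and nothing in the hunk says whether that is intended. The allowlist is also rebuilt as a function-local list on every call and has no comment explaining that it is the privilege boundary. I would hoist it to a module-level constant such as `LMS_ROLES = frozenset({"Moderator", "Course Creator", "Batch Evaluator", "LMS Student"})` with a comment like `# Only these LMS roles may be granted or revoked through save_role; every other role is refused.`, and either document the Moderator entry as deliberate or gate it behind a higher role. The check sits before the `if cint(value)` branch, so it covers the visible grant path and presumably the revoke path too. The rest of the body lies outside the hunk, so whether `user` is validated or the role change is logged cannot be judged from here.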