From 69ed62087392deb17972f06e1326a79e0aa0a997 Mon Sep 17 00:00:00 2001
From: trafficlunar
Date: Thu, 14 May 2026 23:07:59 +0100
Subject: [PATCH] fix: prevent non-admins from editing miis' admin fields
---
 backend/src/app/api/mii/[id]/edit/route.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/backend/src/app/api/mii/[id]/edit/route.ts b/backend/src/app/api/mii/[id]/edit/route.ts
index 3c0b65e..236dac7 100644
--- a/backend/src/app/api/mii/[id]/edit/route.ts
+++ b/backend/src/app/api/mii/[id]/edit/route.ts
@@ -153,7 +153,7 @@ export async function POST(request: NextRequest, { params }: { params: Promise<{
 }
 // Prevent non-admins from quarantining Miis
- if (quarantined && needsFixingReason && session.user?.id?.toString() !== process.env.NEXT_PUBLIC_ADMIN_USER_ID)
+ if ((quarantined || needsFixingReason) && session.user?.id?.toString() !== process.env.NEXT_PUBLIC_ADMIN_USER_ID)
 return rateLimit.sendResponse({ error: `You're not an admin!` }, 401);
 const clearImages = formData.get("clearImages") === "true";
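Review bot: The guard on the new `if` line still tests the values of `quarantined` and `needsFixingReason`, so a non-admin request that submits a falsy value (lifting a quarantine, blanking an existing fix reason) is not rejected here; whether that gets written depends on the parsing and update code in `POST` outside this hunk. If both fields come from `formData`, keying the check on presence closes that gap, e.g. `const touchesAdminFields = formData.has("quarantined") || formData.has("needsFixingReason");` (field names assumed from the variable names). The identity comparison also fails open when both sides are `undefined`, i.e. a session without `user.id` together with an unset `NEXT_PUBLIC_ADMIN_USER_ID`, so I would read the variable into `adminId` and use `const isAdmin = !!adminId && session.user?.id?.toString() === adminId;` and reject on `!isAdmin`. An authenticated caller who lacks the role is an authorization failure, so `403` fits better than `401`, and the comment above the check should be updated to `// Prevent non-admins from changing admin-only fields (quarantined, needsFixingReason)`.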