fix the TODO

packages/cli/src/public-api/v1/handlers/users/users.handler.ee.ts

@@ -1,4 +1,4 @@
-import type { RoleChangeRequestDTO } from '@n8n/api-types';
+import { RoleChangeRequestDTO } from '@n8n/api-types';
 import type express from 'express';
 import type { Response } from 'express';
 import { Container } from 'typedi';
@@ -99,8 +99,19 @@ export = {
 		isLicensed('feat:advancedPermissions'),
 		globalScope('user:changeRole'),
 		async (req: ChangeRole, res: Response) => {
-			// TODO: validate req.body
-			await Container.get(UsersController).changeGlobalRole(req, res, req.body, req.params.id);
+			const validation = RoleChangeRequestDTO.safeParse(req.body);
+			if (validation.error) {
+				return res.status(400).json({
+					message: validation.error.errors[0],
+				});
+			}
+
+			await Container.get(UsersController).changeGlobalRole(
+				req,
+				res,
+				validation.data,
+				req.params.id,
+			);
 
 			return res.status(204).send();
 		},

packages/cli/test/integration/public-api/users.test.ts

@@ -225,6 +225,29 @@ describe('Users in Public API', () => {
 			expect(response.body).toHaveProperty('message', 'Forbidden');
 		});
 
+		it('should return a 400 on invalid payload', async () => {
+			/**
+			 * Arrange
+			 */
+			testServer.license.enable('feat:advancedPermissions');
+			const owner = await createOwner({ withApiKey: true });
+			const member = await createMember();
+			const payload = { newRoleName: 'invalid' };
+
+			/**
+			 * Act
+			 */
+			const response = await testServer
+				.publicApiAgentFor(owner)
+				.patch(`/users/${member.id}/role`)
+				.send(payload);
+
+			/**
+			 * Assert
+			 */
+			expect(response.status).toBe(400);
+		});
+
 		it("should change a user's role", async () => {
 			/**
 			 * Arrange