Fixed issue: [security] Superadmin can delete a protected superadmin
c-schmitz committed Apr 24, 2020
1 parent 8c582d2 commit 0e47d3f
Showing 1 changed file with 7 additions and 7 deletions.
14 changes: 7 additions & 7 deletions application/controllers/UserManagementController.php
@@ -689,10 +689,7 @@ public function actionDeleteMultiple()
$aResults[$user]['title'] = $model->users_name;
$aResults[$user]['result'] = $this->deleteUser($user);
if (!$aResults[$user]['result'] && $user == Yii::app()->user->id) {
$aResults[$user]['error'] = gT("You cannot delete yourself.");
}
if (Permission::isForcedSuperAdmin($user)) {
$aResults[$user]['error'] = gT("You have no permission to delete this user.");
$aResults[$user]['error'] = gT("You cannot delete yourself or a protected user.");
}
}

@@ -964,10 +961,13 @@ public function deleteUser(int $uid)

if ($uid == Yii::app()->user->id) {
return false;
} else {
$oUser = User::model()->findByPk($uid);
return $oUser->delete();
}
if (Permission::isForcedSuperAdmin($uid)) {
return false;
}

$oUser = User::model()->findByPk($uid);
return $oUser->delete();
}

/**
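Review bot: In `actionDeleteMultiple` the merged message `You cannot delete yourself or a protected user.` appears to be reachable for only one of the two refusals. The +/- markers are lost on this page, but the hunk header (10 old lines, 7 new) leaves room for a single `if` on the new side; if it is the `$user == Yii::app()->user->id` test, a refused delete of a protected superadmin comes back with `result` false and no `error` entry. Covering both cases would read `if (!$aResults[$user]['result'] && ($user == Yii::app()->user->id || Permission::isForcedSuperAdmin($user))) {`. Separately, `deleteUser()` dereferences `User::model()->findByPk($uid)` without a null check, so `if ($oUser === null) { return false; }` before the delete would keep an unknown id from raising an error. Both function bodies begin outside the hunks shown, so earlier permission checks are not visible here.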