Fixed issue: User without superadmin permission can enter comfort upd…

…ate page without restriction
LimeSurvey · Oct 14, 2020 · 9a8a031 · 9a8a031 · Shnoulle · Oct 14, 2020
1 parent 7804ea5
commit 9a8a031
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/application/controllers/admin/update.php b/application/controllers/admin/update.php
@@ -72,6 +72,11 @@ class update extends Survey_Common_Action
      */
     public function index()
     {
+        if (!Permission::model()->hasGlobalPermission('superadmin')) {
+            Yii::app()->setFlashMessage(gT('You are not allowed to enter this page'), 'error');
+            $this->getController()->redirect(Yii::app()->getController()->createUrl("/admin"));
+        }
+
         if (Yii::app()->getConfig('demoMode')) {
             Yii::app()->setFlashMessage(gT('This function cannot be executed because demo mode is active.'), 'error');
             $this->getController()->redirect(Yii::app()->getController()->createUrl("/admin"));