1 parent a8bc6ff commit 78d6ed3Copy full SHA for 78d6ed3
CHANGELOG.md
@@ -1,5 +1,9 @@
1
# Release Notes
2
3
+## WIP
4
+
5
+- Fix not allowed user role modification by intercepting request
6
7
## 2.3.7 (2023-01-31)
8
9
- Batch update collection items state
modules/System/Controller/Users.php
@@ -82,6 +82,11 @@ public function save() {
82
return $this->stop(['error' => 'User data is missing'], 412);
83
}
84
85
+ // don't allow to change role if not allowed
86
+ if (isset($user['role']) && !$this->isAllowed('app/users/manage')) {
87
+ unset($user['role']);
88
+ }
89
90
$user['_modified'] = time();
91
$isUpdate = isset($user['_id']);
92