Commit 78d6ed3

committed
Fix not allowed user role modification by intercepting request
1 parent a8bc6ff commit 78d6ed3

2 files changed

+9
-0
lines changed

Diff for: CHANGELOG.md

+4
@@ -1,5 +1,9 @@
11
# Release Notes
22

3+
## WIP
4+
5+
- Fix not allowed user role modification by intercepting request
6+
37
## 2.3.7 (2023-01-31)
48

59
- Batch update collection items state
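Review bot: The WIP entry states the symptom but not the security impact or the permission involved, so operators reading the changelog cannot judge their exposure; since the code change gates role edits on the `app/users/manage` permission, consider wording it as `- Security: prevent users without the app/users/manage permission from changing roles via the user save request`, and give the WIP block a version and date when it is released.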

Diff for: modules/System/Controller/Users.php

+5
@@ -82,6 +82,11 @@ public function save() {
8282
return $this->stop(['error' => 'User data is missing'], 412);
8383
}
8484

85+
// don't allow to change role if not allowed
86+
if (isset($user['role']) && !$this->isAllowed('app/users/manage')) {
87+
unset($user['role']);
88+
}
89+
8590
$user['_modified'] = time();
8691
$isUpdate = isset($user['_id']);
8792
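Review bot: The new check silently strips `role` from the payload instead of rejecting the request, so a caller without `app/users/manage` still gets a success response from `save()` and cannot tell that the role change was dropped; consider following the existing pattern a few lines up and returning an explicit error, e.g. `return $this->stop(['error' => 'Not allowed to change role'], 403);`. Silent stripping is defensible if the intent is to let self-service profile edits through, but then the comment should say so and the denied attempt should be logged so that attempted privilege escalation shows up in audit data. Also note the check runs before `$isUpdate = isset($user['_id'])`, so on a create by a non-privileged caller the new user is stored with no `role` at all; verify that downstream code treats a missing role as least privilege rather than as an error.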
