Commit be81eb6

Merge pull request #13931 from craftcms/bugfix/user-perms
Fixed a potential privilege escalation bug
2 parents e7fcfe8 + dfe1b83 commit be81eb6

2 files changed, +5 -1 lines changed

Diff for: CHANGELOG.md

+4
@@ -1,5 +1,9 @@
11
# Release Notes for Craft CMS 3.x
22

3+
## Unreleased
4+
5+
- Fixed a privilege escalation vulnerability.
6+
37
## 3.9.5 - 2023-10-17
48

59
- Added `pgpassword` and `pwd` to the list of keywords that Craft will look for when determining whether a value is sensitive and should be redacted from logs, etc.
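
Review bot: The new entry under "## Unreleased" ("Fixed a privilege escalation vulnerability.") gives operators nothing to triage with. It does not say which feature is affected or who could exploit it, while the code change in this commit is confined to username handling in `actionSaveUser()`. Consider naming the affected area (saving a user's username) and linking the pull request (#13931) so administrators can judge how urgently to upgrade once the release is tagged.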

Diff for: src/controllers/UsersController.php

+1-1
@@ -1206,7 +1206,7 @@ public function actionSaveUser()
12061206
// Is the site set to use email addresses as usernames?
12071207
if ($generalConfig->useEmailAsUsername) {
12081208
$user->username = $user->email;
1209-
} else {
1209+
} elseif ($isNewUser || $currentUser->admin || $isCurrentUser) {
12101210
$user->username = $this->request->getBodyParam('username', ($user->username ?: $user->email));
12111211
}
12121212
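
Review bot: The guard added on the `elseif` only covers the branch that reads `username` from the request body; the `useEmailAsUsername` branch above it still runs `$user->username = $user->email;` for every caller. If the email assignment earlier in `actionSaveUser()` (not visible in this hunk) is not restricted to the same `$isNewUser || $currentUser->admin || $isCurrentUser` set, a username change is still reachable through the email field on sites with that setting enabled, so it is worth confirming the two paths are gated consistently. Separately, when the new condition is false a submitted `username` is dropped silently: a short comment stating why non-admin editors may not rename other users, and a test that posts `username` as such an editor and asserts it is unchanged, would keep this from regressing.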
