Fixes security issue where an admin user could possibly edit a super-…

…admin user [#1322 state:resolved]
exponentcms · Dec 26, 2015 · 1d8f6e4 · 1d8f6e4
1 parent c4a42e5
commit 1d8f6e4
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/framework/modules/users/controllers/usersController.php b/framework/modules/users/controllers/usersController.php
@@ -114,6 +114,10 @@ public function edituser() {
         // check to see if we should be editing.  You either need to be an admin, or editing own account.
         if ($user->isAdmin() || ($user->id == $id && !$user->globalPerm('prevent_profile_change'))) {
             $u = new user($id);
+            if ($u->isSuperAdmin() && $user->isActingAdmin()) {  // prevent regular admin's from editing super-admins
+                flash('error', gt('You do not have the proper permissions to edit this user'));
+                expHistory::back();
+            }
         } else {
             flash('error', gt('You do not have the proper permissions to edit this user'));
             expHistory::back();