Fixed issue #18977: [security] Improper Authorization in add role fun…

…ction leads to privilege escalation (#3307)

application/controllers/UserManagementController.php

@@ -1152,7 +1152,8 @@ public function actionBatchAddGroup()
      */
     public function actionBatchApplyRoles()
     {
-        if (!Permission::model()->hasGlobalPermission('users', 'update')) {
+        /* Need super admin roles */
+        if (!Permission::model()->hasGlobalPermission('superadmin')) {
             return $this->renderPartial(
                 'partial/error',
                 ['errors' => [gT("You do not have permission to access this page.")], 'noButton' => true]
@@ -1166,9 +1167,8 @@ public function actionBatchApplyRoles()
             $aResults[$sItem]['title'] = '';
             $model = $this->loadModel($sItem);
             $aResults[$sItem]['title'] = $model->users_name;
-
-            //check if user is admin otherwhise change the role
-            if (intval($sItem) == 1) {  //todo REFACTORING is admin id always 1?? is there another possibility to check for admin user?
+            if (Permission::isForcedSuperAdmin($sItem)) {
+                /* Show an error for forced super admin, this don't disable for DB superadmin */
                 $aResults[$sItem]['result'] = false;
                 $aResults[$sItem]['error'] = gT('The superadmin role cannot be changed.');
             } else {
@@ -1177,7 +1177,6 @@ public function actionBatchApplyRoles()
                 }
             }
         }
-
         $tableLabels = array(gT('User ID'), gT('Username'), gT('Status'));
 
         Yii::app()->getController()->renderPartial(