From 2274ae6f171a31d09f618c041d77dad4d98cb651 Mon Sep 17 00:00:00 2001
From: Pedro Sitaras
Date: Wed, 14 Sep 2016 14:14:13 +0200
Subject: [PATCH] Critical Security issue - Privilege Scalation
---
 user/models/YumUser.php | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/user/models/YumUser.php b/user/models/YumUser.php
index c2dc2f2..899e044 100644
--- a/user/models/YumUser.php
+++ b/user/models/YumUser.php
@@ -241,6 +241,9 @@ public function rules() {
 $rules[] = array('notifyType, avatar, id', 'safe');
 $rules[] = array('password', 'required', 'on' => array('insert', 'registration'));
 $rules[] = array('createtime, lastvisit, lastaction, superuser, status', 'numerical', 'integerOnly' => true);
+
+ $rules[] = array('superuser', 'safe', 'on'=> 'managerUserUpdate');
+ $rules[] = array('superuser', 'unsafe', 'on'=> 'userUpdate, registration, insert, update');
 
 if (Yum::hasModule('avatar')) {
 // require an avatar image in the avatar upload screen
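Review bot: The added `unsafe` rule is a deny-list of scenarios, so `superuser` stays mass-assignable in every scenario it does not name (the default scenario or any custom one), because the unscoped `numerical` rule on the context line just above still marks `superuser` safe everywhere. Inverting it to an allow-list closes that gap: `$rules[] = array('superuser', 'unsafe', 'except' => 'managerUserUpdate');` — this assumes a Yii 1.1 release whose validators support `except`; otherwise take `superuser` out of the unscoped `numerical` rule and validate it only `'on' => 'managerUserUpdate'`. With either form the new `safe` rule is redundant, since the `numerical` rule already makes the attribute safe in `managerUserUpdate`. `status` sits in the same unscoped rule and is not restricted by this commit; whether that is reachable depends on how the controllers assign `$model->attributes`, which is not visible here. `rules()` starts and ends outside the hunk, so later rules may change this picture.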