From 38f8584ecf4eefda05620d1414e58c0460c1eaef Mon Sep 17 00:00:00 2001 From: Meteo Date: Sat, 16 May 2026 23:45:28 +0200 Subject: [PATCH] non-superuser admins cannot update the permission name and description anymore. --- pub/api/v1/permissions/index.php | 6 ++++-- .../portal-management/pageAccessControl_permission_edit.php | 3 ++- pub/bin/pages/portal-management/pageAccessControl_view.php | 2 +- 3 files changed, 7 insertions(+), 4 deletions(-) diff --git a/pub/api/v1/permissions/index.php b/pub/api/v1/permissions/index.php index 27c9de8..e0a31e4 100644 --- a/pub/api/v1/permissions/index.php +++ b/pub/api/v1/permissions/index.php @@ -47,8 +47,10 @@ if ($API_permissions->request_method === 'GET') { } elseif ($API_permissions->request_method === 'PUT') { - # Update the permission name and description - $API_permissions->checkPermissions('admin-access-control-permissions', 'RW'); + # Only superuser can delete permission due to fact that the backend needs programming when setting a permission + if (!$API_permissions->isSuperuser()) { + $API_permissions->apiOutput(401, ['error' => 'You are not authorized to access this resource.']); + } $requiredFields = [ 'permission_uuid' => ['type' => 'uuid'], diff --git a/pub/bin/pages/portal-management/pageAccessControl_permission_edit.php b/pub/bin/pages/portal-management/pageAccessControl_permission_edit.php index c00c13f..1c0a09d 100644 --- a/pub/bin/pages/portal-management/pageAccessControl_permission_edit.php +++ b/pub/bin/pages/portal-management/pageAccessControl_permission_edit.php @@ -18,7 +18,8 @@ require_once $_SERVER['DOCUMENT_ROOT'] . '/api/classes/API_permissions.php'; # Check permissions $API = new API(); -if (!$API->checkPermissions('admin-access-control-permissions', 'RW', true)) { +# Only superuser can delete permission due to fact that the backend needs programming when setting a permission +if (!$API->isSuperuser()) { echo 'error 401 unauthorized'; exit; } diff --git a/pub/bin/pages/portal-management/pageAccessControl_view.php b/pub/bin/pages/portal-management/pageAccessControl_view.php index 7ecd59f..ddeedad 100644 --- a/pub/bin/pages/portal-management/pageAccessControl_view.php +++ b/pub/bin/pages/portal-management/pageAccessControl_view.php @@ -201,7 +201,7 @@ while ($row = $stmt->fetch_assoc()) { - checkPermissions('admin-access-control-permissions', 'RW', true)) { ?> + isSuperuser()) { ?>