non-superuser admins cannot update the permission name and description anymore.
This commit is contained in:
@@ -47,8 +47,10 @@ if ($API_permissions->request_method === 'GET') {
|
||||
|
||||
} elseif ($API_permissions->request_method === 'PUT') {
|
||||
|
||||
# Update the permission name and description
|
||||
$API_permissions->checkPermissions('admin-access-control-permissions', 'RW');
|
||||
# Only superuser can delete permission due to fact that the backend needs programming when setting a permission
|
||||
if (!$API_permissions->isSuperuser()) {
|
||||
$API_permissions->apiOutput(401, ['error' => 'You are not authorized to access this resource.']);
|
||||
}
|
||||
|
||||
$requiredFields = [
|
||||
'permission_uuid' => ['type' => 'uuid'],
|
||||
|
||||
@@ -18,7 +18,8 @@ require_once $_SERVER['DOCUMENT_ROOT'] . '/api/classes/API_permissions.php';
|
||||
|
||||
# Check permissions
|
||||
$API = new API();
|
||||
if (!$API->checkPermissions('admin-access-control-permissions', 'RW', true)) {
|
||||
# Only superuser can delete permission due to fact that the backend needs programming when setting a permission
|
||||
if (!$API->isSuperuser()) {
|
||||
echo 'error 401 unauthorized';
|
||||
exit;
|
||||
}
|
||||
|
||||
@@ -201,7 +201,7 @@ while ($row = $stmt->fetch_assoc()) {
|
||||
<td class=""><?php echo $permission['permission_description'] ?></td>
|
||||
<td class="text-nowrap">
|
||||
|
||||
<?php if ($API->checkPermissions('admin-access-control-permissions', 'RW', true)) { ?>
|
||||
<?php if ($API->isSuperuser()) { ?>
|
||||
<a href="?permission_edit=<?php echo $permission['permission_uuid'] ?>" class="btn btn-primary btn-sm btn-rounded"><i class="fas fa-edit"></i></a>
|
||||
<?php } ?>
|
||||
|
||||
|
||||
Reference in New Issue
Block a user