Users with admin-access-control-permissions RW are no longer able to change superuser permissions.

This commit is contained in:
2026-05-16 23:47:20 +02:00
parent 38f8584ecf
commit f4cd8e9cde
5 changed files with 30 additions and 7 deletions

View File

@@ -688,7 +688,7 @@ class API
protected function buildDynamicQuery(string $tableName): array
{
unset($this->baseQuery);
$this->baseQuery = '';
if (!$this->baseQuery) {
$this->baseQuery = "SELECT * FROM " . $tableName;
}

View File

@@ -14,7 +14,6 @@ if ($API_permissions->request_method === 'GET') {
# to be made, get all the access-rights and implement the builder
} elseif ($API_permissions->request_method === 'PUT') {
# when called from the frontend will not be forwarding to a url since when its called from the frontend it doesnt need a redirection
$API_permissions->return_url = false;
@@ -34,7 +33,13 @@ if ($API_permissions->request_method === 'GET') {
# check if the user_group_uuid exists
$_GET['builder'] = [1 => ['where' => [0 => 'user_group_uuid', 1 => $API_permissions->data['user_group_uuid']]]];
$API_usergroups->getUsergroup();
$user_group = $API_usergroups->getUsergroup();
# if the user updating the permissions is in a lower group (higher group weight number) prevent them for doing so to prevent
# Privilege escalation.
if ($user_group[0]['user_group_weight'] < $_SESSION['user']['user_group_weight']) {
$API_permissions->apiOutput(405, ['error' => 'You are not allowed to update this user since you are in a lower group']);
}
# Update the permission
$API_permissions->updateAccessRights();