Users with admin-access-control-permissions RW are no longer able to change superuser permissions.
This commit is contained in:
@@ -14,7 +14,6 @@ if ($API_permissions->request_method === 'GET') {
|
||||
# to be made, get all the access-rights and implement the builder
|
||||
|
||||
} elseif ($API_permissions->request_method === 'PUT') {
|
||||
|
||||
# when called from the frontend will not be forwarding to a url since when its called from the frontend it doesnt need a redirection
|
||||
$API_permissions->return_url = false;
|
||||
|
||||
@@ -34,7 +33,13 @@ if ($API_permissions->request_method === 'GET') {
|
||||
|
||||
# check if the user_group_uuid exists
|
||||
$_GET['builder'] = [1 => ['where' => [0 => 'user_group_uuid', 1 => $API_permissions->data['user_group_uuid']]]];
|
||||
$API_usergroups->getUsergroup();
|
||||
$user_group = $API_usergroups->getUsergroup();
|
||||
|
||||
# if the user updating the permissions is in a lower group (higher group weight number) prevent them for doing so to prevent
|
||||
# Privilege escalation.
|
||||
if ($user_group[0]['user_group_weight'] < $_SESSION['user']['user_group_weight']) {
|
||||
$API_permissions->apiOutput(405, ['error' => 'You are not allowed to update this user since you are in a lower group']);
|
||||
}
|
||||
|
||||
# Update the permission
|
||||
$API_permissions->updateAccessRights();
|
||||
|
||||
Reference in New Issue
Block a user