From 78d6ed3bf093ee11356ba66320c628c727068714 Mon Sep 17 00:00:00 2001
From: Artur Heinze
Date: Wed, 1 Feb 2023 23:52:43 +0100
Subject: [PATCH] Fix not allowed user role modification by intercepting request

---
 CHANGELOG.md                        | 4 ++++
 modules/System/Controller/Users.php | 5 +++++
 2 files changed, 9 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6d45603e..587710a8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Release Notes
 
+## WIP
+
+- Fix not allowed user role modification by intercepting request
+
 ## 2.3.7 (2023-01-31)
 
 - Batch update collection items state
diff --git a/modules/System/Controller/Users.php b/modules/System/Controller/Users.php
index 78f844d0..c53c1706 100644
--- a/modules/System/Controller/Users.php
+++ b/modules/System/Controller/Users.php
@@ -82,6 +82,11 @@ public function save() {
             return $this->stop(['error' => 'User data is missing'], 412);
         }
 
+        // don't allow to change role if not allowed
+        if (isset($user['role']) && !$this->isAllowed('app/users/manage')) {
+            unset($user['role']);
+        }
+
         $user['_modified'] = time();
         $isUpdate = isset($user['_id']);
 
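Review bot: The new guard in the Users.php hunk tests `isset($user['role'])`, which is false when the request carries `role` with a null value, so such a payload keeps the key and reaches the save path untouched; unless the code after the hunk treats a null role as "leave unchanged", the check should be `if (array_key_exists('role', $user) && !$this->isAllowed('app/users/manage')) {`. Silently unsetting the key also means a caller without `app/users/manage` gets a success response while its role change was discarded; rejecting with `return $this->stop(['error' => 'Not allowed to change role'], 403);` (or at least logging the attempt) makes the refused privilege change visible to the client and to audit trails. Only `role` is intercepted here; if the user document carries other authorization-relevant fields, they presumably need the same treatment, which this commit does not address. `save()` begins and ends outside the hunk, so the surrounding permission checks for updating another user's record cannot be reviewed from here.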