From 10d55130d486ae94caf6e4bb6b465a7c5b20b376 Mon Sep 17 00:00:00 2001
From: Carsten Schmitz
Date: Thu, 13 Apr 2023 13:43:20 +0200
Subject: [PATCH] Fixed issue: [security] Administrator can change his own password without entering the existing one

---
 application/controllers/UserManagementController.php | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/application/controllers/UserManagementController.php b/application/controllers/UserManagementController.php
index 5ebc4cecab0..5750a765c58 100644
--- a/application/controllers/UserManagementController.php
+++ b/application/controllers/UserManagementController.php
@@ -166,6 +166,16 @@ public function actionApplyEdit()
 $aUser['expires'] = null;
 }
 
+ // A user may not edit himself using this action
+ if (isset($aUser['uid']) && $aUser['uid'] && $aUser['uid'] == Yii::app()->user->id) {
+ return App()->getController()->renderPartial('/admin/super/_renderJson', [
+ "data" => [
+ 'success' => false,
+ 'errors' => gT('No permission')
+ ]
+ ]);
+ }
+
 if (isset($aUser['uid']) && $aUser['uid']) {
 $oUser = $this->updateAdminUser($aUser);
 if ($oUser->hasErrors()) {
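Review bot: The self-edit guard compares a request-supplied value with loose `==` (`$aUser['uid'] == Yii::app()->user->id`), so a uid such as `"1abc"` is "not equal" to the integer 1 under PHP 8 string/number comparison rules and skips the new check, while the subsequent `updateAdminUser($aUser)` (outside this hunk) may well still resolve that value to the caller's own record if the lookup or database casts it to an integer; that would leave the very bypass this commit is meant to close. Normalise the id once and compare strictly, e.g. `$uid = (int) $aUser['uid'];` followed by `if ($uid !== 0 && $uid === (int) Yii::app()->user->id) {`, and pass the normalised `$uid` on to the update path so both sides of the check agree on the same value. A short comment stating why the action refuses self-edits would also help the next reader, e.g. `// Self-edit is refused here because this path does not require the current password; own-password changes must go through the profile flow`. Note that `actionApplyEdit` begins before this hunk and continues after it, so the origin of `$aUser` cannot be confirmed from the diff alone.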