Fix not allowed user role modification by intercepting request

Cockpit-HQ · Feb 1, 2023 · 78d6ed3 · 78d6ed3
1 parent a8bc6ff
commit 78d6ed3
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 0 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Release Notes
 
+## WIP
+
+- Fix not allowed user role modification by intercepting request
+
 ## 2.3.7 (2023-01-31)
 
 - Batch update collection items state

diff --git a/modules/System/Controller/Users.php b/modules/System/Controller/Users.php
@@ -82,6 +82,11 @@ public function save() {
             return $this->stop(['error' => 'User data is missing'], 412);
         }
 
+        // don't allow to change role if not allowed
+        if (isset($user['role']) && !$this->isAllowed('app/users/manage')) {
+            unset($user['role']);
+        }
+
         $user['_modified'] = time();
         $isUpdate = isset($user['_id']);