Fixed issue: [security] Administrator can change his own password wit…

…hout entering the existing one
LimeSurvey · Apr 13, 2023 · 10d5513 · 10d5513
1 parent 759d9b3
commit 10d5513
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/application/controllers/UserManagementController.php b/application/controllers/UserManagementController.php
@@ -166,6 +166,16 @@ public function actionApplyEdit()
             $aUser['expires'] = null;
         }
 
+        // A user may not edit himself using this action
+        if (isset($aUser['uid']) && $aUser['uid'] && $aUser['uid'] == Yii::app()->user->id) {
+            return App()->getController()->renderPartial('/admin/super/_renderJson', [
+                "data" => [
+                    'success' => false,
+                    'errors'  =>  gT('No permission')
+                ]
+                ]);
+        }
+
         if (isset($aUser['uid']) && $aUser['uid']) {
             $oUser = $this->updateAdminUser($aUser);
             if ($oUser->hasErrors()) {