From 3dac20c20ff80b0da004b453a983a2ec77bea2a4 Mon Sep 17 00:00:00 2001
From: snipe
Date: Mon, 31 Oct 2016 19:08:24 -0700
Subject: [PATCH] Unset superadmin by non-superadmins on user create
---
 app/Http/Controllers/UsersController.php | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/app/Http/Controllers/UsersController.php b/app/Http/Controllers/UsersController.php
index f2a2752196..68f669a48d 100755
--- a/app/Http/Controllers/UsersController.php
+++ b/app/Http/Controllers/UsersController.php
@@ -125,7 +125,16 @@ class UsersController extends Controller
 $user->company_id = e(Company::getIdForUser($request->input('company_id')));
 $user->manager_id = e($request->input('manager_id'));
 $user->notes = e($request->input('notes'));
- $user->permissions = json_encode($request->input('permission'));
+
+ // Strip out the superuser permission if the user isn't a superadmin
+ $permissions_array = $request->input('permission');
+
+ if (!Auth::user()->isSuperUser()) {
+ unset($permissions_array['superuser']);
+ }
+
+ $user->permissions = json_encode($permissions_array);
+
+
 if ($user->manager_id == "") {
@@ -357,7 +366,7 @@ class UsersController extends Controller
 }
 $user->permissions = json_encode($permissions_array);
-
+
 if ($user->manager_id == "") {
 $user->manager_id = null;
 }
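Review bot: The guard added before `json_encode($permissions_array)` in the first hunk removes only the `superuser` key, so every other key in the submitted `permission` input is still stored exactly as sent, including permissions the acting non-superadmin may not hold. Whether that delegation is intended depends on the permission model, which the hunk does not show. An allowlist would be safer than a single-key denylist: keep only the known permission keys, and for non-superusers only those they are allowed to grant. The input is also used without a type check, so a scalar `permission` value would reach `unset()` as a string; I would normalise it first with `if (!is_array($permissions_array)) { $permissions_array = []; }`. The enclosing method starts and ends outside the hunk, so any other path that writes `$user->permissions` needs the same check.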