DRCIT/snipe-it
1
0
Fork 0
mirror of https://github.com/snipe/snipe-it.git synced 2024-11-12 16:44:08 -08:00
Code Issues Actions 6 Packages Projects Releases Wiki Activity

Disallow non-super users from editing their own permissions

Browse source
This commit is contained in:
snipe 2020-07-13 21:16:45 -07:00
parent 12c92e30b7
commit 5320f5c67c
No known key found for this signature in database
GPG key ID: 10BFFDA3ED34B5AC
1 changed files with 6 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
app/Http/Controllers/UsersController.php
View file

@ -240,6 +240,12 @@ class UsersController extends Controller
if ($user->id == $request->input('manager_id')) { if ($user->id == $request->input('manager_id')) {
return redirect()->back()->withInput()->with('error', 'You cannot be your own manager.'); return redirect()->back()->withInput()->with('error', 'You cannot be your own manager.');
} }
// If the user isn't a superuser, don't let them edit their own permissions
if ((!Auth::user()->isSuperUser()) && ($user->id == Auth::user()->id)) {
return redirect()->back()->withInput()->with('error', 'You cannot edit your own permissions. Please contact an administrator.');
}
$this->authorize('update', $user); $this->authorize('update', $user);
// Figure out of this user was an admin before this edit // Figure out of this user was an admin before this edit
$orig_permissions_array = $user->decodePermissions(); $orig_permissions_array = $user->decodePermissions();