CVE-2023-0759: Fix not allowed user role modification by intercepting request · Cockpit-HQ/Cockpit@78d6ed3

Privilege Chaining in GitHub repository cockpit-hq/cockpit prior to 2.3.8.

CVE
#vulnerability #git #php


Fix not allowed user role modification by intercepting request

Showing 2 changed files with 9 additions and 0 deletions.

  • CHANGELOG.md
  • Users.php

@@ -1,5 +1,9 @@

Release Notes

WIP

- Fix not allowed user role modification by intercepting request

2.3.7 (2023-01-31)

- Batch update collection items state
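Review bot: the new entry sits under the `WIP` heading rather than a release version and does not mark the change as a security fix; since this commit is the fix for the advisory this page references (CVE-2023-0759 / GHSA-86rf-38v8-9c4x, affecting versions prior to 2.3.8), suggest labelling the line as a security fix and moving it under the 2.3.8 heading when that release is cut, so that operators can match the advisory to a shipped version.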

@@ -82,6 +82,11 @@ public function save() {

return $this->stop([‘error’ => ‘User data is missing’], 412);

}

// don’t allow to change role if not allowed

if (isset($user[‘role’]) && !$this->isAllowed(‘app/users/manage’)) {

unset($user[‘role’]);

}

$user[‘_modified’] = time();

$isUpdate = isset($user[‘_id’]);
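Review bot: the guard `if (isset($user['role']) && !$this->isAllowed('app/users/manage'))` silently strips the field instead of refusing the request, so a caller who submits a role change receives a success response and the attempt leaves no trace; the method already rejects bad input with `return $this->stop(['error' => 'User data is missing'], 412);`, so returning a 403 in the same style (and logging the rejected attempt) would make unauthorized role changes visible to operators rather than quietly tolerated. Two smaller points: `isset()` returns false when the key is present with a `null` value, so a payload that carries `role` as `null` is not caught by this check (use `array_key_exists('role', $user)` if a null role must also be blocked), and the guard covers only `role`, so any other field on the user record that feeds into authorization needs the same treatment.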

Related news

GHSA-86rf-38v8-9c4x: privilege chaining in cockpit-hq/cockpit

Privilege Chaining in GitHub repository cockpit-hq/cockpit prior to 2.3.8.
