fix: privilege escalation for users with insufficient permissions
thorsten committed Feb 14, 2023
1 parent f3380f4 commit ae6c1d8
Showing 1 changed file with 6 additions and 0 deletions.
6 changes: 6 additions & 0 deletions phpmyfaq/admin/user.php
@@ -121,6 +121,10 @@
$isSuperAdmin = Filter::filterInput(INPUT_POST, 'is_superadmin', FILTER_UNSAFE_RAW);
$isSuperAdmin = $isSuperAdmin === 'on';

if (!$user->isSuperAdmin()) {
$isSuperAdmin = false;
}

// Sanity check
if (is_null($userData['email'])) {
$message .= sprintf('<p class="alert alert-danger">%s</p>', $PMF_LANG['err_noMailAdress']);
@@ -705,6 +709,7 @@ class="form-control">
</div>
</div>

<?php if ($user->isSuperAdmin()) { ?>
<div class="form-group row">
<div class="col-lg-4"></div>
<div class="col-lg-8">
@@ -716,6 +721,7 @@ class="form-control">
</div>
</div>
</div>
<?php } ?>

</form>
</div>
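Review bot: Forcing `$isSuperAdmin = false` for a non-super-admin editor (first hunk, right after the `is_superadmin` POST value is read) blocks granting the flag, but the same save would presumably also clear it on a target account that already has it, so a lower-privileged admin could demote a super admin just by saving that user's form. The code that applies `$isSuperAdmin` is outside the hunk, so this needs confirming; if it holds, keep the stored value instead, e.g. `$isSuperAdmin = $targetUser->isSuperAdmin();` where `$targetUser` is a placeholder for the loaded account being edited, or reject the edit when the target is a super admin and the editor is not. It is also not visible here whether `$user` at this point is the logged-in user or the account being edited; a comment such as `// $user is the logged-in admin, not the account being edited` would make the check auditable. The two template hunks only hide the checkbox, so the server-side check in the first hunk is the one that has to be right.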
