From 7da0ffc325e5fa0497b484184d588c1db6e67706 Mon Sep 17 00:00:00 2001
From: snipe
Date: Wed, 13 Jan 2016 06:51:56 -0800
Subject: [PATCH] Fixes #1623 - disallow admins to edit permissions on users
---
 app/controllers/admin/UsersController.php | 4 ++-
 app/views/backend/users/edit.blade.php | 43 ++++++++++++++++++-----
 2 files changed, 38 insertions(+), 9 deletions(-)
diff --git a/app/controllers/admin/UsersController.php b/app/controllers/admin/UsersController.php
index b5551a0be3..86c5f0da11 100755
--- a/app/controllers/admin/UsersController.php
+++ b/app/controllers/admin/UsersController.php
@@ -377,7 +377,9 @@ class UsersController extends AdminController {
 $user->email = Input::get('email');
 $user->employee_num = Input::get('employee_num');
 $user->activated = Input::get('activated', $user->activated);
- $user->permissions = Input::get('permissions');
+ if (Sentry::getUser()->hasAccess('superuser')) {
+ $user->permissions = Input::get('permissions');
+ }
 $user->jobtitle = Input::get('jobtitle');
 $user->phone = Input::get('phone');
 $user->location_id = Input::get('location_id');
diff --git a/app/views/backend/users/edit.blade.php b/app/views/backend/users/edit.blade.php
index aad78e4296..d140278b8b 100755
--- a/app/views/backend/users/edit.blade.php
+++ b/app/views/backend/users/edit.blade.php
@@ -14,6 +14,14 @@
 {{-- Page content --}}
 @section('content')
+
+
+
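Review bot: Gating only the `permissions` assignment on the editor being a superuser still lets a non-superuser admin rewrite a superuser's `email` and `activated` flag (assigned on the lines just above the new check), which is an account-takeover route via password reset and so re-opens the escalation this commit means to close; the method should refuse the whole edit when the target outranks the editor, e.g. `if ($user->hasAccess('superuser') && !Sentry::getUser()->hasAccess('superuser')) { /* reject the request */ }` before any attribute is assigned — this assumes `$user` is a Sentry user exposing `hasAccess`, which the hunk does not show. A tampered `permissions` field submitted by a non-superuser is now dropped silently and the request still succeeds; rejecting it, or at least logging the attempt, would make the tampering visible to operators. `Sentry::getUser()` is dereferenced without a null check, which is presumably safe under AdminController's auth filter but worth confirming. The enclosing method starts and ends outside this hunk.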