lainwir3d/dolibarr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #14810 from TobiasSekan/FixAdminCanRemoveAllHisUserRights

Browse Source 
FIX that a admin can remove all his user rights
This commit is contained in:
Laurent Destailleur 2020-10-05 17:18:24 +02:00 committed by GitHub
commit 03226ad2a5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 9 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
htdocs/user/class/user.class.php
View File

@ -701,6 +701,15 @@ class User extends CommonObject
$sql .= " AND ".$wherefordel;
}
// avoid admin can remove his own important rights
if ($this->admin == 1)
{
$sql .= " AND id NOT IN (251, 252, 253, 254, 255, 256)"; // other users rights
$sql .= " AND id NOT IN (341, 342, 343, 344)"; // own rights
$sql .= " AND id NOT IN (351, 352, 353, 354)"; // groups rights
$sql .= " AND id NOT IN (358)"; // user export
}
$result = $this->db->query($sql);
if ($result)
{