Only allow users to modify permissions that they have access to

2018-02-11 22:00:44 -05:00 · 2018-02-11 22:00:44 -05:00 · 35ed664dfd
commit 35ed664dfd
parent 48b28fc3cd
1 changed files with 4 additions and 4 deletions
--- a/admin/manage_permission_groups.php
+++ b/admin/manage_permission_groups.php
@ -198,7 +198,7 @@ function createEditModal($template, $features, $categories)
                                            $disabled = ' disabled';
                                        }?>
-                                        <?php if (in_array($category['id'], $_SESSION['categories']) || $checked): ?>
+                                        <?php if ($_SESSION['isadmin'] || in_array($category['id'], $_SESSION['categories']) || $checked): ?>
                                        <div class="checkbox">
                                            <label>
                                                <input type="checkbox" name="categories[]"
@ -231,7 +231,7 @@ function createEditModal($template, $features, $categories)
                                            $template['heskprivileges'] === 'ALL') {
                                            $disabled = ' disabled';
                                        }
-                                        if (strpos($_SESSION['heskprivileges'], $feature) !== false || $checked):  ?>
+                                        if ($_SESSION['isadmin'] || strpos($_SESSION['heskprivileges'], $feature) !== false || $checked):  ?>
                                        <div class="checkbox">
                                            <label>
                                                <input type="checkbox" name="features[]"
@ -299,7 +299,7 @@ function buildCreateModal($features, $categories)
                                <div class="form-group">
                                    <?php
                                    foreach ($categories as $category):
-                                        if (in_array($category['id'], $_SESSION['categories']) || hesk_SESSION('isadmin')): ?>
+                                        if (hesk_SESSION('isadmin') || in_array($category['id'], $_SESSION['categories'])): ?>
                                        <div class="checkbox">
                                            <label>
                                                <input type="checkbox" name="categories[]"
@ -396,7 +396,7 @@ function save()
        }
        // Update features based on user visibility
-        $originalFeatures = explode(',', $row['features']);
+        $originalFeatures = explode(',', $row['heskprivileges']);
        $newFeatures = array();
        foreach ($originalFeatures as $innerFeature) {
            if (in_array($innerFeature, $featArray) && strpos($_SESSION['heskprivileges'], $innerFeature) !== false) {