BUGFIX: Don't let non ADMINs with permission-editing rights assign themselves ADMIN permissions. (from r89805)

git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.4@96718 467b73ca-7a2a-4603-9d3b-597d59a354a9

security/Permission.php

@@ -488,7 +488,7 @@ class Permission extends DataObject {
 			'help' => null,
 			'sort' => 100000
 		);
-
+		
 		if($classes) foreach($classes as $class) {
 			$SNG = singleton($class);
 			if($SNG instanceof TestOnly) continue;
@@ -532,6 +532,9 @@ class Permission extends DataObject {
 					'sort' => 0
 				);
 		}
+
+		// Don't let people hijack ADMIN rights
+		if(!Permission::check("ADMIN")) unset($allCodes['ADMIN']);
 		
 		ksort($allCodes);