BUGFIX: Don't let non ADMINs with permission-editing rights assign themselves ADMIN permissions. (from r89805)

git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.4@96718 467b73ca-7a2a-4603-9d3b-597d59a354a9
2024-10-22 12:05:37 +00:00 · 2010-01-12 22:53:52 +00:00 · 2010-01-12 22:53:52 +00:00 · 150457f8a2
commit 150457f8a2
parent ad20ff2ac0
1 changed files with 4 additions and 1 deletions
--- a/security/Permission.php
+++ b/security/Permission.php
@ -533,6 +533,9 @@ class Permission extends DataObject {
 				);
 		}

+		// Don't let people hijack ADMIN rights
+		if(!Permission::check("ADMIN")) unset($allCodes['ADMIN']);
+		
 		ksort($allCodes);

 		foreach($allCodes as $category => $permissions) {