Fixes #5045 - Removed inline editing for when only "Quick Add User" h…

…as been granted, and removed adding of admin perms to avoid access escalation.
e107inc · Aug 22, 2023 · abf94d0 · abf94d0
1 parent 9949a29
commit abf94d0
Showing 1 changed file with 22 additions and 15 deletions.
diff --git a/e107_admin/users.php b/e107_admin/users.php
@@ -419,7 +419,12 @@ function init()
 		if(!getperms('4|U0')) // Quick Add User Access Only. 
 		{
 			unset($this->fields['checkboxes']);
-			unset($this->fields['options']);			
+			unset($this->fields['options']);
+			foreach($this->fields as $fld=>$val)
+			{
+				 $this->fields[$fld]['inline'] = false;
+			}
+
 		}	
 
 		$this->fields['user_image']['writeParms'] = $this->getAvatarList();
@@ -1679,22 +1684,24 @@ function AddPage()
 		}
 
 		// Make Admin.
-		$text .= "
-		<tr>
-			<td>".USRLAN_35."</td>
-			<td>
-				<a href='#set_perms' class='btn btn-default btn-secondary e-expandit'>".USRLAN_243."</a>
-				<div class='e-hideme' id='set_perms'>
-		";
-
-		$text .= $prm->renderPermTable('grouped');
+		if(getperms('4|U0')) // Quick Add User access should not be allowed to create new users with escalated perms. 
+		{
+			$text .= "
+			<tr>
+				<td>".USRLAN_35."</td>
+				<td>
+					<a href='#set_perms' class='btn btn-default btn-secondary e-expandit'>".USRLAN_243."</a>
+					<div class='e-hideme' id='set_perms'>
+			";
 
-		$text .= "
-				</div>
-			</td>
-		</tr>
-		";
+			$text .= $prm->renderPermTable('grouped');
 
+			$text .= "
+					</div>
+				</td>
+			</tr>
+			";
+		}
 
 		$text .= "