fix(users): fix for users.profile.server.controller.js security (#1338)

* Fix for users.profile.server.controller.js security (#1338)

Fixes an issue where if req.body._id was not set to the current user it
could potentially log the current user in as another user.

Don't use req.body._id when editing user

Prevents a user from being logged in as another if edit user form _id is
not their own.

Fixes #1338

Author: masterwok

modules/users/server/controllers/users/users.profile.server.controller.js

@@ -22,6 +22,9 @@ exports.update = function (req, res) {
   // For security measurement we remove the roles from the req.body object
   delete req.body.roles;
 
+  // For security measurement do not use _id from the req.body object
+  delete req.body._id;
+
   if (user) {
     // Merge existing user
     user = _.extend(user, req.body);