From 5320f5c67ce7dbf4605cc5b7fd7be8773c8ee157 Mon Sep 17 00:00:00 2001
From: snipe
Date: Mon, 13 Jul 2020 21:16:45 -0700
Subject: [PATCH] Disallow non-super users from editing their own permissions

---
 app/Http/Controllers/UsersController.php | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/app/Http/Controllers/UsersController.php b/app/Http/Controllers/UsersController.php
index ebd68b0ec1..fe7cb37249 100755
--- a/app/Http/Controllers/UsersController.php
+++ b/app/Http/Controllers/UsersController.php
@@ -240,6 +240,12 @@ class UsersController extends Controller
 if ($user->id == $request->input('manager_id')) {
 return redirect()->back()->withInput()->with('error', 'You cannot be your own manager.');
 }
+
+ // If the user isn't a superuser, don't let them edit their own permissions
+ if ((!Auth::user()->isSuperUser()) && ($user->id == Auth::user()->id)) {
+ return redirect()->back()->withInput()->with('error', 'You cannot edit your own permissions. Please contact an administrator.');
+ }
+
 $this->authorize('update', $user);
 // Figure out of this user was an admin before this edit
 $orig_permissions_array = $user->decodePermissions();
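Review bot: The new guard rejects the whole update whenever a non-superuser's target is their own record, not just a change to permissions, so the message on the added redirect is broader than the condition and self-edits of ordinary profile fields through this route are blocked too (the enclosing update method starts and ends outside the hunk, so how much that matters depends on what else the form submits). If the intent is only to stop self-granted elevation, narrow the condition so it fires only when a permissions input is present in the request and differs from `$user->decodePermissions()`, and compare the ids with `===` rather than `==` since both sides are model ids. Consider also placing the check after `$this->authorize('update', $user);` so an unauthorized caller still receives the policy's response rather than this message. The guard covers only the self-edit case; if the submitted permissions are applied later in the method without being compared against the editor's own level, a non-superuser with update rights could still raise another account, so validating the submitted permission set against the editor's level is the more complete mitigation.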