From 950c341c49c0462eb2fe8db4d5d75556315f079f Mon Sep 17 00:00:00 2001
From: Luke Towers
Date: Mon, 10 Jul 2017 18:36:43 -0600
Subject: [PATCH] Prevent privilege escalation from crafted requests

Follow up to https://github.com/octobercms/october/commit/2046efb51d8682de9aca68881b378e0e3dcc44eb. The previous commit prevented users from visually managing permissions that they themselves didn't have access to, this follow-up commit enforces that limitation serverside to defend against crafted privilege escalation attacks by authenticated users.
---
 .../backend/formwidgets/PermissionEditor.php | 24 ++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)

diff --git a/modules/backend/formwidgets/PermissionEditor.php b/modules/backend/formwidgets/PermissionEditor.php
index 7b581b824..565ea3e68 100644
--- a/modules/backend/formwidgets/PermissionEditor.php
+++ b/modules/backend/formwidgets/PermissionEditor.php
@@ -55,11 +55,29 @@ class PermissionEditor extends FormWidgetBase
 */
 public function getSaveValue($value)
 {
- if (is_array($value)) {
- return $value;
+ $newPermissions = is_array($value) ? array_map('intval', $value) : [];
+
+ if (!empty($newPermissions)) {
+ $existingPermissions = $this->model->permissions;
+
+ $allowedPermissions = array_map(function ($permissionObject) {
+ return $permissionObject->code;
+ }, array_flatten($this->getFilteredPermissions()));
+
+ foreach ($newPermissions as $permission => $code) {
+ if ($code === 0) {
+ continue;
+ }
+
+ if (in_array($permission, $allowedPermissions)) {
+ $existingPermissions[$permission] = $code;
+ }
+ }
+
+ $newPermissions = $existingPermissions;
 }
 
- return [];
+ return $newPermissions;
 }
 
 /**
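Review bot: The allow-list check inside the `foreach` in `getSaveValue()` only guards the path that writes a non-zero value, so two cases still escape it: the `if ($code === 0) { continue; }` skip means a submitted 0 never overwrites an existing entry, so a permission the editor is allowed to manage cannot be reset, and when `$value` is empty or not an array the method returns `[]`, which presumably replaces the model's permissions wholesale, including codes outside `$allowedPermissions`. I would drop the `continue` so that allowed codes take whatever value was submitted, and return `$this->model->permissions` unchanged on the empty path if the caller stores the return value as-is (worth confirming against the form save logic). The membership test should also be strict, `in_array($permission, $allowedPermissions, true)`, because a loose comparison of an integer request key against string codes matches on PHP versions before 8. Values pass only through `intval`, so restricting them to the values the widget actually renders would be a cheap additional check.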