Remove superuser field for non-superusers

If an admin user has permission to manage other users, they are able to set others as superuser, or even create their own superuser account. That's not really what we want.
2015-09-24 12:04:26 +01:00 · 2015-09-24 12:04:26 +01:00 · cac8b54e87
parent 5816ae5604
commit cac8b54e87
1 changed files with 4 additions and 0 deletions
--- a/modules/backend/controllers/Users.php
+++ b/modules/backend/controllers/Users.php
@ -94,6 +94,10 @@ class Users extends Controller
            return;
        }

+        if (!$this->user->isSuperUser()) {
+            $form->removeField('permissions[superuser]');
+        }
+
        /*
         * Add permissions tab
         */