From cac8b54e874da9bdc368c1c6d9f28efd685f8a18 Mon Sep 17 00:00:00 2001
From: Dave Shoreman
Date: Thu, 24 Sep 2015 12:04:26 +0100
Subject: [PATCH] Remove superuser field for non-superusers

If an admin user has permission to manage other users, they are able to set others as superuser, or even create their own superuser account. That's not really what we want.
---
 modules/backend/controllers/Users.php | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/modules/backend/controllers/Users.php b/modules/backend/controllers/Users.php
index b7cd8d5a7..0caea82b7 100644
--- a/modules/backend/controllers/Users.php
+++ b/modules/backend/controllers/Users.php
@@ -94,6 +94,10 @@ class Users extends Controller
 return;
 }
 
+ if (!$this->user->isSuperUser()) {
+ $form->removeField('permissions[superuser]');
+ }
+
 /*
 * Add permissions tab
 */
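Review bot: Removing `permissions[superuser]` from the form only hides the input; nothing in this hunk stops a non-superuser with user-management permission from submitting that key directly, so the escalation described in the commit message may still be reachable unless the save path already drops values for fields that are not on the form. That needs a server-side check where the user record is written, reusing the same `!$this->user->isSuperUser()` condition to discard or reject the superuser flag, plus a test that posts the field as a non-superuser and asserts it is not persisted. The new block also sits after the early `return;` above it, so whatever case takes that return keeps the field; confirm that is intended. The enclosing method starts and ends outside the hunk, so both points are inferred from the visible lines only.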