Merge pull request #5508 from Zoey2936/fix-5441

Fix bug that allowed any authenticated user to modify their own roles field through the PUT
jc21 2026-05-14 10:23:31 +10:00 committed by GitHub
commit 13cfa340de
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194


@ -87,7 +87,13 @@ const internalUser = {
}
return access
.can("users:update", data.id)
.can("users:permissions", data.id)
.catch(() => {
delete data.roles;
})
.then(() => {
return access.can("users:update", data.id);
})
.then(() => {
// Make sure that the user being updated doesn't change their email to another user that is already using it
// 1. get user we want to update
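Review bot: The `.catch(() => { delete data.roles; })` added after `access.can("users:permissions", data.id)` swallows every rejection, so a failure unrelated to authorization is handled the same way as a denied permission, and a caller who sent `roles` without that right gets a successful update with the field silently dropped. Dropping the field fails closed, which is the safe direction, but the attempt would be easier to audit if the request were rejected, or at least logged, whenever `data.roles` was present. At minimum I would document the intent above the catch, e.g. `// no users:permissions right: strip roles so this update cannot change them`, and confirm that no other privilege-bearing field in `data` needs the same treatment, which this hunk does not show. The enclosing function starts and ends outside the hunk.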