
Merge pull request #13931 from craftcms/bugfix/user-perms

Fixed a potential privilege escalation bug
pull/14164/head
Brandon Kelly 2 years ago
committed by GitHub
parent
commit
be81eb653d
No known key found for this signature in database GPG Key ID: 4AEE18F83AFDEB23
  1. 4
      CHANGELOG.md
  2. 2
      src/controllers/UsersController.php

4
CHANGELOG.md

@ -1,5 +1,9 @@
# Release Notes for Craft CMS 3.x
## Unreleased
- Fixed a privilege escalation vulnerability.
## 3.9.5 - 2023-10-17
- Added `pgpassword` and `pwd` to the list of keywords that Craft will look for when determining whether a value is sensitive and should be redacted from logs, etc.
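
Review bot: The new entry under `## Unreleased`, "Fixed a privilege escalation vulnerability.", does not say which feature is affected, so someone reading the release notes cannot judge whether their site is exposed or how urgent the upgrade is. Consider naming the area the fix touches (the username handling in `src/controllers/UsersController.php`, the other file in this commit) and linking an advisory if one exists.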

2
src/controllers/UsersController.php

@ -1206,7 +1206,7 @@ JS;
// Is the site set to use email addresses as usernames?
if ($generalConfig->useEmailAsUsername) {
$user->username = $user->email;
} else {
} elseif ($isNewUser || $currentUser->admin || $isCurrentUser) {
$user->username = $this->request->getBodyParam('username', ($user->username ?: $user->email));
}
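
Review bot: In the new `elseif ($isNewUser || $currentUser->admin || $isCurrentUser)` condition, `$currentUser->admin` is dereferenced whenever `$isNewUser` is false, so confirm that `$currentUser` cannot be null on that path, or guard it explicitly. Also, when none of the three conditions holds, a submitted `username` body param is now dropped silently; a short comment stating that only admins may change another user's username, plus a regression test for the non-admin case, would make the intent explicit and keep the check from being loosened later.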
