Merge pull request #13931 from craftcms/bugfix/user-perms
Fixed a potential privilege escalation bug
pull/14164/head
Brandon Kelly, 2 years ago (committed by GitHub)
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 5 additions and 1 deletions
CHANGELOG.md
src/controllers/UsersController.php
@ -1,5 +1,9 @@
# Release Notes for Craft CMS 3.x
## Unreleased
- Fixed a privilege escalation vulnerability.
## 3.9.5 - 2023-10-17
- Added `pgpassword` and `pwd` to the list of keywords that Craft will look for when determining whether a value is sensitive and should be redacted from logs, etc.
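Review bot: The new entry under `## Unreleased`, "Fixed a privilege escalation vulnerability.", does not say which action was affected, so a site operator reading the release notes cannot tell whether their permission setup was exposed. Consider naming the area, for example that it concerns setting a username when a user is saved, which is what the `src/controllers/UsersController.php` change in this commit restricts, or linking an advisory once one exists.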
@ -1206,7 +1206,7 @@ JS;
// Is the site set to use email addresses as usernames?
if ( $generalConfig -> useEmailAsUsername ) {
$user -> username = $user -> email ;
} else {
} elseif ( $isNewUser || $currentUser -> admin || $isCurrentUser ) {
$user -> username = $this -> request -> getBodyParam ( 'username' , ( $user -> username ? : $user -> email ));
}
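Review bot: In the new `elseif ($isNewUser || $currentUser->admin || $isCurrentUser)` branch, a request that fails the condition has its `username` body param dropped silently: nothing in the hunk reports or logs the rejected change. Consider returning a validation error or logging it so that attempts are visible, and add a comment stating the rule (a username may be set only for a new user, by an admin, or by the user themselves). Also, the `useEmailAsUsername` branch above still assigns `$user->username = $user->email` with no equivalent check, so the restriction only holds in that mode if the assignment of `$user->email` is guarded the same way; worth confirming and covering both paths with a test.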