Fix a permission bug in admin manage roles and manage permissions

donjakobo · Jul 11, 2014 · 55c915a · 55c915a
1 parent 76ba374
commit 55c915a
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 6 deletions.
diff --git a/application/controllers/account/manage_permissions.php b/application/controllers/account/manage_permissions.php
@@ -100,10 +100,16 @@ function save($id=null)
       redirect('account/sign_in/?continue='.urlencode(base_url().'account/manage_permissions'));
     }
 
-    // Redirect unauthorized users to account profile page
-    if ( ! $this->authorization->is_permitted('retrieve_permissions'))
+    // Check if they are allowed to Update Users
+    if ( ! $this->authorization->is_permitted('update_permissions') && ! empty($id) )
     {
-      redirect('account/account_profile');
+      redirect('account/manage_permissions');
+    }
+
+    // Check if they are allowed to Create Users
+    if ( ! $this->authorization->is_permitted('create_permissions') && empty($id) )
+    {
+      redirect('account/manage_permissions');
     }
 
     // Retrieve sign in user

diff --git a/application/controllers/account/manage_roles.php b/application/controllers/account/manage_roles.php
@@ -102,10 +102,16 @@ function save($id=null)
       redirect('account/sign_in/?continue='.urlencode(base_url().'account/manage_roles'));
     }
 
-    // Redirect unauthorized users to account profile page
-    if ( ! $this->authorization->is_permitted('retrieve_roles'))
+    // Check if they are allowed to Update Roles
+    if ( ! $this->authorization->is_permitted('update_roles') && ! empty($id) )
     {
-      redirect('account/account_profile');
+      redirect('account/manage_permissions');
+    }
+
+    // Check if they are allowed to Create Roles
+    if ( ! $this->authorization->is_permitted('create_roles') && empty($id) )
+    {
+      redirect('account/manage_permissions');
     }
 
     // Set action type (create or update role)