Unset admin if auth user is not admin

2026-03-12 17:52:00 +08:00 · 2026-03-07 10:45:57 +00:00
parent 7ea549df4a
commit 83e61ec8cd
2 changed files with 29 additions and 7 deletions
--- a/app/Http/Controllers/Api/UsersController.php
+++ b/app/Http/Controllers/Api/UsersController.php
@@ -450,10 +450,18 @@ class UsersController extends Controller
        if ($request->has('permissions')) {
            $permissions_array = $request->input('permissions');

-            // Strip out the superuser permission if the API user isn't a superadmin
            if (! auth()->user()->isSuperUser()) {
-                unset($permissions_array['superuser']);
+                if ((is_array($permissions_array)) && (array_key_exists('superuser', $permissions_array))) {
+                    unset($permissions_array['superuser']);
+                }
            }
+
+            if (!auth()->user()->isAdmin()) {
+                if ((is_array($permissions_array)) && (array_key_exists('admin', $permissions_array))) {
+                    unset($permissions_array['admin']);
+                }
+            }
+
            $user->permissions = $permissions_array;
        }

@@ -589,23 +597,24 @@ class UsersController extends Controller


            $permissions_array = $request->input('permissions');
-            \Log::error(print_r($permissions_array, true));

            // Strip out the individual superuser permission if the API user isn't a superadmin
            if (!auth()->user()->isSuperUser()) {
-                if (array_key_exists('superuser', $permissions_array)) {
+
+                if ((is_array($permissions_array)) && (array_key_exists('superuser', $permissions_array))) {
                    unset($permissions_array['superuser']);
                }
            }

            // Strip out the individual admin permission if the API user isn't an admin
            if (!auth()->user()->isAdmin()) {
+
                if ((is_array($permissions_array)) && (array_key_exists('admin', $permissions_array))) {
                    unset($permissions_array['admin']);
                }
-
            }

+
            $user->permissions = $permissions_array;
        }

--- a/app/Http/Controllers/Users/UsersController.php
+++ b/app/Http/Controllers/Users/UsersController.php
@@ -122,9 +122,22 @@ class UsersController extends Controller
        // Strip out the superuser permission if the user isn't a superadmin
        $permissions_array = $request->input('permission');

-        if (! auth()->user()->isSuperUser()) {
-            unset($permissions_array['superuser']);
+        // Strip out the individual superuser permission if the API user isn't a superadmin
+        if (!auth()->user()->isSuperUser()) {
+
+            if ((is_array($permissions_array)) && (array_key_exists('superuser', $permissions_array))) {
+                unset($permissions_array['superuser']);
+            }
        }
+
+        // Strip out the individual admin permission if the API user isn't an admin
+        if (!auth()->user()->isAdmin()) {
+
+            if ((is_array($permissions_array)) && (array_key_exists('admin', $permissions_array))) {
+                unset($permissions_array['admin']);
+            }
+        }
+
        $user->permissions = json_encode($permissions_array);

        // we have to invoke the form request here to handle image uploads