fixed broken access control issue for account update

naresh verma · naresh verma · commit be6f74144243 · 2021-09-14T13:29:40.000+05:30
diff --git a/packages/Webkul/Admin/src/Http/Controllers/User/AccountController.php b/packages/Webkul/Admin/src/Http/Controllers/User/AccountController.php
@@ -46,6 +46,12 @@ public function update()
             return redirect()->back();
         }
 
+        if( isset($data['role_id']) || isset($data['view_permission']) ) {
+            session()->flash('warning', trans('admin::app.user.account.permission-denied'));
+
+            return redirect()->back();
+        }
+
         if (! $data['password']) {
             unset($data['password']);
         } else {
@@ -63,4 +69,4 @@ public function update()
 
         return redirect()->route('admin.dashboard.index');
     }
-}
+}
diff --git a/packages/Webkul/Admin/src/Resources/lang/en/app.php b/packages/Webkul/Admin/src/Resources/lang/en/app.php
@@ -650,6 +650,7 @@
                 'confirm_password'  => 'Confirm password',
                 'password-match'    => 'Current password does not match.',
                 'account-save'      => 'Account changes saved successfully.',
+                'permission-denied' => 'Permission Denied'
             ]
         ],
 
@@ -674,4 +675,4 @@
             ]
         ]
     ];
-?>
+?>

Original file line number	Diff line number	Diff line change
`@@ -650,6 +650,7 @@`
`650`	`650`	`'confirm_password' => 'Confirm password',`
`651`	`651`	`'password-match' => 'Current password does not match.',`
`652`	`652`	`'account-save' => 'Account changes saved successfully.',`
	`653`	`+ 'permission-denied' => 'Permission Denied'`
`653`	`654`	`]`
`654`	`655`	`],`
`655`	`656`
`@@ -674,4 +675,4 @@`
`674`	`675`	`]`
`675`	`676`	`]`
`676`	`677`	`];`
`677`		`-?>`
	`678`	`+?>`