Simplify FormController context identification logic

Author: LukeTowers

modules/backend/behaviors/FormController.php

@@ -122,11 +122,7 @@ public function __construct($controller)
      */
     public function initForm($model, $context = null)
     {
-        if ($context !== null) {
-            $this->context = $context;
-        }
-
-        $context = $this->formGetContext();
+        $context = $this->context = $context ?? $this->formGetContext();
 
         /*
          * Each page can supply a unique form definition, if desired
@@ -432,15 +428,13 @@ public function formGetModel()
     }
 
     /**
-     * Returns the active form context, either obtained from the postback
-     * variable called `form_context` or detected from the configuration,
-     * or routing parameters.
+     * Returns the active form context detected from the configuration or routing parameters.
      *
      * @return string
      */
     public function formGetContext()
     {
-        return post('form_context', $this->context);
+        return $this->context;
     }
 
     /**

modules/backend/lang/en/lang.php

@@ -160,6 +160,9 @@
         'updated_at' => 'Updated at',
         'deleted_at' => 'Deleted at',
         'show_deleted' => 'Show deleted',
+        'self_escalation_denied' => 'You cannot modify your own role, permissions, or superuser status.',
+        'superuser_grant_denied' => 'Only superusers can grant superuser status or modify other superuser accounts.',
+        'manage_users_denied' => 'You do not have permission to manage other administrators.',
         'group' => [
             'name' => 'Group',
             'name_field' => 'Name',

modules/backend/models/User.php

@@ -3,8 +3,10 @@
 use Mail;
 use Event;
 use Backend;
-use BackendAuth;
+use Backend\Facades\BackendAuth;
+use Illuminate\Support\Facades\Lang;
 use Winter\Storm\Auth\Models\User as UserBase;
+use Winter\Storm\Exception\ApplicationException;
 
 /**
  * Administrator user model
@@ -117,6 +119,36 @@ public function getAvatarThumb($size = 25, $options = null)
             '&d='. urlencode($default);
     }
 
+    /**
+     * Before save event — enforce authorization rules to prevent privilege escalation.
+     * @return void
+     */
+    public function beforeSave()
+    {
+        $actor = BackendAuth::getUser();
+        $isCurrentUser = $this->exists && $actor && $actor->getKey() === $this->getKey();
+
+        // No authenticated user (CLI, artisan, queue, seeders) — allow everything
+        if (!$actor) {
+            return;
+        }
+
+        // Rule 1: Self-escalation — users cannot modify their own role, superuser status, or permissions
+        if ($isCurrentUser && $this->isDirty(['role_id', 'is_superuser', 'permissions'])) {
+            throw new ApplicationException(Lang::get('backend::lang.user.self_escalation_denied'));
+        }
+
+        // Rule 2: Must have backend.manage_users to manage other users
+        if (!$isCurrentUser && !$actor->hasAccess('backend.manage_users')) {
+            throw new ApplicationException(Lang::get('backend::lang.user.manage_users_denied'));
+        }
+
+        // Rule 3: Only superusers can grant superuser status or edit existing superusers
+        if (!$actor->isSuperUser() && ($this->is_superuser || $this->getOriginal('is_superuser'))) {
+            throw new ApplicationException(Lang::get('backend::lang.user.superuser_grant_denied'));
+        }
+    }
+
     /**
      * After create event
      * @return void