Merge branch 'develop' into 1.2

Author: LukeTowers

modules/backend/behaviors/FormController.php

@@ -122,11 +122,7 @@ public function __construct($controller)
      */
     public function initForm($model, $context = null)
     {
-        if ($context !== null) {
-            $this->context = $context;
-        }
-
-        $context = $this->formGetContext();
+        $context = $this->context = $context ?? $this->formGetContext();
 
         /*
          * Each page can supply a unique form definition, if desired
@@ -442,7 +438,7 @@ public function formGetModel()
      */
     public function formGetContext()
     {
-        return post('form_context', $this->context);
+        return $this->context;
     }
 
     /**

modules/backend/classes/FormField.php

@@ -91,9 +91,9 @@ class FormField
     public $span = 'full';
 
     /**
-     * @var string Specifies a size. Possible values: tiny, small, large, huge, giant.
+     * @var string|int Specifies a size. Possible values for textarea: tiny, small, large, huge, giant.
      */
-    public $size = 'large';
+    public $size;
 
     /**
      * @var string Specifies contextual visibility of this form field.
@@ -211,7 +211,7 @@ public function span($value = 'full')
     }
 
     /**
-     * Sets a side of the field on a form.
+     * Sets the size of the field on a form.
      * @param string $value Specifies a size. Possible values: tiny, small, large, huge, giant
      */
     public function size($value = 'large')
@@ -259,6 +259,11 @@ public function options($value = null)
      */
     public function displayAs($type, $config = [])
     {
+        if (in_array($type, ['textarea', 'widget'])) {
+            // defaults to 'large'
+            $this->size = 'large';
+        }
+
         $this->type = strtolower($type) ?: $this->type;
         $this->config = $this->evalConfig($config);
 
@@ -281,18 +286,18 @@ protected function evalConfig($config)
          */
         $applyConfigValues = [
             'commentHtml',
-            'placeholder',
+            'context',
+            'cssClass',
             'dependsOn',
-            'required',
-            'readOnly',
             'disabled',
-            'cssClass',
-            'stretch',
-            'context',
             'hidden',
-            'trigger',
-            'preset',
             'path',
+            'placeholder',
+            'preset',
+            'readOnly',
+            'required',
+            'stretch',
+            'trigger',
         ];
 
         foreach ($applyConfigValues as $value) {
@@ -729,4 +734,31 @@ protected function getFieldNameFromData($fieldName, $data, $default = null)
 
         return $result;
     }
+
+    /**
+      * Implements the getter functionality.
+      * @param  string  $name
+      */
+    public function __get($name)
+    {
+        if (is_array($this->config) && array_key_exists($name, $this->config)) {
+            return array_get($this->config, $name);
+        }
+        if (property_exists($this, $name)) {
+            return $this->{$name};
+        }
+        return null;
+    }
+
+    /**
+      * Determine if an attribute exists on the object.
+      * @param  string  $name
+      */
+    public function __isset($name)
+    {
+        if (is_array($this->config) && array_key_exists($name, $this->config)) {
+            return true;
+        }
+        return property_exists($this, $name) && !is_null($this->{$name});
+    }
 }

modules/backend/lang/en/lang.php

@@ -167,6 +167,9 @@
         'updated_at' => 'Updated at',
         'deleted_at' => 'Deleted at',
         'show_deleted' => 'Show deleted',
+        'self_escalation_denied' => 'You cannot modify your own role, permissions, or superuser status.',
+        'superuser_grant_denied' => 'Only superusers can grant superuser status or modify other superuser accounts.',
+        'manage_users_denied' => 'You do not have permission to manage other administrators.',
         'throttle_tab' => 'Failed Logins',
         'throttle_tab_label' => 'Failed Login Records',
         'throttle_comment' => 'View failed login attempts for this user. These records are automatically generated when login attempts fail. Users are suspended after exceeding the attempt limit.',

modules/backend/models/User.php

@@ -3,6 +3,8 @@
 use Backend\Facades\Backend;
 use Backend\Facades\BackendAuth;
 use Illuminate\Support\Facades\Event;
+use Illuminate\Support\Facades\Lang;
+use Winter\Storm\Auth\AuthorizationException;
 use Winter\Storm\Auth\Models\User as UserBase;
 use Winter\Storm\Support\Facades\Mail;
 
@@ -126,6 +128,36 @@ public function getAvatarThumb($size = 25, $options = null)
             '&d='. urlencode($default);
     }
 
+    /**
+     * Before save event — enforce authorization rules to prevent privilege escalation.
+     * @return void
+     */
+    public function beforeSave()
+    {
+        $actor = BackendAuth::getUser();
+        $isCurrentUser = $this->exists && $actor && $actor->getKey() === $this->getKey();
+
+        // No authenticated user (CLI, artisan, queue, seeders) — allow everything
+        if (!$actor) {
+            return;
+        }
+
+        // Rule 1: Self-escalation — users cannot modify their own role, superuser status, or permissions
+        if ($isCurrentUser && $this->isDirty(['role_id', 'is_superuser', 'permissions'])) {
+            throw new AuthorizationException(Lang::get('backend::lang.user.self_escalation_denied'));
+        }
+
+        // Rule 2: Must have backend.manage_users to manage other users
+        if (!$isCurrentUser && !$actor->hasAccess('backend.manage_users')) {
+            throw new AuthorizationException(Lang::get('backend::lang.user.manage_users_denied'));
+        }
+
+        // Rule 3: Only superusers can grant superuser status or edit existing superusers
+        if (!$actor->isSuperUser() && ($this->is_superuser || $this->getOriginal('is_superuser'))) {
+            throw new AuthorizationException(Lang::get('backend::lang.user.superuser_grant_denied'));
+        }
+    }
+
     /**
      * After create event
      * @return void
@@ -225,7 +257,7 @@ public function unsuspend()
 
     /**
      * Returns an array of merged permissions based on the user's individual permissions
-     * and their group permissions filtering out any permissions the impersonator doesn't
+     * and their role permissions filtering out any permissions the impersonator doesn't
      * have access to (if the current user is being impersonated)
      *
      * @return array