OP Regular Newbie Apr 17, 2026 6:24pm

Severity: CRITICAL

Location: src/Controllers/AdminUserController.php:232

Bug: After appending $data['role'] = $newRole, the update call omits the $allowProtected=true flag. 'role' is in PROTECTED_UPDATE_KEYS, so the method throws InvalidArgumentException.

Fix: User::update((int) $id, $data, true); — match the pattern already used in changeRole().

Status: open. Will reply with remediation details when resolved.

Regular Newbie Apr 17, 2026 6:25pm

Resolved.

Added $allowProtected = true to the User::update call in AdminUserController::update (src/Controllers/AdminUserController.php:232). Admin user edits that touch role now go through the protected-column opt-in instead of throwing.

Verified with php -l; full edit form no longer raises InvalidArgumentException on role change.

Locking this thread.
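
An added example of the protected-column opt-in this thread describes; it is not the project's code. The class body, the allowlisted columns, the role names, the extra 'password_hash' key and the adminUpdateUser() helper are all assumptions. The point it shows: the opt-in flag covers the whole $data array, so the caller builds $data from an allowlist and sets only the protected key it has validated.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the model discussed in the thread.
final class User
{
    // 'role' is from the thread; 'password_hash' is an assumed extra entry.
    public const PROTECTED_UPDATE_KEYS = ['role', 'password_hash'];

    /** @var array<int, array<string, mixed>> in-memory rows (constructed sample data) */
    public static array $rows = [7 => ['name' => 'alice', 'email' => 'a@example.test', 'role' => 'user']];

    public static function update(int $id, array $data, bool $allowProtected = false): void
    {
        $blocked = array_intersect(array_keys($data), self::PROTECTED_UPDATE_KEYS);
        if ($blocked !== [] && !$allowProtected) {
            throw new InvalidArgumentException('Protected keys: ' . implode(', ', $blocked));
        }
        self::$rows[$id] = array_merge(self::$rows[$id], $data);
    }
}

// Hypothetical controller helper: builds $data from an allowlist, never from raw input.
function adminUpdateUser(int $id, array $input): void
{
    $editable = ['name', 'email'];               // assumed ordinary columns
    $roles    = ['user', 'moderator', 'admin'];  // assumed valid roles
    $data = array_intersect_key($input, array_flip($editable));

    $optIn = false;
    if (isset($input['role'])) {
        if (!in_array($input['role'], $roles, true)) {
            throw new InvalidArgumentException('Unknown role');
        }
        $data['role'] = $input['role'];  // the only protected key this path sets
        $optIn = true;                   // opt in only when role is actually present
    }
    User::update($id, $data, $optIn);
}

// Constructed request: 'password_hash' is dropped by the allowlist, 'role' is validated.
adminUpdateUser(7, ['name' => 'Alice', 'role' => 'moderator', 'password_hash' => 'x']);
var_dump(User::$rows[7]);

try {
    User::update(7, ['role' => 'admin']);  // no opt-in: the guard rejects it
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```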
