From a51b1fe6346983fb3fa638c5faf8e87eb5106e89 Mon Sep 17 00:00:00 2001
From: Prasad <prasad@vtiger.com>
Date: Fri, 3 May 2024 13:50:20 +0530
Subject: [PATCH] Added validation checks for user administration actions

---
 modules/Users/actions/Save.php  | 6 ++++++
 modules/Users/models/Record.php | 3 ++-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/modules/Users/actions/Save.php b/modules/Users/actions/Save.php
index bbe106565..378a09d58 100644
--- a/modules/Users/actions/Save.php
+++ b/modules/Users/actions/Save.php
@@ -122,7 +122,13 @@ class Users_Save_Action extends Vtiger_Save_Action {
 			if ($status == true) {
 				throw new AppException(vtranslate('LBL_DUPLICATE_USER_EXISTS', $module));
 			}
+		} else {
+			if ($request->has('user_name') || $request->has('user_password') || $request->has('accesskey') ) {
+				// should use separate actions.
+				throw new AppException(vtranslate('LBL_PERMISSION_DENIED', $module));
+			}
 		}
+
 		$recordModel = $this->saveRecord($request);
 
 		if ($request->get('relationOperation')) {
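Review bot: The new guard on the `$request->has('user_name') || ...` line rejects on mere key presence, so an edit form that posts those fields (even empty, or unchanged from the stored value) would be refused with LBL_PERMISSION_DENIED; if that is not the intent, the check should compare against the record's current values or use an emptiness check rather than `has()`, which I cannot confirm from the hunk. The inline comment `// should use separate actions.` does not say why the request is refused; suggest `// Username, password and access-key changes are only accepted through their dedicated actions, which carry their own privilege checks; reject them on the generic save path.` The guard lives only in the new `else` branch, so the branch containing the duplicate-user check (presumably the create path) is not covered — worth a sentence in the comment if that is deliberate. The enclosing method starts and ends outside the hunk.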
diff --git a/modules/Users/models/Record.php b/modules/Users/models/Record.php
index ecaf1385f..06fc11f1d 100644
--- a/modules/Users/models/Record.php
+++ b/modules/Users/models/Record.php
@@ -882,8 +882,9 @@ class Users_Record_Model extends Vtiger_Record_Model {
 		$response = array('success'=> false,'message' => 'error');
 		$record = self::getInstanceFromPreferenceFile($forUserId);
 		$moduleName = $record->getModuleName();
+		$currentUserModel = static::getCurrentUserModel();
 		
-		if(!Users_Privileges_Model::isPermittedToChangeUsername($forUserId)) {
+		if($currentUserModel->getId() == $forUserId || !Users_Privileges_Model::isPermittedToChangeUsername($forUserId)) {
 			$response['message'] = vtranslate('LBL_PERMISSION_DENIED', $moduleName);
 			return $response;
 		}
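Review bot: The added condition compares ids with loose `==` (`$currentUserModel->getId() == $forUserId`), which depends on whether `getId()` and `$forUserId` arrive as int or string; prefer an explicit cast with strict comparison, `if ((int) $currentUserModel->getId() === (int) $forUserId || !Users_Privileges_Model::isPermittedToChangeUsername($forUserId)) {`. The new clause also denies the operation whenever the current user is the target, regardless of what `isPermittedToChangeUsername` would say, so a user can no longer change their own username; if that is intended, a one-line comment above the condition stating that self-service username changes are refused here would save the next reader from reading it as a bug. The enclosing method starts and ends outside the hunk.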
-- 
GitLab