From f7c421ef48fd061f7604bb073f2f5382ae4cfe93 Mon Sep 17 00:00:00 2001
From: Prasad <prasad@vtiger.com>
Date: Mon, 6 May 2024 14:30:46 +0530
Subject: [PATCH] Restricted status change to user by admin only

---
 modules/Users/actions/Save.php     | 16 +++++++++++++++-
 modules/Users/actions/SaveAjax.php | 19 +++++++++++++++++--
 2 files changed, 32 insertions(+), 3 deletions(-)

diff --git a/modules/Users/actions/Save.php b/modules/Users/actions/Save.php
index e0155d7b8..5c5c7aecd 100644
--- a/modules/Users/actions/Save.php
+++ b/modules/Users/actions/Save.php
@@ -110,9 +110,23 @@ class Users_Save_Action extends Vtiger_Save_Action {
 	}
 
 	protected function checkRestrictedValueChange(Vtiger_Request $request) {
+		// NOTE: to be repeated in SaveAjax.php
+
 		if ($request->has('user_name') || $request->has('user_password') || $request->has('accesskey') ) {
 			// should use separate actions.
-			throw new AppException(vtranslate('LBL_PERMISSION_DENIED', $module));
+			throw new AppException(vtranslate('LBL_PERMISSION_DENIED', 'Vtiger'));
+		}
+
+		if ($request->get('field', "") == "status" || $request->has("status")) {
+			$currentUserModel = Users_Record_Model::getCurrentUserModel();
+			// only admin (not self) can change status.
+			if (!$currentUserModel->isAdminUser()) {
+				throw new AppException(vtranslate('LBL_PERMISSION_DENIED', 'Vtiger'));
+			}
+			$recordId = $request->get('record');
+			if ($recordId == $currentUserModel->getId()) {
+				throw new AppException(vtranslate('LBL_PERMISSION_DENIED', 'Vtiger'));
+			}
 		}
 	}
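Review bot: The new status guard (the `if ($request->get('field', "") == "status" || $request->has("status"))` block) is duplicated verbatim in SaveAjax.php's checkRestrictedValueChange in the second hunk, and the added `// NOTE: to be repeated in SaveAjax.php` comment turns that copy into a manual contract; a later tightening of one copy would silently leave the other save path open, so the block belongs in one shared helper that both actions call, with the NOTE comment removed. Within the block, the self-check `if ($recordId == $currentUserModel->getId())` relies on loose equality between a request string and whatever getId() returns; normalizing both sides, `if ((int) $recordId === (int) $currentUserModel->getId())`, makes the denial independent of the id's type. The guard also keys on the mere presence of `status` in the request rather than on a changed value, so a non-admin full-form save that re-submits the current status would be rejected as well; whether the edit form posts that field is not visible here and is worth confirming before merge.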
 
diff --git a/modules/Users/actions/SaveAjax.php b/modules/Users/actions/SaveAjax.php
index e136a1c8a..485a092d3 100644
--- a/modules/Users/actions/SaveAjax.php
+++ b/modules/Users/actions/SaveAjax.php
@@ -44,14 +44,29 @@ class Users_SaveAjax_Action extends Vtiger_SaveAjax_Action {
 	}
 
 	protected function checkRestrictedValueChange(Vtiger_Request $request) {
+		// NOTE: to be repeated in Save.php
+		
 		if ($request->has('user_name') || $request->has('user_password') || $request->has('accesskey') ) {
 			// should use separate actions.
-			throw new AppException(vtranslate('LBL_PERMISSION_DENIED', $module));
+			throw new AppException(vtranslate('LBL_PERMISSION_DENIED', 'Vtiger'));
 		}
 		if ($request->has('field') && in_array($request->get('field'), array('user_name', 'user_password', 'accesskey'))) {
 			// should use separate actions.
-			throw new AppException(vtranslate('LBL_PERMISSION_DENIED', $module));
+			throw new AppException(vtranslate('LBL_PERMISSION_DENIED', 'Vtiger'));
 		}
+
+		if ($request->get('field', "") == "status" || $request->has("status")) {
+			$currentUserModel = Users_Record_Model::getCurrentUserModel();
+			// only admin (not self) can change status.
+			if (!$currentUserModel->isAdminUser()) {
+				throw new AppException(vtranslate('LBL_PERMISSION_DENIED', 'Vtiger'));
+			}
+			$recordId = $request->get('record');
+			if ($recordId == $currentUserModel->getId()) {
+				throw new AppException(vtranslate('LBL_PERMISSION_DENIED', 'Vtiger'));
+			}
+		}
+
 	}
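Review bot: The added blank line after `// NOTE: to be repeated in Save.php` carries trailing whitespace, and the extra blank line inserted before the method's closing brace is absent from the otherwise identical block in Save.php; dropping both keeps the two copies textually identical and the patch whitespace-clean. Since the commit intends these two blocks to be kept in sync by hand, any textual drift between them makes a later diff-based comparison harder than it needs to be.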
 	
 	public function process(Vtiger_Request $request) {
-- 
GitLab