fix security leaphole

ndeblauw · web-flow · commit 74b28dec5d56 · 2022-10-18T23:06:14.000+02:00
diff --git a/src/UserLoginAsController.php b/src/UserLoginAsController.php
@@ -16,6 +16,9 @@ public function loginAs($user)
         } else {
             $user = \App\Models\User::findOrFail($user);
         }
+        if( method_exists($user,'isManager') && $user->isManager()) {
+            abort(403, "Het is niet mogelijk om in te loggen alsof je een andere admin bent");
+        }
         Auth::login($user);
 
         Session::put('loginas', $current_user_id);

Original file line number	Diff line number	Diff line change
`@@ -16,6 +16,9 @@ public function loginAs($user)`
`16`	`16`	`} else {`
`17`	`17`	`$user = \App\Models\User::findOrFail($user);`
`18`	`18`	`}`
	`19`	`+ if( method_exists($user,'isManager') && $user->isManager()) {`
	`20`	`+ abort(403, "Het is niet mogelijk om in te loggen alsof je een andere admin bent");`
	`21`	`+ }`
`19`	`22`	`Auth::login($user);`
`20`	`23`
`21`	`24`	`Session::put('loginas', $current_user_id);`