Merge pull request #13932 from craftcms/bugfix/element-pe

Fixed a potential privilege escalation bug
craftcms · Nov 16, 2023 · 76caf9a · 76caf9a
2 parents d29a74a + db5fff9
commit 76caf9a
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 3 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -11,7 +11,7 @@
 - Fixed a bug where dropdown option labels within Table fields weren’t getting translated. ([#13914](https://github.com/craftcms/cms/issues/13914))
 - Fixed a bug where “Updating search indexes” jobs were getting queued for Matrix block revisions. ([#13917](https://github.com/craftcms/cms/issues/13917))
 - Fixed a bug where control panel resources weren’t getting published on demand. ([#13935](https://github.com/craftcms/cms/issues/13935))
-- Fixed a privilege escalation vulnerability.
+- Fixed privilege escalation vulnerabilities.
 
 ## 4.5.10 - 2023-11-07
 

diff --git a/src/controllers/ElementsController.php b/src/controllers/ElementsController.php
@@ -1103,11 +1103,17 @@ public function actionSave(): ?Response
         }
 
         $this->element = $element;
-
-        $this->_applyParamsToElement($element);
         $elementsService = Craft::$app->getElements();
         $user = static::currentUser();
 
+        // Check save permissions before and after applying POST params to the element
+        // in case the request was tampered with.
+        if (!$elementsService->canSave($element, $user)) {
+            throw new ForbiddenHttpException('User not authorized to save this element.');
+        }
+
+        $this->_applyParamsToElement($element);
+
         if (!$elementsService->canSave($element, $user)) {
             throw new ForbiddenHttpException('User not authorized to save this element.');
         }