Update: 2026-05-03 22:51:59

2026-05-03 22:51:59 +03:00
parent 6d2c61497c
commit 87809ac893
9 changed files with 201 additions and 45 deletions
--- a/app/modules_app/users/create.php
+++ b/app/modules_app/users/create.php
@@ -16,6 +16,17 @@ if ($decoded['role'] !== 'super_admin' && $decoded['role'] !== 'admin') {

 $data = input();

+// 1. Role Authorization check (Prevent Role Escalation)
+$allowedRoles = match($decoded['role']) {
+    'super_admin' => ['super_admin', 'admin', 'accountant', 'employee', 'viewer'],
+    'admin'       => ['accountant', 'employee', 'viewer'], 
+    default       => []
+};
+
+if (!in_array($data['role'] ?? '', $allowedRoles, true)) {
+    json_error('غير مصرح لك بإنشاء مستخدم بهذا الدور', 403);
+}
+
 // 2. Validation
 $errors = Validator::validate($data, [
    'name'     => 'required',