payload

Files

Jessica Rynkar 6e5ddc8873 fix(examples): only allow super admins to create users with super admin role (#13015 )

### What?

This PR updates the `create` access control on the `users` collection in
the `multi-tenant` example to prevent unauthorized creation of
`super-admin` users.

### Why?

Previously, any authenticated user could create a new user and assign
them the `super-admin` role — even if they didn’t have that role
themselves. This bypassed role-based restrictions and introduced a
security vulnerability, allowing users to escalate their own privileges
by working around role restrictions during user creation.

### How?

The `create` access function now checks whether the current user has the
`super-admin` role before allowing the creation of another
`super-admin`. If not, the request is denied.


**Fixes:** `CMS2-Q225-01`

2025-07-02 15:42:55 +01:00

access

feat: adds multi-tenant plugin (#10447 )

2025-01-15 14:47:46 -05:00

app

fix(examples): ensure working multi-tenant example with pg (#11501 )

2025-03-03 10:21:55 -05:00

collections

fix(examples): only allow super admins to create users with super admin role (#13015 )

2025-07-02 15:42:55 +01:00

utilities

fix(examples): ensure working multi-tenant example with pg (#11501 )