requireAdmin() now factors in the allowAdminChanges config setting

Resolves #3728
craftcms · Jan 28, 2019 · 1eb7eba · 1eb7eba
1 parent e9e7ac8
commit 1eb7eba
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 0 deletions.
diff --git a/CHANGELOG-v3.md b/CHANGELOG-v3.md
@@ -2,6 +2,9 @@
 
 ## Unreleased
 
+### Changed
+- `craft\web\Controller::requireAdmin()` now sends a 403 (Forbidden) response if the `allowAdminChanges` config setting has been set to `false`. ([#3728](https://github.com/craftcms/cms/issues/3728))
+
 ### Fixed
 - Fixed an erroc that occurred when uing the `json_decode` filter. ([#3722](https://github.com/craftcms/cms/pull/3722))
 - Fixed a bug a bug where plugin screenshots in teh Plugin Store were not rendering correctly. ([#3709](https://github.com/craftcms/cms/issues/3709))

diff --git a/src/web/Controller.php b/src/web/Controller.php
@@ -193,6 +193,11 @@ public function requireAdmin()
         if (!Craft::$app->getUser()->getIsAdmin()) {
             throw new ForbiddenHttpException('User is not permitted to perform this action.');
         }
+
+        // Make sure admin changes are allowed
+        if (!Craft::$app->getConfig()->getGeneral()->allowAdminChanges) {
+            throw new ForbiddenHttpException('Administrative changes are disallowed in this environment.');
+        }
     }
 
     /**