fix: Unauthenticated privilege escalation

Pek5892 · Pek5892 · commit da25e4799f24 · 2026-02-17T16:13:45.000+01:00
diff --git a/modules/utenti/actions.php b/modules/utenti/actions.php
@@ -18,7 +18,6 @@
  * along with this program. If not, see <https://www.gnu.org/licenses/>.
  */
 
-$skip_permissions = true;
 include_once __DIR__.'/../../core.php';
 
 use Models\Group;
diff --git a/modules/utenti/info.php b/modules/utenti/info.php
@@ -21,13 +21,8 @@
 use Models\Module;
 use Models\Setting;
 
-$skip_permissions = true;
 include_once __DIR__.'/../../core.php';
 
-if (!AuthOSM::check()) {
-    redirect_url(base_path_osm().'/index.php');
-}
-
 $pageTitle = tr('Utente');
 
 include_once App::filepath('include|custom|', 'top.php');
@@ -49,6 +44,7 @@
 
 $api = base_url().'/api/?token='.$token;
 $module = Module::where('name', 'Utenti e permessi')->first();
+$first_module = AuthOSM::firstModule();
 
 echo '
 <div class="row">
@@ -213,7 +209,7 @@ function salvaImpostazione(id, valore){
         dataType: "JSON",
         data: {
             op: "update_setting",
-            id_module: '.$module->id.',
+            id_module: '.$first_module.',
             id: id,
             valore: valore,
         },
