Fix user security issue

2 files changed, 9 insertions, 1 deletions

diff --git a/web/app/view/user/UserDialog.js b/web/app/view/user/UserDialog.js
index 7b6dc4199..fba182eb1 100644
--- a/web/app/view/user/UserDialog.js
+++ b/web/app/view/user/UserDialog.js
@@ -50,7 +50,9 @@ Ext.define('Traccar.view.user.UserDialog', {
             xtype: 'checkboxfield',
             name: 'admin',
             fieldLabel: strings.login_admin,
-            allowBlank: false
+            allowBlank: false,
+            disabled: true,
+            reference: 'adminField'
         }]
     },
 
diff --git a/web/app/view/user/UserDialogController.js b/web/app/view/user/UserDialogController.js
index 1ec14c5e8..c5464225c 100644
--- a/web/app/view/user/UserDialogController.js
+++ b/web/app/view/user/UserDialogController.js
@@ -18,6 +18,12 @@ Ext.define('Traccar.view.user.UserDialogController', {
     extend: 'Ext.app.ViewController',
     alias: 'controller.userdialog',
 
+    init: function() {
+        if (Traccar.getApplication().getUser().get('admin')) {
+            this.lookupReference('adminField').setDisabled(false);
+        }
+    },
+
     onSaveClick: function(button) {
         var dialog = button.up('window').down('form');
         dialog.updateRecord();