fix: [users:toggle] Prevent users to disable admins

src/Controller/Component/ACLComponent.php

@@ -291,6 +291,9 @@ class ACLComponent extends Component
             return false;
         }
         if (!$currentUser['role']['perm_admin']) {
+            if ($user['role']['perm_admin']) {
+                return false; // org_admins cannot edit admins
+            }
             if (!$currentUser['role']['perm_org_admin']) {
                 return false;
             } else {

src/Controller/Component/CRUDComponent.php

@@ -967,6 +967,9 @@ class CRUDComponent extends Component
         }
 
         $data = $this->Table->get($id, $params);
+        if (isset($params['afterFind'])) {
+            $data = $params['afterFind']($data, $params);
+        }
         if ($this->request->is(['post', 'put'])) {
             if (isset($params['force_state'])) {
                 $data->{$fieldName} = $params['force_state'];

src/Controller/UsersController.php

@@ -184,7 +184,19 @@ class UsersController extends AppController
 
     public function toggle($id, $fieldName = 'disabled')
     {
-        $this->CRUD->toggle($id, $fieldName);
+        $params = [
+            'contain' => 'Roles'
+        ];
+        $currentUser = $this->ACL->getUser();
+        if (!$currentUser['role']['perm_admin']) {
+            $params['afterFind'] = function ($user, &$params) use ($currentUser) {
+                if (!$this->ACL->canEditUser($currentUser, $user)) {
+                    throw new MethodNotAllowedException(__('You cannot edit the given user.'));
+                }
+                return $user;
+            };
+        }
+        $this->CRUD->toggle($id, $fieldName, $params);
         $responsePayload = $this->CRUD->getResponsePayload();
         if (!empty($responsePayload)) {
             return $responsePayload;