Prevent assignment of superadmin group in UserController

Exclude the 'superadmin' group when syncing user groups during creation and updates to ensure this role cannot be assigned through the standard user management interface.

Author: bertugfahriozer

modules/Users/Controllers/UserController.php

@@ -141,7 +141,7 @@ public function create_user()
                 if (!$users->save($user)) return redirect()->route('create_user')->withInput()->with('errors', $users->errors());
                 $new_user = $users->findById($users->getInsertID());
 
-                $groups = $this->commonModel->lists('auth_groups', 'group', [], 'id ASC', 0, 0, [], ['id' => $this->request->getPost('group')]);
+                $groups = $this->commonModel->lists('auth_groups', 'group', ['group!=' => 'superadmin'], 'id ASC', 0, 0, [], ['id' => $this->request->getPost('group')]);
                 $groupNames = array_column($groups, 'group');
                 $new_user->syncGroups(...$groupNames);
 
@@ -219,7 +219,7 @@ public function update_user(int $id)
 
             $u->fill($data);
             if ($user->save($u)) {
-                $groups = $this->commonModel->lists('auth_groups', 'group', [], 'id ASC', 0, 0, [], ['id' => $this->request->getPost('group')]);
+                $groups = $this->commonModel->lists('auth_groups', 'group', ['group!=' => 'superadmin'], 'id ASC', 0, 0, [], ['id' => $this->request->getPost('group')]);
                 $groupNames = array_column($groups, 'group');
                 $u->syncGroups(...$groupNames);
                 return redirect()->route('users')->with('message', lang('Backend.updated', [$data['username']]));