authorFrederic Guillot <fred@kanboard.net>2017-08-11 21:24:29 -0700
committerFrederic Guillot <fred@kanboard.net>2017-08-11 21:24:29 -0700
commit88dd6abbf3f519897f2f6280e95c9eec9123a4ae (patch)
tree0fecfbbf0facc5bd8bad5fd3fbb1b15844d26c56
parent7a6b1bc3da0af442e02b5a2dc430a4ded8e7c4ee (diff)
Make sure only admins can change password of other users
-rw-r--r--app/Controller/UserCredentialController.php4
-rw-r--r--app/Validator/UserValidator.php4
2 files changed, 8 insertions, 0 deletions
diff --git a/app/Controller/UserCredentialController.php b/app/Controller/UserCredentialController.php
index 23e7edba..ae52a13c 100644
--- a/app/Controller/UserCredentialController.php
+++ b/app/Controller/UserCredentialController.php
@@ -43,6 +43,10 @@ class UserCredentialController extends BaseController
list($valid, $errors) = $this->userValidator->validatePasswordModification($values);
+ if (! $this->userSession->isAdmin()) {
+ $values['id'] = $this->userSession->getId();
+ }
+
if ($valid) {
if ($this->userModel->update($values)) {
$this->flash->success(t('Password modified successfully.'));
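Review bot: The non-admin override of `$values['id']` (the three added lines) runs after `validatePasswordModification($values)` has already consumed the submitted values, so validation and `$this->userModel->update($values)` operate on different ids; moving the added block above the `list($valid, $errors) = …` line makes the session id the single source of truth before any rule executes. As written the outcome is still safe only because the companion hunk in UserValidator.php separately rejects a foreign id for non-admins, so the controller override is redundant rather than the protective check. Separately, if `$values` is the raw request payload (its origin is above the hunk and not visible here), confirm that `update()` discards columns other than the password fields — otherwise a non-admin could still submit extra attributes through this form even though the id is now pinned to the session. The enclosing action starts before and ends after the hunk.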
diff --git a/app/Validator/UserValidator.php b/app/Validator/UserValidator.php
index fe402c47..041390a3 100644
--- a/app/Validator/UserValidator.php
+++ b/app/Validator/UserValidator.php
@@ -116,6 +116,10 @@ class UserValidator extends BaseValidator
$v = new Validator($values, array_merge($rules, $this->commonPasswordValidationRules()));
if ($v->execute()) {
+ if (! $this->userSession->isAdmin() && $values['id'] != $this->userSession->getId()) {
+ return array(false, array('current_password' => array('Invalid User ID')));
+ }
+
if ($this->authenticationManager->passwordAuthentication($this->userSession->getUsername(), $values['current_password'], false)) {
return array(true, array());
} else {