diff options
| author | Frederic Guillot <fred@kanboard.net> | 2017-08-11 21:24:29 -0700 |
|---|---|---|
| committer | Frederic Guillot <fred@kanboard.net> | 2017-08-11 21:24:29 -0700 |
| commit | 88dd6abbf3f519897f2f6280e95c9eec9123a4ae (patch) | |
| tree | 0fecfbbf0facc5bd8bad5fd3fbb1b15844d26c56 /app/Validator | |
| parent | 7a6b1bc3da0af442e02b5a2dc430a4ded8e7c4ee (diff) | |
Make sure only admins can change password of other users
Diffstat (limited to 'app/Validator')
| -rw-r--r-- | app/Validator/UserValidator.php | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/app/Validator/UserValidator.php b/app/Validator/UserValidator.php index fe402c47..041390a3 100644 --- a/app/Validator/UserValidator.php +++ b/app/Validator/UserValidator.php @@ -116,6 +116,10 @@ class UserValidator extends BaseValidator $v = new Validator($values, array_merge($rules, $this->commonPasswordValidationRules())); if ($v->execute()) { + if (! $this->userSession->isAdmin() && $values['id'] != $this->userSession->getId()) { + return array(false, array('current_password' => array('Invalid User ID'))); + } + if ($this->authenticationManager->passwordAuthentication($this->userSession->getUsername(), $values['current_password'], false)) { return array(true, array()); } else { |