From 88dd6abbf3f519897f2f6280e95c9eec9123a4ae Mon Sep 17 00:00:00 2001
From: Frederic Guillot
Date: Fri, 11 Aug 2017 21:24:29 -0700
Subject: Make sure only admins can change password of other users

---
 app/Controller/UserCredentialController.php | 4 ++++
 1 file changed, 4 insertions(+)
 (limited to 'app/Controller')

diff --git a/app/Controller/UserCredentialController.php b/app/Controller/UserCredentialController.php
index 23e7edba..ae52a13c 100644
--- a/app/Controller/UserCredentialController.php
+++ b/app/Controller/UserCredentialController.php
@@ -43,6 +43,10 @@ class UserCredentialController extends BaseController
 list($valid, $errors) = $this->userValidator->validatePasswordModification($values);
+ if (! $this->userSession->isAdmin()) {
+ $values['id'] = $this->userSession->getId();
+ }
+
 if ($valid) {
 if ($this->userModel->update($values)) {
 $this->flash->success(t('Password modified successfully.'));
-- 
cgit v1.2.3
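Review bot: The new id override is applied after `validatePasswordModification($values)` has already run on the submitted values, so the validator checks the client-supplied `id` while `update()` receives the session id; if any validation rule depends on `id`, the two disagree. Moving the `if (! $this->userSession->isAdmin()) { $values['id'] = $this->userSession->getId(); }` block above the `list($valid, $errors) = ...` line validates exactly what is persisted. The new block also deserves a why-comment, e.g. `// Non-admins may only change their own password: ignore any submitted user id.` The enclosing method starts and ends outside the hunk.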