From 88dd6abbf3f519897f2f6280e95c9eec9123a4ae Mon Sep 17 00:00:00 2001
From: Frederic Guillot
Date: Fri, 11 Aug 2017 21:24:29 -0700
Subject: Make sure only admins can change password of other users

---
 app/Validator/UserValidator.php | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'app/Validator')

diff --git a/app/Validator/UserValidator.php b/app/Validator/UserValidator.php
index fe402c47..041390a3 100644
--- a/app/Validator/UserValidator.php
+++ b/app/Validator/UserValidator.php
@@ -116,6 +116,10 @@ class UserValidator extends BaseValidator
         $v = new Validator($values, array_merge($rules, $this->commonPasswordValidationRules()));
 
         if ($v->execute()) {
+            if (! $this->userSession->isAdmin() && $values['id'] != $this->userSession->getId()) {
+                return array(false, array('current_password' => array('Invalid User ID')));
+            }
+
             if ($this->authenticationManager->passwordAuthentication($this->userSession->getUsername(), $values['current_password'], false)) {
                 return array(true, array());
             } else {
-- 
cgit v1.2.3
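Review bot: The new authorization guard compares request data with loose `!=`, so `$values['id']` (a string straight from the form) is matched against the session id under PHP's numeric-string coercion rules, and a missing `id` key raises a notice before the comparison runs; an explicit presence check and a typed strict comparison are the safer shape, e.g. `if (! $this->userSession->isAdmin() && (! isset($values['id']) || (int) $values['id'] !== (int) $this->userSession->getId())) {`. Reporting the failure under the `current_password` field with the bare string `'Invalid User ID'` also mis-attributes the error to the wrong input and, unlike the other validator messages this file presumably wraps in `t()` (not visible in this hunk), bypasses translation. Worth noting that this check lives inside the validator rather than the controller/authorization layer, so any other caller that updates a password without going through this validation path would not be protected by it. The enclosing method begins before and continues after this hunk.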