aboutsummaryrefslogtreecommitdiffstats
path: root/include/ws_functions/pwg.users.php
diff options
context:
space:
mode:
Diffstat (limited to 'include/ws_functions/pwg.users.php')
-rw-r--r--include/ws_functions/pwg.users.php21
1 files changed, 21 insertions, 0 deletions
diff --git a/include/ws_functions/pwg.users.php b/include/ws_functions/pwg.users.php
index d878bcb31..f8fe51c2a 100644
--- a/include/ws_functions/pwg.users.php
+++ b/include/ws_functions/pwg.users.php
@@ -426,6 +426,27 @@ function ws_users_setInfo($params, &$service)
if (!empty($params['password']))
{
+ if (!is_webmaster())
+ {
+ $password_protected_users = array($conf['guest_id']);
+
+ $query = '
+SELECT
+ user_id
+ FROM '.USER_INFOS_TABLE.'
+ WHERE status IN (\'webmaster\', \'admin\')
+;';
+ $admin_ids = query2array($query, null, 'user_id');
+
+ // we add all admin+webmaster users BUT the user herself
+ $password_protected_users = array_merge($password_protected_users, array_diff($admin_ids, array($user['id'])));
+
+ if (in_array($params['user_id'][0], $password_protected_users))
+ {
+ return new PwgError(403, 'Only webmasters can change password of other "webmaster/admin" users');
+ }
+ }
+
$updates[ $conf['user_fields']['password'] ] = $conf['password_hash']($params['password']);
}
}