diff options
Diffstat (limited to 'include')
| -rw-r--r-- | include/ws_functions/pwg.users.php | 21 |
1 files changed, 21 insertions, 0 deletions
diff --git a/include/ws_functions/pwg.users.php b/include/ws_functions/pwg.users.php index d878bcb31..f8fe51c2a 100644 --- a/include/ws_functions/pwg.users.php +++ b/include/ws_functions/pwg.users.php @@ -426,6 +426,27 @@ function ws_users_setInfo($params, &$service) if (!empty($params['password'])) { + if (!is_webmaster()) + { + $password_protected_users = array($conf['guest_id']); + + $query = ' +SELECT + user_id + FROM '.USER_INFOS_TABLE.' + WHERE status IN (\'webmaster\', \'admin\') +;'; + $admin_ids = query2array($query, null, 'user_id'); + + // we add all admin+webmaster users BUT the user herself + $password_protected_users = array_merge($password_protected_users, array_diff($admin_ids, array($user['id']))); + + if (in_array($params['user_id'][0], $password_protected_users)) + { + return new PwgError(403, 'Only webmasters can change password of other "webmaster/admin" users'); + } + } + $updates[ $conf['user_fields']['password'] ] = $conf['password_hash']($params['password']); } } |