From 6290be46f2307e8b47937af153dcf2b66bba2e4e Mon Sep 17 00:00:00 2001
From: plegall
Date: Fri, 12 Feb 2016 14:56:00 +0100
Subject: fixes #419, an admin can't change webmaster password

---
 include/ws_functions/pwg.users.php | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

(limited to 'include')

diff --git a/include/ws_functions/pwg.users.php b/include/ws_functions/pwg.users.php
index d878bcb31..f8fe51c2a 100644
--- a/include/ws_functions/pwg.users.php
+++ b/include/ws_functions/pwg.users.php
@@ -426,6 +426,27 @@ function ws_users_setInfo($params, &$service)
 if (!empty($params['password']))
 {
+ if (!is_webmaster())
+ {
+ $password_protected_users = array($conf['guest_id']);
+
+ $query = '
+SELECT
+ user_id
+ FROM '.USER_INFOS_TABLE.'
+ WHERE status IN (\'webmaster\', \'admin\')
+;';
+ $admin_ids = query2array($query, null, 'user_id');
+
+ // we add all admin+webmaster users BUT the user herself
+ $password_protected_users = array_merge($password_protected_users, array_diff($admin_ids, array($user['id'])));
+
+ if (in_array($params['user_id'][0], $password_protected_users))
+ {
+ return new PwgError(403, 'Only webmasters can change password of other "webmaster/admin" users');
+ }
+ }
+
 $updates[ $conf['user_fields']['password'] ] = $conf['password_hash']($params['password']);
 }
 }
--
cgit v1.2.3
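Review bot: The guard `in_array($params['user_id'][0], $password_protected_users)` only inspects the first id and compares loosely, so the authorization decision rests on PHP type juggling between the request value and the string ids returned by `query2array`; if the part of `ws_users_setInfo` outside this hunk does not already reject a password change for more than one `user_id`, every id after the first gets the new password without passing this check. Normalising both sides to `int` and iterating all requested ids with a strict `in_array` makes the check independent of how the ids arrive. `$user['id']` is also read here; I cannot see whether the function declares `global $user` next to `$conf` (it starts and ends outside the hunk), and if it does not, `array_diff` removes nothing and the admin's own id stays protected, which would re-break the self-change case the commit fixes. A short comment such as `// non-webmasters may only change their own password or that of non-admin users` above the block would make the intent clearer than the current one.
```php
// … unchanged: is_webmaster() check, SQL query and $admin_ids lookup …
$protected_ids = array_map('intval', array_merge($password_protected_users, array_diff($admin_ids, array($user['id']))));

// every requested id must pass, not just the first one
foreach ($params['user_id'] as $requested_id)
{
  if (in_array((int)$requested_id, $protected_ids, true))
  {
    return new PwgError(403, 'Only webmasters can change password of other "webmaster/admin" users');
  }
}
```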