aboutsummaryrefslogtreecommitdiffstats
path: root/include/ws_functions/pwg.users.php
diff options
context:
space:
mode:
authorplegall <plg@piwigo.org>2016-02-12 14:56:00 +0100
committerplegall <plg@piwigo.org>2016-02-12 14:56:00 +0100
commit6290be46f2307e8b47937af153dcf2b66bba2e4e (patch)
tree8e7d9e167e090ffb36f1aa09d85c3596780e5109 /include/ws_functions/pwg.users.php
parent718fe065f7cd342b8f5e3fb069aec63138d5b3e8 (diff)
fixes #419, an admin can't change webmaster password
Diffstat (limited to '')
-rw-r--r--include/ws_functions/pwg.users.php21
1 files changed, 21 insertions, 0 deletions
diff --git a/include/ws_functions/pwg.users.php b/include/ws_functions/pwg.users.php
index d878bcb31..f8fe51c2a 100644
--- a/include/ws_functions/pwg.users.php
+++ b/include/ws_functions/pwg.users.php
@@ -426,6 +426,27 @@ function ws_users_setInfo($params, &$service)
if (!empty($params['password']))
{
+ if (!is_webmaster())
+ {
+ $password_protected_users = array($conf['guest_id']);
+
+ $query = '
+SELECT
+ user_id
+ FROM '.USER_INFOS_TABLE.'
+ WHERE status IN (\'webmaster\', \'admin\')
+;';
+ $admin_ids = query2array($query, null, 'user_id');
+
+ // we add all admin+webmaster users BUT the user herself
+ $password_protected_users = array_merge($password_protected_users, array_diff($admin_ids, array($user['id'])));
+
+ if (in_array($params['user_id'][0], $password_protected_users))
+ {
+ return new PwgError(403, 'Only webmasters can change password of other "webmaster/admin" users');
+ }
+ }
+
$updates[ $conf['user_fields']['password'] ] = $conf['password_hash']($params['password']);
}
}