author | plegall <plg@piwigo.org> | 2016-03-08 10:48:00 +0100 |
---|---|---|
committer | plegall <plg@piwigo.org> | 2016-03-08 10:48:00 +0100 |
commit | f9fecd0be09ea6da405f1ab2a09e09bc51312dd4 (patch) | |
tree | 681f9b4cbbed109beb41ca4babf0662dc814f8c4 /include/ws_functions/pwg.users.php | |
parent | f5d0f09a20da71d51ed4d85da2d2c12698b11b6b (diff) | |
parent | d80d853a23119bd21c20ad92024cba5dce47e7d4 (diff) |
Merge branch 'master' into translation
Diffstat (limited to 'include/ws_functions/pwg.users.php')
-rw-r--r-- | include/ws_functions/pwg.users.php | 26 |
1 files changed, 26 insertions, 0 deletions
diff --git a/include/ws_functions/pwg.users.php b/include/ws_functions/pwg.users.php
index d878bcb31..eaa96c9c1 100644
--- a/include/ws_functions/pwg.users.php
+++ b/include/ws_functions/pwg.users.php
@@ -426,6 +426,27 @@ function ws_users_setInfo($params, &$service)
 if (!empty($params['password']))
 {
+ if (!is_webmaster())
+ {
+ $password_protected_users = array($conf['guest_id']);
+
+ $query = '
+SELECT
+ user_id
+ FROM '.USER_INFOS_TABLE.'
+ WHERE status IN (\'webmaster\', \'admin\')
+;';
+ $admin_ids = query2array($query, null, 'user_id');
+
+ // we add all admin+webmaster users BUT the user herself
+ $password_protected_users = array_merge($password_protected_users, array_diff($admin_ids, array($user['id'])));
+
+ if (in_array($params['user_id'][0], $password_protected_users))
+ {
+ return new PwgError(403, 'Only webmasters can change password of other "webmaster/admin" users');
+ }
+ }
+
 $updates[ $conf['user_fields']['password'] ] = $conf['password_hash']($params['password']);
 }
 }
@@ -531,6 +552,11 @@ SELECT
 array($conf['user_fields']['id'] => $params['user_id'][0])
 );
+ if (isset($updates[ $conf['user_fields']['password'] ]))
+ {
+ deactivate_user_auth_keys($params['user_id'][0]);
+ }
+
 if (isset($update_status) and count($params['user_id_for_status']) > 0)
 {
 $query = ' |
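Review bot: The protected-account check sits only inside the `if (!empty($params['password']))` branch, so it stops a non-webmaster from setting the password of the guest, admin and webmaster accounts but, as far as this hunk shows, not from changing their other credential-related fields (for example an e-mail address that may drive password recovery). ws_users_setInfo starts and ends outside the hunk, so this needs checking against the other field branches; if they are unguarded, build `$password_protected_users` once before the per-field branches and apply the same `in_array($params['user_id'][0], $password_protected_users)` test there. The 403 text also names only "webmaster/admin" users although `$conf['guest_id']` is in the list, which is worth a comment such as `// the guest account is protected too: only a webmaster may set its password`.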
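Review bot: Revoking auth keys covers only one kind of outstanding credential; nothing in this hunk ends sessions already open for `$params['user_id'][0]`, so a password change made in response to a suspected compromise may leave an existing login alive. If the session layer offers a way to do it, end that user's sessions inside the same `if (isset($updates[ $conf['user_fields']['password'] ]))` block. A one-line comment such as `// password changed: revoke every outstanding auth key for this account` would also make the coupling to the password branch explicit. The enclosing function starts and ends outside the hunk, so whether sessions are handled elsewhere cannot be confirmed from here.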