diff options
author | plegall <plg@piwigo.org> | 2016-02-12 14:56:00 +0100 |
---|---|---|
committer | plegall <plg@piwigo.org> | 2016-02-12 14:56:00 +0100 |
commit | 6290be46f2307e8b47937af153dcf2b66bba2e4e (patch) | |
tree | 8e7d9e167e090ffb36f1aa09d85c3596780e5109 /include/ws_functions/pwg.users.php | |
parent | 718fe065f7cd342b8f5e3fb069aec63138d5b3e8 (diff) |
fixes #419, an admin can't change webmaster password
Diffstat (limited to 'include/ws_functions/pwg.users.php')
-rw-r--r-- | include/ws_functions/pwg.users.php | 21 |
1 files changed, 21 insertions, 0 deletions
diff --git a/include/ws_functions/pwg.users.php b/include/ws_functions/pwg.users.php index d878bcb31..f8fe51c2a 100644 --- a/include/ws_functions/pwg.users.php +++ b/include/ws_functions/pwg.users.php @@ -426,6 +426,27 @@ function ws_users_setInfo($params, &$service) if (!empty($params['password'])) { + if (!is_webmaster()) + { + $password_protected_users = array($conf['guest_id']); + + $query = ' +SELECT + user_id + FROM '.USER_INFOS_TABLE.' + WHERE status IN (\'webmaster\', \'admin\') +;'; + $admin_ids = query2array($query, null, 'user_id'); + + // we add all admin+webmaster users BUT the user herself + $password_protected_users = array_merge($password_protected_users, array_diff($admin_ids, array($user['id']))); + + if (in_array($params['user_id'][0], $password_protected_users)) + { + return new PwgError(403, 'Only webmasters can change password of other "webmaster/admin" users'); + } + } + $updates[ $conf['user_fields']['password'] ] = $conf['password_hash']($params['password']); } } |