Prevent non-administrators from changing the password of other users
dignajar committed May 28, 2019
1 parent ce3d527 commit a1bb333
Showing 1 changed file with 7 additions and 1 deletion.
8 changes: 7 additions & 1 deletion bl-kernel/admin/controllers/user-password.php
@@ -13,8 +13,14 @@
// ============================================================================

if ($_SERVER['REQUEST_METHOD'] == 'POST') {
// Prevent non-administrators to change other users
$username = $_POST['username'];
if ($login->role()!=='admin') {
$username = $login->username();
}

if (changeUserPassword(array(
'username'=>$_POST['username'],
'username'=>$username,
'newPassword'=>$_POST['newPassword'],
'confirmPassword'=>$_POST['confirmPassword']
))) {
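Review bot: In the new role check ahead of the changeUserPassword() call, a non-admin who posts another user's name is not rejected; the request is silently retargeted to `$login->username()`, so a tampered form changes the requester's own password and leaves no trace of the attempt. I would fail the request instead when `$login->role()!=='admin'` and `$_POST['username'] !== $login->username()`, return an error to the user, and log the mismatch so it can be picked up in monitoring. Two smaller points on the same lines: `$_POST['username']` is read without an existence check, and the authorization lives only in this controller, so if changeUserPassword() is reachable from any other code path the same ownership check should be enforced inside that function rather than at this one call site.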