Security: fix ajax user manager to not display user info to anonymous…

… users - refs #3905
chamilo · Aug 10, 2021 · 4ab26ce · 4ab26ce
1 parent 9f141a6
commit 4ab26ce
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/main/inc/ajax/user_manager.ajax.php b/main/inc/ajax/user_manager.ajax.php
@@ -69,6 +69,10 @@
 
         $isAnonymous = api_is_anonymous();
 
+        if ($isAnonymous && empty($courseId)) {
+            break;
+        }
+
         if ($isAnonymous && $courseId) {
             if ('false' === api_get_setting('course_catalog_published')) {
                 break;