
Prevent logged-in users from viewing other users' records and admins from s…

…uper-admin records; thanks to pang0lin
dleffler committed Nov 5, 2016
1 parent 311dd93 commit e38aae66c785f08f3907aa121378caf71ca5f2d7
Showing with 19 additions and 0 deletions.
  1. +19 −0 framework/modules/users/controllers/usersController.php
@@ -62,6 +62,25 @@ static function canImportData() {
return true;
}
public function show() {
global $user;
$id = !empty($this->params['id']) ? $this->params['id'] : null;
// check to see if we should be editing. You either need to be an admin, or viewing own account.
if ($user->isAdmin() || ($user->id == $id)) {
$u = new user($id);
if ($u->isSuperAdmin() && $user->isActingAdmin()) {
flash('error', gt('You do not have the proper permissions to view this record'));
expHistory::back();
}
parent::show();
} else {
flash('error', gt('You do not have the proper permissions to view this record'));
expHistory::back();
}
}
public function manage() {
global $user;
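Review bot: The ownership check `$user->id == $id` in show() compares a request-supplied value with loose equality, and the deny branch for super-admin records does not stop execution before `parent::show()`. `$id` is taken straight from `$this->params['id']` and falls back to `null`, so under `==` an unauthenticated or zero-id `$user` could match a missing or non-numeric id (e.g. `0 == null` is true); I would tighten it to `if ($user->isAdmin() || ($id !== null && (int) $user->id === (int) $id)) {`. Inside the admin branch, after `expHistory::back();` I would add `return;` so that, if `expHistory::back()` only queues a redirect rather than exiting (not visible here), the super-admin record is not still rendered. The enclosing manage() method starts at the end of the hunk and continues outside it.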
