Prevent logged in users from viewing other user records and admins from s…
…uper-admin records; thanks to pang0lin
dleffler committed Nov 5, 2016
1 parent 311dd93 commit e38aae6
Showing 1 changed file with 19 additions and 0 deletions.
19 changes: 19 additions & 0 deletions framework/modules/users/controllers/usersController.php
Expand Up @@ -62,6 +62,25 @@ static function canImportData() {
return true;
}

public function show() {
global $user;

$id = !empty($this->params['id']) ? $this->params['id'] : null;

// check to see if we should be editing. You either need to be an admin, or viewing own account.
if ($user->isAdmin() || ($user->id == $id)) {
$u = new user($id);
if ($u->isSuperAdmin() && $user->isActingAdmin()) {
flash('error', gt('You do not have the proper permissions to view this record'));
expHistory::back();
}
parent::show();
} else {
flash('error', gt('You do not have the proper permissions to view this record'));
expHistory::back();
}
}

public function manage() {
global $user;
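Review bot: The ownership check on the `if ($user->isAdmin() || ($user->id == $id))` line compares the session user's id with a request-supplied value using loose `==`, and `$id` is `null` whenever no id parameter arrives. `0 == null` is true in every PHP version and `0 == 'abc'` was true before PHP 8, so depending on what `$user->id` holds for an anonymous or freshly created user the guard may pass for a record the caller does not own; a strict form such as `if ($user->isAdmin() || ($id !== null && (int) $user->id === (int) $id)) {` closes that gap. The super-admin branch also relies on `expHistory::back()` terminating the request; if it returns instead, `parent::show()` on the following line still renders the record, so a `return;` after each `expHistory::back()` call would make the denial explicit regardless of that helper's behaviour. manage() begins at the end of the hunk and continues outside it.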

