
Commit e38aae6

committed
Prevent logged-in users from viewing other users' records, and admins from viewing super-admin records; thanks to pang0lin
1 parent 311dd93 commit e38aae6


1 file changed

+19
-0
lines changed


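--- a/framework/modules/users/controllers/usersController.php
+++ b/framework/modules/users/controllers/usersController.php
@@ -62,6 +62,25 @@ static function canImportData() {
 return true;
 }
 
+public function show() {
+global $user;
+
+$id = !empty($this->params['id']) ? $this->params['id'] : null;
+
+// check to see if we should be editing. You either need to be an admin, or viewing own account.
+if ($user->isAdmin() || ($user->id == $id)) {
+$u = new user($id);
+if ($u->isSuperAdmin() && $user->isActingAdmin()) {
+flash('error', gt('You do not have the proper permissions to view this record'));
+expHistory::back();
+}
+parent::show();
+} else {
+flash('error', gt('You do not have the proper permissions to view this record'));
+expHistory::back();
+}
+}
+
 public function manage() {
 global $user;
 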
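Review bot: The super-admin guard inside the new show() only denies access if `expHistory::back()` actually terminates the request; if it merely emits a redirect header and returns, execution falls through to `parent::show()` on new-side line 77 and the super-admin record is rendered anyway, so add an explicit `return;` after each `expHistory::back();` (new-side lines 75 and 80) so neither denial path can reach `parent::show()`. The own-account test `$user->id == $id` on new-side line 71 is a loose comparison between an integer and a raw request parameter (or `null` when `id` is absent), so a non-logged-in `$user` whose id is 0 or null would satisfy it for an empty or non-numeric id; compare strictly and require an authenticated user, e.g. `if ($user->isAdmin() || ($user->isLoggedIn() && (int)$user->id === (int)$id)) {`, assuming the user object exposes a logged-in check. The comment on new-side line 70 talks about "editing" but this is the view path; `// Only admins, or a logged-in user viewing their own record, may proceed.` describes the check accurately.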
