Administrators cannot change other administrators' passwords

& #1472
instantsoft · Aug 14, 2023 · 78ff8ca · 78ff8ca
1 parent a6bf758
commit 78ff8ca
Show file tree

Hide file tree

Showing 4 changed files with 24 additions and 12 deletions.
diff --git a/install/templates/step_php.php b/install/templates/step_php.php
@@ -1,6 +1,6 @@
 <h1><?php echo LANG_STEP_PHP_CHECK; ?></h1>
 
-<h2><?php echo LANG_PHP_VERSION; ?></h1>
+<h2><?php echo LANG_PHP_VERSION; ?></h2>
 <p><?php echo LANG_PHP_VERSION_REQ ?></p>
 <table class="grid">
     <tr>

diff --git a/system/controllers/users/actions/profile_edit_password.php b/system/controllers/users/actions/profile_edit_password.php
@@ -8,9 +8,14 @@ class actionUsersProfileEditPassword extends cmsAction {
 
     public function run($profile) {
 
-        // проверяем наличие доступа
+        // Владельцы и админы могут редактировать
         if (!$this->is_own_profile && !$this->cms_user->is_admin) {
-            cmsCore::error404();
+            return cmsCore::error404();
+        }
+
+        // Администраторы тут могут редактировать только свои профили
+        if ($this->cms_user->is_admin && !$this->is_own_profile && $profile['is_admin']) {
+            return cmsCore::error404();
         }
 
         $form = $this->getForm('password', [$profile]);
@@ -153,7 +158,7 @@ public function run($profile) {
                     $result = $this->model->updateUser($profile['id'], $profile);
 
                     if ($result['success']) {
-                        
+
                         list($profile, $data, $form) = cmsEventsManager::hook('users_after_edit_password', [$profile, $data, $form]);
 
                         if (!empty($data['password1'])) {

diff --git a/system/controllers/users/actions/profile_edit_sessions.php b/system/controllers/users/actions/profile_edit_sessions.php
@@ -11,6 +11,10 @@ public function run($profile) {
             return cmsCore::error404();
         }
 
+        if ($this->cms_user->is_admin && !$this->is_own_profile && $profile['is_admin']) {
+            return cmsCore::error404();
+        }
+
         return $this->cms_template->render('profile_edit_sessions', [
             'id'       => $profile['id'],
             'profile'  => $profile,

diff --git a/system/controllers/users/frontend.php b/system/controllers/users/frontend.php
@@ -235,15 +235,18 @@ public function getProfileEditMenu($profile) {
             ];
         }
 
-        $menu[] = [
-            'title' => LANG_SECURITY,
-            'url'   => href_to_profile($profile, ['edit', 'password'])
-        ];
+        if ($this->is_own_profile || (!$profile['is_admin'] && $this->cms_user->is_admin)) {
 
-        $menu[] = [
-            'title' => LANG_USERS_SESSIONS,
-            'url'   => href_to_profile($profile, ['edit', 'sessions'])
-        ];
+            $menu[] = [
+                'title' => LANG_SECURITY,
+                'url'   => href_to_profile($profile, ['edit', 'password'])
+            ];
+
+            $menu[] = [
+                'title' => LANG_USERS_SESSIONS,
+                'url'   => href_to_profile($profile, ['edit', 'sessions'])
+            ];
+        }
 
         list($menu, $profile) = cmsEventsManager::hook('profile_edit_menu', [$menu, $profile]);