Make sure only admins can change password of other users
fguillot committed Aug 12, 2017
1 parent 7a6b1bc commit 88dd6ab
Showing 2 changed files with 8 additions and 0 deletions.
4 changes: 4 additions & 0 deletions app/Controller/UserCredentialController.php
Expand Up @@ -43,6 +43,10 @@ public function savePassword()

list($valid, $errors) = $this->userValidator->validatePasswordModification($values);

if (! $this->userSession->isAdmin()) {
$values['id'] = $this->userSession->getId();
}

if ($valid) {
if ($this->userModel->update($values)) {
$this->flash->success(t('Password modified successfully.'));
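Review bot: The id override in the new `if (! $this->userSession->isAdmin())` block runs after `validatePasswordModification($values)` has already been called, so `$valid` and `$errors` were computed against the caller-supplied id while `update()` receives the session id. Since the validator in the same commit rejects a non-admin whose id does not match the session, this override only ever takes effect when the ids already agree, which makes it a defense-in-depth guard rather than the primary check; that intent deserves a comment, e.g. `// Defense in depth: a non-admin can only ever update their own record, whatever id was posted`. If the intent is instead to silently correct a forged id, the assignment belongs before the validator call so validation and update see the same values. savePassword() starts and ends outside the hunk.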
4 changes: 4 additions & 0 deletions app/Validator/UserValidator.php
Expand Up @@ -116,6 +116,10 @@ public function validatePasswordModification(array $values)
$v = new Validator($values, array_merge($rules, $this->commonPasswordValidationRules()));

if ($v->execute()) {
if (! $this->userSession->isAdmin() && $values['id'] != $this->userSession->getId()) {
return array(false, array('current_password' => array('Invalid User ID')));
}

if ($this->authenticationManager->passwordAuthentication($this->userSession->getUsername(), $values['current_password'], false)) {
return array(true, array());
} else {
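Review bot: The new ownership check uses loose inequality, `$values['id'] != $this->userSession->getId()`, between a form-submitted value and the session id; with PHP's numeric-string coercion a value such as `"5abc"` compares equal to `5`, so the check should normalise and compare strictly, e.g. `(int) $values['id'] !== (int) $this->userSession->getId()` (the return type of getId() is not visible here, so confirm the cast is appropriate). The same line also reads `$values['id']` without `isset()`, which raises a notice when the field is absent from the posted data, so a guard like `empty($values['id']) ||` in front of the comparison would be safer. The rejection is keyed under `'current_password'` and its message is not passed through `t()` like the flash message in the controller hunk; if the validator translates its other messages, this one should match. validatePasswordModification() continues past the end of the hunk.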
