Fix issue #3002 - "User 'administrator' is not able to change other u…

…sers settings" * account_prefs_update.php + check if $f_user_id is unprotected instead of the current user + if f_user_id is not the current user, perform an additional access check NOTE: I'm not sure we should be sharing this file between the account section and manage section. Having to add that conditional access check is a little ugly and who knows if the pages will always be the same. Most of the code should be in an API function anyway. git-svn-id: http://mantisbt.svn.sourceforge.net/svnroot/mantisbt/trunk@2026 f5dc347c-c33d-0410-90a0-b07cc1902cb9
mantisbt · Feb 25, 2003 · 795e50b · 795e50b
1 parent 55f24c1
commit 795e50b
Showing 1 changed file with 12 additions and 3 deletions.
diff --git a/account_prefs_update.php b/account_prefs_update.php
@@ -6,7 +6,7 @@
 	# See the README and LICENSE files for details
 
 	# --------------------------------------------------------
-	# $Id: account_prefs_update.php,v 1.29 2003-02-18 02:18:00 jfitzell Exp $
+	# $Id: account_prefs_update.php,v 1.30 2003-02-25 17:46:09 jfitzell Exp $
 	# --------------------------------------------------------
 ?>
 <?php
@@ -21,13 +21,22 @@
 ?>
 <?php 
 	auth_ensure_user_authenticated();
-
-	current_user_ensure_unprotected();
 ?>
 <?php
 	$f_user_id					= gpc_get_int( 'user_id' );
 	$f_redirect_url				= gpc_get_string( 'redirect_url' );
 
+	# If the user is trying to modify an account other than their own
+	#  they must have high enough permissions to do so
+	# @@@ should we really be sharing this file between the manage section
+	#  and the account section.  The account section should always be operating
+	#  on the current user, so passing in a user ID here is a little odd.
+	if ( auth_get_current_user_id() !== $f_user_id ) {
+		access_ensure_global_level( config_get( 'manage_user_threshold' ) );
+	}
+
+	user_ensure_unprotected( $f_user_id );
+
 	$t_prefs = user_pref_get( $f_user_id );
 
 	$t_prefs->redirect_delay	= gpc_get_int( 'redirect_delay' );