fixes #419, an admin can't change webmaster password
@@ -426,6 +426,27 @@ function ws_users_setInfo($params, &$service)
|
||||
|
||||
if (!empty($params['password']))
|
||||
{
|
||||
if (!is_webmaster())
|
||||
{
|
||||
$password_protected_users = array($conf['guest_id']);
|
||||
|
||||
$query = '
|
||||
SELECT
|
||||
user_id
|
||||
FROM '.USER_INFOS_TABLE.'
|
||||
WHERE status IN (\'webmaster\', \'admin\')
|
||||
;';
|
||||
$admin_ids = query2array($query, null, 'user_id');
|
||||
|
||||
// we add all admin+webmaster users BUT the user herself
|
||||
$password_protected_users = array_merge($password_protected_users, array_diff($admin_ids, array($user['id'])));
|
||||
|
||||
if (in_array($params['user_id'][0], $password_protected_users))
|
||||
{
|
||||
return new PwgError(403, 'Only webmasters can change password of other "webmaster/admin" users');
|
||||
}
|
||||
}
|
||||
|
||||
$updates[ $conf['user_fields']['password'] ] = $conf['password_hash']($params['password']);
|
||||
}
|
||||
}
|
||||
|
||||
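Review bot: The protected-user check looks only at `$params['user_id'][0]`, although `user_id` is handled as an array, so any further ids in the same request are never compared against `$password_protected_users` before the new hash is written to `$updates`. ws_users_setInfo starts and ends outside this hunk, so it cannot be confirmed here whether an earlier guard already rejects a password change for more than one user. If it does not, the test should cover every id, e.g. `if (array_intersect($params['user_id'], $password_protected_users))`. The 403 message also names only "webmaster/admin" users, although the guest account is in the protected list too.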