fixes #419, an admin can't change webmaster password

This commit is contained in:
plegall
2016-02-12 14:56:00 +01:00
parent 718fe065f7
commit 6290be46f2
3 changed files with 34 additions and 3 deletions
+21
View File
@@ -426,6 +426,27 @@ function ws_users_setInfo($params, &$service)
if (!empty($params['password']))
{
if (!is_webmaster())
{
$password_protected_users = array($conf['guest_id']);
$query = '
SELECT
user_id
FROM '.USER_INFOS_TABLE.'
WHERE status IN (\'webmaster\', \'admin\')
;';
$admin_ids = query2array($query, null, 'user_id');
// we add all admin+webmaster users BUT the user herself
$password_protected_users = array_merge($password_protected_users, array_diff($admin_ids, array($user['id'])));
if (in_array($params['user_id'][0], $password_protected_users))
{
return new PwgError(403, 'Only webmasters can change password of other "webmaster/admin" users');
}
}
$updates[ $conf['user_fields']['password'] ] = $conf['password_hash']($params['password']);
}
}