Make sure only admins can change password of other users

2017-08-11 21:24:29 -07:00 · 2017-08-11 21:24:29 -07:00 · 88dd6abbf3
parent 7a6b1bc3da
commit 88dd6abbf3
2 changed files with 8 additions and 0 deletions
--- a/app/Controller/UserCredentialController.php
+++ b/app/Controller/UserCredentialController.php
@ -43,6 +43,10 @@ class UserCredentialController extends BaseController

        list($valid, $errors) = $this->userValidator->validatePasswordModification($values);

+        if (! $this->userSession->isAdmin()) {
+            $values['id'] = $this->userSession->getId();
+        }
+
        if ($valid) {
            if ($this->userModel->update($values)) {
                $this->flash->success(t('Password modified successfully.'));
--- a/app/Validator/UserValidator.php
+++ b/app/Validator/UserValidator.php
@ -116,6 +116,10 @@ class UserValidator extends BaseValidator
        $v = new Validator($values, array_merge($rules, $this->commonPasswordValidationRules()));

        if ($v->execute()) {
+            if (! $this->userSession->isAdmin() && $values['id'] != $this->userSession->getId()) {
+                return array(false, array('current_password' => array('Invalid User ID')));
+            }
+
            if ($this->authenticationManager->passwordAuthentication($this->userSession->getUsername(), $values['current_password'], false)) {
                return array(true, array());
            } else {