check permissions before changing the display name
authorBjörn Schießle <schiessle@owncloud.com>
Tue, 29 Jan 2013 21:20:15 +0000 (22:20 +0100)
committerBjörn Schießle <schiessle@owncloud.com>
Tue, 29 Jan 2013 21:20:15 +0000 (22:20 +0100)
settings/ajax/changedisplayname.php

index 82ca18c3706c0534f054903b4b924d81bf77d1fe..f80ecb7a0c939063cc44d2125f40058a51f41f87 100644 (file)
@@ -6,6 +6,19 @@ OC_JSON::checkLoggedIn();
 $username = isset($_POST["username"]) ? $_POST["username"] : OC_User::getUser();\r
 $displayName = $_POST["displayName"];\r
 \r
+$userstatus = null;\r
+if(OC_User::isAdminUser(OC_User::getUser())) {\r
+       $userstatus = 'admin';\r
+}\r
+if(OC_SubAdmin::isUserAccessible(OC_User::getUser(), $username)) {\r
+       $userstatus = 'subadmin';\r
+}\r
+\r
+if(is_null($userstatus)) {\r
+       OC_JSON::error( array( "data" => array( "message" => "Authentication error" )));\r
+       exit();\r
+}\r
+\r
 // Return Success story\r
 if( OC_User::setDisplayName( $username, $displayName )) {\r
        OC_JSON::success(array("data" => array( "username" => $username )));\r
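Review bot: When `username` is omitted it defaults to the caller (first context line), yet the added check grants access only through `OC_User::isAdminUser()` or `OC_SubAdmin::isUserAccessible()`, so an ordinary user renaming their own account is probably rejected with "Authentication error". That depends on how `isUserAccessible()` treats a caller who is not a subadmin, which is not visible here. If self-service is meant to stay allowed, add an explicit branch such as `if ($username === OC_User::getUser()) { $userstatus = 'self'; }` rather than loosening the two existing checks. The check fails closed, which is the right default, but only the null-ness of `$userstatus` is ever read, so the second `if` overwriting 'admin' with 'subadmin' is harmless yet would read better as `elseif` or a plain boolean. The `if` around `setDisplayName()` continues past the end of the hunk.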