authorBjörn Schießle <schiessle@owncloud.com>2013-01-29 22:20:15 +0100
committerBjörn Schießle <schiessle@owncloud.com>2013-01-29 22:20:15 +0100
commitafad6e95db5387a26fe698396f7dc8b3db26da2c (patch)
tree061b98643485cc2e5c6dadaefaf43d2906fd8e05 /settings/ajax/changedisplayname.php
parent27edbfdf562ece30bd1fb81a1eaa7b5bd037a219 (diff)
check permissions before changing the display name
Diffstat (limited to 'settings/ajax/changedisplayname.php')
-rw-r--r--settings/ajax/changedisplayname.php13
1 files changed, 13 insertions, 0 deletions
diff --git a/settings/ajax/changedisplayname.php b/settings/ajax/changedisplayname.php
index 82ca18c3706..f80ecb7a0c9 100644
--- a/settings/ajax/changedisplayname.php
+++ b/settings/ajax/changedisplayname.php
@@ -6,6 +6,19 @@ OC_JSON::checkLoggedIn();
$username = isset($_POST["username"]) ? $_POST["username"] : OC_User::getUser();
$displayName = $_POST["displayName"];
+$userstatus = null;
+if(OC_User::isAdminUser(OC_User::getUser())) {
+ $userstatus = 'admin';
+}
+if(OC_SubAdmin::isUserAccessible(OC_User::getUser(), $username)) {
+ $userstatus = 'subadmin';
+}
+
+if(is_null($userstatus)) {
+ OC_JSON::error( array( "data" => array( "message" => "Authentication error" )));
+ exit();
+}
+
// Return Success story
if( OC_User::setDisplayName( $username, $displayName )) {
OC_JSON::success(array("data" => array( "username" => $username )));
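Review bot: The new guard before `OC_User::setDisplayName()` has no explicit branch for a user renaming themselves. When `$username` falls back to `OC_User::getUser()`, a non-admin passes only if `OC_SubAdmin::isUserAccessible()` returns true for the caller's own uid, which cannot be confirmed from this hunk. If self-service renaming is intended, state it in the code with a strict comparison, e.g. `if ($username === OC_User::getUser()) { $userstatus = 'self'; }`, and document in a comment which roles may rename which accounts. `$userstatus` is only ever tested with `is_null()`, so the second `if` silently overwrites `'admin'` with `'subadmin'`; an `elseif` or a plain boolean would describe the decision more honestly. The rejection is an authorization failure rather than an authentication one, so the "Authentication error" message will mislead anyone triaging logs; the `if` block that follows continues outside the hunk.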