From ab1370277036b337040ce180614f967295ad287a Mon Sep 17 00:00:00 2001
From: Georg Ehrke <dev@georgswebsite.de>
Date: Wed, 28 Nov 2012 17:57:31 +0100
Subject: make some checks server-side

---
 settings/ajax/togglegroups.php | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'settings/ajax')

diff --git a/settings/ajax/togglegroups.php b/settings/ajax/togglegroups.php
index de941f99132..931ab2689e2 100644
--- a/settings/ajax/togglegroups.php
+++ b/settings/ajax/togglegroups.php
@@ -7,6 +7,12 @@ $success = true;
 $username = $_POST["username"];
 $group = OC_Util::sanitizeHTML($_POST["group"]);
 
+if($username == OC_User::getUser() && $group == "admin" &&  OC_Group::inGroup($username, 'admin')){
+	$l = OC_L10N::get('core');
+	OC_JSON::error(array( 'data' => array( 'message' => $l->t('Admins can\'t remove themself from the admin group'))));
+	exit();
+}
+
 if(!OC_Group::inGroup(OC_User::getUser(), 'admin') && (!OC_SubAdmin::isUserAccessible(OC_User::getUser(), $username) || !OC_SubAdmin::isGroupAccessible(OC_User::getUser(), $group))) {
 	$l = OC_L10N::get('core');
 	OC_JSON::error(array( 'data' => array( 'message' => $l->t('Authentication error') )));
-- 
cgit v1.2.3