From afad6e95db5387a26fe698396f7dc8b3db26da2c Mon Sep 17 00:00:00 2001 From: Björn Schießle Date: Tue, 29 Jan 2013 22:20:15 +0100 Subject: check permissions before changing the display name --- settings/ajax/changedisplayname.php | 13 +++++++++++++ 1 file changed, 13 insertions(+) (limited to 'settings/ajax') diff --git a/settings/ajax/changedisplayname.php b/settings/ajax/changedisplayname.php index 82ca18c3706..f80ecb7a0c9 100644 --- a/settings/ajax/changedisplayname.php +++ b/settings/ajax/changedisplayname.php @@ -6,6 +6,19 @@ OC_JSON::checkLoggedIn(); $username = isset($_POST["username"]) ? $_POST["username"] : OC_User::getUser(); $displayName = $_POST["displayName"]; +$userstatus = null; +if(OC_User::isAdminUser(OC_User::getUser())) { + $userstatus = 'admin'; +} +if(OC_SubAdmin::isUserAccessible(OC_User::getUser(), $username)) { + $userstatus = 'subadmin'; +} + +if(is_null($userstatus)) { + OC_JSON::error( array( "data" => array( "message" => "Authentication error" ))); + exit(); +} + // Return Success story if( OC_User::setDisplayName( $username, $displayName )) { OC_JSON::success(array("data" => array( "username" => $username ))); -- cgit v1.2.3