Closed hole when using userid information from form data (merged from STABLE)

2025-03-14 12:40:01 +01:00 · 2004-09-27 13:26:06 +00:00 · 2004-09-27 13:26:06 +00:00 · 1a86eccccd
commit 1a86eccccd
parent ce791f885e
1 changed files with 5 additions and 1 deletions
--- a/user/edit.php
+++ b/user/edit.php
@ -39,7 +39,7 @@
        require_login($course->id);
    }

-    if ($USER->id <> $user->id and !isadmin()) {
+    if (($USER->id <> $user->id) && !isadmin()) {
        error("You can only edit your own information");
    }

@ -65,6 +65,10 @@

    if ($usernew = data_submitted()) {

+        if (($USER->id <> $usernew->id) && !isadmin()) {
+            error("You can only edit your own information");
+        }
+
        if (isset($USER->username)) {
            check_for_restricted_user($USER->username, "$CFG->wwwroot/course/view.php?id=$course->id");
        }