Restricted updating own user to options
authorAlexander Ebert <ebert@woltlab.com>
Sun, 26 Feb 2012 16:56:34 +0000 (17:56 +0100)
committerAlexander Ebert <ebert@woltlab.com>
Sun, 26 Feb 2012 16:56:34 +0000 (17:56 +0100)
wcfsetup/install/files/lib/data/user/UserAction.class.php

index c0344f1181fa1e70f78f553a6a2ea9df36d2326a..5193278e13ad4f0f3954087e91ebac9ff906e8d3 100644 (file)
@@ -39,12 +39,6 @@ class UserAction extends AbstractDatabaseObjectAction {
         */
        protected $permissionsUpdate = array('admin.user.canEditUser');
        
-       /**
-        * list of user actions allowed within update
-        * @var array<string>
-        */
-       public $allowOwnUserUpdate = array('data', 'options');
-       
        /**
         * Validates permissions and parameters.
         */
@@ -103,11 +97,9 @@ class UserAction extends AbstractDatabaseObjectAction {
                catch (PermissionDeniedException $e) {
                        // check if we're editing ourselves
                        if (count($this->objects) == 1 && ($this->objects[0]->userID == WCF::getUser()->userID)) {
-                               foreach (array_keys($this->parameters) as $key) {
-                                       // check if action is allowed (prevent the user from updating own groups etc)
-                                       if (!in_array($key, $this->allowOwnUserUpdate)) {
-                                               throw new ValidateActionException('Insufficient permissions');
-                                       }
+                               $count = count($this->parameters);
+                               if ($count > 1 || ($count == 1 && !isset($this->parameters['options']))) {
+                                       throw new ValidateActionException('Insufficient permissions');
                                }
                        }