Validate permissions for resending activation mails
authorJoshua Rüsweg <josh@bastelstu.be>
Fri, 7 Dec 2018 13:11:33 +0000 (14:11 +0100)
committerJoshua Rüsweg <josh@bastelstu.be>
Fri, 7 Dec 2018 13:11:33 +0000 (14:11 +0100)
See #2766

wcfsetup/install/files/lib/data/user/UserAction.class.php

index 3796b1ec929628dc9b626dd46dc716c6fa605840..561f5ff037f0a16fc5ed1fd2da8ad55fdfd49443 100644 (file)
@@ -15,6 +15,7 @@ use wcf\system\email\mime\RecipientAwareTextMimePart;
 use wcf\system\email\Email;
 use wcf\system\email\UserMailbox;
 use wcf\system\event\EventHandler;
+use wcf\system\exception\IllegalLinkException;
 use wcf\system\exception\PermissionDeniedException;
 use wcf\system\exception\UserInputException;
 use wcf\system\request\RequestHandler;
@@ -879,6 +880,14 @@ class UserAction extends AbstractDatabaseObjectAction implements IClipboardActio
        public function validateResendActivationMail() {
                $this->readObjects();
                
+               if (!WCF::getSession()->getPermission('admin.user.canEnableUser')) {
+                       throw new PermissionDeniedException();
+               }
+               
+               if (REGISTER_ACTIVATION_METHOD != 1) {
+                       throw new IllegalLinkException();
+               }  
+               
                foreach ($this->objects as $object) {
                        if (!$object->activationCode) {
                                throw new UserInputException('objectIDs');
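Review bot: The new permission guard in validateResendActivationMail() runs only after `$this->readObjects()`, so a caller without `admin.user.canEnableUser` still triggers the object load before being rejected; placing both new guards above `readObjects()` makes the denial independent of the submitted object IDs. The check is also global: nothing visible in the hunk limits which target users the caller may act on, so if sibling actions in this class restrict admins to users in groups they are allowed to manage, the same restriction presumably belongs here (worth confirming against the rest of the class). The bare `1` in `REGISTER_ACTIVATION_METHOD != 1` deserves a short comment naming the activation mode it stands for, e.g. `// 1 = activation by e-mail (confirm against the option definition)`. The method body continues past the end of the hunk, so later checks in the loop are not visible here.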