Missing check for accessible user groups
authorAlexander Ebert <ebert@woltlab.com>
Mon, 1 Feb 2021 11:47:09 +0000 (12:47 +0100)
committerAlexander Ebert <ebert@woltlab.com>
Mon, 1 Feb 2021 11:47:09 +0000 (12:47 +0100)
wcfsetup/install/files/lib/acp/form/UserMergeForm.class.php

index 3d7e84f437a97e3f1da9a164fce025cc9d8d2a80..162f6f82eeb1e598721ed3bb6eb5a0233fe97244 100644 (file)
@@ -7,6 +7,7 @@ use wcf\form\AbstractForm;
 use wcf\system\clipboard\ClipboardHandler;
 use wcf\system\database\util\PreparedStatementConditionBuilder;
 use wcf\system\exception\IllegalLinkException;
+use wcf\system\exception\PermissionDeniedException;
 use wcf\system\exception\UserInputException;
 use wcf\system\session\SessionHandler;
 use wcf\system\WCF;
@@ -73,6 +74,11 @@ class UserMergeForm extends AbstractForm {
                if (empty($this->users) || count($this->users) < 2) {
                        throw new IllegalLinkException();
                }
+               foreach ($this->users as $user) {
+                       if (!$user->canEdit()) {
+                               throw new PermissionDeniedException();
+                       }
+               }
                $this->userIDs = array_keys($this->users);
        }
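Review bot: The added `foreach` in the second hunk carries no comment saying why each marked user must pass `canEdit()`, so a later refactor could drop or reorder it without realising it is an authorization gate. I would put a line above the loop such as `// all marked users must be editable by the acting admin (accessible user groups); reject the whole merge otherwise`. That `canEdit()` is what enforces accessible groups is inferred from the commit title, as its body is not visible here. The enclosing method starts and ends outside the hunk, so it is worth confirming that the merge target chosen later is restricted to `$this->userIDs` and cannot name a user that skipped this check. A regression test with one marked user outside the admin's accessible groups, expecting `PermissionDeniedException`, would pin the behaviour.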