From: Alexander Ebert
Date: Sun, 26 Feb 2012 16:56:34 +0000 (+0100)
Subject: Restricted updating own user to options
X-Git-Tag: 2.0.0_Beta_1~1305
X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=67ca32615055a7d193f6d39aade6840ea051f868;p=GitHub%2FWoltLab%2FWCF.git

Restricted updating own user to options
---

diff --git a/wcfsetup/install/files/lib/data/user/UserAction.class.php b/wcfsetup/install/files/lib/data/user/UserAction.class.php
index c0344f1181..5193278e13 100644
--- a/wcfsetup/install/files/lib/data/user/UserAction.class.php
+++ b/wcfsetup/install/files/lib/data/user/UserAction.class.php
@@ -39,12 +39,6 @@ class UserAction extends AbstractDatabaseObjectAction {
 	 */
 	protected $permissionsUpdate = array('admin.user.canEditUser');
 	
-	/**
-	 * list of user actions allowed within update
-	 * @var array
-	 */
-	public $allowOwnUserUpdate = array('data', 'options');
-	
 	/**
 	 * Validates permissions and parameters.
 	 */
@@ -103,11 +97,9 @@ class UserAction extends AbstractDatabaseObjectAction {
 			catch (PermissionDeniedException $e) {
 				// check if we're editing ourselves
 				if (count($this->objects) == 1 && ($this->objects[0]->userID == WCF::getUser()->userID)) {
-					foreach (array_keys($this->parameters) as $key) {
-						// check if action is allowed (prevent the user from updating own groups etc)
-						if (!in_array($key, $this->allowOwnUserUpdate)) {
-							throw new ValidateActionException('Insufficient permissions');
-						}
+					$count = count($this->parameters);
+					if ($count > 1 || ($count == 1 && !isset($this->parameters['options']))) {
+						throw new ValidateActionException('Insufficient permissions');
 					}
 				}
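Review bot: The new guard in the self-edit branch only restricts the top-level parameter key to `options`; nothing in this hunk checks which option ids the user may write inside `options`, so unless the code that applies them enforces per-option editability, a self-edit can still set options the user is not meant to change — a comment stating where that is enforced would help, e.g. `// self-edit: only 'options' may be passed; per-option permissions must be enforced where the options are applied`. The condition also lets an empty parameter set through (count 0); if the intent is exactly one `options` key, `if (count($this->parameters) != 1 || !isset($this->parameters['options'])) {` states that directly and avoids the `$count` temporary. The catch block continues past the end of the hunk; whatever follows must still throw for the non-self case, otherwise the parent's PermissionDeniedException is swallowed for updates of other users' records — this cannot be verified from the visible lines.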