From 67ca32615055a7d193f6d39aade6840ea051f868 Mon Sep 17 00:00:00 2001
From: Alexander Ebert
Date: Sun, 26 Feb 2012 17:56:34 +0100
Subject: [PATCH] Restricted updating own user to options

---
 .../files/lib/data/user/UserAction.class.php | 14 +++-----------
 1 file changed, 3 insertions(+), 11 deletions(-)

diff --git a/wcfsetup/install/files/lib/data/user/UserAction.class.php b/wcfsetup/install/files/lib/data/user/UserAction.class.php
index c0344f1181..5193278e13 100644
--- a/wcfsetup/install/files/lib/data/user/UserAction.class.php
+++ b/wcfsetup/install/files/lib/data/user/UserAction.class.php
@@ -39,12 +39,6 @@ class UserAction extends AbstractDatabaseObjectAction {
 */
 protected $permissionsUpdate = array('admin.user.canEditUser');
 
- /**
- * list of user actions allowed within update
- * @var array
- */
- public $allowOwnUserUpdate = array('data', 'options');
-
 /**
 * Validates permissions and parameters.
 */
@@ -103,11 +97,9 @@ class UserAction extends AbstractDatabaseObjectAction {
 catch (PermissionDeniedException $e) {
 // check if we're editing ourselves
 if (count($this->objects) == 1 && ($this->objects[0]->userID == WCF::getUser()->userID)) {
- foreach (array_keys($this->parameters) as $key) {
- // check if action is allowed (prevent the user from updating own groups etc)
- if (!in_array($key, $this->allowOwnUserUpdate)) {
- throw new ValidateActionException('Insufficient permissions');
- }
+ $count = count($this->parameters);
+ if ($count > 1 || ($count == 1 && !isset($this->parameters['options']))) {
+ throw new ValidateActionException('Insufficient permissions');
 }
 }
 
-- 
2.20.1
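Review bot: The new guard in the second hunk only restricts the top-level parameter key to `options`; it says nothing about which option names or values a self-editing user may submit, so a user without `admin.user.canEditUser` can still pass arbitrary option data through this path and the real restriction has to live wherever `$this->parameters['options']` is consumed, which is outside this hunk and should be confirmed. A short comment at the guard would make that division of responsibility explicit: `// self-edit: only 'options' may be supplied here; which options are writable must be enforced by the option handler, not by this check`. The comparison is loose (`$count == 1`); `$count === 1` reads as intended and avoids any coercion surprise, and note that `isset()` treats `'options' => null` as absent and therefore throws, which is the safe direction. The enclosing validation method starts before the hunk and its remainder after the closing braces is not shown.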