author | Arthur Schiwon <blizzz@arthur-schiwon.de> | 2020-05-21 02:24:22 +0300 |
committer | Arthur Schiwon <blizzz@arthur-schiwon.de> | 2020-05-21 02:24:22 +0300 |
commit | c9461bc2f00bb0942f2060f0b6884fc996294677 (patch) | |
tree | 8c44bda0aba907048a4c9e948dc21da2e7de493a /lib | |
parent | 79251b92e4fee64876662d7d34889d459022992b (diff) |
avoid impersonating yourself; set session var after successful checks
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
Diffstat (limited to 'lib')
-rw-r--r-- | lib/Controller/SettingsController.php | 15 |
1 files changed, 12 insertions, 3 deletions
diff --git a/lib/Controller/SettingsController.php b/lib/Controller/SettingsController.php
index bb8c0da..15acdfc 100644
--- a/lib/Controller/SettingsController.php
+++ b/lib/Controller/SettingsController.php
@@ -82,9 +82,6 @@ class SettingsController extends Controller {
 /** @var IUser $currentUser */
 $currentUser = $this->userSession->getUser();
- if($this->session->get('oldUserId') === null) {
- $this->session->set('oldUserId', $currentUser->getUID());
- }
 $this->logger->warning(
 sprintf(
 'User %s trying to impersonate user %s',
@@ -139,6 +136,15 @@ class SettingsController extends Controller {
 );
 }
+ if ($user->getUID() === $currentUser->getUID()) {
+ return new JSONResponse(
+ [
+ 'message' => $this->l->t('Can not impersonate yourself.'),
+ ],
+ Http::STATUS_FORBIDDEN
+ );
+ }
+
 $this->logger->warning(
 sprintf(
 'Changing to user %s',
@@ -148,6 +154,9 @@ class SettingsController extends Controller {
 'app' => 'impersonate',
 ]
 );
+ if($this->session->get('oldUserId') === null) {
+ $this->session->set('oldUserId', $currentUser->getUID());
+ }
 $this->userSession->setUser($user);
 return new JSONResponse();
 } |
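Review bot: The new self-impersonation guard in the second hunk compares the target against `$currentUser`, which the first hunk takes from `$this->userSession->getUser()`; once a session is already impersonating (the third hunk writes `oldUserId` and then calls `setUser($user)`), that is presumably the impersonated account rather than the original one, so a request targeting the `oldUserId` account is not caught by this check. Worth confirming whether switching to the remembered original account through this endpoint is acceptable, and if not, extend the guard to `if ($user->getUID() === $currentUser->getUID() || $user->getUID() === $this->session->get('oldUserId')) {`. The user-facing string would read better as `Cannot impersonate yourself.`, though changing it touches translations. The enclosing method starts and ends outside this hunk, and `$user` is resolved outside it.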
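Review bot: The moved `if($this->session->get('oldUserId') === null) {` in the third hunk keeps the old spacing while the guard added by the same commit uses `if (`; since the line is being rewritten anyway, normalise it to `if ($this->session->get('oldUserId') === null) {`. The reason the session variable is written only when it is still unset is not stated anywhere in the hunk; a short comment such as `// Remember the original account only once, so a later switch-back returns to it even after nested impersonations` (hedged, since the switch-back logic is outside this diff) would make the ordering intent — write the session state only after every check has passed — clear to the next reader. The enclosing method starts outside this hunk.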