authorArthur Schiwon <blizzz@arthur-schiwon.de>2020-05-21 02:24:22 +0300
committerArthur Schiwon <blizzz@arthur-schiwon.de>2020-05-21 02:24:22 +0300
commitc9461bc2f00bb0942f2060f0b6884fc996294677 (patch)
tree8c44bda0aba907048a4c9e948dc21da2e7de493a /lib
parent79251b92e4fee64876662d7d34889d459022992b (diff)
avoid impersonating yourself; set session var after successful checks
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
Diffstat (limited to 'lib')
-rw-r--r--lib/Controller/SettingsController.php15
1 files changed, 12 insertions, 3 deletions
diff --git a/lib/Controller/SettingsController.php b/lib/Controller/SettingsController.php
index bb8c0da..15acdfc 100644
--- a/lib/Controller/SettingsController.php
+++ b/lib/Controller/SettingsController.php
@@ -82,9 +82,6 @@ class SettingsController extends Controller {
/** @var IUser $currentUser */
$currentUser = $this->userSession->getUser();
- if($this->session->get('oldUserId') === null) {
- $this->session->set('oldUserId', $currentUser->getUID());
- }
$this->logger->warning(
sprintf(
'User %s trying to impersonate user %s',
@@ -139,6 +136,15 @@ class SettingsController extends Controller {
);
}
+ if ($user->getUID() === $currentUser->getUID()) {
+ return new JSONResponse(
+ [
+ 'message' => $this->l->t('Can not impersonate yourself.'),
+ ],
+ Http::STATUS_FORBIDDEN
+ );
+ }
+
$this->logger->warning(
sprintf(
'Changing to user %s',
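Review bot: The new self-impersonation guard compares the target only with the session's current user, so while an impersonation is already in progress (the `oldUserId !== null` case handled in the last hunk) the stored original user is not covered by this check; if the intent is to block any loop back to oneself, extend the condition to `if ($user->getUID() === $currentUser->getUID() || $user->getUID() === $this->session->get('oldUserId')) {`. Whether nested impersonation is meant to be permitted at all is not visible from this diff, so this may be deliberate. The denial path returns 403 without a log entry of its own, relying on the "trying to impersonate" warning emitted earlier in the method; a short `// rejected: self-impersonation` comment above the `return` would make that reliance explicit. The enclosing method starts outside the hunk.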
@@ -148,6 +154,9 @@ class SettingsController extends Controller {
'app' => 'impersonate',
]
);
+ if($this->session->get('oldUserId') === null) {
+ $this->session->set('oldUserId', $currentUser->getUID());
+ }
$this->userSession->setUser($user);
return new JSONResponse();
}
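Review bot: The moved block keeps `if(` while the guard added in the previous hunk uses `if (`; since this line is being rewritten anyway, make it `if ($this->session->get('oldUserId') === null) {` so the method uses one spacing style. Setting `oldUserId` immediately before `setUser()` matches the stated intent, as a request rejected by the earlier checks no longer leaves a stale `oldUserId` in the session; a one-line comment such as `// remember the original account only once, so nested impersonation still returns to it` would document why the null check is kept. The enclosing method starts outside the hunk.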