Closed hole when using userid information from form data (merged from STABLE)
authormoodler <moodler>
Mon, 27 Sep 2004 13:26:06 +0000 (13:26 +0000)
committermoodler <moodler>
Mon, 27 Sep 2004 13:26:06 +0000 (13:26 +0000)
user/edit.php

index 32c26f6..640aa6d 100644 (file)
@@ -39,7 +39,7 @@
         require_login($course->id);
     }
 
-    if ($USER->id <> $user->id and !isadmin()) {
+    if (($USER->id <> $user->id) && !isadmin()) {
         error("You can only edit your own information");
     }
 
 
     if ($usernew = data_submitted()) {
 
+        if (($USER->id <> $usernew->id) && !isadmin()) {
+            error("You can only edit your own information");
+        }
+
         if (isset($USER->username)) {
             check_for_restricted_user($USER->username, "$CFG->wwwroot/course/view.php?id=$course->id");
         }