flashii/misuzu
flashii/misuzu
1
1
Fork 0
Code Issues Pull requests Releases 142 Activity

Prevent access to private messages when impersonating a user.

Browse source
This commit is contained in:
flash 2024-06-02 19:57:58 +00:00
parent ec00cfa176
commit 44a4bb6e6f
1 changed files with 4 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
src/Messages/MessagesRoutes.php
View file

@ -39,6 +39,10 @@ class MessagesRoutes extends RouteHandler {
if(!$this->authInfo->isLoggedIn())
return 401;
// do not allow access to PMs when impersonating in production mode
if(!MSZ_DEBUG && $this->authInfo->isImpersonating())
return 403;
$globalPerms = $this->authInfo->getPerms('global');
if(!$globalPerms->check(Perm::G_MESSAGES_VIEW))
return 403;