Prevent access to private messages when impersonating a user.

This commit is contained in:
flash 2024-06-02 19:57:58 +00:00
parent ec00cfa176
commit 44a4bb6e6f


@ -39,6 +39,10 @@ class MessagesRoutes extends RouteHandler {
if(!$this->authInfo->isLoggedIn())
return 401;
// do not allow access to PMs when impersonating in production mode
if(!MSZ_DEBUG && $this->authInfo->isImpersonating())
return 403;
$globalPerms = $this->authInfo->getPerms('global');
if(!$globalPerms->check(Perm::G_MESSAGES_VIEW))
return 403;
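Review bot: The added guard `if(!MSZ_DEBUG && $this->authInfo->isImpersonating())` is skipped whenever `MSZ_DEBUG` is truthy, so a host left in debug mode still lets an impersonating session reach private messages. If the exception is only meant for local testing, the comment should say so, e.g. `// MSZ_DEBUG deliberately bypasses this for local testing; never enable it on a host holding real user messages`. Otherwise drop the debug condition and use `if($this->authInfo->isImpersonating()) return 403;`. The bare 403 also leaves no trace that an impersonated session tried to open messages, so an audit log entry at this point would help later review, if the project has such a facility. The enclosing method starts and ends outside the hunk, so it is not visible here whether every messages route passes through this check.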