Prevent access to private messages when impersonating a user.
This commit is contained in:
parent
ec00cfa176
commit
44a4bb6e6f
1 changed files with 4 additions and 0 deletions
|
@ -39,6 +39,10 @@ class MessagesRoutes extends RouteHandler {
|
|||
if(!$this->authInfo->isLoggedIn())
|
||||
return 401;
|
||||
|
||||
// do not allow access to PMs when impersonating in production mode
|
||||
if(!MSZ_DEBUG && $this->authInfo->isImpersonating())
|
||||
return 403;
|
||||
|
||||
$globalPerms = $this->authInfo->getPerms('global');
|
||||
if(!$globalPerms->check(Perm::G_MESSAGES_VIEW))
|
||||
return 403;
|
||||
|
|
Loading…
Reference in a new issue