Prevent access to private messages when impersonating a user.
parent
ec00cfa176
commit
44a4bb6e6f
1 changed files with 4 additions and 0 deletions
|
@ -39,6 +39,10 @@ class MessagesRoutes extends RouteHandler {
|
||||||
if(!$this->authInfo->isLoggedIn())
|
if(!$this->authInfo->isLoggedIn())
|
||||||
return 401;
|
return 401;
|
||||||
|
|
||||||
|
// do not allow access to PMs when impersonating in production mode
|
||||||
|
if(!MSZ_DEBUG && $this->authInfo->isImpersonating())
|
||||||
|
return 403;
|
||||||
|
|
||||||
$globalPerms = $this->authInfo->getPerms('global');
|
$globalPerms = $this->authInfo->getPerms('global');
|
||||||
if(!$globalPerms->check(Perm::G_MESSAGES_VIEW))
|
if(!$globalPerms->check(Perm::G_MESSAGES_VIEW))
|
||||||
return 403;
|
return 403;
|
||||||
|
|
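Review bot: The new guard `if(!MSZ_DEBUG && $this->authInfo->isImpersonating())` is switched off whenever `MSZ_DEBUG` is truthy, so the privacy boundary for private messages depends on a debug constant rather than on a setting of its own. If a deployment holding real user data ever runs with debug enabled, an impersonating session falls through to the `G_MESSAGES_VIEW` check, and nothing visible in the hunk records that access. Consider dropping the exemption, `if($this->authInfo->isImpersonating()) return 403;`, or at least stating the constraint in the comment: `// privacy boundary: MSZ_DEBUG disables this check; never enable it where real user messages exist`. The enclosing method starts and ends outside the hunk, so it is worth confirming that this check runs for every route registered by MessagesRoutes and not only the path shown here.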