From ea23bb151ac944abb28440e3b09076ca14c790dc Mon Sep 17 00:00:00 2001
From: Ralf Becker
Date: Sun, 13 Jul 2014 10:28:06 +0000
Subject: [PATCH] * Preferences: non-admins were allowed to changed default, forced or group preferences
---
 preferences/inc/class.preferences_settings.inc.php | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/preferences/inc/class.preferences_settings.inc.php b/preferences/inc/class.preferences_settings.inc.php
index c62452b1c0..8bd2544066 100644
--- a/preferences/inc/class.preferences_settings.inc.php
+++ b/preferences/inc/class.preferences_settings.inc.php
@@ -68,7 +68,11 @@ class preferences_settings
 {
 case 'save':
 case 'apply':
- // ToDo: save preferences
+ // check if user has rights to store preferences for $type and $account_id
+ if ($content['old_type'] !== 'user' && !$GLOBALS['egw_info']['user']['apps']['admin'])
+ {
+ throw new egw_exception_no_permission_admin;
+ }
 list($type,$account_id) = explode(':', $content['old_type']);
 // merge prefs of all tabs together again
 $prefs = array();
@@ -463,7 +467,7 @@ class preferences_settings
 'default' => 'Default preferences',
 'forced' => 'Forced preferences',
 );
- if ($GLOBALS['egw_info']['apps']['admin'])
+ if ($GLOBALS['egw_info']['user']['apps']['admin'])
 {
 $content['type'] = $type;
 if (($id = $GLOBALS['egw']->preferences->get_account_id()) != $GLOBALS['egw_info']['user']['account_id'])
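Review bot: The guard added to the `save`/`apply` case tests the raw `$content['old_type']` string, yet its comment talks about `$type` and `$account_id`, which are only assigned by the `list(...)` line after it. The strict `!== 'user'` appears to reject every other type and any `type:account_id` form for non-admins, which looks like the intent, so I would say that in the comment: `// non-admins may only store their own user preferences; every other type or account needs admin rights`. For non-admins the `['user']['apps']['admin']` key is presumably unset, so `empty($GLOBALS['egw_info']['user']['apps']['admin'])` would avoid an undefined-index notice on the very path that denies access. The switch continues outside the hunk, so it is not visible here whether other actions that write preferences carry the same guard.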
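Review bot: Nothing at the corrected `if` in the second hunk says why the `['user']` level matters, although going by the commit subject that one missing key is what exposed the non-user preference types to non-admins. A short comment such as `// admin rights of the current user; ['apps'] without ['user'] is presumably not per-user` would keep the two paths from being confused again. The same lookup is now written out inline here and in the new guard of the first hunk; a small private helper, e.g. `is_admin()` returning `!empty($GLOBALS['egw_info']['user']['apps']['admin'])`, would leave one place to get it right. This branch presumably only decides what the form offers, so the server-side guard in `save`/`apply` remains the actual enforcement; the enclosing method starts and ends outside the hunk.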