FIX #11644 TIME 0:10 prevent password reset if user does not have privilege

3689a78c · Guillaume Heurtier · 2d6c4968 · 3689a78c
Commit 3689a78c authored 5 years ago by Guillaume Heurtier
--- a/src/app/user/controllers/UserController.php
+++ b/src/app/user/controllers/UserController.php
@@ -532,6 +532,10 @@ class UserController

    public function resetPassword(Request $request, Response $response, array $aArgs)
    {
+        if (!PrivilegeController::hasPrivilege(['privilegeId' => 'manage_personal_data', 'userId' => $GLOBALS['id']])) {
+            return $response->withStatus(403)->withJson(['errors' => 'Service forbidden']);
+        }
+
        $error = $this->hasUsersRights(['id' => $aArgs['id']]);
        if (!empty($error['error'])) {
            return $response->withStatus($error['status'])->withJson(['errors' => $error['error']]);