FIX #16832 TIME 0:20 can change ws user password if no default connection enabled

244a2f2b · Florian Azizian · 0974d0dd · 244a2f2b
Verified Commit 244a2f2b authored 3 years ago by Florian Azizian
--- a/src/app/user/controllers/UserController.php
+++ b/src/app/user/controllers/UserController.php
@@ -563,15 +563,16 @@ class UserController
    public function updatePassword(Request $request, Response $response, array $args)
    {
-        $connection = ConfigurationModel::getConnection();
-        if ($connection != 'default') {
-            return $response->withStatus(403)->withJson(['errors' => 'Privilege forbidden']);
-        }
        if (!Validator::intVal()->notEmpty()->validate($args['id'])) {
            return $response->withStatus(400)->withJson(['errors' => 'Route id is not an integer']);
        }
+        $user = UserModel::getById(['select' => ['login', '"isRest"'], 'id' => $args['id']]);
+        $connection = ConfigurationModel::getConnection();
+        if ($connection != 'default' && $user['isRest'] == false) {
+            return $response->withStatus(403)->withJson(['errors' => 'Privilege forbidden']);
+        }
        if ($GLOBALS['id'] != $args['id']) {
            if (!PrivilegeController::hasPrivilege(['userId' => $GLOBALS['id'], 'privilege' => 'manage_users'])) {
                return $response->withStatus(403)->withJson(['errors' => 'Privilege forbidden']);
@@ -585,8 +586,6 @@ class UserController
            return $response->withStatus(400)->withJson(['errors' => 'Body newPassword and passwordConfirmation must be identical']);
        }
-        $user = UserModel::getById(['select' => ['login', '"isRest"'], 'id' => $args['id']]);
        if ($user['isRest'] == false) {
            if (empty($body['currentPassword']) || !AuthenticationModel::authentication(['login' => $user['login'], 'password' => $body['currentPassword']])) {
                return $response->withStatus(401)->withJson(['errors' => 'Wrong Password', 'lang' => 'wrongCurrentPassword']);