From 6a30321c79cf1681e1349da80a0272b420b064ec Mon Sep 17 00:00:00 2001
From: Hamza HRAMCHI <hamza.hramchi@xelians.fr>
Date: Wed, 1 Mar 2023 14:46:13 +0100
Subject: [PATCH] FIX #23892 TIME 0:05 add if condition

---
 src/app/user/controllers/SignatureController.php | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/app/user/controllers/SignatureController.php b/src/app/user/controllers/SignatureController.php
index 3ab08f97c0..851b218e3b 100755
--- a/src/app/user/controllers/SignatureController.php
+++ b/src/app/user/controllers/SignatureController.php
@@ -219,6 +219,10 @@ class SignatureController
 
     public function updateSubstituted(Request $request, Response $response, array $args)
     {
+        if ($GLOBALS['id'] != $args['id'] && !PrivilegeController::hasPrivilege(['userId' => $GLOBALS['id'], 'privilege' => 'manage_users'])) {
+            return $response->withStatus(403)->withJson(['errors' => 'Privilege forbidden']);
+        }
+
         if (!UserController::hasRightByUserId(['activeUserId' => $GLOBALS['id'], 'targetUserId' => $args['id']]) && $GLOBALS['id'] !== $args['id']) {
             return $response->withStatus(403)->withJson(['errors' => 'Privilege forbidden']);
         }
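Review bot: The added guard decides an authorization outcome with a loose comparison, `$GLOBALS['id'] != $args['id']`, while the existing check just below it uses `!==` on the same pair, so the two conditions can disagree about whether the caller is the target user. `$args['id']` is a route argument and nothing in the visible lines validates it; if it arrives as a string, PHP's type-juggling rules (which differ between PHP 7 and PHP 8 for non-numeric strings) decide who gets to skip the `manage_users` privilege check. I would reject non-numeric ids up front with `if (!ctype_digit((string)$args['id'])) { return $response->withStatus(400)->withJson(['errors' => 'Route id is not an integer']); }`, then compute `$isSelf = (int)$GLOBALS['id'] === (int)$args['id'];` once and use it in both conditions. The rest of `updateSubstituted` lies outside the hunk, so any validation further down is not visible here.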
-- 
GitLab