authorAndy Staudacher <andy.st@gmail.com>2010-02-14 16:12:18 -0800
committerAndy Staudacher <andy.st@gmail.com>2010-02-14 16:12:18 -0800
commit74471df7770784887bd44cfbe02f48ec12bf8532 (patch)
tree21850a53eead20b0c0e8ea611a20e2d56e365589 /modules
parented401fc8a682c49a9e740e41b4401165a28dfd96 (diff)
Minor security tightening of IdentityProvider::change_provider().
Diffstat (limited to 'modules')
-rw-r--r--modules/gallery/libraries/IdentityProvider.php5
-rw-r--r--modules/gallery/libraries/drivers/IdentityProvider.php2
2 files changed, 6 insertions, 1 deletions
diff --git a/modules/gallery/libraries/IdentityProvider.php b/modules/gallery/libraries/IdentityProvider.php
index 3f1666eb..9fbc5e21 100644
--- a/modules/gallery/libraries/IdentityProvider.php
+++ b/modules/gallery/libraries/IdentityProvider.php
@@ -66,6 +66,11 @@ class IdentityProvider_Core {
}
static function change_provider($new_provider) {
+ if (!identity::active_user()->admin) {
+ // Below, the active user is set to the primary admin.
+ access::forbidden();
+ }
+
$current_provider = module::get_var("gallery", "identity_provider");
if (!empty($current_provider)) {
module::uninstall($current_provider);
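Review bot: The new guard at the top of change_provider() only protects the uninstall below it, and the later switch to the primary admin that its comment mentions, if access::forbidden() never returns, which this hunk does not show; if it can return, add `return;` after the call. The inline comment is also easy to misread because it describes what happens later rather than what is being checked; something like `// Admins only: this uninstalls the current provider and later makes the primary admin the active user.` states why a non-admin caller has to be stopped here. Any caller that runs without an admin session (for example an installer or command-line path, if one exists) would now be rejected, so it is worth confirming that none depends on this function. The body of change_provider() continues past the end of the hunk.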
diff --git a/modules/gallery/libraries/drivers/IdentityProvider.php b/modules/gallery/libraries/drivers/IdentityProvider.php
index b7b1fbe8..09cdd093 100644
--- a/modules/gallery/libraries/drivers/IdentityProvider.php
+++ b/modules/gallery/libraries/drivers/IdentityProvider.php
@@ -26,7 +26,7 @@ interface IdentityProvider_Driver {
public function guest();
/**
- * Return the admins user.
+ * Return the primary admin user.
*
* @return User_Definition the user object
*/