Diffstat (limited to 'modules/user/controllers')
-rw-r--r-- | modules/user/controllers/users.php | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/modules/user/controllers/users.php b/modules/user/controllers/users.php
index 3c93262f..a0f6a2ef 100644
--- a/modules/user/controllers/users.php
+++ b/modules/user/controllers/users.php
@@ -38,7 +38,7 @@ class Users_Controller extends REST_Controller {
 $form = user::get_add_form();
 if ($form->validate()) {
- $user = user::create($form->add_user->uname->value,
+ $user = user::create($form->add_user->uname->value,
 $form->add_user->full_name->value, $form->add_user->password->value);
 $user->email = $form->add_user->email->value;
 $user->save();
@@ -60,7 +60,7 @@ class Users_Controller extends REST_Controller {
 * @see REST_Controller::_update($resource)
 */
 public function _update($user) {
- if ($user->guest || (!user::active()->admin && $user->id != user::active()->id)) {
+ if (!user::active()->admin && ($user->guest || $user->id != user::active()->id)) {
 access::forbidden();
 }
@@ -82,7 +82,7 @@ class Users_Controller extends REST_Controller {
 * @see REST_Controller::_delete($resource)
 */
 public function _delete($user) {
- if (!(user::active()->admin) || $user->id == user::active()->id) {
+ if (!user::active()->admin && ($user->guest || $user->id != user::active()->id)) {
 access::forbidden();
 }
 // Prevent CSRF
@@ -101,7 +101,7 @@ class Users_Controller extends REST_Controller {
 * @see REST_Controller::form($resource)
 */
 public function _form_edit($user) {
- if ($user->guest || user::active()->id != $user->id) {
+ if (!user::active()->admin && ($user->guest || $user->id != user::active()->id)) {
 access::forbidden();
 } |
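Review bot: In `_update` the `$user->guest` test now sits inside the `!user::active()->admin &&` clause, so a request from an admin passes the check when the target is the guest account, which the previous condition refused for every caller; the identical condition added to `_form_edit` has the same effect. If the guest record is meant to stay non-editable, keep that test unconditional in both places: `if ($user->guest || (!user::active()->admin && $user->id != user::active()->id)) {`. If admin edits of the guest record are intended, a one-line comment above the check, `// Admins may edit any account, including guest; everyone else only their own`, would make that explicit. The body of `_update` continues past the end of the hunk, so what is written to the record after this check is not visible here.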
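Review bot: The condition pasted into `_delete` changes who may delete an account: the old check refused every non-admin and refused deleting one's own account, while the new one lets a signed-in non-admin delete their own record and lets an admin delete their own account or the guest account. Unless self-service deletion is intended, the check should stay admin-only and keep the self and guest guards: `if (!user::active()->admin || $user->guest || $user->id == user::active()->id) {`. Removing the only admin or the guest record may leave the site without an administrator or an anonymous identity, depending on code outside this diff. The rest of `_delete`, including the CSRF check named in the trailing comment, lies outside the hunk.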