From 74471df7770784887bd44cfbe02f48ec12bf8532 Mon Sep 17 00:00:00 2001
From: Andy Staudacher
Date: Sun, 14 Feb 2010 16:12:18 -0800
Subject: Minor security tightening of IdentityProvider::change_provider().
---
 modules/gallery/libraries/IdentityProvider.php | 5 +++++
 modules/gallery/libraries/drivers/IdentityProvider.php | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)
 (limited to 'modules')
diff --git a/modules/gallery/libraries/IdentityProvider.php b/modules/gallery/libraries/IdentityProvider.php
index 3f1666eb..9fbc5e21 100644
--- a/modules/gallery/libraries/IdentityProvider.php
+++ b/modules/gallery/libraries/IdentityProvider.php
@@ -66,6 +66,11 @@ class IdentityProvider_Core {
 }
 static function change_provider($new_provider) {
+ if (!identity::active_user()->admin) {
+ // Below, the active user is set to the primary admin.
+ access::forbidden();
+ }
+
 $current_provider = module::get_var("gallery", "identity_provider");
 if (!empty($current_provider)) {
 module::uninstall($current_provider);
diff --git a/modules/gallery/libraries/drivers/IdentityProvider.php b/modules/gallery/libraries/drivers/IdentityProvider.php
index b7b1fbe8..09cdd093 100644
--- a/modules/gallery/libraries/drivers/IdentityProvider.php
+++ b/modules/gallery/libraries/drivers/IdentityProvider.php
@@ -26,7 +26,7 @@ interface IdentityProvider_Driver {
 public function guest();
 /**
- * Return the admins user.
+ * Return the primary admin user.
 *
 * @return User_Definition the user object
 */
-- cgit v1.2.3
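Review bot: The new guard at the top of change_provider() stops a non-admin caller only if `access::forbidden()` never returns, and the hunk does not show that; if it can return, execution falls through to `module::uninstall($current_provider)` and the rest of the provider switch. Adding `return;` after `access::forbidden();`, or a docblock line stating that the method aborts for non-admin callers, would make the check hold even if that helper changes. The inline comment is also too terse to convey the risk and could read `// This method ends by making the primary admin the active user, so reject non-admin callers before any state changes.` The body of change_provider() continues past the hunk, so the later switch of the active user is taken from the comment rather than from visible code.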