fix removeuser.php for subadmins

2026-04-23 07:08:34 -04:00 · 2012-07-18 17:23:40 +02:00 · 2012-07-18 17:23:40 +02:00 · fb6468936e
commit fb6468936e
parent a5bebb86a5
1 changed files with 17 additions and 1 deletions
--- a/settings/ajax/removeuser.php
+++ b/settings/ajax/removeuser.php
@ -3,11 +3,27 @@
 // Init owncloud
 require_once('../../lib/base.php');

-OC_JSON::checkAdminUser();
+OC_JSON::checkSubAdminUser();
 OCP\JSON::callCheck();

 $username = $_POST["username"];

+if(!OC_Group::inGroup(OC_User::getUser(), 'admin') && OC_SubAdmin::isSubAdmin(OC_User::getUser())){
+	$accessiblegroups = OC_SubAdmin::getSubAdminsGroups(OC_User::getUser());
+	$isuseraccessible = false;
+	foreach($accessiblegroups as $accessiblegroup){
+		if(OC_Group::inGroup($username, $accessiblegroup)){
+			$isuseraccessible = true;
+			break;
+		}
+	}
+	if(!$isuseraccessible){
+		$l = OC_L10N::get('core');
+		self::error(array( 'data' => array( 'message' => $l->t('Authentication error') )));
+		exit();
+	}
+}
+
 // Return Success story
 if( OC_User::deleteUser( $username )){
 	OC_JSON::success(array("data" => array( "username" => $username )));