Commit 6e554667 authored by Robert Lyon's avatar Robert Lyon

Security Bug 1817221: Stop admin from being able to suspend the 'root' user

behatnotneeded

Change-Id: I1e4b44f7fa39779eaf91c992e47d8e075b6cbe33
Signed-off-by: Robert Lyon's avatarRobert Lyon <robertl@catalyst.net.nz>
parent 6dbc374d
......@@ -21,6 +21,11 @@ require_once('activity.php');
require_once(get_config('docroot') . 'lib/antispam.php');
$id = param_integer('id');
if ($id == 0) {
// We shouldn't be editing / masquerading as 'root' user
throw new UserException(get_string('invaliduser', 'error'));
}
$user = new User;
$user->find_by_id($id);
$authobj = AuthFactory::create($user->authinstance);
......
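Review bot: The root-user guard `if ($id == 0)` is repeated as the same literal in three places in this commit (here, in auth_check_required_fields, and in suspend_user), so any later change to how the root account is identified has to be made in each; a small shared helper such as `is_root_user_id($id)` or a named constant would keep them in step. Since param_integer() presumably returns an int here the loose `==` is harmless, but `=== 0` would make the intent explicit and match the strict comparison already used for `$suspendinguserid === null` in suspend_user. The enclosing script starts before this hunk.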
......@@ -890,6 +890,11 @@ function privacy_form($ignoreagreevalue = false, $ignoreformswitch = false) {
function auth_check_required_fields() {
global $USER, $SESSION;
if ($USER->get('id') == 0) {
// We shouldn't be checking either logged out user or User = 0
throw new ConfigSanityException(get_string('invaliduser', 'error'));
}
// for the case we are mascarading as the user and we want to return to be admin user
$restoreadmin = param_integer('restore', 0);
$loginanyway = false;
......
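Review bot: auth_check_required_fields throws ConfigSanityException for id 0, while the other guards added in this commit throw UserException with the same 'invaliduser' string; if a logged-out session can reach this function, as the comment suggests, the caller would see a configuration-sanity error for what is a session/user condition, so consider `throw new UserException(get_string('invaliduser', 'error'));` here too, or a comment stating why a different exception class is intended. `$USER->get('id') == 0` also matches null and '' under loose comparison, which appears to be intended for the logged-out case — stating that in the comment would help, e.g. `// id is 0 (or unset) for root and for a logged-out session; neither should be checked here`. The function body continues outside the hunk.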
......@@ -119,6 +119,7 @@ $string['blockinstancenotfound'] = 'Block instance with id %s not found.';
$string['interactioninstancenotfound'] = 'Activity instance with id %s not found.';
$string['invalidviewaction'] = 'Invalid page control action: %s';
$string['invaliduser'] = 'Invalid user selected';
$string['missingparamblocktype'] = 'Try selecting a block type to add first.';
$string['missingparamcolumn'] = 'Missing column specification';
......
......@@ -1422,6 +1422,11 @@ function get_user($userid) {
* @param int $suspendinguserid The ID of the user who is performing the suspension
*/
function suspend_user($suspendeduserid, $reason, $suspendinguserid=null) {
if ($suspendeduserid == 0) {
// We shouldn't be suspending 'root' user
throw new UserException(get_string('invaliduser', 'error'));
}
if ($suspendinguserid === null) {
global $USER;
$suspendinguserid = $USER->get('id');
......
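Review bot: The docblock above suspend_user (ending at the `*/` in this hunk) does not mention the new failure mode; add `@throws UserException if $suspendeduserid is the 'root' user (id 0)` alongside the existing @param tags. `$suspendeduserid` is untyped, so `== 0` also matches null, false and '' — if callers can pass an unvalidated value, `(int) $suspendeduserid === 0` (or an int type declaration on the parameter) pins the check to the intended id. The function body continues outside the hunk.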