From 4a46719b46cbde231b3f6dbeba25519419de2a2b Mon Sep 17 00:00:00 2001
From: ENGO150 <v.smejkal06@gmail.com>
Date: Wed, 22 May 2024 21:01:02 +0200
Subject: [PATCH] preventing user from setting admin to himself lol

---
 res/forum/api/update_user.php | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/res/forum/api/update_user.php b/res/forum/api/update_user.php
index a6f3d7f..750fd2c 100644
--- a/res/forum/api/update_user.php
+++ b/res/forum/api/update_user.php
@@ -9,15 +9,20 @@ $out = $database -> query("SELECT username, admin, user_info FROM user WHERE BIN
 
 if (!isset($_GET["old_username"])) return;
 
+$user = false;
+
 if ($out -> num_rows != 1 && $_GET["old_username"] != $_SESSION["username"])
 {
     fail:
     echo "nope";
     header("Location: ../../../index.php");
     return;
+} else if ($out -> num_rows != 1)
+{
+    $user = true;
 }
 
 $user_info_id = (($database -> query("SELECT user_info FROM user WHERE username=\"" . $_GET["old_username"] . "\"")) -> fetch_assoc())["user_info"];
 
-$database -> query("UPDATE user SET username=\"" . $_GET["username"] . "\", admin=" . $_GET["admin"] . " WHERE user_info=" . $user_info_id);
+if (!$user) $database -> query("UPDATE user SET username=\"" . $_GET["username"] . "\", admin=" . $_GET["admin"] . " WHERE user_info=" . $user_info_id);
 $database -> query("UPDATE user_info SET sex=" . $_GET["sex"] . ", bio=\"" . $_GET["bio"] . "\", nickname=\"" . $_GET["nickname"] . "\" WHERE id=" . $user_info_id);
\ No newline at end of file