From da7f8510bbf37abc7e1ba44f5bb68809c511591b Mon Sep 17 00:00:00 2001
From: ENGO150
Date: Tue, 21 May 2024 20:31:49 +0200
Subject: [PATCH] fixed api permission problems for non-admins

---
 res/forum/api/user_info.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/res/forum/api/user_info.php b/res/forum/api/user_info.php
index 1ccfdd2..651ec2d 100644
--- a/res/forum/api/user_info.php
+++ b/res/forum/api/user_info.php
@@ -7,7 +7,9 @@ if (!isset($_SESSION["username"])) goto fail;
 $out = $database -> query("SELECT username, admin FROM user WHERE username=\"" . $_SESSION["username"] . "\" AND admin=\"1\"");
-if ($out -> num_rows != 1)
+if (!isset($_GET["username"])) return;
+
+if ($out -> num_rows != 1 && $_GET["username"] != $_SESSION["username"])
 {
 fail:
 echo "nope";
@@ -15,8 +17,6 @@ if ($out -> num_rows != 1)
 return;
 }
-if (!isset($_GET["username"])) return;
-
 $out = $database -> query("SELECT user.username, user.admin, user_info.bio, user_info.nickname, user_info.sex FROM user INNER JOIN user_info ON user.user_info=user_info.id AND username=\"" . $_GET["username"] . "\"");
 $output = array();
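Review bot: The new authorization condition in the first hunk compares the requested and session usernames with loose `!=`, so two numeric-looking strings that are not byte-identical (e.g. `"1e3"` and `"1000"`) are treated as the same user and the non-admin branch is granted access to the other account's record; use strict comparison, `if ($out -> num_rows != 1 && $_GET["username"] !== $_SESSION["username"])`. The check also only guards the application-level comparison: the query on the line after the second hunk still concatenates `$_GET["username"]` straight into SQL, and the admin lookup at the top of the first hunk does the same with `$_SESSION["username"]`, so the decision and the data fetch are made from differently-interpreted values and remain injectable if either string contains a quote. Both queries should be rewritten as prepared statements with the username bound as a parameter (`$database->prepare("... WHERE username=? AND admin=\"1\"")` plus `bind_param("s", ...)`) rather than string-built. The surrounding script (the `goto fail` target and the `$output` assembly) begins before and ends after these hunks, so the control flow around the early `return;` could not be fully checked here.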