ENGO150/FabrikaHradekTour
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fixed api permission problems for non-admins

Browse Source
This commit is contained in:
Václav Šmejkal 2024-05-21 20:31:49 +02:00
parent 859b3d5f07
commit da7f8510bb
Signed by: ENGO150
GPG Key ID: 4A57E86482968843
1 changed files with 3 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
res/forum/api/user_info.php
View File

@ -7,7 +7,9 @@ if (!isset($_SESSION["username"])) goto fail;
$out = $database -> query("SELECT username, admin FROM user WHERE username=\"" . $_SESSION["username"] . "\" AND admin=\"1\"");
if ($out -> num_rows != 1)
if (!isset($_GET["username"])) return;
if ($out -> num_rows != 1 && $_GET["username"] != $_SESSION["username"])
{
fail:
echo "nope";
@ -15,8 +17,6 @@ if ($out -> num_rows != 1)
return;
}
if (!isset($_GET["username"])) return;
$out = $database -> query("SELECT user.username, user.admin, user_info.bio, user_info.nickname, user_info.sex FROM user INNER JOIN user_info ON user.user_info=user_info.id AND username=\"" . $_GET["username"] . "\"");
$output = array();