add: prevent supporters from modifying their own accounts via support

[gigi.git] / src / org / cacert / gigi / pages / admin / support / SupportUserDetailsForm.java

diff --git a/src/org/cacert/gigi/pages/admin/support/SupportUserDetailsForm.java b/src/org/cacert/gigi/pages/admin/support/SupportUserDetailsForm.java
index ac7ffd00bb68e69b22478c7fc378ed9215d5d482..d3589c8e4ad6b9a187b681400f7251a6399c7634 100644 (file)
--- a/src/org/cacert/gigi/pages/admin/support/SupportUserDetailsForm.java
+++ b/src/org/cacert/gigi/pages/admin/support/SupportUserDetailsForm.java
@@ -18,6 +18,7 @@ import org.cacert.gigi.output.GroupIterator;
 import org.cacert.gigi.output.GroupSelector;
 import org.cacert.gigi.output.template.Form;
 import org.cacert.gigi.output.template.Template;
+import org.cacert.gigi.pages.LoginPage;
 
 public class SupportUserDetailsForm extends Form {
 
@@ -40,6 +41,9 @@ public class SupportUserDetailsForm extends Form {
         if (user.getTicket() == null) {
             return false;
         }
+        if (user.getTargetUser() == LoginPage.getUser(req)) {
+            throw new GigiApiException("Supporter may not modify himself.");
+        }
         if ((req.getParameter("detailupdate") != null ? 1 : 0) + (req.getParameter("addGroup") != null ? 1 : 0) + (req.getParameter("removeGroup") != null ? 1 : 0) + (req.getParameter("resetPass") != null ? 1 : 0) != 1) {
             throw new GigiApiException("More than one action requested!");
         }