Merge pull request #280 from mrclay/4138-notifications

Fixes #4138: Admin can edit any users' notifications
author: Cash Costello <cash.costello@gmail.com> 2012-06-26 17:01:23 -0700
committer: Cash Costello <cash.costello@gmail.com> 2012-06-26 17:01:23 -0700
commit: 264d3643f2c76bedf875e3c586055d9f5ee14132 (patch)
tree: ee3f3c09cad0e22ff54db8dbc62026d1c6d2d800 /mod/notifications/actions/save.php
parent: 91d3da6284490c32c595bb94f112fe30982bdb6c (diff)
parent: 4d8c3b75e36c45d5dd8b9d56338f7b303ea0a4fa (diff)
download: elgg-264d3643f2c76bedf875e3c586055d9f5ee14132.tar.gz
elgg-264d3643f2c76bedf875e3c586055d9f5ee14132.tar.bz2
1 files changed, 10 insertions, 1 deletions
diff --git a/mod/notifications/actions/save.php b/mod/notifications/actions/save.php
index 163b656aa..3fe0001a3 100644
--- a/mod/notifications/actions/save.php
+++ b/mod/notifications/actions/save.php
@@ -6,9 +6,18 @@
  * @package ElggNotifications
  */
 
-$user = elgg_get_logged_in_user_entity();
+$current_user = elgg_get_logged_in_user_entity();
+
+$guid = (int) get_input('guid', 0);
+if (!$guid || !($user = get_entity($guid))) {
+	forward();
+}
+if (($user->guid != $current_user->guid) && !$current_user->isAdmin()) {
+	forward();
+}
 
 global $NOTIFICATION_HANDLERS;
+$subscriptions = array();
 foreach($NOTIFICATION_HANDLERS as $method => $foo) {
 	$subscriptions[$method] = get_input($method.'subscriptions');
 	$personal[$method] = get_input($method.'personal');
author	Cash Costello <cash.costello@gmail.com>	2012-06-26 17:01:23 -0700
committer	Cash Costello <cash.costello@gmail.com>	2012-06-26 17:01:23 -0700
commit	264d3643f2c76bedf875e3c586055d9f5ee14132 (patch)
tree	ee3f3c09cad0e22ff54db8dbc62026d1c6d2d800 /mod/notifications/actions/save.php
parent	91d3da6284490c32c595bb94f112fe30982bdb6c (diff)
parent	4d8c3b75e36c45d5dd8b9d56338f7b303ea0a4fa (diff)
download	elgg-264d3643f2c76bedf875e3c586055d9f5ee14132.tar.gz elgg-264d3643f2c76bedf875e3c586055d9f5ee14132.tar.bz2