authorSteve Clay <steve@mrclay.org>2012-06-24 00:09:17 -0400
committerSteve Clay <steve@mrclay.org>2012-06-24 00:09:17 -0400
commit4a3c49240140449ef4c91c4b999a91b11380db3c (patch)
tree3d1e92342473e2fd90059d9abcfe88e79def9a25 /mod/notifications/actions/save.php
parentd71309056037adc869319566f9ec53313eb192d8 (diff)
Fixes #4138: Admin can edit any users' notifications
Diffstat (limited to 'mod/notifications/actions/save.php')
-rw-r--r--mod/notifications/actions/save.php11
1 files changed, 10 insertions, 1 deletions
diff --git a/mod/notifications/actions/save.php b/mod/notifications/actions/save.php
index 163b656aa..3fe0001a3 100644
--- a/mod/notifications/actions/save.php
+++ b/mod/notifications/actions/save.php
@@ -6,9 +6,18 @@
* @package ElggNotifications
*/
-$user = elgg_get_logged_in_user_entity();
+$current_user = elgg_get_logged_in_user_entity();
+
+$guid = (int) get_input('guid', 0);
+if (!$guid || !($user = get_entity($guid))) {
+ forward();
+}
+if (($user->guid != $current_user->guid) && !$current_user->isAdmin()) {
+ forward();
+}
global $NOTIFICATION_HANDLERS;
+$subscriptions = array();
foreach($NOTIFICATION_HANDLERS as $method => $foo) {
$subscriptions[$method] = get_input($method.'subscriptions');
$personal[$method] = get_input($method.'personal');
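Review bot: The lookup on the `get_entity($guid)` line accepts any entity type, so an admin request carrying the guid of a group or object passes both guards, and the rest of the action (which lies outside this hunk) would run with a non-user in `$user`. Non-admins are still stopped by the guid comparison, so this is a robustness gap rather than a bypass of the new check, and it closes with a one-line change: `if (!$guid || !($user = get_user($guid))) {`. Both `forward()` calls also leave without a message; a `register_error()` before each would tell the requester why nothing was saved. `$personal` is filled in the loop exactly like `$subscriptions` but is not initialised, so `$personal = array();` next to the added line would keep the two consistent. The foreach body continues past the end of the hunk.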