Fix avatar edit permissions (by Jerôme Bakker)

author: Steve Clay <steve@mrclay.org> 2013-05-29 13:13:16 -0400
committer: Steve Clay <steve@mrclay.org> 2013-05-29 13:13:16 -0400
commit: dd9df95001f5293e7a3a93a365c64842fe3650e4 (patch)
tree: 8f31359b90940a73349f668dd33efd9d5059f0fa /pages
parent: 28c43f6c615fba77d81f59e73ef29ba9d58049ea (diff)
download: elgg-dd9df95001f5293e7a3a93a365c64842fe3650e4.tar.gz
elgg-dd9df95001f5293e7a3a93a365c64842fe3650e4.tar.bz2
1 files changed, 5 insertions, 0 deletions
diff --git a/pages/avatar/edit.php b/pages/avatar/edit.php
index c71633b8b..56aede887 100644
--- a/pages/avatar/edit.php
+++ b/pages/avatar/edit.php
@@ -11,6 +11,11 @@ elgg_set_context('profile_edit');
 $title = elgg_echo('avatar:edit');
 
 $entity = elgg_get_page_owner_entity();
+if (!elgg_instanceof($entity, 'user') || !$entity->canEdit()) {
+	register_error(elgg_echo('avatar:noaccess'));
+	forward(REFERER);
+}
+
 $content = elgg_view('core/avatar/upload', array('entity' => $entity));
 
 // only offer the crop view if an avatar has been uploaded
author	Steve Clay <steve@mrclay.org>	2013-05-29 13:13:16 -0400
committer	Steve Clay <steve@mrclay.org>	2013-05-29 13:13:16 -0400
commit	dd9df95001f5293e7a3a93a365c64842fe3650e4 (patch)
tree	8f31359b90940a73349f668dd33efd9d5059f0fa /pages
parent	28c43f6c615fba77d81f59e73ef29ba9d58049ea (diff)
download	elgg-dd9df95001f5293e7a3a93a365c64842fe3650e4.tar.gz elgg-dd9df95001f5293e7a3a93a365c64842fe3650e4.tar.bz2