From 4a3c49240140449ef4c91c4b999a91b11380db3c Mon Sep 17 00:00:00 2001
From: Steve Clay
Date: Sun, 24 Jun 2012 00:09:17 -0400
Subject: Fixes #4138: Admin can edit any users' notifications
---
 mod/notifications/actions/save.php | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
(limited to 'mod/notifications/actions/save.php')
diff --git a/mod/notifications/actions/save.php b/mod/notifications/actions/save.php
index 163b656aa..3fe0001a3 100644
--- a/mod/notifications/actions/save.php
+++ b/mod/notifications/actions/save.php
@@ -6,9 +6,18 @@
  * @package ElggNotifications
  */
-$user = elgg_get_logged_in_user_entity();
+$current_user = elgg_get_logged_in_user_entity();
+
+$guid = (int) get_input('guid', 0);
+if (!$guid || !($user = get_entity($guid))) {
+	forward();
+}
+if (($user->guid != $current_user->guid) && !$current_user->isAdmin()) {
+	forward();
+}
 global $NOTIFICATION_HANDLERS;
+$subscriptions = array();
 foreach($NOTIFICATION_HANDLERS as $method => $foo) {
 	$subscriptions[$method] = get_input($method.'subscriptions');
 	$personal[$method] = get_input($method.'personal');
-- 
cgit v1.2.3
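Review bot: The new guard `if (!$guid || !($user = get_entity($guid)))` accepts any entity that carries the GUID, so an admin who submits a group or object GUID gets past the ownership/admin test with a `$user` that is not a user at all, and the rest of the action (outside this hunk) presumably saves notification settings against it; add a type check before the ownership test, e.g. `if (!$guid || !($user = get_entity($guid)) || !elgg_instanceof($user, 'user')) {` using whichever user-entity check this codebase provides. The ownership comparison on the next `if` uses loose `!=`; `(int) $user->guid !== (int) $current_user->guid` avoids PHP's loose-comparison surprises. The same hunk initialises `$subscriptions = array();` but leaves `$personal[$method] = ...` building its array implicitly; add `$personal = array();` beside it for consistency. The hunk also assumes `$current_user` is non-null, which holds only if this action is restricted to logged-in users elsewhere — worth confirming since `$current_user->isAdmin()` would fatal on null.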