From: Mischa POSLAWSKY <perl@shiar.org>
Date: Thu, 24 Oct 2019 19:47:33 +0000 (+0200)
Subject: login/post: ignore ?login override for non user admins
X-Git-Tag: v4.1~17
X-Git-Url: http://git.shiar.net/minimedit.git/commitdiff_plain/f38864d3eacdb90d0fd0d2aa7a8bd88ca9974ff1

login/post: ignore ?login override for non user admins

Confidential data was not secure from people who acquired these urls.
---

diff --git a/login/post/index.php b/login/post/index.php
index 2f6a9f9..e491e35 100644
--- a/login/post/index.php
+++ b/login/post/index.php
@@ -1,7 +1,7 @@
 <?php
 $body = ob_get_clean();
 
-if ($username = @$_REQUEST['login']) {
+if ($User->admin('user') and $username = @$_REQUEST['login']) {
 	try {
 		$user = new User("profile/$username");
 	}