From f38864d3eacdb90d0fd0d2aa7a8bd88ca9974ff1 Mon Sep 17 00:00:00 2001
From: Mischa POSLAWSKY
Date: Thu, 24 Oct 2019 21:47:33 +0200
Subject: [PATCH] login/post: ignore ?login override for non user admins

Confidential data was not secure from people who acquired these urls.
---
login/post/index.php | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/login/post/index.php b/login/post/index.php
index 2f6a9f9..e491e35 100644
--- a/login/post/index.php
+++ b/login/post/index.php
@@ -1,7 +1,7 @@ admin('user') and $username = @$_REQUEST['login']) { try { $user = new User("profile/$username"); }
--
2.30.0
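Review bot: The changed `if` condition still takes the override from `@$_REQUEST['login']`, which PHP fills from POST data and, depending on `request_order`, cookies as well as the query string, whereas the commit message describes a `?login` URL override; reading `$_GET['login'] ?? null` would narrow the source to the query string and make the `@` unnecessary. The value then goes unchecked into `new User("profile/$username")`, so if that string ends up as a storage path (not visible here) a format check such as `preg_match('/^[\w-]+$/', $username)`, adjusted to the project's username rules, belongs before the constructor call even though only user admins now reach it. Since this override lets an admin view another account's confidential page, an audit log entry recording which admin used it for which login would also help later review. The hunk text on this page is incomplete, so the start of the condition and the rest of the `try` block lie outside what is shown.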