Commit 93430d92 authored by thomas's avatar thomas

Improve access control checks on Perso::cancel()

parent d88f43c7
......@@ -490,8 +490,11 @@ class Perso extends Controller
public function cancel($f3, $params)
{
if (!$f3->exists('SESSION.user')) {
$f3->reroute('/login');
}
$db = $f3->get('DB');
$result = $db->query("SELECT identifier, user_id from identifiers where identifier like '".$params['id']."'");
$result = $db->query("SELECT identifier, user_id from identifiers where identifier like '".$params['id']."' and user_id='".\Utils::asl($f3->get('SESSION.id'))."'");
$result = $result->fetch(\PDO::FETCH_ASSOC);
if ($result) {
$identifier = $result['identifier'];
......
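Review bot: The rewritten query still interpolates `$params['id']` straight into the SQL string — only the session id goes through `\Utils::asl()` — so the added `user_id` restriction can be undone by a crafted identifier value, and the `like` comparison additionally lets `%`/`_` in the parameter match rows other than the one named. Since the result is read with `$result->fetch(\PDO::FETCH_ASSOC)`, `$db` appears to be a PDO handle (worth confirming), so a prepared statement fixes both issues: `$stmt = $db->prepare('SELECT identifier, user_id FROM identifiers WHERE identifier = ? AND user_id = ?');` / `$stmt->execute([$params['id'], $f3->get('SESSION.id')]);` / `$result = $stmt->fetch(\PDO::FETCH_ASSOC);` — keep `like` only if wildcard matching on the identifier is actually intended. It would also help to add a comment on the query, e.g. `// Only the owner of the identifier may cancel it`, so the purpose of the user_id predicate survives later edits. The body of cancel() continues past the end of this hunk.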