Closed hole when using userid information from form data (merged from STABLE)

diff --git a/user/edit.php b/user/edit.php
index 32c26f6502fc2d81b77c878494536e8bc71b7b53..640aa6d08b1e9c31a008574f486727e5671f201f 100644 (file)
--- a/user/edit.php
+++ b/user/edit.php
@@ -39,7 +39,7 @@
         require_login($course->id);
     }
 
-    if ($USER->id <> $user->id and !isadmin()) {
+    if (($USER->id <> $user->id) && !isadmin()) {
         error("You can only edit your own information");
     }
 
@@ -65,6 +65,10 @@
 
     if ($usernew = data_submitted()) {
 
+        if (($USER->id <> $usernew->id) && !isadmin()) {
+            error("You can only edit your own information");
+        }
+
         if (isset($USER->username)) {
             check_for_restricted_user($USER->username, "$CFG->wwwroot/course/view.php?id=$course->id");
         }