From 1a86eccccd086ee27d1e466c94b1945bc97199ad Mon Sep 17 00:00:00 2001
From: moodler <moodler>
Date: Mon, 27 Sep 2004 13:26:06 +0000
Subject: [PATCH] Closed hole when using userid information from form data
 (merged from STABLE)

---
 user/edit.php | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/user/edit.php b/user/edit.php
index 32c26f6502..640aa6d08b 100644
--- a/user/edit.php
+++ b/user/edit.php
@@ -39,7 +39,7 @@
         require_login($course->id);
     }
 
-    if ($USER->id <> $user->id and !isadmin()) {
+    if (($USER->id <> $user->id) && !isadmin()) {
         error("You can only edit your own information");
     }
 
@@ -65,6 +65,10 @@
 
     if ($usernew = data_submitted()) {
 
+        if (($USER->id <> $usernew->id) && !isadmin()) {
+            error("You can only edit your own information");
+        }
+
         if (isset($USER->username)) {
             check_for_restricted_user($USER->username, "$CFG->wwwroot/course/view.php?id=$course->id");
         }
-- 
2.39.5