Prevents group animator to edit data from a user who does not belong to this group.
authorStéphane Jacob <sj@m4x.org>
Sat, 7 Aug 2010 11:22:26 +0000 (13:22 +0200)
committerStéphane Jacob <sj@m4x.org>
Sat, 7 Aug 2010 17:31:44 +0000 (19:31 +0200)
Signed-off-by: Stéphane Jacob <sj@m4x.org>
classes/user.php
modules/xnetgrp.php

index b521048..cc2404a 100644 (file)
@@ -595,6 +595,15 @@ class User extends PlUser
         return ($groupNb == 1);
     }
 
+    public function inGroup($asso_id)
+    {
+        $res = XDB::fetchOneCell('SELECT  COUNT(*)
+                                    FROM  group_members
+                                   WHERE  uid = {?} AND asso_id = {?}',
+                                 $this->id(), $asso_id);
+        return ($res > 0);
+    }
+
     /**
      * Clears a user.
      *  *always deletes in: account_lost_passwords, register_marketing,
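Review bot: inGroup() at line 15 has no docblock and takes an untyped `$asso_id`, so a reader cannot tell whether it expects an int only or tolerates a null/empty group id; since the query is parameterised through `{?}`, a null id presumably matches no row and the check fails closed, which is the right default for an authorisation helper but should be stated. Suggest a header such as `/** Whether this user has a group_members row for group $asso_id. @param int $asso_id @return bool */` and an explicit cast on the count, `return ((int) $res > 0);`, as fetchOneCell presumably hands back COUNT(*) as a string. If group_members distinguishes pending from confirmed memberships, this helper would currently grant access to pending members too — confirm against the schema before it is used as an access check.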
index 068ad86..b962b4e 100644 (file)
@@ -863,13 +863,17 @@ class XnetGrpModule extends PLModule
     {
         global $globals;
 
-        $page->changeTpl('xnetgrp/membres-edit.tpl');
-
         $user = User::getSilent($user);
         if (empty($user)) {
             return PL_NOT_FOUND;
         }
 
+        if (!$user->inGroup($globals->asso('id'))) {
+            pl_redirect('annuaire');
+        }
+
+        $page->changeTpl('xnetgrp/membres-edit.tpl');
+
         $mmlist = new MMList($user, $globals->asso('mail_domain'));
 
         if (Post::has('change')) {
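Review bot: The new membership guard at line 39 relies on pl_redirect('annuaire') never returning; if it does return in some configuration, the handler falls through to the edit code below and the non-member's data is still modified. Making the deny path explicit costs one line: `pl_redirect('annuaire'); return;` (or the module's conventional handler return value). The rejection is also silent — the animator is sent to the directory with no message and no record, so a denied attempt leaves nothing for later review; consider logging it if the module has a logging facility. The enclosing handler starts before the hunk and continues past line 47, and any other handlers in this module that edit a member's data would need the same guard.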