Fix a bug giving read access to the contacts of another user when
authorFlorent Bruneau <florent.bruneau@polytechnique.org>
Sat, 5 Jun 2010 09:40:24 +0000 (11:40 +0200)
committerFlorent Bruneau <florent.bruneau@polytechnique.org>
Sat, 5 Jun 2010 09:40:24 +0000 (11:40 +0200)
adding/removing this user from our contacts. Close #1080

Signed-off-by: Florent Bruneau <florent.bruneau@polytechnique.org>
modules/carnet.php

index 7479b3c..d71aec1 100644 (file)
@@ -266,18 +266,20 @@ class CarnetModule extends PLModule
         }
         switch (Env::v('action')) {
             case 'retirer':
-                if (($user = User::get(Env::v('user')))) {
+                if (($contact = User::get(Env::v('user')))) {
                     if (XDB::execute("DELETE FROM  contacts
-                                            WHERE  uid = {?} AND contact = {?}", $uid, $user->id())) {
+                                            WHERE  uid = {?} AND contact = {?}",
+                                     $uid, $contact->id())) {
                         $page->trigSuccess("Contact retiré&nbsp;!");
                     }
                 }
                 break;
 
             case 'ajouter':
-                if (($user = User::get(Env::v('user')))) {
+                if (($contact = User::get(Env::v('user')))) {
                     if (XDB::execute("REPLACE INTO  contacts (uid, contact)
-                                            VALUES  ({?}, {?})", $uid, $user->id())) {
+                                            VALUES  ({?}, {?})",
+                                     $uid, $contact->id())) {
                         $page->trigSuccess('Contact ajouté&nbsp;!');
                     } else {
                         $page->trigWarning('Contact déjà dans la liste&nbsp;!');
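Review bot: Nothing in the `retirer` and `ajouter` branches records why the looked-up account must stay out of `$user`, so a later edit could reintroduce the same mix-up between the account being added or removed and the account whose contact list is displayed. A short comment above the `switch` would pin the invariant, for example `// $uid owns the list; $contact is only the target of the action and must never be assigned to $user`. The code that reads `$user` after the switch is outside this hunk, so this assumes it holds the session user, as the commit message implies. Both branches also change data based on `Env::v('action')` and `Env::v('user')`, and the request-token check is not visible here because the handler starts above the hunk; it is worth confirming that it covers both cases.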