From 3552da18dc0285fc0828f8e6aa00037c1ad903b0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jens=20Mei=C3=9Fner?=
Date: Sat, 25 Nov 2017 14:52:28 +0100
Subject: [PATCH] Disable user management api functions if LDAP is used for authentication.

---
 api/edit-user.php | 4 ++++
 api/password.php | 4 ++++
 api/users.php | 4 ++++
 3 files changed, 12 insertions(+)

diff --git a/api/edit-user.php b/api/edit-user.php
index 3087f7a..f8c3d9c 100644
--- a/api/edit-user.php
+++ b/api/edit-user.php
@@ -26,6 +26,10 @@ if(!isset($_SESSION['type']) || $_SESSION['type'] != "admin") {
 	echo "Permission denied!";
 	exit();
 }
+if(!isset($_SESSION['id']) || $_SESSION['id'] == 0) {
+	echo "Permission denied!";
+	exit();
+}
 if(isset($input->action) && $input->action == "addUser") {
 	$passwordHash = password_hash($input->password, PASSWORD_DEFAULT);
 	$db->beginTransaction();
diff --git a/api/password.php b/api/password.php
index 9d5ef75..a5b03ed 100644
--- a/api/password.php
+++ b/api/password.php
@@ -22,6 +22,10 @@ if(!isset($input->csrfToken) || $input->csrfToken !== $_SESSION['csrfToken']) {
 	echo "Permission denied!";
 	exit();
 }
+if(!isset($_SESSION['id']) || $_SESSION['id'] == 0) {
+	echo "Permission denied!";
+	exit();
+}
 if(isset($input->action) && $input->action == "changePassword") {
 	$passwordHash = password_hash($input->password, PASSWORD_DEFAULT);
 	$stmt = $db->prepare("UPDATE users SET password=:password WHERE id=:id");
diff --git a/api/users.php b/api/users.php
index 2b228d3..79e8d9b 100644
--- a/api/users.php
+++ b/api/users.php
@@ -26,6 +26,10 @@ if(!isset($_SESSION['type']) || $_SESSION['type'] != "admin") {
 	echo "Permission denied!";
 	exit();
 }
+if(!isset($_SESSION['id']) || $_SESSION['id'] == 0) {
+	echo "Permission denied!";
+	exit();
+}
 if(isset($input->action) && $input->action == "getUsers") {
 	$sql = "
 		SELECT id,name,type
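Review bot: The new guard in api/edit-user.php recognises an LDAP session only through the loose comparison `$_SESSION['id'] == 0`, which also matches `null`, `''` and (before PHP 8) any non-numeric string, and whose result for `''` flips between PHP 7 and PHP 8; the identical block is added to api/password.php and api/users.php. If the LDAP login path stores anything other than the integer 0 as the id, these endpoints are opened or closed depending on the PHP version rather than on the authentication mode, so a type-aware comparison such as `if(!isset($_SESSION['id']) || (int)$_SESSION['id'] === 0) {` together with a comment stating the convention, `// LDAP-authenticated sessions have no local user row (id 0); local user management is unavailable for them`, would make the intent explicit and robust. The commit message says the functions are disabled when LDAP is used, yet nothing in the hunks consults the LDAP configuration — presumably the id-0 convention is established by the login code, which is outside this diff. Since the same four lines are pasted into three endpoints, a shared include or a small helper next to the existing session checks would keep the copies from drifting.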