avoid to impersonate inactive users or without profiles

glpi-project · May 24, 2022 · dfe8065 · dfe8065
1 parent 747818d
commit dfe8065
Showing 1 changed file with 16 additions and 3 deletions.
diff --git a/src/Session.php b/src/Session.php
@@ -1598,10 +1598,23 @@ public static function canImpersonate($user_id)
             return false; // Cannot impersonate invalid user, self, or already impersonated user
         }
 
-       // For now we do not check more than config update right, but we may
-       // implement more fine checks in the future.
+        // Cannot impersonate if we don't have config right
+        if (!self::haveRight(Config::$rightname, UPDATE)) {
+            return false;
+        }
+
+        // Cannot impersonate inactive user
+        $user = new User();
+        if (!$user->getFromDB($user_id) || !$user->getField('is_active')) {
+            return false;
+        }
 
-        return self::haveRight(Config::$rightname, UPDATE);
+        // Cannot impersonate user with no profile
+        if (Profile_User::getUserProfiles($user_id, true) == []) {
+            return false;
+        }
+
+        return true;
     }
 
     /**