From a1bb333153fa8ba29a88cfba423d810f509a2b37 Mon Sep 17 00:00:00 2001
From: Diego Najar
Date: Tue, 28 May 2019 20:49:29 +0200
Subject: [PATCH] Prevent non-administrators to change the password from other users
---
 bl-kernel/admin/controllers/user-password.php | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/bl-kernel/admin/controllers/user-password.php b/bl-kernel/admin/controllers/user-password.php
index 0f86abb7..8a7e8c9d 100644
--- a/bl-kernel/admin/controllers/user-password.php
+++ b/bl-kernel/admin/controllers/user-password.php
@@ -13,8 +13,14 @@
 // ============================================================================
 if ($_SERVER['REQUEST_METHOD'] == 'POST') {
+ // Prevent non-administrators to change other users
+ $username = $_POST['username'];
+ if ($login->role()!=='admin') {
+ $username = $login->username();
+ }
+
 if (changeUserPassword(array(
- 'username'=>$_POST['username'],
+ 'username'=>$username,
 'newPassword'=>$_POST['newPassword'],
 'confirmPassword'=>$_POST['confirmPassword']
 ))) {
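Review bot: `$_POST['username']` is read unconditionally on the first added assignment, so an admin request that omits the field raises an undefined-index notice before changeUserPassword() ever sees it; read it defensively, e.g. `$username = isset($_POST['username']) ? $_POST['username'] : '';`. Overriding the value for non-admins is the right place to enforce the rule, but the silent replacement also hides a request that named another user; if the project already logs admin actions, recording or rejecting a mismatch between `$_POST['username']` and `$login->username()` would make such tampering visible to an operator. A comment such as `// Only admins may choose the target user; everyone else can only change their own password` would state the rule more precisely than "change other users". The enclosing `if (changeUserPassword(...))` block continues outside the hunk.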