diff options
author | George Goldberg <george@gberg.me> | 2018-09-14 16:21:05 +0100 |
---|---|---|
committer | Christopher Speller <crspeller@gmail.com> | 2018-09-14 08:21:05 -0700 |
commit | fdbb6de3d52a5f41f075812e3b87616685a21b9b (patch) | |
tree | 1e434c28bf56b82148124f15958f36423e02828c /api4/status.go | |
parent | 83a00ae9251475b3ef39284ba922cb3ca55a6fbe (diff) | |
download | chat-fdbb6de3d52a5f41f075812e3b87616685a21b9b.tar.gz chat-fdbb6de3d52a5f41f075812e3b87616685a21b9b.tar.bz2 chat-fdbb6de3d52a5f41f075812e3b87616685a21b9b.zip |
MM-11520: Make entity ID checks consistent across api4. (#9395)
* MM-11520: Make entity ID checks consistent across api4.
* Update tests.
Diffstat (limited to 'api4/status.go')
-rw-r--r-- | api4/status.go | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/api4/status.go b/api4/status.go index edba5460b..67b4d10bc 100644 --- a/api4/status.go +++ b/api4/status.go @@ -68,6 +68,12 @@ func updateUserStatus(c *Context, w http.ResponseWriter, r *http.Request) { return } + // The user being updated in the payload must be the same one as indicated in the URL. + if status.UserId != c.Params.UserId { + c.SetInvalidParam("user_id") + return + } + if !c.App.SessionHasPermissionToUser(c.Session, c.Params.UserId) { c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) return |