From 4c21b7eea3e9e9499d46278e87c9c305a1bd47f2 Mon Sep 17 00:00:00 2001
From: Andreas Gohr
Date: Wed, 13 Feb 2008 22:45:05 +0100
Subject: make sure not supported profile fields are not accepted FS#1329

darcs-hash:20080213214505-7ad00-8ff1974ccbab38168f95072faaeb53134f95b926.gz
---
 inc/auth.php | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/inc/auth.php b/inc/auth.php
index 027e9c685..d511930dc 100644
--- a/inc/auth.php
+++ b/inc/auth.php
@@ -640,9 +640,10 @@ function updateprofile() {
 return false;
 }
- if ($_POST['fullname'] != $INFO['userinfo']['name']) $changes['name'] = $_POST['fullname'];
- if ($_POST['email'] != $INFO['userinfo']['mail']) $changes['mail'] = $_POST['email'];
- if (!empty($_POST['newpass'])) $changes['pass'] = $_POST['newpass'];
+ if ($_POST['fullname'] != $INFO['userinfo']['name'] && $auth->canDo('modName')) $changes['name'] = $_POST['fullname'];
+ if ($_POST['email'] != $INFO['userinfo']['mail'] && $auth->canDo('modMail')) $changes['mail'] = $_POST['email'];
+ if (!empty($_POST['newpass']) && $auth->canDo['modPass']) $changes['pass'] = $_POST['newpass'];
+
 if (!count($changes)) {
 msg($lang['profnochange'], -1);
-- 
cgit v1.2.3
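Review bot: The new password guard uses `$auth->canDo['modPass']` with square brackets, while the two lines above it call the method as `$auth->canDo('modName')` and `$auth->canDo('modMail')`. The bracket form reads an array offset from a property named `canDo` rather than calling the method, so, assuming the backend defines no such property, the condition is never true and `$changes['pass']` is never set. The check fails closed, but a user who changes only the password gets the `profnochange` message. A user who changes name and password together has the name saved while the new password is silently dropped, leaving the old credential valid when they believe it was rotated. The line should read `if (!empty($_POST['newpass']) && $auth->canDo('modPass')) $changes['pass'] = $_POST['newpass'];`. The body of `updateprofile()` starts and ends outside this hunk, so how `$changes` is applied is not visible here.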