Avoid showing user popup to non authenticated users if user is not a course teacher #security

6 years ago · 5e81f51c7b
parent 4b94a58748
commit 5e81f51c7b
1 changed files with 7 additions and 1 deletions
--- a/main/inc/ajax/user_manager.ajax.php
+++ b/main/inc/ajax/user_manager.ajax.php
@ -58,7 +58,13 @@ switch ($action) {

        $userData = '<h3>'.$user_info['complete_name'].'</h3>'.$user_info['mail'].$user_info['official_code'];
        if ($isAnonymous) {
-            echo $userData;
+            // Only allow anonymous users to see user popup if the popup user
+            // is a teacher (which might be necessary to illustrate a course)
+            if ($user_info['status'] === COURSEMANAGER) {
+                echo $userData;
+            } else {
+                echo '<h3>-</h3>';
+            }
        } else {
            echo Display::url(
                $userData,