From 5e81f51c7b6b9c1c566828715106be27d6061a86 Mon Sep 17 00:00:00 2001
From: Yannick Warnier
Date: Fri, 22 Feb 2019 19:33:20 -0500
Subject: [PATCH] Avoid showing user popup to non authenticated users if user is not a course teacher #security
---
 main/inc/ajax/user_manager.ajax.php | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/main/inc/ajax/user_manager.ajax.php b/main/inc/ajax/user_manager.ajax.php
index 48175a6f2d..aebbbebf59 100755
--- a/main/inc/ajax/user_manager.ajax.php
+++ b/main/inc/ajax/user_manager.ajax.php
@@ -58,7 +58,13 @@ switch ($action) {
 $userData = '

'.$user_info['complete_name'].'

'.$user_info['mail'].$user_info['official_code'];
 if ($isAnonymous) {
- echo $userData;
+ // Only allow anonymous users to see user popup if the popup user
+ // is a teacher (which might be necessary to illustrate a course)
+ if ($user_info['status'] === COURSEMANAGER) {
+ echo $userData;
+ } else {
+ echo '

-

';
+ }
 } else {
 echo Display::url(
 $userData,
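Review bot: The new guard on the `+ if ($user_info['status'] === COURSEMANAGER) {` line keys on the account's platform-wide status rather than on whether that account teaches the course the popup is requested from, so an unauthenticated caller who supplies a user id can still read the name, e-mail and official code of any teacher-status account; that is narrower than the "course teacher" wording of the commit title, and if a course-membership helper is available to this script the check should require it in addition to the status. The strict `===` will also fail in the intended case if `$user_info['status']` arrives from the database layer as a string (not visible here, so worth confirming), in which event teachers would be hidden as well — normalising with `if ((int) $user_info['status'] === COURSEMANAGER) {` avoids that. The enclosing `switch ($action)` case and the non-anonymous `else` branch continue outside the hunk.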