X-Git-Url: http://wagnertech.de/git?a=blobdiff_plain;f=swap_roles.php;h=1652ae2a8d09cec7d2af5a624994e15a888a67af;hb=691958794018beda9788e9bdb47d640a116af492;hp=59a726c5bc9a2049e2d2e6e4ac83996a3c4715ef;hpb=030d2c3ffbf8229cc945427e9e9f7704226effe1;p=timetracker.git
diff --git a/swap_roles.php b/swap_roles.php
index 59a726c5..1652ae2a 100644
--- a/swap_roles.php
+++ b/swap_roles.php
@@ -40,10 +40,15 @@ if (!is_array($users_for_swap) || sizeof($users_for_swap) == 0) {
 header('Location: access_denied.php');
 exit();
 }
-
 if ($request->isPost()) {
- $cl_id = $request->getParameter('swap_with');
+ $user_id = (int)$request->getParameter('swap_with');
+ $user_details = $user->getUserDetails($user_id);
+ if (!$user_details) {
+ header('Location: access_denied.php');
+ exit();
+ }
 }
+// End of access checks.
 $form = new Form('swapForm');
 $form->addInput(array('type'=>'combobox','name'=>'swap_with','style'=>'width: 250px;','data'=>$users_for_swap,'datakeys'=>array('id','name')));
@@ -52,7 +57,7 @@ $form->addInput(array('type'=>'submit','name'=>'btn_cancel','value'=>$i18n->get(
 if ($request->isPost()) {
 if ($request->getParameter('btn_submit')) {
- if (ttTeamHelper::swapRolesWith($cl_id)) {
+ if (ttTeamHelper::swapRolesWith($user_id)) {
 header('Location: users.php');
 exit();
 } else
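Review bot: The new guard on the posted `swap_with` id only checks that `$user->getUserDetails($user_id)` returns something, not that the id is one of the `$users_for_swap` entries the combobox offers. getUserDetails() is not visible here, so unless it applies the same eligibility rule as the swap list, a request carrying an id the form never offered would presumably still reach `ttTeamHelper::swapRolesWith($user_id)` in the second hunk. Checking membership in the list already loaded above ties the check to what the page allows, e.g. `if (!in_array($user_id, array_map('intval', array_column($users_for_swap, 'id')), true)) { header('Location: access_denied.php'); exit(); }`, assuming each entry carries the `id` key named in `datakeys`. A one-line comment above the check stating which property it enforces would also help, since `$user_details` is otherwise unused.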