From b7d1f9e1f1d1d7e18d50a15b8dff1d7770fb9923 Mon Sep 17 00:00:00 2001
From: Fred Tempez
Date: Thu, 29 Jun 2023 09:43:31 +0200
Subject: [PATCH] Check permission on delete

---
 core/module/user/user.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/core/module/user/user.php b/core/module/user/user.php
index cb213d54..47b5d945 100644
--- a/core/module/user/user.php
+++ b/core/module/user/user.php
@@ -184,6 +184,7 @@ class user extends common
 {
 // Accès refusé
 if (
+ $this->getUser('permission', __CLASS__, __FUNCTION__) === false ||
 // L'utilisateur n'existe pas
 $this->getData(['user', $this->getUrl(2)]) === null
 // Groupe insuffisant
@@ -230,7 +231,7 @@ class user extends common
 public function edit()
 {
 if (
- $this->checkCSRF()
+ $this->getUser('permission', __CLASS__, __FUNCTION__) === false
 ) {
 // Valeurs en sortie
@@ -531,6 +532,7 @@ class user extends common
 public function profilEdit()
 {
 if (
+ $this->getUser('permission', __CLASS__, __FUNCTION__) === false ||
 $this->checkCSRF()
 ) {
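Review bot: The guard added in the first hunk denies access only when `getUser('permission', …)` returns exactly `false`, so any other value would let the request continue towards the deletion. getUser() is not visible in this patch, so whether it can return something like `null` (for a missing session or an unregistered method name, say) depends on its contract. Denying on anything that is not an explicit grant is the safer form: `$this->getUser('permission', __CLASS__, __FUNCTION__) !== true ||`. The same `=== false` comparison is added in edit() and profilEdit() in the two later hunks. The enclosing method starts before this hunk and its condition continues past it.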
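Review bot: In edit() the `$this->checkCSRF()` condition is replaced by the permission test rather than combined with it, whereas profilEdit() in the next hunk keeps both. Unless the token is verified further down in edit(), which this hunk does not show, the handler that presumably saves changes to a user account no longer has a CSRF check. Keeping both would mean ending the new line with `=== false ||` and leaving `$this->checkCSRF()` as the following line, as profilEdit() does. The commit subject mentions only delete, so it is worth confirming that the removal is intended. The body of edit() continues past the hunk.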