From efab4af451c4759d4ea860741c6a27a997137fb6 Mon Sep 17 00:00:00 2001
From: vincent-peugnet
Date: Tue, 8 Jan 2019 02:50:43 +0100
Subject: fix user update admin
---
 app/class/application.php | 7 +++----
 app/class/controlleruser.php | 13 ++++++++-----
 2 files changed, 11 insertions(+), 9 deletions(-)
diff --git a/app/class/application.php b/app/class/application.php
index 926db20..07db776 100644
--- a/app/class/application.php
+++ b/app/class/application.php
@@ -29,10 +29,9 @@ class Application
 header('Location: ./');
 exit;
 }
- } elseif(isset($_POST['userinit'])) {
+ } elseif(isset($_POST['userinit']) && !empty($_POST['userinit']['id']) && !empty($_POST['userinit']['password'])) {
 $userdata = $_POST['userinit'];
 $userdata['level'] = 10;
- //$userdata['id'] = idclean($userdata['id']);
 $user = new User($userdata);
 $this->usermanager->add($user);
 header('Location: ./');
@@ -108,14 +107,14 @@ class Application
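Review bot: The guard added to the `userinit` branch only tests that `id` and `password` are non-empty, so an array submitted for either field passes it and reaches `new User($userdata)` untyped. A type check would close that, for example `is_string($_POST['userinit']['id'] ?? null) && $_POST['userinit']['id'] !== ''`, with the same check for `password`. With the commented-out `idclean()` call deleted rather than restored, the id is stored as submitted unless `User` normalises it itself, which is not visible here. Because this branch creates a level-10 account from posted data, confirm that the enclosing condition (outside the hunk) makes it reachable only while no user exists.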

- +

Your user id as the first administrator.

- +

Your user passworder as first administrator.

diff --git a/app/class/controlleruser.php b/app/class/controlleruser.php
index 7863956..495fab5 100644
--- a/app/class/controlleruser.php
+++ b/app/class/controlleruser.php
@@ -58,15 +58,18 @@ class Controlleruser extends Controller
 case 'update':
 $user = $this->usermanager->get($_POST['id']);
- $user->hydrate($_POST);
- if(empty($user->id())) {
+ $userupdate = clone $user;
+ $userupdate->hydrate($_POST);
+ if(empty($userupdate->id())) {
 $this->routedirectget('user', ['error' => 'wrong_id']);
- } elseif (!empty($_POST['password']) && (empty($user->password()) || $this->usermanager->passwordexist($user->password()))) {
+ } elseif (!empty($_POST['password']) && (empty($userupdate->password()) || $this->usermanager->passwordexist($userupdate->password()))) {
 $this->routedirectget('user', ['error' => 'change_password']);
- } elseif (empty($user->level())) {
+ } elseif (empty($userupdate->level())) {
 $this->routedirectget('user', ['error' => 'wrong_level']);
+ } elseif ($user->level() === 10 && $userupdate->level() !== 10) {
+ $this->routedirectget('user', ['error' => 'cant_edit_yourself']);
 } else {
- $this->usermanager->add($user);
+ $this->usermanager->add($userupdate);
 $this->routedirect('user');
 }
 }
--
cgit v1.2.3
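Review bot: The new `cant_edit_yourself` branch never looks at who is making the request: it compares only the stored and the submitted level, so it refuses to demote any level-10 account, and nothing in the hunk stops `hydrate($_POST)` from raising another account to level 10. If the aim is to keep an administrator from locking themselves out, compare the target id with the session user's id and gate changes to `level` on the caller's own level; any authorisation check for `case 'update'` sits outside this hunk. The strict `=== 10` / `!== 10` tests also depend on `level()` returning an int after hydration from `$_POST`, which is worth confirming in the setter. Separately, `clone $user` runs before anything verifies that `get($_POST['id'])` found a user, so an unknown id would presumably fail at the clone instead of reaching `wrong_id`; an `if (!$user instanceof User)` guard that routes to `wrong_id` before the clone would cover it.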