Security: Fix logical flaw allowing unauthenticated users to send dat…

…a to a specific table
chamilo · Sep 20, 2024 · 58c54f4 · 58c54f4
1 parent dc24215
commit 58c54f4
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/main/lp/storageapi.php b/main/lp/storageapi.php
@@ -67,7 +67,7 @@
 function storage_can_set($sv_user)
 {
     // platform admin can change any user's stored values, other users can only change their own values
-    $allowed = ((api_is_platform_admin()) || ($sv_user == api_get_user_id()));
+    $allowed = ((api_is_platform_admin()) || (!empty($sv_user) && $sv_user == api_get_user_id()));
     if (!$allowed) {
         echo "ERROR : Not allowed";
     }