diff --git a/ajax/deleteKeys.php b/ajax/deleteKeys.php
index 468bf33006a495e4b4d3903122508a43dbf1f533..8f09a07e5cfff4b5d9b89f0beb6e455454fcb961 100644
--- a/ajax/deleteKeys.php
+++ b/ajax/deleteKeys.php
@@ -11,10 +11,22 @@
 QUI::$Ajax->registerFunction(
 'package_quiqqer_authgoogle2fa_ajax_deleteKeys',
 function ($userId, $titles) {
- $AuthUser = QUI::getUsers()->get((int)$userId);
- $titles = Orthos::clearArray(json_decode($titles, true));
+ $Users = QUI::getUsers();
+ $AuthUser = $Users->get((int)$userId);
+ $titles = Orthos::clearArray(json_decode($titles, true));
+ $SessionUser = QUI::getUserBySession();
 // @todo Check user edit permission of session user
+ if ($Users->isNobodyUser($SessionUser)) {
+ throw new QUI\Permissions\Exception(
+ QUI::getLocale()->get(
+ 'quiqqer/system',
+ 'exception.lib.user.no.edit.rights'
+ )
+ );
+ }
+
+ $SessionUser->checkEditPermission();
 try {
 $secrets = json_decode($AuthUser->getAttribute('quiqqer.auth.google2fa.secrets'), true);
diff --git a/ajax/generateKey.php b/ajax/generateKey.php
index 208bf19386ee9f54bd230aede70150723e4d7bfb..66364ab37a45fd76b3c161cbd1b4c005c0b69542 100644
--- a/ajax/generateKey.php
+++ b/ajax/generateKey.php
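Review bot: `$SessionUser->checkEditPermission();` is invoked on the session user rather than on `$AuthUser`, the account whose `quiqqer.auth.google2fa.secrets` attribute this handler goes on to read and rewrite, so the check never involves the target user at all. If `checkEditPermission` verifies that the current session may edit the user it is called on (which is how its name reads; worth confirming in the core user class), then any logged-in, non-nobody session passes here for an arbitrary `$userId`, and the `isNobodyUser` guard is the only effective restriction. The call should be `$AuthUser->checkEditPermission();`, or `$AuthUser->checkEditPermission($SessionUser);` if the method accepts the acting user explicitly. The same line appears in the generateKey, getKey, getKeys and regenerateRecoveryKeys hunks and should be changed in each. Note also that this file keeps the `// @todo Check user edit permission of session user` context line that the other four files remove; it is now stale and should go.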
@@ -15,16 +15,25 @@
 QUI::$Ajax->registerFunction(
 'package_quiqqer_authgoogle2fa_ajax_generateKey',
 function ($userId, $title) {
- $AuthUser = QUI::getUsers()->get((int)$userId);
- $title = Orthos::clear($title);
- $CreateUser = QUI::getUserBySession();
+ $Users = QUI::getUsers();
+ $SessionUser = QUI::getUserBySession();
+ $AuthUser = $Users->get((int)$userId);
+ $title = Orthos::clear($title);
- // @todo Check user edit permission of session user
+ if ($Users->isNobodyUser($SessionUser)) {
+ throw new QUI\Permissions\Exception(
+ QUI::getLocale()->get(
+ 'quiqqer/system',
+ 'exception.lib.user.no.edit.rights'
+ )
+ );
+ }
+
+ $SessionUser->checkEditPermission();
 try {
 $Google2FA = new Google2FA();
-
- $secrets = json_decode($AuthUser->getAttribute('quiqqer.auth.google2fa.secrets'), true);
+ $secrets = json_decode($AuthUser->getAttribute('quiqqer.auth.google2fa.secrets'), true);
 if (empty($secrets)) {
 $secrets = array();
@@ -43,7 +52,7 @@ function ($userId, $title) {
 $secrets[$title] = array(
 'key' => Security::encrypt($Google2FA->generateSecretKey(32)),
 'recoveryKeys' => Auth::generateRecoveryKeys(),
- 'createUserId' => $CreateUser->getId(),
+ 'createUserId' => $SessionUser->getId(),
 'createDate' => date('Y-m-d H:i:s')
 );
diff --git a/ajax/getKey.php b/ajax/getKey.php
index 622ef80b13d85015abf68eadf224b0e824c8717c..96a2890349c42b83c3a20b1ec2d68cf6e2f3cf4a 100644
--- a/ajax/getKey.php
+++ b/ajax/getKey.php
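Review bot: The nobody check plus `checkEditPermission()` preamble is now copied verbatim into five ajax handlers (this one, deleteKeys, getKey, getKeys, regenerateRecoveryKeys), which is how deleteKeys already drifted from the others by keeping its old `// @todo` comment. A single package-level helper that takes the target user and the session user, performs both checks and throws the same `QUI\Permissions\Exception` would keep the authorization logic in one place so that a later correction lands in every handler at once. The rename of `$CreateUser` to `$SessionUser` at the `createUserId` site in the second hunk is consistent with that and needs no further change.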
@@ -15,11 +15,21 @@
 QUI::$Ajax->registerFunction(
 'package_quiqqer_authgoogle2fa_ajax_getKey',
 function ($userId, $title) {
- $AuthUser = QUI::getUsers()->get((int)$userId);
- $title = Orthos::clear($title);
- $keyData = array();
+ $Users = QUI::getUsers();
+ $SessionUser = QUI::getUserBySession();
+ $AuthUser = $Users->get((int)$userId);
+ $title = Orthos::clear($title);
- // @todo Check user edit permission of session user
+ if ($Users->isNobodyUser($SessionUser)) {
+ throw new QUI\Permissions\Exception(
+ QUI::getLocale()->get(
+ 'quiqqer/system',
+ 'exception.lib.user.no.edit.rights'
+ )
+ );
+ }
+
+ $SessionUser->checkEditPermission();
 try {
 $Google2FA = new Google2FA();
diff --git a/ajax/getKeys.php b/ajax/getKeys.php
index 98bb68cd59f6b1a15f3d6a82e8bb8e2d9c0865be..16a5cc20ef69193a9da024695ebf9016666b85f9 100644
--- a/ajax/getKeys.php
+++ b/ajax/getKeys.php
@@ -9,10 +9,22 @@
 QUI::$Ajax->registerFunction(
 'package_quiqqer_authgoogle2fa_ajax_getKeys',
 function ($userId) {
- $AuthUser = QUI::getUsers()->get((int)$userId);
- $keys = array();
+ $Users = QUI::getUsers();
+ $SessionUser = QUI::getUserBySession();
+ $AuthUser = $Users->get((int)$userId);
- // @todo Check user edit permission of session user
+ if ($Users->isNobodyUser($SessionUser)) {
+ throw new QUI\Permissions\Exception(
+ QUI::getLocale()->get(
+ 'quiqqer/system',
+ 'exception.lib.user.no.edit.rights'
+ )
+ );
+ }
+
+ $SessionUser->checkEditPermission();
+
+ $keys = array();
 try {
 $secrets = json_decode($AuthUser->getAttribute('quiqqer.auth.google2fa.secrets'), true);
diff --git a/ajax/regenerateRecoveryKeys.php b/ajax/regenerateRecoveryKeys.php
index 71f619005eae8481b010eff45deb295ebb4700d2..01e8ebbd1e84de059e0a33469cee78264be34aba 100644
--- a/ajax/regenerateRecoveryKeys.php
+++ b/ajax/regenerateRecoveryKeys.php
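Review bot: `$keyData = array();` is removed at the top of the getKey handler but nothing in this hunk re-declares it, unlike the getKeys hunk on the same line, which re-adds `$keys = array();` after the permission check. If `$keyData` is only ever assigned as a whole inside the `try` below, that is harmless; if any path appends to it or returns it before an assignment, it now reads an undefined variable. Either restore `$keyData = array();` after `$SessionUser->checkEditPermission();` as getKeys does, or confirm the later code no longer relies on the initial value. The closure body continues past the end of the hunk.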
@@ -15,11 +15,21 @@
 QUI::$Ajax->registerFunction(
 'package_quiqqer_authgoogle2fa_ajax_regenerateRecoveryKeys',
 function ($userId, $title) {
- $AuthUser = QUI::getUsers()->get((int)$userId);
- $title = Orthos::clear($title);
- $EditUser = QUI::getUserBySession();
+ $Users = QUI::getUsers();
+ $SessionUser = QUI::getUserBySession();
+ $AuthUser = $Users->get((int)$userId);
+ $title = Orthos::clear($title);
- // @todo Check user edit permission of session user
+ if ($Users->isNobodyUser($SessionUser)) {
+ throw new QUI\Permissions\Exception(
+ QUI::getLocale()->get(
+ 'quiqqer/system',
+ 'exception.lib.user.no.edit.rights'
+ )
+ );
+ }
+
+ $SessionUser->checkEditPermission();
 try {
 $secrets = json_decode($AuthUser->getAttribute('quiqqer.auth.google2fa.secrets'), true);
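Review bot: `$EditUser = QUI::getUserBySession();` is dropped in favour of `$SessionUser`, but no hunk in this chunk updates a later use of `$EditUser`, whereas generateKey's second hunk renames `$CreateUser` at its `createUserId` site. If the rest of this file records the editing user under the old name when it rewrites the recovery keys, that reference must become `$SessionUser`, otherwise it reads an undefined variable and stores a null id. The closure body continues past the end of the hunk, so this may be covered by a part of the diff not shown here.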