diff --git a/src/Umbraco.Web/umbraco.presentation/umbraco/users/EditUser.aspx.cs b/src/Umbraco.Web/umbraco.presentation/umbraco/users/EditUser.aspx.cs
index cdafda1c0a..1901515fdf 100644
--- a/src/Umbraco.Web/umbraco.presentation/umbraco/users/EditUser.aspx.cs
+++ b/src/Umbraco.Web/umbraco.presentation/umbraco/users/EditUser.aspx.cs
@@ -11,6 +11,7 @@
 using Umbraco.Core.Configuration;
 using Umbraco.Core.Logging;
 using umbraco.BasePages;
 using umbraco.BusinessLogic;
+using umbraco.businesslogic.Exceptions;
 using umbraco.cms.businesslogic.media;
 using umbraco.cms.businesslogic.propertytype;
 using umbraco.cms.businesslogic.web;
@@ -63,16 +64,23 @@ namespace umbraco.cms.presentation.user
 protected void Page_Load(object sender, EventArgs e)
 {
+ //if the current user is not an admin they cannot edit a user at all
+ if (CurrentUser.IsAdmin() == false)
+ {
+ throw new UserAuthorizationException("Access denied");
+ }
 int UID = int.Parse(Request.QueryString["id"]);
 u = BusinessLogic.User.GetUser(UID);
- // do initial check for edit rights
+ //the true admin can only edit the true admin
 if (u.Id == 0 && CurrentUser.Id != 0)
 {
 throw new Exception("Only the root user can edit the 'root' user (id:0)");
 }
- else if (u.IsAdmin() && !CurrentUser.IsAdmin())
+
+ //only another admin can edit another admin (who is not the true admin)
+ if (u.IsAdmin() && CurrentUser.IsAdmin() == false)
 {
 throw new Exception("Admin users can only be edited by admins");
 }
@@ -342,6 +350,8 @@ namespace umbraco.cms.presentation.user
 protected override void OnInit(EventArgs e)
 {
+ base.OnInit(e);
+
 //lapps.SelectionMode = ListSelectionMode.Multiple;
 lapps.RepeatLayout = RepeatLayout.Flow;
 lapps.RepeatDirection = RepeatDirection.Vertical;
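Review bot: With the new admin gate at the top of Page_Load, the later check `if (u.IsAdmin() && CurrentUser.IsAdmin() == false)` can no longer be true, because any non-admin caller has already thrown `UserAuthorizationException`; either remove it or replace it with a comment stating that the top gate already covers this case, so readers do not assume it is a live control. The root-user check just above it still throws a plain `Exception` while the new gate throws `UserAuthorizationException`, so the two denial paths will be handled differently by whatever catches them; `throw new UserAuthorizationException("Only the root user can edit the 'root' user (id:0)");` would keep the authorization failures uniform. `int.Parse(Request.QueryString["id"])` and the `u.Id` dereference that follows remain unguarded: a missing or non-numeric id throws a FormatException or ArgumentNullException rather than a clean denial, and if `GetUser` returns null for an unknown id (not visible here) the next line is a NullReferenceException, so an `int.TryParse` guard and a null check on `u` before the authorization checks would be safer. Page_Load's body continues past the end of the hunk.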