From 90dd01c8bbdc53611eb89825a5514b7b9b78a78b Mon Sep 17 00:00:00 2001
From: Heiko Weber
Date: Mon, 4 Jul 2022 15:48:28 +0200
Subject: [PATCH] hijack action should only granted on active users because hijacking / login is not possible on inactive accounts.
---
 .../behaviour/accesscontrol/hijackaccount.access.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/contributions/usermanagement.hijackaccount/behaviour/accesscontrol/hijackaccount.access.php b/contributions/usermanagement.hijackaccount/behaviour/accesscontrol/hijackaccount.access.php
index e7eea251..d3d6aab8 100644
--- a/contributions/usermanagement.hijackaccount/behaviour/accesscontrol/hijackaccount.access.php
+++ b/contributions/usermanagement.hijackaccount/behaviour/accesscontrol/hijackaccount.access.php
@@ -26,7 +26,7 @@ protected function do_is_allowed_for_user($action, $item, $user, $params = false
 switch ($action) {
 case 'hijack':
 // Admins are allowed to hijack
- $ret = $this->to_result($user->has_role(USER_ROLE_ADMIN));
+ $ret = $this->to_result($user->has_role(USER_ROLE_ADMIN) && $item->is_active());
 break;
 }
 return $ret;
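Review bot: The new `$item->is_active()` call in the `hijack` case dereferences `$item` with no visible check that it is a user object, so for an admin caller a null or foreign item would raise an error instead of returning a clean denial. The start of `do_is_allowed_for_user` is outside the hunk, so an earlier guard may already cover this; if not, a type check on `$item` before the call would make the rule fail closed. The comment above the line is also stale now that the decision depends on the target account, and could read `// Admins may hijack, but only active accounts (inactive ones cannot log in)`. Because this method only answers the permission question, it is worth confirming that the code path performing the hijack applies the same active-account condition rather than relying on this check alone.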