From 9a8ab050cb6dab5142d9085dd14d899bcfd1cf87 Mon Sep 17 00:00:00 2001
From: int2001
Date: Fri, 14 Jul 2023 11:00:39 +0000
Subject: [PATCH] SecFix: Added checking for session when editing or watching profile
---
 application/controllers/User.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/application/controllers/User.php b/application/controllers/User.php
index 69f43a89..e713146c 100644
--- a/application/controllers/User.php
+++ b/application/controllers/User.php
@@ -178,7 +178,7 @@ class User extends CI_Controller {
 function edit() {
 $this->load->model('user_model');
- if((!$this->user_model->authorize(99)) && ($this->session->userdata('user_id') != $this->uri->segment(3))) { $this->session->set_flashdata('notice', 'You\'re not allowed to do that!'); redirect('dashboard'); }
+ if ( ($this->session->userdata('user_id') == '') || ((!$this->user_model->authorize(99)) && ($this->session->userdata('user_id') != $this->uri->segment(3))) ) { $this->session->set_flashdata('notice', 'You\'re not allowed to do that!'); redirect('dashboard'); }
 $query = $this->user_model->get_by_id($this->uri->segment(3));
 $this->load->model('bands');
@@ -494,6 +494,7 @@ class User extends CI_Controller {
 function profile() {
 $this->load->model('user_model');
+ if(!$this->user_model->authorize(2)) { $this->session->set_flashdata('notice', 'You\'re not allowed to do that!'); redirect('dashboard'); }
 $query = $this->user_model->get_by_id($this->session->userdata('user_id'));
 $q = $query->row();
 $data['page_title'] = "Profile";
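Review bot: The new guard in edit() decides "logged in" with the loose test `$this->session->userdata('user_id') == ''`, while the second hunk in profile() gates the same condition through `$this->user_model->authorize(2)`, so the two entry points now define an authenticated caller differently. Unless edit() is meant to admit sessions that authorize(2) would reject, replacing the empty-string test with `!$this->user_model->authorize(2)` keeps the login check in one place and drops the `==` coercion that the current test depends on (a missing key yields null, and `null == ''` is what makes it fire). Both guards also rely on `redirect('dashboard')` ending the request before `get_by_id()` runs; the CodeIgniter 3 url helper does exit there, but a short comment such as `// redirect() exits: nothing below runs for unauthenticated callers` would make that dependency explicit to the next maintainer. The whole condition plus its two statements on one line is hard to audit; splitting it across lines like the surrounding statements would help. edit()'s body continues beyond the hunk.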