webui: Disabled editing device notes for non-admin users (#5341)

2024-10-07 16:52:45 +00:00 · 2017-01-08 13:05:37 +00:00
parent 1e655c4e03
commit 36e1cc82f6
2 changed files with 29 additions and 11 deletions
--- a/html/includes/forms/update-notes.inc.php
+++ b/html/includes/forms/update-notes.inc.php
@@ -17,16 +17,20 @@ $message   = 'unknown error';
 $device_id = mres($_POST['device_id']);
 $notes = $_POST['notes'];

-if (isset($notes) && (dbUpdate(array('notes' => $notes), 'devices', 'device_id = ?', array($device_id)))) {
+if (is_admin() === false) {
+    $message = 'Only admin accounts can update notes';
+} elseif (isset($notes) && (dbUpdate(array('notes' => $notes), 'devices', 'device_id = ?', array($device_id)))) {
    $status  = 'ok';
    $message = 'Updated';
 } else {
    $status  = 'error';
    $message = 'ERROR: Could not update';
 }
-die(json_encode(array(
-    'status'       => $status,
-    'message'      => $message,
-    'notes'        => $notes,
-    'device_id'    => $device_id
-)));
+echo _json_encode(
+    array(
+        'status'       => $status,
+        'message'      => $message,
+        'notes'        => $notes,
+        'device_id'    => $device_id,
+    )
+);