From a0c51c652443cfb53ebd7b48f5e1c918d65f0fb8 Mon Sep 17 00:00:00 2001
From: einhornimmond
Date: Wed, 24 Mar 2021 17:56:28 +0100
Subject: [PATCH] fix bug with access rights

---
 login_server/src/cpp/JSONInterface/JsonGetUserInfos.cpp | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/login_server/src/cpp/JSONInterface/JsonGetUserInfos.cpp b/login_server/src/cpp/JSONInterface/JsonGetUserInfos.cpp
index 3a4b5d105..5b426782a 100644
--- a/login_server/src/cpp/JSONInterface/JsonGetUserInfos.cpp
+++ b/login_server/src/cpp/JSONInterface/JsonGetUserInfos.cpp
@@ -77,11 +77,12 @@ Poco::JSON::Object* JsonGetUserInfos::handle(Poco::Dynamic::Var params)
 auto session_user = session->getNewUser();
 auto session_user_model = session_user->getModel();
 bool isAdmin = false;
+bool emailBelongToUser = false;
 if (model::table::ROLE_ADMIN == session_user_model->getRole()) {
 isAdmin = true;
 }
-if (session_user_model->getEmail() != email && !isAdmin) {
-return customStateError("not same", "email don't belong to logged in user");
+if (session_user_model->getEmail() == email) {
+emailBelongToUser = true;
 }
 
 auto user = controller::User::create();
@@ -102,7 +103,7 @@ Poco::JSON::Object* JsonGetUserInfos::handle(Poco::Dynamic::Var params)
 std::string parameterString;
 try {
 parameter.convert(parameterString);
-if (parameterString == "EmailVerificationCode.Register" && isAdmin && session_user_model->getEmail() != user_model->getEmail()) {
+if (parameterString == "EmailVerificationCode.Register" && isAdmin && !emailBelongToUser) {
 auto code = readOrCreateEmailVerificationCode(user_model->getID(), model::table::EMAIL_OPT_IN_REGISTER_DIRECT);
 if (code) {
 jsonUser.set("EmailVerificationCode.Register", std::to_string(code));
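Review bot: Dropping the early `return customStateError("not same", "email don't belong to logged in user");` in the hunk at +77 removes the only request-wide authorization check visible in this patch and replaces it with a flag, so a logged-in non-admin who passes another account's email now continues into the per-field branches instead of being rejected. In the visible hunks only the `EmailVerificationCode.Register` branch (+103) and the `user.email_checked` branch (+124) consult `emailBelongToUser`; neighbouring branches such as `user.disabled` and `user.identHash` are served regardless of whose email was asked for, which reads as an information-disclosure regression unless those fields are meant to be public. If they are not, keep one gate ahead of the lookup, `if (!isAdmin && !emailBelongToUser) { return customStateError("not same", "email don't belong to logged in user"); }`, and otherwise add a comment above the branch chain listing which fields are intentionally readable by any authenticated user. The lines between the hunks are outside this view, so a later check may exist; `handle` begins and ends outside this hunk. The flag name reads better as `emailBelongsToUser`.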
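Review bot: The rewritten condition at +103 now compares the session user's email with the request parameter `email` (through `emailBelongToUser`), whereas the removed line compared it with `user_model->getEmail()`; the two are equivalent only if `user` is loaded by exactly that string with identical case and whitespace handling, which the hunk does not show. If the lookup normalizes addresses, an admin querying their own account under a different spelling would be treated as "not the same user" and a registration code would be emitted for it. Either compare against `user_model->getEmail()` as before, or record the assumption next to the flag: `// emailBelongToUser stands in for user_model->getEmail() == session email; relies on user being loaded by this exact email string`. `handle` begins and ends outside this hunk.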
@@ -123,7 +124,7 @@ Poco::JSON::Object* JsonGetUserInfos::handle(Poco::Dynamic::Var params)
 else if (parameterString == "user.disabled") {
 jsonUser.set("disabled", user_model->isDisabled());
 }
-else if (parameterString == "user.email_checked") {
+else if (parameterString == "user.email_checked" && (isAdmin || emailBelongToUser)) {
 jsonUser.set("email_checked", user_model->isEmailChecked());
 }
 else if (parameterString == "user.identHash") {