From 1513ff53a3112df7d62eb4d88b479dd0041bae3c Mon Sep 17 00:00:00 2001
From: Bartek Fabiszewski
Date: Thu, 24 Aug 2017 11:05:00 +0200
Subject: [PATCH] Fix client API: only admin can add users
---
 client/index.php | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/client/index.php b/client/index.php
index ca815de..6975052 100644
--- a/client/index.php
+++ b/client/index.php
@@ -42,6 +42,10 @@ switch ($action) {
 // action: adduser (currently unused)
 case "adduser":
+ if (!$user->isAdmin) {
+ setError($response, "User not authorized");
+ break;
+ }
 $login = isset($_REQUEST['login']) ? $_REQUEST['login'] : NULL;
 $pass = isset($_REQUEST['password']) ? $_REQUEST['password'] : NULL;
 if (!empty($login) && !empty($pass)) {
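Review bot: The new `isAdmin` guard in the `adduser` case is the only control on account creation, yet the lines right after it still read `login` and `password` from `$_REQUEST`, so the action accepts query-string parameters. If the session behind `$user` is cookie-based, that leaves an admin's session exposed to cross-site request forgery, and a password sent in the URL ends up in server access logs. Assuming the client already sends POST, I would read the request body only: `$login = isset($_POST['login']) ? $_POST['login'] : NULL;`, and the same for `password`. Where `$user` is populated is not visible here, so it is worth confirming that every path into this `switch` has authenticated first; the `switch` body begins and ends outside the hunk. Because the comment marks the action as currently unused, disabling it until a caller exists would also reduce exposure.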