#11791 Prevent any user from changing another user's notification settings in AJAX

pandora_console/include/ajax/notifications.ajax.php

@@ -38,6 +38,10 @@ if ($change_label === '1') {
     $source = get_parameter('source', 0);
     $user = get_parameter('user', '');
     $value = get_parameter('value', 0) ? 1 : 0;
+    $user_info = get_user_info($config['id_user']);
+    if ((bool) $user_info['is_admin'] === false && $config['id_user'] !== $user) {
+        return false;
+    }
 
     // Update the label value.
     ob_clean();

pandora_console/include/functions_notifications.php

@@ -661,7 +661,8 @@ function notifications_set_user_label_status($source, $user, $label, $value)
 {
     global $config;
 
-    if ((bool) check_acl($config['id_user'], 0, 'PM') === false && $config['id_user'] !== $user) {
+    $user_info = get_user_info($config['id_user']);
+    if ((bool) $user_info['is_admin'] === false && $config['id_user'] !== $user) {
         return false;
     }