From e31a38b08b4230d3743e62eefc66a95d097e4929 Mon Sep 17 00:00:00 2001
From: miguel angel rasteu
Date: Mon, 4 Sep 2023 12:50:23 +0200
Subject: [PATCH 1/2] #11791 Prevent any user from changing another user's notification settings

---
 pandora_console/include/functions_notifications.php | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/pandora_console/include/functions_notifications.php b/pandora_console/include/functions_notifications.php
index 60a8e6bce0..eb16d5ebc0 100644
--- a/pandora_console/include/functions_notifications.php
+++ b/pandora_console/include/functions_notifications.php
@@ -653,7 +653,14 @@ function notifications_get_user_label_status($source, $user, $label)
  */
 function notifications_set_user_label_status($source, $user, $label, $value)
 {
+    global $config;
+
+    if ((bool) check_acl($config['id_user'], 0, 'PM') === false && $config['id_user'] !== $user) {
+        return false;
+    }
+
     $source_info = notifications_get_all_sources(['id' => $source]);
+
     if (!isset($source_info[0])
         || !$source_info[0]['enabled']
         || !$source_info[0]['user_editable']

From 748238a7ea8da8a814db373d4e1e3536ab6c83af Mon Sep 17 00:00:00 2001
From: miguel angel rasteu
Date: Fri, 10 Nov 2023 10:03:13 +0100
Subject: [PATCH 2/2] #11791 Prevent any user from changing another user's notification settings in AJAX

---
 pandora_console/include/ajax/notifications.ajax.php | 4 ++++
 pandora_console/include/functions_notifications.php | 3 ++-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/pandora_console/include/ajax/notifications.ajax.php b/pandora_console/include/ajax/notifications.ajax.php
index 36ea95900d..a69ad1b56e 100644
--- a/pandora_console/include/ajax/notifications.ajax.php
+++ b/pandora_console/include/ajax/notifications.ajax.php
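Review bot: The denied cross-user write on the new `if` returns `false` exactly like the pre-existing "source disabled or not user_editable" path below it, so a caller cannot tell an authorization failure from a no-op, and nothing about the attempt is recorded. Since this is the branch that catches someone trying to edit another account's settings, I would log the `$config['id_user']` / `$user` pair through whatever audit or log helper the console already uses before the `return false;`, and a short comment on the guard such as `// Only admins may change another user's label status; fail closed otherwise.` would make the intent obvious to the next reader. The strict `!==` is the right choice here as long as both sides are strings, which the hunk does not show for `$user`. The function body continues past the end of the hunk.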
@@ -38,6 +38,10 @@ if ($change_label === '1') {
     $source = get_parameter('source', 0);
     $user = get_parameter('user', '');
     $value = get_parameter('value', 0) ? 1 : 0; + $user_info = get_user_info($config['id_user']); + if ((bool) $user_info['is_admin'] === false && $config['id_user'] !== $user) { + return false; + } // Update the label value.
     ob_clean();
diff --git a/pandora_console/include/functions_notifications.php b/pandora_console/include/functions_notifications.php
index ea29c2c98a..4838f3c954 100644
--- a/pandora_console/include/functions_notifications.php
+++ b/pandora_console/include/functions_notifications.php
@@ -661,7 +661,8 @@ function notifications_set_user_label_status($source, $user, $label, $value)
 {
     global $config;
 
-    if ((bool) check_acl($config['id_user'], 0, 'PM') === false && $config['id_user'] !== $user) {
+    $user_info = get_user_info($config['id_user']);
+    if ((bool) $user_info['is_admin'] === false && $config['id_user'] !== $user) {
         return false;
     }
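Review bot: The new `return false;` in the `is_admin` guard runs at file scope of an included AJAX script, so as far as this hunk shows the request ends with an empty body and the default 200 status, and a client (or a tester) cannot tell the denial from a successful toggle that printed nothing. I would set an explicit status before bailing, `http_response_code(403); return;`, or use whatever error-response helper the other AJAX handlers in this console use, so the refusal is visible on the wire and in access logs. The hunk also reads `$user_info['is_admin']` without checking that `get_user_info()` returned an array; if it returns `false` for an unknown id (inferred, not shown here) the index emits a warning, though `(bool) null === false` still denies. The enclosing `if ($change_label === '1')` block continues outside the hunk.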
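Review bot: The replacement check indexes `$user_info['is_admin']` straight from `get_user_info()`; if that helper yields `false` for a missing or deleted id (not visible in the hunk, so presumed), the expression raises a warning and relies on `(bool) null === false` to deny. `if ((bool) ($user_info['is_admin'] ?? false) === false && $config['id_user'] !== $user) {` keeps the same fail-closed decision without the warning and documents that the missing key is treated as "not admin". Note that the required right changes from the `PM` ACL to the `is_admin` flag, so a user with PM on a profile but not flagged as admin loses the ability to edit others' settings; that is a reasonable tightening but worth stating in the commit message. The function starts and ends outside the hunk.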