From e17f3e94289b2dac7187e8039e1a3429779e273c Mon Sep 17 00:00:00 2001
From: Bozhidar Slaveykov
Date: Wed, 19 Jan 2022 11:40:09 +0200
Subject: [PATCH] fix secure issue with user data export
---
 src/MicroweberPackages/User/helpers/api_user.php | 2 +-
 src/MicroweberPackages/User/routes/api.php | 11 +++++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/src/MicroweberPackages/User/helpers/api_user.php b/src/MicroweberPackages/User/helpers/api_user.php
index ad6bb9572b3..ca47ef10216 100644
--- a/src/MicroweberPackages/User/helpers/api_user.php
+++ b/src/MicroweberPackages/User/helpers/api_user.php
@@ -65,7 +65,7 @@ api_expose_admin('users/search_authors', function ($params = false) {
- $return = array();
+ $return = array();
 $kw = false;
 if (isset($params['kw'])) {
diff --git a/src/MicroweberPackages/User/routes/api.php b/src/MicroweberPackages/User/routes/api.php
index 9e5495a7483..26ee8243628 100644
--- a/src/MicroweberPackages/User/routes/api.php
+++ b/src/MicroweberPackages/User/routes/api.php
@@ -17,6 +17,17 @@
 $userId = (int) $request->all()['user_id'];
+ $allowToExport = false;
+ if ($userId == user_id()) {
+ $allowToExport = true;
+ } else if (is_admin()) {
+ $allowToExport = true;
+ }
+
+ if ($allowToExport == false) {
+ return array('error' => 'You are now allowed to export this information.');
+ }
+
 $exportFromTables = [];
 $prefix = mw()->database_manager->get_prefix();
 $tablesList = mw()->database_manager->get_tables_list(true);
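Review bot: The new guard `if ($userId == user_id()) {` in routes/api.php uses loose comparison, so if `user_id()` reports an unauthenticated session as `false`, `0` or `null` (its return value is not visible in this hunk), a request whose `user_id` is missing or non-numeric — which the preceding `(int)` cast turns into `0` — compares equal and is allowed through without being the owner or an admin. Require a positive id and a strict match, and collapse the two branches into one boolean: `$allowToExport = ($userId > 0 && $userId === (int) user_id()) || is_admin();` followed by `if (!$allowToExport) {`. The error string on the `return array('error' => ...)` line says the opposite of what it means — `'You are now allowed to export this information.'` should read `'You are not allowed to export this information.'`. The enclosing route closure starts before and continues after this hunk, so the export logic that this check protects is not visible here.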