From aa30770ea36d5887094f18f88ff3c07456436183 Mon Sep 17 00:00:00 2001
From: Tushar Shekokar
Date: Thu, 1 Sep 2022 15:07:29 +0530
Subject: [PATCH] Task #187778 chore: Fix security issue on plugin users

---
 src/users/user.php | 23 ++++++++++++++++-------
 1 file changed, 16 insertions(+), 7 deletions(-)

diff --git a/src/users/user.php b/src/users/user.php
index 50bacf7..1a606b8 100644
--- a/src/users/user.php
+++ b/src/users/user.php
@@ -11,6 +11,9 @@
 // No direct access.
 defined('_JEXEC') or die('Restricted access');
 
+use Joomla\CMS\Factory;
+use Joomla\CMS\Language\Text;
+
 /**
  * User Api.
  * Creates a new user, updates an existing user and gets data of an user
@@ -156,9 +159,17 @@ public function post()
  */
 public function get()
 {
- $input = JFactory::getApplication()->input;
- $id = $input->get('id', 0, 'int');
- $xidentifier = $input->server->get('HTTP_X_IDENTIFIER', '', 'String');
+ $input = Factory::getApplication()->input;
+ $id = $input->get('id', 0, 'int');
+ $xidentifier = $input->server->get('HTTP_X_IDENTIFIER', '', 'String');
+ $user = Factory::getUser();
+
+ if (!$user->authorise('core.admin') && $id != $user->id)
+ {
+ ApiError::raiseError(400, Text::_('JERROR_ALERTNOAUTHOR'));
+
+ return;
+ }
 
 /*
  * If we have an id try to fetch the user
@@ -171,7 +182,7 @@ public function get()
 
 if (! $user->id)
 {
- ApiError::raiseError(400, JText::_('PLG_API_USERS_USER_NOT_FOUND_MESSAGE'));
+ ApiError::raiseError(400, Text::_('PLG_API_USERS_USER_NOT_FOUND_MESSAGE'));
 
 return;
 }
@@ -180,11 +191,9 @@ public function get()
 }
 else
 {
- $user = JFactory::getUser();
-
 if ($user->guest)
 {
- ApiError::raiseError(400, JText::_('JERROR_ALERTNOAUTHOR'));
+ ApiError::raiseError(400, Text::_('JERROR_ALERTNOAUTHOR'));
 }
 
 $this->plugin->setResponse($user);
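Review bot: The new authorisation guard in `get()` compares with a loose `$id != $user->id`; `$id` is filtered as 'int' while `$user->id` may be a numeric string on the Joomla user object, so `(int) $user->id !== $id` would state the intent explicitly and avoid loose-comparison surprises. That guard correctly returns after `ApiError::raiseError`, but the pre-existing guest check in the last hunk (`if ($user->guest)`) still does not, so `$this->plugin->setResponse($user)` is reached for an unauthenticated caller unless `raiseError` itself ends the request — adding `return;` after that call would make the two refusal paths consistent, which is worth confirming since the guest case is the one the commit is hardening. A 400 for an authorisation failure is also unusual (403 would be the conventional status), though that matches the file's existing usage. The body of `get()` continues between and after these hunks, outside the patch.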