From 5fbc662b36e9d01b48b9aae362f729fb1746b2a5 Mon Sep 17 00:00:00 2001
From: Jared Hancock <jared@osticket.com>
Date: Tue, 12 Nov 2013 09:57:38 -0600
Subject: [PATCH] Forbid update of email address to one of another user

Ultimately, in the user information ("contact information") form, forbid
updating a user's email address to an email address in use by another user.
Because email addresses are a unique identifier of user accounts, they
cannot be reused between different users.
---
 include/ajax.forms.php | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/include/ajax.forms.php b/include/ajax.forms.php
index a04c327a0..c196ea2b2 100644
--- a/include/ajax.forms.php
+++ b/include/ajax.forms.php
@@ -70,6 +70,18 @@ class DynamicFormsAjaxAPI extends AjaxController {
             $valid &= $cd->isValid();
         }
 
+        if ($valid) {
+            foreach ($custom_data as $cd)
+                foreach ($cd->getFields() as $f)
+                    if ($f->get('name') == 'email')
+                        $email = $f;
+            $u = User::lookup(array('emails__address'=>$email->getClean()));
+            if ($u && $u->id != $user_id) {
+                $valid = false;
+                $email->addError('Email is assigned to another user');
+            }
+        }
+
         if (!$valid) {
             include(STAFFINC_DIR . 'templates/user-info.tmpl.php');
             return;
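Review bot: `$email` is assigned only inside the nested `foreach`, so when none of the submitted forms has a field named `email`, the call `$email->getClean()` runs on an undefined variable and the request dies with a fatal error instead of a validation message. Set `$email = null;` before the loops and skip the lookup while it is still null, e.g. `if ($email && ($u = User::lookup(array('emails__address'=>$email->getClean()))) && $u->id != $user_id) {`. The uniqueness check and the later save are separate steps, so two concurrent edits could both pass it; if the address column has no unique constraint (not visible here), this guard alone does not enforce uniqueness. The enclosing method begins and ends outside the hunk, so the origin of `$user_id` and the save path cannot be confirmed from these lines.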
-- 
GitLab