From adc439496804ab9eb405e18d8a5e74d340e055eb Mon Sep 17 00:00:00 2001
From: Sebastian Reichel
Date: Wed, 18 Jul 2018 23:54:49 +0200
Subject: web: don't allow non-logged in person to view guest account
---
 src/web/web.vala | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/web/web.vala b/src/web/web.vala
index 8934763..dbfcb54 100644
--- a/src/web/web.vala
+++ b/src/web/web.vala
@@ -336,7 +336,7 @@ public class WebServer {
 try {
 var session = new WebSession(server, msg, path, query, client);
- if(id != session.user && !(session.superuser || session.auth_users)) {
+ if(id == 0 || id != session.user && !(session.superuser || session.auth_users)) {
 handler_403(server, msg, path, query, client);
 return;
 }
-- 
cgit v1.2.3
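Review bot: The new `id == 0 ||` term in the 403 guard rejects the guest id for every caller, including sessions with `session.superuser` or `session.auth_users` set, which is broader than the subject line's "non-logged in person"; if that is intended, a comment such as `// id 0 is the guest account: never viewable, not even by superusers` above the condition would make it explicit. The underlying cause appears to be that an unauthenticated session's `session.user` is also 0 and therefore passed the `id != session.user` comparison; this is inferred, not visible in the hunk, so any other handler that authorises by comparing an id with `session.user` deserves the same look. The condition also mixes `||` and `&&` without grouping, and `if(id == 0 || (id != session.user && !(session.superuser || session.auth_users))) {` states the intended precedence outright. The enclosing method starts and ends outside the hunk.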