authorSteve Beaver <sbeaver@netgate.com>2018-09-17 16:22:34 -0400
committerSteve Beaver <sbeaver@netgate.com>2018-09-18 14:27:32 -0400
commitda266efdbcddadbccbefce3b62ea2783496463b2 (patch)
tree7bf1fdd428cafcc30e93d0aca93db78f729b46c3
parentb1aa39323e02d93ae8fa0b0de2f8afe3ed325534 (diff)
downloadpfsense-da266efdbcddadbccbefce3b62ea2783496463b2.zip
pfsense-da266efdbcddadbccbefce3b62ea2783496463b2.tar.gz
Don't allow deletion when spoofing another userkey
(cherry picked from commit 3fd4f32c344573addea1dbb44dddef63b0e793e3)
-rw-r--r--src/usr/local/www/services_acb.php10
1 files changed, 5 insertions, 5 deletions
diff --git a/src/usr/local/www/services_acb.php b/src/usr/local/www/services_acb.php
index b8732e3..c1ed112 100644
--- a/src/usr/local/www/services_acb.php
+++ b/src/usr/local/www/services_acb.php
@@ -31,10 +31,6 @@ $legacy = false;
if (isset($_REQUEST['legacy'])) {
$legacy = true;
-} else {
- if (isset($_REQUEST['userkey'] )) {
- $userkey = $_REQUEST['userkey'];
- }
}
// Encryption password
@@ -537,7 +533,11 @@ if (!$legacy) {
<td>
<a class="fa fa-undo" title="<?=gettext('Restore this revision')?>" href="services_acb.php?hostname=<?=urlencode($hostname)?>&userkey=<?=urlencode($userkey)?>&newver=<?=urlencode($cv['time'])?><?=($legacy ? "&legacy=true":"")?>" onclick="return confirm('<?=gettext("Are you sure you want to restore {$cv['localtime']}?")?>')"></a>
<a class="fa fa-download" title="<?=gettext('Show info')?>" href="services_acb.php?download=<?=urlencode($cv['time'])?>&hostname=<?=urlencode($hostname)?>&userkey=<?=urlencode($userkey)?>&reason=<?=urlencode($cv['reason'])?><?=($legacy ? "&legacy=true":"")?> "></a>
- <a class="fa fa-trash" title="<?=gettext('Delete config')?>" href="services_acb.php?hostname=<?=urlencode($hostname)?>&userkey=<?=urlencode($userkey)?>&rmver=<?=urlencode($cv['time'])?><?=($legacy ? "&legacy=true":"")?>"></a>
+<?php
+ if ($userkey == $origkey) {
+?>
+ <a class="fa fa-trash" title="<?=gettext('Delete config')?>" href="services_acb.php?hostname=<?=urlencode($hostname)?>&rmver=<?=urlencode($cv['time'])?><?=($legacy ? "&legacy=true":"")?>"></a>
+<?php } ?>
</td>
</tr>
<?php $counter++;
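Review bot: The new `if ($userkey == $origkey)` guard around the delete icon uses loose comparison; when both keys are numeric-looking strings PHP compares them as numbers, so two distinct keys such as `1e3` and `1000` would satisfy it. Use `if ($userkey === $origkey) {` (or `hash_equals($origkey, $userkey)` if these are hash strings). Note that the guard only hides the link in the listing: the `rmver` handler that actually performs the deletion lies outside this hunk and must enforce the same owner check itself, since a hand-built `services_acb.php?rmver=...&userkey=...` request never sees this HTML; the first hunk's removal of the request-sourced `$userkey` suggests that is the intent, but a comment above the guard, e.g. `// Only offer deletion for backups made under this device's own key; listings for a spoofed userkey are read-only.`, would make it explicit. The enclosing table loop starts and ends outside this hunk, so where `$origkey` is assigned is not visible here.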