When using ac-admin/index.php?page=profile users can change their username as well as their password. Unfortunately no check appears to be made to see if the new username already exists. If a user changes his name to that of an existing user then he will only have access to calendars belonging to the lower numbered user ID.
As a workaround I've added a "readonly" attribute to the username input field in line 29 of ac-admin/profile.admin.php.
- Code: Select all
<td><input readonly type="text" name="mod[username]" value="'.$row["username"].'" style="width:99%;" class="validate[\'required\',\'length[0,100]\'] text-input"></td>
Ideally it would be better if the script checked for duplicate usernames before attempting to modify the user's profile.
