Merge pull request #2287 from int2001/user_auth_fix

SecFix: Added checking for session when editing or watching profile

application/controllers/User.php

@@ -178,7 +178,7 @@ class User extends CI_Controller {
 
 	function edit() {
 		$this->load->model('user_model');
-		if((!$this->user_model->authorize(99)) && ($this->session->userdata('user_id') != $this->uri->segment(3))) { $this->session->set_flashdata('notice', 'You\'re not allowed to do that!'); redirect('dashboard'); }
+		if ( ($this->session->userdata('user_id') == '') || ((!$this->user_model->authorize(99)) && ($this->session->userdata('user_id') != $this->uri->segment(3))) ) { $this->session->set_flashdata('notice', 'You\'re not allowed to do that!'); redirect('dashboard'); }
 		$query = $this->user_model->get_by_id($this->uri->segment(3));
 
 		$this->load->model('bands');
@@ -494,6 +494,7 @@ class User extends CI_Controller {
 
 	function profile() {
 		$this->load->model('user_model');
+		if(!$this->user_model->authorize(2)) { $this->session->set_flashdata('notice', 'You\'re not allowed to do that!'); redirect('dashboard'); }
 		$query = $this->user_model->get_by_id($this->session->userdata('user_id'));
     $q = $query->row();
     $data['page_title'] = "Profile";