From 4463016efeeac2c1b71f45d3813edd7a3a8c962b Mon Sep 17 00:00:00 2001
From: markjcrane
Date: Thu, 5 Nov 2015 12:25:30 -0700
Subject: [PATCH] Secure the device mac address when the user doesn't have permission to change it.

---
 app/devices/device_edit.php | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)

diff --git a/app/devices/device_edit.php b/app/devices/device_edit.php
index 12b4bfc0b2..af2231ef23 100644
--- a/app/devices/device_edit.php
+++ b/app/devices/device_edit.php
@@ -128,10 +128,25 @@ require_once "resources/require.php";
 //get http post variables and set them to php variables
 if (count($_POST) > 0) {
+ //device mac address
+ if (permission_exists('device_mac_address')) {
+ $device_mac_address = check_str($_POST["device_mac_address"]);
+ $device_mac_address = strtolower(preg_replace('#[^a-fA-F0-9./]#', '', $device_mac_address));
+ $_POST["device_mac_address"] = $device_mac_address;
+ }
+ else {
+ $orm = new orm;
+ $orm->name('devices');
+ $orm->uuid($device_uuid);
+ $result = $orm->find()->get();
+ //$message = $orm->message;
+ foreach ($result as &$row) {
+ $device_mac_address = $row["device_mac_address"];
+ $_POST["device_mac_address"] = $device_mac_address;
+ }
+ unset ($prep_statement);
+ }
 //devices
- $device_mac_address = check_str($_POST["device_mac_address"]);
- $device_mac_address = strtolower(preg_replace('#[^a-fA-F0-9./]#', '', $device_mac_address));
- $_POST["device_mac_address"] = $device_mac_address;
 $device_label = check_str($_POST["device_label"]);
 $device_vendor = check_str($_POST["device_vendor"]);
 $device_uuid_alternate = check_str($_POST["device_uuid_alternate"]);
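Review bot: The new `else` branch fails open when the lookup returns no row: if `$orm->find()->get()` yields an empty result (no `$device_uuid` yet, or a uuid that matches nothing), the `foreach` never runs and the client-supplied `$_POST["device_mac_address"]` stays in place, unfiltered, for a user who lacks the `device_mac_address` permission. Clear it before the lookup, e.g. `$device_mac_address = ''; unset($_POST["device_mac_address"]);`, so that only a value read from the database can be restored. Where `$device_uuid` is assigned is not visible in this hunk; if it comes from the request, the lookup should presumably also be limited to the caller's domain. The `foreach ($result as &$row)` reference is never released and `unset ($prep_statement)` names a variable this branch does not create, so iterate by value and drop that line. The enclosing `if (count($_POST) > 0)` block continues past the end of the hunk.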