enh: hide icon customization link for non-admin users and enforce admin check in web server

Sammy Ndabo 2025-10-17 17:53:01 +03:00
parent 7fc7bda548
commit 6ca5b1aeb2
2 changed files with 3 additions and 1 deletions


@ -597,7 +597,7 @@
</span>
<span id="accountCreateLoginTokenSpan" style="display:none"><a href=# onclick="return account_createLoginToken()">Create login token</a><br /></span>
<a href=# onclick="return account_showThemesSwitcher()">Switch theme</a><br />
<a href=# onclick="return showIconCustomization()">Icons Customization</a><br />
<span id="accountCustomIconsSpan" style="display:none"><a href=# onclick="return showIconCustomization()">Icons Customization</a><br /></span>
</p>
<br style=clear:both />
</div>
@ -2806,6 +2806,7 @@
QV('p2ServerActions', (siteRights & 21) && ((serverFeatures & 143) != 0));
QV('LeftMenuMyServer', (siteRights & 21) && ((serverFeatures & 64) != 0)); // 16 + 4 + 1
QV('MainMenuMyServer', siteRights & 21);
QV('accountCustomIconsSpan', (userinfo.siteadmin === 0xFFFFFFFF));
QV('p2ServerActionsBackup', (siteRights & 1) && ((serverFeatures & 1) != 0));
QV('p2ServerActionsRestore', (siteRights & 4) && ((serverFeatures & 2) != 0));
QV('p2ServerActionsVersion', (siteRights & 16) && ((serverFeatures & 4) != 0));
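Review bot: The new `QV('accountCustomIconsSpan', (userinfo.siteadmin === 0xFFFFFFFF));` line in the second hunk hard-codes the full-administrator mask and reads `userinfo.siteadmin` directly, while every neighbouring line gates on `siteRights` and the server-side check in this commit compares against the named `SITERIGHT_ADMIN`. If the literal and the server constant ever differ, the link will be shown to a user the server rejects or hidden from one it accepts, so a comment tying them together would help, e.g. `// Full site admin only (must equal SITERIGHT_ADMIN on the server); this only hides the link, the upload handler is what enforces it`. Whether `siteRights` is simply a copy of `userinfo.siteadmin` is not visible here, so it is worth confirming that the direct read is intentional. The enclosing function starts and ends outside the hunk.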


@ -4575,6 +4575,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
if ((req.session == null) || (typeof req.session.userid !== 'string')) { res.sendStatus(401); return; }
const user = obj.users[req.session.userid];
if (user == null) { res.sendStatus(401); return; }
if (user.siteadmin !== SITERIGHT_ADMIN) { res.sendStatus(401); return; }
const multiparty = require('multiparty');
const form = new multiparty.Form();