
Do not allow user group promotion for and to admins.

Related to #647.
1 parent 7c4ef38 commit 0de401d263a3f2740c267a3b9b85b43c8c5be48d @franzliedke franzliedke committed Mar 27, 2012
Showing with 10 additions and 5 deletions.
  1. +9 −4 admin_groups.php
  2. +1 −1 lang/English/admin_groups.php
@@ -85,7 +85,7 @@
<span><?php echo $lang_admin_groups['User title help'] ?></span>
</td>
</tr>
- <tr>
+<?php if ($group['g_id'] != PUN_ADMIN): if ($group['g_id'] != PUN_GUEST): ?> <tr>
<th scope="row"><?php echo $lang_admin_groups['Promote users label'] ?></th>
<td>
<select name="promote_next_group" tabindex="4">
@@ -94,7 +94,7 @@
foreach ($groups as $cur_group)
{
- if ($cur_group['g_id'] != $group['g_id'])
+ if ($cur_group['g_id'] != $group['g_id'] && $cur_group['g_id'] != PUN_ADMIN)
{
if ($cur_group['g_id'] == $group['g_promote_next_group'])
echo "\t\t\t\t\t\t\t\t\t\t\t".'<option value="'.$cur_group['g_id'].'" selected="selected">'.pun_htmlspecialchars($cur_group['g_title']).'</option>'."\n";
@@ -109,7 +109,7 @@
<span><?php printf($lang_admin_groups['Promote users help'], $lang_admin_groups['Disable promotion']) ?></span>
</td>
</tr>
-<?php if ($group['g_id'] != PUN_ADMIN): if ($group['g_id'] != PUN_GUEST): if ($mode != 'edit' || $pun_config['o_default_user_group'] != $group['g_id']): ?> <tr>
+<?php if ($mode != 'edit' || $pun_config['o_default_user_group'] != $group['g_id']): ?> <tr>
<th scope="row"> <?php echo $lang_admin_groups['Mod privileges label'] ?></th>
<td>
<input type="radio" name="moderator" value="1"<?php if ($group['g_moderator'] == '1') echo ' checked="checked"' ?> tabindex="5" />&#160;<strong><?php echo $lang_admin_common['Yes'] ?></strong>&#160;&#160;&#160;<input type="radio" name="moderator" value="0"<?php if ($group['g_moderator'] == '0') echo ' checked="checked"' ?> tabindex="6" />&#160;<strong><?php echo $lang_admin_common['No'] ?></strong>
@@ -276,8 +276,13 @@
$title = pun_trim($_POST['req_title']);
$user_title = pun_trim($_POST['user_title']);
+
$promote_min_posts = isset($_POST['promote_min_posts']) ? intval($_POST['promote_min_posts']) : '0';
- $promote_next_group = isset($_POST['promote_next_group']) && isset($groups[$_POST['promote_next_group']]) ? $_POST['promote_next_group'] : '0';
+ if (isset($_POST['promote_next_group']) && isset($groups[$_POST['promote_next_group']]) && !in_array($_POST['promote_next_group'], array(PUN_ADMIN, $_POST['group_id'])))
+ $promote_next_group = $_POST['promote_next_group'];
+ else
+ $promote_next_group = '0';
+
$moderator = isset($_POST['moderator']) && $_POST['moderator'] == '1' ? '1' : '0';
$mod_edit_users = $moderator == '1' && isset($_POST['mod_edit_users']) && $_POST['mod_edit_users'] == '1' ? '1' : '0';
$mod_rename_users = $moderator == '1' && isset($_POST['mod_rename_users']) && $_POST['mod_rename_users'] == '1' ? '1' : '0';
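Review bot: The new guard on the `if (isset($_POST['promote_next_group']) ...` line of the fourth hunk compares against the raw `$_POST['group_id']` rather than the validated group id the handler presumably derives earlier (outside this hunk), and it uses `in_array` in loose mode; it should compare against the already-checked integer, e.g. `!in_array($_POST['promote_next_group'], array((string) PUN_ADMIN, (string) $group_id), true)`, and in add mode `group_id` may not be posted at all, which would raise a notice and compare against null. The first and third hunks only hide the promotion row in the form for the admin and guest groups; nothing in the fourth hunk forces `$promote_next_group = '0'` when the group being saved is itself PUN_ADMIN or PUN_GUEST, so unless that is handled elsewhere in the handler the "for admins" half of the commit message is enforced client-side only and should be mirrored in the POST handling. The guard also still accepts PUN_GUEST as a promotion target even though the form no longer offers promotion for guests; whether that is intended cannot be told from the hunk and is worth a comment on the line.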
@@ -40,7 +40,7 @@
'User title label' => 'User title',
'User title help' => 'The rank users in this group have attained. Leave blank to use default title.',
'Promote users label' => 'Promote users',
-'Promote users help' => 'You can promote users to a new group automatically if they reach a certain number of posts. Select "%s" to disable.',
+'Promote users help' => 'You can promote users to a new group automatically if they reach a certain number of posts. Select "%s" to disable. For security reasons, you are not allowed to select an administrator group here.',
'Disable promotion' => 'Disable promoting',
'Mod privileges label' => 'Allow users moderator privileges',
'Mod privileges help' => 'In order for a user in this group to have moderator abilities, he/she must be assigned to moderate one or more forums. This is done via the user administration page of the user\'s profile.',
