
Added some missing permission checks

thorsten committed Jan 29, 2012
1 parent 012d389 commit 9b31ae1eef69c3f9b25855ee906e496af9217d56
Showing with 24 additions and 8 deletions.
  1. +24 −8 phpmyfaq/admin/user.php
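--- a/phpmyfaq/admin/user.php
+++ b/phpmyfaq/admin/user.php
@@ -20,7 +20,7 @@
 * @author Uwe Pries <uwe.pries@digartis.de>
 * @author Sarah Hermann <sayh@gmx.de>
 * @author Thorsten Rinne <thorsten@phpmyfaq.de>
- * @copyright 2005-2011 phpMyFAQ Team
+ * @copyright 2005-2012 phpMyFAQ Team
 * @license http://www.mozilla.org/MPL/MPL-1.1.html Mozilla Public License Version 1.1
 * @link http://www.phpmyfaq.de
 * @since 2005-12-15
@@ -50,7 +50,7 @@
 }
 // update user rights
- if ($userAction == 'update_rights') {
+ if ($userAction == 'update_rights' && $permission['edituser']) {
 $message = '';
 $userAction = $defaultUserAction;
 $userId = PMF_Filter::filterInput(INPUT_POST, 'user_id', FILTER_VALIDATE_INT, 0);
@@ -74,10 +74,12 @@
 $PMF_LANG['ad_msg_savedsuc_2']);
 $message .= '<script type="text/javascript">updateUser('.$userId.');</script>';
 }
+ } else {
+ print $PMF_LANG['err_NotAuth'];
 }
 // update user data
- if ($userAction == 'update_data') {
+ if ($userAction == 'update_data' && $permission['edituser']) {
 $message = '';
 $userAction = $defaultUserAction;
 $userId = PMF_Filter::filterInput(INPUT_POST, 'user_id', FILTER_VALIDATE_INT, 0);
@@ -127,10 +129,12 @@
 $message .= '<script type="text/javascript">updateUser('.$userId.');</script>';
 }
 }
+ } else {
+ print $PMF_LANG['err_NotAuth'];
 }
 // delete user confirmation
- if ($userAction == 'delete_confirm') {
+ if ($userAction == 'delete_confirm' && $permission['deluser']) {
 $message = '';
 $user = new PMF_User_CurrentUser();
@@ -161,10 +165,12 @@
 <?php
 }
 }
+ } else {
+ print $PMF_LANG['err_NotAuth'];
 }
 // delete user
- if ($userAction == 'delete') {
+ if ($userAction == 'delete' && $permission['deluser']) {
 $message = '';
 $user = new PMF_User();
 $userId = PMF_Filter::filterInput(INPUT_POST, 'user_id', FILTER_VALIDATE_INT, 0);
@@ -200,10 +206,12 @@
 $message .= sprintf('<p class="error">%s</p>', $userError);
 }
 }
+ } else {
+ print $PMF_LANG['err_NotAuth'];
 }
 // save new user
- if ($userAction == 'addsave') {
+ if ($userAction == 'addsave' && $permission['adduser']) {
 $user = new PMF_User();
 $message = '';
 $messages = array();
@@ -271,14 +279,16 @@
 }
 $message .= '</p>';
 }
+ } else {
+ print $PMF_LANG['err_NotAuth'];
 }
 if (!isset($message)) {
 $message = '';
 }
 // show new user form
- if ($userAction == 'add') {
+ if ($userAction == 'add' && $permission['adduser']) {
 ?>
 <header>
 <h2><?php print $PMF_LANG["ad_adus_adduser"]; ?></h2>
@@ -331,6 +341,8 @@
 </form>
 </div> <!-- end #user_create -->
 <?php
+ } else {
+ print $PMF_LANG['err_NotAuth'];
 }
 // show list of users
@@ -409,7 +421,9 @@ function(data) {
 </fieldset>
 <p>
 [ <a href="?action=user&amp;user_action=add"><?php print $PMF_LANG["ad_user_add"]; ?></a> ]<br/>
+ <?php if ($permission['edituser']): ?>
 [ <a href="?action=user&amp;user_action=listallusers"><?php print $PMF_LANG['list_all_users']; ?></a> ]
+ <?php endif; ?>
 </p>
 </div> <!-- end #userList -->
 </div> <!-- end #userAccounts -->
@@ -474,7 +488,7 @@ function(data) {
 }
 // show list of all users
- if ($userAction == 'listallusers') {
+ if ($userAction == 'listallusers' && $permission['edituser']) {
 ?>
 <header>
 <h2><?php print $PMF_LANG['ad_user']; ?></h2>
@@ -542,6 +556,8 @@ function(response) {
 /* ]]> */
 </script>
 <?php
+ } else {
+ print $PMF_LANG['err_NotAuth'];
 }
 } else {
 print $PMF_LANG['err_NotAuth'];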
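Review bot: Each new `} else { print $PMF_LANG['err_NotAuth']; }` is attached to the compound test `$userAction == '…' && $permission['…']`, so the "not authorized" message is printed whenever the action simply is not the one that block handles — on any single request, every one of the seven action blocks whose action does not match emits the message, even for a caller holding every right, and processing then continues as if nothing happened. The permission test should be nested inside the action test so the message appears only when that action is actually requested without the matching right; the same restructuring applies to update_rights, update_data, delete_confirm, delete, addsave, add and listallusers. For consistency with the `listallusers` link, the `add` link in the user list could also be wrapped in `<?php if ($permission['adduser']): ?> … <?php endif; ?>`, although the server-side check on `addsave` is what actually enforces it. The `} else {` on the last line of the section closes an enclosing `if` whose start is outside this diff, so the outer authorization gate cannot be reviewed here.
```php
// update user rights
if ($userAction == 'update_rights') {
    if ($permission['edituser']) {
        $message = '';
        $userAction = $defaultUserAction;
        // … unchanged: read user_id, apply the rights, build $message …
    } else {
        print $PMF_LANG['err_NotAuth'];
    }
}
// … same pattern for update_data, delete_confirm, delete, addsave, add and listallusers …
```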

6 comments on commit 9b31ae1

Contributor

jason102178 replied Jan 29, 2012

I wanted to let you know that I applied this and it causes a small problem: when you go to edit a user's permissions, it adds this to the top of the page
https://www.jaysonberger.com/image1.JPG

and if i undo the fix the issue goes away.

Owner

thorsten replied Jan 29, 2012

Which permissions does this user have?

Contributor

jason102178 replied Jan 29, 2012

well i went to edit a user which i have full permission then i went and acted like i was going to edit your user account on my FAQ which you have full permission also

Owner

thorsten replied Jan 29, 2012

Right, I see the issue, I'll fix it

Contributor

jason102178 replied Jan 29, 2012

It also adds the same message when I go to view all users
https://www.jaysonberger.com/image%202.JPG

Contributor

jason102178 replied Jan 29, 2012

oh ok
