Added some missing permission checks
thorsten committed Jan 29, 2012
1 parent 012d389 commit 9b31ae1
Showing 1 changed file with 24 additions and 8 deletions.
32 changes: 24 additions & 8 deletions phpmyfaq/admin/user.php
Expand Up @@ -20,7 +20,7 @@
* @author Uwe Pries <uwe.pries@digartis.de> * @author Uwe Pries <uwe.pries@digartis.de>
* @author Sarah Hermann <sayh@gmx.de> * @author Sarah Hermann <sayh@gmx.de>
* @author Thorsten Rinne <thorsten@phpmyfaq.de> * @author Thorsten Rinne <thorsten@phpmyfaq.de>
* @copyright 2005-2011 phpMyFAQ Team * @copyright 2005-2012 phpMyFAQ Team
* @license http://www.mozilla.org/MPL/MPL-1.1.html Mozilla Public License Version 1.1 * @license http://www.mozilla.org/MPL/MPL-1.1.html Mozilla Public License Version 1.1
* @link http://www.phpmyfaq.de * @link http://www.phpmyfaq.de
* @since 2005-12-15 * @since 2005-12-15
Expand Down Expand Up @@ -50,7 +50,7 @@
} }


// update user rights // update user rights
if ($userAction == 'update_rights') { if ($userAction == 'update_rights' && $permission['edituser']) {
$message = ''; $message = '';
$userAction = $defaultUserAction; $userAction = $defaultUserAction;
$userId = PMF_Filter::filterInput(INPUT_POST, 'user_id', FILTER_VALIDATE_INT, 0); $userId = PMF_Filter::filterInput(INPUT_POST, 'user_id', FILTER_VALIDATE_INT, 0);
Expand All @@ -74,10 +74,12 @@
$PMF_LANG['ad_msg_savedsuc_2']); $PMF_LANG['ad_msg_savedsuc_2']);
$message .= '<script type="text/javascript">updateUser('.$userId.');</script>'; $message .= '<script type="text/javascript">updateUser('.$userId.');</script>';
} }
} else {
print $PMF_LANG['err_NotAuth'];
} }


// update user data // update user data
if ($userAction == 'update_data') { if ($userAction == 'update_data' && $permission['edituser']) {
$message = ''; $message = '';
$userAction = $defaultUserAction; $userAction = $defaultUserAction;
$userId = PMF_Filter::filterInput(INPUT_POST, 'user_id', FILTER_VALIDATE_INT, 0); $userId = PMF_Filter::filterInput(INPUT_POST, 'user_id', FILTER_VALIDATE_INT, 0);
Expand Down Expand Up @@ -127,10 +129,12 @@
$message .= '<script type="text/javascript">updateUser('.$userId.');</script>'; $message .= '<script type="text/javascript">updateUser('.$userId.');</script>';
} }
} }
} else {
print $PMF_LANG['err_NotAuth'];
} }


// delete user confirmation // delete user confirmation
if ($userAction == 'delete_confirm') { if ($userAction == 'delete_confirm' && $permission['deluser']) {
$message = ''; $message = '';
$user = new PMF_User_CurrentUser(); $user = new PMF_User_CurrentUser();


Expand Down Expand Up @@ -161,10 +165,12 @@
<?php <?php
} }
} }
} else {
print $PMF_LANG['err_NotAuth'];
} }


// delete user // delete user
if ($userAction == 'delete') { if ($userAction == 'delete' && $permission['deluser']) {
$message = ''; $message = '';
$user = new PMF_User(); $user = new PMF_User();
$userId = PMF_Filter::filterInput(INPUT_POST, 'user_id', FILTER_VALIDATE_INT, 0); $userId = PMF_Filter::filterInput(INPUT_POST, 'user_id', FILTER_VALIDATE_INT, 0);
Expand Down Expand Up @@ -200,10 +206,12 @@
$message .= sprintf('<p class="error">%s</p>', $userError); $message .= sprintf('<p class="error">%s</p>', $userError);
} }
} }
} else {
print $PMF_LANG['err_NotAuth'];
} }


// save new user // save new user
if ($userAction == 'addsave') { if ($userAction == 'addsave' && $permission['adduser']) {
$user = new PMF_User(); $user = new PMF_User();
$message = ''; $message = '';
$messages = array(); $messages = array();
Expand Down Expand Up @@ -271,14 +279,16 @@
} }
$message .= '</p>'; $message .= '</p>';
} }
} else {
print $PMF_LANG['err_NotAuth'];
} }


if (!isset($message)) { if (!isset($message)) {
$message = ''; $message = '';
} }


// show new user form // show new user form
if ($userAction == 'add') { if ($userAction == 'add' && $permission['adduser']) {
?> ?>
<header> <header>
<h2><?php print $PMF_LANG["ad_adus_adduser"]; ?></h2> <h2><?php print $PMF_LANG["ad_adus_adduser"]; ?></h2>
Expand Down Expand Up @@ -331,6 +341,8 @@
</form> </form>
</div> <!-- end #user_create --> </div> <!-- end #user_create -->
<?php <?php
} else {
print $PMF_LANG['err_NotAuth'];
} }


// show list of users // show list of users
Expand Down Expand Up @@ -409,7 +421,9 @@ function(data) {
</fieldset> </fieldset>
<p> <p>
[ <a href="?action=user&amp;user_action=add"><?php print $PMF_LANG["ad_user_add"]; ?></a> ]<br/> [ <a href="?action=user&amp;user_action=add"><?php print $PMF_LANG["ad_user_add"]; ?></a> ]<br/>
<?php if ($permission['edituser']): ?>
[ <a href="?action=user&amp;user_action=listallusers"><?php print $PMF_LANG['list_all_users']; ?></a> ] [ <a href="?action=user&amp;user_action=listallusers"><?php print $PMF_LANG['list_all_users']; ?></a> ]
<?php endif; ?>
</p> </p>
</div> <!-- end #userList --> </div> <!-- end #userList -->
</div> <!-- end #userAccounts --> </div> <!-- end #userAccounts -->
Expand Down Expand Up @@ -474,7 +488,7 @@ function(data) {
} }


// show list of all users // show list of all users
if ($userAction == 'listallusers') { if ($userAction == 'listallusers' && $permission['edituser']) {
?> ?>
<header> <header>
<h2><?php print $PMF_LANG['ad_user']; ?></h2> <h2><?php print $PMF_LANG['ad_user']; ?></h2>
Expand Down Expand Up @@ -542,6 +556,8 @@ function(response) {
/* ]]> */ /* ]]> */
</script> </script>
<?php <?php
} else {
print $PMF_LANG['err_NotAuth'];
} }
} else { } else {
print $PMF_LANG['err_NotAuth']; print $PMF_LANG['err_NotAuth'];
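Review bot: The `else` added after each action block is bound to the whole combined condition (e.g. `$userAction == 'update_rights' && $permission['edituser']` in the -50 hunk), so it also fires whenever the request is simply for a different action; a single request to this page now prints `err_NotAuth` once per non-matching branch, even for a fully authorized user, and the same shape repeats in the -74, -127, -161, -200, -271 and -331 hunks and in the listallusers block above. Only a failed permission check should produce the message, which a guarded `elseif` gives: `} elseif ($userAction == 'update_rights') {` / `print $PMF_LANG['err_NotAuth'];` / `}` — and likewise for the other actions with their respective permission keys. The denied branches also fall through into the rest of the page rather than stopping, so whether later blocks should still run for a denied request cannot be told from the hunk and is worth a comment. For consistency with the gated `listallusers` link in the -409 hunk, the unconditional `user_action=add` link directly above it could be wrapped in `<?php if ($permission['adduser']): ?>` as well, though the server-side check on the `add` action already enforces it. The enclosing `if`/`else` whose `else` is visible at the end of this hunk begins outside the hunk.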

2 comments on commit 9b31ae1

@thorsten
Owner Author


Which permissions does this user have?

@thorsten
Owner Author


Right, I see the issue, I'll fix it
