[geeklog-cvs] geeklog-1.3/public_html/admin user.php,1.46,1.46.4.1

dhaun at geeklog.net dhaun at geeklog.net
Mon Jan 19 15:08:02 EST 2004


Update of /usr/cvs/geeklog/geeklog-1.3/public_html/admin
In directory geeklog_prod:/tmp/cvs-serv8243

Modified Files:
      Tag: geeklog_1_3_7sr2_1
	user.php 
Log Message:
Don't let Group Admins assign themselves to the Root group (bug #135).


Index: user.php
===================================================================
RCS file: /usr/cvs/geeklog/geeklog-1.3/public_html/admin/user.php,v
retrieving revision 1.46
retrieving revision 1.46.4.1
diff -C2 -d -r1.46 -r1.46.4.1
*** user.php	30 Dec 2002 13:28:53 -0000	1.46
--- user.php	19 Jan 2004 20:07:59 -0000	1.46.4.1
***************
*** 9,17 ****
  // |                                                                           |
  // +---------------------------------------------------------------------------+
! // | Copyright (C) 2000,2001 by the following authors:                         |
  // |                                                                           |
! // | Authors: Tony Bibbs       - tony at tonybibbs.com                            |
! // |          Mark Limburg     - mlimburg at users.sourceforge.net                |
! // |          Jason Wittenburg - jwhitten at securitygeeks.com                    |
  // +---------------------------------------------------------------------------+
  // |                                                                           |
--- 9,17 ----
  // |                                                                           |
  // +---------------------------------------------------------------------------+
! // | Copyright (C) 2000-2004 by the following authors:                         |
  // |                                                                           |
! // | Authors: Tony Bibbs        - tony at tonybibbs.com                           |
! // |          Mark Limburg      - mlimburg at users.sourceforge.net               |
! // |          Jason Whittenburg - jwhitten at securitygeeks.com                   |
  // +---------------------------------------------------------------------------+
  // |                                                                           |
***************
*** 151,155 ****
              $selected .= DB_getItem($_TABLES['groups'],'grp_id',"grp_name='Logged-in Users'");
          }
! 		$user_templates->set_var('group_options', COM_checkList($_TABLES['groups'],'grp_id,grp_name','',$selected));
          $user_templates->parse('group_edit', 'groupedit', true);
  	} else {
--- 151,161 ----
              $selected .= DB_getItem($_TABLES['groups'],'grp_id',"grp_name='Logged-in Users'");
          }
!         $where = '';
!         if (!SEC_inGroup ('Root')) {
!             $where .= "grp_name <> 'Root'";
!         }
! 		$user_templates->set_var ('group_options',
!                 COM_checkList ($_TABLES['groups'], 'grp_id,grp_name',
!                                $where, $selected));
          $user_templates->parse('group_edit', 'groupedit', true);
  	} else {
***************
*** 236,240 ****
  		
  		// if groups is -1 then this user isn't allowed to change any groups so ignore
! 		if (is_array($groups)) {
  			if ($_USER_VERBOSE) COM_errorLog("deleting all group_assignments for user $uid/$username",1);
  			DB_query("DELETE FROM {$_TABLES['group_assignments']} WHERE ug_uid = $uid");
--- 242,255 ----
  		
  		// if groups is -1 then this user isn't allowed to change any groups so ignore
! 		if (is_array ($groups) && SEC_inGroup ('Group Admin')) {
!             if (!SEC_inGroup ('Root')) {
!                 $rootgrp = DB_getItem ($_TABLES['groups'], 'grp_id',
!                                        "grp_name = 'Root'");
!                 if (in_array ($rootgrp, $groups)) {
!                     COM_accessLog ("User {$_USER['username']} just tried to give Root permissions to user $username.");
!                     echo COM_refresh ($_CONF['site_admin_url'] . '/index.php');
!                     exit;
!                 }
!             }
  			if ($_USER_VERBOSE) COM_errorLog("deleting all group_assignments for user $uid/$username",1);
  			DB_query("DELETE FROM {$_TABLES['group_assignments']} WHERE ug_uid = $uid");
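Review bot: The new guard only blocks adding Root to the submitted group list; it does not stop a non-Root Group Admin from editing a user who is already in Root, and since the line below deletes every group_assignments row for $uid and the re-insert (outside this hunk) can only restore what the form submitted — where the Root option is hidden by the `$where` filter in the earlier hunk — such an edit would presumably strip Root from that user silently. Mirror the check that deleteUser adds in the later hunk, placed before the delete: `if (!SEC_inGroup ('Root') && SEC_inGroup ('Root', $uid)) { COM_accessLog ("User {$_USER['username']} just tried to edit Root user $username."); echo COM_refresh ($_CONF['site_admin_url'] . '/index.php'); exit; }`. This hunk also exits with `echo COM_refresh (...); exit;` while deleteUser returns the refresh to the caller; picking one convention would make the two denial paths easier to audit. The enclosing function starts and ends outside this hunk.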
***************
*** 520,523 ****
--- 535,570 ----
  }
  
+ function deleteUser ($uid)
+ {
+     global $_CONF, $_TABLES, $_USER;
+ 
+     if (!SEC_inGroup ('Root')) {
+         if (SEC_inGroup ('Root', $uid)) {
+             COM_accessLog ("User {$_USER['username']} just tried to delete Root user $uid.");
+             return COM_refresh ($_CONF['site_admin_url'] . '/user.php');
+         }
+     }
+ 
+     // Ok, delete everything related to this user
+ 
+     // first, remove from all security groups
+     DB_delete ($_TABLES['group_assignments'], 'ug_uid', $uid);
+ 
+     // remove user information and preferences
+     DB_delete ($_TABLES['userprefs'], 'uid', $uid);
+     DB_delete ($_TABLES['userindex'], 'uid', $uid);
+     DB_delete ($_TABLES['usercomment'], 'uid', $uid);
+     DB_delete ($_TABLES['userinfo'], 'uid', $uid);
+ 
+     // avoid having orphand stories/comments by making them anonymous posts
+     DB_query ("UPDATE {$_TABLES['comments']} SET uid = 1 WHERE uid = $uid");
+     DB_query ("UPDATE {$_TABLES['stories']} SET uid = 1 WHERE uid = $uid");
+ 
+     // now delete the user itself
+     DB_delete ($_TABLES['users'], 'uid', $uid);
+ 
+     return COM_refresh ($_CONF['site_admin_url'] . '/user.php?msg=22');
+ }
+ 
  // MAIN
  if (($mode == $LANG28[19]) && !empty ($LANG28[19])) { // delete
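Review bot: `$uid` is interpolated unquoted into the two UPDATE statements near the end of deleteUser (`WHERE uid = $uid`), while nothing inside the function constrains it to an integer; the caller's checks are outside this hunk, so the function should normalise its own input, e.g. `$uid = intval ($uid);` as the first statement after the `global` line. The same cast also covers the `DB_delete` calls, whose quoting of the value cannot be seen here. A short docblock saying that the function both mutates the database and returns the redirect markup from COM_refresh, which the caller must echo for the redirect to take effect, would help future call sites (the `$display .= deleteUser ($uid);` in the next hunk relies on that). Minor: the comment reads `orphand`; `orphaned`.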
***************
*** 526,542 ****
          $display .= COM_refresh ($_CONF['site_admin_url'] . '/user.php');
      } else {
!         // Ok, delete everything related to this user
! 
!         // first, remove from all security groups
!         DB_delete($_TABLES['group_assignments'],'ug_uid',$uid);
!         DB_delete($_TABLES['userprefs'],'uid',$uid);
!         DB_delete($_TABLES['userindex'],'uid',$uid);
!         DB_delete($_TABLES['usercomment'],'uid',$uid);
!         DB_delete($_TABLES['userinfo'],'uid',$uid);
! 
!         // what to do with orphan stories/comments?
! 
!         // now move delete the user itself
!         DB_delete($_TABLES['users'],'uid',$uid,$_CONF['site_admin_url'] . '/user.php?msg=22');
      }
  } else if (($mode == $LANG28[20]) && !empty ($LANG28[20])) { // save
--- 573,577 ----
          $display .= COM_refresh ($_CONF['site_admin_url'] . '/user.php');
      } else {
!         $display .= deleteUser ($uid);
      }
  } else if (($mode == $LANG28[20]) && !empty ($LANG28[20])) { // save




