Changeset 29074 for trunk/include


Timestamp:
Jul 25, 2014, 11:10:49 AM (10 years ago)
Author:
plg
Message:

bug 3104: fewer rights for admins (compared to webmaster). Now an admin can't:

  • delete a webmaster
  • give webmaster/admin status to any user
  • change status of a webmaster/admin
File:
1 edited

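--- a/trunk/include/ws_functions/pwg.users.php
+++ b/trunk/include/ws_functions/pwg.users.php
@@ -326,23 +326,37 @@
   include_once(PHPWG_ROOT_PATH.'admin/include/functions.php');
 
+  $protected_users = array(
+    $user['id'],
+    $conf['guest_id'],
+    $conf['default_user_id'],
+    $conf['webmaster_id'],
+    );
+
+  // an admin can't delete other admin/webmaster
+  if ('admin' == $user['status'])
+  {
+    $query = '
+SELECT
+    user_id
+  FROM '.USER_INFOS_TABLE.'
+  WHERE status IN (\'webmaster\', \'admin\')
+;';
+    $protected_users = array_merge($protected_users, query2array($query, null, 'user_id'));
+  }
+
   // protect some users
-  $params['user_id'] = array_diff(
-    $params['user_id'],
-    array(
-      $user['id'],
-      $conf['guest_id'],
-      $conf['default_user_id'],
-      $conf['webmaster_id'],
-      )
-    );
-
+  $params['user_id'] = array_diff($params['user_id'], $protected_users);
+
+  $counter = 0;
+
   foreach ($params['user_id'] as $user_id)
   {
     delete_user($user_id);
+    $counter++;
   }
 
   return l10n_dec(
     '%d user deleted', '%d users deleted',
-    count($params['user_id'])
+    $counter
     );
 }
@@ -419,23 +433,35 @@
   if (!empty($params['status']))
   {
-    if ( $params['status'] == 'webmaster' and !is_webmaster() )
-    {
-      return new PwgError(403, 'Only webmasters can grant "webmaster" status');
-    }
+    if (in_array($params['status'], array('webmaster', 'admin')) and !is_webmaster() )
+    {
+      return new PwgError(403, 'Only webmasters can grant "webmaster/admin" status');
+    }
+   
     if ( !in_array($params['status'], array('guest','generic','normal','admin','webmaster')) )
     {
       return new PwgError(WS_ERR_INVALID_PARAM, 'Invalid status');
+    }
+
+    $protected_users = array(
+      $user['id'],
+      $conf['guest_id'],
+      $conf['webmaster_id'],
+      );
+
+    // an admin can't change status of other admin/webmaster
+    if ('admin' == $user['status'])
+    {
+      $query = '
+SELECT
+    user_id
+  FROM '.USER_INFOS_TABLE.'
+  WHERE status IN (\'webmaster\', \'admin\')
+;';
+      $protected_users = array_merge($protected_users, query2array($query, null, 'user_id'));
     }
 
     // status update query is separated from the rest as not applying to the same
     // set of users (current, guest and webmaster can't be changed)
-    $params['user_id_for_status'] = array_diff(
-      $params['user_id'],
-      array(
-        $user['id'],
-        $conf['guest_id'],
-        $conf['webmaster_id'],
-        )
-      );
+    $params['user_id_for_status'] = array_diff($params['user_id'], $protected_users);
 
     $update_status = $params['status'];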
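Review bot: The privilege check added at new line 435, `in_array($params['status'], array('webmaster', 'admin'))`, and the validity check at line 440 both use loose comparison; pass the strict flag, `in_array($params['status'], array('webmaster', 'admin'), true)`, so that only the literal strings match and a truthy non-string value cannot slip past the role gate. The `SELECT user_id FROM USER_INFOS_TABLE WHERE status IN ('webmaster','admin')` query and the surrounding `if ('admin' == $user['status'])` block are duplicated in both hunks (new lines 336-345 and 451-460); moving them into one helper that returns the protected ids keeps the delete rule and the status-change rule from drifting apart. Both hunks also drop protected ids silently through `array_diff`, so an admin who submits a webmaster id gets a success count that quietly omits it, while the status-grant path at line 435 returns a 403; reporting refused ids the same way, or at least stating it in the comment, e.g. `// protected ids are silently skipped, not rejected`, would make the behaviour auditable. Only `user_id_for_status` is filtered here, so the other updates in this function, outside the hunk, presumably still apply to the unfiltered `$params['user_id']`; confirm that an admin is meant to keep editing a webmaster's remaining attributes. Both enclosing functions start outside their hunks.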