From f191016c72d0ac71928ca8ce20f9ef9da700f9ff Mon Sep 17 00:00:00 2001
From: garvinhicking <garvinhicking>
Date: Thu, 8 Dec 2005 11:03:32 +0000
Subject: [PATCH] fix user checks
---
 docs/NEWS | 5 +++++
 include/admin/users.inc.php | 4 ++--
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/docs/NEWS b/docs/NEWS
index e2eba8a..ab175ff 100644
--- a/docs/NEWS
+++ b/docs/NEWS
@@ -3,6 +3,11 @@ Version 0.9.2 ()
 ------------------------------------------------------------------------
+ * Fix not being able to create users of the same userlevel when
+ being admin [workaround was to first create user with lower userlevel
+ and then edit the user account, which lead to propper permission
+ checks]
+
 * Include a template's "config.inc.php" also when previewing an entry, so that custom functions can be called (garvinhicking)
diff --git a/include/admin/users.inc.php b/include/admin/users.inc.php
index 67df299..5e413f7 100644
--- a/include/admin/users.inc.php
+++ b/include/admin/users.inc.php
@@ -15,7 +15,7 @@ require_once(S9Y_INCLUDE_PATH . 'include/functions_installer.inc.php');
 /* Delete a user */
 if (isset($_POST['DELETE_YES']) && serendipity_checkFormToken()) {
 $user = serendipity_fetchUsers($serendipity['POST']['user']);
- if ($user[0]['userlevel'] >= $serendipity['serendipityUserlevel'] || !serendipity_checkPermission('adminUsersDelete')) {
+ if (($serendipity['serendipityUserlevel'] < USERLEVEL_ADMIN && $user[0]['userlevel'] >= $serendipity['serendipityUserlevel']) || !serendipity_checkPermission('adminUsersDelete')) {
 echo '<div class="serendipityAdminMsgError">' . CREATE_NOT_AUTHORIZED . '</div>';
 } elseif ($_POST['userlevel'] > $serendipity['serendipityUserlevel']) {
 echo '<div class="serendipityAdminMsgError">' . CREATE_NOT_AUTHORIZED_USERLEVEL . '</div>';
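Review bot: In the delete branch, the new `$serendipity['serendipityUserlevel'] < USERLEVEL_ADMIN &&` guard skips the level comparison entirely for admin callers, leaving `serendipity_checkPermission('adminUsersDelete')` as the only gate. The old `>=` test also blocked deleting an account at the caller's own level, which included the caller's own account. Unless a check outside this hunk covers it, an admin can now delete themselves or every other admin, so an explicit self-delete or last-admin guard belongs here. The condition also reads `$user[0]['userlevel']` without confirming that `serendipity_fetchUsers()` returned a row; starting it with `empty($user[0]) ||` would reject an unknown id instead of letting it fall through. The `if` block continues past the end of the hunk, so the deletion call itself is not visible.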
@@ -36,7 +36,7 @@ if (isset($_POST['DELETE_YES']) && serendipity_checkFormToken()) {
 /* Save new user */
 if (isset($_POST['SAVE_NEW']) && serendipity_checkFormToken()) {
- if ($_POST['userlevel'] >= $serendipity['serendipityUserlevel'] || !serendipity_checkPermission('adminUsersCreateNew')) {
+ if (($serendipity['serendipityUserlevel'] < USERLEVEL_ADMIN && $_POST['userlevel'] >= $serendipity['serendipityUserlevel']) || !serendipity_checkPermission('adminUsersCreateNew')) {
 echo '<div class="serendipityAdminMsgError">' . CREATE_NOT_AUTHORIZED . '</div>';
 } else {
 $serendipity['POST']['user'] = serendipity_addAuthor($_POST['username'], $_POST['pass'], $_POST['realname'], $_POST['email'], $_POST['userlevel']);
--
2.39.5
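Review bot: The `SAVE_NEW` condition now skips the level comparison for admin callers, so `$_POST['userlevel']` reaches `serendipity_addAuthor()` with no upper bound and no integer cast. The NEWS entry states the goal as allowing users of the same level, which a cap for everyone would still meet: `if ((int)$_POST['userlevel'] > $serendipity['serendipityUserlevel'] || ($serendipity['serendipityUserlevel'] < USERLEVEL_ADMIN && (int)$_POST['userlevel'] >= $serendipity['serendipityUserlevel']) || !serendipity_checkPermission('adminUsersCreateNew')) {`. The cast matters for non-admins too, because the posted string is otherwise compared loosely against the integer level, and the same cast value should be the one passed to `serendipity_addAuthor()`. The `else` branch continues past the end of the hunk.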