From f191016c72d0ac71928ca8ce20f9ef9da700f9ff Mon Sep 17 00:00:00 2001
From: garvinhicking <garvinhicking>
Date: Thu, 8 Dec 2005 11:03:32 +0000
Subject: [PATCH] fix user checks

---
 docs/NEWS                   | 5 +++++
 include/admin/users.inc.php | 4 ++--
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/docs/NEWS b/docs/NEWS
index e2eba8a..ab175ff 100644
--- a/docs/NEWS
+++ b/docs/NEWS
@@ -3,6 +3,11 @@
 Version 0.9.2 ()
 ------------------------------------------------------------------------
 
+   * Fix not being able to create users of the same userlevel when
+     being admin [workaround was to first create user with lower userlevel
+     and then edit the user account, which lead to propper permission 
+     checks]
+
    * Include a template's "config.inc.php" also when previewing an entry,
      so that custom functions can be called (garvinhicking)
 
diff --git a/include/admin/users.inc.php b/include/admin/users.inc.php
index 67df299..5e413f7 100644
--- a/include/admin/users.inc.php
+++ b/include/admin/users.inc.php
@@ -15,7 +15,7 @@ require_once(S9Y_INCLUDE_PATH . 'include/functions_installer.inc.php');
 /* Delete a user */
 if (isset($_POST['DELETE_YES']) && serendipity_checkFormToken()) {
     $user = serendipity_fetchUsers($serendipity['POST']['user']);
-    if ($user[0]['userlevel'] >= $serendipity['serendipityUserlevel'] || !serendipity_checkPermission('adminUsersDelete')) {
+    if (($serendipity['serendipityUserlevel'] < USERLEVEL_ADMIN && $user[0]['userlevel'] >= $serendipity['serendipityUserlevel']) || !serendipity_checkPermission('adminUsersDelete')) {
         echo '<div class="serendipityAdminMsgError">' . CREATE_NOT_AUTHORIZED . '</div>';
     } elseif ($_POST['userlevel'] > $serendipity['serendipityUserlevel']) {
         echo '<div class="serendipityAdminMsgError">' . CREATE_NOT_AUTHORIZED_USERLEVEL . '</div>';
@@ -36,7 +36,7 @@ if (isset($_POST['DELETE_YES']) && serendipity_checkFormToken()) {
 
 /* Save new user */
 if (isset($_POST['SAVE_NEW']) && serendipity_checkFormToken()) {
-    if ($_POST['userlevel'] >= $serendipity['serendipityUserlevel'] || !serendipity_checkPermission('adminUsersCreateNew')) {
+    if (($serendipity['serendipityUserlevel'] < USERLEVEL_ADMIN && $_POST['userlevel'] >= $serendipity['serendipityUserlevel']) || !serendipity_checkPermission('adminUsersCreateNew')) {
         echo '<div class="serendipityAdminMsgError">' . CREATE_NOT_AUTHORIZED . '</div>';
     } else {
         $serendipity['POST']['user'] = serendipity_addAuthor($_POST['username'], $_POST['pass'], $_POST['realname'], $_POST['email'], $_POST['userlevel']);
-- 
2.39.5