[feladat @ 308]
authorpeter
Mon, 10 Nov 2008 21:07:14 +0000
changeset 195 5ac118d6556c
parent 194 df674d004508
child 196 1e24ee6c41e5
[feladat @ 308] Bugfix: when not all data was entered correctly while creating a new user, an error was displayed but the user was still created. Bugfix: a possible privilege escalation was reported by Pim Rupert; this has also been addressed.
add_user.php
edit_user.php
inc/users.inc.php
--- a/add_user.php	Fri Sep 26 10:02:33 2008 +0000
+++ b/add_user.php	Mon Nov 10 21:07:14 2008 +0000
@@ -49,16 +49,18 @@
 	echo "        <td class=\"n\">" . _('Emailaddress') . "</td>\n"; 
 	echo "        <td class=\"n\"><input type=\"text\" class=\"input\" name=\"email\" value=\"\"></td>\n";
 	echo "       </tr>\n";
-	echo "       <tr>\n";
-	echo "        <td class=\"n\">" . _('Permission template') . "</td>\n"; 
-	echo "        <td class=\"n\">\n";
-	echo "         <select name=\"perm_templ\">\n";
-	foreach (list_permission_templates() as $template) {
-		echo "          <option value=\"" . $template['id'] . "\">" . $template['name'] . "</option>\n";
+	if (verify_permission('user_edit_templ_perm')) {
+		echo "       <tr>\n";
+		echo "        <td class=\"n\">" . _('Permission template') . "</td>\n"; 
+		echo "        <td class=\"n\">\n";
+		echo "         <select name=\"perm_templ\">\n";
+		foreach (list_permission_templates() as $template) {
+			echo "          <option value=\"" . $template['id'] . "\">" . $template['name'] . "</option>\n";
+		}
+		echo "         </select>\n";
+		echo "       </td>\n";
+		echo "       </tr>\n";
 	}
-	echo "         </select>\n";
-	echo "       </td>\n";
-	echo "       </tr>\n";
 	echo "       <tr>\n";
 	echo "        <td class=\"n\">" . _('Description') . "</td>\n"; 
 	echo "        <td class=\"n\"><textarea rows=\"4\" cols=\"30\" class=\"inputarea\" name=\"descr\"></textarea></td>\n";
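Review bot: `$template['id']` and `$template['name']` are still concatenated into the `<option>` markup unescaped inside the new `if` block, so a template name containing markup would be rendered as HTML in the browser of whoever opens this form. Escaping both values for the HTML context closes that, e.g. `htmlspecialchars($template['name'], ENT_QUOTES)` for the label and the same call around `$template['id']` in the `value` attribute. The option line in the edit_user.php hunk has the same pattern. Hiding the select is presentation only; the check that actually enforces the restriction is the server-side one in inc/users.inc.php.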
--- a/edit_user.php	Fri Sep 26 10:02:33 2008 +0000
+++ b/edit_user.php	Mon Nov 10 21:07:14 2008 +0000
@@ -114,16 +114,18 @@
 		echo "        <td class=\"n\">" . _('Emailaddress') . "</td>\n"; 
 		echo "        <td class=\"n\"><input type=\"text\" class=\"input\" name=\"email\" value=\"" . $user['email'] . "\"></td>\n";
 		echo "       </tr>\n";
-		echo "       <tr>\n";
-		echo "        <td class=\"n\">" . _('Permission template') . "</td>\n"; 
-		echo "        <td class=\"n\">\n";
-		echo "         <select name=\"perm_templ\">\n";
-		foreach (list_permission_templates() as $template) {
-			($template['id'] == $user['tpl_id']) ? $select = " SELECTED" : $select = "" ;
-			echo "          <option value=\"" . $template['id'] . "\"" . $select . ">" . $template['name'] . "</option>\n";
+		if (verify_permission('user_edit_templ_perm')) {
+			echo "       <tr>\n";
+			echo "        <td class=\"n\">" . _('Permission template') . "</td>\n"; 
+			echo "        <td class=\"n\">\n";
+			echo "         <select name=\"perm_templ\">\n";
+			foreach (list_permission_templates() as $template) {
+				($template['id'] == $user['tpl_id']) ? $select = " SELECTED" : $select = "" ;
+				echo "          <option value=\"" . $template['id'] . "\"" . $select . ">" . $template['name'] . "</option>\n";
+			}
+			echo "         </select>\n";
+			echo "       </td>\n";
 		}
-		echo "         </select>\n";
-		echo "       </td>\n";
 		echo "       </tr>\n";
 		echo "       <tr>\n";
 		echo "        <td class=\"n\">" . _('Description') . "</td>\n"; 
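Review bot: The row's opening `<tr>` moved inside the `if (verify_permission('user_edit_templ_perm'))` block, but the closing `echo "       </tr>\n";` stayed after the block, so a user without the permission gets a stray `</tr>` with no matching open tag. add_user.php keeps the closing tag inside the block; moving `echo "       </tr>\n";` to just before the closing `}` here keeps the table well-formed in both cases. The surrounding form code starts and ends outside this hunk.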
--- a/inc/users.inc.php	Fri Sep 26 10:02:33 2008 +0000
+++ b/inc/users.inc.php	Mon Nov 10 21:07:14 2008 +0000
@@ -313,9 +313,11 @@
 		$query = "UPDATE users SET
 				username = " . $db->quote($user, 'text') . ",
 				fullname = " . $db->quote($fullname, 'text') . ",
-				email = " . $db->quote($email, 'text') . ",
-				perm_templ = " . $db->quote($perm_templ, 'integer') . ",
-				description = " . $db->quote($description, 'text') . ", 
+				email = " . $db->quote($email, 'text') . ",";
+		if (verify_permission('user_edit_templ_perm')) {
+			$query .= "perm_templ = " . $db->quote($perm_templ, 'integer') . ",";
+		}
+		$query .= "description = " . $db->quote($description, 'text') . ", 
 				active = " . $db->quote($active, 'integer') ;
 
 		if($password != "") {
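Review bot: When the caller lacks `user_edit_templ_perm`, the UPDATE now drops a submitted `perm_templ` with no error or log line, so an attempted template change by an unprivileged editor leaves no trace. A comment above the `if` would record why the column is conditional, e.g. `// perm_templ is writable only with user_edit_templ_perm; a submitted value is ignored otherwise (privilege-escalation fix)`, and the ignored attempt could be reported through `error()` as the other permission failures in this file are. The same gate is repeated in the INSERT hunk further down, where omitting the column leaves a new account's template to the schema default; that default is not visible here and should be confirmed to be a least-privileged template. The enclosing function starts and ends outside this hunk.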
@@ -734,29 +736,34 @@
 
 	if (!verify_permission('user_add_new')) {
 		error(ERR_PERM_ADD_USER);
-
+		return false;
 	} elseif (user_exists($details['username'])) {
 		error(ERR_USER_EXISTS);
-
+		return false;
 	} elseif (!is_valid_email($details['email'])) {
 		error(ERR_INV_EMAIL);
-	
+		return false;
 	} elseif ($details['active'] == 1) {
 		$active = 1;
 	} else {
 		$active = 0;
 	}
 
-	$query = "INSERT INTO users (username, password, fullname, email, description, perm_templ, active) VALUES ("
+	$query = "INSERT INTO users (username, password, fullname, email, description,";
+	if (verify_permission('user_edit_templ_perm')) {
+		$query .= ' perm_templ,';
+	}
+	$query .= " active) VALUES ("
 			. $db->quote($details['username'], 'text') . ", "
 			. $db->quote(md5($details['password']), 'text') . ", "
 			. $db->quote($details['fullname'], 'text') . ", "
 			. $db->quote($details['email'], 'text') . ", "
-			. $db->quote($details['descr'], 'text') . ", "
-			. $db->quote($details['perm_templ'], 'integer') . ", "
-			. $db->quote($active, 'integer') 
+			. $db->quote($details['descr'], 'text') . ", ";
+	if (verify_permission('user_edit_templ_perm')) {
+		$query .= $db->quote($details['perm_templ'], 'integer') . ", ";
+	}
+	$query .= $db->quote($active, 'integer') 
 			. ")";
-
 	$response = $db->query($query);
 	if (PEAR::isError($response)) { error($response->getMessage()); return false; }