authorplegall <plg@piwigo.org>2016-02-12 14:56:00 +0100
committerplegall <plg@piwigo.org>2016-02-12 14:56:00 +0100
commit6290be46f2307e8b47937af153dcf2b66bba2e4e (patch)
tree8e7d9e167e090ffb36f1aa09d85c3596780e5109
parent718fe065f7cd342b8f5e3fb069aec63138d5b3e8 (diff)
fixes #419, an admin can't change webmaster password
-rw-r--r--admin/themes/default/template/user_list.tpl4
-rw-r--r--admin/user_list.php12
-rw-r--r--include/ws_functions/pwg.users.php21
3 files changed, 34 insertions, 3 deletions
diff --git a/admin/themes/default/template/user_list.tpl b/admin/themes/default/template/user_list.tpl
index 54b8b936e..dedf59cf6 100644
--- a/admin/themes/default/template/user_list.tpl
+++ b/admin/themes/default/template/user_list.tpl
@@ -28,6 +28,7 @@ var selection = [{$selection}];
var pwg_token = "{$PWG_TOKEN}";
var protectedUsers = [{$protected_users}];
+var passwordProtectedUsers = [{$password_protected_users}];
var guestUser = {$guest_user};
var truefalse = {
@@ -247,6 +248,7 @@ jQuery(document).ready(function() {
user.isGuest = (parseInt(userId) == guestUser);
user.isProtected = (protectedUsers.indexOf(parseInt(userId)) != -1);
+ user.isPasswordProtected = (passwordProtectedUsers.indexOf(parseInt(userId)) != -1);
user.registeredOn_string = sprintf(
registeredOn_pattern,
@@ -1051,7 +1053,7 @@ span.infos, span.errors {background-image:none; padding:2px 5px; margin:0;border
<script type="text/template" class="userDetails">
<form>
<div class="userActions">
-<% if (!user.isGuest) { %>
+<% if (!user.isPasswordProtected) { %>
<span class="changePasswordDone infos" style="display:none">&#x2714; {'Password updated'|translate}</span>
<span class="changePassword" style="display:none">{'New password'|translate} <input type="text"> <a href="#" class="buttonLike updatePassword"><img src="themes/default/images/ajax-loader-small.gif" style="margin-bottom:-1px;margin-left:1px;display:none;"><span class="text">{'Submit'|translate}</span></a> <a href="#" class="cancel">{'Cancel'|translate}</a></span>
<a class="icon-key changePasswordOpen" href="#">{'Change password'|translate}</a>
diff --git a/admin/user_list.php b/admin/user_list.php
index 183f771f7..6a7a0a2e8 100644
--- a/admin/user_list.php
+++ b/admin/user_list.php
@@ -100,6 +100,8 @@ $protected_users = array(
$conf['webmaster_id'],
);
+$password_protected_users = array($conf['guest_id']);
+
// an admin can't delete other admin/webmaster
if ('admin' == $user['status'])
{
@@ -109,7 +111,12 @@ SELECT
FROM '.USER_INFOS_TABLE.'
WHERE status IN (\'webmaster\', \'admin\')
;';
- $protected_users = array_merge($protected_users, query2array($query, null, 'user_id'));
+ $admin_ids = query2array($query, null, 'user_id');
+
+ $protected_users = array_merge($protected_users, $admin_ids);
+
+ // we add all admin+webmaster users BUT the user herself
+ $password_protected_users = array_merge($password_protected_users, array_diff($admin_ids, array($user['id'])));
}
$template->assign(
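Review bot: The `$admin_ids` query and the `array_diff($admin_ids, array($user['id']))` step added here are repeated verbatim in the block added to ws_users_setInfo in include/ws_functions/pwg.users.php, and the two lists have to stay identical: this one only decides which users the template hides the password control for, while the web-service copy is the check that actually enforces it, so a later change to one is likely to miss the other. Move the query plus the exclusion into a single shared helper (a proposed name, e.g. `get_password_protected_user_ids()`, placed wherever the admin user functions live) and call it from both places. `array_diff` compares values as strings, so the int `$user['id']` and the string `user_id` column values match as intended; the enclosing `if ('admin' == $user['status'])` opens before the hunk.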
@@ -123,6 +130,7 @@ $template->assign(
'language_selected' => get_default_language(),
'association_options' => $groups,
'protected_users' => implode(',', array_unique($protected_users)),
+ 'password_protected_users' => implode(',', array_unique($password_protected_users)),
'guest_user' => $conf['guest_id'],
)
);
@@ -135,7 +143,7 @@ foreach (get_enums(USER_INFOS_TABLE, 'status') as $status)
$pref_status_options = $label_of_status;
-// a simple "admin" can set/remove statuses webmaster/admin
+// a simple "admin" can't set/remove statuses webmaster/admin
if ('admin' == $user['status'])
{
unset($pref_status_options['webmaster']);
diff --git a/include/ws_functions/pwg.users.php b/include/ws_functions/pwg.users.php
index d878bcb31..f8fe51c2a 100644
--- a/include/ws_functions/pwg.users.php
+++ b/include/ws_functions/pwg.users.php
@@ -426,6 +426,27 @@ function ws_users_setInfo($params, &$service)
if (!empty($params['password']))
{
+ if (!is_webmaster())
+ {
+ $password_protected_users = array($conf['guest_id']);
+
+ $query = '
+SELECT
+ user_id
+ FROM '.USER_INFOS_TABLE.'
+ WHERE status IN (\'webmaster\', \'admin\')
+;';
+ $admin_ids = query2array($query, null, 'user_id');
+
+ // we add all admin+webmaster users BUT the user herself
+ $password_protected_users = array_merge($password_protected_users, array_diff($admin_ids, array($user['id'])));
+
+ if (in_array($params['user_id'][0], $password_protected_users))
+ {
+ return new PwgError(403, 'Only webmasters can change password of other "webmaster/admin" users');
+ }
+ }
+
$updates[ $conf['user_fields']['password'] ] = $conf['password_hash']($params['password']);
}
}
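Review bot: The new guard `if (in_array($params['user_id'][0], $password_protected_users))` inspects only the first requested id, while the `$updates` entry on the following line is presumably applied to every id in `$params['user_id']` (the `[0]` suggests the parameter is an array), so if more than one id can be submitted together with a password, a protected id in any later position is never checked. Either refuse a password change when more than one id is given, or check each one: `foreach ($params['user_id'] as $target_id) { if (in_array($target_id, $password_protected_users)) { return new PwgError(403, 'Only webmasters can change password of other "webmaster/admin" users'); } }`. Pass `true` as the third argument of `in_array` after normalising both sides to int, since the ids from query2array are likely strings while `$conf['guest_id']` is likely an int, and loose comparison is a known source of surprises. `$user['id']` is read for the first time in this function here; ws_users_setInfo begins outside the hunk, so confirm it declares `global $user` — otherwise `array_diff` removes nothing and an admin can no longer change their own password. The error code 403 and the message are fine, but the message should also mention the guest account, which this list includes via `$conf['guest_id']`.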