From bf58209d7dd6cc0f53c2c4b34115dfec9574cfb8 Mon Sep 17 00:00:00 2001
From: plegall <plg@piwigo.org>
Date: Fri, 25 Jul 2014 09:10:49 +0000
Subject: bug 3104: less rights for admins (compared to webmaster). Now an
 admin can't:

* delete a webmaster
* give webmaster/admin status to any user
* change status of a webmaster/admin


git-svn-id: http://piwigo.org/svn/trunk@29074 68402e56-0260-453c-a942-63ccdbb3a9ee
---
 admin/user_list.php | 29 ++++++++++++++++++++++++-----
 1 file changed, 24 insertions(+), 5 deletions(-)

(limited to 'admin/user_list.php')

diff --git a/admin/user_list.php b/admin/user_list.php
index cda20a002..d9f85b6bd 100644
--- a/admin/user_list.php
+++ b/admin/user_list.php
@@ -99,6 +99,18 @@ $protected_users = array(
   $conf['webmaster_id'],
   );
 
+// an admin can't delete other admin/webmaster
+if ('admin' == $user['status'])
+{
+  $query = '
+SELECT
+    user_id
+  FROM '.USER_INFOS_TABLE.'
+  WHERE status IN (\'webmaster\', \'admin\')
+;';
+  $protected_users = array_merge($protected_users, query2array($query, null, 'user_id'));
+}
+
 $template->assign(
   array(
     'PWG_TOKEN' => get_pwg_token(),
@@ -117,12 +129,19 @@ $template->assign(
 // Status options
 foreach (get_enums(USER_INFOS_TABLE, 'status') as $status)
 {
-  // Only status <= can be assign
-  if (is_autorize_status(get_access_type_status($status)))
-  {
-    $pref_status_options[$status] = l10n('user_status_'.$status);
-  }
+  $label_of_status[$status] = l10n('user_status_'.$status);
 }
+
+$pref_status_options = $label_of_status;
+
+// a simple "admin" can set/remove statuses webmaster/admin
+if ('admin' == $user['status'])
+{
+  unset($pref_status_options['webmaster']);
+  unset($pref_status_options['admin']);
+}
+
+$template->assign('label_of_status', $label_of_status);
 $template->assign('pref_status_options', $pref_status_options);
 $template->assign('pref_status_selected', 'normal');
 
-- 
cgit v1.2.3