fixes #419, an admin can't change webmaster password

admin/themes/default/template/user_list.tpl

@@ -28,6 +28,7 @@ var selection = [{$selection}];
 var pwg_token = "{$PWG_TOKEN}";
 
 var protectedUsers = [{$protected_users}];
+var passwordProtectedUsers = [{$password_protected_users}];
 var guestUser = {$guest_user};
 
 var truefalse = {
@@ -247,6 +248,7 @@ jQuery(document).ready(function() {
           
           user.isGuest = (parseInt(userId) == guestUser);
           user.isProtected = (protectedUsers.indexOf(parseInt(userId)) != -1);
+          user.isPasswordProtected = (passwordProtectedUsers.indexOf(parseInt(userId)) != -1);
           
           user.registeredOn_string = sprintf(
             registeredOn_pattern,
@@ -1051,7 +1053,7 @@ span.infos, span.errors {background-image:none; padding:2px 5px; margin:0;border
 <script type="text/template" class="userDetails">
 <form>
   <div class="userActions">
-<% if (!user.isGuest) { %>
+<% if (!user.isPasswordProtected) { %>
     <span class="changePasswordDone infos" style="display:none">&#x2714; {'Password updated'|translate}</span>
     <span class="changePassword" style="display:none">{'New password'|translate} <input type="text"> <a href="#" class="buttonLike updatePassword"><img src="themes/default/images/ajax-loader-small.gif" style="margin-bottom:-1px;margin-left:1px;display:none;"><span class="text">{'Submit'|translate}</span></a> <a href="#" class="cancel">{'Cancel'|translate}</a></span>
     <a class="icon-key changePasswordOpen" href="#">{'Change password'|translate}</a>

admin/user_list.php

@@ -100,6 +100,8 @@ $protected_users = array(
   $conf['webmaster_id'],
   );
 
+$password_protected_users = array($conf['guest_id']);
+
 // an admin can't delete other admin/webmaster
 if ('admin' == $user['status'])
 {
@@ -109,7 +111,12 @@ SELECT
   FROM '.USER_INFOS_TABLE.'
   WHERE status IN (\'webmaster\', \'admin\')
 ;';
-  $protected_users = array_merge($protected_users, query2array($query, null, 'user_id'));
+  $admin_ids = query2array($query, null, 'user_id');
+  
+  $protected_users = array_merge($protected_users, $admin_ids);
+
+  // we add all admin+webmaster users BUT the user herself
+  $password_protected_users = array_merge($password_protected_users, array_diff($admin_ids, array($user['id'])));
 }
 
 $template->assign(
@@ -123,6 +130,7 @@ $template->assign(
     'language_selected' => get_default_language(),
     'association_options' => $groups,
     'protected_users' => implode(',', array_unique($protected_users)),
+    'password_protected_users' => implode(',', array_unique($password_protected_users)),
     'guest_user' => $conf['guest_id'],
     )
   );
@@ -135,7 +143,7 @@ foreach (get_enums(USER_INFOS_TABLE, 'status') as $status)
 
 $pref_status_options = $label_of_status;
 
-// a simple "admin" can set/remove statuses webmaster/admin
+// a simple "admin" can't set/remove statuses webmaster/admin
 if ('admin' == $user['status'])
 {
   unset($pref_status_options['webmaster']);

include/ws_functions/pwg.users.php

@@ -426,6 +426,27 @@ function ws_users_setInfo($params, &$service)
 
     if (!empty($params['password']))
     {
+      if (!is_webmaster())
+      {
+        $password_protected_users = array($conf['guest_id']);
+
+        $query = '
+SELECT
+    user_id
+  FROM '.USER_INFOS_TABLE.'
+  WHERE status IN (\'webmaster\', \'admin\')
+;';
+        $admin_ids = query2array($query, null, 'user_id');
+
+        // we add all admin+webmaster users BUT the user herself
+        $password_protected_users = array_merge($password_protected_users, array_diff($admin_ids, array($user['id'])));
+
+        if (in_array($params['user_id'][0], $password_protected_users))
+        {
+          return new PwgError(403, 'Only webmasters can change password of other "webmaster/admin" users');
+        }
+      }
+
       $updates[ $conf['user_fields']['password'] ] = $conf['password_hash']($params['password']);
     }
   }