author | plegall <plg@piwigo.org> | 2016-02-12 14:56:00 +0100 |
---|---|---|
committer | plegall <plg@piwigo.org> | 2016-02-12 14:56:00 +0100 |
commit | 6290be46f2307e8b47937af153dcf2b66bba2e4e (patch) | |
tree | 8e7d9e167e090ffb36f1aa09d85c3596780e5109 | |
parent | 718fe065f7cd342b8f5e3fb069aec63138d5b3e8 (diff) |
fixes #419, an admin can't change webmaster password
-rw-r--r-- | admin/themes/default/template/user_list.tpl | 4 | ||||
-rw-r--r-- | admin/user_list.php | 12 | ||||
-rw-r--r-- | include/ws_functions/pwg.users.php | 21 |
3 files changed, 34 insertions, 3 deletions
diff --git a/admin/themes/default/template/user_list.tpl b/admin/themes/default/template/user_list.tpl
index 54b8b936e..dedf59cf6 100644
--- a/admin/themes/default/template/user_list.tpl
+++ b/admin/themes/default/template/user_list.tpl
@@ -28,6 +28,7 @@ var selection = [{$selection}];
 var pwg_token = "{$PWG_TOKEN}";
 var protectedUsers = [{$protected_users}];
+var passwordProtectedUsers = [{$password_protected_users}];
 var guestUser = {$guest_user};
 var truefalse = {
@@ -247,6 +248,7 @@ jQuery(document).ready(function() {
 user.isGuest = (parseInt(userId) == guestUser);
 user.isProtected = (protectedUsers.indexOf(parseInt(userId)) != -1);
+ user.isPasswordProtected = (passwordProtectedUsers.indexOf(parseInt(userId)) != -1);
 user.registeredOn_string = sprintf(
 registeredOn_pattern,
@@ -1051,7 +1053,7 @@ span.infos, span.errors {background-image:none; padding:2px 5px; margin:0;border
 <script type="text/template" class="userDetails">
 <form>
 <div class="userActions">
-<% if (!user.isGuest) { %>
+<% if (!user.isPasswordProtected) { %>
 <span class="changePasswordDone infos" style="display:none">✔ {'Password updated'|translate}</span>
 <span class="changePassword" style="display:none">{'New password'|translate} <input type="text"> <a href="#" class="buttonLike updatePassword"><img src="themes/default/images/ajax-loader-small.gif" style="margin-bottom:-1px;margin-left:1px;display:none;"><span class="text">{'Submit'|translate}</span></a> <a href="#" class="cancel">{'Cancel'|translate}</a></span>
 <a class="icon-key changePasswordOpen" href="#">{'Change password'|translate}</a>
diff --git a/admin/user_list.php b/admin/user_list.php
index 183f771f7..6a7a0a2e8 100644
--- a/admin/user_list.php
+++ b/admin/user_list.php
@@ -100,6 +100,8 @@ $protected_users = array(
 $conf['webmaster_id'],
 );
+$password_protected_users = array($conf['guest_id']);
+
 // an admin can't delete other admin/webmaster
 if ('admin' == $user['status'])
 {
@@ -109,7 +111,12 @@ SELECT
 FROM '.USER_INFOS_TABLE.'
 WHERE status IN (\'webmaster\', \'admin\')
 ;';
- $protected_users = array_merge($protected_users, query2array($query, null, 'user_id'));
+ $admin_ids = query2array($query, null, 'user_id');
+
+ $protected_users = array_merge($protected_users, $admin_ids);
+
+ // we add all admin+webmaster users BUT the user herself
+ $password_protected_users = array_merge($password_protected_users, array_diff($admin_ids, array($user['id'])));
 }
 $template->assign(
@@ -123,6 +130,7 @@ $template->assign(
 'language_selected' => get_default_language(),
 'association_options' => $groups,
 'protected_users' => implode(',', array_unique($protected_users)),
+ 'password_protected_users' => implode(',', array_unique($password_protected_users)),
 'guest_user' => $conf['guest_id'],
 )
 );
@@ -135,7 +143,7 @@ foreach (get_enums(USER_INFOS_TABLE, 'status') as $status)
 $pref_status_options = $label_of_status;
-// a simple "admin" can set/remove statuses webmaster/admin
+// a simple "admin" can't set/remove statuses webmaster/admin
 if ('admin' == $user['status'])
 {
 unset($pref_status_options['webmaster']);
diff --git a/include/ws_functions/pwg.users.php b/include/ws_functions/pwg.users.php
index d878bcb31..f8fe51c2a 100644
--- a/include/ws_functions/pwg.users.php
+++ b/include/ws_functions/pwg.users.php
@@ -426,6 +426,27 @@ function ws_users_setInfo($params, &$service)
 if (!empty($params['password']))
 {
+ if (!is_webmaster())
+ {
+ $password_protected_users = array($conf['guest_id']);
+
+ $query = '
+SELECT
+ user_id
+ FROM '.USER_INFOS_TABLE.'
+ WHERE status IN (\'webmaster\', \'admin\')
+;';
+ $admin_ids = query2array($query, null, 'user_id');
+
+ // we add all admin+webmaster users BUT the user herself
+ $password_protected_users = array_merge($password_protected_users, array_diff($admin_ids, array($user['id'])));
+
+ if (in_array($params['user_id'][0], $password_protected_users))
+ {
+ return new PwgError(403, 'Only webmasters can change password of other "webmaster/admin" users');
+ }
+ }
+
 $updates[ $conf['user_fields']['password'] ] = $conf['password_hash']($params['password']);
 }
 }
|
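Review bot: The new guard inspects only `$params['user_id'][0]` although the parameter is plainly an array; if the `$updates` built here are applied to every id in `$params['user_id']` (the code that applies them lies outside the hunk), a request that lists a protected webmaster/admin in any position after the first still has its password changed. Check the whole list instead, `if (count(array_intersect($params['user_id'], $password_protected_users)) > 0)`. The self-exclusion depends on `$user['id']` being in scope: if `$user` is not declared `global` in ws_users_setInfo (its preamble is outside the hunk), `array_diff` removes nothing and the caller is merely blocked from changing their own password through this path — it fails closed, but this is worth confirming. The same protected-list construction now lives both here and in admin/user_list.php (its @@ -109 hunk); a shared helper returning the list would keep the UI gating and the enforcement from drifting apart.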