authorplegall <plg@piwigo.org>2014-07-25 09:10:49 +0000
committerplegall <plg@piwigo.org>2014-07-25 09:10:49 +0000
commitbf58209d7dd6cc0f53c2c4b34115dfec9574cfb8 (patch)
tree4b66991e0ff85300f21e565ea27e80f8d183e9f6 /include
parent30fa11fb9aca3988ca9339dc54902a10eb1254ec (diff)
bug 3104: fewer rights for admins (compared to webmaster). Now an admin can't:
* delete a webmaster * give webmaster/admin status to any user * change status of a webmaster/admin git-svn-id: http://piwigo.org/svn/trunk@29074 68402e56-0260-453c-a942-63ccdbb3a9ee
Diffstat (limited to 'include')
-rw-r--r--include/ws_functions/pwg.users.php66
1 files changed, 46 insertions, 20 deletions
diff --git a/include/ws_functions/pwg.users.php b/include/ws_functions/pwg.users.php
index e007dd111..d0436acb7 100644
--- a/include/ws_functions/pwg.users.php
+++ b/include/ws_functions/pwg.users.php
@@ -325,25 +325,39 @@ function ws_users_delete($params, &$service)
include_once(PHPWG_ROOT_PATH.'admin/include/functions.php');
- // protect some users
- $params['user_id'] = array_diff(
- $params['user_id'],
- array(
- $user['id'],
- $conf['guest_id'],
- $conf['default_user_id'],
- $conf['webmaster_id'],
- )
+ $protected_users = array(
+ $user['id'],
+ $conf['guest_id'],
+ $conf['default_user_id'],
+ $conf['webmaster_id'],
);
+ // an admin can't delete other admin/webmaster
+ if ('admin' == $user['status'])
+ {
+ $query = '
+SELECT
+ user_id
+ FROM '.USER_INFOS_TABLE.'
+ WHERE status IN (\'webmaster\', \'admin\')
+;';
+ $protected_users = array_merge($protected_users, query2array($query, null, 'user_id'));
+ }
+
+ // protect some users
+ $params['user_id'] = array_diff($params['user_id'], $protected_users);
+
+ $counter = 0;
+
foreach ($params['user_id'] as $user_id)
{
delete_user($user_id);
+ $counter++;
}
return l10n_dec(
'%d user deleted', '%d users deleted',
- count($params['user_id'])
+ $counter
);
}
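Review bot: The added guard `if ('admin' == $user['status'])` applies the extra protection only to that exact status value, so a caller whose status is neither 'admin' nor 'webmaster' — if such a user can reach this method, which the hunk does not show — gets no protection beyond the four fixed ids. Inverting the test to `if (!is_webmaster())` states the intent (everyone below webmaster is restricted) and matches the `is_webmaster()` check already used in ws_users_setInfo; the same applies to the identical guard in the ws_users_setInfo hunk. The SELECT of admin/webmaster ids is duplicated verbatim in that hunk, so a small shared helper (e.g. a new function returning that id list) would keep both authorization checks in step. Protected ids are dropped silently and only `$counter` is reported, so a request that targeted a protected user receives no error; a comment on the array_diff line such as `// protected ids are silently skipped; the response count covers actual deletions only` would make that explicit for API consumers.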
@@ -418,25 +432,37 @@ function ws_users_setInfo($params, &$service)
if (!empty($params['status']))
{
- if ( $params['status'] == 'webmaster' and !is_webmaster() )
+ if (in_array($params['status'], array('webmaster', 'admin')) and !is_webmaster() )
{
- return new PwgError(403, 'Only webmasters can grant "webmaster" status');
+ return new PwgError(403, 'Only webmasters can grant "webmaster/admin" status');
}
+
if ( !in_array($params['status'], array('guest','generic','normal','admin','webmaster')) )
{
return new PwgError(WS_ERR_INVALID_PARAM, 'Invalid status');
}
+ $protected_users = array(
+ $user['id'],
+ $conf['guest_id'],
+ $conf['webmaster_id'],
+ );
+
+ // an admin can't change status of other admin/webmaster
+ if ('admin' == $user['status'])
+ {
+ $query = '
+SELECT
+ user_id
+ FROM '.USER_INFOS_TABLE.'
+ WHERE status IN (\'webmaster\', \'admin\')
+;';
+ $protected_users = array_merge($protected_users, query2array($query, null, 'user_id'));
+ }
+
// status update query is separated from the rest as not applying to the same
// set of users (current, guest and webmaster can't be changed)
- $params['user_id_for_status'] = array_diff(
- $params['user_id'],
- array(
- $user['id'],
- $conf['guest_id'],
- $conf['webmaster_id'],
- )
- );
+ $params['user_id_for_status'] = array_diff($params['user_id'], $protected_users);
$update_status = $params['status'];
}
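Review bot: The new `$protected_users` list is applied only to `user_id_for_status`, so any other columns ws_users_setInfo writes for `$params['user_id']` (the rest of the function is outside this hunk) still reach admin/webmaster accounts when the caller is an admin; the restriction described in the commit message is therefore enforced for the status column alone. If the function also updates fields such as username, email or password for the same ids, the admin/webmaster ids returned by the query should be removed from `$params['user_id']` itself whenever `!is_webmaster()`, with only the self/guest/webmaster entries kept specific to the status update. The grant check on the first added line, `in_array($params['status'], array('webmaster', 'admin'))`, omits the strict flag; status is a string here so it is safe, but `in_array(..., true)` keeps it consistent with the idiom. The enclosing function starts outside the hunk.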