nsinnovations/fusionpbx
2
0
Fork 0
mirror of https://github.com/fusionpbx/fusionpbx.git synced 2026-01-31 04:59:17 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix code that was designed to block non-superadmins from changing users in the superadmin group. Hide superadmin accounts from users that are not in the superadmin group.

Browse Source
This commit is contained in:
Mark Crane
2013-08-16 06:27:06 +00:00
parent eab5c1ca45
commit 67ec2c49db
3 changed files with 48 additions and 35 deletions
Download Patch File Download Diff File Expand all files Collapse all files

68
core/users/userlist.php
View File

@@ -17,7 +17,7 @@
The Initial Developer of the Original Code is
Mark J Crane <markjcrane@fusionpbx.com>
Portions created by the Initial Developer are Copyright (C) 2008-2012
Portions created by the Initial Developer are Copyright (C) 2008-2013
the Initial Developer. All Rights Reserved.
Contributor(s):
@@ -78,17 +78,27 @@ echo " <td align=\"center\">\n";
echo "</td>\n";
echo "</tr>\n";
//get the user list from the database
$sql = "select * from v_users ";
$sql .= "where domain_uuid = '$domain_uuid' ";
//get the list of superadmins
$superadmins = superadmin_list($db);
//get the users from the database
$sql = "select count(*) as num_rows from v_users ";
$sql .= "where domain_uuid = '".$_SESSION['domain_uuid']."' ";
if (strlen($field_name) > 0 && strlen($field_value) > 0) {
$sql .= "and $field_name = '$field_value' ";
}
if (strlen($order_by)> 0) { $sql .= "order by $order_by $order "; }
$prep_statement = $db->prepare(check_sql($sql));
$prep_statement->execute();
$result = $prep_statement->fetchAll(PDO::FETCH_NAMED);
$num_rows = count($result);
$prep_statement = $db->prepare($sql);
if ($prep_statement) {
$prep_statement->execute();
$row = $prep_statement->fetch(PDO::FETCH_ASSOC);
if ($row['num_rows'] > 0) {
$num_rows = $row['num_rows'];
}
else {
$num_rows = '0';
}
}
unset ($prep_statement, $result, $sql);
$rows_per_page = 200;
$param = "";
@@ -136,26 +146,30 @@ echo " <td align=\"center\">\n";
if ($result_count > 0) {
foreach($result as $row) {
echo "<tr >\n";
echo " <td valign='top' class='".$row_style[$c]."'>".$row['username']."&nbsp;</td>\n";
echo " <td valign='top' class='".$row_style[$c]."'>";
if ($row['user_enabled'] == 'true') {
echo $text['option-true'];
if (if_superadmin($superadmins, $row['user_uuid']) && !if_group("superadmin")) {
//hide
} else {
echo "<tr >\n";
echo " <td valign='top' class='".$row_style[$c]."'>".$row['username']."&nbsp;</td>\n";
echo " <td valign='top' class='".$row_style[$c]."'>";
if ($row['user_enabled'] == 'true') {
echo $text['option-true'];
}
else {
echo $text['option-false'];
}
echo "&nbsp;</td>\n";
echo " <td valign='top' align='right'>\n";
if (permission_exists('user_edit')) {
echo " <a href='usersupdate.php?id=".$row['user_uuid']."' alt='".$text['button-edit']."'>$v_link_label_edit</a>\n";
}
if (permission_exists('user_delete')) {
echo " <a href='userdelete.php?id=".$row['user_uuid']."' alt='".$text['button-delete']."' onclick=\"return confirm('".$text['confirm-delete']."')\">$v_link_label_delete</a>\n";
}
echo " </td>\n";
echo "</tr>\n";
if ($c==0) { $c=1; } else { $c=0; }
}
else {
echo $text['option-false'];
}
echo "&nbsp;</td>\n";
echo " <td valign='top' align='right'>\n";
if (permission_exists('user_edit')) {
echo " <a href='usersupdate.php?id=".$row['user_uuid']."' alt='".$text['button-edit']."'>$v_link_label_edit</a>\n";
}
if (permission_exists('user_delete')) {
echo " <a href='userdelete.php?id=".$row['user_uuid']."' alt='".$text['button-delete']."' onclick=\"return confirm('".$text['confirm-delete']."')\">$v_link_label_delete</a>\n";
}
echo " </td>\n";
echo "</tr>\n";
if ($c==0) { $c=1; } else { $c=0; }
} //end foreach
unset($sql, $result, $row_count);
} //end if results