nsinnovations/fusionpbx
2
0
Fork 0
mirror of https://github.com/fusionpbx/fusionpbx.git synced 2025-12-30 00:53:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix code that was designed to block non-superadmins from changing users in the superadmin group. Hide superadmin accounts from users that are not in the superadmin group.

Browse Source
This commit is contained in:
Mark Crane
2013-08-16 06:27:06 +00:00
parent 21b4fd91ff
commit bd1cdd6eb9
3 changed files with 48 additions and 35 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
core/users/index.php
View File

@@ -17,7 +17,7 @@
The Initial Developer of the Original Code is
Mark J Crane <markjcrane@fusionpbx.com>
Portions created by the Initial Developer are Copyright (C) 2008-2012
Portions created by the Initial Developer are Copyright (C) 2008-2013
the Initial Developer. All Rights Reserved.
Contributor(s):
@@ -49,7 +49,7 @@ else {
echo " <table width='100%' border='0'>";
echo " <tr>";
echo " <td align='left' width='100%'>";
require_once "userlist.php";
require_once "users.php";
echo " <br />";
echo " <br />";
echo " <br />";

68
core/users/userlist.php
View File

@@ -17,7 +17,7 @@
The Initial Developer of the Original Code is
Mark J Crane <markjcrane@fusionpbx.com>
Portions created by the Initial Developer are Copyright (C) 2008-2012
Portions created by the Initial Developer are Copyright (C) 2008-2013
the Initial Developer. All Rights Reserved.
Contributor(s):
@@ -78,17 +78,27 @@ echo " <td align=\"center\">\n";
echo "</td>\n";
echo "</tr>\n";
//get the user list from the database
$sql = "select * from v_users ";
$sql .= "where domain_uuid = '$domain_uuid' ";
//get the list of superadmins
$superadmins = superadmin_list($db);
//get the users from the database
$sql = "select count(*) as num_rows from v_users ";
$sql .= "where domain_uuid = '".$_SESSION['domain_uuid']."' ";
if (strlen($field_name) > 0 && strlen($field_value) > 0) {
$sql .= "and $field_name = '$field_value' ";
}
if (strlen($order_by)> 0) { $sql .= "order by $order_by $order "; }
$prep_statement = $db->prepare(check_sql($sql));
$prep_statement->execute();
$result = $prep_statement->fetchAll(PDO::FETCH_NAMED);
$num_rows = count($result);
$prep_statement = $db->prepare($sql);
if ($prep_statement) {
$prep_statement->execute();
$row = $prep_statement->fetch(PDO::FETCH_ASSOC);
if ($row['num_rows'] > 0) {
$num_rows = $row['num_rows'];
}
else {
$num_rows = '0';
}
}
unset ($prep_statement, $result, $sql);
$rows_per_page = 200;
$param = "";
@@ -136,26 +146,30 @@ echo " <td align=\"center\">\n";
if ($result_count > 0) {
foreach($result as $row) {
echo "<tr >\n";
echo " <td valign='top' class='".$row_style[$c]."'>".$row['username']."&nbsp;</td>\n";
echo " <td valign='top' class='".$row_style[$c]."'>";
if ($row['user_enabled'] == 'true') {
echo $text['option-true'];
if (if_superadmin($superadmins, $row['user_uuid']) && !if_group("superadmin")) {
//hide
} else {
echo "<tr >\n";
echo " <td valign='top' class='".$row_style[$c]."'>".$row['username']."&nbsp;</td>\n";
echo " <td valign='top' class='".$row_style[$c]."'>";
if ($row['user_enabled'] == 'true') {
echo $text['option-true'];
}
else {
echo $text['option-false'];
}
echo "&nbsp;</td>\n";
echo " <td valign='top' align='right'>\n";
if (permission_exists('user_edit')) {
echo " <a href='usersupdate.php?id=".$row['user_uuid']."' alt='".$text['button-edit']."'>$v_link_label_edit</a>\n";
}
if (permission_exists('user_delete')) {
echo " <a href='userdelete.php?id=".$row['user_uuid']."' alt='".$text['button-delete']."' onclick=\"return confirm('".$text['confirm-delete']."')\">$v_link_label_delete</a>\n";
}
echo " </td>\n";
echo "</tr>\n";
if ($c==0) { $c=1; } else { $c=0; }
}
else {
echo $text['option-false'];
}
echo "&nbsp;</td>\n";
echo " <td valign='top' align='right'>\n";
if (permission_exists('user_edit')) {
echo " <a href='usersupdate.php?id=".$row['user_uuid']."' alt='".$text['button-edit']."'>$v_link_label_edit</a>\n";
}
if (permission_exists('user_delete')) {
echo " <a href='userdelete.php?id=".$row['user_uuid']."' alt='".$text['button-delete']."' onclick=\"return confirm('".$text['confirm-delete']."')\">$v_link_label_delete</a>\n";
}
echo " </td>\n";
echo "</tr>\n";
if ($c==0) { $c=1; } else { $c=0; }
} //end foreach
unset($sql, $result, $row_count);
} //end if results

11
core/users/usersupdate.php
View File

@@ -17,7 +17,7 @@
The Initial Developer of the Original Code is
Mark J Crane <markjcrane@fusionpbx.com>
Portions created by the Initial Developer are Copyright (C) 2008-2012
Portions created by the Initial Developer are Copyright (C) 2008-2013
the Initial Developer. All Rights Reserved.
Contributor(s):
@@ -63,16 +63,15 @@ else {
$result = $prep_statement->fetchAll(PDO::FETCH_NAMED);
foreach ($result as &$row) {
$username = $row["username"];
break; //limit to 1 row
}
unset ($prep_statement);
//required to be a superadmin to update an account that is a member of the superadmin group
$superadmin_list = superadmin_list($db);
if (if_superadmin($superadmin_list, $_SESSION['user_uuid'])) {
$superadmins = superadmin_list($db);
if (if_superadmin($superadmins, $user_uuid)) {
if (!if_group("superadmin")) {
echo "access denied";
return;
exit;
}
}
@@ -116,7 +115,7 @@ else {
}
}
if (count($_POST)>0 && $_POST["persistform"] != "1") {
if (count($_POST) > 0 && $_POST["persistform"] != "1") {
$user_uuid = $_REQUEST["id"];
$password = check_str($_POST["password"]);
$confirm_password = check_str($_POST["confirm_password"]);