Fix code that was designed to block non-superadmins from changing users in the superadmin group. Hide superadmin accounts from users that are not in the superadmin group.
@@ -17,7 +17,7 @@
|
|||||||
|
|
||||||
The Initial Developer of the Original Code is
|
The Initial Developer of the Original Code is
|
||||||
Mark J Crane <markjcrane@fusionpbx.com>
|
Mark J Crane <markjcrane@fusionpbx.com>
|
||||||
Portions created by the Initial Developer are Copyright (C) 2008-2012
|
Portions created by the Initial Developer are Copyright (C) 2008-2013
|
||||||
the Initial Developer. All Rights Reserved.
|
the Initial Developer. All Rights Reserved.
|
||||||
|
|
||||||
Contributor(s):
|
Contributor(s):
|
||||||
@@ -49,7 +49,7 @@ else {
|
|||||||
echo " <table width='100%' border='0'>";
|
echo " <table width='100%' border='0'>";
|
||||||
echo " <tr>";
|
echo " <tr>";
|
||||||
echo " <td align='left' width='100%'>";
|
echo " <td align='left' width='100%'>";
|
||||||
require_once "userlist.php";
|
require_once "users.php";
|
||||||
echo " <br />";
|
echo " <br />";
|
||||||
echo " <br />";
|
echo " <br />";
|
||||||
echo " <br />";
|
echo " <br />";
|
||||||
|
|||||||
@@ -17,7 +17,7 @@
|
|||||||
|
|
||||||
The Initial Developer of the Original Code is
|
The Initial Developer of the Original Code is
|
||||||
Mark J Crane <markjcrane@fusionpbx.com>
|
Mark J Crane <markjcrane@fusionpbx.com>
|
||||||
Portions created by the Initial Developer are Copyright (C) 2008-2012
|
Portions created by the Initial Developer are Copyright (C) 2008-2013
|
||||||
the Initial Developer. All Rights Reserved.
|
the Initial Developer. All Rights Reserved.
|
||||||
|
|
||||||
Contributor(s):
|
Contributor(s):
|
||||||
@@ -78,17 +78,27 @@ echo " <td align=\"center\">\n";
|
|||||||
echo "</td>\n";
|
echo "</td>\n";
|
||||||
echo "</tr>\n";
|
echo "</tr>\n";
|
||||||
|
|
||||||
//get the user list from the database
|
//get the list of superadmins
|
||||||
$sql = "select * from v_users ";
|
$superadmins = superadmin_list($db);
|
||||||
$sql .= "where domain_uuid = '$domain_uuid' ";
|
|
||||||
|
//get the users from the database
|
||||||
|
$sql = "select count(*) as num_rows from v_users ";
|
||||||
|
$sql .= "where domain_uuid = '".$_SESSION['domain_uuid']."' ";
|
||||||
if (strlen($field_name) > 0 && strlen($field_value) > 0) {
|
if (strlen($field_name) > 0 && strlen($field_value) > 0) {
|
||||||
$sql .= "and $field_name = '$field_value' ";
|
$sql .= "and $field_name = '$field_value' ";
|
||||||
}
|
}
|
||||||
if (strlen($order_by)> 0) { $sql .= "order by $order_by $order "; }
|
if (strlen($order_by)> 0) { $sql .= "order by $order_by $order "; }
|
||||||
$prep_statement = $db->prepare(check_sql($sql));
|
$prep_statement = $db->prepare($sql);
|
||||||
$prep_statement->execute();
|
if ($prep_statement) {
|
||||||
$result = $prep_statement->fetchAll(PDO::FETCH_NAMED);
|
$prep_statement->execute();
|
||||||
$num_rows = count($result);
|
$row = $prep_statement->fetch(PDO::FETCH_ASSOC);
|
||||||
|
if ($row['num_rows'] > 0) {
|
||||||
|
$num_rows = $row['num_rows'];
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
$num_rows = '0';
|
||||||
|
}
|
||||||
|
}
|
||||||
unset ($prep_statement, $result, $sql);
|
unset ($prep_statement, $result, $sql);
|
||||||
$rows_per_page = 200;
|
$rows_per_page = 200;
|
||||||
$param = "";
|
$param = "";
|
||||||
@@ -136,26 +146,30 @@ echo " <td align=\"center\">\n";
|
|||||||
|
|
||||||
if ($result_count > 0) {
|
if ($result_count > 0) {
|
||||||
foreach($result as $row) {
|
foreach($result as $row) {
|
||||||
echo "<tr >\n";
|
if (if_superadmin($superadmins, $row['user_uuid']) && !if_group("superadmin")) {
|
||||||
echo " <td valign='top' class='".$row_style[$c]."'>".$row['username']." </td>\n";
|
//hide
|
||||||
echo " <td valign='top' class='".$row_style[$c]."'>";
|
} else {
|
||||||
if ($row['user_enabled'] == 'true') {
|
echo "<tr >\n";
|
||||||
echo $text['option-true'];
|
echo " <td valign='top' class='".$row_style[$c]."'>".$row['username']." </td>\n";
|
||||||
|
echo " <td valign='top' class='".$row_style[$c]."'>";
|
||||||
|
if ($row['user_enabled'] == 'true') {
|
||||||
|
echo $text['option-true'];
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
echo $text['option-false'];
|
||||||
|
}
|
||||||
|
echo " </td>\n";
|
||||||
|
echo " <td valign='top' align='right'>\n";
|
||||||
|
if (permission_exists('user_edit')) {
|
||||||
|
echo " <a href='usersupdate.php?id=".$row['user_uuid']."' alt='".$text['button-edit']."'>$v_link_label_edit</a>\n";
|
||||||
|
}
|
||||||
|
if (permission_exists('user_delete')) {
|
||||||
|
echo " <a href='userdelete.php?id=".$row['user_uuid']."' alt='".$text['button-delete']."' onclick=\"return confirm('".$text['confirm-delete']."')\">$v_link_label_delete</a>\n";
|
||||||
|
}
|
||||||
|
echo " </td>\n";
|
||||||
|
echo "</tr>\n";
|
||||||
|
if ($c==0) { $c=1; } else { $c=0; }
|
||||||
}
|
}
|
||||||
else {
|
|
||||||
echo $text['option-false'];
|
|
||||||
}
|
|
||||||
echo " </td>\n";
|
|
||||||
echo " <td valign='top' align='right'>\n";
|
|
||||||
if (permission_exists('user_edit')) {
|
|
||||||
echo " <a href='usersupdate.php?id=".$row['user_uuid']."' alt='".$text['button-edit']."'>$v_link_label_edit</a>\n";
|
|
||||||
}
|
|
||||||
if (permission_exists('user_delete')) {
|
|
||||||
echo " <a href='userdelete.php?id=".$row['user_uuid']."' alt='".$text['button-delete']."' onclick=\"return confirm('".$text['confirm-delete']."')\">$v_link_label_delete</a>\n";
|
|
||||||
}
|
|
||||||
echo " </td>\n";
|
|
||||||
echo "</tr>\n";
|
|
||||||
if ($c==0) { $c=1; } else { $c=0; }
|
|
||||||
} //end foreach
|
} //end foreach
|
||||||
unset($sql, $result, $row_count);
|
unset($sql, $result, $row_count);
|
||||||
} //end if results
|
} //end if results
|
||||||
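Review bot: The count query on the new side of the `@@ -78,17 +78,27 @@` hunk drops the `check_sql()` wrapper (`$prep_statement = $db->prepare($sql);`) while `$field_name`, `$field_value`, `$order_by` and `$order` are still concatenated straight into the statement, and because those variables are assigned outside the hunk they should be treated as request-controlled until shown otherwise. Bind the value instead of interpolating it (`$sql .= "and $field_name = :field_value ";` followed by `$prep_statement->bindValue(':field_value', $field_value);` before `execute()`), and accept `$field_name`, `$order_by` and `$order` only when they match a fixed list of column names and `asc`/`desc`. Appending `order by $order_by $order` to a `select count(*)` query is also unnecessary and fails on PostgreSQL because the ordering column is not aggregated, so the `order by` should be left off the count query. If `prepare()` returns false, `$num_rows` is never assigned because both assignments sit inside `if ($prep_statement)`; add `$num_rows = 0;` before that block. In the `@@ -136,26 +146,30 @@` hunk, `if_group("superadmin")` is re-evaluated for every row; compute it once before the `foreach` (`$is_superadmin = if_group("superadmin");`) and test `!$is_superadmin` inside, and note that hidden superadmin rows are presumably still included in `$num_rows`, so the page count will not match the rows actually rendered.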
|
|||||||
@@ -17,7 +17,7 @@
|
|||||||
|
|
||||||
The Initial Developer of the Original Code is
|
The Initial Developer of the Original Code is
|
||||||
Mark J Crane <markjcrane@fusionpbx.com>
|
Mark J Crane <markjcrane@fusionpbx.com>
|
||||||
Portions created by the Initial Developer are Copyright (C) 2008-2012
|
Portions created by the Initial Developer are Copyright (C) 2008-2013
|
||||||
the Initial Developer. All Rights Reserved.
|
the Initial Developer. All Rights Reserved.
|
||||||
|
|
||||||
Contributor(s):
|
Contributor(s):
|
||||||
@@ -63,16 +63,15 @@ else {
|
|||||||
$result = $prep_statement->fetchAll(PDO::FETCH_NAMED);
|
$result = $prep_statement->fetchAll(PDO::FETCH_NAMED);
|
||||||
foreach ($result as &$row) {
|
foreach ($result as &$row) {
|
||||||
$username = $row["username"];
|
$username = $row["username"];
|
||||||
break; //limit to 1 row
|
|
||||||
}
|
}
|
||||||
unset ($prep_statement);
|
unset ($prep_statement);
|
||||||
|
|
||||||
//required to be a superadmin to update an account that is a member of the superadmin group
|
//required to be a superadmin to update an account that is a member of the superadmin group
|
||||||
$superadmin_list = superadmin_list($db);
|
$superadmins = superadmin_list($db);
|
||||||
if (if_superadmin($superadmin_list, $_SESSION['user_uuid'])) {
|
if (if_superadmin($superadmins, $user_uuid)) {
|
||||||
if (!if_group("superadmin")) {
|
if (!if_group("superadmin")) {
|
||||||
echo "access denied";
|
echo "access denied";
|
||||||
return;
|
exit;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -116,7 +115,7 @@ else {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (count($_POST)>0 && $_POST["persistform"] != "1") {
|
if (count($_POST) > 0 && $_POST["persistform"] != "1") {
|
||||||
$user_uuid = $_REQUEST["id"];
|
$user_uuid = $_REQUEST["id"];
|
||||||
$password = check_str($_POST["password"]);
|
$password = check_str($_POST["password"]);
|
||||||
$confirm_password = check_str($_POST["confirm_password"]);
|
$confirm_password = check_str($_POST["confirm_password"]);
|
||||||
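Review bot: The corrected check `if (if_superadmin($superadmins, $user_uuid))` in the `@@ -63,16 +63,15 @@` hunk now tests the target account rather than the session user, but `$user_uuid` is assigned outside that hunk, while the POST branch in the `@@ -116,7 +115,7 @@` hunk re-reads it with `$user_uuid = $_REQUEST["id"];`, so the guard and the update may not be operating on the same value. Unless the code between the hunks guarantees they agree, repeat the superadmin check inside the POST branch immediately after `$user_uuid = $_REQUEST["id"];` (or read the id once at the top of the page and reuse it in both places), so a superadmin target is refused whichever branch runs. `echo "access denied"; exit;` writes into the middle of the page output; the project's usual denied-access handling would keep the response consistent with other pages. The `else {` block enclosing both hunks begins outside the hunk. Removing `break; //limit to 1 row` means `foreach ($result as &$row)` now walks every returned row and `$username` holds the last one; if the lookup can ever return more than one row this changes which username is used, so a comment such as `//the lookup is expected to return a single row` would make the intent explicit.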
|
|||||||