FIX A non admin user should not be able to set/unset a user as admin

even if they have the right to manage permissions
This commit is contained in:
Laurent Destailleur 2016-06-04 18:37:41 +02:00
parent c59c86e648
commit c2e853db41
2 changed files with 2 additions and 2 deletions


@ -333,7 +333,7 @@ if (empty($reshook)) {
$object->gender = GETPOST("gender", 'alpha');
$object->pass = GETPOST("password");
$object->api_key = (GETPOST("api_key", 'alpha')) ? GETPOST("api_key", 'alpha') : $object->api_key;
$object->admin = empty($user->admin) ? 0 : GETPOST("admin"); // A user can only be set admin by an admin
if (! empty($user->admin)) $object->admin = GETPOST("admin"); // admin flag can only be set/unset by an admin user. A test is also done later when forging sql request
$object->address = GETPOST('address', 'alpha');
$object->zip = GETPOST('zipcode', 'alpha');
$object->town = GETPOST('town', 'alpha');
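Review bot: The new guarded assignment `if (! empty($user->admin)) $object->admin = GETPOST("admin");` still copies the raw request value into `$object->admin` with no type check, while every neighbouring field passes an `'alpha'` filter; since this value is later concatenated straight into the UPDATE statement in `User::update()`, it should be normalised to an integer here, e.g. `if (! empty($user->admin)) $object->admin = (int) GETPOST("admin");`. With the guard, a non-admin editor now leaves `$object->admin` at whatever the object was loaded with, which appears to be the intent, but it is worth a comment saying so explicitly, e.g. `// non-admin editors leave the existing admin flag untouched`. The enclosing `if (empty($reshook))` block starts and ends outside this hunk.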


@ -1285,7 +1285,7 @@ class User extends CommonObject
$sql.= ", login = '".$this->db->escape($this->login)."'";
$sql.= ", api_key = ".($this->api_key ? "'".$this->db->escape($this->api_key)."'" : "null");
$sql.= ", gender = ".($this->gender != -1 ? "'".$this->db->escape($this->gender)."'" : "null"); // 'man' or 'woman'
$sql.= ", admin = ".$this->admin;
if (! empty($user->admin)) $sql.= ", admin = ".$this->admin; // admin flag can be set/unset only by an admin user
$sql.= ", address = '".$this->db->escape($this->address)."'";
$sql.= ", zip = '".$this->db->escape($this->zip)."'";
$sql.= ", town = '".$this->db->escape($this->town)."'";
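Review bot: The new line `if (! empty($user->admin)) $sql.= ", admin = ".$this->admin;` concatenates `$this->admin` into the SQL string unescaped and uncast, unlike the surrounding fields that go through `$this->db->escape()`; because the value originates from a request parameter in the first hunk, it should be forced to an integer, `if (! empty($user->admin)) $sql.= ", admin = ".((int) $this->admin);`. The check also depends on `$user` being the acting user inside this method (presumably the parameter of `update()`, which starts outside the hunk); if a caller passes something else or `$user` is unset, `empty($user->admin)` is silently true and the admin column is never written, so a short comment naming that expectation would help, e.g. `// $user is the user performing the change, not the one being edited`. Having both the form layer and this persistence layer enforce the rule is the right shape; this second check is what protects other code paths that build a User object without going through the card page.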