only admins can change user classes, and they should be protected from moderators

2012-02-22 12:32:54 +00:00 · 2012-02-22 12:32:54 +00:00 · eccea620ba
commit eccea620ba
parent cf621c066c
3 changed files with 76 additions and 85 deletions
--- a/core/userclass.class.php
+++ b/core/userclass.class.php
@ -50,6 +50,7 @@ $_user_class_base = new UserClass("base", null, array(
 	"mass_tag_edit" => False,
 	"report_image" => False,
 	"view_image_report" => False,
+	"protected" => False,
 ));
 $_user_classes["anonymous"] = new UserClass("anonymous", $_user_class_base, array(
 	"edit_image_tag" => "tag_edit_anon",
@ -83,6 +84,7 @@ $_user_classes["admin"] = new UserClass("admin", $_user_class_base, array(
 	"mass_tag_edit" => True,
 	"report_image" => True,
 	"view_image_report" => True,
+	"protected" => True,
 ));

 foreach(unserialize(EXTRA_USER_CLASSES) as $class_info) {
--- a/ext/user/main.php
+++ b/ext/user/main.php
@ -89,10 +89,30 @@ class UserPage extends Extension {
 				$page->set_redirect(make_link());
 			}
 			else if($event->get_arg(0) == "change_pass") {
-				$this->change_password_wrapper($page);
+				if(isset($_POST['id']) && isset($_POST['pass1']) && isset($_POST['pass2'])) {
+					$duser = User::by_id($_POST['id']);
+					$pass1 = $_POST['pass1'];
+					$pass2 = $_POST['pass2'];
+					$this->change_password_wrapper($duser, $pass1, $pass2);
+				}
 			}
 			else if($event->get_arg(0) == "change_email") {
-				$this->change_email_wrapper($page);
+				if(isset($_POST['id']) && isset($_POST['address'])) {
+					$duser = User::by_id($_POST['id']);
+					$address = $_POST['address'];
+					$this->change_email_wrapper($duser, $address);
+				}
+			}
+			else if($event->get_arg(0) == "change_class") {
+				global $_user_classes;
+				if(isset($_POST['id']) && isset($_POST['class'])) {
+					$duser = User::by_id($_POST['id']);
+					$class = $_POST['class'];
+					if(!array_key_exists($class, $_user_classes)) {
+						throw Exception("Invalid user class: ".html_escape($class));
+					}
+					$this->change_class_wrapper($duser, $class);
+				}
 			}
 			else if($event->get_arg(0) == "recover") {
 				$user = User::by_name($_POST['username']);
@ -130,9 +150,6 @@ class UserPage extends Extension {
 					}
 				}
 			}
-			else if($event->get_arg(0) == "set_more") {
-				$this->set_more_wrapper();
-			}
 			else if($event->get_arg(0) == "list") {
 // select users.id,name,joindate,admin,
 // (select count(*) from images where images.owner_id=users.id) as images,
@ -339,26 +356,50 @@ class UserPage extends Extension {
 	}
 //}}}
 // Things done *to* the user {{{
-	private function change_password_wrapper(Page $page) {
-		global $user;
-		global $config;
-		global $database;
-
-		if($user->is_anonymous()) {
+	private function user_can_edit_user(User $a, User $b) {
+		if($a->is_anonymous()) {
 			$this->theme->display_error(401, "Error", "You aren't logged in");
 		}
-		else if(isset($_POST['id']) && isset($_POST['pass1']) && isset($_POST['pass2'])) {
-			$id = $_POST['id'];
-			$pass1 = $_POST['pass1'];
-			$pass2 = $_POST['pass2'];
-
-			$duser = User::by_id($id);
-
-			if((!$user->can("change_user_info")) && ($duser->name != $user->name)) {
-				$this->theme->display_error(401, "Error",
-						"You need to be an admin to change other people's passwords");
+		if($a->name == $b->name) {
+			return true;
+		}
+		if($b->can("protected")) {
+			if($a->class->name == "admin") {
+				return true;
 			}
-			else if($pass1 != $pass2) {
+			else {
+				$this->theme->display_error(401, "Error", "You need to be an admin to change other people's details");
+			}
+		}
+		else {
+			if($a->can("edit_user_info")) {
+				return true;
+			}
+			else {
+				$this->theme->display_error(401, "Error", "You need to be an admin to change other people's details");
+			}
+		}
+		return false;
+	}
+
+	private function redirect_to_user(User $duser) {
+		global $page, $user;
+
+		if($user->id == $duser->id) {
+			$page->set_mode("redirect");
+			$page->set_redirect(make_link("user"));
+		}
+		else {
+			$page->set_mode("redirect");
+			$page->set_redirect(make_link("user/{$duser->name}"));
+		}
+	}
+
+	private function change_password_wrapper(User $duser, $pass1, $pass2) {
+		global $user;
+
+		if($this->user_can_edit_user($user, $duser)) {
+			if($pass1 != $pass2) {
 				$this->theme->display_error(400, "Error", "Passwords don't match");
 			}
 			else {
@ -367,80 +408,28 @@ class UserPage extends Extension {

 				if($id == $user->id) {
 					$this->set_login_cookie($duser->name, $pass1);
-					$page->set_mode("redirect");
-					$page->set_redirect(make_link("user"));
-				}
-				else {
-					$page->set_mode("redirect");
-					$page->set_redirect(make_link("user/{$duser->name}"));
 				}
+				$this->redirect_to_user($duser);
 			}
 		}
 	}

-	private function change_email_wrapper(Page $page) {
+	private function change_email_wrapper(User $duser, /*string(email)*/ $address) {
 		global $user;
-		global $config;
-		global $database;

-		if($user->is_anonymous()) {
-			$this->theme->display_error(401, "Error", "You aren't logged in");
-		}
-		else if(isset($_POST['id']) && isset($_POST['address'])) {
-			$id = $_POST['id'];
-			$address = $_POST['address'];
-
-			$duser = User::by_id($id);
-
-			if((!$user->can("change_user_info")) && ($duser->name != $user->name)) {
-				$this->theme->display_error(401, "Error",
-						"You need to be an admin to change other people's addressess");
-			}
-			else {
-				$duser->set_email($address);
-
-				if($id == $user->id) {
-					$page->set_mode("redirect");
-					$page->set_redirect(make_link("user"));
-				}
-				else {
-					$page->set_mode("redirect");
-					$page->set_redirect(make_link("user/{$duser->name}"));
-				}
-			}
+		if($this->user_can_edit_user($user, $duser)) {
+			$duser->set_email($address);
+			$this->redirect_to_user($duser);
 		}
 	}

-	private function set_more_wrapper() {
-		global $config, $database, $page, $user;
-
-		$page->set_title("Error");
-		$page->set_heading("Error");
-		$page->add_block(new NavBlock());
-		if(!$user->can("change_user_info")) {
-			$page->add_block(new Block("Not Admin", "Only admins can edit accounts"));
-		}
-		else if(!isset($_POST['id']) || !is_numeric($_POST['id'])) {
-			$page->add_block(new Block("No ID Specified",
-					"You need to specify the account number to edit"));
-		}
-		else {
-			global $_user_classes;
-			$class = $_POST['class'];
-			if(!array_key_exists($class, $_user_classes)) {
-				throw Exception("Invalid user class: ".html_escape($class));
-			}
+	private function change_class_wrapper(User $duser, /*string(class)*/ $class) {
+		global $user;

+		if($user->class->name == "admin") {
 			$duser = User::by_id($_POST['id']);
 			$duser->set_class($class);
-
-			$page->set_mode("redirect");
-			if($duser->id == $user->id) {
-				$page->set_redirect(make_link("user"));
-			}
-			else {
-				$page->set_redirect(make_link("user/{$duser->name}"));
-			}
+			$this->redirect_to_user($duser);
 		}
 	}
 // }}}
--- a/ext/user/theme.php
+++ b/ext/user/theme.php
@ -173,11 +173,11 @@ class UserPageTheme extends Themelet {
 			</form>
 			";

-			if($user->can("change_user_info")) {
+			if($user->class->name == "admin") {
 				$i_user_id = int_escape($duser->id);
 				$h_is_admin = $duser->is_admin() ? " checked" : "";
 				$html .= "
-					<p>".make_form(make_link("user_admin/set_more"))."
+					<p>".make_form(make_link("user_admin/change_class"))."
 						<input type='hidden' name='id' value='$i_user_id'>
 						Class: <select name='class'>
 				";