only admins can change user classes, and they should be protected from moderators
This commit is contained in:
parent
cf621c066c
commit
eccea620ba
@ -50,6 +50,7 @@ $_user_class_base = new UserClass("base", null, array(
|
|||||||
"mass_tag_edit" => False,
|
"mass_tag_edit" => False,
|
||||||
"report_image" => False,
|
"report_image" => False,
|
||||||
"view_image_report" => False,
|
"view_image_report" => False,
|
||||||
|
"protected" => False,
|
||||||
));
|
));
|
||||||
$_user_classes["anonymous"] = new UserClass("anonymous", $_user_class_base, array(
|
$_user_classes["anonymous"] = new UserClass("anonymous", $_user_class_base, array(
|
||||||
"edit_image_tag" => "tag_edit_anon",
|
"edit_image_tag" => "tag_edit_anon",
|
||||||
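Review bot: The new `"protected"` entry in the base class table is added without a comment saying what it controls, and the same applies to the `"protected" => True` entry in the admin class in the next hunk. Its meaning is only discoverable from user_can_edit_user in UserPage, where a target user whose class has `protected` set can be edited only by a caller whose class name is "admin". A one-line comment beside the flag keeps that policy visible where it is declared: `// "protected": only admins may change this class's password, email or class`. Classes loaded from EXTRA_USER_CLASSES presumably inherit the base value, so they stay unprotected unless they set it explicitly — worth stating in the same comment if that is the intent.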
@ -83,6 +84,7 @@ $_user_classes["admin"] = new UserClass("admin", $_user_class_base, array(
|
|||||||
"mass_tag_edit" => True,
|
"mass_tag_edit" => True,
|
||||||
"report_image" => True,
|
"report_image" => True,
|
||||||
"view_image_report" => True,
|
"view_image_report" => True,
|
||||||
|
"protected" => True,
|
||||||
));
|
));
|
||||||
|
|
||||||
foreach(unserialize(EXTRA_USER_CLASSES) as $class_info) {
|
foreach(unserialize(EXTRA_USER_CLASSES) as $class_info) {
|
||||||
|
@ -89,10 +89,30 @@ class UserPage extends Extension {
|
|||||||
$page->set_redirect(make_link());
|
$page->set_redirect(make_link());
|
||||||
}
|
}
|
||||||
else if($event->get_arg(0) == "change_pass") {
|
else if($event->get_arg(0) == "change_pass") {
|
||||||
$this->change_password_wrapper($page);
|
if(isset($_POST['id']) && isset($_POST['pass1']) && isset($_POST['pass2'])) {
|
||||||
|
$duser = User::by_id($_POST['id']);
|
||||||
|
$pass1 = $_POST['pass1'];
|
||||||
|
$pass2 = $_POST['pass2'];
|
||||||
|
$this->change_password_wrapper($duser, $pass1, $pass2);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
else if($event->get_arg(0) == "change_email") {
|
else if($event->get_arg(0) == "change_email") {
|
||||||
$this->change_email_wrapper($page);
|
if(isset($_POST['id']) && isset($_POST['address'])) {
|
||||||
|
$duser = User::by_id($_POST['id']);
|
||||||
|
$address = $_POST['address'];
|
||||||
|
$this->change_email_wrapper($duser, $address);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else if($event->get_arg(0) == "change_class") {
|
||||||
|
global $_user_classes;
|
||||||
|
if(isset($_POST['id']) && isset($_POST['class'])) {
|
||||||
|
$duser = User::by_id($_POST['id']);
|
||||||
|
$class = $_POST['class'];
|
||||||
|
if(!array_key_exists($class, $_user_classes)) {
|
||||||
|
throw Exception("Invalid user class: ".html_escape($class));
|
||||||
|
}
|
||||||
|
$this->change_class_wrapper($duser, $class);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
else if($event->get_arg(0) == "recover") {
|
else if($event->get_arg(0) == "recover") {
|
||||||
$user = User::by_name($_POST['username']);
|
$user = User::by_name($_POST['username']);
|
||||||
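Review bot: `throw Exception("Invalid user class: ".html_escape($class));` in the new change_class branch is missing `new`, so PHP treats it as a call to an undefined function and stops with a fatal error instead of raising the intended exception; it should read `throw new Exception("Invalid user class: ".html_escape($class));`. The same line existed in the removed set_more_wrapper, so the commit carries the defect forward rather than introducing it. All three branches also pass `$_POST['id']` straight to `User::by_id` without the `is_numeric` check the removed set_more_wrapper had, and nothing visible handles a lookup that finds no user — whether by_id returns null or throws is not visible here, so either the branch should validate the id or the wrappers should check `$duser` before calling methods on it. The enclosing onPageRequest method starts and ends outside the hunk.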
@ -130,9 +150,6 @@ class UserPage extends Extension {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
else if($event->get_arg(0) == "set_more") {
|
|
||||||
$this->set_more_wrapper();
|
|
||||||
}
|
|
||||||
else if($event->get_arg(0) == "list") {
|
else if($event->get_arg(0) == "list") {
|
||||||
// select users.id,name,joindate,admin,
|
// select users.id,name,joindate,admin,
|
||||||
// (select count(*) from images where images.owner_id=users.id) as images,
|
// (select count(*) from images where images.owner_id=users.id) as images,
|
||||||
@ -339,26 +356,50 @@ class UserPage extends Extension {
|
|||||||
}
|
}
|
||||||
//}}}
|
//}}}
|
||||||
// Things done *to* the user {{{
|
// Things done *to* the user {{{
|
||||||
private function change_password_wrapper(Page $page) {
|
private function user_can_edit_user(User $a, User $b) {
|
||||||
global $user;
|
if($a->is_anonymous()) {
|
||||||
global $config;
|
|
||||||
global $database;
|
|
||||||
|
|
||||||
if($user->is_anonymous()) {
|
|
||||||
$this->theme->display_error(401, "Error", "You aren't logged in");
|
$this->theme->display_error(401, "Error", "You aren't logged in");
|
||||||
}
|
}
|
||||||
else if(isset($_POST['id']) && isset($_POST['pass1']) && isset($_POST['pass2'])) {
|
if($a->name == $b->name) {
|
||||||
$id = $_POST['id'];
|
return true;
|
||||||
$pass1 = $_POST['pass1'];
|
}
|
||||||
$pass2 = $_POST['pass2'];
|
if($b->can("protected")) {
|
||||||
|
if($a->class->name == "admin") {
|
||||||
$duser = User::by_id($id);
|
return true;
|
||||||
|
|
||||||
if((!$user->can("change_user_info")) && ($duser->name != $user->name)) {
|
|
||||||
$this->theme->display_error(401, "Error",
|
|
||||||
"You need to be an admin to change other people's passwords");
|
|
||||||
}
|
}
|
||||||
else if($pass1 != $pass2) {
|
else {
|
||||||
|
$this->theme->display_error(401, "Error", "You need to be an admin to change other people's details");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
if($a->can("edit_user_info")) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
$this->theme->display_error(401, "Error", "You need to be an admin to change other people's details");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
private function redirect_to_user(User $duser) {
|
||||||
|
global $page, $user;
|
||||||
|
|
||||||
|
if($user->id == $duser->id) {
|
||||||
|
$page->set_mode("redirect");
|
||||||
|
$page->set_redirect(make_link("user"));
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
$page->set_mode("redirect");
|
||||||
|
$page->set_redirect(make_link("user/{$duser->name}"));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
private function change_password_wrapper(User $duser, $pass1, $pass2) {
|
||||||
|
global $user;
|
||||||
|
|
||||||
|
if($this->user_can_edit_user($user, $duser)) {
|
||||||
|
if($pass1 != $pass2) {
|
||||||
$this->theme->display_error(400, "Error", "Passwords don't match");
|
$this->theme->display_error(400, "Error", "Passwords don't match");
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
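Review bot: In user_can_edit_user the anonymous case calls display_error but does not return, so evaluation continues into the `$a->name == $b->name` comparison and the later permission checks; add `return false;` directly after that display_error call so an anonymous caller can never be granted access through the name match. The permission tested on the fall-through path is `edit_user_info`, while every other reference on this page (the removed wrappers and the old theme code) spells it `change_user_info`; unless `edit_user_info` is declared in the class table, this check will not behave as intended, so confirm the key exists or use `change_user_info`. A short docblock stating the contract would also help, e.g. that the function returns true when `$a` may edit `$b` (self, or admin for protected targets, or the edit permission otherwise) and reports a 401 via the theme before returning false. change_password_wrapper starts in this hunk and continues in the next one.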
@ -367,80 +408,28 @@ class UserPage extends Extension {
|
|||||||
|
|
||||||
if($id == $user->id) {
|
if($id == $user->id) {
|
||||||
$this->set_login_cookie($duser->name, $pass1);
|
$this->set_login_cookie($duser->name, $pass1);
|
||||||
$page->set_mode("redirect");
|
|
||||||
$page->set_redirect(make_link("user"));
|
|
||||||
}
|
|
||||||
else {
|
|
||||||
$page->set_mode("redirect");
|
|
||||||
$page->set_redirect(make_link("user/{$duser->name}"));
|
|
||||||
}
|
}
|
||||||
|
$this->redirect_to_user($duser);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
private function change_email_wrapper(Page $page) {
|
private function change_email_wrapper(User $duser, /*string(email)*/ $address) {
|
||||||
global $user;
|
global $user;
|
||||||
global $config;
|
|
||||||
global $database;
|
|
||||||
|
|
||||||
if($user->is_anonymous()) {
|
if($this->user_can_edit_user($user, $duser)) {
|
||||||
$this->theme->display_error(401, "Error", "You aren't logged in");
|
$duser->set_email($address);
|
||||||
}
|
$this->redirect_to_user($duser);
|
||||||
else if(isset($_POST['id']) && isset($_POST['address'])) {
|
|
||||||
$id = $_POST['id'];
|
|
||||||
$address = $_POST['address'];
|
|
||||||
|
|
||||||
$duser = User::by_id($id);
|
|
||||||
|
|
||||||
if((!$user->can("change_user_info")) && ($duser->name != $user->name)) {
|
|
||||||
$this->theme->display_error(401, "Error",
|
|
||||||
"You need to be an admin to change other people's addressess");
|
|
||||||
}
|
|
||||||
else {
|
|
||||||
$duser->set_email($address);
|
|
||||||
|
|
||||||
if($id == $user->id) {
|
|
||||||
$page->set_mode("redirect");
|
|
||||||
$page->set_redirect(make_link("user"));
|
|
||||||
}
|
|
||||||
else {
|
|
||||||
$page->set_mode("redirect");
|
|
||||||
$page->set_redirect(make_link("user/{$duser->name}"));
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
private function set_more_wrapper() {
|
private function change_class_wrapper(User $duser, /*string(class)*/ $class) {
|
||||||
global $config, $database, $page, $user;
|
global $user;
|
||||||
|
|
||||||
$page->set_title("Error");
|
|
||||||
$page->set_heading("Error");
|
|
||||||
$page->add_block(new NavBlock());
|
|
||||||
if(!$user->can("change_user_info")) {
|
|
||||||
$page->add_block(new Block("Not Admin", "Only admins can edit accounts"));
|
|
||||||
}
|
|
||||||
else if(!isset($_POST['id']) || !is_numeric($_POST['id'])) {
|
|
||||||
$page->add_block(new Block("No ID Specified",
|
|
||||||
"You need to specify the account number to edit"));
|
|
||||||
}
|
|
||||||
else {
|
|
||||||
global $_user_classes;
|
|
||||||
$class = $_POST['class'];
|
|
||||||
if(!array_key_exists($class, $_user_classes)) {
|
|
||||||
throw Exception("Invalid user class: ".html_escape($class));
|
|
||||||
}
|
|
||||||
|
|
||||||
|
if($user->class->name == "admin") {
|
||||||
$duser = User::by_id($_POST['id']);
|
$duser = User::by_id($_POST['id']);
|
||||||
$duser->set_class($class);
|
$duser->set_class($class);
|
||||||
|
$this->redirect_to_user($duser);
|
||||||
$page->set_mode("redirect");
|
|
||||||
if($duser->id == $user->id) {
|
|
||||||
$page->set_redirect(make_link("user"));
|
|
||||||
}
|
|
||||||
else {
|
|
||||||
$page->set_redirect(make_link("user/{$duser->name}"));
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
// }}}
|
// }}}
|
||||||
|
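Review bot: `if($id == $user->id)` in change_password_wrapper still refers to `$id`, which no longer exists now that the method takes `User $duser` instead of reading `$_POST['id']`; the undefined variable makes the condition `null == $user->id`, which is false for any non-zero id, so the login cookie is no longer refreshed when a user changes their own password. The line should be `if($duser->id == $user->id) {`. In change_class_wrapper the `$duser` parameter is ignored and `$duser = User::by_id($_POST['id']);` re-reads the request, which undoes the refactor done in onPageRequest; that line should be dropped. The same method has no else branch, so a non-admin request silently does nothing rather than reporting the failure the way the other wrappers do through `$this->theme->display_error(401, ...)`.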
@ -173,11 +173,11 @@ class UserPageTheme extends Themelet {
|
|||||||
</form>
|
</form>
|
||||||
";
|
";
|
||||||
|
|
||||||
if($user->can("change_user_info")) {
|
if($user->class->name == "admin") {
|
||||||
$i_user_id = int_escape($duser->id);
|
$i_user_id = int_escape($duser->id);
|
||||||
$h_is_admin = $duser->is_admin() ? " checked" : "";
|
$h_is_admin = $duser->is_admin() ? " checked" : "";
|
||||||
$html .= "
|
$html .= "
|
||||||
<p>".make_form(make_link("user_admin/set_more"))."
|
<p>".make_form(make_link("user_admin/change_class"))."
|
||||||
<input type='hidden' name='id' value='$i_user_id'>
|
<input type='hidden' name='id' value='$i_user_id'>
|
||||||
Class: <select name='class'>
|
Class: <select name='class'>
|
||||||
";
|
";
|
||||||
|
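Review bot: The theme now decides whether to render the class-change form with `$user->class->name == "admin"`, the same literal string comparison that user_can_edit_user and change_class_wrapper repeat; a class-table flag (like the `protected` flag this commit adds) or a single helper would keep the policy in one place, and `is_admin()`, which this hunk already calls on `$duser`, may be that helper if it means the same thing. This check only hides the form; the server-side decision lives in change_class_wrapper, which is worth saying in a comment here so a later edit does not treat the theme condition as the authorisation. The enclosing method starts and ends outside the hunk.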