diff options
Diffstat (limited to 'web')
| -rw-r--r-- | web/html/account.php | 11 | ||||
| -rw-r--r-- | web/lib/acctfuncs.inc.php | 33 |
2 files changed, 39 insertions, 5 deletions
diff --git a/web/html/account.php b/web/html/account.php index 786ae026..cccdd76c 100644 --- a/web/html/account.php +++ b/web/html/account.php @@ -73,9 +73,14 @@ if (isset($_COOKIE["AURSID"])) { } } elseif ($action == "UpdateAccount") { - # user is submitting their modifications to an existing account - # - if (check_token()) { + $uid = uid_from_sid($_COOKIE['AURSID']); + + /* Details for account being updated */ + $acctinfo = account_details(in_request('ID'), in_request('U')); + + /* Verify user permissions and that the request is a valid POST */ + if (can_edit_account($atype, $acctinfo, $uid) && check_token()) { + /* Update the details for the existing account */ process_account_form($atype, "edit", "UpdateAccount", in_request("U"), in_request("T"), in_request("S"), in_request("E"), in_request("P"), in_request("C"), diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php index 3fd23ae4..a41659ee 100644 --- a/web/lib/acctfuncs.inc.php +++ b/web/lib/acctfuncs.inc.php @@ -145,8 +145,8 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="", $error = __("The PGP key fingerprint is invalid."); } - if ($UTYPE == "Trusted User" && $T == 3) { - $error = __("A Trusted User cannot assign Developer status."); + if (($UTYPE == "User" && $T > 1) || ($UTYPE == "Trusted User" && $T > 2)) { + $error = __("Cannot increase account permissions."); } if (!$error && !array_key_exists($L, $SUPPORTED_LANGS)) { $error = __("Language is not currently supported."); @@ -1015,3 +1015,32 @@ function cast_proposal_vote($voteid, $uid, $vote, $newtotal, $dbh=NULL) { $q = "INSERT INTO TU_Votes (VoteID, UserID) VALUES (" . intval($voteid) . ", " . intval($uid) . ")"; $result = $dbh->exec($q); } + +/** + * Verify a user has the proper permissions to edit an account + * + * @param string $atype Account type of the editing user + * @param array $acctinfo User account information for edited account + * @param int $uid User ID of the editing user + * + * @return bool True if permission to edit the account, otherwise false + */ +function can_edit_account($atype, $acctinfo, $uid) { + /* Developers can edit any account */ + if ($atype == 'Developer') { + return true; + } + + /* Trusted Users can edit all accounts except Developer accounts */ + if ($atype == 'Trusted User' && + $acctinfo['AccountType'] != 'Developer') { + return true; + } + + /* Users can edit only their own account */ + if ($acctinfo['ID'] == $uid) { + return true; + } + + return false; +} |