summaryrefslogtreecommitdiff
path: root/web
diff options
context:
space:
mode:
authorLukas Fleischer <archlinux@cryptocrack.de>2012-12-07 23:24:22 +0100
committerLukas Fleischer <archlinux@cryptocrack.de>2012-12-07 23:24:22 +0100
commitfce4f36e4ff79e90a19bf00fa69b89053b4f62a5 (patch)
treee3444665d01050168bd9d50a3477fb6656b2058c /web
parent20407bb8c60ff705b47df707e21a3e0f73faf239 (diff)
parent332875bbfeb15340b1d67a8f9382e67c4df52eab (diff)
Merge branch 'maint'
Diffstat (limited to 'web')
-rw-r--r--web/html/account.php11
-rw-r--r--web/lib/acctfuncs.inc.php33
2 files changed, 39 insertions, 5 deletions
diff --git a/web/html/account.php b/web/html/account.php
index 786ae02..cccdd76 100644
--- a/web/html/account.php
+++ b/web/html/account.php
@@ -73,9 +73,14 @@ if (isset($_COOKIE["AURSID"])) {
}
} elseif ($action == "UpdateAccount") {
- # user is submitting their modifications to an existing account
- #
- if (check_token()) {
+ $uid = uid_from_sid($_COOKIE['AURSID']);
+
+ /* Details for account being updated */
+ $acctinfo = account_details(in_request('ID'), in_request('U'));
+
+ /* Verify user permissions and that the request is a valid POST */
+ if (can_edit_account($atype, $acctinfo, $uid) && check_token()) {
+ /* Update the details for the existing account */
process_account_form($atype, "edit", "UpdateAccount",
in_request("U"), in_request("T"), in_request("S"),
in_request("E"), in_request("P"), in_request("C"),
diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php
index 3fd23ae..a41659e 100644
--- a/web/lib/acctfuncs.inc.php
+++ b/web/lib/acctfuncs.inc.php
@@ -145,8 +145,8 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="",
$error = __("The PGP key fingerprint is invalid.");
}
- if ($UTYPE == "Trusted User" && $T == 3) {
- $error = __("A Trusted User cannot assign Developer status.");
+ if (($UTYPE == "User" && $T > 1) || ($UTYPE == "Trusted User" && $T > 2)) {
+ $error = __("Cannot increase account permissions.");
}
if (!$error && !array_key_exists($L, $SUPPORTED_LANGS)) {
$error = __("Language is not currently supported.");
@@ -1015,3 +1015,32 @@ function cast_proposal_vote($voteid, $uid, $vote, $newtotal, $dbh=NULL) {
$q = "INSERT INTO TU_Votes (VoteID, UserID) VALUES (" . intval($voteid) . ", " . intval($uid) . ")";
$result = $dbh->exec($q);
}
+
+/**
+ * Verify a user has the proper permissions to edit an account
+ *
+ * @param string $atype Account type of the editing user
+ * @param array $acctinfo User account information for edited account
+ * @param int $uid User ID of the editing user
+ *
+ * @return bool True if permission to edit the account, otherwise false
+ */
+function can_edit_account($atype, $acctinfo, $uid) {
+ /* Developers can edit any account */
+ if ($atype == 'Developer') {
+ return true;
+ }
+
+ /* Trusted Users can edit all accounts except Developer accounts */
+ if ($atype == 'Trusted User' &&
+ $acctinfo['AccountType'] != 'Developer') {
+ return true;
+ }
+
+ /* Users can edit only their own account */
+ if ($acctinfo['ID'] == $uid) {
+ return true;
+ }
+
+ return false;
+}