# HG changeset patch
# User Dan
# Date 1190603014 14400
# Node ID 13a43f08ffe107102f0b04866c066f2450c9d20c
# Parent 40f7fa5fd061ede5555f85d4b9e9f637d4494c69
SECURITY: The anonymous user can no longer be edited or deleted; user accounts are no longer deleted when validation errors were detected; user CP saving is disabled in demo mode
diff -r 40f7fa5fd061 -r 13a43f08ffe1 plugins/admin/UserManager.php
--- a/plugins/admin/UserManager.php Sun Sep 23 18:42:16 2007 -0400
+++ b/plugins/admin/UserManager.php Sun Sep 23 23:03:34 2007 -0400
@@ -30,11 +30,17 @@
#
$errors = array();
+
+ if ( defined('ENANO_DEMO_MODE') )
+ {
+ $errors[] = 'Users cannot be modified or deleted in demo mode.';
+ }
+
$user_id = intval($_POST['user_id']);
- if ( empty($user_id) )
+ if ( empty($user_id) || $user_id == 1 )
$errors[] = 'Invalid user ID.';
- if ( isset($_POST['delete_account']) )
+ if ( isset($_POST['delete_account']) && count($errors) < 1 )
{
$q = $db->sql_query('DELETE FROM '.table_prefix."users_extra WHERE user_id=$user_id;");
if ( !$q )
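Review bot: The anonymous-account guard on the `$user_id` line relies on the bare literal `1`, and the same literal reappears in the username-uniqueness query later in this file, so the intent is easy to lose on the next edit; name it once or annotate both sites, e.g. `if ( empty($user_id) || $user_id == 1 ) // user_id 1 is the anonymous account: never editable or deletable`. The delete branch is now skipped when `$errors` is non-empty, but it still runs before the remaining validation further down the function; if the branch does not return after its DELETE, a later validation failure would be reported after the users_extra row is already gone, which is worth confirming since the rest of the branch is outside this hunk. `intval($_POST['user_id'])` also reads the key unconditionally and raises a notice when the field is absent; `$user_id = isset($_POST['user_id']) ? intval($_POST['user_id']) : 0;` keeps the `empty()` check meaningful without the notice. The enclosing function, if any, starts before this hunk.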
@@ -108,39 +114,7 @@
$homepage = '';
}
- if ( count($errors) > 0 )
- {
- echo '
-
Your request could not be processed due to the following validation errors:
-
- - ' . implode("
\n - ", $errors) . '
-
-
';
- $form = new Admin_UserManager_SmartForm();
- $form->user_id = $user_id;
- $form->username = $username;
- $form->email = $email;
- $form->real_name = $real_name;
- $form->signature = $signature;
- $form->user_level = $user_level;
- $form->im = array(
- 'aim' => $imaddr_aim,
- 'yahoo' => $imaddr_yahoo,
- 'msn' => $imaddr_msn,
- 'xmpp' => $imaddr_xmpp
- );
- $form->contact = array(
- 'homepage' => $homepage,
- 'location' => $location,
- 'job' => $occupation,
- 'hobbies' => $hobbies
- );
- $form->email_public = ( isset($_POST['email_public']) );
- $form->account_active = ( isset($_POST['account_active']) );
- echo $form->render();
- return false;
- }
- else
+ if ( count($errors) < 1 )
{
$q = $db->sql_query('SELECT u.user_level FROM '.table_prefix.'users AS u WHERE u.user_id = ' . $user_id . ';');
if ( !$q )
@@ -257,6 +231,39 @@
}
}
+ if ( count($errors) > 0 )
+ {
+ echo '
+
Your request could not be processed due to the following validation errors:
+
+ - ' . implode("
\n - ", $errors) . '
+
+
';
+ $form = new Admin_UserManager_SmartForm();
+ $form->user_id = $user_id;
+ $form->username = $username;
+ $form->email = $email;
+ $form->real_name = $real_name;
+ $form->signature = $signature;
+ $form->user_level = $user_level;
+ $form->im = array(
+ 'aim' => $imaddr_aim,
+ 'yahoo' => $imaddr_yahoo,
+ 'msn' => $imaddr_msn,
+ 'xmpp' => $imaddr_xmpp
+ );
+ $form->contact = array(
+ 'homepage' => $homepage,
+ 'location' => $location,
+ 'job' => $occupation,
+ 'hobbies' => $hobbies
+ );
+ $form->email_public = ( isset($_POST['email_public']) );
+ $form->account_active = ( isset($_POST['account_active']) );
+ echo $form->render();
+ return false;
+ }
+
#
# END VALIDATION
#
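Review bot: The error box built in this block concatenates each `$errors` entry straight into the page with no escaping, and it also pushes the raw POSTed values (`$username`, `$email`, `$homepage`, ...) back into the form for re-display. The messages visible in this diff are fixed strings, but as soon as one echoes user input (a taken username, a rejected e-mail) this becomes a reflected XSS sink, and whether `Admin_UserManager_SmartForm::render()` escapes its fields is not visible here. Escaping at the sink is cheap: wrap the list as `array_map('htmlspecialchars', $errors)` before the `implode`, and confirm `render()` applies `htmlspecialchars` to every echoed field. Moving the block after the `user_level` lookup so that errors from that check are also displayed looks correct.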
@@ -279,7 +286,7 @@
$q = $db->sql_query('SELECT u.user_id AS authoritative_uid, u.username, u.email, u.real_name, u.signature, u.account_active, u.user_level, x.* FROM '.table_prefix.'users AS u
LEFT JOIN '.table_prefix.'users_extra AS x
ON ( u.user_id = x.user_id OR x.user_id IS NULL )
- WHERE lcase(u.username) = \'' . $db->escape(strtolower($username)) . '\' OR u.username = \'' . $db->escape($username) . '\';');
+ WHERE ( lcase(u.username) = \'' . $db->escape(strtolower($username)) . '\' OR u.username = \'' . $db->escape($username) . '\' ) AND user_id != 1;');
if ( !$q )
$db->_die();