mirror/php-e107
1
0
Fork 0
mirror of https://github.com/e107inc/e107.git synced 2025-08-03 21:27:25 +02:00
Code Issues Releases Wiki Activity

Fixes #5045 - Removed inline editing for when only "Quick Add User" has been granted, and removed adding of admin perms to avoid access escalation.

Browse Source
This commit is contained in:
camer0n
2023-08-22 12:51:23 -07:00
parent 9949a297f6
commit abf94d0310
1 changed files with 22 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
e107_admin/users.php
View File

@@ -419,7 +419,12 @@ class users_admin_ui extends e_admin_ui
if(!getperms('4|U0')) // Quick Add User Access Only.
{
unset($this->fields['checkboxes']);
unset($this->fields['options']);
unset($this->fields['options']);
foreach($this->fields as $fld=>$val)
{
$this->fields[$fld]['inline'] = false;
}
}
$this->fields['user_image']['writeParms'] = $this->getAvatarList();
@@ -1679,22 +1684,24 @@ class users_admin_ui extends e_admin_ui
}
// Make Admin.
$text .= "
<tr>
<td>".USRLAN_35."</td>
<td>
<a href='#set_perms' class='btn btn-default btn-secondary e-expandit'>".USRLAN_243."</a>
<div class='e-hideme' id='set_perms'>
";
$text .= $prm->renderPermTable('grouped');
if(getperms('4|U0')) // Quick Add User access should not be allowed to create new users with escalated perms.
{
$text .= "
<tr>
<td>".USRLAN_35."</td>
<td>
<a href='#set_perms' class='btn btn-default btn-secondary e-expandit'>".USRLAN_243."</a>
<div class='e-hideme' id='set_perms'>
";
$text .= "
</div>
</td>
</tr>
";
$text .= $prm->renderPermTable('grouped');
$text .= "
</div>
</td>
</tr>
";
}
$text .= "