[Fixed] Admin security bug

[kevin1]

Right now admins can edit gods and other admins which shouldn't be the case. An admin can reset god's password and login as god.

So I made some changes to admin_users.php and user_show_center.tpl. Basically I made a function in the php:

Code:

function canIChangeUser($user_level) {
    global $amIgod, $main_smarty;
    
    //Don't want to let admins reset other admins or god
    $viewer = $main_smarty->get_template_vars('user_logged_in');
    $target = $_GET["user"];
    
    if ($viewer != $target && !$amIgod && (($user_level == 'god') || ($user_level == 'admin'))) {
        echo "Access denied";
        die;
    } 
}

And I stuck this function in the different "Mode" sections.

Also modified user_show_center.tpl to not show the edit panel if the user is an admin or a god (unless it's the viewer himself):

Code:

         {* Only show edit panel if: 
           - user is god
           - user is viewing him/herself
           - viewed person is not an admin or god
         *} 
	{if $amIgod || $user_logged_in eq $userdata[nr].user_login || ($userdata[nr].user_level neq 'admin' && $userdata[nr].user_level neq 'god')}
		    <div id="admin_view_user_edit">
   etc...

admin_user.php also includes the header redirective to go back to user list instead of the tpl with the "go back to user" button. The button just goes back in window history, and if you edited the user's name, things get messed up.

Lemme know what u think.

[argh2xxx]

don't look like we have user_show_center.tpl in 9.1, is this a new file you created to fix the problem? It it's where can we upload user_show_center.tpl to? Under the templates/yget sub-directory?

Thanks...

[Simpatico]

argh2xxx - user_show_center.tpl can be found in the admin_templates folder.

[humaneasy]

I didn't found it in 9.1 code nor in latest SVN (802)

[kbeeveer46]

It's in /templates/your_template/admin_templates/user_show_center.tpl