Wrong permissions check doesn't allow moderators to edit members
bbogdan
Posts: 1
Joined: 08 October 2008
BabbleBoard Version: 1.1.6
|
Sunday, Nov 16, 2008 23:31
I've found an error that doesn't allow anyone else other than admins to edit a member's profile, despite the right permissions being set for the group.
In includes/pages/admin.php the following code occurs:
RAW CODE
    if ($can_change_forum_settings == '0' && $can_change_site_settings == '0') {
        header("HTTP/1.0 200 OK");
        header('Location: ' . bb_link("index.php?page=error&error=11", "error/11") . '');
        exit;
    }
This prohibits Moderators from accessing the Edit profile page in the first place, as it only checks for admin-like permissions.
I have changed the IF statement to the following:
RAW CODE
    if (
        $can_change_forum_settings == '0'
        && $can_change_site_settings == '0'
        && $can_edit_members == '0'
        && $can_warn_members == '0'
        && $can_delete_members == '0'
        && $can_ban_members == '0'
        && $can_change_user_title == '0'
        && $can_edit_others_posts == '0'
        && $can_delete_others_posts == '0'
    )
linin
Posts: 1
Joined: 15 June 2008
BabbleBoard Version: 1.1.6
|
Wednesday, Feb 25, 2009 22:38
bbogdan 
I have changed the IF statement to the following:
RAW CODE
    if (
        $can_change_forum_settings == '0'
        && $can_change_site_settings == '0'
        && $can_edit_members == '0'
        && $can_warn_members == '0'
        && $can_delete_members == '0'
        && $can_ban_members == '0'
        && $can_change_user_title == '0'
        && $can_edit_others_posts == '0'
        && $can_delete_others_posts == '0'
    )
Surely you meant the && to be || as with the current code it will only redirect if ALL of those conditions are met. So if, let's say, the members group had the permission "Can Change User Title" then that if statement would not redirect & kill the page.
Mark.
Last edited by: linin - Wednesday, Feb 25, 2009 22:39.
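
The two forms of the page-level gate discussed in this thread, next to a per-action check that does not depend on the gate, as an added example that is not BabbleBoard code and not part of either post. The permission names are the ones quoted above; the action names, the `REQUIRED` map and the sample groups are assumptions made for illustration.

```php
<?php
// Added example; not BabbleBoard code. Permission names come from the thread,
// the action names and the sample groups are constructed for illustration.
const PERMS = [
    'can_change_forum_settings', 'can_change_site_settings', 'can_edit_members',
    'can_warn_members', 'can_delete_members', 'can_ban_members',
    'can_change_user_title', 'can_edit_others_posts', 'can_delete_others_posts',
];

// Hypothetical map: the single permission each admin.php action requires.
const REQUIRED = [
    'edit_member'   => 'can_edit_members',
    'ban_member'    => 'can_ban_members',
    'site_settings' => 'can_change_site_settings',
];

// Gate written with && : redirects only when every permission is '0'.
function gate_and(array $p): bool {
    foreach (PERMS as $name) {
        if (($p[$name] ?? '0') !== '0') return true;   // one grant is enough to enter
    }
    return false;
}

// Gate written with || : redirects as soon as any permission is '0'.
function gate_or(array $p): bool {
    foreach (PERMS as $name) {
        if (($p[$name] ?? '0') === '0') return false;  // one missing grant blocks
    }
    return true;
}

// Per-action check: deny by default, allow only the exact permission required.
function can_perform(array $p, string $action): bool {
    $need = REQUIRED[$action] ?? null;
    return $need !== null && ($p[$need] ?? '0') === '1';
}

$groups = [   // constructed sample groups
    'admin'      => array_fill_keys(PERMS, '1'),
    'moderator'  => ['can_edit_members' => '1', 'can_warn_members' => '1'],
    'title_only' => ['can_change_user_title' => '1'],
    'member'     => [],
];

foreach ($groups as $name => $p) {
    printf("%-10s gate&&=%-5s gate||=%-5s edit_member=%-5s ban_member=%s\n",
        $name, var_export(gate_and($p), true), var_export(gate_or($p), true),
        var_export(can_perform($p, 'edit_member'), true),
        var_export(can_perform($p, 'ban_member'), true));
}
```

Whichever operator the page-level gate uses, only the per-action check ties each operation to the one permission that should authorize it.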