
Author Topic: [QUICK FIX]Admin account settings switch to NO (EDITED)  (Read 4702 times)

lilspen

  • Jr. Member
  • **
  • Karma: 2
  • Posts: 57
[QUICK FIX]Admin account settings switch to NO (EDITED)
« on: December 21, 2007, 05:36:55 AM »

When you edit an admin profile/account it doesn't show certain things (admin comment, site owner, etc.), and when you edit your account it simply changes them to the default (which is NO).


FIX:
FIND (starts line 1114 in default/unedited snewsMU.php):
Quote
if ($level == '2' || $level == '3'){
 echo html_input('checkbox', 'edit_comments', 'edcom', 'YES', l('mu_edit_comments'), '', '', '', '', $edit_comments, '', '', '', '', '', '');
 echo html_input('checkbox', 'permit_upload', 'pfiles', 'YES', l('mu_permit_upload'), '', '', '', '', $permit_upload, '', '', '', '', '');
 if (get_identity($_GET['id'], 'site_owner') == 'YES'){
  echo html_input('checkbox', 'site_owner', 'sowner', 'YES', l('mu_site_owner'), '', '', '', '', $site_owner, '', '', '', '', '');
 }
}

ADD THE BLUE AND REPLACE THE RED:
Quote
if ($level == '1' || $level == '2' || $level == '3'){
 echo html_input('checkbox', 'edit_comments', 'edcom', 'YES', l('mu_edit_comments'), '', '', '', '', $edit_comments, '', '', '', '', '', '');
 echo html_input('checkbox', 'permit_upload', 'pfiles', 'YES', l('mu_permit_upload'), '', '', '', '', $permit_upload, '', '', '', '', '');
 if (get_identity($_SESSION['id'], 'site_owner') == 'YES' && $level == '1'){
   echo html_input('checkbox', 'site_owner', 'sowner', 'YES', l('mu_site_owner'), '', '', '', '', $site_owner, '', '', '', '', '');
 }
}

My first "FIX" simply added the "$level == '1' || " change. That would mean that any admin could change the site_owner section (which I suppose could be counted as a security risk or bug).

I added something else, the $_SESSION section, but I added it between the $_GET section (original snewsMU.php file).
That didn't work because then if an admin (non-site owner) edited it, it wouldn't show up but it would still change it to " " (blank).

This final edit (which I show you in this post) should take care of that.
BUT no. It doesn't fully fix it.
If a non-owner admin edits an owner admin's account it will add " " (blank) to the site_owner setting. BUT that only happens when they save it, go back, and then go to the user list (which then will show the "edit" AND "delete" buttons) and/or go back to edit the account.

Basically, it will temporarily allow non-owner admins to remove the site_owner setting from a site owner and give that admin the ability to delete the account.
I can't fix this. Can someone else have a look at it?

EDIT: also, when you edit your own account (as an owner) it will remove the owner setting still. Someone else needs to fix.


I will continue to check that when I edit admin account(s).

WARNING: this actually isn't much of a fix. It opens the site up to a potential security risk (an admin could become "site owner") and if you edit your profile and any options are missing it will revert them to the default (which is NO).

 8)

Just between you and me:
Remember, I don't know PHP. So it's amazing I (sorta) fixed this!

NOTE: The initial problem will be properly patched with the next release of sNewsMU.
sNewsMU is currently disabled from download. When it is back up, this problem should have been fixed.
« Last Edit: January 10, 2008, 07:15:14 AM by nodnarb »
Logged
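
Added example (not part of the post above and not sNewsMU's own code): one way to stop a save from resetting or blanking privilege flags is to decide on the server, per flag, whether the logged-in user may change it, and to keep the stored value otherwise. The function name `resolve_flags()`, the array shapes and the assumption that level '1' is an admin are hypothetical; the flag names are the ones used in the post.

```php
<?php
// Added example, not sNewsMU code. resolve_flags() and the array shapes are hypothetical.

/**
 * Decide the privilege flags to store when an account edit form is saved.
 *
 * $actor  : stored record of the logged-in user (looked up from the session id)
 * $stored : stored record of the account being edited
 * $post   : submitted form data ($_POST)
 */
function resolve_flags(array $actor, array $stored, array $post): array
{
    // Who may change which flag. Assumption: level '1' is an admin, and only
    // a site owner may grant or revoke site_owner.
    $is_admin = ($actor['level'] === '1');
    $is_owner = $is_admin && ($actor['site_owner'] === 'YES');
    $may_edit = [
        'edit_comments' => $is_admin,
        'permit_upload' => $is_admin,
        'site_owner'    => $is_owner,
    ];

    $result = [];
    foreach ($may_edit as $flag => $allowed) {
        if ($allowed) {
            // The checkbox was rendered for this actor, so an absent field means "unchecked".
            $result[$flag] = (isset($post[$flag]) && $post[$flag] === 'YES') ? 'YES' : 'NO';
        } else {
            // The checkbox was never rendered: keep the stored value, ignore any submitted one.
            $result[$flag] = $stored[$flag];
        }
    }
    return $result;
}

// Constructed sample records.
$owner = ['level' => '1', 'site_owner' => 'YES', 'edit_comments' => 'YES', 'permit_upload' => 'YES'];
$admin = ['level' => '1', 'site_owner' => 'NO',  'edit_comments' => 'YES', 'permit_upload' => 'NO'];

// Case 1: a non-owner admin saves the owner's account and submits site_owner anyway.
print_r(resolve_flags($admin, $owner, ['edit_comments' => 'YES', 'site_owner' => 'NO']));
// Case 2: the owner saves their own account with all three boxes ticked.
print_r(resolve_flags($owner, $owner, ['edit_comments' => 'YES', 'permit_upload' => 'YES', 'site_owner' => 'YES']));
```

The same `$may_edit` decision should drive both which checkboxes the form renders and which submitted values the save handler accepts, so the two can never disagree.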

Fred K

  • Still trying to learn stuff
  • ULTIMATE member
  • ******
  • Karma: 130
  • Posts: 2728
    • Personal
Re: [PATCH]Admin account settings switch to NO
« Reply #1 on: December 21, 2007, 07:16:30 AM »

Karma upgraded. ;)
Logged