From e2160b8275c1b4a210ba462db28fd8a1a22da5cf Mon Sep 17 00:00:00 2001
From: Regis Houssin
Date: Thu, 11 Oct 2007 15:41:42 +0000
Subject: [PATCH] =?UTF-8?q?Fix:=20s=E9curit=E9=20sur=20onglet=20"interface?=
 =?UTF-8?q?=20utilisateur"?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 htdocs/user/param_ihm.php | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/htdocs/user/param_ihm.php b/htdocs/user/param_ihm.php
index ed8ff6abfe3..5f51993febf 100644
--- a/htdocs/user/param_ihm.php
+++ b/htdocs/user/param_ihm.php
@@ -33,6 +33,20 @@ $langs->load("products");
 $langs->load("admin");
 $langs->load("users");
+// Defini si peux lire/modifier permisssions
+$canreadperms=($user->admin || $user->rights->user->user->lire);
+
+if ($_GET["id"])
+{
+ // $user est le user qui edite, $_GET["id"] est l'id de l'utilisateur edité
+ $caneditfield=( (($user->id == $_GET["id"]) && $user->rights->user->self->creer)
+ || (($user->id != $_GET["id"]) && $user->rights->user->user->creer) );
+}
+if ($user->id <> $_GET["id"] && ! $canreadperms)
+{
+ accessforbidden();
+}
+
 $id=isset($_GET["id"])?$_GET["id"]:$_POST["id"];
 $dirtop = "../includes/menus/barre_top";
 $dirleft = "../includes/menus/barre_left";
@@ -54,7 +68,7 @@ $html = new Form($db);
 /*
 * Actions
 */
-if ($_POST["action"] == 'update')
+if ($_POST["action"] == 'update' && $caneditfield)
 {
 if ($_POST["cancel"])
 {
@@ -197,7 +211,7 @@ else
 print '';
 print '
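Review bot: `$caneditfield` is only assigned inside `if ($_GET["id"])`, yet the very next context line also accepts the id from `$_POST["id"]`, so a request carrying the id only in the POST body reaches the `&& $caneditfield` test in hunk 2 with the variable undefined and is also measured against a missing value in `$user->id <> $_GET["id"]`. The guard compares the raw query value loosely; under PHP's pre-8 comparison rules a non-numeric string can compare equal to an integer id, so both tests should be made on an integer. Suggest moving the block below the `$id=` line, initialising `$caneditfield=false;` first, and basing both tests on an integer `$id`, e.g. `$id=(int)$id;` then `if ($user->id != $id && ! $canreadperms) accessforbidden();`. The `<>` on the guard line is also inconsistent with the `!=` used two lines above; one spelling is preferable. The same undefined-variable case affects hunk 2.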
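Review bot: When `action` is `update` but `$caneditfield` is false, the request now drops through to the display code with no error, so a user without the right gets the page re-rendered as if nothing had happened, and the `cancel` branch inside the block is skipped as well. Hunk 1 answers the read case with `accessforbidden()`; the write case should be just as explicit, e.g. add before this `if`: `if ($_POST["action"] == 'update' && ! $caneditfield) accessforbidden();`. The body of the `if` continues outside the hunk.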
';
- if (($fuser->id == $user->id) || $user->admin) // Si utilisateur édité = utilisateur courant ou admin
+ if ($caneditfield || $user->admin) // Si utilisateur édité = utilisateur courant ayant les droits de créer ou admin
 {
 print ''.$langs->trans("Edit").'';
 }
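Review bot: The Edit link is shown for `$caneditfield || $user->admin`, but the update action in hunk 2 is gated on `$caneditfield` alone, so an admin whose `user->creer`/`self->creer` rights are not set sees the button while the submit is silently ignored. `$canreadperms` in hunk 1 already folds `$user->admin` in; doing the same for `$caneditfield` there (`$caneditfield=($user->admin || ( ... ));`) keeps the display and action checks in step and lets this line drop back to `if ($caneditfield)`. Whether admin implies those rights elsewhere is not visible here, so this is worth confirming. The enclosing `else` block starts outside the hunk.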