Changeset:
568384810b7d
https://sourceforge.net/p/mrbs/hg-code/ci/568384810b7def2402b92e648c4b2a9fcc167394
Author:
Campbell Morrison <[email protected]>
Date:
Mon Aug 15 17:12:32 2016 +0100
Log message:
Allowed custom fields in the users table to be writable only by admins
diffstat:
web/edit_users.php | 9 ++++++++-
web/systemdefaults.inc.php | 7 +++++++
2 files changed, 15 insertions(+), 1 deletions(-)
diffs (49 lines):
diff -r f916461ef2e6 -r 568384810b7d web/edit_users.php
--- a/web/edit_users.php Sun Aug 14 12:05:55 2016 +0100
+++ b/web/edit_users.php Mon Aug 15 17:12:32 2016 +0100
@@ -350,13 +350,14 @@
break;
default:
echo "<div>\n";
+ $params['disabled'] = ($level < $min_user_editing_level) &&
in_array($key, $auth['db']['protected_fields']);
switch($key)
{
case 'level':
// Work out whether the level select input should be
disabled (NB you can't make a <select> readonly)
// We don't want the user to be able to change the level
if (a) it's the first user being created or
// (b) it's the last admin left or (c) they don't have
admin rights
- $params['disabled'] = $initial_user_creation ||
$editing_last_admin || ($level < $min_user_editing_level);
+ $params['disabled'] = $initial_user_creation ||
$editing_last_admin || $params['disabled'];
// Only display options up to and including one's own
level (you can't upgrade yourself).
// If you're not some kind of admin then the select will
also be disabled.
// (Note - disabling individual options doesn't work in
older browsers, eg IE6)
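Review bot: The level select is no longer unconditionally disabled for non-admins: the removed line tested `($level < $min_user_editing_level)` directly, while the replacement `$params['disabled'] = $initial_user_creation || $editing_last_admin || $params['disabled'];` only carries that test through the `in_array($key, $auth['db']['protected_fields'])` result computed in the default branch, so a site that removes 'level' from `$auth['db']['protected_fields']` would present an enabled level selector to ordinary users. Keeping the explicit term costs nothing: `$params['disabled'] = $initial_user_creation || $editing_last_admin || ($level < $min_user_editing_level) || $params['disabled'];`. Pass `true` as the third argument to `in_array` so the field-name match is strict rather than loose. The disabled attribute is only a client-side hint, so the server-side check later in this file is the control that matters; the enclosing switch and function both start before and run past this hunk.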
@@ -686,6 +687,12 @@
// For each db column get the value ready for the database
foreach ($fields as $field)
{
+ // Stop ordinary users trying to change fields they are not allowed to
+ if (($level < $min_user_editing_level) && in_array($field['name'],
$auth['db']['protected_fields']))
+ {
+ continue;
+ }
+
$fieldname = $field['name'];
if ($fieldname != 'id')
{
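Review bot: The new guard silently discards a submitted value for a protected field instead of rejecting the request, so a non-admin who tampers with the form gets no error and the rest of the update proceeds as though the attempt never happened; at minimum record it, e.g. `trigger_error("Ignoring protected field '{$field['name']}' submitted by non-admin", E_USER_WARNING);` before the `continue`. Protection of 'level' and 'name' is now entirely config-driven: if `$auth['db']['protected_fields']` is emptied, or set to a non-array (where `in_array` appears to warn and return a falsy value), the guard is bypassed, so merging a hardcoded floor of `array('level', 'name')` into the configured list before the check would be safer. Pass `true` as the third argument to `in_array` for a strict comparison. The foreach's enclosing function begins outside the hunk.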
diff -r f916461ef2e6 -r 568384810b7d web/systemdefaults.inc.php
--- a/web/systemdefaults.inc.php Sun Aug 14 12:05:55 2016 +0100
+++ b/web/systemdefaults.inc.php Mon Aug 15 17:12:32 2016 +0100
@@ -712,6 +712,13 @@
// $pwd_policy['special'] = 1; // Minimum number of special characters (not
alpha-numeric)
+// 'auth_db' configuration settings
+// List of fields which only admins can edit. By default these are the
+// user level (ie admin/user) and the username. Custom fields can be added
+// as required.
+$auth['db']['protected_fields'] = array('level', 'name');
+
+
// 'auth_db_ext' configuration settings
// The 'db_system' variable is equivalent to the core MRBS $dbsys variable,
// and allows you to use any of MRBS's database abstraction layers for