For a "group_admin" account, you do not have access to view accounts
unless you are the group owner; but you can go to "Edit My Account" and then
change the "cid=" request parameter to display the information of any account (any cid),
including accounts outside your own group.
In other words, the requested cid is trusted without checking that the caller is allowed to see that account (a missing authorization check). This may be undesirable and qualify as a security risk for some people.
In 'users.php', the fix is probably to check permissions when user_mode == edit_account,
just as is already done when user_mode == edit_account_now.
Michael
diff -ur users.php.orig users.php
--- users.php.orig Thu Feb 3 19:06:42 2005
+++ users.php Thu Mar 3 18:35:41 2005
@@ -36,6 +36,23 @@
// Get account info
$account_info = get_account_info($id);
+ // If group_admin, make sure this account belongs to the user
+ if($user_info['Account_Type'] != 'senior_admin'
+ && $user_info['cid'] != $account_info['cid']) {
+ if($user_info['Account_Type'] == 'group_admin' &&
+ $account_info['gid'] != $user_info['cid']) {
+ $message = "<span class=\"error\">Error: you do not have
permission to edit this account</span>\n";
+ header("Location: $base_url&message=".urlencode($message));
+ exit;
+ } else if($user_info['Account_Type'] == 'user' &&
+ $_REQUEST['cid'] != $user_info['cid']) {
+ $message = "<span class=\"error\">Error: you do not have
permission to edit this account</span>\n";
+ header("Location: $base_url&message=".urlencode($message));
+ exit;
+ }
+ }
+
+
// Set user_mode_next and title
$smarty->assign('user_mode_next', 'edit_account_now');
$smarty->assign('account_title', 'Edit Account');
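Review bot: The added check fails open: the inner `if` / `else if` only denies callers whose `Account_Type` is `group_admin` or `user`, so any other or unexpected `Account_Type` value that is neither `senior_admin` nor the account owner falls through to the edit form, and the `user` branch compares `$_REQUEST['cid']` instead of the `$account_info['cid']` that `$id` was resolved from, so the two values can disagree. Inverting the logic into a single allow-list (senior_admin, owner, or group_admin of the account's group) makes denial the default, removes the second source of the target id, and lets you reject a failed `get_account_info($id)` lookup before comparing its fields with `!=` — assuming that helper returns something empty on a miss, which the hunk does not show. The enclosing `edit_account` branch begins and ends outside this hunk, and the same test should be confirmed present in the `edit_account_now` handler the report refers to. The HTML error string is carried through the redirect URL and presumably rendered by the target page, which follows the file's existing pattern but is worth confirming on the receiving side.
```php
$account_info = get_account_info($id);
// Fail closed: only senior_admin, the account owner, or the group_admin
// of the account's group may reach the edit form.
$allowed = !empty($account_info)
    && ($user_info['Account_Type'] == 'senior_admin'
        || $user_info['cid'] == $account_info['cid']
        || ($user_info['Account_Type'] == 'group_admin'
            && $account_info['gid'] == $user_info['cid']));
if (!$allowed) {
    $message = "<span class=\"error\">Error: you do not have permission to edit this account</span>\n";
    header("Location: $base_url&message=".urlencode($message));
    exit;
}
// … unchanged: user_mode_next / account_title assignments …
```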