Michael wrote:
For a "group_admin" account, you don't have access to view accounts unless you are the group owner, but you can go to "Edit My Account", then change the "cid=" option to display any info for any cid.
This may be undesirable and qualify as a security risk for some people.
In 'users.php' maybe check permissions if user_mode == edit_account just like if user_mode == edit_account_now ???
Michael
diff -ur users.php.orig users.php --- users.php.orig Thu Feb 3 19:06:42 2005 +++ users.php Thu Mar 3 18:35:41 2005 @@ -36,6 +36,23 @@ // Get account info $account_info = get_account_info($id);
+ // If group_admin, make sure this account belongs to the user + if($user_info['Account_Type'] != 'senior_admin' + && $user_info['cid'] != $account_info['cid']) { + if($user_info['Account_Type'] == 'group_admin' && + $account_info['gid'] != $user_info['cid']) { + $message = "<span class=\"error\">Error: you do not have permission to edit this account</span>\n"; + header("Location: $base_url&message=".urlencode($message)); + exit; + } else if($user_info['Account_Type'] == 'user' && + $_REQUEST['cid'] != $user_info['cid']) { + $message = "<span class=\"error\">Error: you do not have permission to edit this account</span>\n"; + header("Location: $base_url&message=".urlencode($message)); + exit; + } + } + + // Set user_mode_next and title $smarty->assign('user_mode_next', 'edit_account_now'); $smarty->assign('account_title', 'Edit Account');
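Review bot: the `user` branch tests `$_REQUEST['cid']` while the outer condition and the `group_admin` branch test the loaded `$account_info`; the outer `if` already establishes `$user_info['cid'] != $account_info['cid']`, so unless `$id` is always taken from `$_REQUEST['cid']`, a request whose `cid` parameter equals the caller's own cid but whose `$id` loads another account passes the inner check and falls through to the edit page. Compare against `$account_info['cid']` instead, or drop the inner `user` check since the outer condition already covers it. The chain is also default-allow: any `Account_Type` other than `senior_admin`, `group_admin` or `user` that reaches the outer block is never rejected, so add a final `else` that redirects with the same error, and fold the two identical `$message`/`header`/`exit` sequences into one. Lastly, the redirect message carries raw HTML (`<span class="error">`) through the URL; if the receiving page echoes `message` unescaped that is an injection point, so pass a plain string and escape it on output.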
Got it, thanks!
Bill
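The check Michael asks for, applied on both the `edit_account` and `edit_account_now` paths, is easier to reason about as a single default-deny helper keyed on the account record that `get_account_info($id)` returned rather than on a request parameter. The code below is an added example, not code from this thread or from the project; the field names `Account_Type`, `cid` and `gid`, the three account types, and the convention that a group admin's group is identified by the admin's own `cid` are taken from the thread, while `can_edit_account`, the sample records, and the integer-id assumption are mine.

```php
<?php
// Added example (not from the thread or the project): a default-deny
// authorization helper for the "Edit My Account" path in users.php.
// Assumes cid and gid are integer ids and that a group_admin's group
// is identified by the admin's own cid, as the thread's patch does.

function can_edit_account(array $user_info, array $account_info): bool
{
    // senior_admin may edit any account.
    if ($user_info['Account_Type'] === 'senior_admin') {
        return true;
    }
    // Anyone may edit their own account. The decision is keyed on the
    // loaded record, never on $_REQUEST['cid'].
    if ((int)$user_info['cid'] === (int)$account_info['cid']) {
        return true;
    }
    // group_admin may edit accounts whose gid is the admin's own cid.
    if ($user_info['Account_Type'] === 'group_admin'
        && (int)$account_info['gid'] === (int)$user_info['cid']) {
        return true;
    }
    // Everything else, including unknown account types, is denied.
    return false;
}

// How it would be wired into users.php for both edit modes
// ($id, $base_url and get_account_info are the thread's names, assumed here):
//
//   if ($user_mode === 'edit_account' || $user_mode === 'edit_account_now') {
//       $account_info = get_account_info($id);
//       if (!can_edit_account($user_info, $account_info)) {
//           $message = 'Error: you do not have permission to edit this account';
//           header('Location: ' . $base_url . '&message=' . urlencode($message));
//           exit;
//       }
//   }

// Constructed records to exercise the helper from the command line.
$group_admin = ['Account_Type' => 'group_admin', 'cid' => 10, 'gid' => 1];
$member      = ['Account_Type' => 'user',        'cid' => 42, 'gid' => 10];
$outsider    = ['Account_Type' => 'user',        'cid' => 77, 'gid' => 20];
$unknown     = ['Account_Type' => 'reseller',    'cid' => 99, 'gid' => 0];

var_dump(can_edit_account($group_admin, $member));    // bool(true): in the admin's group
var_dump(can_edit_account($group_admin, $outsider));  // bool(false): another group
var_dump(can_edit_account($member, $member));         // bool(true): own account
var_dump(can_edit_account($member, $outsider));       // bool(false): someone else's account
var_dump(can_edit_account($unknown, $member));        // bool(false): unknown type denied
```

Keeping the rule in one function means the view and the save step cannot drift apart, and the plain-text error avoids pushing HTML through the redirect URL.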
