#1
[TSSE v5.1]Permissions on Editing Users
I found out today that Staff Members can alter another member's privileges greater than their own.
E.g. Admin can promote any user class to Sysop, or Team Leader. This should not be the case; normally staff should only be able to promote to the level below them. Any ideas on how to fix this hole?
#2
I suck at php but it should be in edituser.php
Code:
function permission_check ()
{
    global $userdata;
    global $usergroups;
    global $CURUSER;

    // Refuse when the edited account ($userdata) holds a staff flag that
    // $usergroups lacks, or when the editor is editing their own account.
    if (($userdata['cansettingspanel'] == 'yes' AND $usergroups['cansettingspanel'] != 'yes')
        OR ($userdata['issupermod'] == 'yes' AND $usergroups['issupermod'] != 'yes')
        OR ($userdata['canstaffpanel'] == 'yes' AND $usergroups['canstaffpanel'] != 'yes')
        OR $CURUSER['id'] == $userdata['id'])
    {
        print_no_permission (false, true, 'Permission Denied: Protected usergroup!');
        return null;
    }
}
#3
Will have a look at that, I was looking at this function that deals with the drop down box that selects the usergroups.
PHP Code:
#4
Not sure what's in the basket for 5.4.1, but there should be a better definition of what group is higher rank than the other group, and I think Xam kinda messed it up on 5.1, but I know further down it was fixed. Still not sure how it got fixed, so not sure if a custom group can actually screw up things if you give staff power to them (which I don't recommend unless you make that custom group larger than the "team leader").
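The function posted in #2 compares only the edited member's current flags; it never looks at the group being assigned. One way to add that comparison, as an added example that is not part of the thread or of TSSE's code: it assumes every usergroup row carries the three 'yes'/'no' flags seen in that function, and the function names and sample rows are hypothetical.

```php
<?php
// Added example, not TSSE code. The flag names come from the check posted in #2;
// everything else (function names, sample rows) is hypothetical.
const STAFF_FLAGS = ['cansettingspanel', 'issupermod', 'canstaffpanel'];

// Staff flags that a usergroup row has switched on.
function staff_flags(array $group): array
{
    return array_values(array_filter(STAFF_FLAGS, fn($f) => ($group[$f] ?? 'no') === 'yes'));
}

// True when $lower holds only flags that $higher also holds, and fewer of them.
// Works for custom groups too, because it compares flags rather than group ids.
function strictly_below(array $lower, array $higher): bool
{
    $l = staff_flags($lower);
    $h = staff_flags($higher);
    return array_diff($l, $h) === [] && count($l) < count($h);
}

// May a member of $actorGroup move someone from $currentGroup to $newGroup?
// Both groups must sit strictly below the actor, so staff cannot hand out
// their own level or anything above it, and cannot edit a peer or themselves.
function can_assign_group(array $actorGroup, array $currentGroup, array $newGroup): bool
{
    return strictly_below($currentGroup, $actorGroup)
        && strictly_below($newGroup, $actorGroup);
}

// Constructed sample rows; real usergroup rows carry more columns.
$sysop  = ['cansettingspanel' => 'yes', 'issupermod' => 'yes', 'canstaffpanel' => 'yes'];
$admin  = ['cansettingspanel' => 'no',  'issupermod' => 'yes', 'canstaffpanel' => 'yes'];
$mod    = ['cansettingspanel' => 'no',  'issupermod' => 'yes', 'canstaffpanel' => 'no'];
$custom = ['cansettingspanel' => 'no',  'issupermod' => 'no',  'canstaffpanel' => 'yes'];
$user   = [];

// The case from post #1: an Admin tries to assign Sysop to an ordinary user.
var_dump(can_assign_group($admin, $user, $sysop));
// An Admin assigns a group below their own.
var_dump(can_assign_group($admin, $user, $mod));
// The case from post #4: a moderator tries to assign a custom group with staff-panel access.
var_dump(can_assign_group($mod, $user, $custom));
```

The check belongs on the server where the group change is saved, not only in the drop-down that lists the groups, since a submitted form can carry any group id.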
#5
Well, I think we noticed that too, but I didn't try to solve it, just ignored it... but thanks to you guys I feel like I have a nuke bomb in my tracker now :(
__________________
Telegram: https://t.me/mhmd1983 My custom tracker http://tracker.3arbya.info