#1
21st November 2008, 04:36
Krypto (Retired from BVList)
[TSSE v5.1] Permissions on Editing Users
I found out today that Staff Members can alter another member's privileges to a level greater than their own.

e.g. Admin can promote any user class to Sysop, or Team Leader.

This should not be the case; normally staff should only be able to promote to the level below them.

Any ideas on how to fix this hole?
#2
21st November 2008, 06:08
Ashur (Senior Member)
I suck at php but it should be in edituser.php

Code:
  function permission_check ()
  {
    global $userdata;
    global $usergroups;
    global $CURUSER;
    // Deny if $userdata has a staff flag set to 'yes' that $usergroups lacks,
    // or if the logged-in user ($CURUSER) is the same account as $userdata.
    if (($userdata['cansettingspanel'] == 'yes' AND $usergroups['cansettingspanel'] != 'yes')
        OR ($userdata['issupermod'] == 'yes' AND $usergroups['issupermod'] != 'yes')
        OR ($userdata['canstaffpanel'] == 'yes' AND $usergroups['canstaffpanel'] != 'yes')
        OR $CURUSER['id'] == $userdata['id'])
    {
      print_no_permission (false, true, 'Permission Denied: Protected usergroup!');
      return null;
    }
    // (the post quotes the function only up to this point)
  }
Well, because once they added umm special groups and group numbers don't mean crap, so I have an idea how to get this solved but no clue how to write it in PHP.
__________________
Say NO to private tracking
Running TorrentHoster 2.5 on IraqiGate.org
#3
21st November 2008, 11:08
Krypto (Retired from BVList)
Will have a look at that. I was looking at this function that deals with the drop-down box that selects the usergroups.

PHP Code:
  function selectbox ($title, $name, $type, $class = 'specialboxnn')
  {
    global $userdata;
    global $usergroups;

    // Open the table row and the <select> element.
    echo '' . '<tr>
<td valign="top" width="40%" align="right">' . $title . '</td><td valign="top" width="60%" align="left">
<select name="' . $name . '" id="' . $class . '">
';

    if ($type == 'trackergroups')
    {
      $query = sql_query ('SELECT gid,title,cansettingspanel,issupermod,canstaffpanel FROM usergroups');
      while ($tclass = mysql_fetch_array ($query))
      {
        // Skip (do not list) groups whose staff flags $usergroups does not have.
        if (($tclass['cansettingspanel'] == 'yes' AND $usergroups['cansettingspanel'] != 'yes')
            OR ($tclass['issupermod'] == 'yes' AND $usergroups['issupermod'] != 'yes')
            OR ($tclass['canstaffpanel'] == 'yes' AND $usergroups['canstaffpanel'] != 'yes')
            OR (($tclass['cansettingspanel'] == 'yes' OR $tclass['issupermod'] == 'yes') AND $usergroups['cansettingspanel'] != 'yes')
            OR (($tclass['gid'] == UC_ADMINISTRATOR OR $tclass['gid'] == UC_SYSOP) AND $usergroups['cansettingspanel'] != 'yes'))
        {
          continue;
        }

        // Pre-select the group the user in $userdata currently belongs to.
        echo '<option value="' . $tclass['gid'] . '" ' . ($userdata['usergroup'] == $tclass['gid'] ? 'selected' : '') . '>' . $tclass['title'] . '</option>';
      }
    }

    echo '</select>
</td>
</tr>
';
  }
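A server-side check for the rule described in post #1, as an added example that is not TSSE code and not part of the original thread: the dropdown built by selectbox() only controls which options are rendered, so the gid submitted with the form is validated again when the edit is saved. The flag names come from the usergroups query quoted above; the function names, the comparison by flag set rather than by gid number, and the sample rows are assumptions.

```php
<?php
// Added example, not TSSE code. Flag names come from the usergroups query
// quoted above; function names and sample rows are hypothetical.

const PRIV_FLAGS = ['cansettingspanel', 'issupermod', 'canstaffpanel'];

// Return the list of privilege flags a usergroups row has switched on.
function group_privs(array $group): array
{
    return array_values(array_filter(
        PRIV_FLAGS,
        fn($flag) => ($group[$flag] ?? 'no') === 'yes'
    ));
}

// True only if $newGroup is strictly below $actorGroup: every flag it holds
// is held by the actor, and the actor holds at least one flag it lacks.
function can_assign_group(array $actorGroup, array $newGroup): bool
{
    $actor = group_privs($actorGroup);
    $new   = group_privs($newGroup);
    return array_diff($new, $actor) === [] && count($new) < count($actor);
}

// Run when the edit form is processed, on the gid that was actually submitted.
function check_requested_group(array $actorGroup, array $groupsByGid, $requestedGid): bool
{
    $gid = filter_var($requestedGid, FILTER_VALIDATE_INT);
    if ($gid === false || !isset($groupsByGid[$gid])) {
        return false; // unknown or malformed gid: refuse
    }
    return can_assign_group($actorGroup, $groupsByGid[$gid]);
}

// Constructed sample rows (not real TSSE data).
$groups = [
    1 => ['title' => 'User',  'cansettingspanel' => 'no',  'issupermod' => 'no',  'canstaffpanel' => 'no'],
    2 => ['title' => 'Mod',   'cansettingspanel' => 'no',  'issupermod' => 'no',  'canstaffpanel' => 'yes'],
    3 => ['title' => 'Admin', 'cansettingspanel' => 'no',  'issupermod' => 'yes', 'canstaffpanel' => 'yes'],
    4 => ['title' => 'Sysop', 'cansettingspanel' => 'yes', 'issupermod' => 'yes', 'canstaffpanel' => 'yes'],
];

// The constructed "Admin" row acts as the staff member doing the edit.
foreach ([1, 2, 3, 4, '99', 'x'] as $gid) {
    $ok = check_requested_group($groups[3], $groups, $gid) ? 'allow' : 'deny';
    echo "Admin assigns gid $gid: $ok\n";
}
```

Because the comparison uses the flag set and not the gid, a custom group is ranked by the staff powers it actually carries, whatever number it was given.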
#4
21st November 2008, 21:09
Ashur (Senior Member)
Not sure what's in the basket for 5.4.1, but there should be a better definition of which group is higher rank than the other group, and I think Xam kinda messed it up on 5.1. I know further down it was fixed, but I'm still not sure how it got fixed, so I'm not sure if a custom group can actually screw up things if you give staff power to them (which I don't recommend unless you make that custom group larger than "team leader").
#5
21st November 2008, 22:36
mhmd_1983 (Senior Member)
Well, I think we noticed that too, but I didn't try to solve it, just ignored it... but thanks to you guys I feel like I have a nuke bomb in my tracker now :(
__________________

Telegram:https://t.me/mhmd1983
My custom tracker http://tracker.3arbya.info