prevent admin hijacks
		| @@ -127,7 +127,7 @@ function notifications_content(&$a) { | |||||||
| 		notice( t('No notifications.') . EOL); | 		notice( t('No notifications.') . EOL); | ||||||
|  |  | ||||||
| 	if ($a->config['register_policy'] = REGISTER_APPROVE &&	 | 	if ($a->config['register_policy'] = REGISTER_APPROVE &&	 | ||||||
| 		$a->config['admin_email'] = $a->user['email']){ | 		$a->config['admin_email'] === $a->user['email']){ | ||||||
| 		$o .= load_view_file('view/registrations-top.tpl'); | 		$o .= load_view_file('view/registrations-top.tpl'); | ||||||
| 		 | 		 | ||||||
| 		$r = q("SELECT `register`.*, `contact`.`name`, `user`.`email` | 		$r = q("SELECT `register`.*, `contact`.`name`, `user`.`email` | ||||||
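Review bot: The first half of the condition on the new side is still an assignment: `$a->config['register_policy'] = REGISTER_APPROVE && ...` stores the result of `REGISTER_APPROVE && (admin_email === user email)` into the config entry, so the registration policy is never actually tested and the in-memory config value is overwritten for the rest of the request; only the second `=` was turned into `===`. The line should read `if(($a->config['register_policy'] == REGISTER_APPROVE) && (x($a->config,'admin_email')) && ($a->config['admin_email'] === $a->user['email'])) {` — loose equality on the policy because the stored value may well be a string, which I cannot confirm from here. The `x($a->config,'admin_email')` guard also mirrors the check the commit adds in regmod_content. notifications_content's body continues outside the hunk.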
|   | |||||||
| @@ -12,6 +12,11 @@ function regmod_content(&$a) { | |||||||
| 		return $o; | 		return $o; | ||||||
| 	} | 	} | ||||||
|  |  | ||||||
|  | 	if((! (x($a->config,'admin_email'))) || ($a->config['admin_email'] !== $a->user['email'])) { | ||||||
|  | 		notice( t('Permission denied.') . EOL); | ||||||
|  | 		return ''; | ||||||
|  | 	} | ||||||
|  |  | ||||||
| 	if($a->argc != 3) | 	if($a->argc != 3) | ||||||
| 		killme(); | 		killme(); | ||||||
|  |  | ||||||
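Review bot: The admin check added at the top of regmod_content compares the two addresses with `!==`, while the guard added in settings_post (third hunk) treats addresses as case-insensitive via strcasecmp(); an admin whose account email differs from `admin_email` only in letter case would pass the settings guard but be denied here. One rule should apply in all three places, e.g. `if((! (x($a->config,'admin_email'))) || (strcasecmp($a->config['admin_email'], $a->user['email']) !== 0)) {`; the notifications_content condition in the first hunk has the same strict comparison. Whether `$a->user` is always populated at this point depends on the lines above the hunk (the `return $o;` at its top presumably covers the not-logged-in case). regmod_content continues past the hunk.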
|   | |||||||
| @@ -95,6 +95,10 @@ function settings_post(&$a) { | |||||||
| 		$email_changed = true; | 		$email_changed = true; | ||||||
|         if(! valid_email($email)) |         if(! valid_email($email)) | ||||||
| 			$err .= t(' Not valid email.'); | 			$err .= t(' Not valid email.'); | ||||||
|  | 		if((x($a->config,'admin_email')) && (strcasecmp($email,$a->config['admin_email']) == 0)) { | ||||||
|  | 			$err .= t(' Cannot change to that email.'); | ||||||
|  | 			$email = $a->user['email']; | ||||||
|  | 		} | ||||||
| 	} | 	} | ||||||
|  |  | ||||||
| 	if(strlen($err)) { | 	if(strlen($err)) { | ||||||
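Review bot: `strcasecmp($email,$a->config['admin_email']) == 0` in the added guard is a loose comparison on an int result; `=== 0` is the idiom and removes any doubt about coercion. The guard resets `$email` to the stored address but leaves `$email_changed`, set at the top of the hunk, as true; if the code after `if(strlen($err))` does not return, the rest of settings_post would still take the email-changed path, which is worth confirming since that code lies outside the hunk. The enclosing `if` block also begins above the hunk.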
|   | |||||||