extern/egroupware_official
1
0
Fork 0
mirror of https://github.com/EGroupware/egroupware.git synced 2024-11-23 00:13:35 +01:00
Code Issues Packages Projects Releases Wiki Activity

* Preferences: non-admin user was able to give himself run-rights to any app incl. admin

Browse Source
This commit is contained in:
Ralf Becker 2014-09-18 13:53:34 +00:00
parent 3b54e4e39a
commit d0ac7525b6
1 changed files with 37 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
admin/inc/class.admin_acl.inc.php
View File

@ -270,8 +270,8 @@ class admin_acl
!$GLOBALS['egw']->acl->check('account_access', 64, 'admin'); // ! because this denies access!
$own_access = $admin_access || isset($GLOBALS['egw_info']['user']['apps']['preferences']);
}
if (!($location === 'run' || (int)$account_id) ||
!((int)$account_id == (int)$GLOBALS['egw_info']['user']['account_id'] ? $own_access : $admin_access))
if (!(int)$account_id || !((int)$account_id == (int)$GLOBALS['egw_info']['user']['account_id'] && $location !== 'run' ?
$own_access : $admin_access))
{
if ($throw) throw new egw_exception_no_permission(lang('Permission denied!!!'));
return false;
@ -307,6 +307,7 @@ class admin_acl
*/
public static function ajax_change_acl($ids, $rights=null)
{
try {
foreach((array)$ids as $id)
{
list($app, $account_id, $location) = explode(':', $id, 3);
@ -345,6 +346,10 @@ class admin_acl
'type' => !(int)$rights ? 'delete' : 'add',
));
}
catch (Exception $e) {
egw_json_response::get()->call('egw.message', $e->getMessage(), 'error');
}
}
/**
* New index page