From 8b549dcb12ab093d661e17cde10f6fe92f67dc5f Mon Sep 17 00:00:00 2001
From: mikelittle
Date: Tue, 3 Jun 2003 00:08:51 +0000
Subject: [PATCH] Fixed admin level security problem. Plus an user -> a user
git-svn-id: http://svn.automattic.com/wordpress/trunk@149 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-admin/b2edit.php | 4 ++--
 wp-admin/b2edit.showposts.php | 4 ++--
 wp-admin/b2team.php | 12 ++++++------
 3 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/wp-admin/b2edit.php b/wp-admin/b2edit.php
index c78fdaa8f3..c339ca98de 100644
--- a/wp-admin/b2edit.php
+++ b/wp-admin/b2edit.php
@@ -127,7 +127,7 @@ switch($action) {
 if ($user_level > 0) {
 $postdata = get_postdata($post);
 $authordata = get_userdata($postdata["Author_ID"]);
- if ($user_level < $authordata[13])
+ if ($user_level < $authordata->user_level)
 die ('You don’t have the right to edit '.$authordata[1].'’s posts.');
 $content = $postdata['Content'];
@@ -218,7 +218,7 @@ switch($action) {
 $postdata=get_postdata($post) or die("Oops, no post with this ID. Go back !");
 $authordata = get_userdata($postdata["Author_ID"]);
- if ($user_level < $authordata[13])
+ if ($user_level < $authordata->user_level)
 die ("You don't have the right to delete ".$authordata[1]."'s posts.");
 $query = "DELETE FROM $tableposts WHERE ID=$post";
diff --git a/wp-admin/b2edit.showposts.php b/wp-admin/b2edit.showposts.php
index 862e5c6e2c..853dc80ca7 100644
--- a/wp-admin/b2edit.showposts.php
+++ b/wp-admin/b2edit.showposts.php
@@ -235,7 +235,7 @@ if ($i == "ASC")
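Review bot: The die() message on the line after the new comparison still reads `$authordata[1]`, indexing with an integer the same value the fix now treats as an object; if that indexing yields null as it evidently did for `$authordata[13]` in the level check, the author's name in the message comes out empty, and the delete hunk at `@@ -218` has the identical leftover. The b2edit.showposts.php hunk in this same commit already switched to `$authordata->user_login`, so both messages should follow: `die ('You don’t have the right to edit '.$authordata->user_login.'’s posts.');`. Separately, `$user_level < $authordata->user_level` still lets a user of equal level edit and delete another author's posts, whereas the showposts hunk only offers the links when `$user_level > $authordata->user_level` or the viewer is the author, so it is worth confirming which rule is intended. The enclosing switch case begins outside the hunk.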
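Review bot: `$post` is interpolated straight into `DELETE FROM $tableposts WHERE ID=$post` on the hunk's last line with no cast or quoting, so the authorisation check just repaired sits in front of an unconstrained query; where `$post` is read is outside the hunk, but it presumably arrives from the request the way `$prom` does in b2team.php. Casting once where the id is read, `$post = (int) $post;`, bounds it to a single numeric id for both get_postdata() and the DELETE. The b2team.php `@@ -65` hunk interpolates `$id` into its DELETE the same way. The case body continues past the hunk.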

[ $authordata[13]) or ($user_login == $authordata[1])) { + if (($user_level > $authordata->user_level) or ($user_login == $authordata->user_login)) { echo " - @ $authordata[13]) or ($user_login == $authordata[1])) { + if (($user_level > $authordata->user_level) or ($user_login == $authordata->user_login)) { echo "[ comment_ID."\">Edit"; echo " - ID."&comment=".$commentdata->comment_ID."\">Delete ]"; }
diff --git a/wp-admin/b2team.php b/wp-admin/b2team.php
index 45afc705f9..07d29717d3 100644
--- a/wp-admin/b2team.php
+++ b/wp-admin/b2team.php
@@ -33,10 +33,10 @@ case 'promote':
 $prom = $HTTP_GET_VARS["prom"];
 $user_data = get_userdata($id);
- $usertopromote_level = $user_data[13];
+ $usertopromote_level = $user_data->user_level;
 if ($user_level <= $usertopromote_level) {
- die('Can’t change the level of an user whose level is higher than yours.');
+ die('Can’t change the level of a user whose level is higher than yours.');
 }
 if ('up' == $prom) {
@@ -65,7 +65,7 @@ case 'delete':
 $usertodelete_level = $user_data->user_level;
 if ($user_level <= $usertodelete_level)
- die('Can’t delete an user whose level is higher than yours.');
+ die('Can’t delete a user whose level is higher than yours.');
 $sql = "DELETE FROM $tableusers WHERE ID = $id";
 $result = $wpdb->query($sql) or die("Couldn’t delete user #$id.");
@@ -83,7 +83,7 @@ default:
 include ('b2header.php');
 ?>
-
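Review bot: Nothing checks that `get_userdata($id)` actually found a user before `$user_data->user_level` is read on the changed line; get_userdata()'s failure value is not visible here, but a null or false result makes the property read null, and `$user_level <= null` is false for any positive level, so the guard is skipped and the promote code below runs against a non-existent row. A cheap guard after the lookup, `if (!$user_data) die('No such user.');`, keeps the level comparison meaningful; the delete case at `@@ -65` reads `$usertodelete_level` the same way and needs the same guard. The rest of the promote case lies outside the hunk.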

Click on an user’s login name to see his complete profile.
+

Click on a user’s login name to see his complete profile.
To edit your profile, click on your login name.

@@ -191,8 +191,8 @@ default:
 }
 if ($user_level >= 3) {
 ?>
-

To delete an user, bring his level to zero, then click on the red X.
- Warning: deleting an user also deletes all posts made by this user. +

To delete a user, bring his level to zero, then click on the red X.
+ Warning: deleting a user also deletes all posts made by this user.