Merge branch 'xorg/maint' into xorg/master

diff --git a/SECURITY b/SECURITY
index 7bc0c39..cd722cc 100644 (file)
--- a/SECURITY
+++ b/SECURITY
@@ -12,6 +12,7 @@
 # The commit id should refer to the id in the "master" branch, if the initial
 # commit in a version branch had another name.
 
+2012-01-04 a471e374 Fixes access to list administration.
 2010-10-28 4c5a5921 Registration allowed reactivation and resetting password of disabled accounts.
 2010-06-23 aa8a2914 Fix visibility of emails, groups, death info on profile.
 2010-04-02 3e2442cd Fix freetext visibility.

diff --git a/modules/geoloc.php b/modules/geoloc.php
index fafbe49..41da79a 100644 (file)
--- a/modules/geoloc.php
+++ b/modules/geoloc.php
@@ -37,7 +37,6 @@ class GeolocModule extends PLModule
         $page->addJsLink($map_url, false);
         $page->addJsLink('maps.js');
         $page->addJsLink('markerclusterer.js');
-        $page->addJsLink('markerwithlabel.js');
         $page->assign('pl_extra_header', '<meta name="viewport" content="initial-scale=1.0, user-scalable=no" />');
     }
 

diff --git a/modules/lists.php b/modules/lists.php
index 6dcef34..baed14f 100644 (file)
--- a/modules/lists.php
+++ b/modules/lists.php
@@ -61,6 +61,19 @@ class ListsModule extends PLModule
         return $globals->mail->domain;
     }
 
+    function verify_list_owner($page, $liste)
+    {
+        if (list(, , $owners) = $this->client->get_members($liste)) {
+            if (!(in_array(S::user()->forlifeEmail(), $owners) || S::admin())) {
+                $page->kill("La liste n'existe pas ou tu n'as pas le droit de l'administrer.");
+            }
+        } else {
+            $page->kill("La liste n'existe pas ou tu n'as pas le droit de l'administrer.<br />"
+                      . " Si tu penses qu'il s'agit d'une erreur, "
+                      . "<a href='mailto:support@polytechnique.org'>contact le support</a>.");
+        }
+    }
+
     function get_pending_ops($domain, $list)
     {
         list($subs,$mails) = $this->client->get_pending_ops($list);
@@ -483,6 +496,7 @@ class ListsModule extends PLModule
         }
 
         $domain = $this->prepare_client($page);
+        $this->verify_list_owner($page, $liste);
 
         $page->changeTpl('lists/moderate.tpl');
 
@@ -602,6 +616,7 @@ class ListsModule extends PLModule
         }
 
         $domain = $this->prepare_client($page);
+        $this->verify_list_owner($page, $liste);
 
         $page->changeTpl('lists/admin.tpl');
 
@@ -730,7 +745,6 @@ class ListsModule extends PLModule
             $page->assign_by_ref('members', $membres);
             $page->assign_by_ref('owners',  $moderos);
             $page->assign('np_m', count($mem));
-
         } else {
             $page->kill("La liste n'existe pas ou tu n'as pas le droit de l'administrer.<br />"
                       . " Si tu penses qu'il s'agit d'une erreur, "
@@ -745,6 +759,7 @@ class ListsModule extends PLModule
         }
 
         $this->prepare_client($page);
+        $this->verify_list_owner($page, $liste);
 
         $page->changeTpl('lists/options.tpl');
 
@@ -813,6 +828,7 @@ class ListsModule extends PLModule
         }
 
         $domain = $this->prepare_client($page);
+        $this->verify_list_owner($page, $liste);
         $page->changeTpl('lists/delete.tpl');
         if (Post::v('valid') == 'OUI') {
             S::assert_xsrf_token();
@@ -847,6 +863,7 @@ class ListsModule extends PLModule
         }
 
         $this->prepare_client($page);
+        $this->verify_list_owner($page, $liste);
 
         $page->changeTpl('lists/soptions.tpl');
 
@@ -876,6 +893,7 @@ class ListsModule extends PLModule
         }
 
         $this->prepare_client($page);
+        $this->verify_list_owner($page, $liste);
 
         $page->changeTpl('lists/check.tpl');