From: Stéphane Jacob
Date: Sat, 7 Aug 2010 11:22:26 +0000 (+0200)
Subject: Prevents group animator to edit data from a user who does not belong to this group.
X-Git-Tag: xorg/1.1.0~26^2~38
X-Git-Url: http://git.polytechnique.org/?a=commitdiff_plain;h=7ae5c545c0848bb629c7c52851976913a2169aa7;p=platal.git

Prevents group animator to edit data from a user who does not belong to this group.

Signed-off-by: Stéphane Jacob
---
diff --git a/classes/user.php b/classes/user.php
index b521048..cc2404a 100644
--- a/classes/user.php
+++ b/classes/user.php
@@ -595,6 +595,15 @@ class User extends PlUser
         return ($groupNb == 1);
     }
 
+    public function inGroup($asso_id)
+    {
+        $res = XDB::fetchOneCell('SELECT  COUNT(*)
+                                    FROM  group_members
+                                   WHERE  uid = {?} AND asso_id = {?}',
+                                 $this->id(), $asso_id);
+        return ($res > 0);
+    }
+
     /**
      * Clears a user.
      *  *always deletes in: account_lost_passwords, register_marketing,
diff --git a/modules/xnetgrp.php b/modules/xnetgrp.php
index 068ad86..b962b4e 100644
--- a/modules/xnetgrp.php
+++ b/modules/xnetgrp.php
@@ -863,13 +863,17 @@ class XnetGrpModule extends PLModule
     {
         global $globals;
 
-        $page->changeTpl('xnetgrp/membres-edit.tpl');
-
         $user = User::getSilent($user);
         if (empty($user)) {
             return PL_NOT_FOUND;
         }
 
+        if (!$user->inGroup($globals->asso('id'))) {
+            pl_redirect('annuaire');
+        }
+
+        $page->changeTpl('xnetgrp/membres-edit.tpl');
+
         $mmlist = new MMList($user, $globals->asso('mail_domain'));
         if (Post::has('change')) {
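Review bot: The new `inGroup()` method in classes/user.php has no docblock, while its neighbour just below is documented; since this commit makes it an authorization guard (the caller in modules/xnetgrp.php redirects non-members away from the edit page), its contract deserves stating: `/** Whether this user is listed in group_members for $asso_id; false when no row matches (incl. a null id). */`. `XDB::fetchOneCell` presumably returns the `COUNT(*)` as a string, so `return ($res > 0);` relies on numeric-string coercion — `return ((int) $res > 0);` makes the intent explicit without changing the result. The query itself is correctly parameterised through the `{?}` placeholders, so both `$this->id()` and `$asso_id` are passed as bound values rather than interpolated.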