From 7ae5c545c0848bb629c7c52851976913a2169aa7 Mon Sep 17 00:00:00 2001
From: =?utf8?q?St=C3=A9phane=20Jacob?=
Date: Sat, 7 Aug 2010 13:22:26 +0200
Subject: [PATCH] Prevents group animator to edit data from a user who does not belong to this group.
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stéphane Jacob
---
 classes/user.php | 9 +++++++++
 modules/xnetgrp.php | 8 ++++++--
 2 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/classes/user.php b/classes/user.php
index b521048..cc2404a 100644
--- a/classes/user.php
+++ b/classes/user.php
@@ -595,6 +595,15 @@ class User extends PlUser
 return ($groupNb == 1);
 }

+ public function inGroup($asso_id)
+ {
+ $res = XDB::fetchOneCell('SELECT COUNT(*)
+ FROM group_members
+ WHERE uid = {?} AND asso_id = {?}',
+ $this->id(), $asso_id);
+ return ($res > 0);
+ }
+
 /**
 * Clears a user.
 * *always deletes in: account_lost_passwords, register_marketing,
diff --git a/modules/xnetgrp.php b/modules/xnetgrp.php
index 068ad86..b962b4e 100644
--- a/modules/xnetgrp.php
+++ b/modules/xnetgrp.php
@@ -863,13 +863,17 @@ class XnetGrpModule extends PLModule
 {
 global $globals;

- $page->changeTpl('xnetgrp/membres-edit.tpl');
-
 $user = User::getSilent($user);
 if (empty($user)) {
 return PL_NOT_FOUND;
 }

+ if (!$user->inGroup($globals->asso('id'))) {
+ pl_redirect('annuaire');
+ }
+
+ $page->changeTpl('xnetgrp/membres-edit.tpl');
+
 $mmlist = new MMList($user, $globals->asso('mail_domain'));

 if (Post::has('change')) {
--
2.1.4
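Review bot: `inGroup()` in classes/user.php is added without a docblock, although the second file of this patch makes it the predicate that decides whether an animator may edit a member, and the method that follows it in the hunk is documented. I would add a short docblock stating that it returns true when `group_members` holds at least one row for this user's id and the given `$asso_id`, and that `$asso_id` is expected to be the id of the group being administered. The query matches any row for that pair, so if `group_members` carries a status or permission column (not visible in this hunk) the docblock should say that it is deliberately ignored.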
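Review bot: The membership guard added in modules/xnetgrp.php protects the edit only if `pl_redirect('annuaire')` ends the request, because nothing after it stops the handler from reaching the `Post::has('change')` branch for a user outside the group. pl_redirect() is not defined in this patch; if it terminates the script the check holds, but the guard would be safer with an explicit exit from the handler, as the `return PL_NOT_FOUND;` just above does for an unknown user. A one-line comment such as `// Animators may only edit members of their own group.` would also record why the check sits ahead of any form handling. The handler's signature and the rest of its body lie outside the hunk, so other actions in this module that take a user argument may need the same check.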