From ae967d16f1ad584d7e03b4466e6cc3d1d067dea6 Mon Sep 17 00:00:00 2001
From: Josh Woody <a_jelly_doughnut@phpbb.com>
Date: Mon, 5 Jul 2010 22:22:25 -0500
Subject: [ticket/9650] Do not allow banning the anonymous user by username

Banning anonymous can result in bad things, like not being able to log in.  However, it was possible until now.

PHPBB3-9650
---
 phpBB/includes/functions_user.php | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

(limited to 'phpBB/includes/functions_user.php')

diff --git a/phpBB/includes/functions_user.php b/phpBB/includes/functions_user.php
index 271542efdd..8d2fa14a4b 100644
--- a/phpBB/includes/functions_user.php
+++ b/phpBB/includes/functions_user.php
@@ -837,14 +837,15 @@ function user_ban($mode, $ban, $ban_len, $ban_len_other, $ban_exclude, $ban_reas
 				FROM ' . USERS_TABLE . '
 				WHERE ' . $db->sql_in_set('username_clean', $sql_usernames);
 
-			// Do not allow banning yourself
+			// Do not allow banning yourself, the guest account, or founders.
+			$non_bannable = array($user->data['user_id'], ANONYMOUS);
 			if (sizeof($founder))
 			{
-				$sql .= ' AND ' . $db->sql_in_set('user_id', array_merge(array_keys($founder), array($user->data['user_id'])), true);
+				$sql .= ' AND ' . $db->sql_in_set('user_id', array_merge(array_keys($founder), $non_bannable), true);
 			}
 			else
 			{
-				$sql .= ' AND user_id <> ' . $user->data['user_id'];
+				$sql .= ' AND ' . $db->sql_in_set('user_id', $non_bannable, true);
 			}
 
 			$result = $db->sql_query($sql);
-- 
cgit v1.2.1