diff options
-rw-r--r-- | phpBB/docs/CHANGELOG.html | 1 | ||||
-rw-r--r-- | phpBB/includes/ucp/ucp_activate.php | 11 |
2 files changed, 12 insertions, 0 deletions
diff --git a/phpBB/docs/CHANGELOG.html b/phpBB/docs/CHANGELOG.html index 14d165b819..986e957237 100644 --- a/phpBB/docs/CHANGELOG.html +++ b/phpBB/docs/CHANGELOG.html @@ -167,6 +167,7 @@ <li>[Feature] db_tools now support create table and drop table.</li> <li>[Feature] Database updater checks for incompatible db schema (MySQL 3.x/4.x against MySQL 4.1.x/5.x/6.x)</li> <li>[Feature] New search option: Maximum number of words allowed to search for.</li> + <li>[Sec] Prevent accounts from being activated by users when admin activation is turned on and the correct activation key is known.</li> </ul> <a name="v303"></a><h3>1.ii. Changes since 3.0.3</h3> diff --git a/phpBB/includes/ucp/ucp_activate.php b/phpBB/includes/ucp/ucp_activate.php index f8aeb2297a..36ab8a0e9b 100644 --- a/phpBB/includes/ucp/ucp_activate.php +++ b/phpBB/includes/ucp/ucp_activate.php @@ -56,6 +56,17 @@ class ucp_activate trigger_error('WRONG_ACTIVATION'); } + // Do not allow activating by non administrators when admin activation is on + // Only activation type the user should be able to do is INACTIVE_REMIND + if ($user_row['user_inactive_reason'] != INACTIVE_REMIND && $config['require_activation'] == USER_ACTIVATION_ADMIN && !$auth->acl_get('a_user')) + { + if (!$user->data['is_registered']) + { + login_box('', $user->lang['NO_AUTH_OPERATION']); + } + trigger_error('NO_AUTH_OPERATION'); + } + $update_password = ($user_row['user_newpasswd']) ? true : false; if ($update_password) |