Diffstat (limited to 'phpBB')
-rw-r--r--phpBB/groupcp.php29
-rwxr-xr-xphpBB/language/lang_english.php1
-rw-r--r--phpBB/profile.php4
3 files changed, 31 insertions, 3 deletions
diff --git a/phpBB/groupcp.php b/phpBB/groupcp.php
index fd8a0d4491..acc96b3b98 100644
--- a/phpBB/groupcp.php
+++ b/phpBB/groupcp.php
@@ -40,6 +40,7 @@ if(!isset($HTTP_GET_VARS['start']))
}
$page_title = $lang['Group_Control_Panel'];
+$is_moderator = FALSE;
//
// First, joining a group
@@ -157,6 +158,7 @@ else if( isset($HTTP_POST_VARS['unsub']) || isset($HTTP_POST_VARS['unsubpending'
//
else if( isset($HTTP_GET_VARS[POST_GROUPS_URL]) || isset($HTTP_POST_VARS[POST_GROUPS_URL]) )
{
+
//
// Include page header here because we might need to send a header redirect from the unsub section
//
@@ -164,11 +166,36 @@ else if( isset($HTTP_GET_VARS[POST_GROUPS_URL]) || isset($HTTP_POST_VARS[POST_GR
$group_id = ( isset($HTTP_POST_VARS[POST_GROUPS_URL]) ) ? $HTTP_POST_VARS[POST_GROUPS_URL] : $HTTP_GET_VARS[POST_GROUPS_URL];
//
+ // For security, get the ID of the group moderator.
+ //
+ $sql = "SELECT group_moderator FROM " . GROUPS_TABLE . " WHERE group_id = $group_id";
+
+ if(!$result = $db->sql_query($sql))
+ {
+ message_die(GENERAL_ERROR, "Could not get moderator information", $lang['Error'], __LINE__, __FILE__, $sql);
+ }
+
+ $row = $db->sql_fetchrow($result);
+ $group_moderator = $row['group_moderator'];
+
+ if($group_moderator == $userdata['user_id'] || $userdata['user_level'] == ADMIN)
+ {
+ $is_moderator = TRUE;
+ }
+
+
+ //
// Handle Additions, removals, approvals and denials
//
if(isset($HTTP_POST_VARS['approve']) || isset($HTTP_POST_VARS['deny']) || $HTTP_POST_VARS['add'] || $HTTP_POST_VARS['remove'])
{
+ if(!$is_moderator)
+ {
+ message_die(GENERAL_ERROR, $lang['Not_group_moderator'], $lang['Error']);
+ }
+
+
$members = $HTTP_POST_VARS['member'];
if(isset($HTTP_POST_VARS['add']))
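Review bot: The new moderator lookup interpolates `$group_id` bare into `WHERE group_id = $group_id`, and the line just above it takes that value straight from `$HTTP_POST_VARS`/`$HTTP_GET_VARS` without any filtering, so the authorization check added here is itself an SQL injection sink; cast it before use, e.g. `$group_id = intval(( isset($HTTP_POST_VARS[POST_GROUPS_URL]) ) ? $HTTP_POST_VARS[POST_GROUPS_URL] : $HTTP_GET_VARS[POST_GROUPS_URL]);`. The check also does not consider an unknown group: when the query returns no row, `sql_fetchrow` yields false, `$group_moderator` becomes null, and the loose `==` against `$userdata['user_id']` would pass for a zero or empty user id if one can occur — better to fail closed with `if( !($row = $db->sql_fetchrow($result)) ) { message_die(GENERAL_ERROR, "Could not get moderator information", $lang['Error'], __LINE__, __FILE__, $sql); }` and compare with `===` after casting both sides to int. A short comment above the comparison, `// Only the group's moderator or a board admin may add/remove/approve/deny members`, would make the intent of `$is_moderator` explicit. The enclosing `else if` block begins and ends outside this hunk.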
@@ -307,7 +334,7 @@ else if( isset($HTTP_GET_VARS[POST_GROUPS_URL]) || isset($HTTP_POST_VARS[POST_GR
//
// END approve or deny
//
-
+
$start = ( isset($HTTP_GET_VARS['start']) ) ? $HTTP_GET_VARS['start'] : 0;
diff --git a/phpBB/language/lang_english.php b/phpBB/language/lang_english.php
index 5abec9f15a..95791eb9e8 100755
--- a/phpBB/language/lang_english.php
+++ b/phpBB/language/lang_english.php
@@ -558,6 +558,7 @@ $lang['Deny_selected'] = "Deny Selected";
$lang['Not_logged_in'] = "You must be logged in to join a group.";
$lang['Remove_selected'] = "Remove Selected";
$lang['Add_member'] = "Add Member";
+$lang['Not_group_moderator'] = "You are not this groups moderator therefor you cannot preform that action.";
$lang['This_open_group'] = "This is an open group, click to request membership";
$lang['This_closed_group'] = "This is a closed group, no more users accepted";
diff --git a/phpBB/profile.php b/phpBB/profile.php
index 194a2c99b0..6c3e65a94a 100644
--- a/phpBB/profile.php
+++ b/phpBB/profile.php
@@ -1429,9 +1429,9 @@ if( isset($HTTP_GET_VARS['mode']) || isset($HTTP_POST_VARS['mode']) )
$username = $row['username'];
$user_actkey = generate_activation_key();
$user_password = generate_password();
-
+
$sql = "UPDATE " . USERS_TABLE . "
- SET user_active = 0, user_newpasswd = '" .md5($user_password) . "', user_actkey = '$user_actkey'
+ SET user_newpasswd = '" .md5($user_password) . "', user_actkey = '$user_actkey'
WHERE user_id = " . $row['user_id'];
if( !$result = $db->sql_query($sql) )
{
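Review bot: Dropping `user_active = 0` from the UPDATE changes a security property but the hunk leaves no record of why: with the old statement, anyone who could trigger a password reset for another user's account could lock that user out, whereas now the account stays usable until the new password is confirmed, which appears to be the intent of writing to `user_newpasswd` rather than `user_password`. Suggest a comment above the `$sql` assignment: `// Do not deactivate the account here; an unauthenticated reset request must not lock the owner out. The new password is held in user_newpasswd until the activation key is confirmed.` (the "until confirmed" part is inferred from the column name and should be checked against the activation handler). Separately, `md5($user_password)` is an unsalted fast hash of the generated password; if the storage format is ever revisited, this is the line to change. The enclosing block starts before this hunk.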