Diffstat (limited to 'phpBB')
-rw-r--r-- | phpBB/docs/CHANGELOG.html | 1 | ||||
-rw-r--r-- | phpBB/memberlist.php | 7 |
2 files changed, 8 insertions, 0 deletions
diff --git a/phpBB/docs/CHANGELOG.html b/phpBB/docs/CHANGELOG.html
index de627e6217..ba51befde5 100644
--- a/phpBB/docs/CHANGELOG.html
+++ b/phpBB/docs/CHANGELOG.html
@@ -134,6 +134,7 @@
 <li>[Fix] Custom profile fields with date type should be timezone independend (Bug #15003)</li>
 <li>[Fix] Fixing some XHTML errors/warnings within the ACP (Bug #22875)</li>
 <li>[Fix] Warnings if poll title/options exceed maximum characters per post (Bug #22865)</li>
+ <li>[Fix] Do not allow selecting non-authorized groups within memberlist by adjusting URL (Bug #22805 - patch provided by ToonArmy)</li>
 </ul>
diff --git a/phpBB/memberlist.php b/phpBB/memberlist.php
index d021581cb2..7244a09591 100644
--- a/phpBB/memberlist.php
+++ b/phpBB/memberlist.php
@@ -1237,6 +1237,7 @@ switch ($mode)
 {
 $group_selected = request_var('search_group_id', 0);
 $s_group_select = '<option value="0"' . ((!$group_selected) ? ' selected="selected"' : '') . '> </option>';
+ $group_ids = array();
 if ($auth->acl_gets('a_group', 'a_groupadd', 'a_groupdel'))
 {
@@ -1261,10 +1262,16 @@ switch ($mode)
 while ($row = $db->sql_fetchrow($result))
 {
+ $group_ids[] = $row['group_id'];
 $s_group_select .= '<option value="' . $row['group_id'] . '"' . (($group_selected == $row['group_id']) ? ' selected="selected"' : '') . '>' . (($row['group_type'] == GROUP_SPECIAL) ? $user->lang['G_' . $row['group_name']] : $row['group_name']) . '</option>';
 }
 $db->sql_freeresult($result);
+ if ($group_selected !== 0 && !in_array($group_selected, $group_ids))
+ {
+ trigger_error('NO_GROUP');
+ }
+
 $template->assign_vars(array(
 'USERNAME' => $username,
 'EMAIL' => $email, |
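Review bot: The membership test in the added `if` of the second memberlist.php hunk depends on loose comparison: `$group_selected` is checked with `!== 0` as an integer, while `$group_ids` stores `$row['group_id']` exactly as the database layer returned it and `in_array()` is called without its strict flag. Casting on collection and comparing strictly keeps this authorization decision independent of PHP's type juggling: `$group_ids[] = (int) $row['group_id'];` and `if ($group_selected !== 0 && !in_array($group_selected, $group_ids, true))`. The check also sits inside a block whose opening condition lies outside both hunks, so it only covers requests that reach this select-box code; if `search_group_id` is read again where the member query is built, that path would presumably need the same restriction, which is worth confirming. A short comment above the `if`, such as `// Reject a search_group_id that is not among the groups offered to this user`, would record why form-rendering code calls `trigger_error()`.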