- Timestamp:
- 12/02/11 17:04:43 (13 years ago)
- File:
-
- 1 edited
Legend:
- Unmodified
- Added
- Removed
-
trunk/dns.cgi
r180 r181 1167 1167 changepage(page => "useradmin", errmsg => "You do not have permission to add new users") 1168 1168 unless $permissions{admin} || $permissions{user_create}; 1169 # no scope check; user is created in the current group 1169 1170 ($code,$msg) = addUser($dbh, $webvar{uname}, $curgroup, $webvar{pass1}, 1170 1171 ($webvar{makeactive} eq 'on' ? 1 : 0), $webvar{accttype}, $permstring, … … 1175 1176 changepage(page => "useradmin", errmsg => "You do not have permission to edit users") 1176 1177 unless $permissions{admin} || $permissions{user_edit}; 1178 # security check - does the user have permission to access this entity? 1179 if (!check_scope(id => $webvar{user}, type => 'user')) { 1180 changepage(page => "useradmin", errmsg => "You do not have permission to edit the requested user"); 1181 } 1177 1182 # User update is icky. I'd really like to do this in one atomic 1178 1183 # operation, but that would duplicate a **lot** of code in DNSDB.pm … … 1230 1235 unless $permissions{admin} || $permissions{user_edit}; 1231 1236 1237 # security check - does the user have permission to access this entity? 1238 if (!check_scope(id => $webvar{user}, type => 'user')) { 1239 changepage(page => "useradmin", errmsg => "You do not have permission to edit the requested user"); 1240 } 1241 1232 1242 $page->param(set_permgroup => 1); 1233 1243 $page->param(action => 'update'); … … 1267 1277 changepage(page=> "useradmin", errmsg => "You are not allowed to delete users") 1268 1278 unless $permissions{admin} || $permissions{user_delete}; 1279 1280 # security check - does the user have permission to access this entity? 1281 if (!check_scope(id => $webvar{id}, type => 'user')) { 1282 changepage(page => "useradmin", errmsg => "You are not permitted to delete the requested user"); 1283 } 1269 1284 1270 1285 $page->param(id => $webvar{id});
Note:
See TracChangeset
for help on using the changeset viewer.