-rw-r--r-- | INSTALL | 28 | ||||
-rw-r--r-- | web/html/account.php | 11 | ||||
-rw-r--r-- | web/lib/acctfuncs.inc.php | 33 |
3 files changed, 52 insertions, 20 deletions
@@ -44,39 +44,37 @@ Setup on Arch Linux: 5) Configure PHP Make sure you have mysql and json enabled in PHP. - - Edit php.ini and uncomment/add these lines: + - Edit php.ini and uncomment/add this line: extension=pdo_mysql.so - extension=json.so - If those php extensions are separate packages on your system, install - them. + If this PHP extension is a separate package on your system, install it. 6) Configure MySQL - Start the MySQL service. Example: - # /etc/rc.d/mysqld start + # systemctl start mysqld - Create database # mysqladmin -p create AUR - Connect to the mysql client - # mysql -uroot -p AUR + $ mysql -uroot -p AUR - Issue the following commands to the mysql client mysql> GRANT ALL PRIVILEGES ON AUR.* to aur@localhost - > identified by 'aur'; + -> identified by 'aur'; mysql> FLUSH PRIVILEGES; mysql> quit - Load the schema file - # mysql -uaur -p AUR < ~/aur/support/schema/aur-schema.sql + $ mysql -uaur -p AUR < ~/aur/support/schema/aur-schema.sql (give password 'aur' at the prompt) - Optionally load some test data for development purposes. - # pacman -S words mysql-python - # cd ~/aur/support/schema/ - # python gendummydata.py dummy-data.sql - # bzip2 dummy-data.sql - # bzcat dummy-data.sql.bz2 | mysql -uaur -p AUR + # pacman -S words fortune-mod + $ cd ~/aur/support/schema/ + $ python gendummydata.py dummy-data.sql + $ bzip2 dummy-data.sql + $ bzcat dummy-data.sql.bz2 | mysql -uaur -p AUR (give password 'aur' at the prompt) If your test data consists of real people and real email addresses consider
@@ -85,7 +83,7 @@ Setup on Arch Linux: mysql> UPDATE Users SET Email = RAND() * RAND(); 7) Copy the config.inc.php.proto file to config.inc.php. Modify as needed. - # cd ~/aur/web/lib/ - # cp config.inc.php.proto config.inc.php + $ cd ~/aur/web/lib/ + $ cp config.inc.php.proto config.inc.php 8) Point your browser to http://aur
diff --git a/web/html/account.php b/web/html/account.php
index 786ae02..cccdd76 100644
--- a/web/html/account.php
+++ b/web/html/account.php
@@ -73,9 +73,14 @@ if (isset($_COOKIE["AURSID"])) {
 		}
 	}
 } elseif ($action == "UpdateAccount") {
-	# user is submitting their modifications to an existing account
-	#
-	if (check_token()) {
+	$uid = uid_from_sid($_COOKIE['AURSID']);
+
+	/* Details for account being updated */
+	$acctinfo = account_details(in_request('ID'), in_request('U'));
+
+	/* Verify user permissions and that the request is a valid POST */
+	if (can_edit_account($atype, $acctinfo, $uid) && check_token()) {
+		/* Update the details for the existing account */
 		process_account_form($atype, "edit", "UpdateAccount", in_request("U"), in_request("T"), in_request("S"), in_request("E"), in_request("P"), in_request("C"),
diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php
index 3fd23ae..a41659e 100644
--- a/web/lib/acctfuncs.inc.php
+++ b/web/lib/acctfuncs.inc.php
@@ -145,8 +145,8 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="",
 		$error = __("The PGP key fingerprint is invalid.");
 	}
-	if ($UTYPE == "Trusted User" && $T == 3) {
-		$error = __("A Trusted User cannot assign Developer status.");
+	if (($UTYPE == "User" && $T > 1) || ($UTYPE == "Trusted User" && $T > 2)) {
+		$error = __("Cannot increase account permissions.");
 	}
 	if (!$error && !array_key_exists($L, $SUPPORTED_LANGS)) {
 		$error = __("Language is not currently supported.");
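Review bot: The new permission gate `if (can_edit_account($atype, $acctinfo, $uid) && check_token())` never checks that `account_details(in_request('ID'), in_request('U'))` actually found an account, so when the lookup comes back empty the authorization decision is made on missing array keys instead of an explicit deny. Make the empty case fail closed before the permission check, e.g. `if (!empty($acctinfo) && can_edit_account($atype, $acctinfo, $uid) && check_token()) {`, so an unknown or mismatched ID/username pair is rejected rather than falling through to `can_edit_account`'s loose comparisons. The `process_account_form(...)` call that follows is cut off by the hunk; please confirm that the account it writes to is identified by the same `ID` the permission check was computed for. Where `$atype` is set, and the branch taken when the check fails, are both outside this hunk.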
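Review bot: In the new check `if (($UTYPE == "User" && $T > 1) || ($UTYPE == "Trusted User" && $T > 2))` the restriction only fires for two named values of `$UTYPE`; any other or empty value is unrestricted, and `$T` is compared numerically while it arrives from the request as a string. A default-deny form keeps the same behaviour for the three known types but refuses unknown ones: `if (($UTYPE != "Developer" && $T > 2) || ($UTYPE != "Developer" && $UTYPE != "Trusted User" && $T > 1)) {`. Normalising the type code first, `$T = intval($T);`, and rejecting values outside the set the form knows (the page shows 1, 2 and 3) avoids relying on loose string-to-number comparison. The body of process_account_form continues outside the hunk.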
@@ -1015,3 +1015,32 @@ function cast_proposal_vote($voteid, $uid, $vote, $newtotal, $dbh=NULL) {
 	$q = "INSERT INTO TU_Votes (VoteID, UserID) VALUES (" . intval($voteid) . ", " . intval($uid) . ")";
 	$result = $dbh->exec($q);
 }
+
+/**
+ * Verify a user has the proper permissions to edit an account
+ *
+ * @param string $atype Account type of the editing user
+ * @param array $acctinfo User account information for edited account
+ * @param int $uid User ID of the editing user
+ *
+ * @return bool True if permission to edit the account, otherwise false
+ */
+function can_edit_account($atype, $acctinfo, $uid) {
+	/* Developers can edit any account */
+	if ($atype == 'Developer') {
+		return true;
+	}
+
+	/* Trusted Users can edit all accounts except Developer accounts */
+	if ($atype == 'Trusted User' &&
+		$acctinfo['AccountType'] != 'Developer') {
+		return true;
+	}
+
+	/* Users can edit only their own account */
+	if ($acctinfo['ID'] == $uid) {
+		return true;
+	}
+
+	return false;
+}
|
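Review bot: `can_edit_account` reads `$acctinfo['AccountType']` and `$acctinfo['ID']` without checking they are present, and both tests use loose comparison; with an empty `$acctinfo` the Trusted User branch still returns true (a missing key is `!= 'Developer'`) and the self-edit branch compares `null == $uid`. Open the function with an explicit deny for missing data, `if (empty($acctinfo['ID'])) { return false; }`, and make the self-edit test strict on integers, `if (intval($acctinfo['ID']) === intval($uid)) {`. The docblock should also name the keys the array must carry (`ID`, `AccountType`) and state that an unknown account yields false, since callers pass in whatever `account_details` returned.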