From 9f072764d32e813a2af62dae89cd3a1bcd258a41 Mon Sep 17 00:00:00 2001
From: Git <git@what.cd>
Date: Tue, 5 Jan 2016 08:00:28 +0000
Subject: [PATCH] Empty commit

---
 docs/CHANGES.txt              |  3 +++
 sections/user/permissions.php | 14 +++++++++++---
 sections/wiki/article.php     |  6 +++---
 sections/wiki/delete.php      |  9 +++++++++
 4 files changed, 26 insertions(+), 6 deletions(-)

diff --git a/docs/CHANGES.txt b/docs/CHANGES.txt
index 90e8ed8c..69099730 100644
--- a/docs/CHANGES.txt
+++ b/docs/CHANGES.txt
@@ -1,5 +1,8 @@
 CHANGE LOG
 
+2016-01-03 by newman
+Fix several permissions bugs
+
 2015-12-24 by newman
 Fix several XSS, SQLi, and misc vulnerabilities
 
diff --git a/sections/user/permissions.php b/sections/user/permissions.php
index 496e8fd6..3ef27f2f 100644
--- a/sections/user/permissions.php
+++ b/sections/user/permissions.php
@@ -1,12 +1,20 @@
 <?
 //TODO: Redo HTML
-if (!check_perms('admin_manage_permissions')) {
-	error(403);
-}
 if (!isset($_REQUEST['userid']) || !is_number($_REQUEST['userid'])) {
 	error(404);
 }
 
+// Get the user class of the user being edited to ensure that the logged in user has permission
+$DB->query("SELECT p.Level 
+            FROM permissions p
+            JOIN users_main AS um ON um.PermissionID = p.ID
+            WHERE um.ID = '" . $_REQUEST['userid'] . "'");
+list($UserClass) = $DB->next_record();
+
+if (!check_perms('admin_manage_permissions', $UserClass)) {
+	error(403);
+}
+
 include(SERVER_ROOT."/classes/permissions_form.php");
 
 list($UserID, $Username, $PermissionID) = array_values(Users::user_info($_REQUEST['userid']));
diff --git a/sections/wiki/article.php b/sections/wiki/article.php
index 0c0dbb8a..8a776e4c 100644
--- a/sections/wiki/article.php
+++ b/sections/wiki/article.php
@@ -50,9 +50,9 @@
 <? if ($Edit <= $LoggedUser['EffectiveClass']) { ?>
 			<a href="wiki.php?action=edit&amp;id=<?=$ArticleID?>" class="brackets">Contribute</a>
 			<a href="wiki.php?action=revisions&amp;id=<?=$ArticleID?>" class="brackets">History</a>
-<? } ?>
-<? if (check_perms('admin_manage_wiki') && $_GET['id'] != INDEX_ARTICLE) { ?>
-			<a href="wiki.php?action=delete&amp;id=<?=$ArticleID?>&amp;authkey=<?=$LoggedUser['AuthKey']?>" class="brackets" onclick="return confirm('Are you sure you want to delete?\nYes, DELETE, not as in \'Oh hey, if this is wrong we can get someone to magically undelete it for us later\' it will be GONE.\nGiven this new information, do you still want to DELETE this article and all its revisions and all its alias\' and act like it never existed?')">Delete</a>
+	<? if (check_perms('admin_manage_wiki') && $_GET['id'] != INDEX_ARTICLE) { ?>
+			<a href="wiki.php?action=delete&amp;id=<?=$ArticleID?>&amp;auth=<?=$LoggedUser['AuthKey']?>" class="brackets" onclick="return confirm('Are you sure you want to delete?\nYes, DELETE, not as in \'Oh hey, if this is wrong we can get someone to magically undelete it for us later\' it will be GONE.\nGiven this new information, do you still want to DELETE this article and all its revisions and all its alias\' and act like it never existed?')">Delete</a>
+	<? } ?>
 <? } ?>
 			<!--<a href="reports.php?action=submit&amp;type=wiki&amp;article=<?=$ArticleID ?>" class="brackets">Report</a>-->
 		</div>
diff --git a/sections/wiki/delete.php b/sections/wiki/delete.php
index 84ec58af..e5eec119 100644
--- a/sections/wiki/delete.php
+++ b/sections/wiki/delete.php
@@ -1,4 +1,6 @@
 <?
+authorize();
+
 if (!check_perms('admin_manage_wiki')) {
 	error(403);
 }
@@ -12,6 +14,13 @@
 	error('You cannot delete the main wiki article.');
 }
 
+$DB->query("SELECT MinClassEdit FROM wiki_articles WHERE ID = '$ID'");
+list($MinEditClass) = $DB->next_record();
+
+if ($MinEditClass > $LoggedUser['EffectiveClass']) {
+    error(403);
+}
+
 $DB->query("
 	SELECT Title
 	FROM wiki_articles