Loophole in ip histories cleared up

Loophole in all histories cleared up

Fixing forum mod issues
What.CD 2011-06-23 08:00:06 +00:00
parent fae1d64491
commit fcdcc2631a
7 changed files with 48 additions and 28 deletions


@ -27,7 +27,8 @@
<strong>Send to: </strong>
<select name="level">
<option value="0" selected="selected">First Line Support</option>
<option value="650">Staff</option>
<option value="650">Forum Moderators</option>
<option value="700">Staff</option>
</select>
<input type="submit" value="Send message" />
@ -83,7 +84,7 @@
$CloseTable = true;
echo '<br /><h3>'.$ClassName.'s</h3>';
?>
<? if($CurClass == 28) { ?>
<? if($CurClass == 650) { ?>
<p>Forum Mods are users who have been promoted to help moderate the forums. They can only help with forum oriented questions</p>
<? } ?>
<table class="staff" width="100%">
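Review bot: The class level 650 is hard-coded twice in this file, as the `Forum Moderators` option value and in the `$CurClass == 650` test, and the `28` printed beside that test (apparently the value it replaces) shows how easily such a literal drifts from the real level. A named constant shared by both places would keep them in step, for example `<? if ($CurClass == FORUM_MOD_LEVEL) { ?>`, where the constant name is a placeholder because none is visible on this page. The `level` field is client-supplied, so the handler that receives this form, which is outside these hunks, should accept only the levels offered here.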


@ -10,14 +10,18 @@
************************************************************************/
if(!check_perms('users_view_email')) { error(403); }
$UserID = $_GET['userid'];
if (!is_number($UserID)) { error(404); }
$UsersOnly = $_GET['usersonly'];
$DB->query("SELECT m.Username, i.JoinDate FROM users_main AS m JOIN users_info AS i ON m.ID=i.UserID WHERE ID = $UserID");
list($Username,$Joined) = $DB->next_record();
$DB->query("SELECT um.Username, ui.JoinDate, p.Level AS Class FROM users_main AS um JOIN users_info AS ui ON um.ID=ui.UserID JOIN permissions AS p ON p.ID=um.PermissionID WHERE um.ID = $UserID");
list($Username, $Joined, $Class) = $DB->next_record();
if(!check_perms('users_view_email', $Class)) {
error(403);
}
$UsersOnly = $_GET['usersonly'];
show_header("Email history for $Username");
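Review bot: Nothing checks that the lookup returned a row before `$Class` is handed to `check_perms('users_view_email', $Class)`. For a numeric `userid` that matches no user, or with this inner `JOIN` a user whose `PermissionID` has no `permissions` row, `list()` leaves `$Class` empty. How `check_perms` treats an empty class is not visible here; if it compares levels numerically, the check would pass and the page would render for a missing user. I would fail closed right after the query with `if (!$DB->record_count()) { error(404); }`. The same pattern is in the other email-history hunk and in the IP, tracker-IP, passkey and password-reset hunks below; the rest of each script lies outside its hunk.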


@ -10,14 +10,17 @@
************************************************************************/
if(!check_perms('users_view_email')) { error(403); }
$UserID = $_GET['userid'];
if (!is_number($UserID)) { error(404); }
$UsersOnly = $_GET['usersonly'];
$DB->query("SELECT m.Username, i.JoinDate FROM users_main AS m JOIN users_info AS i ON m.ID=i.UserID WHERE ID = $UserID");
list($Username,$Joined) = $DB->next_record();
$DB->query("SELECT um.Username, ui.JoinDate, p.Level AS Class FROM users_main AS um JOIN users_info AS ui ON um.ID=ui.UserID JOIN permissions AS p ON p.ID=um.PermissionID WHERE um.ID = $UserID");
list($Username, $Joined, $Class) = $DB->next_record();
if(!check_perms('users_view_email', $Class)) {
error(403);
}
$UsersOnly = $_GET['usersonly'];
show_header("Email history for $Username");


@ -12,14 +12,17 @@
define('IPS_PER_PAGE', 25);
if(!check_perms('users_view_ips')) { error(403); }
$UserID = $_GET['userid'];
if (!is_number($UserID)) { error(404); }
$UsersOnly = $_GET['usersonly'];
$DB->query("SELECT UserName FROM users_main WHERE ID = $UserID");
list($Username) = $DB->next_record();
$DB->query("SELECT um.Username, p.Level AS Class FROM users_main AS um LEFT JOIN permissions AS p ON p.ID=um.PermissionID WHERE um.ID = ".$UserID);
list($Username, $Class) = $DB->next_record();
if(!check_perms('users_view_ips', $Class)) {
error(403);
}
$UsersOnly = $_GET['usersonly'];
show_header("IP history for $Username");
?>
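Review bot: The `LEFT JOIN permissions` here differs from the inner `JOIN` used in the two email-history files, so an existing user whose `PermissionID` has no matching row comes back with an empty `Class` instead of no row at all. Whether `check_perms('users_view_ips', $Class)` denies on an empty class cannot be told from this page; if it does not, that is the one case where the new class comparison is silently skipped. Using `JOIN permissions` as on the email pages, or an explicit `if (!is_number($Class)) { error(403); }` before the class-aware check, would make the behaviour the same everywhere. The tracker-IP, passkey and password-reset hunks use the same `LEFT JOIN`.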


@ -12,14 +12,19 @@
define('IPS_PER_PAGE', 25);
if(!check_perms('users_view_ips') || !check_perms('users_mod')) { error(403); }
if(!check_perms('users_mod')) { error(403); }
$UserID = $_GET['userid'];
if (!is_number($UserID)) { error(404); }
$UsersOnly = $_GET['usersonly'];
$DB->query("SELECT UserName FROM users_main WHERE ID = $UserID");
list($Username) = $DB->next_record();
$DB->query("SELECT um.Username, p.Level AS Class FROM users_main AS um LEFT JOIN permissions AS p ON p.ID=um.PermissionID WHERE um.ID = ".$UserID);
list($Username, $Class) = $DB->next_record();
if(!check_perms('users_view_ips', $Class)) {
error(403);
}
$UsersOnly = $_GET['usersonly'];
show_header("Tracker IP history for $Username");
?>
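Review bot: The two leading `check_perms` lines at the top of this hunk overlap, and the rendering has lost the +/- markers, so I cannot tell from this page which one is the new side. If the `users_mod`-only form is what remains, `users_view_ips` is no longer tested before the lookup and the class-aware call after the query becomes its only gate. That is fine as long as the later call stays, but it deserves a comment so a future cleanup does not drop it, for example `// users_view_ips is enforced below, once the target's class is known`.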


@ -10,13 +10,15 @@
************************************************************************/
if(!check_perms('users_view_keys')) { error(403); }
$UserID = $_GET['userid'];
if (!is_number($UserID)) { error(404); }
$DB->query("SELECT UserName FROM users_main WHERE ID = $UserID");
list($Username) = $DB->next_record();
$DB->query("SELECT um.Username, p.Level AS Class FROM users_main AS um LEFT JOIN permissions AS p ON p.ID=um.PermissionID WHERE um.ID = ".$UserID);
list($Username, $Class) = $DB->next_record();
if(!check_perms('users_view_keys', $Class)) {
error(403);
}
show_header("PassKey history for $Username");


@ -10,13 +10,15 @@
************************************************************************/
if(!check_perms('users_view_keys')) { error(403); }
$UserID = $_GET['userid'];
if (!is_number($UserID)) { error(404); }
$DB->query("SELECT UserName FROM users_main WHERE ID = $UserID");
list($Username) = $DB->next_record();
$DB->query("SELECT um.Username, p.Level AS Class FROM users_main AS um LEFT JOIN permissions AS p ON p.ID=um.PermissionID WHERE um.ID = ".$UserID);
list($Username, $Class) = $DB->next_record();
if(!check_perms('users_view_keys', $Class)) {
error(403);
}
show_header("Password reset history for $Username");