Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> RavenNuke(tm) v2.5x
Author Message
Lucifix
Regular
Regular



Joined: Mar 11, 2005
Posts: 67

PostPosted: Mon Oct 08, 2012 10:57 am Reply with quote

I've got one question about functions is_mod_admin and is_admin.

I've added new admin which have only News permissions. But this admin can also edit and delete Review. I check Review index.php file (not in admin folder) and I found this code:

Code:


function del_review($id_del) {
   global $admin, $prefix, $db, $module_name;
   $id_del = intval($id_del);
   if (is_admin($admin)) {
      $db->sql_query('DELETE FROM ' . $prefix . '_reviews WHERE id = \'' . $id_del . '\'');
      $db->sql_query('DELETE FROM ' . $prefix . '_reviews_comments WHERE rid=\'' . $id_del . '\'');
      Header('Location: modules.php?name=' . $module_name);
      die();
   } else {
      echo 'ACCESS DENIED';
   }
}




is_admin function in mainfile.php only check if admin is really saved in authors table, but it's not checking if admin has also permission in this module.

Code:
function is_admin($admin) {

   if (!$admin) return 0;
   static $adminSave;
   if (isset($adminSave)) return $adminSave;
   if (!is_array($admin)) {
      $admin = base64_decode($admin);
      $admin = addslashes($admin);
      $admin = explode(':', $admin);
   }
   $aid = isset($admin[0]) ? substr($admin[0], 0, 25) : '';
   $pwd = isset($admin[1]) ? $admin[1] : '';
   if (!empty($aid) && !empty($pwd)) {
      global $db, $prefix;
      $sql = 'SELECT `pwd` FROM `' . $prefix . '_authors` WHERE `aid`=\'' .  $db->sql_escape_string($aid) . '\'';
      $result = $db->sql_query($sql);
      list($rpwd) = $db->sql_fetchrow($result, SQL_NUM);
      if($rpwd == $pwd && !empty($rpwd)) {
         return $adminSave = $aid;
      }
   }
   return $adminSave = 0;
}


If I'm right function for del_review should be?

Code:


function del_review($id_del) {
   global $admin, $prefix, $db, $module_name;
   $id_del = intval($id_del);
   if (is_mod_admin($module_name)) {
      $db->sql_query('DELETE FROM ' . $prefix . '_reviews WHERE id = \'' . $id_del . '\'');
      $db->sql_query('DELETE FROM ' . $prefix . '_reviews_comments WHERE rid=\'' . $id_del . '\'');
      Header('Location: modules.php?name=' . $module_name);
      die();
   } else {
      echo 'ACCESS DENIED';
   }
}
 
View user's profile Send private message
Palbin
Site Admin



Joined: Mar 30, 2006
Posts: 2583
Location: Pittsburgh, Pennsylvania

PostPosted: Mon Oct 08, 2012 11:35 am Reply with quote

Off the top of my head what you propose sounds correct.

_________________
"Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it." Brian W. Kernighan. 
View user's profile Send private message
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> RavenNuke(tm) v2.5x

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©