[pmwiki-users] Bug report for UserAuth2
Olle Bergkvist
ollebe at student.chalmers.se
Tue Nov 11 19:08:46 CST 2008

Hello users, hello ThomasP, I found a pretty silly bug in the latest
UserAuth2. File is cookbook/userauth2/userauth1-admintool.php, line is 545
and onwards.

Original: ---------
    // admin_action == 'deluser' or == 'delgroup'
    if (isset($reqVars['tool_confirm'])) {
        if (!isValidPermHolderString($tool_username, $groupaction) ||
            !doesPermHolderExist($tool_username, $groupaction, false))
            PrintAdminToolPageAndExit( $pagename,
                ($groupaction ? $GroupNotExistsFmt : $UserNotExistsFmt)
            );
-----------------

In the line "if (isset($reqVars['tool_confirm'])) {" it is not enough to
check that $reqVars['tool_confirm'] is set. It could be set, but set to
"No". That's why the user/group is deleted even though I click "No, I don't
want to delete". The string must equal "Yes".

Something like this:--------
    // admin_action == 'deluser' or == 'delgroup'
    // ollebe - check so that the answer is YES
    if (isset($reqVars['tool_confirm']) && $reqVars['tool_confirm'] == "Yes") {
        if (!isValidPermHolderString($tool_username, $groupaction) ||
            !doesPermHolderExist($tool_username, $groupaction, false))
            PrintAdminToolPageAndExit( $pagename,
                ($groupaction ? $GroupNotExistsFmt : $UserNotExistsFmt)
            );
--------------------------

Thanks for UserAuth2 btw, for the most part it's great! And also, PLEASE
read in your inbox the security-related emails I sent you from this email
address, I think it's rather important.

//Olle Bergkvist
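
Added example, not part of the original message and not UserAuth2 code: the presence-only check from the report next to a value check, run over constructed request variables. Only the 'tool_confirm' field name and the "Yes"/"No" values come from the post; the function names and sample requests are hypothetical.

```php
<?php
// Added illustration; function names are hypothetical, inputs are constructed.

// Check as in the original snippet: true whenever the field is present,
// whatever value the confirmation form submitted.
function confirmed_isset_only(array $reqVars): bool {
    return isset($reqVars['tool_confirm']);
}

// Check as in the proposed fix, written with a strict comparison so that
// only the exact string "Yes" counts as confirmation. Missing keys, other
// strings and array-valued fields are all treated as "not confirmed".
function confirmed_strict(array $reqVars): bool {
    return isset($reqVars['tool_confirm'])
        && $reqVars['tool_confirm'] === 'Yes';
}

// Constructed request variables: what each button on a Yes/No confirmation
// form would submit, plus malformed cases a handler should also reject.
$samples = [
    'clicked Yes'   => ['tool_confirm' => 'Yes'],
    'clicked No'    => ['tool_confirm' => 'No'],
    'field missing' => [],
    'array-valued'  => ['tool_confirm' => ['Yes']],
    'empty string'  => ['tool_confirm' => ''],
];

// Print what each check would decide for every sample request.
foreach ($samples as $label => $reqVars) {
    printf("%-14s isset-only: %-7s strict: %s\n",
        $label,
        confirmed_isset_only($reqVars) ? 'DELETE' : 'keep',
        confirmed_strict($reqVars) ? 'DELETE' : 'keep');
}
```

For a destructive action, the safe default is to proceed only on the one expected value and to treat every other input as a refusal.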