Revision 1406
Added by FrankH almost 14 years ago
- Security fix to stop users from changing module contents without permission, thanks to Michael Schwarz
| admin.php | ||
|---|---|---|
| 70 | 70 |
$admin->print_error($MESSAGE['PAGES']['INSUFFICIENT_PERMISSIONS']); |
| 71 | 71 |
} |
| 72 | 72 |
|
| 73 |
// some additional security checks: |
|
| 74 |
// Check whether the section_id belongs to the page_id at all |
|
| 75 |
if ($section_id != 0) {
|
|
| 76 |
$sql = "SELECT module FROM `".TABLE_PREFIX."sections` WHERE `page_id` = '$page_id' AND `section_id` = '$section_id'"; |
|
| 77 |
$res_sec = $database->query($sql); |
|
| 78 |
if ($database->is_error()) |
|
| 79 |
{
|
|
| 80 |
$admin->print_error($database->get_error()); |
|
| 81 |
} |
|
| 82 |
if ($res_sec->numRows() == 0) |
|
| 83 |
{
|
|
| 84 |
$admin->print_error($MESSAGE['PAGES']['NOT_FOUND']); |
|
| 85 |
} |
|
| 86 |
|
|
| 87 |
// check module permissions: |
|
| 88 |
$sec = $res_sec->fetchRow(); |
|
| 89 |
if (!$admin->get_permission($sec['module'], 'module')) |
|
| 90 |
{
|
|
| 91 |
$admin->print_error($MESSAGE['PAGES']['INSUFFICIENT_PERMISSIONS']); |
|
| 92 |
} |
|
| 93 |
} |
|
| 94 |
|
|
| 73 | 95 |
// Workout if the developer wants to show the info banner |
| 74 | 96 |
if(isset($print_info_banner) && $print_info_banner == true) {
|
| 75 | 97 |
|
Also available in: Unified diff