Commit 7d75c9f6 authored by Leigh B. Stoller's avatar Leigh B. Stoller

Minor improvements to the permission checking code to prevent people

from being able to edit the TB default images!
parent ded94123
......@@ -37,7 +37,14 @@ $pid = $row[pid];
#
# Verify that this uid is a member of the project that owns the IMAGEID.
#
if (!$isadmin && $pid) {
if (!$isadmin) {
#
# Only admin people can edit imageids with no pid, since they are global.
#
if (!$pid) {
USERERROR("You do not have permission to edit ImageID $imageid!", 1);
}
$query_result = mysql_db_query($TBDBNAME,
"SELECT pid FROM proj_memb WHERE uid=\"$uid\" and pid=\"$pid\"");
if (mysql_num_rows($query_result) == 0) {
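Review bot: The membership query right after the new block still builds SQL by interpolating `$uid` and `$pid` unescaped; `$pid` is read from the images row (see the hunk header) and `$uid` is presumably the authenticated login, so this is likely safe today, but it is worth confirming that `$uid` is validated before this page or routing it through the same DB escaping the rest of the code uses. The new `!$pid` test also treats NULL and the empty string alike, which matches the "global" meaning in the comment but deserves saying explicitly: `# A NULL or empty pid marks a global (TB default) image; only admins may edit those.` This relies on USERERROR not returning; if it ever did, the query below would run with an empty pid and fall into the zero-rows branch, which is still a deny. The enclosing `if (!$isadmin)` block and the `mysql_num_rows` check continue past the end of the hunk.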
......@@ -37,7 +37,14 @@ $pid = $row[pid];
#
# Verify that this uid is a member of the project that owns the IMAGEID.
#
if (!$isadmin && $pid) {
if (!$isadmin) {
#
# Only admin people can edit imageids with no pid, since they are global.
#
if (!$pid) {
USERERROR("You do not have permission to edit ImageID $imageid!", 1);
}
$query_result = mysql_db_query($TBDBNAME,
"SELECT pid FROM proj_memb WHERE uid=\"$uid\" and pid=\"$pid\"");
if (mysql_num_rows($query_result) == 0) {
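Review bot: This block is byte-for-byte identical to the check added in the other file section of this commit, so the two permission paths will silently drift the next time one of them is touched; the admin/global/project-membership decision belongs in one shared helper in the common include that takes `$uid`, `$pid` and `$isadmin` and returns whether editing is allowed, with each page reduced to a single call such as `if (!TBImageIDEditable($uid, $pid, $isadmin)) { USERERROR("You do not have permission to edit ImageID $imageid!", 1); }`. Keeping the check in both the form page and the page that applies the edit is the right shape, since the form is not a security boundary; the point is only that both should call the same code. The `if (!$isadmin)` block and the `mysql_num_rows` branch continue beyond the hunk.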
......@@ -52,13 +52,16 @@ if (!$isadmin && $pid) {
SHOWIMAGEID($imageid, 0);
#
# Edit option
# Edit option, but only if admin or the imageid has a pid. No pid means
# a global imageid, and only admin people can change those.
#
$fooid = rawurlencode($imageid);
echo "<p><center>
Do you want to edit this ImageID?
<A href='editimageid_form.php3?imageid=$fooid'>Yes</a>
</center>\n";
if ($isadmin || $pid) {
$fooid = rawurlencode($imageid);
echo "<p><center>
Do you want to edit this ImageID?
<A href='editimageid_form.php3?imageid=$fooid'>Yes</a>
</center>\n";
}
#
# Standard Testbed Footer
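Review bot: Hiding the "Yes" link behind `if ($isadmin || $pid)` is cosmetic; anyone can still request `editimageid_form.php3?imageid=...` directly, so the edit pages must remain the authoritative check, and the new comment should say so to stop a future reader from treating this gate as the enforcement point: `# Cosmetic only: the edit pages re-check this before accepting any change.` The truthiness test on `$pid` mirrors the earlier view check visible in the hunk header, so it is consistent with how this page already distinguishes global images. `$pid` is set above the hunk, outside the visible lines.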
......@@ -30,7 +30,7 @@ else {
$query_result = mysql_db_query($TBDBNAME,
"select distinct i.* from images as i ".
"left join proj_memb as p on i.pid IS NULL or p.pid=i.pid ".
"where p.uid='$uid' order by i.osid");
"where p.uid='$uid' order by i.imageid");
}
if (! $query_result) {
$err = mysql_error();