Changeset 149

Timestamp:

06/03/2003 12:08:51 AM (23 years ago)

Author:

mikelittle

Message:

Fixed admin level security problem.
Plus an user -> a user

Location:

trunk/wp-admin

Files:

• b2edit.php (modified) (2 diffs)
• b2edit.showposts.php (modified) (2 diffs)
• b2team.php (modified) (4 diffs)

trunk/wp-admin/b2edit.php

@@ -128 +128 @@
             $postdata = get_postdata($post);
             $authordata = get_userdata($postdata["Author_ID"]);
-            if ($user_level < $authordata[13])
+            if ($user_level < $authordata->user_level)
                 die ('You don&#8217;t have the right to edit <strong>'.$authordata[1].'</strong>&#8217;s posts.');
 
@@ -219 +219 @@
         $authordata = get_userdata($postdata["Author_ID"]);
 
-        if ($user_level < $authordata[13])
+        if ($user_level < $authordata->user_level)
             die ("You don't have the right to delete <b>".$authordata[1]."</b>'s posts.");
 

trunk/wp-admin/b2edit.showposts.php

@@ -236 +236 @@
                 <strong><?php the_time('Y/m/d @ H:i:s'); ?></strong> [ <a href="b2edit.php?p=<?php echo $id ?>&c=1"><?php comments_number('no comments', '1 comment', "% comments") ?></a>
                 <?php
-                if (($user_level > $authordata[13]) or ($user_login == $authordata[1])) {
+                if (($user_level > $authordata->user_level) or ($user_login == $authordata->user_login)) {
                 echo " - <a href='b2edit.php?action=edit&amp;post=$id";
                 if ($m)
@@ -275 +275 @@
                     <?php comment_date('Y/m/d') ?> @ <?php comment_time() ?> 
                     <?php 
-                    if (($user_level > $authordata[13]) or ($user_login == $authordata[1])) {
+                    if (($user_level > $authordata->user_level) or ($user_login == $authordata->user_login)) {
                         echo "[ <a href=\"b2edit.php?action=editcomment&amp;comment=".$commentdata->comment_ID."\">Edit</a>";
                         echo " - <a href=\"b2edit.php?action=deletecomment&amp;p=".$post->ID."&amp;comment=".$commentdata->comment_ID."\">Delete</a> ]";

trunk/wp-admin/b2team.php

@@ -34 +34 @@
 
     $user_data = get_userdata($id);
-    $usertopromote_level = $user_data[13];
+    $usertopromote_level = $user_data->user_level;
 
     if ($user_level <= $usertopromote_level) {
-        die('Can&#8217;t change the level of an user whose level is higher than yours.');
+        die('Can&#8217;t change the level of a user whose level is higher than yours.');
     }
 
@@ -66 +66 @@
 
     if ($user_level <= $usertodelete_level)
-        die('Can&#8217;t delete an user whose level is higher than yours.');
+        die('Can&#8217;t delete a user whose level is higher than yours.');
 
     $sql = "DELETE FROM $tableusers WHERE ID = $id";
@@ -84 +84 @@
     ?>
 
-<div class="wrap"><p>Click on an user&#8217;s login name to see his complete profile.<br />
+<div class="wrap"><p>Click on a user&#8217;s login name to see his complete profile.<br />
     To edit your profile, click on your login name.</p>
 </div>
@@ -192 +192 @@
     if ($user_level >= 3) { ?>
 <div class="wrap"> 
-  <p>To delete an user, bring his level to zero, then click on the red X.<br />
-    <strong>Warning:</strong> deleting an user also deletes all posts made by this user. 
+  <p>To delete a user, bring his level to zero, then click on the red X.<br />
+    <strong>Warning:</strong> deleting a user also deletes all posts made by this user. 
   </p>
 </div>