Permission policy updated

2019-06-02 14:09:48 +08:00 · 2019-06-02 14:09:48 +08:00 · 7bf8692753
commit 7bf8692753
parent 36078c850e
2 changed files with 7 additions and 0 deletions
--- a/admin/ajax/user.php
+++ b/admin/ajax/user.php
@ -75,6 +75,10 @@ if ($_SERVER["REQUEST_METHOD"] == "PATCH" || $_SERVER["REQUEST_METHOD"] == "POST
        } else if ($level < 0) {
            $level = 0;
        }
+        // you cannot promote user to level higher than youself
+        if ($level > $user->level) {
+            send_error(403, "lowlevel");
+        }

        $SQL->query("UPDATE `user` SET `muted`='%d', `level`='%d' WHERE `username`='%s'", array($muted, $level, $username));

--- a/admin/component/user.js
+++ b/admin/component/user.js
@ -192,6 +192,9 @@
                case "emailused":
                    pageManager.snackbar("信箱已被其他使用者使用");
                    break;
+                case "lowlevel":
+                    pageManager.snackbar("權限不足");
+                    break;
                default:
                    pageManager.snackbar("發生錯誤");
                    break;