Fix code that was designed to block non-superadmins from changing users in the superadmin group. Hide superadmin accounts from users that are not in the superadmin group.

core/users/index.php

@@ -17,7 +17,7 @@
 
 	The Initial Developer of the Original Code is
 	Mark J Crane <[email protected]>
-	Portions created by the Initial Developer are Copyright (C) 2008-2012
+	Portions created by the Initial Developer are Copyright (C) 2008-2013
 	the Initial Developer. All Rights Reserved.
 
 	Contributor(s):
@@ -49,7 +49,7 @@ else {
 	echo "	<table width='100%' border='0'>";
 	echo "		<tr>";
 	echo "		<td align='left' width='100%'>";
-	require_once "userlist.php";
+	require_once "users.php";
 	echo "				<br />";
 	echo "				<br />";
 	echo "				<br />";

core/users/userlist.php

@@ -17,7 +17,7 @@
 
 	The Initial Developer of the Original Code is
 	Mark J Crane <[email protected]>
-	Portions created by the Initial Developer are Copyright (C) 2008-2012
+	Portions created by the Initial Developer are Copyright (C) 2008-2013
 	the Initial Developer. All Rights Reserved.
 
 	Contributor(s):
@@ -78,17 +78,27 @@ echo "	<td align=\"center\">\n";
 	echo "</td>\n";
 	echo "</tr>\n";
 
-//get the user list from the database
-	$sql = "select * from v_users ";
-	$sql .= "where domain_uuid = '$domain_uuid' ";
+//get the list of superadmins
+	$superadmins = superadmin_list($db);
+
+//get the users from the database
+	$sql = "select count(*) as num_rows from v_users ";
+	$sql .= "where domain_uuid = '".$_SESSION['domain_uuid']."' ";
 	if (strlen($field_name) > 0 && strlen($field_value) > 0) {
 		$sql .= "and $field_name = '$field_value' ";
 	}
 	if (strlen($order_by)> 0) { $sql .= "order by $order_by $order "; }
-	$prep_statement = $db->prepare(check_sql($sql));
-	$prep_statement->execute();
-	$result = $prep_statement->fetchAll(PDO::FETCH_NAMED);
-	$num_rows = count($result);
+	$prep_statement = $db->prepare($sql);
+	if ($prep_statement) {
+		$prep_statement->execute();
+		$row = $prep_statement->fetch(PDO::FETCH_ASSOC);
+		if ($row['num_rows'] > 0) {
+			$num_rows = $row['num_rows'];
+		}
+		else {
+			$num_rows = '0';
+		}
+	}
 	unset ($prep_statement, $result, $sql);
 	$rows_per_page = 200;
 	$param = "";
@@ -136,26 +146,30 @@ echo "	<td align=\"center\">\n";
 
 	if ($result_count > 0) {
 		foreach($result as $row) {
-			echo "<tr >\n";
-			echo "	<td valign='top' class='".$row_style[$c]."'>".$row['username']."&nbsp;</td>\n";
-			echo "	<td valign='top' class='".$row_style[$c]."'>";
-			if ($row['user_enabled'] == 'true') {
-				echo $text['option-true'];
-			}
-			else {
-				echo $text['option-false'];
-			}
-			echo "&nbsp;</td>\n";
-			echo "	<td valign='top' align='right'>\n";
-			if (permission_exists('user_edit')) {
-				echo "		<a href='usersupdate.php?id=".$row['user_uuid']."' alt='".$text['button-edit']."'>$v_link_label_edit</a>\n";
-			}
-			if (permission_exists('user_delete')) {
-				echo "		<a href='userdelete.php?id=".$row['user_uuid']."' alt='".$text['button-delete']."' onclick=\"return confirm('".$text['confirm-delete']."')\">$v_link_label_delete</a>\n";
+			if (if_superadmin($superadmins, $row['user_uuid']) && !if_group("superadmin")) {
+				//hide
+			} else {
+				echo "<tr >\n";
+				echo "	<td valign='top' class='".$row_style[$c]."'>".$row['username']."&nbsp;</td>\n";
+				echo "	<td valign='top' class='".$row_style[$c]."'>";
+				if ($row['user_enabled'] == 'true') {
+					echo $text['option-true'];
+				}
+				else {
+					echo $text['option-false'];
+				}
+				echo "&nbsp;</td>\n";
+				echo "	<td valign='top' align='right'>\n";
+				if (permission_exists('user_edit')) {
+					echo "		<a href='usersupdate.php?id=".$row['user_uuid']."' alt='".$text['button-edit']."'>$v_link_label_edit</a>\n";
+				}
+				if (permission_exists('user_delete')) {
+					echo "		<a href='userdelete.php?id=".$row['user_uuid']."' alt='".$text['button-delete']."' onclick=\"return confirm('".$text['confirm-delete']."')\">$v_link_label_delete</a>\n";
+				}
+				echo "	</td>\n";
+				echo "</tr>\n";
+				if ($c==0) { $c=1; } else { $c=0; }
 			}
-			echo "	</td>\n";
-			echo "</tr>\n";
-			if ($c==0) { $c=1; } else { $c=0; }
 		} //end foreach
 		unset($sql, $result, $row_count);
 	} //end if results

core/users/usersupdate.php

@@ -17,7 +17,7 @@
 
 	The Initial Developer of the Original Code is
 	Mark J Crane <[email protected]>
-	Portions created by the Initial Developer are Copyright (C) 2008-2012
+	Portions created by the Initial Developer are Copyright (C) 2008-2013
 	the Initial Developer. All Rights Reserved.
 
 	Contributor(s):
@@ -63,16 +63,15 @@ else {
 	$result = $prep_statement->fetchAll(PDO::FETCH_NAMED);
 	foreach ($result as &$row) {
 		$username = $row["username"];
-		break; //limit to 1 row
 	}
 	unset ($prep_statement);
 
 //required to be a superadmin to update an account that is a member of the superadmin group
-	$superadmin_list = superadmin_list($db);
-	if (if_superadmin($superadmin_list, $_SESSION['user_uuid'])) {
+	$superadmins = superadmin_list($db);
+	if (if_superadmin($superadmins, $user_uuid)) {
 		if (!if_group("superadmin")) {
 			echo "access denied";
-			return;
+			exit;
 		}
 	}
 
@@ -116,7 +115,7 @@ else {
 		}
 	}
 
-if (count($_POST)>0 && $_POST["persistform"] != "1") {
+if (count($_POST) > 0 && $_POST["persistform"] != "1") {
 	$user_uuid = $_REQUEST["id"];
 	$password = check_str($_POST["password"]);
 	$confirm_password = check_str($_POST["confirm_password"]);