prevent admin hijacks
authorFriendika <info@friendika.com>
Wed, 5 Jan 2011 06:17:58 +0000 (22:17 -0800)
committerFriendika <info@friendika.com>
Wed, 5 Jan 2011 06:17:58 +0000 (22:17 -0800)
mod/notifications.php
mod/regmod.php
mod/settings.php

index f11676ebfe10190420cf4fb2bea772b699ea0acc..c425d092ed1e71073246d26f22c47e27b5bdd417 100644 (file)
@@ -127,7 +127,7 @@ function notifications_content(&$a) {
                notice( t('No notifications.') . EOL);
 
        if ($a->config['register_policy'] = REGISTER_APPROVE && 
-               $a->config['admin_email'] = $a->user['email']){
+               $a->config['admin_email'] === $a->user['email']){
                $o .= load_view_file('view/registrations-top.tpl');
                
                $r = q("SELECT `register`.*, `contact`.`name`, `user`.`email`
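Review bot: The first operand of this condition, `$a->config['register_policy'] = REGISTER_APPROVE &&`, is still an assignment; the commit only corrects the `admin_email` line below it. Because `&&` binds tighter than `=`, the policy is never compared: the `if` is taken whenever the e-mail test passes (assuming REGISTER_APPROVE is truthy), and `$a->config['register_policy']` is overwritten with a boolean for the rest of the request. The line should read `if (($a->config['register_policy'] == REGISTER_APPROVE) &&`. The body of notifications_content continues outside the hunk.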
index 772351ac55ab477bf4af2bafb1007be2a6f0512e..eabbec090b92ef9d445f58951f8b1fbd058db786 100644 (file)
@@ -12,6 +12,11 @@ function regmod_content(&$a) {
                return $o;
        }
 
+       if((! (x($a->config,'admin_email'))) || ($a->config['admin_email'] !== $a->user['email'])) {
+               notice( t('Permission denied.') . EOL);
+               return '';
+       }
+
        if($a->argc != 3)
                killme();
 
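Review bot: This permission check is a second hand-written copy of the admin test, and it already differs from the one in mod/notifications.php, which has no `x($a->config,'admin_email')` guard. A single shared helper called from both places would keep the two gates from drifting apart. The check identifies the administrator purely by e-mail equality, so a comment saying so would help the next maintainer: `// Admin is whoever owns config['admin_email']; every path that writes user.email must refuse that address.` The rest of regmod_content lies outside the hunk.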
index a40883f350f3932c06133270cc4b07516c7f3319..9a9fde5c6b4eee911fbcaed5430962e41bc0dd16 100644 (file)
@@ -95,6 +95,10 @@ function settings_post(&$a) {
                $email_changed = true;
         if(! valid_email($email))
                        $err .= t(' Not valid email.');
+               if((x($a->config,'admin_email')) && (strcasecmp($email,$a->config['admin_email']) == 0)) {
+                       $err .= t(' Cannot change to that email.');
+                       $email = $a->user['email'];
+               }
        }
 
        if(strlen($err)) {
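Review bot: The new block restores `$email` but leaves `$email_changed = true` from the line above it. Whatever the rest of settings_post does on an e-mail change is not visible in this hunk, but it would still run for a rejected change; adding `$email_changed = false;` next to the reset keeps the two in step. The comparison here is case-insensitive (`strcasecmp`), while the admin gates in mod/notifications.php and mod/regmod.php use `===` and `!==`, so a comment stating which normalisation is authoritative would help. This commit touches only the settings path, so it is worth confirming that registration also refuses an address equal to `admin_email`.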