Only administrators can delete other privileged users.
authorMikael Nordfeldth <mmn@hethane.se>
Fri, 12 Feb 2016 14:00:18 +0000 (15:00 +0100)
committerMikael Nordfeldth <mmn@hethane.se>
Fri, 12 Feb 2016 14:00:18 +0000 (15:00 +0100)
actions/deleteuser.php

index 6b74575ab435e0d149b53ef788ca4fafde95c4d5..6e0c6ebf7f2357ad1916b0a86814ba7bb46e136f 100644 (file)
@@ -27,9 +27,7 @@
  * @link      http://status.net/
  */
 
-if (!defined('STATUSNET') && !defined('LACONICA')) {
-    exit(1);
-}
+if (!defined('GNUSOCIAL')) { exit(1); }
 
 /**
  * Delete a user
@@ -44,33 +42,30 @@ class DeleteuserAction extends ProfileFormAction
 {
     var $user = null;
 
-    /**
-     * Take arguments for running
-     *
-     * @param array $args $_REQUEST args
-     *
-     * @return boolean success flag
-     */
-    function prepare($args)
+    function prepare(array $args=array())
     {
         if (!parent::prepare($args)) {
             return false;
         }
 
-        $cur = common_current_user();
+        assert($this->scoped instanceof Profile);
 
-        assert(!empty($cur)); // checked by parent
-
-        if (!$cur->hasRight(Right::DELETEUSER)) {
+        if (!$this->scoped->hasRight(Right::DELETEUSER)) {
             // TRANS: Client error displayed when trying to delete a user without having the right to delete users.
-            $this->clientError(_('You cannot delete users.'));
+            throw new AuthorizationException(_('You cannot delete users.'));
         }
 
-        $this->user = User::getKV('id', $this->profile->id);
-
-        if (empty($this->user)) {
+        try {
+            $this->user = $this->profile->getUser();
+        } catch (NoSuchUserException $e) {
             // TRANS: Client error displayed when trying to delete a non-local user.
-            $this->clientError(_('You can only delete local users.'));
+            throw new ClientException(_('You can only delete local users.'));
+        }
+
+        // Only administrators can delete other privileged users (such as others who have the right to silence).
+        if ($this->profile->isPrivileged() && !$this->scoped->hasRole(Profile_role::ADMINISTRATOR)) {
+            // TRANS: Client error displayed when trying to delete a user that has been granted moderation privileges
+            throw new AuthorizationException(_('You cannot delete other privileged users.'));
         }
 
         return true;
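Review bot: The `assert($this->scoped instanceof Profile);` line is a no-op when assertions are disabled (the usual production setting), so the DELETEUSER check on the next line would then be evaluated on a null `$this->scoped` and fail with a fatal error instead of a clean denial; the old code at least carried the comment "checked by parent" to document that reliance, and this hunk drops it. Make the guard fail closed explicitly, e.g. `if (!($this->scoped instanceof Profile)) { throw new AuthorizationException(_('You cannot delete users.')); }`, or restore a comment stating that parent::prepare() guarantees a logged-in profile if that is the case. The new privileged-target condition also only distinguishes administrator from non-administrator, so one administrator can still delete any other privileged account including another administrator; I cannot tell from this hunk whether `isPrivileged()` covers the administrator role, so confirm that is the intended policy. Finally, the rewrite removes prepare()'s docblock without replacement; a short one describing the two authorization checks and the `AuthorizationException`/`ClientException` it throws would help. The deletion itself happens in a handler outside this hunk.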