From bb0c24bd4fd159cc005f60a0808a4b37b91060b0 Mon Sep 17 00:00:00 2001 From: Friendika Date: Tue, 4 Jan 2011 22:17:58 -0800 Subject: [PATCH] prevent admin hijacks --- mod/notifications.php | 2 +- mod/regmod.php | 5 +++++ mod/settings.php | 4 ++++ 3 files changed, 10 insertions(+), 1 deletion(-) diff --git a/mod/notifications.php b/mod/notifications.php index f11676ebfe..c425d092ed 100644 --- a/mod/notifications.php +++ b/mod/notifications.php @@ -127,7 +127,7 @@ function notifications_content(&$a) { notice( t('No notifications.') . EOL); if ($a->config['register_policy'] = REGISTER_APPROVE && - $a->config['admin_email'] = $a->user['email']){ + $a->config['admin_email'] === $a->user['email']){ $o .= load_view_file('view/registrations-top.tpl'); $r = q("SELECT `register`.*, `contact`.`name`, `user`.`email` diff --git a/mod/regmod.php b/mod/regmod.php index 772351ac55..eabbec090b 100644 --- a/mod/regmod.php +++ b/mod/regmod.php @@ -12,6 +12,11 @@ function regmod_content(&$a) { return $o; } + if((! (x($a->config,'admin_email'))) || ($a->config['admin_email'] !== $a->user['email'])) { + notice( t('Permission denied.') . EOL); + return ''; + } + if($a->argc != 3) killme(); diff --git a/mod/settings.php b/mod/settings.php index a40883f350..9a9fde5c6b 100644 --- a/mod/settings.php +++ b/mod/settings.php @@ -95,6 +95,10 @@ function settings_post(&$a) { $email_changed = true; if(! valid_email($email)) $err .= t(' Not valid email.'); + if((x($a->config,'admin_email')) && (strcasecmp($email,$a->config['admin_email']) == 0)) { + $err .= t(' Cannot change to that email.'); + $email = $a->user['email']; + } } if(strlen($err)) { -- 2.39.5