admins with default ACL "deny" are no longer allowed to change their default ACL
[mailer.git] / inc / libs / admins_functions.php
index fa205b2..d4ced65 100644 (file)
@@ -200,9 +200,6 @@ function ADMINS_CHANGE_ADMIN_ACCOUNT($POST) {
 
                        // Rewrite cookie when it's own account
                        if ($aid == $id) {
-                               // Timeout
-                               $TIMEOUT = time() + bigintval($_SESSION['admin_to']);
-
                                // Set timeout cookie
                                set_session("admin_last", time());
 
@@ -219,8 +216,18 @@ function ADMINS_CHANGE_ADMIN_ACCOUNT($POST) {
 
                        }
 
+                       // Get default ACL from admin to check if we can allow him to change the default ACL
+                       $result = SQL_QUERY_ESC("SELECT default_acl FROM "._MYSQL_PREFIX."_admins WHERE login='%s' LIMIT 1",
+                        array($_SESSION['admin_login']), __FILE__, __LINE__);
+                       list($default) = SQL_FETCHROW($result);
+
+                       // Free result
+                       SQL_FREERESULT($result);
+
                        // Update admin account
-                       $result = SQL_QUERY_ESC("UPDATE "._MYSQL_PREFIX."_admins SET
+                       if ($default == "allow") {
+                               // Allow changing default ACL
+                               $result = SQL_QUERY_ESC("UPDATE "._MYSQL_PREFIX."_admins SET
 login='%s'".$ADD.",
 email='%s',
 default_acl='%s',
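Review bot: The allow branch opened by `if ($default == "allow")` still binds a request-supplied value to `default_acl='%s'`, and nothing visible in this hunk restricts it to the two values the form offers; the parameter list itself lies outside the hunk. Because ADMINS_EDIT_ADMIN_ACCOUNTS in this same commit now omits the selector for some rows, that field can also be missing from the POST data, and the UPDATE would then presumably store an empty string. I would validate it before choosing the branch, for example `if ($default == "allow" && in_array($POST['mode'][$id], array("allow", "deny"), true)) {` (the field name `mode` is my assumption), so that anything else falls through to the restricted UPDATE. The branch decision also rests on a loose `==` against a value that is null when the lookup returns no row. That fails closed today, but a short comment saying so would keep a later edit from inverting it.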
@@ -233,6 +240,20 @@ WHERE id=%d LIMIT 1",
        $POST['la_mode'][$id],
        $id
 ), __FILE__, __LINE__);
+                       } else {
+                               // Do not allow it here
+                               $result = SQL_QUERY_ESC("UPDATE "._MYSQL_PREFIX."_admins SET
+login='%s'".$ADD.",
+email='%s',
+la_mode='%s'
+WHERE id=%d LIMIT 1",
+ array(
+       $login,
+       $POST['email'][$id],
+       $POST['la_mode'][$id],
+       $id
+), __FILE__, __LINE__);
+                       }
 
                        // Admin account saved
                        $MSG = ADMIN_ACCOUNT_SAVED;
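Review bot: In the `else` branch a submitted `default_acl` is dropped without any trace, and the context line `$MSG = ADMIN_ACCOUNT_SAVED;` reports success in both cases. An attempt by a "deny" admin to change the ACL is therefore invisible to the user and to anyone reviewing admin activity. I would at least add a comment such as `// default_acl deliberately not written: current admin has default ACL "deny"`, and record the rejected attempt wherever the project logs admin actions. The second UPDATE is also a near copy of the first, so a column added later has to be added in both places. The file already appends optional columns through `$ADD`, and `default_acl` could be handled in a similar way.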
@@ -272,7 +293,15 @@ function ADMINS_EDIT_ADMIN_ACCOUNTS ($POST) {
                        // Prepare some more data for the template
                        $content['sw']          = $SW;
                        $content['id']          = $id;
-                       $content['mode']    = ADD_OPTION_LINES("/ARRAY/", array("allow", "deny"), array(ADMINS_ALLOW_MODE, ADMINS_DENY_MODE), $content['mode']);
+
+                       // Shall we allow changing default ACL?
+                       if ($content['mode'] == "allow") {
+                               // Allow chaning it
+                               $content['mode']    = ADD_OPTION_LINES("/ARRAY/", array("allow", "deny"), array(ADMINS_ALLOW_MODE, ADMINS_DENY_MODE), $content['mode']);
+                       } else {
+                               // Don't allow it
+                               $content['mode'] = " ";
+                       }
                        $content['la_mode'] = ADD_OPTION_LINES("/ARRAY/", array("global", "OLD", "NEW"), array(ADMINS_GLOBAL_LA_SETTING, ADMINS_OLD_LA_SETTING, ADMINS_NEW_LA_SETTING), $content['la_mode']);
 
                        // Load row template and switch color
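Review bot: The test `if ($content['mode'] == "allow")` decides on the ACL of the row being rendered, whereas the save path in ADMINS_CHANGE_ADMIN_ACCOUNT decides on the logged-in admin's `default_acl`, looked up through `$_SESSION['admin_login']`. The two can disagree. An "allow" admin editing a "deny" account gets no selector but the save path still writes the column, and a "deny" admin editing an "allow" account is offered a selector whose value is then ignored. Both places should derive the decision from the same source, ideally one shared helper. Replacing the field with `" "` also hides the current setting, so showing the stored value as read-only text would be clearer. The comment `// Allow chaning it` should read `// Allow changing it`. The enclosing function starts and ends outside this hunk.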