authorPhilip Häusler <msquare@notrademark.de>2011-09-26 16:04:30 +0200
committerPhilip Häusler <msquare@notrademark.de>2011-09-26 16:04:30 +0200
commit8a5f510da2fa2a0a4d543d436a8ca96df5d74301 (patch)
treeaadc744b57c9b4af9f949ac1d9141d68ca7ac2aa
parent01463f0ac06ffc1fb23c267bbcb083576849b9d6 (diff)
fix issue #34, edit rights of righless users
-rw-r--r--includes/pages/admin_user.php49
-rw-r--r--includes/sys_auth.php2
-rw-r--r--includes/sys_mysql.php1
3 files changed, 29 insertions, 23 deletions
diff --git a/includes/pages/admin_user.php b/includes/pages/admin_user.php
index 23c24619..7b3ab86e 100644
--- a/includes/pages/admin_user.php
+++ b/includes/pages/admin_user.php
@@ -117,11 +117,16 @@ function admin_user() {
$html .= "Hier kannst Du die Benutzergruppen des Engels festlegen:<form action=\"" . page_link_to("admin_user") . "&action=save_groups&id=" . $id . "\" method=\"post\">\n";
$html .= '<table>';
- list ($my_highest_group) = sql_select("SELECT * FROM `UserGroups` WHERE `uid`=" . sql_escape($user['UID']) . " ORDER BY `uid`");
- list ($his_highest_group) = sql_select("SELECT * FROM `UserGroups` WHERE `uid`=" . sql_escape($id) . " ORDER BY `uid`");
+ $my_highest_group = sql_select("SELECT * FROM `UserGroups` WHERE `uid`=" . sql_escape($user['UID']) . " ORDER BY `uid` LIMIT 1");
+ if (count($my_highest_group) > 0)
+ $my_highest_group = $my_highest_group[0]['group_id'];
+
+ $his_highest_group = sql_select("SELECT * FROM `UserGroups` WHERE `uid`=" . sql_escape($id) . " ORDER BY `uid` LIMIT 1");
+ if (count($his_highest_group) > 0)
+ $his_highest_group = $his_highest_group[0]['group_id'];
if ($id != $user['UID'] && $my_highest_group <= $his_highest_group) {
- $groups = sql_select("SELECT * FROM `Groups` LEFT OUTER JOIN `UserGroups` ON (`UserGroups`.`group_id` = `Groups`.`UID` AND `UserGroups`.`uid` = " . sql_escape($id) . ") WHERE `Groups`.`UID` >= " . sql_escape($my_highest_group['group_id']) . " ORDER BY `Groups`.`Name`");
+ $groups = sql_select("SELECT * FROM `Groups` LEFT OUTER JOIN `UserGroups` ON (`UserGroups`.`group_id` = `Groups`.`UID` AND `UserGroups`.`uid` = " . sql_escape($id) . ") WHERE `Groups`.`UID` >= " . sql_escape($my_highest_group) . " ORDER BY `Groups`.`Name`");
foreach ($groups as $group)
$html .= '<tr><td><input type="checkbox" name="groups[]" value="' . $group['UID'] . '"' . ($group['group_id'] != "" ? ' checked="checked"' : '') . ' /></td><td>' . $group['Name'] . '</td></tr>';
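Review bot: The no-group case this commit targets still leaks an array into the rights check: when either `UserGroups` query returns no rows, `$my_highest_group` / `$his_highest_group` stay empty arrays, so the `if ($id != $user['UID'] && $my_highest_group <= $his_highest_group)` line compares an array to an int (PHP ranks an array above any scalar), and if both are empty `sql_escape($my_highest_group)` receives an array and the query breaks. The present outcome — an editor without a group is denied, a target without a group can be edited — holds only through that comparison rule and should be made explicit with null handling. The `ORDER BY uid LIMIT 1` also selects an arbitrary row, because `uid` is fixed by the WHERE clause; if "highest group" means the lowest `group_id` (which the `Groups.UID >=` filter suggests), the ORDER BY should be `group_id`. Separately, `sql_escape($id)` is used unquoted in a numeric position; if it is a string-escaping wrapper it offers no protection there, and an `(int)` cast would. admin_user() starts and ends outside this hunk.
```php
$my_highest_group = sql_select("SELECT * FROM `UserGroups` WHERE `uid`=" . sql_escape($user['UID']) . " ORDER BY `group_id` LIMIT 1");
$my_highest_group = count($my_highest_group) > 0 ? (int) $my_highest_group[0]['group_id'] : null;

$his_highest_group = sql_select("SELECT * FROM `UserGroups` WHERE `uid`=" . sql_escape($id) . " ORDER BY `group_id` LIMIT 1");
$his_highest_group = count($his_highest_group) > 0 ? (int) $his_highest_group[0]['group_id'] : null;

// the editor must hold a group; a target with no group may be edited by anyone who does
$may_edit_groups = $my_highest_group !== null
    && ($his_highest_group === null || $my_highest_group <= $his_highest_group);
if ($id != $user['UID'] && $may_edit_groups) {
    // … unchanged: Groups query and checkbox table …
```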
@@ -138,7 +143,7 @@ function admin_user() {
$html .= "</form>";
$html .= "<hr />";
- $html .= funktion_db_element_list_2row("Freeloader Shifts", "SELECT `Remove_Time`, `Length`, `Comment` FROM `ShiftFreeloader` WHERE UID=" . $_REQUEST['id']);
+ //$html .= funktion_db_element_list_2row("Freeloader Shifts", "SELECT `Remove_Time`, `Length`, `Comment` FROM `ShiftFreeloader` WHERE UID=" . $_REQUEST['id']);
} else {
switch ($_REQUEST['action']) {
case 'save_groups' :
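Review bot: The freeloader line is commented out rather than removed, leaving dead code in admin_user(); delete it (version history keeps it) or add a one-line reason if it is meant to return. Note that the disabled line concatenated `$_REQUEST['id']` into the query with no `sql_escape`, so restoring it verbatim would reintroduce an injectable query — if it comes back, use the same escaped/cast `$id` the neighbouring queries use. admin_user() starts and ends outside this hunk.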
@@ -195,7 +200,7 @@ function admin_user() {
"`Gekommen`= '" . sql_escape($_POST["eGekommen"]) . "', " .
"`Aktiv`= '" . sql_escape($_POST["eAktiv"]) . "', " .
"`Tshirt` = '" . sql_escape($_POST["eTshirt"]) . "', " .
- "`Hometown` = '" .sql_escape( $_POST["Hometown"]) . "' " .
+ "`Hometown` = '" . sql_escape($_POST["Hometown"]) . "' " .
"WHERE `UID` = '" . sql_escape($id) .
"' LIMIT 1;";
sql_query($SQL);
@@ -227,23 +232,23 @@ function admin_user() {
$html .= "Anzahl Engel: $Zeilen<br /><br />\n";
$html .= '
- <table width="100%" class="border" cellpadding="2" cellspacing="1"> <thead>
- <tr class="contenttopic">
- <th>
- <a href="' . page_link_to("admin_user") . '&OrderBy=Nick">Nick</a>
- </th>
- <th><a href="' . page_link_to("admin_user") . '&OrderBy=Vorname">Vorname</a> <a href="' . page_link_to("admin_user") . '&OrderBy=Name">Name</a></th>
- <th><a href="' . page_link_to("admin_user") . '&OrderBy=Alter">Alter</a></th>
- <th>
- <a href="' . page_link_to("admin_user") . '&OrderBy=email">E-Mail</a>
- </th>
- <th><a href="' . page_link_to("admin_user") . '&OrderBy=Size">Gr&ouml;&szlig;e</a></th>
- <th><a href="' . page_link_to("admin_user") . '&OrderBy=Gekommen">Gekommen</a></th>
- <th><a href="' . page_link_to("admin_user") . '&OrderBy=Aktiv">Aktiv</a></th>
- <th><a href="' . page_link_to("admin_user") . '&OrderBy=Tshirt">T-Shirt</a></th>
- <th><a href="' . page_link_to("admin_user") . '&OrderBy=CreateDate">Registriert</a></th>
- <th>&Auml;nd.</th>
- </tr></thead>';
+ <table width="100%" class="border" cellpadding="2" cellspacing="1"> <thead>
+ <tr class="contenttopic">
+ <th>
+ <a href="' . page_link_to("admin_user") . '&OrderBy=Nick">Nick</a>
+ </th>
+ <th><a href="' . page_link_to("admin_user") . '&OrderBy=Vorname">Vorname</a> <a href="' . page_link_to("admin_user") . '&OrderBy=Name">Name</a></th>
+ <th><a href="' . page_link_to("admin_user") . '&OrderBy=Alter">Alter</a></th>
+ <th>
+ <a href="' . page_link_to("admin_user") . '&OrderBy=email">E-Mail</a>
+ </th>
+ <th><a href="' . page_link_to("admin_user") . '&OrderBy=Size">Gr&ouml;&szlig;e</a></th>
+ <th><a href="' . page_link_to("admin_user") . '&OrderBy=Gekommen">Gekommen</a></th>
+ <th><a href="' . page_link_to("admin_user") . '&OrderBy=Aktiv">Aktiv</a></th>
+ <th><a href="' . page_link_to("admin_user") . '&OrderBy=Tshirt">T-Shirt</a></th>
+ <th><a href="' . page_link_to("admin_user") . '&OrderBy=CreateDate">Registriert</a></th>
+ <th>&Auml;nd.</th>
+ </tr></thead>';
$Gekommen = 0;
$Active = 0;
$Tshirt = 0;
diff --git a/includes/sys_auth.php b/includes/sys_auth.php
index 15c5591a..d831f36a 100644
--- a/includes/sys_auth.php
+++ b/includes/sys_auth.php
@@ -10,7 +10,7 @@ function load_auth() {
if ($_SESSION['IP'] != $_SERVER['REMOTE_ADDR']) {
session_destroy();
- header("Location: " . link_to_page($start));
+ header("Location: " . link_to_page('start'));
}
$user = null;
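Review bot: The redirect on the session-IP mismatch is not followed by `exit`, so after `header("Location: " . link_to_page('start'));` the rest of load_auth() and the page keep executing for the request whose session was just destroyed; add `exit;` directly after the header line. The fix also calls `link_to_page('start')` while admin_user.php in this same commit uses `page_link_to("admin_user")` — confirm `link_to_page` exists, otherwise the redirect is never built. load_auth() continues outside this hunk.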
diff --git a/includes/sys_mysql.php b/includes/sys_mysql.php
index c076be7c..e418ddb8 100644
--- a/includes/sys_mysql.php
+++ b/includes/sys_mysql.php
@@ -26,6 +26,7 @@ function sql_select($query) {
}
return $data;
} else {
+ print_r(debug_backtrace());
die('MySQL-query error: ' . $query . ", " . mysql_error($con));
}
}
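Review bot: `print_r(debug_backtrace())` on the new line writes the full call stack, including every frame's arguments, into the HTTP response whenever a query fails; in this code that means session user data, POST values and the complete failing SQL (which the `die` already echoes) reach whoever triggered the error. Send the diagnostics to the server log and keep the response generic, e.g. `error_log('MySQL-query error: ' . $query . ', ' . mysql_error($con) . "\n" . print_r(debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS), true));` followed by `die('MySQL-query error');`. If this is a temporary debugging aid, it should not land on the main branch. sql_select() starts outside this hunk.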