authorIgor Scheller <igor.scheller@igorshp.de>2017-08-29 22:22:53 +0200
committerIgor Scheller <igor.scheller@igorshp.de>2017-08-29 22:22:53 +0200
commit3002ed9e93ea39b7c341b0b3a24f0d4f654ef062 (patch)
treea1a4cf5d34f66e3fbbb3ec9debc7e40090f9db5c /db
parentcc01c906ba63b3797bf2b9ef92a6854fe2ddbefb (diff)
Security: Only allow angels with admin_news_html privilege to use HTML
Diffstat (limited to 'db')
-rw-r--r--db/update.sql22
1 files changed, 13 insertions, 9 deletions
diff --git a/db/update.sql b/db/update.sql
index dd203a86..5d93e230 100644
--- a/db/update.sql
+++ b/db/update.sql
@@ -8,19 +8,23 @@ ALTER TABLE `User` ADD COLUMN `email_by_human_allowed` BOOLEAN NOT NULL;
-- No Self Sign Up for some Angel Types
ALTER TABLE AngelTypes ADD no_self_signup TINYINT(1) NOT NULL;
-ALTER TABLE `AngelTypes`
- ADD `contact_user_id` INT NULL,
- ADD `contact_name` VARCHAR(250) NULL,
- ADD `contact_dect` VARCHAR(5) NULL,
- ADD `contact_email` VARCHAR(250) NULL,
+ALTER TABLE `AngelTypes`
+ ADD `contact_user_id` INT NULL,
+ ADD `contact_name` VARCHAR(250) NULL,
+ ADD `contact_dect` VARCHAR(5) NULL,
+ ADD `contact_email` VARCHAR(250) NULL,
ADD INDEX (`contact_user_id`);
-ALTER TABLE `AngelTypes`
+ALTER TABLE `AngelTypes`
ADD FOREIGN KEY (`contact_user_id`) REFERENCES `User`(`UID`) ON DELETE SET NULL ON UPDATE CASCADE;
-
INSERT INTO `Privileges` (`id`, `name`, `desc`) VALUES (NULL, 'shiftentry_edit_angeltype_supporter', 'If user with this privilege is angeltype supporter, he can put users in shifts for their angeltype');
-
-- DB Performance
ALTER TABLE `Shifts` ADD INDEX(`start`);
-ALTER TABLE `NeededAngelTypes` ADD INDEX(`count`);
\ No newline at end of file
+ALTER TABLE `NeededAngelTypes` ADD INDEX(`count`);
+
+-- Security
+UPDATE `Groups` SET UID = UID * 10;
+INSERT INTO `Groups` (Name, UID) VALUES ('News Admin', -65);
+INSERT INTO `Privileges` (id, name, `desc`) VALUES (42, 'admin_news_html', 'Use HTML in news');
+INSERT INTO `GroupPrivileges` (group_id, privilege_id) VALUES (-65, 14), (-65, 42);
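Review bot: The unfiltered `UPDATE` on `Groups` under `-- Security` renumbers every group and is not safe to run twice: a second pass over update.sql multiplies the ids again, so the hard-coded group -65 in the following inserts no longer lines up with the rest of the table. Whether existing `group_id` references (GroupPrivileges in the last line, and any user-to-group mapping) follow the renumbering depends on foreign keys with ON UPDATE CASCADE that this hunk does not show; without them, memberships and privilege grants would point at group ids that no longer exist, which should be confirmed because these rows decide authorization. The literal privilege ids are a second risk: the earlier `Privileges` insert in this file uses `NULL` for an auto-assigned id, so 42 may already be taken on some installs, and 14 is granted without its name being visible here. Resolving the id by name avoids that, e.g. `INSERT INTO GroupPrivileges (group_id, privilege_id) SELECT -65, id FROM Privileges WHERE name = 'admin_news_html';`. If the multiplication is meant to make room for the new group, say so above it, e.g. `-- Run once: spreads group ids by 10 so 'News Admin' (-65) gets its own slot; group_id references must cascade`.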