-rw-r--r--engine/lib/access.php19
-rw-r--r--engine/lib/sessions.php35
2 files changed, 48 insertions, 6 deletions
diff --git a/engine/lib/access.php b/engine/lib/access.php
index 5ccf238c8..7edb2d012 100644
--- a/engine/lib/access.php
+++ b/engine/lib/access.php
@@ -225,14 +225,21 @@ END;
if (!isset($owner)) {
$owner = get_loggedin_userid();
}
- if (!$owner) $owner = -1;
- $access = get_access_list($owner);
-
- // do NOT use $is_admin global user here, since that only checks against
+ // do NOT use $is_admin global here, since that only checks against
// the current logged in user.
+ // Can't use metadata here because because of recursion.
+ // (get_entity, get_*() calls this function.)
+ if (!$owner) {
+ $owner = -1;
+ $admin = false;
+ } else {
+ $admin = is_admin_user($owner);
+ }
+
+ $access = get_access_list($owner);
- if ($owner->admin == 'yes') {
+ if ($admin) {
$sql = " (1 = 1) ";
} else if ($owner != -1) {
$friends_bit = $table_prefix.'access_id = '.ACCESS_FRIENDS.' AND ';
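Review bot: `$owner` is handed to `is_admin_user($owner)` without being forced to an integer, and that helper (added in engine/lib/sessions.php by this commit) interpolates its argument into the SQL text twice as `e.guid = {$user_guid}`. The enclosing function starts and ends outside this hunk, so whether a caller can supply a non-numeric owner is not visible here. Normalising the value removes the question: `$owner = (int)$owner;` right after the `isset($owner)` block, and `$user_guid = (int)$user_guid;` as the first statement of `is_admin_user()`. The new comment also has a doubled word and should read `// Can't use metadata here because of recursion.`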
@@ -729,4 +736,4 @@ END;
// This function will let us know when 'init' has finished
register_elgg_event_handler('init','system','access_init',9999);
-?> \ No newline at end of file
+?>
diff --git a/engine/lib/sessions.php b/engine/lib/sessions.php
index 18fb9e73c..b34f07725 100644
--- a/engine/lib/sessions.php
+++ b/engine/lib/sessions.php
@@ -156,6 +156,41 @@
return false;
}
+ /**
+ * Check if the given user is an admin.
+ *
+ * @param $user_guid
+ * @return bool
+ */
+ function is_admin_user($user_guid) {
+ global $CONFIG;
+
+ // caching is done at the db level so no need to here.
+ $query = "SELECT * FROM {$CONFIG->dbprefix}users_entity as e, {$CONFIG->dbprefix}metastrings as ms1, {$CONFIG->dbprefix}metastrings as ms2, {$CONFIG->dbprefix}metadata as md
+ WHERE (
+ ms1.string = 'admin' AND ms2.string = 'yes'
+ AND md.name_id = ms1.id AND md.value_id = ms2.id
+ AND e.guid = md.entity_guid
+ AND e.guid = {$user_guid}
+ AND e.banned = 'no'
+ )
+ OR (
+ ms1.string = 'admin' AND ms2.string = '1'
+ AND md.name_id = ms1.id AND md.value_id = ms2.id
+ AND e.guid = md.entity_guid
+ AND e.guid = {$user_guid}
+ AND e.banned = 'no'
+ )";
+
+ // normalizing the results from get_data()
+ // See #1242
+ $info = get_data($query);
+ if (!((is_array($info) && count($info) < 1) || $info === false)) {
+ return true;
+ }
+ return false;
+ }
+
/**
* Perform standard authentication with a given username and password.
* Returns an ElggUser object for use with login.
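Review bot: The result test `if (!((is_array($info) && count($info) < 1) || $info === false))` fails open: any value from `get_data()` that is neither `false` nor an empty array, `null` included, makes `is_admin_user()` return true, and the caller in access.php then emits `(1 = 1)`. For an admin check the positive case should be the one spelled out, `return is_array($info) && count($info) > 0;`, so an unexpected return value is treated as non-admin. What `get_data()` can actually return is not shown in this hunk, so confirm it against that function and issue #1242. The docblock could also state the expected type, `@param int $user_guid GUID of the user to check`.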