diff options
Diffstat (limited to 'engine')
-rw-r--r-- | engine/lib/access.php | 19 | ||||
-rw-r--r-- | engine/lib/sessions.php | 35 |
2 files changed, 48 insertions, 6 deletions
diff --git a/engine/lib/access.php b/engine/lib/access.php index 5ccf238c8..7edb2d012 100644 --- a/engine/lib/access.php +++ b/engine/lib/access.php @@ -225,14 +225,21 @@ END; if (!isset($owner)) { $owner = get_loggedin_userid(); } - if (!$owner) $owner = -1; - $access = get_access_list($owner); - - // do NOT use $is_admin global user here, since that only checks against + // do NOT use $is_admin global here, since that only checks against // the current logged in user. + // Can't use metadata here because because of recursion. + // (get_entity, get_*() calls this function.) + if (!$owner) { + $owner = -1; + $admin = false; + } else { + $admin = is_admin_user($owner); + } + + $access = get_access_list($owner); - if ($owner->admin == 'yes') { + if ($admin) { $sql = " (1 = 1) "; } else if ($owner != -1) { $friends_bit = $table_prefix.'access_id = '.ACCESS_FRIENDS.' AND '; @@ -729,4 +736,4 @@ END; // This function will let us know when 'init' has finished register_elgg_event_handler('init','system','access_init',9999); -?>
\ No newline at end of file +?> diff --git a/engine/lib/sessions.php b/engine/lib/sessions.php index 18fb9e73c..b34f07725 100644 --- a/engine/lib/sessions.php +++ b/engine/lib/sessions.php @@ -156,6 +156,41 @@ return false; } + /** + * Check if the given user is an admin. + * + * @param $user_guid + * @return bool + */ + function is_admin_user($user_guid) { + global $CONFIG; + + // caching is done at the db level so no need to here. + $query = "SELECT * FROM {$CONFIG->dbprefix}users_entity as e, {$CONFIG->dbprefix}metastrings as ms1, {$CONFIG->dbprefix}metastrings as ms2, {$CONFIG->dbprefix}metadata as md + WHERE ( + ms1.string = 'admin' AND ms2.string = 'yes' + AND md.name_id = ms1.id AND md.value_id = ms2.id + AND e.guid = md.entity_guid + AND e.guid = {$user_guid} + AND e.banned = 'no' + ) + OR ( + ms1.string = 'admin' AND ms2.string = '1' + AND md.name_id = ms1.id AND md.value_id = ms2.id + AND e.guid = md.entity_guid + AND e.guid = {$user_guid} + AND e.banned = 'no' + )"; + + // normalizing the results from get_data() + // See #1242 + $info = get_data($query); + if (!((is_array($info) && count($info) < 1) || $info === false)) { + return true; + } + return false; + } + /** * Perform standard authentication with a given username and password. * Returns an ElggUser object for use with login. |