From fc7f4e880ddfed812438fabc791c5f5056f541e6 Mon Sep 17 00:00:00 2001
From: cash
Date: Wed, 17 Nov 2010 12:38:14 +0000
Subject: Closes #1422 admin user actions now check for self before banning, deleting, or removing admin privileges
git-svn-id: http://code.elgg.org/elgg/trunk@7332 36083f99-b078-4883-b0ff-0f9b5a30f544
---
 actions/admin/user/ban.php | 13 +++++++++----
 actions/admin/user/delete.php | 15 ++++++++++-----
 actions/admin/user/removeadmin.php | 5 +++++
 actions/admin/user/resetpassword.php | 14 +++++++-------
 actions/admin/user/unban.php | 6 +++---
 5 files changed, 34 insertions(+), 19 deletions(-)
(limited to 'actions/admin/user')
diff --git a/actions/admin/user/ban.php b/actions/admin/user/ban.php
index 6622673e6..5ad6c29c5 100644
--- a/actions/admin/user/ban.php
+++ b/actions/admin/user/ban.php
@@ -12,10 +12,15 @@ admin_gatekeeper();
 $guid = get_input('guid');
-$obj = get_entity($guid);
+$user = get_entity($guid);
-if (($obj instanceof ElggUser) && ($obj->canEdit())) {
- if ($obj->ban('banned')) {
+if ($guid == get_loggedin_userid()) {
+ register_error(elgg_echo('admin:user:self:ban:no'));
+ forward(REFERER);
+}
+
+if (($user instanceof ElggUser) && ($user->canEdit())) {
+ if ($user->ban('banned')) {
 system_message(elgg_echo('admin:user:ban:yes'));
 } else {
 register_error(elgg_echo('admin:user:ban:no'));
@@ -24,4 +29,4 @@ if (($obj instanceof ElggUser) && ($obj->canEdit())) {
 register_error(elgg_echo('admin:user:ban:no'));
 }
-forward('pg/admin/user/');
\ No newline at end of file
+forward(REFERER);
\ No newline at end of file
diff --git a/actions/admin/user/delete.php b/actions/admin/user/delete.php
index e8d835722..a5e1886ec 100644
--- a/actions/admin/user/delete.php
+++ b/actions/admin/user/delete.php
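Review bot: The self-check added at the top of the first ban.php hunk compares the raw `$guid` request value against `get_loggedin_userid()` with `==`, before `get_entity()` has resolved it and before the `instanceof ElggUser` guard, so the identity the check reasons about and the entity the action later bans come from two separate conversions of the same untrusted input. Guarding on the resolved entity keeps the two in agreement: place the check after the `instanceof`/`canEdit()` test and write it as `if ($user->guid == get_loggedin_userid()) {`, which also drops the loose string-to-int comparison on input. The delete.php and removeadmin.php hunks add the same pattern and should be changed the same way. The second ban.php hunk's `forward(REFERER)` depends on the request carrying a Referer header; it is worth confirming what `forward()` does with an empty location so an admin without one is not left on an unintended page.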
@@ -15,13 +15,18 @@ admin_gatekeeper();
 // Get the user
 $guid = get_input('guid');
-$obj = get_entity($guid);
+$user = get_entity($guid);
-$name = $obj->name;
-$username = $obj->username;
+if ($guid == get_loggedin_userid()) {
+ register_error(elgg_echo('admin:user:self:delete:no'));
+ forward(REFERER);
+}
+
+$name = $user->name;
+$username = $user->username;
-if (($obj instanceof ElggUser) && ($obj->canEdit())) {
- if ($obj->delete()) {
+if (($user instanceof ElggUser) && ($user->canEdit())) {
+ if ($user->delete()) {
 system_message(elgg_echo('admin:user:delete:yes', array($name)));
 } else {
 register_error(elgg_echo('admin:user:delete:no'));
diff --git a/actions/admin/user/removeadmin.php b/actions/admin/user/removeadmin.php
index 468670940..97bfc396b 100644
--- a/actions/admin/user/removeadmin.php
+++ b/actions/admin/user/removeadmin.php
@@ -11,6 +11,11 @@ admin_gatekeeper();
 $guid = get_input('guid');
 $user = get_entity($guid);
+if ($guid == get_loggedin_userid()) {
+ register_error(elgg_echo('admin:user:self:removeadmin:no'));
+ forward(REFERER);
+}
+
 if (($user instanceof ElggUser) && ($user->canEdit())) {
 if ($user->removeAdmin()) {
 system_message(elgg_echo('admin:user:removeadmin:yes'));
diff --git a/actions/admin/user/resetpassword.php b/actions/admin/user/resetpassword.php
index 24127eb8b..14de69cb6 100644
--- a/actions/admin/user/resetpassword.php
+++ b/actions/admin/user/resetpassword.php
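Review bot: In the delete.php hunk, `$name = $user->name;` and `$username = $user->username;` are still executed before the `instanceof ElggUser` guard, so an unknown or non-user guid makes the script read properties off the `false` that `get_entity()` returns; the self-check inserted above them does not change that ordering. Move the two assignments inside the guarded block, i.e. `if (($user instanceof ElggUser) && ($user->canEdit())) {` followed by `$name = $user->name;` and `$username = $user->username;` ahead of the `delete()` call, so the only dereference happens on a verified user. The if block this hunk opens is closed outside the hunk.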
@@ -17,22 +17,22 @@ admin_gatekeeper();
 $guid = get_input('guid');
-$obj = get_entity($guid);
+$user = get_entity($guid);
-if (($obj instanceof ElggUser) && ($obj->canEdit())) {
+if (($user instanceof ElggUser) && ($user->canEdit())) {
 $password = generate_random_cleartext_password();
 // Always reset the salt before generating the user password.
- $obj->salt = generate_random_cleartext_password();
- $obj->password = generate_user_password($obj, $password);
+ $user->salt = generate_random_cleartext_password();
+ $user->password = generate_user_password($user, $password);
- if ($obj->save()) {
+ if ($user->save()) {
 system_message(elgg_echo('admin:user:resetpassword:yes'));
- notify_user($obj->guid,
+ notify_user($user->guid,
 $CONFIG->site->guid, elgg_echo('email:resetpassword:subject'),
- elgg_echo('email:resetpassword:body', array($obj->username, $password)),
+ elgg_echo('email:resetpassword:body', array($user->username, $password)),
 NULL, 'email');
 } else {
diff --git a/actions/admin/user/unban.php b/actions/admin/user/unban.php
index 66173623a..883e074ed 100644
--- a/actions/admin/user/unban.php
+++ b/actions/admin/user/unban.php
@@ -12,10 +12,10 @@ $access_status = access_get_show_hidden_status();
 access_show_hidden_entities(true);
 $guid = get_input('guid');
-$obj = get_entity($guid);
+$user = get_entity($guid);
-if (($obj instanceof ElggUser) && ($obj->canEdit())) {
- if ($obj->unban()) {
+if (($user instanceof ElggUser) && ($user->canEdit())) {
+ if ($user->unban()) {
 system_message(elgg_echo('admin:user:unban:yes'));
 } else {
 register_error(elgg_echo('admin:user:unban:no'));
-- 
cgit v1.2.3