authorChristian Weiske <cweiske@cweiske.de>2011-11-01 06:49:40 +0100
committerChristian Weiske <cweiske@cweiske.de>2011-11-01 06:49:40 +0100
commitd97b4589ade2dbde4048cfdce284f1b5b8bc9c6d (patch)
tree1411a013e875a68377ffff2bfb386de4e04dc3a0
parente81599e4375b4ae12ff7fe65e0810479ad719b4a (diff)
downloadsemanticscuttle-d97b4589ade2dbde4048cfdce284f1b5b8bc9c6d.tar.gz
semanticscuttle-d97b4589ade2dbde4048cfdce284f1b5b8bc9c6d.tar.bz2
Fix bug #3407728: Can't delete users from admin page
-rw-r--r--doc/ChangeLog1
-rw-r--r--www/admin.php5
2 files changed, 4 insertions, 2 deletions
diff --git a/doc/ChangeLog b/doc/ChangeLog
index 50015c8..3bcd37b 100644
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -10,6 +10,7 @@ ChangeLog for SemantiScuttle
- Fix bug #3393951: Logo images missing on bookmark page
- Fix bug #3388219: Incorrect URL when cancelling tag2tag-actions
- Fix bug #3399815: PHP error in opensearch API in 0.98.3
+- Fix bug #3407728: Can't delete users from admin page
0.98.3 - 2011-08-09
diff --git a/www/admin.php b/www/admin.php
index 1dc21bd..f9b9b8d 100644
--- a/www/admin.php
+++ b/www/admin.php
@@ -47,8 +47,9 @@ if ( !$currentUser->isAdmin() ) {
@list($url, $action, $user) = isset($_SERVER['PATH_INFO']) ? explode('/', $_SERVER['PATH_INFO']) : NULL;
-if ( $action
-&& (strpos($_SERVER['HTTP_REFERER'], ROOT.'admin') === 0) // Prevent CSRF attacks
+if ($action
+ && (strpos($_SERVER['HTTP_REFERER'], ROOT.'admin') <= 6)
+ // Prevent CSRF attacks. 6 is needed for "//example.org"-root urls
) {
switch ( $action ) {
case 'delete':
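Review bot: The relaxed condition on line 36 no longer rejects a request whose Referer does not contain ROOT.'admin' at all: strpos() returns false when the needle is absent, and `false <= 6` is true under PHP's loose comparison, so the check labelled "Prevent CSRF attacks" now passes for any foreign referer, and a missing HTTP_REFERER additionally raises an undefined-index notice before the comparison. Bind the position first and require an integer before bounding it, e.g. `$refPos = isset($_SERVER['HTTP_REFERER']) ? strpos($_SERVER['HTTP_REFERER'], ROOT.'admin') : false;` and then ` && $refPos !== false && $refPos <= 6`. The comment on line 37 would be clearer as `// 6 allows a leading "http:"/"https:" scheme in the referer when ROOT is protocol-relative ("//example.org")`, which is presumably why that bound was chosen. A Referer comparison remains a weak CSRF defence since browsers may omit or strip the header, so a per-session token carried in the admin links is the usual replacement. The `if` body that performs the delete continues past the hunk.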