  1. phpBB
  2. PHPBB-9426

board system groups can be deleted


    • Type: Bug
    • Resolution: Fixed
    • 3.0.3
    • 3.0.x
    • Other
    • None
    • PHP Environment: 5.2.6
      Database: MySQL 5.0.67

      Users with the permission (a_groupdel) can delete board system groups (group_type = 3) if they manually call the URL to delete a group and set the group ID to a system group's ID.

      acp_groups.php does not check on delete whether the group is a system group or not; it proceeds without a check. We need this check to protect additional mods with their own system groups from the admins, as a hosting project.

      And I think this is a bug, because the German ACP states that system groups are not deletable.

      A working example for acp_groups.php (+ = inserted lines):

      switch ($action)

      193 {

      194 case 'delete':

      195 if (!$auth->acl_get('a_groupdel'))

      196

      { 197 trigger_error($user->lang['NO_AUTH_OPERATION'] . adm_back_link($this->u_action), E_USER_WARNING); 198 }

      + if ($group_row['group_type'] == GROUP_SPECIAL)
      +
      +

      { + + trigger_error($user->lang['NO_GROUP'] . adm_back_link($this->u_action), E_USER_WARNING); + + }

      +
      199
      200 $error = group_delete($group_id, $group_row['group_name']);

      201 break;
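
Review bot: The check inserted before line 199 only guards the ACP `delete` case, so `group_delete()` itself will still remove a `GROUP_SPECIAL` group for any other caller; consider enforcing the group-type check inside `group_delete()` as well, so the protection does not depend on every entry point repeating it. The error also reuses `$user->lang['NO_GROUP']`, which does not tell the admin that system groups cannot be deleted; a dedicated language string would be clearer. Finally, the check relies on `$group_row` already being loaded for the requested `$group_id` at this point, which the excerpt does not show.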

            Kellanved [X] (Inactive)
            alîna