Index: docs/CHANGELOG.html
===================================================================
--- docs/CHANGELOG.html (revision 9327)
+++ docs/CHANGELOG.html (working copy)
@@ -105,6 +105,7 @@
[Change] Default difference view is now 'inline' instead of 'side by side'
[Change] Added new option for merging differences to conflicting files in automatic updater
[Change] Added new options for visual confirmation.
+ [Sec] Prevent accounts from being activated by users when admin activation is turned on.
1.ii. Changes since 3.0.3
Index: includes/ucp/ucp_activate.php
===================================================================
--- includes/ucp/ucp_activate.php (revision 9324)
+++ includes/ucp/ucp_activate.php (working copy)
@@ -56,6 +56,17 @@
trigger_error('WRONG_ACTIVATION');
}
+ // Do not allow activating by non administrators when admin activation is on
+ // Only activation type the user should be able to do is INACTIVE_REMIND
+ if ($user_row['user_inactive_reason'] != INACTIVE_REMIND && $config['require_activation'] == USER_ACTIVATION_ADMIN && !$auth->acl_get('a_user'))
+ {
+ if (!$user->data['is_registered'])
+ {
+ login_box('', $user->lang['NO_AUTH_OPERATION']);
+ }
+ trigger_error('NO_AUTH_OPERATION');
+ }
+
$update_password = ($user_row['user_newpasswd']) ? true : false;
if ($update_password)
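Review bot: The new guard runs before `$update_password` is computed, so on a board with admin activation it appears to reject new-password activation links as well, since a user who only requested a new password presumably does not have `user_inactive_reason` set to `INACTIVE_REMIND`. If that is not intended, exempt that path in the condition, e.g. `if (!$user_row['user_newpasswd'] && $user_row['user_inactive_reason'] != INACTIVE_REMIND && $config['require_activation'] == USER_ACTIVATION_ADMIN && !$auth->acl_get('a_user'))`, and extend the comment to say why the password case is let through. Before doing so, confirm that the password branch further down cannot itself activate an account that is still awaiting admin approval, otherwise the exemption reopens the hole this commit closes. The enclosing function starts and ends outside the hunk, so it is also worth checking that `$auth` and `$config` are in scope there.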