Index: docs/CHANGELOG.html
===================================================================
--- docs/CHANGELOG.html	(revision 9327)
+++ docs/CHANGELOG.html	(working copy)
@@ -105,6 +105,7 @@
 		<li>[Change] Default difference view is now 'inline' instead of 'side by side'</li>
 		<li>[Change] Added new option for merging differences to conflicting files in automatic updater</li>
 		<li>[Change] Added new options for visual confirmation.</li>
+		<li>[Sec] Prevent accounts from being activated by users when admin activation is turned on.</li>
 	</ul>
 
 	<a name="v303"></a><h3>1.ii. Changes since 3.0.3</h3>
Index: includes/ucp/ucp_activate.php
===================================================================
--- includes/ucp/ucp_activate.php	(revision 9324)
+++ includes/ucp/ucp_activate.php	(working copy)
@@ -56,6 +56,17 @@
 			trigger_error('WRONG_ACTIVATION');
 		}
 
+		// Do not allow activating by non administrators when admin activation is on
+		// Only activation type the user should be able to do is INACTIVE_REMIND
+		if ($user_row['user_inactive_reason'] != INACTIVE_REMIND && $config['require_activation'] == USER_ACTIVATION_ADMIN && !$auth->acl_get('a_user'))
+		{
+			if (!$user->data['is_registered'])
+			{
+				login_box('', $user->lang['NO_AUTH_OPERATION']);
+			}
+			trigger_error('NO_AUTH_OPERATION');
+		}
+
 		$update_password = ($user_row['user_newpasswd']) ? true : false;
 
 		if ($update_password)