Fossil SCM

More cases of incorrect permission checks.

drh 2018-07-14 22:16 trunk
Commit a2e1f9fb40a8b29cd1c91002be6e7c733ed3b2902c5aa608b63b6fc5767db4d8
2 files changed +2 -2 +5 -2
+2 -2
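--- a/src/moderate.c
+++ b/src/moderate.c
@@ -144,12 +144,12 @@
 void modreq_page(void){
 Blob sql;
 Stmt q;
 
 login_check_credentials();
-if( !g.perm.RdWiki && !g.perm.RdTkt ){
-login_needed(g.anon.RdWiki && g.anon.RdTkt);
+if( !g.perm.ModWiki && !g.perm.ModTkt ){
+login_needed(g.anon.ModWiki && g.anon.ModTkt);
 return;
 }
 style_header("Pending Moderation Requests");
 @ <h2>All Pending Moderation Requests</h2>
 if( moderation_table_exists() ){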
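Review bot: The argument on the new `login_needed(g.anon.ModWiki && g.anon.ModTkt)` line uses `&&`, while the gate directly above admits a user who holds either capability, so the two conditions disagree. If that argument tells login_needed() whether an anonymous login would be enough (its definition is not visible here), `login_needed(g.anon.ModWiki || g.anon.ModTkt);` matches the check. The page heading reads "All Pending Moderation Requests" and the body of modreq_page continues past the hunk, so it is worth confirming that a user with only one of the two capabilities is meant to see both kinds of pending request.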
+5 -2
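--- a/src/skins.c
+++ b/src/skins.c
@@ -720,16 +720,19 @@
 iSkin = atoi(PD("sk","1"));
 if( iSkin<1 || iSkin>9 ) iSkin = 1;
 
 /* Check that the user is authorized to edit this skin. */
 if( !g.perm.Setup ){
-char *zAllowedEditors = db_get_mprintf("", "draft%d-users", iSkin);
+char *zAllowedEditors = "";
 Glob *pAllowedEditors;
 int isMatch = 0;
+if( login_is_individual() ){
+zAllowedEditors = db_get_mprintf("", "draft%d-users", iSkin);
+}
 if( zAllowedEditors[0] ){
 pAllowedEditors = glob_create(zAllowedEditors);
-isMatch = glob_match(pAllowedEditors, zAllowedEditors);
+isMatch = glob_match(pAllowedEditors, g.zLogin);
 glob_free(pAllowedEditors);
 }
 if( isMatch==0 ){
 login_needed(0);
 return;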
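Review bot: `glob_match(pAllowedEditors, g.zLogin)` is reached only when `zAllowedEditors` is non-empty, which happens only after `login_is_individual()` returned true, and nothing in the hunk records that this is what keeps `g.zLogin` usable at that call. A comment above the new guard would state it, for example `/* Only a named login can match draft%d-users; for any other session the list stays "" and access is denied */`. `zAllowedEditors` now starts out pointing at a string literal, so declaring it `const char *zAllowedEditors = "";` would make the compiler flag a later write or free through it; whether the db_get_mprintf() result needs releasing is not visible here. The enclosing function starts and ends outside the hunk.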
