[Scoop-checkins] scoop/lib/Scoop/Admin EditUser.pm

Tue Oct 3 12:36:32 PDT 2006

Update of /cvs/scoop/scoop/lib/Scoop/Admin
In directory lithium.sabren.com:/tmp/cvs-serv25566/lib/Scoop/Admin

Modified Files:
	EditUser.pm 
Log Message:
File delete fix. Stop any user with file upload permission being able to
delete admin files.


Index: EditUser.pm
===================================================================
RCS file: /cvs/scoop/scoop/lib/Scoop/Admin/EditUser.pm,v
retrieving revision 1.137
retrieving revision 1.138
diff -C2 -d -r1.137 -r1.138
*** EditUser.pm	14 Oct 2005 20:07:09 -0000	1.137
--- EditUser.pm	3 Oct 2006 19:36:29 -0000	1.138
***************
*** 37,49 ****
  	# check for delete activity
  	if ( $S->{CGI}->param('confirm_delete') && $S->{CGI}->param('delete') && $file_name ) {
- 		my $path;
- 		return 'Permission Denied' if ($uid ne $S->{UID}) || !$S->var('upload_delete');
  		if ( $S->{CGI}->param('list_type') eq 'user' ) {
! 			$path = $S->var('upload_path_user') . "$uid/";
  		} else {
! 			$path = $S->var('upload_path_admin');
  		};
  
- 		unlink "$path$file_name";
  
  		$page .= qq{<tr><td>%%norm_font%%<b><font color="red">$file_name deleted.</font></b>%%norm_font_end%%<br/>&nbsp;</td></tr>};
--- 37,48 ----
  	# check for delete activity
  	if ( $S->{CGI}->param('confirm_delete') && $S->{CGI}->param('delete') && $file_name ) {
  		if ( $S->{CGI}->param('list_type') eq 'user' ) {
! 			return 'Permission Denied' if ($uid ne $S->{UID}) || !$S->var('upload_delete');
! 			$S->delete_user_file($file_name);
  		} else {
! 			return 'Permission Denied' if !($S->var('upload_admin') && $S->var('upload_delete'));
! 			$S->delete_admin_file($file_name);
  		};
  
  
  		$page .= qq{<tr><td>%%norm_font%%<b><font color="red">$file_name deleted.</font></b>%%norm_font_end%%<br/>&nbsp;</td></tr>};
***************
*** 55,62 ****
  		my $file_name_new = $S->clean_filename($S->{CGI}->param('rename_filename'));
  
- 		return 'Permission Denied' if ($uid ne $S->{UID}) || !$S->var('upload_rename');
  		if ( $S->{CGI}->param('list_type') eq 'user' ) {
  			$path = $S->var('upload_path_user') . "$uid/";
  		} else {
  			$path = $S->var('upload_path_admin');
  		};
--- 54,62 ----
  		my $file_name_new = $S->clean_filename($S->{CGI}->param('rename_filename'));
  
  		if ( $S->{CGI}->param('list_type') eq 'user' ) {
+ 			return 'Permission Denied' if ($uid ne $S->{UID}) || !$S->var('upload_rename');
  			$path = $S->var('upload_path_user') . "$uid/";
  		} else {
+ 			return 'Permission Denied' if !($S->var('upload_admin') && $S->var('upload_rename'));
  			$path = $S->var('upload_path_admin');
  		};
***************
*** 112,116 ****
  	my $file_list = qq{
  		<tr>
! 			<TD BGCOLOR="%%title_bgcolor%%">%%title_font%%<B>$title</B>%%title_font_end%%</TD>
  		</tr>
  		<tr>
--- 112,116 ----
  	my $file_list = qq{
  		<tr>
! 			<td bgcolor="%%title_bgcolor%%">%%title_font%%<b>$title</b>%%title_font_end%%</td>
  		</tr>
  		<tr>