View Issue Details

ID: 0017452
Project: phpList 3 application
Category: User Management
View Status: public
Last Update: 23-07-15 10:19
Reporter: ivilata
Priority: normal
Severity: feature
Reproducibility: always
Status: new
Resolution: open
Platform: Debian
OS: Debian Wheezy
OS Version: 6.5
Product Version: 3.0.8
Target Version: next minor
Fixed in Version:
Summary: 0017452: Only show subscriber page to admins of their lists
Description: Any admin in a phpList setup is able to access the user page of any subscriber in the system. The attached patch to ``public_html/lists/admin/user.php`` limits access to the user page to those administrators who own some list the subscriber is a member of. This is more amenable to a multi-user setup where administrators are unrelated, as are the subscribers of their lists.
Tags: quick-fix
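The access rule the report describes (an admin may open a subscriber's page only if that subscriber is on a list the admin owns), worked through as an added example that is not part of the issue or of phpList's code. It models the three tables the patch queries (`list.owner`, `listuser.userid`/`listuser.listid`, `admin.id`) in an in-memory SQLite database with constructed rows; the unprefixed table names and the `superuser` column standing in for phpList's "all" access level are simplifications assumed here:

```python
"""Object-level authorization check for a subscriber page.

Added example, not phpList's code. The tables are a simplified model of
the ones the patch queries (admin, list, listuser); the rows are
constructed for this illustration.
"""
import sqlite3

SCHEMA = """
CREATE TABLE admin    (id INTEGER PRIMARY KEY, loginname TEXT, superuser INTEGER NOT NULL);
CREATE TABLE list     (id INTEGER PRIMARY KEY, name TEXT, owner INTEGER NOT NULL);
CREATE TABLE listuser (userid INTEGER NOT NULL, listid INTEGER NOT NULL,
                       PRIMARY KEY (userid, listid));
"""

# Constructed data: one superadmin and two unrelated list owners.
SAMPLE_ROWS = {
    "admin":    [(1, "root", 1), (2, "alice", 0), (3, "bob", 0)],
    "list":     [(10, "alice-news", 2), (11, "bob-news", 3), (12, "alice-shared", 2)],
    # subscriber 100 is only on alice's list, 101 only on bob's, 102 on one of each
    "listuser": [(100, 10), (101, 11), (102, 11), (102, 12)],
}


def open_sample_db():
    """In-memory database loaded with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():
        marks = ", ".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    return conn


def owned_lists_containing(conn, admin_id, subscriber_id):
    """Count of lists owned by admin_id that subscriber_id is a member of.

    Same relation as the patch's query; list.owner already holds the admin
    id, so no join on the admin table is needed. Bound parameters replace
    the sprintf('%d') formatting.
    """
    (count,) = conn.execute(
        "SELECT count(*) FROM list "
        "JOIN listuser ON listuser.listid = list.id "
        "WHERE listuser.userid = ? AND list.owner = ?",
        (subscriber_id, admin_id),
    ).fetchone()
    return count


def admin_may_view_subscriber(conn, admin_id, subscriber_id):
    """Decide whether admin_id may open subscriber_id's page.

    Superadmins (modelled by the superuser flag, standing in for phpList's
    "all" access level) may view anyone. Other admins need at least one
    owned list the subscriber belongs to. Unknown admins and a missing or
    zero subscriber id are denied rather than falling through.
    """
    row = conn.execute("SELECT superuser FROM admin WHERE id = ?", (admin_id,)).fetchone()
    if row is None:
        return False
    if row[0]:
        return True
    if not subscriber_id:
        return False
    return owned_lists_containing(conn, admin_id, subscriber_id) > 0


if __name__ == "__main__":
    db = open_sample_db()
    for admin, sub in [(2, 100), (2, 101), (2, 102), (3, 100), (1, 101), (2, 0)]:
        verdict = "allowed" if admin_may_view_subscriber(db, admin, sub) else "denied"
        print(f"admin {admin} -> subscriber {sub}: {verdict}")
```

Running the block prints one verdict per pair: alice (admin 2) may open subscribers 100 and 102 but not 101, who is only on bob's list, while the superadmin sees everyone. The check is made explicit for a missing or zero subscriber id, which the patch only denies as a side effect of `%d` formatting an empty value as 0.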

Activities

ivilata (reporter), 07-10-14 10:48

own-user.diff (1,075 bytes)
--- user.php.orig	2014-09-08 13:19:39.000000000 +0200
+++ user.php	2014-10-07 12:23:34.242879950 +0200
@@ -53,6 +53,21 @@
     $subselect = " and ".$tables["list"].".id = 0";
     $subselect_where = " where ".$tables["list"].".owner = 0";break;
 }
+
+if ($access != "all") {
+  /* Only allow access if the logged in admin owns
+     some of the lists the user is subscribed to. */
+  $admin_userlists = Sql_Fetch_Row_Query(sprintf("select count(*) from {$tables["list"]}
+    inner join {$tables["admin"]} on {$tables["list"]}.owner = {$tables["admin"]}.id
+    inner join {$tables["listuser"]} on {$tables["list"]}.id = {$tables["listuser"]}.listid
+    where {$tables["listuser"]}.userid = %d and {$tables["admin"]}.id = %d",
+                                                 $id, $_SESSION["logindetails"]["id"]));
+  if ($admin_userlists[0] == 0) {
+    print Error("This subscriber is not a member of any of your lists.");
+    return;
+  }
+}
+
 if ($access == "all") {
   $delete_message = '<br />'.s('Delete will remove subscriber from the list').'<br />';
 } else {
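Review bot: the new check denies whenever the count is zero, which includes the case where `$id` is unset or 0, because `%d` formats a missing id as 0; if user.php is also reached without an id (for example to add a new subscriber), every non-superadmin would be locked out of that path, so either confirm that never happens here or guard it explicitly (`if ($access != "all" && !empty($id))`). Separately, the inner join on `{$tables["admin"]}` is redundant: `{$tables["list"]}.owner` already holds the admin id, so `where {$tables["listuser"]}.userid = %d and {$tables["list"]}.owner = %d` gives the same result with one join fewer.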

michiel (manager), 20-05-15 09:59, ~0056113

Would be great to get that as a PR on GitHub.