View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0008960 | phpList 3 application | Admin Management | public | 17-01-07 01:43 | 18-02-08 14:08 |
Reporter | veroxii | ||||
Priority | normal | Severity | major | Reproducibility | always |
Status | resolved | Resolution | fixed | ||
Product Version | 2.10.4 | ||||
Target Version | 2.10.7 | Fixed in Version | 2.10.5 | ||
Summary | 0008960: No checking for duplicate admin on create | ||||
Description | When trying to add a new admin to the system via the web interface, if you select a login name that already exists, the system will still try to insert the record in the database. (and gives a database error on the next page) There is no checking done to see if a user already exists. It then creates a record in the admin table with an empty loginname field which makes it impossible to add more admins until that record has been removed. I'm attaching a diff for a fix, which simply does a check in the database before creating a new admin. (/admin/admin.php) -Johann | ||||
Tags | No tags attached. | ||||
related to | 0003721 | closed | phplist 2.10.x |
17-01-07 01:43
|
admin.diff (1,121 bytes)
Index: public_html/lists/admin/admin.php =================================================================== RCS file: /cvsroot/phplist/phplist/public_html/lists/admin/admin.php,v retrieving revision 1.3.4.2 diff -u -p -r1.3.4.2 admin.php --- public_html/lists/admin/admin.php 28 Apr 2006 16:04:29 -0000 1.3.4.2 +++ public_html/lists/admin/admin.php 17 Jan 2007 01:37:16 -0000 @@ -31,9 +31,19 @@ if ($noaccess) { if (!empty($_POST["change"])) { if (empty($_POST["id"])) { # new one - Sql_Query(sprintf('insert into %s (namelc,created) values("%s",now())', + $result = Sql_query(sprintf('SELECT count(*) FROM %s WHERE namelc="%s"', $tables["admin"],strtolower(normalize($_POST["loginname"])))); - $id = Sql_Insert_Id(); + + $totalres = Sql_fetch_Row($result); + $total = $totalres[0]; + + if (!$total) { + Sql_Query(sprintf('insert into %s (namelc,created) values("%s",now())', + $tables["admin"],strtolower(normalize($_POST["loginname"])))); + $id = Sql_Insert_Id(); + } else { + $id = 0; + } } else { $id = sprintf('%d',$_POST["id"]); } |
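Review bot: The added SELECT count(*) and the insert that follows it in the "new one" branch are a check-then-act pair with nothing making them atomic, so two create requests submitted at the same moment with the same loginname can both read a count of 0 and both reach the insert. Keep the pre-check for the normal path, but also test the return value of the insert Sql_Query before calling Sql_Insert_Id(), and let a uniqueness constraint on namelc be the final arbiter if the table has one. Two smaller points on the same lines: the else branch sets $id = 0 with no message visible in this hunk, so the code after it needs to treat 0 as "not created" and tell the admin the name is taken rather than continue to the update path; and $_POST["loginname"] is now interpolated into two double-quoted SQL literals via sprintf, with only normalize() and strtolower() visible in between, so it is worth confirming that normalize() escapes quote characters. The lookup is also not guarded against an empty loginname, which is the value the report says ends up blocking further admin creation.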
|
Right, thanks for the fix. |