View Issue Details

IDProjectCategoryView StatusLast Update
0008960phplist applicationUser Managementpublic18-02-08 14:08
Reporterveroxii 
PrioritynormalSeveritymajorReproducibilityalways
Status resolvedResolutionfixed 
Product Version2.10.4 
Target Version2.10.7Fixed in Version2.10.5 
Summary0008960: No checking for duplicate admin on create
DescriptionWhen trying to add a new admin to the system via the web interface, if you select a login name that already exists, the system will still try to insert the record in the database. (and gives a database error on the next page)

There is no checking done to see if a user already exists. It then creates a record in the admin table with an empty loginname field which makes it impossible to add more admins until that record has been removed.

I'm attaching a diff for a fix, which simply does a check in the database before creating a new admin. (/admin/admin.php)

-Johann
TagsNo tags attached.

Relationships

related to 0003721 closed phplist 2.10.x 

Activities

17-01-07 01:43

 

admin.diff (1,121 bytes)
Index: public_html/lists/admin/admin.php
===================================================================
RCS file: /cvsroot/phplist/phplist/public_html/lists/admin/admin.php,v
retrieving revision 1.3.4.2
diff -u -p -r1.3.4.2 admin.php
--- public_html/lists/admin/admin.php	28 Apr 2006 16:04:29 -0000	1.3.4.2
+++ public_html/lists/admin/admin.php	17 Jan 2007 01:37:16 -0000
@@ -31,9 +31,19 @@ if ($noaccess) {
 if (!empty($_POST["change"])) {
   if (empty($_POST["id"])) {
     # new one
-    Sql_Query(sprintf('insert into %s (namelc,created) values("%s",now())',
+    $result = Sql_query(sprintf('SELECT count(*) FROM %s WHERE namelc="%s"',
       $tables["admin"],strtolower(normalize($_POST["loginname"]))));
-    $id = Sql_Insert_Id();
+      
+    $totalres = Sql_fetch_Row($result);
+    $total = $totalres[0];
+    
+    if (!$total) {
+      Sql_Query(sprintf('insert into %s (namelc,created) values("%s",now())',
+        $tables["admin"],strtolower(normalize($_POST["loginname"]))));
+      $id = Sql_Insert_Id();
+    } else {
+      $id = 0;
+    }
   } else {
     $id = sprintf('%d',$_POST["id"]);
   }
admin.diff (1,121 bytes)

user1308

07-08-07 17:37

  ~0030170

Right, thank for the fix.