View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0008960 | phpList 3 application | Admin Management | public | 17-01-07 01:43 | 18-02-08 14:08 |
| Reporter | veroxii | ||||
| Priority | normal | Severity | major | Reproducibility | always |
| Status | resolved | Resolution | fixed | ||
| Product Version | 2.10.4 | ||||
| Target Version | 2.10.7 | Fixed in Version | 2.10.5 | ||
| Summary | 0008960: No checking for duplicate admin on create | ||||
| Description | When trying to add a new admin to the system via the web interface, if you select a login name that already exists, the system will still try to insert the record in the database. (and gives a database error on the next page) There is no checking done to see if a user already exists. It then creates a record in the admin table with an empty loginname field which makes it impossible to add more admins until that record has been removed. I'm attaching a diff for a fix, which simply does a check in the database before creating a new admin. (/admin/admin.php) -Johann | ||||
| Tags | No tags attached. | ||||
| related to | 0003721 | closed | phplist 2.10.x |
|
17-01-07 01:43
|
admin.diff (1,121 bytes)
Index: public_html/lists/admin/admin.php
===================================================================
RCS file: /cvsroot/phplist/phplist/public_html/lists/admin/admin.php,v
retrieving revision 1.3.4.2
diff -u -p -r1.3.4.2 admin.php
--- public_html/lists/admin/admin.php 28 Apr 2006 16:04:29 -0000 1.3.4.2
+++ public_html/lists/admin/admin.php 17 Jan 2007 01:37:16 -0000
@@ -31,9 +31,19 @@ if ($noaccess) {
if (!empty($_POST["change"])) {
if (empty($_POST["id"])) {
# new one
- Sql_Query(sprintf('insert into %s (namelc,created) values("%s",now())',
+ $result = Sql_query(sprintf('SELECT count(*) FROM %s WHERE namelc="%s"',
$tables["admin"],strtolower(normalize($_POST["loginname"]))));
- $id = Sql_Insert_Id();
+
+ $totalres = Sql_fetch_Row($result);
+ $total = $totalres[0];
+
+ if (!$total) {
+ Sql_Query(sprintf('insert into %s (namelc,created) values("%s",now())',
+ $tables["admin"],strtolower(normalize($_POST["loginname"]))));
+ $id = Sql_Insert_Id();
+ } else {
+ $id = 0;
+ }
} else {
$id = sprintf('%d',$_POST["id"]);
}
|
|
|
Right, thank for the fix. |
