Security fix: delete & save not accessible to non admins

François Jacquet · François Jacquet · commit 1585a9d2465a · 2013-11-21T15:06:04.000-05:00
diff --git a/modules/Students/AddressFields.php b/modules/Students/AddressFields.php
@@ -2,7 +2,7 @@
 DrawHeader(ProgramTitle());
 //$_ROSARIO['allow_edit'] = true;
 
-if($_REQUEST['tables'] && $_POST['tables'])
+if($_REQUEST['tables'] && $_POST['tables'] && AllowEdit())
 {
 	$table = $_REQUEST['table'];
 	foreach($_REQUEST['tables'] as $id=>$columns)
@@ -113,7 +113,7 @@
 	unset($_REQUEST['tables']);
 }
 
-if($_REQUEST['modfunc']=='delete')
+if($_REQUEST['modfunc']=='delete' && AllowEdit())
 {
 	if($_REQUEST['id'])
 	{
diff --git a/modules/Students/PeopleFields.php b/modules/Students/PeopleFields.php
@@ -2,7 +2,7 @@
 DrawHeader(ProgramTitle());
 //$_ROSARIO['allow_edit'] = true;
 
-if($_REQUEST['tables'] && $_POST['tables'])
+if($_REQUEST['tables'] && $_POST['tables'] && AllowEdit())
 {
 	$table = $_REQUEST['table'];
 	foreach($_REQUEST['tables'] as $id=>$columns)
@@ -113,7 +113,7 @@
 	unset($_REQUEST['tables']);
 }
 
-if($_REQUEST['modfunc']=='delete')
+if($_REQUEST['modfunc']=='delete' && AllowEdit())
 {
 	if($_REQUEST['id'])
 	{
diff --git a/modules/Students/StudentFields.php b/modules/Students/StudentFields.php
@@ -2,7 +2,7 @@
 DrawHeader(ProgramTitle());
 //$_ROSARIO['allow_edit'] = true;
 
-if($_REQUEST['tables'] && $_POST['tables'])
+if($_REQUEST['tables'] && $_POST['tables'] && AllowEdit())
 {
 	$table = $_REQUEST['table'];
 	foreach($_REQUEST['tables'] as $id=>$columns)
@@ -118,7 +118,7 @@
 	unset($_REQUEST['tables']);
 }
 
-if($_REQUEST['modfunc']=='delete')
+if($_REQUEST['modfunc']=='delete' && AllowEdit())
 {
 	if($_REQUEST['id'])
 	{
diff --git a/modules/Users/UserFields.php b/modules/Users/UserFields.php
@@ -2,7 +2,7 @@
 DrawHeader(ProgramTitle());
 //$_ROSARIO['allow_edit'] = true;
 
-if($_REQUEST['tables'] && $_POST['tables'])
+if($_REQUEST['tables'] && $_POST['tables'] && AllowEdit())
 {
 	$table = $_REQUEST['table'];
 	foreach($_REQUEST['tables'] as $id=>$columns)
@@ -118,7 +118,7 @@
 	unset($_REQUEST['tables']);
 }
 
-if($_REQUEST['modfunc']=='delete')
+if($_REQUEST['modfunc']=='delete' && AllowEdit())
 {
 	if($_REQUEST['id'])
 	{

Original file line number	Diff line number	Diff line change
`@@ -2,7 +2,7 @@`
`2`	`2`	`DrawHeader(ProgramTitle());`
`3`	`3`	`//$_ROSARIO['allow_edit'] = true;`
`4`	`4`
`5`		`-if($_REQUEST['tables'] && $_POST['tables'])`
	`5`	`+if($_REQUEST['tables'] && $_POST['tables'] && AllowEdit())`
`6`	`6`	`{`
`7`	`7`	`$table = $_REQUEST['table'];`
`8`	`8`	`foreach($_REQUEST['tables'] as $id=>$columns)`
`@@ -113,7 +113,7 @@`
`113`	`113`	`unset($_REQUEST['tables']);`
`114`	`114`	`}`
`115`	`115`
`116`		`-if($_REQUEST['modfunc']=='delete')`
	`116`	`+if($_REQUEST['modfunc']=='delete' && AllowEdit())`
`117`	`117`	`{`
`118`	`118`	`if($_REQUEST['id'])`
`119`	`119`	`{`