make sure only a superuser can access the access controls

2005-02-16 22:59:31 +00:00 · 2005-02-16 22:59:31 +00:00 · 3b1febd3fb
commit 3b1febd3fb
parent 82780d85f8
1 changed files with 11 additions and 8 deletions
--- a/admin/committees.php
+++ b/admin/committees.php
@ -168,10 +168,15 @@ if($_POST['add_member'])

 if($_POST['save'])
 {
-	//FIXME: deal with what the user can actually do based on their own permissions
-	if($_POST['access_admin']=="Y") $a_admin='Y'; else $a_admin='N';
-	if($_POST['access_config']=="Y") $a_config='Y'; else $a_config='N';
-	if($_POST['access_super']=="Y") $a_super='Y'; else $a_super='N';
+	if(auth_has_access("super"))
+	{
+		//FIXME: deal with what the user can actually do based on their own permissions
+		if($_POST['access_admin']=="Y") $a_admin='Y'; else $a_admin='N';
+		if($_POST['access_config']=="Y") $a_config='Y'; else $a_config='N';
+		if($_POST['access_super']=="Y") $a_super='Y'; else $a_super='N';
+
+		$access="access_admin='$a_admin', access_config='$a_config', access_super='$a_super', "; 
+	}
 	mysql_query("UPDATE committees_members SET ".
 		"name='".$_POST['name']."', ".
 		"password='".$_POST['password']."', ".
@ -182,10 +187,8 @@ if($_POST['save'])
 		"phonework='".$_POST['phonework']."', ".
 		"phonecell='".$_POST['phonecell']."', ".
 		"fax='".$_POST['fax']."', ".
-		"access_admin='$a_admin', ".
-		"access_config='$a_config', ".
-		"access_super='$a_super', ".
-		"displayemail='".$_POST['displayemail']."' ".
+		$access.
+		" displayemail='".$_POST['displayemail']."' ".
 		" WHERE id='".$_POST['save']."'");

 	if($_POST['ord'])