make sure only a superuser can access the access controls

admin/committees.php

@@ -168,10 +168,15 @@ if($_POST['add_member'])
 
 if($_POST['save'])
 {
-	//FIXME: deal with what the user can actually do based on their own permissions
+	if(auth_has_access("super"))
-	if($_POST['access_admin']=="Y") $a_admin='Y'; else $a_admin='N';
+	{
-	if($_POST['access_config']=="Y") $a_config='Y'; else $a_config='N';
+		//FIXME: deal with what the user can actually do based on their own permissions
-	if($_POST['access_super']=="Y") $a_super='Y'; else $a_super='N';
+		if($_POST['access_admin']=="Y") $a_admin='Y'; else $a_admin='N';
+		if($_POST['access_config']=="Y") $a_config='Y'; else $a_config='N';
+		if($_POST['access_super']=="Y") $a_super='Y'; else $a_super='N';
+
+		$access="access_admin='$a_admin', access_config='$a_config', access_super='$a_super', "; 
+	}
 	mysql_query("UPDATE committees_members SET ".
 		"name='".$_POST['name']."', ".
 		"password='".$_POST['password']."', ".
@@ -182,10 +187,8 @@ if($_POST['save'])
 		"phonework='".$_POST['phonework']."', ".
 		"phonecell='".$_POST['phonecell']."', ".
 		"fax='".$_POST['fax']."', ".
-		"access_admin='$a_admin', ".
+		$access.
-		"access_config='$a_config', ".
+		" displayemail='".$_POST['displayemail']."' ".
-		"access_super='$a_super', ".
-		"displayemail='".$_POST['displayemail']."' ".
 		" WHERE id='".$_POST['save']."'");
 
 	if($_POST['ord'])