From 73db50564482a025279850940565a57ad7d9ea93 Mon Sep 17 00:00:00 2001
From: MrPMan
Date: Sun, 3 Jan 2016 23:52:04 -0800
Subject: [PATCH 1/3] friends.php uses Level instead of PermissionID

Fixes a coding inconsistency that allowed users with users_mod to always view LastSeen, which is intended behavior, but it worked for the wrong reasons.
---
 sections/friends/friends.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/sections/friends/friends.php b/sections/friends/friends.php
index 6d82599c..ce03c908 100644
--- a/sections/friends/friends.php
+++ b/sections/friends/friends.php
@@ -30,13 +30,14 @@
 m.Username,
 m.Uploaded,
 m.Downloaded,
- m.PermissionID,
+ p.Level,
 m.Paranoia,
 m.LastAccess,
 i.Avatar
 FROM friends AS f
 JOIN users_main AS m ON f.FriendID = m.ID
 JOIN users_info AS i ON f.FriendID = i.UserID
+ LEFT JOIN permissions AS p ON p.ID = m.PermissionID
 WHERE f.UserID = '$UserID'
 ORDER BY Username
 LIMIT $Limit");
From 1653cade95da04510bc6eacd6a06611282a12ef9 Mon Sep 17 00:00:00 2001
From: MrPMan
Date: Sun, 3 Jan 2016 23:54:48 -0800
Subject: [PATCH 2/3] users_mod always overrides lastseen paranoia

Users with users_mod always get PARANOIA_OVERRIDDEN for lastseen. This means moderators can now see the LastAccess for higher-ranked staff members, like they should have always been able to.
---
 classes/paranoia.class.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/classes/paranoia.class.php b/classes/paranoia.class.php
index ed575583..67e28a60 100644
--- a/classes/paranoia.class.php
+++ b/classes/paranoia.class.php
@@ -80,7 +80,7 @@ function check_paranoia($Property, $Paranoia, $UserClass, $UserID = false) {
 case 'ratio':
 case 'uploaded':
 case 'lastseen':
- if (check_perms('users_mod', $UserClass))
+ if (check_perms('users_mod'))
 return PARANOIA_OVERRIDDEN;
 break;
 case 'snatched': case 'snatched+':
From 54bc9a7553fc44d8624f1e6d293fe186bf4734dd Mon Sep 17 00:00:00 2001
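Review bot: The added `LEFT JOIN permissions AS p` makes `p.Level` NULL for any friend whose `PermissionID` has no row in `permissions`, whereas the replaced `m.PermissionID` column came straight from `users_main`. The code that reads this column is outside the hunk; if it passes the value on as a minimum class, a NULL would probably compare like 0 in PHP and let the class check pass for that row. Either use a plain `JOIN permissions AS p ON p.ID = m.PermissionID` if every user is guaranteed a class row, or handle a NULL Level explicitly as the most restrictive case where the row is read. Separately, `'$UserID'` and `$Limit` are interpolated into the statement, and their validation is not visible here, so it is worth confirming both are integers before this query runs.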
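Review bot: The `case 'ratio':` and `case 'uploaded':` labels fall through to the same branch as `case 'lastseen':`, so dropping `$UserClass` from the `check_perms('users_mod')` call removes the class comparison for all of them, while the commit message only describes lastseen. If the wider override is not intended, keep the class argument for the other properties, e.g. `if (check_perms('users_mod', $Property === 'lastseen' ? 0 : $UserClass))` (0 being the default `$MinClass` shown for `Permissions::check_perms` in this series). If it is intended, a comment such as `// users_mod overrides these regardless of the target's class` would record that staff visibility was widened deliberately. The switch starts above the hunk, so further labels may share this branch.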
From: MrPMan
Date: Sun, 3 Jan 2016 23:59:02 -0800
Subject: [PATCH 3/3] Removed unnecessary permissions code

$UserInfo['Level'] will never be higher than $UserInfo['EffectiveClass'], as that's the whole point of EffectiveClass. As such, it is pointless to run a comparison against both Level and EffectiveClass in check_perms, as $UserInfo['EffectiveClass'] >= $UserInfo['Level'], so if $UserInfo['Level'] >= $MinClass, $UserInfo['EffectiveClass'] >= $MinClass.
---
 classes/permissions.class.php | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/classes/permissions.class.php b/classes/permissions.class.php
index 4af3060e..ae57dbb5 100644
--- a/classes/permissions.class.php
+++ b/classes/permissions.class.php
@@ -14,8 +14,7 @@ public static function check_perms($PermissionName, $MinClass = 0) {
 return (
 isset(G::$LoggedUser['Permissions'][$PermissionName])
 && G::$LoggedUser['Permissions'][$PermissionName]
- && (G::$LoggedUser['Class'] >= $MinClass
- || G::$LoggedUser['EffectiveClass'] >= $MinClass
+ && (G::$LoggedUser['EffectiveClass'] >= $MinClass
 || $Override)
 ) ? true : false;
 }
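Review bot: With the `G::$LoggedUser['Class']` comparison removed, the class check in `check_perms` rests on `G::$LoggedUser['EffectiveClass']` alone, and the invariant the commit message relies on is enforced somewhere outside this hunk. The message also argues in terms of `$UserInfo['Level']`, while the line removed compares `G::$LoggedUser['Class']`, so it is worth confirming the two hold the same value. Because this is the central authorization predicate, I would state the dependency next to the comparison, e.g. `// Invariant: EffectiveClass >= Class for every logged-in user; this is the only class check`. The function's opening lines, including where `$Override` is assigned, are outside the hunk, so whether `|| $Override` is meant to bypass `$MinClass` entirely cannot be judged from here.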