Harden validation of typ value, #6888

helmo · helmo · commit 1d80ca5ffaac · 2025-06-12T17:00:06.000+02:00
diff --git a/interface/web/admin/users_edit.php b/interface/web/admin/users_edit.php
@@ -54,7 +54,7 @@ function onBeforeInsert() {
 		global $app, $conf;
 		
 		//* Security settings check
-		if(isset($this->dataRecord['typ']) && $this->dataRecord['typ'][0] == 'admin') {
+		if(isset($this->dataRecord['typ']) && in_array('admin', $this->dataRecord['typ'])) {
 			$app->auth->check_security_permissions('admin_allow_new_admin');
 		}
 
@@ -63,7 +63,7 @@ function onBeforeInsert() {
 		}
 		
 		//* Do not add users here
-		if(isset($this->dataRecord['typ']) && $this->dataRecord['typ'][0] == 'user') {
+		if(isset($this->dataRecord['typ']) && in_array('user', $this->dataRecord['typ'])) {
 			$app->tform->errorMessage .= $app->tform->wordbook['no_user_insert'];
 		}
 		
@@ -75,7 +75,7 @@ function onBeforeUpdate() {
 		if($conf['demo_mode'] == true && $_REQUEST['id'] <= 3) $app->error('This function is disabled in demo mode.');
 
 		//* Security settings check
-		if(isset($this->dataRecord['typ']) && $this->dataRecord['typ'][0] == 'admin') {
+		if(isset($this->dataRecord['typ']) && in_array('admin', $this->dataRecord['typ'])) {
 			$app->auth->check_security_permissions('admin_allow_new_admin');
 		}
 
@@ -86,12 +86,12 @@ function onBeforeUpdate() {
 		$this->oldDataRecord = $app->tform->getDataRecord($this->id);
 		
 		//* A user that belongs to a client record (client or reseller) may not have typ admin
-		if(isset($this->dataRecord['typ']) && $this->dataRecord['typ'][0] == 'admin'  && $this->oldDataRecord['client_id'] > 0) {
+		if(isset($this->dataRecord['typ']) && in_array('admin', $this->dataRecord['typ']) && $this->oldDataRecord['client_id'] > 0) {
 			$app->tform->errorMessage .= $app->tform->wordbook['client_not_admin_err'];
 		}
 		
 		//* Users have to belong to clients
-		if(isset($this->dataRecord['typ']) && $this->dataRecord['typ'][0] == 'user'  && $this->oldDataRecord['client_id'] == 0) {
+		if(isset($this->dataRecord['typ']) && in_array('user', $this->dataRecord['typ']) && $this->oldDataRecord['client_id'] == 0) {
 			$app->tform->errorMessage .= $app->tform->wordbook['no_user_insert'];
 		}
 		

Original file line number	Diff line number	Diff line change
`@@ -54,7 +54,7 @@ function onBeforeInsert() {`
`54`	`54`	`global $app, $conf;`
`55`	`55`
`56`	`56`	`//* Security settings check`
`57`		`- if(isset($this->dataRecord['typ']) && $this->dataRecord['typ'][0] == 'admin') {`
	`57`	`+ if(isset($this->dataRecord['typ']) && in_array('admin', $this->dataRecord['typ'])) {`
`58`	`58`	`$app->auth->check_security_permissions('admin_allow_new_admin');`
`59`	`59`	`}`
`60`	`60`
`@@ -63,7 +63,7 @@ function onBeforeInsert() {`
`63`	`63`	`}`
`64`	`64`
`65`	`65`	`//* Do not add users here`
`66`		`- if(isset($this->dataRecord['typ']) && $this->dataRecord['typ'][0] == 'user') {`
	`66`	`+ if(isset($this->dataRecord['typ']) && in_array('user', $this->dataRecord['typ'])) {`
`67`	`67`	`$app->tform->errorMessage .= $app->tform->wordbook['no_user_insert'];`
`68`	`68`	`}`
`69`	`69`
`@@ -75,7 +75,7 @@ function onBeforeUpdate() {`
`75`	`75`	`if($conf['demo_mode'] == true && $_REQUEST['id'] <= 3) $app->error('This function is disabled in demo mode.');`
`76`	`76`
`77`	`77`	`//* Security settings check`
`78`		`- if(isset($this->dataRecord['typ']) && $this->dataRecord['typ'][0] == 'admin') {`
	`78`	`+ if(isset($this->dataRecord['typ']) && in_array('admin', $this->dataRecord['typ'])) {`
`79`	`79`	`$app->auth->check_security_permissions('admin_allow_new_admin');`
`80`	`80`	`}`
`81`	`81`
`@@ -86,12 +86,12 @@ function onBeforeUpdate() {`
`86`	`86`	`$this->oldDataRecord = $app->tform->getDataRecord($this->id);`
`87`	`87`
`88`	`88`	`//* A user that belongs to a client record (client or reseller) may not have typ admin`
`89`		`- if(isset($this->dataRecord['typ']) && $this->dataRecord['typ'][0] == 'admin' && $this->oldDataRecord['client_id'] > 0) {`
	`89`	`+ if(isset($this->dataRecord['typ']) && in_array('admin', $this->dataRecord['typ']) && $this->oldDataRecord['client_id'] > 0) {`
`90`	`90`	`$app->tform->errorMessage .= $app->tform->wordbook['client_not_admin_err'];`
`91`	`91`	`}`
`92`	`92`
`93`	`93`	`//* Users have to belong to clients`
`94`		`- if(isset($this->dataRecord['typ']) && $this->dataRecord['typ'][0] == 'user' && $this->oldDataRecord['client_id'] == 0) {`
	`94`	`+ if(isset($this->dataRecord['typ']) && in_array('user', $this->dataRecord['typ']) && $this->oldDataRecord['client_id'] == 0) {`
`95`	`95`	`$app->tform->errorMessage .= $app->tform->wordbook['no_user_insert'];`
`96`	`96`	`}`
`97`	`97`