fix email leak in user search form
authorjoshuaruesweg <josh@joshsboard.de>
Wed, 20 May 2015 15:28:44 +0000 (17:28 +0200)
committerjoshuaruesweg <josh@joshsboard.de>
Wed, 20 May 2015 15:28:44 +0000 (17:28 +0200)
wcfsetup/install/files/acp/templates/userSearch.tpl
wcfsetup/install/files/lib/acp/form/UserSearchForm.class.php

index d06c1c246c3d2cec9865b1c887b826846461a8d2..b18b97d1e44788d6508f73164728b7814c136004 100644 (file)
                                <dl>
                                        <dt><label>{lang}wcf.acp.user.search.display.columns.other{/lang}</label></dt>
                                        <dd>
-                                               <label><input type="checkbox" name="columns[]" value="email" {if "email"|in_array:$columns}checked="checked" {/if}/> {lang}wcf.user.email{/lang}</label>
+                                               {if $__wcf->session->getPermission('admin.user.canEditMailAddress')}
+                                                       <label><input type="checkbox" name="columns[]" value="email" {if "email"|in_array:$columns}checked="checked" {/if}/> {lang}wcf.user.email{/lang}</label>
+                                               {/if}
                                                <label><input type="checkbox" name="columns[]" value="registrationDate" {if "registrationDate"|in_array:$columns}checked="checked"{/if}/> {lang}wcf.user.registrationDate{/lang}</label>
                                                <label><input type="checkbox" name="columns[]" value="lastActivityTime" {if "lastActivityTime"|in_array:$columns}checked="checked"{/if}/> {lang}wcf.user.lastActivityTime{/lang}</label>
                                                <label><input type="checkbox" name="columns[]" value="profileHits" {if "profileHits"|in_array:$columns}checked="checked"{/if}/> {lang}wcf.user.profileHits{/lang}</label>
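Review bot: The `{if $__wcf->session->getPermission('admin.user.canEditMailAddress')}` guard placed around the email checkbox only hides the control; `columns[]` is an ordinary request array, so the value can still be submitted and the template change is safe only together with the server-side filter added to UserSearchForm::validate in the second file. That filter unsets a single `array_search('email', $this->columns)` hit, so if `$this->columns` can carry the same value twice one `email` entry would survive; `$this->columns = array_values(array_diff($this->columns, ['email']));` drops every occurrence and also avoids the loose comparison of a non-strict array_search. The validate() hunk runs past the end of the page, so whether a later step de-duplicates the columns cannot be confirmed from here.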
index df27874eb1c35876c4df32d7593a6dbbe8d02e6f..ab5bcdb4c9026f9c6fb20582f7b843a598056309 100755 (executable)
@@ -314,6 +314,11 @@ class UserSearchForm extends UserOptionListForm {
        public function validate() {
                AbstractForm::validate();
                
+               // remove email column for not authorized users
+               if (!WCF::getSession()->getPermission('admin.user.canEditMailAddress') && ($key = array_search('email', $this->columns)) !== false) {
+                       unset($this->columns[$key]);    
+               }
+               
                // do search
                $this->search();