PyroCMS v0.9.7.4 - an open-source modular general purpose CMS
[eluser]ray73864[/eluser]
[quote author="Phil Sturgeon" date="1244484050"]Arg so many bugs! I have created an issue for the / problem on github which is an easy fix. The user/admin issue is a strange one. Can you check in the database for me? Also running an exit($this->db->last_query()); after the updateUser() model call would shed a bit of light.[/quote]

OK, when I create a new user, the db definitely has the role set to 'User'.

This is when I create a new user:

Code:
INSERT INTO users (email, password, salt, first_name, last_name, role, is_active, activation_code, created_on, ip)
VALUES ('[email protected]', 'a86b46ed18ae730181a0939419fde2c2ece08e0d', '29RBr', 'Test', 'User', 'user', 0, '1wXM4y7F', 1244496622, '127.0.0.1')

and this is when I update the user to make them an Admin:

Code:
UPDATE users SET first_name = 'Test', last_name = 'User', email = '[email protected]', is_active = '1', role = 'user' WHERE `id` = '3'

it is like the

Code:
$this->user_lib->create($username, $password);

Update: Just checked modules/users/libraries/User_lib.php and it is indeed hardcoding the role to 'user' on line 82. I think if you put a check in there to see if an admin is logged in, and if so allow the role to be set to something else, otherwise hardcode it to 'user', that should fix the security risk and allow admins to create new admin accounts.
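The check proposed in the post above, written out as an added example; it is not part of the original post and not PyroCMS's own User_lib code. The function name `resolve_role`, the shape of the `$actor` array and the role list are assumptions made for illustration.

```php
<?php
// Hypothetical helper, not PyroCMS code: all names and the role list are assumptions.

const DEFAULT_ROLE  = 'user';
const ALLOWED_ROLES = ['user', 'admin'];   // constructed role list

/**
 * Decide which role to store for a user being created or edited.
 *
 * $actor          - logged-in account taken from the server-side session, or null for a guest
 * $requested_role - role value submitted with the form (untrusted input)
 */
function resolve_role(?array $actor, ?string $requested_role): string
{
    // Only an authenticated, active admin may choose a role at all.
    $actor_is_admin = $actor !== null
        && ($actor['role'] ?? null) === 'admin'
        && !empty($actor['is_active']);

    if (!$actor_is_admin) {
        // Public registration and non-admin edits: ignore whatever was posted.
        return DEFAULT_ROLE;
    }

    // Even for admins, accept only known roles; anything else falls back.
    if ($requested_role !== null && in_array($requested_role, ALLOWED_ROLES, true)) {
        return $requested_role;
    }
    return DEFAULT_ROLE;
}

// Constructed sample accounts and requests.
$admin  = ['id' => 1, 'role' => 'admin', 'is_active' => 1];
$member = ['id' => 3, 'role' => 'user',  'is_active' => 1];

$cases = [
    'guest registering, posts role=admin' => [null,    'admin'],
    'member editing, posts role=admin'    => [$member, 'admin'],
    'admin promoting a user'              => [$admin,  'admin'],
    'admin posts unknown role'            => [$admin,  'superuser'],
];

foreach ($cases as $label => [$actor, $requested]) {
    printf("%-38s => %s\n", $label, resolve_role($actor, $requested));
}
```

The role decision depends only on the session-side account, so a role field added to a registration or profile form by a non-admin has no effect.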