From d5161e8e059a064f8955a0676d763ad1be84ce5c Mon Sep 17 00:00:00 2001 From: Phil Davis Date: Sun, 11 Oct 2015 14:28:36 +0545 Subject: Redmine #5294 Do not delete a system group This code checks if the user has somehow posted a group deletion for a group that has "system" scope. If so, then the delete is not done and an input error is displayed. Note that in normal use the group manager page does not display a delete button for "system" groups, so normally this does not happen - only if the user manually messes with the $POST variables.
---
 usr/local/www/system_groupmanager.php | 26 ++++++++++++++++++-------- 1 file changed, 18 insertions(+), 8 deletions(-) (limited to 'usr/local')
diff --git a/usr/local/www/system_groupmanager.php b/usr/local/www/system_groupmanager.php
index 7132a45..8a80476 100644
--- a/usr/local/www/system_groupmanager.php
+++ b/usr/local/www/system_groupmanager.php
@@ -70,14 +70,22 @@ if ($act == "delgroup") {
 exit;
 }
- conf_mount_rw();
- local_group_del($a_group[$id]);
- conf_mount_ro();
- $groupdeleted = $a_group[$id]['name'];
- unset($a_group[$id]);
- write_config();
- $savemsg = gettext("Group")." {$groupdeleted} ".
- gettext("successfully deleted")."
";
+ $saved_groupname = $a_group[$id]['name'];
+
+ if ($a_group[$id]['scope'] != "system") {
+ conf_mount_rw();
+ local_group_del($a_group[$id]);
+ conf_mount_ro();
+ unset($a_group[$id]);
+ write_config();
+ $savemsg = gettext("Group")." {$saved_groupname} ".
+ gettext("successfully deleted")."
";
+ } else {
+ unset($id);
+ unset($deletion_errors);
+ $deletion_errors[] = gettext("Group") . " {$saved_groupname} " .
+ gettext("is a system group. Deletion is not allowed.");
+ }
 }
 if ($act == "delpriv") {
@@ -277,6 +285,8 @@ function presubmit() {
-- cgit v1.1
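Review bot: The new `else` branch rejects the request but leaves no audit trail, even though the commit message says this path is only reached when the request was altered by hand; a call such as `log_error(sprintf(gettext("Rejected deletion of system group %s"), $saved_groupname));` next to the `$deletion_errors[]` assignment would make such attempts visible to whoever reviews the system log. The guard itself uses a loose comparison, so `if ($a_group[$id]['scope'] !== "system") {` would state the intent more exactly, and it sits in the page handler rather than in `local_group_del()`, so any other caller of that function is presumably still able to remove a system group. The enclosing `if ($act == "delgroup")` block starts above the hunk, so how `$id` is validated before `$a_group[$id]` is read is not visible here.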