Subject: | Deletions and $PROTECT_ADMINS, audit trail |
Protection of admin accounts against accidental deletion is missing when
$PROTECT_ADMINS is set.
The audit trail should show whether a password change was a separate
action or whether it occurred in the course of adding a new user.
Subject: | user_manage.patch |
*** user_manage.orig Fri Dec 2 21:45:22 2005
--- user_manage Tue Apr 4 11:35:52 2006
***************
*** 90,96 ****
BEGIN {
if ($ENV{REQUEST_METHOD}) {
require CGI;
! CGI->import(qw(:standard :html3 font));
require CGI::Carp;
CGI::Carp->import('fatalsToBrowser');
}
--- 90,96 ----
BEGIN {
if ($ENV{REQUEST_METHOD}) {
require CGI;
! CGI->import(qw(:standard :html3 font escapeHTML));
require CGI::Carp;
CGI::Carp->import('fatalsToBrowser');
}
***************
*** 327,332 ****
--- 327,339 ----
sub delete_user {
my ($db,$admin,$user) = @_;
+ if ($PROTECT_ADMINS && $db->match_group($user, $ADMIN_GROUP)) {
+ error_msg('Error Deleting User',
+ 'User ', em($user), ' is member of group ',
+ em($ADMIN_GROUP), ' and cannot be deleted.');
+ print hr();
+ return;
+ }
if ($db->delete_user($user)) {
&audit_trail( "web $admin: deleted user '$user'" );
print h1('User Deleted'),
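Review bot: The new refusal message passes `$user` to `em()` without HTML-escaping, and CGI.pm's tag shortcuts do not escape their content, so if `$user` comes from the request (likely in a CGI script, though the caller is not visible here) it is echoed into the page as markup. The first hunk of this patch already imports `escapeHTML`, so the line can read `'User ', em(escapeHTML($user)), ' is member of group ',`. The refused attempt is also not written to the audit trail; a line such as `&audit_trail("web $admin: refused deletion of admin user '$user'");` before the `return` would record it. The body of delete_user continues past the end of the hunk.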
***************
*** 367,372 ****
--- 374,382 ----
# If the passwords are different from the current entry for the user, then
# we need to set it.
my $current = $db->passwd($user);
+ if ( !$current) {
+ &audit_trail("web $admin: adding user '$user'");
+ }
if ( !$current or ( ($current ne $password1) and !$db->match_passwd(-name=>$user,-passwd=>$password1)) ) {
if ($PROTECT_ADMINS && $user ne $admin
&& $db->match_group($user, $ADMIN_GROUP)) {
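Review bot: The added `adding user` audit entry is written before the outcome is known: it sits ahead of the `$PROTECT_ADMINS` check and the password-setting code that follow, so the trail can record an add that was then refused or failed. Moving the call to the point where the new entry has actually been stored (outside this hunk) would keep the trail accurate; otherwise word it as an attempt, `&audit_trail("web $admin: attempting to add user '$user'");`. `!$current` is also true for an empty or `0` stored password, not only for a missing user, so it is a weak signal for "new user" and deserves a comment stating that assumption. The enclosing sub starts and ends outside the hunk.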