(edited by Smartys 2005-09-10 10:45)

Topic: admin_bans doesn't properly check username

I mean, it checks it properly up here

if (isset($_GET['add_ban']) || isset($_POST['add_ban']))
{
    // If the id of the user to ban was provided through GET (a link from profile.php)
    if (isset($_GET['add_ban']))
    {
        $add_ban = intval($_GET['add_ban']);
        if ($add_ban < 2)
            message($lang_common['Bad request']);

        $user_id = $add_ban;

        $result = $db->query('SELECT group_id, username, email FROM '.$db->prefix.'users WHERE id='.$user_id) or error('Unable to fetch user info', __FILE__, __LINE__, $db->error());
        if ($db->num_rows($result))
            list($group_id, $ban_user, $ban_email) = $db->fetch_row($result);
        else
            message('No user by that ID registered.');
    }
    else    // Otherwise the username is in POST
    {
        $ban_user = trim($_POST['new_ban_user']);

        // A blank username is allowed: the ban is then not tied to a specific account
        if ($ban_user != '')
        {
            $result = $db->query('SELECT id, group_id, username, email FROM '.$db->prefix.'users WHERE username=\''.$db->escape($ban_user).'\' AND id>1') or error('Unable to fetch user info', __FILE__, __LINE__, $db->error());
            if ($db->num_rows($result))
                list($user_id, $group_id, $ban_user, $ban_email) = $db->fetch_row($result);
            else
                message('No user by that username registered. If you want to add a ban not tied to a specific username just leave the username blank.');
        }
    }
}   // end of the add_ban branch (the rest of the file is not shown here)

However, when you're adding advanced settings, username isn't checked. That means you can ban an administrator (kind of, bans don't affect admins) or just randomly ban people.
And on that subject, the message about banning admins is redundant, since banning doesn't work on admins anyway: the check_bans function has

    // Admins aren't affected
    if ($pun_user['g_id'] == PUN_ADMIN || !$pun_bans)
        return;
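The check that the post says is missing from the advanced-settings path, written out as an added example (this is not PunBB's code): the posted username is looked up the same way the first branch does it, unknown names are rejected, and the stored username comes from the lookup rather than from the raw form value. The user table is a constructed in-memory array and the PUN_ADMIN value is assumed.

```php
<?php
// Added example, not PunBB's own code. Validates the username submitted from the
// "advanced settings" ban form before a ban row is written.
define('PUN_ADMIN', 1);   // assumed value of PunBB's admin group id constant

function validate_ban_target(array $users, string $posted_name): array
{
    $ban_user = trim($posted_name);

    // Blank username: a ban not tied to a specific account is allowed.
    if ($ban_user === '')
        return array('ok' => true, 'user' => null);

    // The missing check: the name must belong to a registered user (id > 1),
    // otherwise a ban could be pre-registered for a name nobody owns yet.
    foreach ($users as $u) {
        if ($u['id'] > 1 && $u['username'] === $ban_user) {
            // Admins are not affected by bans, so do not record a futile ban.
            if ($u['group_id'] == PUN_ADMIN)
                return array('ok' => false, 'error' => 'Administrators cannot be banned.');
            // Return the canonical row so the ban is stored from the lookup, not the raw POST.
            return array('ok' => true, 'user' => $u);
        }
    }

    return array('ok' => false, 'error' => 'No user by that username registered.');
}

// Constructed sample users (stand-in for the users table).
$users = array(
    array('id' => 1, 'username' => 'guest',        'group_id' => 3),
    array('id' => 2, 'username' => 'admin_user',   'group_id' => PUN_ADMIN),
    array('id' => 3, 'username' => 'regular_user', 'group_id' => 4),
);

foreach (array('regular_user', 'admin_user', 'not_registered_yet', '') as $name) {
    $r = validate_ban_target($users, $name);
    echo ($name === '' ? '(blank)' : $name), ': ', ($r['ok'] ? 'accepted' : $r['error']), "\n";
}
```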

Re: admin_bans doesn't properly check username

Smartys wrote:

However, when you're adding advanced settings, username isn't checked. That means you can ban an administrator (kind of, bans don't affect admins) or just randomly ban people.

*snip*

And on that subject, the message about banning admins is redundant, since banning doesn't work on admins anyway:

Well, since admins aren't affected by bans at all, the check is merely there to inform the user in question that the attempt is futile. I'm not sure it warrants an extra query to determine whether the user is an admin in the second case.

Randomly ban people?

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Re: admin_bans doesn't properly check username

By randomly ban people, I mean that I could put in usernames that don't yet exist, and if a person registers with it they get banned

Re: admin_bans doesn't properly check username

But isn't that a feature?

Re: admin_bans doesn't properly check username

lol

Re: admin_bans doesn't properly check username

Mmm, I just noticed that it gives the administrator the Banned tag in the forums