Bug 279398 Restrict access to usermanager for editors, and don't show themes/extension lists.

r=alanjstr

webtools/update/developers/appmanager.php

@@ -12,9 +12,7 @@ include"$page_header";
 include"inc_sidebar.php";
 ?>
 <?php
-if ($_SESSION["level"]=="admin") {
-    //Do Nothing, they're good. :-)
-} else {
+if ($_SESSION["level"]!="admin") {
     echo"<h1>Access Denied</h1>\n";
     echo"You do not have access to the Application Manager";
     include"$page_footer";

webtools/update/developers/inc_sidebar.php

@@ -24,9 +24,6 @@ if ($_SESSION["level"] == "user") {
 ?>
 <li><A HREF="usermanager.php?function=edituser&amp;userid=<?php echo"$_SESSION[uid]"; ?>">Your Profile</A></li>
 <li><A HREF="approval.php">Approval Queue <?php if ($skipqueue != "true") { echo"($queuenum)"; } ?></A></li>
-<li><A HREF="listmanager.php?type=T">Themes list</A></li>
-<li><A HREF="listmanager.php?type=E">Extensions list</A></li>
-<li><A HREF="usermanager.php">Users Manager</A></li>
 <li><a href="commentsmanger.php?function=flaggedcomments">Comments Manager <?php if ($skipcomments != "true") { echo"($commentsnum)"; } ?></a></li>
 <li><a href="reviewsmanager.php">Reviews Manager</a></li>
 <?php

webtools/update/developers/listmanager.php

@@ -11,20 +11,13 @@ $function = $_GET["function"];
 include"$page_header";
 include"inc_sidebar.php";
 
-//Kill access to items this user doesn't own...
-if ($_SESSION["level"] !=="admin" and $_SESSION["level"] !=="editor") {
-
-    $id = escape_string($_GET["id"]);
-    if (!$id) {$id = escape_string($_POST["id"]); }
-    $sql = "SELECT `UserID` from `authorxref` TAX WHERE `ID` = '$id' AND `UserID` = '$_SESSION[uid]' LIMIT 1";
-    $sql_result = mysql_query($sql, $connection) or trigger_error("MySQL Error ".mysql_errno().": ".mysql_error()."", E_USER_NOTICE);
-    if (mysql_num_rows($sql_result)=="0") {
-    echo"<h1>Access Denied</h1>\n";
-    echo"You do not have access to this item.";
-    include"$page_footer";
-    echo"</body></html>\n";
-    exit;
-    }
+//this screen is only for admins
+if ($_SESSION["level"] !=="admin") {
+  echo"<h1>Access Denied</h1>\n";
+  echo"You do not have access to this item.";
+  include"$page_footer";
+  echo"</body></html>\n";
+  exit;
 }
 ?>
 

webtools/update/developers/usermanager.php

@@ -59,12 +59,10 @@ class PermissionsManager {
 $function = $_GET["function"];
 $perms=new PermissionsManager($function);
 
-//Access Level: "user" code, to keep user from altering other profiles but their own.
-if ($_SESSION["level"] !=="admin" and $_SESSION["level"] !=="editor") {
+//Access Level: only admins can edit somebody else's profile
+if ($_SESSION["level"] !=="admin") {
   //Kill access to add user.
-  if ($function=="adduser" or $function=="postnewuser") {unset($function);}
-
-  if (!$function) { $function="edituser"; }
+  $function="edituser";
   $userid=$_SESSION["uid"];
 }