From: Richard Kettlewell Date: Sun, 31 Jul 2011 15:55:51 +0000 (+0100) Subject: SECURITY: server: don't allow local connections to adduser/deluser. X-Git-Tag: 5.0.3~1^2~1 X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~mdw/git/disorder/commitdiff_plain/a6e44aa251cf09f060dbc794d35be732d71ce131?hp=06bedf43ec0e56b352be511d817f0eab3d0ba539 SECURITY: server: don't allow local connections to adduser/deluser. As of this change, the only thing that needs only RIGHT__LOCAL is 'reminder'. This has been wrong since eb5dc014179415a0e5476e986519ac96c36221f9 (December 2007) and was first released in DisOrder 3.0.
---
diff --git a/server/server.c b/server/server.c
index 858edbc..0ebfb4f 100644
--- a/server/server.c
+++ b/server/server.c
@@ -1855,12 +1855,12 @@ static const struct command {
 */
 rights_type rights;
 } commands[] = {
- { "adduser", 2, 3, c_adduser, RIGHT_ADMIN|RIGHT__LOCAL },
+ { "adduser", 2, 3, c_adduser, RIGHT_ADMIN },
 { "adopt", 1, 1, c_adopt, RIGHT_PLAY },
 { "allfiles", 0, 2, c_allfiles, RIGHT_READ },
 { "confirm", 1, 1, c_confirm, 0 },
 { "cookie", 1, 1, c_cookie, 0 },
- { "deluser", 1, 1, c_deluser, RIGHT_ADMIN|RIGHT__LOCAL },
+ { "deluser", 1, 1, c_deluser, RIGHT_ADMIN },
 { "dirs", 0, 2, c_dirs, RIGHT_READ },
 { "disable", 0, 1, c_disable, RIGHT_GLOBAL_PREFS },
 { "edituser", 3, 3, c_edituser, RIGHT_ADMIN|RIGHT_USERINFO },
@@ -1897,7 +1897,7 @@ static const struct command {
 { "random-enabled", 0, 0, c_random_enabled, RIGHT_READ },
 { "recent", 0, 0, c_recent, RIGHT_READ },
 { "reconfigure", 0, 0, c_reconfigure, RIGHT_ADMIN },
- { "register", 3, 3, c_register, RIGHT_REGISTER|RIGHT__LOCAL },
+ { "register", 3, 3, c_register, RIGHT_REGISTER },
 { "reminder", 1, 1, c_reminder, RIGHT__LOCAL },
 { "remove", 1, 1, c_remove, RIGHT_REMOVE__MASK },
 { "rescan", 0, INT_MAX, c_rescan, RIGHT_RESCAN },
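Review bot: The `rights` column of `commands[]` carries no reminder at the table itself that its bits are alternatives, which is presumably how `RIGHT_ADMIN|RIGHT__LOCAL` came to sit on `adduser` and `deluser` as though it meant "admin and local"; the commit message implies that any one listed bit is enough. The field's own comment ends just above this hunk and is not visible here, so it may already say so, but a line directly over the first entry would keep the mistake from coming back, e.g. `/* rights: ANY listed bit grants access; RIGHT__LOCAL alone admits every local connection */`. The same reading applies to the `register` row in the second hunk and to the unchanged `edituser` row (`RIGHT_ADMIN|RIGHT_USERINFO`), which presumably relies on `c_edituser` to check whose record is being edited; that is worth confirming while this table is under review.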
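Review bot: Nothing in this patch pins the corrected behaviour, since only `server/server.c` is touched, so a later edit that ORs `RIGHT__LOCAL` back into one of these rows would go unnoticed. A regression test that uses a local connection holding neither `RIGHT_ADMIN` nor `RIGHT_REGISTER` and expects `adduser`, `deluser` and `register` to be refused, while `reminder` is still accepted, would cover all three changed rows. The `register` row is changed here although the subject line names only adduser/deluser, which makes it easy to overlook when working out what the affected releases exposed.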