fix(admin): re-check admin rank in addUsers Mod (defense-in-depth) [#139] (#240)

Ferywir
2026-06-18 18:09:02 +02:00
committed by GitHub
parent 1b978470c6
commit 9c726a05b9
+10
@@ -26,6 +26,16 @@ include_once($autoprefix."GameEngine/Session.php");
include_once($autoprefix."GameEngine/Automation.php");
include_once($autoprefix."GameEngine/Database.php");
// Admin-rank guard (defense-in-depth). Reaching any file under /Admin already
// requires an admin session: Session.php's checkLogin() gates the whole /Admin
// path on $_SESSION['admin_username'], so a plain player session is bounced to
// login.php before this point. This re-check aligns addUsers with its sibling
// Mods (gold.php, cp.php, editResources.php, ...), which all assert the rank
// here too; it is a redundant safety net, not the sole guard.
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
die("Access Denied: You are not Admin!");
}
$wgarray = array(1=>1200,1700,2300,3100,4000,5000,6300,7800,9600,11800,14400,17600,21400,25900,31300,37900,45700,55100,66400,80000);
foreach ($_POST as $key => $value) {
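Review bot: The denial branch added ahead of `$wgarray` ends the request with `die()` at the default 200 status and writes nothing to a log, so a rejected attempt to reach this Mod leaves no trace for whoever monitors the admin panel. Setting the status and recording the event first would make it visible, for example `http_response_code(403);` and `error_log('addUsers: admin rank check failed');` placed before the `die(...)`. The comparison `$_SESSION['access'] < 9` is also loose: on PHP 8 a non-numeric string in that slot is compared as a string and may not sort below 9, so `(int)($_SESSION['access'] ?? 0) < 9` is the stricter form, assuming the rank is stored as an integer. The script continues past the hunk at the `$_POST` loop, so whether the request is also checked for a form token before the loop acts on it cannot be told from here.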