Merge branch 'maint'

INSTALL

@@ -44,39 +44,37 @@ Setup on Arch Linux:
 5) Configure PHP
    Make sure you have mysql and json enabled in PHP.
 
- - Edit php.ini and uncomment/add these lines:
+ - Edit php.ini and uncomment/add this line:
    extension=pdo_mysql.so
-   extension=json.so
 
-   If those php extensions are separate packages on your system, install
-   them.
+   If this PHP extension is a separate package on your system, install it.
 
 6) Configure MySQL
  - Start the MySQL service. Example:
-   # /etc/rc.d/mysqld start
+   # systemctl start mysqld
 
  - Create database
    # mysqladmin -p create AUR
 
  - Connect to the mysql client
-   # mysql -uroot -p AUR
+   $ mysql -uroot -p AUR
 
  - Issue the following commands to the mysql client
    mysql> GRANT ALL PRIVILEGES ON AUR.* to aur@localhost
-        > identified by 'aur';
+       -> identified by 'aur';
    mysql> FLUSH PRIVILEGES;
    mysql> quit
 
  - Load the schema file
-   # mysql -uaur -p AUR < ~/aur/support/schema/aur-schema.sql
+   $ mysql -uaur -p AUR < ~/aur/support/schema/aur-schema.sql
    (give password 'aur' at the prompt)
 
  - Optionally load some test data for development purposes.
-   # pacman -S words mysql-python
-   # cd ~/aur/support/schema/
-   # python gendummydata.py dummy-data.sql
-   # bzip2 dummy-data.sql
-   # bzcat dummy-data.sql.bz2 | mysql -uaur -p AUR
+   # pacman -S words fortune-mod
+   $ cd ~/aur/support/schema/
+   $ python gendummydata.py dummy-data.sql
+   $ bzip2 dummy-data.sql
+   $ bzcat dummy-data.sql.bz2 | mysql -uaur -p AUR
    (give password 'aur' at the prompt)
 
    If your test data consists of real people and real email addresses consider
@@ -85,7 +83,7 @@ Setup on Arch Linux:
    mysql> UPDATE Users SET Email = RAND() * RAND();
 
 7) Copy the config.inc.php.proto file to config.inc.php. Modify as needed.
-   # cd ~/aur/web/lib/
-   # cp config.inc.php.proto config.inc.php
+   $ cd ~/aur/web/lib/
+   $ cp config.inc.php.proto config.inc.php
 
 8) Point your browser to http://aur

web/html/account.php

@@ -73,9 +73,14 @@ if (isset($_COOKIE["AURSID"])) {
 		}
 
 	} elseif ($action == "UpdateAccount") {
-		# user is submitting their modifications to an existing account
-		#
-		if (check_token()) {
+		$uid = uid_from_sid($_COOKIE['AURSID']);
+
+		/* Details for account being updated */
+		$acctinfo = account_details(in_request('ID'), in_request('U'));
+
+		/* Verify user permissions and that the request is a valid POST */
+		if (can_edit_account($atype, $acctinfo, $uid) && check_token()) {
+			/* Update the details for the existing account */
 			process_account_form($atype, "edit", "UpdateAccount",
 					in_request("U"), in_request("T"), in_request("S"),
 					in_request("E"), in_request("P"), in_request("C"),

web/lib/acctfuncs.inc.php

@@ -145,8 +145,8 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="",
 		$error = __("The PGP key fingerprint is invalid.");
 	}
 
-	if ($UTYPE == "Trusted User" && $T == 3) {
-		$error = __("A Trusted User cannot assign Developer status.");
+	if (($UTYPE == "User" && $T > 1) || ($UTYPE == "Trusted User" && $T > 2)) {
+		$error = __("Cannot increase account permissions.");
 	}
 	if (!$error && !array_key_exists($L, $SUPPORTED_LANGS)) {
 		$error = __("Language is not currently supported.");
@@ -1015,3 +1015,32 @@ function cast_proposal_vote($voteid, $uid, $vote, $newtotal, $dbh=NULL) {
 	$q = "INSERT INTO TU_Votes (VoteID, UserID) VALUES (" . intval($voteid) . ", " . intval($uid) . ")";
 	$result = $dbh->exec($q);
 }
+
+/**
+ * Verify a user has the proper permissions to edit an account
+ *
+ * @param string $atype Account type of the editing user
+ * @param array $acctinfo User account information for edited account
+ * @param int $uid User ID of the editing user
+ *
+ * @return bool True if permission to edit the account, otherwise false
+ */
+function can_edit_account($atype, $acctinfo, $uid) {
+	/* Developers can edit any account */
+	if ($atype == 'Developer') {
+		return true;
+	}
+
+	/* Trusted Users can edit all accounts except Developer accounts */
+	if ($atype == 'Trusted User' &&
+		$acctinfo['AccountType'] != 'Developer') {
+			return true;
+	}
+
+	/* Users can edit only their own account */
+	if ($acctinfo['ID'] == $uid) {
+		return true;
+	}
+
+	return false;
+}