only allow users having the a_user permission to search by email address (later on there will most likely a new permission for general email visibility)

git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@8460 89ea8834-ac86-4346-8a33-228a782c2dd0

phpBB/docs/CHANGELOG.html

@@ -143,6 +143,7 @@
 		<li>[Fix] Do not error out if php_uname function disabled / Authenticating on SMTP Server (Bug #22235 - patch by HoL)</li>
 		<li>[Fix] Correctly obtain to be ignored users within topic/forum notification (Bug #21795 - patch provided by dr.death)</li>
 		<li>[Fix] Correctly update board statistics for attaching orphaned files to existing posts (Bug #20185)</li>
+		<li>[Sec] Only allow searching by email address in memberlist for users having the a_user permission (reported by evil&lt;3)</li>
 
 	</ul>
 

phpBB/memberlist.php

@@ -880,20 +880,22 @@ switch ($mode)
 		$template_html = 'memberlist_body.html';
 
 		// Sorting
-		$sort_key_text = array('a' => $user->lang['SORT_USERNAME'], 'b' => $user->lang['SORT_LOCATION'], 'c' => $user->lang['SORT_JOINED'], 'd' => $user->lang['SORT_POST_COUNT'], 'e' => $user->lang['SORT_EMAIL'], 'f' => $user->lang['WEBSITE'], 'g' => $user->lang['ICQ'], 'h' => $user->lang['AIM'], 'i' => $user->lang['MSNM'], 'j' => $user->lang['YIM'], 'k' => $user->lang['JABBER']);
+		$sort_key_text = array('a' => $user->lang['SORT_USERNAME'], 'b' => $user->lang['SORT_LOCATION'], 'c' => $user->lang['SORT_JOINED'], 'd' => $user->lang['SORT_POST_COUNT'], 'f' => $user->lang['WEBSITE'], 'g' => $user->lang['ICQ'], 'h' => $user->lang['AIM'], 'i' => $user->lang['MSNM'], 'j' => $user->lang['YIM'], 'k' => $user->lang['JABBER']);
+		$sort_key_sql = array('a' => 'u.username_clean', 'b' => 'u.user_from', 'c' => 'u.user_regdate', 'd' => 'u.user_posts', 'f' => 'u.user_website', 'g' => 'u.user_icq', 'h' => 'u.user_aim', 'i' => 'u.user_msnm', 'j' => 'u.user_yim', 'k' => 'u.user_jabber');
+
+		if ($auth->acl_get('a_user'))
+		{
+			$sort_key_text['e'] = $user->lang['SORT_EMAIL'];
+			$sort_key_sql['e'] = 'u.user_email';
+		}
 
 		if ($auth->acl_get('u_viewonline'))
 		{
 			$sort_key_text['l'] = $user->lang['SORT_LAST_ACTIVE'];
-		}
-		$sort_key_text['m'] = $user->lang['SORT_RANK'];
-
-		$sort_key_sql = array('a' => 'u.username_clean', 'b' => 'u.user_from', 'c' => 'u.user_regdate', 'd' => 'u.user_posts', 'e' => 'u.user_email', 'f' => 'u.user_website', 'g' => 'u.user_icq', 'h' => 'u.user_aim', 'i' => 'u.user_msnm', 'j' => 'u.user_yim', 'k' => 'u.user_jabber');
-
-		if ($auth->acl_get('u_viewonline'))
-		{
 			$sort_key_sql['l'] = 'u.user_lastvisit';
 		}
+
+		$sort_key_text['m'] = $user->lang['SORT_RANK'];
 		$sort_key_sql['m'] = 'u.user_rank DESC, u.user_posts';
 
 		$sort_dir_text = array('a' => $user->lang['ASCENDING'], 'd' => $user->lang['DESCENDING']);
@@ -969,7 +971,7 @@ switch ($mode)
 			}
 
 			$sql_where .= ($username) ? ' AND u.username_clean ' . $db->sql_like_expression(str_replace('*', $db->any_char, utf8_clean_string($username))) : '';
-			$sql_where .= ($email) ? ' AND u.user_email ' . $db->sql_like_expression(str_replace('*', $db->any_char, $email)) . ' ' : '';
+			$sql_where .= ($auth->acl_get('a_user') && $email) ? ' AND u.user_email ' . $db->sql_like_expression(str_replace('*', $db->any_char, $email)) . ' ' : '';
 			$sql_where .= ($icq) ? ' AND u.user_icq ' . $db->sql_like_expression(str_replace('*', $db->any_char, $icq)) . ' ' : '';
 			$sql_where .= ($aim) ? ' AND u.user_aim ' . $db->sql_like_expression(str_replace('*', $db->any_char, $aim)) . ' ' : '';
 			$sql_where .= ($yahoo) ? ' AND u.user_yim ' . $db->sql_like_expression(str_replace('*', $db->any_char, $yahoo)) . ' ' : '';
@@ -1286,6 +1288,7 @@ switch ($mode)
 				'IP'		=> $ipdomain,
 
 				'S_IP_SEARCH_ALLOWED'	=> ($auth->acl_getf_global('m_info')) ? true : false,
+				'S_EMAIL_SEARCH_ALLOWED'=> ($auth->acl_get('a_user')) ? true : false,
 				'S_IN_SEARCH_POPUP'		=> ($form && $field) ? true : false,
 				'S_SEARCH_USER'			=> true,
 				'S_FORM_NAME'			=> $form,
@@ -1485,9 +1488,9 @@ function show_profile($data)
 	$rank_title = $rank_img = $rank_img_src = '';
 	get_user_rank($data['user_rank'], $data['user_posts'], $rank_title, $rank_img, $rank_img_src);
 
-	if (!empty($data['user_allow_viewemail']) || $auth->acl_get('a_email'))
+	if (!empty($data['user_allow_viewemail']) || $auth->acl_get('a_user'))
 	{
-		$email = ($config['board_email_form'] && $config['email_enable']) ? append_sid("{$phpbb_root_path}memberlist.$phpEx", 'mode=email&u=' . $user_id) : (($config['board_hide_emails'] && !$auth->acl_get('a_email')) ? '' : 'mailto:' . $data['user_email']);
+		$email = ($config['board_email_form'] && $config['email_enable']) ? append_sid("{$phpbb_root_path}memberlist.$phpEx", 'mode=email&u=' . $user_id) : (($config['board_hide_emails'] && !$auth->acl_get('a_user')) ? '' : 'mailto:' . $data['user_email']);
 	}
 	else
 	{

phpBB/styles/prosilver/template/memberlist_search.html

@@ -53,10 +53,12 @@ function insert_single(user)
 		<dt><label for="username">{L_USERNAME}:</label></dt>
 		<dd><input type="text" name="username" id="username" value="{USERNAME}" class="inputbox" /></dd>
 	</dl>
+<!-- IF S_EMAIL_SEARCH_ALLOWED -->
 	<dl>
 		<dt><label for="email">{L_EMAIL}:</label></dt>
 		<dd><input type="text" name="email" id="email" value="{EMAIL}" class="inputbox" /></dd>
 	</dl>
+<!-- ENDIF -->
 	<dl>
 		<dt><label for="icq">{L_ICQ}:</label></dt>
 		<dd><input type="text" name="icq" id="icq" value="{ICQ}" class="inputbox" /></dd>

phpBB/styles/subsilver2/template/memberlist_search.html

@@ -84,8 +84,12 @@
 	<td class="row2"><input class="post" type="text" name="icq" value="{ICQ}" /></td>
 </tr>
 <tr>
+<!-- IF S_EMAIL_SEARCH_ALLOWED -->
 	<td class="row1"><b class="genmed">{L_EMAIL}:</b></td>
 	<td class="row2"><input class="post" type="text" name="email" value="{EMAIL}" /></td>
+<!-- ELSE -->
+	<td colspan="2" class="row1">&nbsp;</td>
+<!-- ENDIF -->
 	<td class="row1"><b class="genmed">{L_AIM}:</b></td>
 	<td class="row2"><input class="post" type="text" name="aim" value="{AIM}" /></td>
 </tr>