Minor security problem, discovered internally. Requires the user to know the activation key which is not normally possible when admin activation is turned on. #41625

git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@9498 89ea8834-ac86-4346-8a33-228a782c2dd0

phpBB/docs/CHANGELOG.html

@@ -167,6 +167,7 @@
 		<li>[Feature] db_tools now support create table and drop table.</li>
 		<li>[Feature] Database updater checks for incompatible db schema (MySQL 3.x/4.x against MySQL 4.1.x/5.x/6.x)</li>
 		<li>[Feature] New search option: Maximum number of words allowed to search for.</li>
+		<li>[Sec] Prevent accounts from being activated by users when admin activation is turned on and the correct activation key is known.</li>
 	</ul>
 
 	<a name="v303"></a><h3>1.ii. Changes since 3.0.3</h3>

phpBB/includes/ucp/ucp_activate.php

@@ -56,6 +56,17 @@ class ucp_activate
 			trigger_error('WRONG_ACTIVATION');
 		}
 
+		// Do not allow activating by non administrators when admin activation is on
+		// Only activation type the user should be able to do is INACTIVE_REMIND
+		if ($user_row['user_inactive_reason'] != INACTIVE_REMIND && $config['require_activation'] == USER_ACTIVATION_ADMIN && !$auth->acl_get('a_user'))
+		{
+			if (!$user->data['is_registered'])
+			{
+				login_box('', $user->lang['NO_AUTH_OPERATION']);
+			}
+			trigger_error('NO_AUTH_OPERATION');
+		}
+
 		$update_password = ($user_row['user_newpasswd']) ? true : false;
 
 		if ($update_password)