X-Git-Url: https://git.r.bdr.sh/rbdr/mobius/blobdiff_plain/f56220e9c360d83ecc670560b012bbdec08c1a0f..4434fc431bef6b49b25ba5c5a0fd76b950c78ae1:/hotline/transaction_handlers.go

diff --git a/hotline/transaction_handlers.go b/hotline/transaction_handlers.go
index abe2ea8..5a9ea5e 100644
--- a/hotline/transaction_handlers.go
+++ b/hotline/transaction_handlers.go
@@ -805,6 +805,15 @@ func HandleUpdateUser(cc *ClientConn, t *Transaction) (res []Transaction, err er
 			newAccess := accessBitmap{}
 			copy(newAccess[:], getField(fieldUserAccess, &subFields).Data[:])
 
+			// Prevent account from creating new account with greater permission
+			for i := 0; i < 64; i++ {
+				if newAccess.IsSet(i) {
+					if !cc.Authorize(i) {
+						return append(res, cc.NewErrReply(t, "Cannot create account with more access than yourself.")), err
+					}
+				}
+			}
+
 			err := cc.Server.NewUser(login, string(getField(fieldUserName, &subFields).Data), string(getField(fieldUserPassword, &subFields).Data), newAccess)
 			if err != nil {
 				return []Transaction{}, err
@@ -834,6 +843,16 @@ func HandleNewUser(cc *ClientConn, t *Transaction) (res []Transaction, err error
 	newAccess := accessBitmap{}
 	copy(newAccess[:], t.GetField(fieldUserAccess).Data[:])
 
+	// Prevent account from creating new account with greater permission
+	for i := 0; i < 64; i++ {
+		if newAccess.IsSet(i) {
+			if !cc.Authorize(i) {
+				res = append(res, cc.NewErrReply(t, "Cannot create account with more access than yourself."))
+				return res, err
+			}
+		}
+	}
+
 	if err := cc.Server.NewUser(login, string(t.GetField(fieldUserName).Data), string(t.GetField(fieldUserPassword).Data), newAccess); err != nil {
 		return []Transaction{}, err
 	}
@@ -1015,14 +1034,14 @@ func HandleTranOldPostNews(cc *ClientConn, t *Transaction) (res []Transaction, e
 	newsPost := fmt.Sprintf(newsTemplate+"\r", cc.UserName, time.Now().Format(newsDateTemplate), t.GetField(fieldData).Data)
 	newsPost = strings.Replace(newsPost, "\n", "\r", -1)
 
+	// update news in memory
+	cc.Server.FlatNews = append([]byte(newsPost), cc.Server.FlatNews...)
+
 	// update news on disk
 	if err := cc.Server.FS.WriteFile(filepath.Join(cc.Server.ConfigDir, "MessageBoard.txt"), cc.Server.FlatNews, 0644); err != nil {
 		return res, err
 	}
 
-	// update news in memory
-	cc.Server.FlatNews = append([]byte(newsPost), cc.Server.FlatNews...)
-
 	// Notify all clients of updated news
 	cc.sendAll(
 		tranNewMsg,
@@ -1274,7 +1293,7 @@ func HandleDelNewsItem(cc *ClientConn, t *Transaction) (res []Transaction, err e
 		}
 	}
 
-	if bytes.Compare(cats[delName].Type, []byte{0, 3}) == 0 {
+	if bytes.Equal(cats[delName].Type, []byte{0, 3}) {
 		if !cc.Authorize(accessNewsDeleteCat) {
 			return append(res, cc.NewErrReply(t, "You are not allowed to delete news categories.")), nil
 		}