Add missing auth check for function 'SetupEditServer'

Thanks to vellichor for finding this issue
sbpp · Oct 6, 2021 · 5f14636 · 5f14636
1 parent b227894
commit 5f14636
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/web/includes/sb-callback.php b/web/includes/sb-callback.php
@@ -1887,6 +1887,14 @@ function SetupEditServer($sid)
 {
     $objResponse = new xajaxResponse();
     $sid = (int)$sid;
+
+    if(!$userbank->HasAccess(ADMIN_OWNER|ADMIN_SERVER_SETTINGS|ADMIN_SERVER_ADD))
+    {
+        $objResponse->redirect("index.php?p=login&m=no_access", 0);
+        $log = new CSystemLog("w", "Hacking Attempt", $username . " tried to edit a server, but doesn't have access.");
+        return $objResponse;
+    }
+
     $server = $GLOBALS['db']->GetRow("SELECT * FROM ".DB_PREFIX."_servers WHERE sid = $sid");
 
     // clear any old stuff