From 5f14636469d58715a3102ca2593ed9526170ce77 Mon Sep 17 00:00:00 2001
From: Marvin Lukaschek
Date: Wed, 6 Oct 2021 20:18:26 +0200
Subject: [PATCH] Add missing auth check for function 'SetupEditServer' Thanks to vellichor for finding this issue
---
 web/includes/sb-callback.php | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/web/includes/sb-callback.php b/web/includes/sb-callback.php
index a4107ca0a..2152ac4c7 100644
--- a/web/includes/sb-callback.php
+++ b/web/includes/sb-callback.php
@@ -1887,6 +1887,14 @@ function SetupEditServer($sid)
 {
 $objResponse = new xajaxResponse();
 $sid = (int)$sid;
+
+ if(!$userbank->HasAccess(ADMIN_OWNER|ADMIN_SERVER_SETTINGS|ADMIN_SERVER_ADD))
+ {
+ $objResponse->redirect("index.php?p=login&m=no_access", 0);
+ $log = new CSystemLog("w", "Hacking Attempt", $username . " tried to edit a server, but doesn't have access.");
+ return $objResponse;
+ }
+
 $server = $GLOBALS['db']->GetRow("SELECT * FROM ".DB_PREFIX."_servers WHERE sid = $sid");
 // clear any old stuff
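Review bot: The added check reads `$userbank` and `$username`, but the function body shown from its opening brace down to the check contains no `global` declaration, so both are undefined locals inside `SetupEditServer`. As written, `$userbank->HasAccess(...)` would be a method call on null and abort the request for every caller, legitimate admins included. That fails closed, but the edit form stops loading and the `CSystemLog` entry is never written. Add `global $userbank, $username;` as the first statement of the function, assuming those are the global names used elsewhere in this file, which the hunk does not show. The function body continues past the end of the hunk.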