* msgbase.c: cmd_move(): Fix the security logic for non-aides trying to
[citadel.git] / citadel / msgbase.c
index 057c55b8b9b106b483d3e107f84a447de18c24d0..507ef25c3ba42cd6dc48707c5ffa3596ed038824 100644 (file)
@@ -2930,6 +2930,7 @@ void cmd_move(char *args)
        struct ctdlroom qtemp;
        int err;
        int is_copy = 0;
+       int ra;
 
        num = extract_long(args, 0);
        extract(targ, args, 1);
@@ -2942,16 +2943,19 @@ void cmd_move(char *args)
        }
 
        getuser(&CC->user, CC->curr_user);
+       ra = CtdlRoomAccess(&qtemp, &CC->user);
        /* Aides can move/copy */
        if ((CC->user.axlevel < 6)
            /* Roomaides can move/copy */
            && (CC->user.usernum != CC->room.QRroomaide)
-           /* Permit move/copy to/from personal rooms */
+           /* Permit move/copy from personal rooms */
            && (!((CC->room.QRflags & QR_MAILBOX)
                            && (qtemp.QRflags & QR_MAILBOX)))
            /* Permit only copy from public to personal room */
-           && (!(is_copy && !(CC->room.QRflags & QR_MAILBOX)
-                           && (qtemp.QRflags & QR_MAILBOX)))) {
+           && (!(is_copy && (CC->room.QRflags & QR_MAILBOX)
+                           || (qtemp.QRflags & QR_MAILBOX)))
+           /* User must have access to target room */
+           && !((ra & UA_KNOWN))) {
                cprintf("%d Higher access required.\n",
                        ERROR + HIGHER_ACCESS_REQUIRED);
                return;
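Review bot: The added `&& !((ra & UA_KNOWN))` term is ANDed into the denial condition, so it works as one more exemption rather than the requirement its comment states. A non-aide for whom the target room is known passes the whole check whatever the source room is, and a caller who matches an earlier exemption is never checked against the target at all. If target access is meant to be mandatory, test it on its own before the privilege chain, e.g. `if (!(ra & UA_KNOWN)) { cprintf("%d Higher access required.\n", ERROR + HIGHER_ACCESS_REQUIRED); return; }`. In the clause above it, `is_copy && (CC->room.QRflags & QR_MAILBOX) || (qtemp.QRflags & QR_MAILBOX)` groups as (copy and source is a mailbox) or (target is a mailbox), which exempts any move into a mailbox room and no longer matches the comment "Permit only copy from public to personal room"; explicit parentheses would make the intended rule reviewable. Whether UA_KNOWN also implies permission to write into the target room is not visible in this hunk and should be confirmed against CtdlRoomAccess.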