From bb0c24bd4fd159cc005f60a0808a4b37b91060b0 Mon Sep 17 00:00:00 2001
From: Friendika
Date: Tue, 4 Jan 2011 22:17:58 -0800
Subject: [PATCH] prevent admin hijacks

---
 mod/notifications.php | 2 +-
 mod/regmod.php | 5 +++++
 mod/settings.php | 4 ++++
 3 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/mod/notifications.php b/mod/notifications.php
index f11676ebfe..c425d092ed 100644
--- a/mod/notifications.php
+++ b/mod/notifications.php
@@ -127,7 +127,7 @@ function notifications_content(&$a) {
 notice( t('No notifications.') . EOL);
 if ($a->config['register_policy'] = REGISTER_APPROVE &&
- $a->config['admin_email'] = $a->user['email']){
+ $a->config['admin_email'] === $a->user['email']){
 $o .= load_view_file('view/registrations-top.tpl');
 $r = q("SELECT `register`.*, `contact`.`name`, `user`.`email`
diff --git a/mod/regmod.php b/mod/regmod.php
index 772351ac55..eabbec090b 100644
--- a/mod/regmod.php
+++ b/mod/regmod.php
@@ -12,6 +12,11 @@ function regmod_content(&$a) {
 return $o;
 }
+ if((! (x($a->config,'admin_email'))) || ($a->config['admin_email'] !== $a->user['email'])) {
+ notice( t('Permission denied.') . EOL);
+ return '';
+ }
+
 if($a->argc != 3)
 killme();
diff --git a/mod/settings.php b/mod/settings.php
index a40883f350..9a9fde5c6b 100644
--- a/mod/settings.php
+++ b/mod/settings.php
@@ -95,6 +95,10 @@ function settings_post(&$a) {
 $email_changed = true;
 if(! valid_email($email))
 $err .= t(' Not valid email.');
+ if((x($a->config,'admin_email')) && (strcasecmp($email,$a->config['admin_email']) == 0)) {
+ $err .= t(' Cannot change to that email.');
+ $email = $a->user['email'];
+ }
 }
 if(strlen($err)) {
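Review bot: The context line directly above the changed one still uses a single `=`, so `if ($a->config['register_policy'] = REGISTER_APPROVE && ...)` is an assignment, not a test: because `=` binds looser than `&&`, the whole right-hand side `REGISTER_APPROVE && ($a->config['admin_email'] === $a->user['email'])` is evaluated and then stored into `$a->config['register_policy']`, overwriting the configured policy with a boolean for the rest of the request. The gate only appears to work because the assigned value is what the `if` then tests. It should read `if ($a->config['register_policy'] == REGISTER_APPROVE &&` (or `===` if the config value is known to be an int; its type is not visible here). notifications_content starts and continues outside the hunk, so whether the clobbered `register_policy` is read again later in this request cannot be confirmed from the diff.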
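Review bot: The new guard compares `$a->config['admin_email']` against `$a->user['email']` with a case-sensitive `!==`, while the companion check this commit adds in mod/settings.php uses `strcasecmp`; an admin whose stored address differs from the configured one only in letter case is therefore refused here (fail-closed, but surprising), and the two files should use the same comparison, e.g. `strcasecmp($a->config['admin_email'], $a->user['email']) !== 0`. The check also presumes `$a->user` is already populated by a login check earlier in regmod_content, which starts outside the hunk — confirm that, since without it the comparison only rejects an anonymous visitor by accident (null is never identical to a string). A short comment above the guard such as `// only the configured admin may act on pending registrations` would make the intent clear to the next reader.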
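Review bot: When the new block rejects the admin's address it reverts `$email` to `$a->user['email']` but leaves `$email_changed` (set to true on the first context line of the hunk) untouched, so any later code keyed on `$email_changed` still treats the address as changed even though it was put back. Adding `$email_changed = false;` next to the reset keeps the two in step; whether the `if(strlen($err))` branch below aborts before that matters cannot be seen from the hunk, since settings_post continues past it. As a matter of style, `strcasecmp(...) == 0` should be `=== 0` to match the strict comparison used elsewhere in this commit.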