v2.0.2

Signed-off-by: Diego Andrés <diegoandres_cortes@outlook.com>

Author: DiegoAndresCortes

CHANGELOG.md

@@ -1,5 +1,8 @@
 # Changelog
 
+#### 2.0.2 - 10 November 2022
+- ![Bug Fix](https://smftricks.com/assets/changelog/bug--minus.png) Prevent non creators from managing other users quizzes.
+
 #### 2.0.1 - 07 November 2022
 - ![Bug Fix](https://smftricks.com/assets/changelog/bug--minus.png) Fixed stats issue when there are no quizzes/questions created.
 

Sources/Quiz/Quiz.php

@@ -186,6 +186,10 @@ function GetQuestionsData()
 {
 	global $context;
 
+	// They need a quiz to access here...
+	if (!isset($_GET['id_quiz']) || empty($_GET['id_quiz']))
+		fatal_lang_error('no_access', false);
+
 	if (isset($_GET['questionId']))
 	{
 		QuestionScript();
@@ -810,14 +814,18 @@ function GetNewQuestionData()
 
 function GetEditQuizData()
 {
-	global $context;
+	global $context, $user_info;
 
 	QuizScript();
 
 	AddShowImageScript();
 
 	GetQuiz($context['id_quiz']);
 
+	// Only the quiz creator can edit the quiz
+	if ($user_info['id'] != $context['SMFQuiz']['quiz'][0]['creator_id'] && !allowedTo('quiz_admin'))
+		fatal_lang_error('no_access', false);
+
 	// The edit quiz page also shows a list of categories, so we must get this data
 	GetAllCategoryDetails();
 
@@ -1009,11 +1017,20 @@ function GetKeysFromPost($id)
 
 function GetDeleteQuizData()
 {
-	global $context;
+	global $context, $user_info;
+
+	// Get the key ids for the questions to delete. This function returns a string containing a comma separated list of id's
 
 	// Get the key ids for the quiz leagues to delete. This function returns a string containing a comma separated list of id's
 	$deleteKeys = GetKeysFromPost('quiz');
 
+	// Get quiz info
+	GetQuiz($context['id_quiz']);
+
+	// Check if the user is the owner of the quiz
+	if ($user_info['id'] != $context['SMFQuiz']['quiz'][0]['creator_id'] && !allowedTo('quiz_admin'))
+		fatal_lang_error('no_access', false);
+
 	if (!empty($context['id_quiz']))
 		DeleteQuizes($context['id_quiz']);
 

Themes/default/Quiz/Quiz.template.php

@@ -2263,10 +2263,6 @@ function template_edit_quiz()
 
 	foreach ($context['SMFQuiz']['quiz'] as $row)
 	{
-		// Only the creator should be able to edit the quiz
-		if ($context['user']['id'] != $row['creator_id'])
-			break;
-
 		echo '
 			<input type="hidden" name="id_quiz" value="' , $context['id_quiz'] , '"/>
 			<table border="0" width="100%" cellspacing="1" cellpadding="4" class="bordercolor">

package-info.xml

@@ -3,7 +3,7 @@
 <package-info xmlns="http://www.simplemachines.org/xml/package-info" xmlns:smf="http://www.simplemachines.org/">
 	<id>SMF_Modding:SMFQuiz</id>
 	<name>SMF Quiz</name>
-	<version>2.0.1</version>
+	<version>2.0.2</version>
 	<type>modification</type>
 
 	<!-- Install -->