From 80c36479d370b8b15a974f333a11f82addb1e1b4 Mon Sep 17 00:00:00 2001
From: Nicolas Boisselier <nicolas.boisselier@gmail.com>
Date: Thu, 25 Jan 2018 02:54:52 +0000
Subject: [PATCH] www/dbq/dbq.php

---
 www/dbq/dbq.php | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/www/dbq/dbq.php b/www/dbq/dbq.php
index 8dbf539e..57a35068 100644
--- a/www/dbq/dbq.php
+++ b/www/dbq/dbq.php
@@ -172,26 +172,25 @@ class DbQ extends nb {
 	public function page_ldap() {
  		$this->deniedUnless($this->perm >= self::READ);
 
-		require_once(NB_ROOT.'/lib/php/ldap.php');
-		#debug($GLOBALS['DBQ_LDAP']);
+		require_once(NB_ROOT.'/lib/php/ldap.php'); #debug($GLOBALS['DBQ_LDAP']);
 		$ldap = new Ldap($GLOBALS['DBQ_LDAP']);
 
 		if ($this->params['table'] == 'add') {
-			#debug($this->params);
+ 			$this->deniedUnless($this->perm >= self::WRITE);
 			$rows = (int)$ldap->add($this->params['action'],$_POST);
-			#bye($_POST);
 			$this->page($rows);
 
 		} elseif ($this->params['table'] == 'update') {
+ 			$this->deniedUnless($this->perm >= self::WRITE);
 			$rows = (int)$ldap->update($this->params['action'],$_POST);
 			$this->page($rows);
 
 		} elseif ($this->params['table'] == 'rm') {
+ 			$this->deniedUnless($this->perm >= self::DELETE);
 			$rows = (int)$ldap->delete($this->params['action'],$_POST);
 			$this->page($rows);
 
-		} else {
-
+		} else { // Search
 			$filter = ($this->params['table'] ? $this->params['table'] : '');
 			$attrs = ($this->params['action'] ? explode(',',$this->params['action']) : []);
 
-- 
2.47.3