#365 Min_user_viewing_level variable not referenced in User List

[Anonymous]

The variable $min_user_viewing_level is not checked when a user views the User List. As a result a user without admin rights can see the full list of registed users in the system. Ideally, if they don't have the right level of access they should only see their own record. This can be fixed by changing the SQL query to populate the user table in edit_users.php.
At line 849 change
$res = sql_query("SELECT * FROM $tbl_users ORDER BY level DESC, name");
to
if ($level >= $min_user_viewing_level) / Administrators get the right to view all users /
{
$res = sql_query("SELECT * FROM $tbl_users ORDER BY level DESC, name");
} else {
$res = sql_query("SELECT * FROM $tbl_users WHERE name = '$user' ORDER BY level DESC, name");
}

[Campbell Morrison]

I think the code is working as expected. $min_user_viewing_level defines the lowest level of admin allowed to view other users, not the lowest level of user, and is only used if you only want admins to be able to see other users. If you want to stop ordinary users viewing other users set

$auth['only_admin_can_see_other_users'] = TRUE;

I have fixed an error in the comments in systemdefaults.inc.php in changeset 35e9b7736f57.

[Anonymous]

Thanks. I'll correct my config.