MDL-23774 only local users can be admins - more security and fewer "l…

…ost admin account" problems
abgreeve · Aug 12, 2010 · d44df69 · d44df69
1 parent e985de2
commit d44df69
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/admin/roles/lib.php b/admin/roles/lib.php
@@ -1507,15 +1507,16 @@ public function __construct() {
     }
 
     public function find_users($search) {
-        global $DB;
+        global $CFG, $DB;
         list($wherecondition, $params) = $this->search_sql($search, '');
 
         $fields      = 'SELECT ' . $this->required_fields_sql('');
         $countfields = 'SELECT COUNT(1)';
 
         $sql = " FROM {user}
-                WHERE $wherecondition";
+                WHERE $wherecondition AND mnethostid = :localmnet";
         $order = ' ORDER BY lastname ASC, firstname ASC';
+        $params['localmnet'] = $CFG->mnet_localhost_id; // it could be dangerous to make remote users admins and also this could lead to other problems
 
         $availableusers = $DB->get_records_sql($fields . $sql . $order, $params);