Implemented permission checks everywhere, manage is next.
This commit is contained in:
parent
1ae61e6a23
commit
7fd2a8d286
9 changed files with 39 additions and 19 deletions
@ -17,6 +17,15 @@ if (empty($forum) || ($forum['forum_type'] == MSZ_FORUM_TYPE_LINK && empty($foru
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
$perms = forum_perms_get_user(MSZ_FORUM_PERMS_GENERAL, $forum['forum_id'], $app->getUserId());
|
||||||
|
|
||||||
|
if (!perms_check($perms, MSZ_FORUM_PERM_VIEW_FORUM)) {
|
||||||
|
echo render_error(403);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
tpl_var('forum_perms', $perms);
|
||||||
|
|
||||||
if ($forum['forum_type'] == MSZ_FORUM_TYPE_LINK) {
|
if ($forum['forum_type'] == MSZ_FORUM_TYPE_LINK) {
|
||||||
forum_increment_clicks($forum['forum_id']);
|
forum_increment_clicks($forum['forum_id']);
|
||||||
header('Location: ' . $forum['forum_link']);
|
header('Location: ' . $forum['forum_link']);
|
||||||
|
|
|
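Review bot: A forum the caller may not view now answers 403, while the `empty($forum)` guard in the hunk header takes a different early-return path, so the distinct status discloses that the forum id exists; if hidden forums are meant to be invisible, consider `echo render_error(404);` in the new check (the same applies to the MSZ_FORUM_PERM_VIEW_FORUM check added to the topic page). The check is placed before the link redirect and before `tpl_var('forum_perms', $perms)`, which is the right order. `forum_perms_get_user` returns 0 when its query fails, so a database error here fails closed. The enclosing script continues outside the hunk.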
@ -68,13 +68,18 @@ if (empty($forum)) {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
if ($forum['forum_type'] != MSZ_FORUM_TYPE_DISCUSSION) {
|
$perms = forum_perms_get_user(MSZ_FORUM_PERMS_GENERAL, $forum['forum_id'], $app->getUserId());
|
||||||
echo render_error(400);
|
|
||||||
|
if ($forum['forum_archived']
|
||||||
|
|| !empty($topic['topic_locked'])
|
||||||
|
|| !perms_check($perms, MSZ_FORUM_PERM_VIEW_FORUM | MSZ_FORUM_PERM_CREATE_POST)
|
||||||
|
|| (empty($topic) && !perms_check($perms, MSZ_FORUM_PERM_CREATE_TOPIC))) {
|
||||||
|
echo render_error(403);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
if ($forum['forum_archived'] || !empty($topic['topic_locked'])) {
|
if (!forum_may_have_topics($forum['forum_type'])) {
|
||||||
echo render_error(403);
|
echo render_error(400);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
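Review bot: The new guard passes a combined mask `MSZ_FORUM_PERM_VIEW_FORUM | MSZ_FORUM_PERM_CREATE_POST` to `perms_check`, whose definition is not in this diff; the condition only enforces both permissions if `perms_check` tests that every requested bit is set, whereas an any-bit implementation would let a user holding only VIEW_FORUM reach the posting form. If that contract is not guaranteed, split it: `|| !perms_check($perms, MSZ_FORUM_PERM_VIEW_FORUM) || !perms_check($perms, MSZ_FORUM_PERM_CREATE_POST)`. A short comment above the condition listing the cases that produce 403 (archived forum, locked topic, missing post permission, missing topic permission for a new topic) would also help, since four unrelated denials share one branch.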
@ -22,6 +22,13 @@ if (!$topic) {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
$perms = forum_perms_get_user(MSZ_FORUM_PERMS_GENERAL, $topic['forum_id'], $app->getUserId());
|
||||||
|
|
||||||
|
if (!perms_check($perms, MSZ_FORUM_PERM_VIEW_FORUM)) {
|
||||||
|
echo render_error(403);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
$posts = forum_post_listing($topic['topic_id'], $postsOffset, $postsRange);
|
$posts = forum_post_listing($topic['topic_id'], $postsOffset, $postsRange);
|
||||||
|
|
||||||
if (!$posts) {
|
if (!$posts) {
|
||||||
|
|
|
@ -294,11 +294,11 @@ class Application extends ApplicationBase
|
||||||
tpl_add_function('parse_text', true);
|
tpl_add_function('parse_text', true);
|
||||||
tpl_add_function('asset_url', true);
|
tpl_add_function('asset_url', true);
|
||||||
tpl_add_function('vsprintf', true);
|
tpl_add_function('vsprintf', true);
|
||||||
|
tpl_add_function('perms_check', true);
|
||||||
|
|
||||||
tpl_add_function('git_commit_hash');
|
tpl_add_function('git_commit_hash');
|
||||||
tpl_add_function('git_branch');
|
tpl_add_function('git_branch');
|
||||||
tpl_add_function('csrf_token', false, 'tmp_csrf_token');
|
tpl_add_function('csrf_token', false, 'tmp_csrf_token');
|
||||||
tpl_add_function('perms_check');
|
|
||||||
|
|
||||||
tpl_var('app', $this);
|
tpl_var('app', $this);
|
||||||
}
|
}
|
||||||
|
|
|
@ -41,7 +41,7 @@ function forum_perms_get_user_sql(
|
||||||
'
|
'
|
||||||
SELECT BIT_OR(`%1$s_perms`)
|
SELECT BIT_OR(`%1$s_perms`)
|
||||||
FROM `msz_forum_permissions_view`
|
FROM `msz_forum_permissions_view`
|
||||||
WHERE `forum_id` = %2$s
|
WHERE (`forum_id` = %2$s OR `forum_id` IS NULL)
|
||||||
AND (
|
AND (
|
||||||
(`user_id` IS NULL AND `role_id` IS NULL)
|
(`user_id` IS NULL AND `role_id` IS NULL)
|
||||||
OR (`user_id` = %3$s AND `role_id` IS NULL)
|
OR (`user_id` = %3$s AND `role_id` IS NULL)
|
||||||
|
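Review bot: `BIT_OR` over rows matching `forum_id = %2$s OR forum_id IS NULL` means a bit granted by a global (`forum_id IS NULL`) row can no longer be revoked by a forum-specific row: if `msz_forum_permissions_view` exposes `%1$s_perms` as a per-row allow-minus-deny value (as the `allow &~ deny` expression this commit removes from `forum_perms_get_role` did), a deny stored on the forum row contributes zero and the global allow survives the OR. The same question applies to the rewritten query in `forum_perms_get_role` and to user-row versus role-row precedence in the rest of this WHERE clause, which continues outside the hunk. If forum-specific denies are intended to override global grants, allows and denies need to be aggregated separately before combining (something like `BIT_OR(allow_col) & ~BIT_OR(deny_col)`, column names illustrative) rather than OR-ing pre-combined values. Either way the intended precedence is undocumented; a comment above the query stating it would be worthwhile.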
@ -72,8 +72,8 @@ function forum_perms_get_user(string $prefix, int $forum, int $user): int
|
||||||
|
|
||||||
$getPerms = Database::prepare(forum_perms_get_user_sql($prefix));
|
$getPerms = Database::prepare(forum_perms_get_user_sql($prefix));
|
||||||
$getPerms->bindValue('perm_forum_id', $forum);
|
$getPerms->bindValue('perm_forum_id', $forum);
|
||||||
$getPerms->bindValue('perm_user_id_1', $user);
|
$getPerms->bindValue('perm_user_id_user', $user);
|
||||||
$getPerms->bindValue('perm_user_id_2', $user);
|
$getPerms->bindValue('perm_user_id_role', $user);
|
||||||
return $getPerms->execute() ? (int)$getPerms->fetchColumn() : 0;
|
return $getPerms->execute() ? (int)$getPerms->fetchColumn() : 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
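Review bot: The placeholders bound here are renamed to `perm_user_id_user` and `perm_user_id_role`, but the SQL that must carry the matching names comes from `forum_perms_get_user_sql` through positional `%3$s` substitution, and the arguments fed to that template are outside this diff; confirm they were renamed in step, because a mismatched name makes `execute()` fail and the last line then returns 0. That fallback makes a broken query indistinguishable from "no permissions", which is safe (fail closed) but silent; logging the failure before returning 0 would keep a misbound placeholder from presenting as a permission problem.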
@ -84,12 +84,9 @@ function forum_perms_get_role(string $prefix, int $forum, int $role): int
|
||||||
}
|
}
|
||||||
|
|
||||||
$getPerms = Database::prepare("
|
$getPerms = Database::prepare("
|
||||||
SELECT `{$prefix}_perms_allow` &~ `{$prefix}_perms_deny`
|
SELECT BIT_OR(`{$prefix}_perms`)
|
||||||
FROM `msz_forum_permissions`
|
FROM `msz_forum_permissions_view`
|
||||||
WHERE (
|
WHERE (`forum_id` = :forum_id OR `forum_id` IS NULL)
|
||||||
`forum_id` = :forum_id
|
|
||||||
OR `forum_id` IS NULL
|
|
||||||
)
|
|
||||||
AND `role_id` = :role_id
|
AND `role_id` = :role_id
|
||||||
AND `user_id` IS NULL
|
AND `user_id` IS NULL
|
||||||
");
|
");
|
||||||
|
|
|
@ -59,7 +59,7 @@ function forum_post_find(int $postId): array
|
||||||
');
|
');
|
||||||
$getPostInfo->bindValue('post_id', $postId);
|
$getPostInfo->bindValue('post_id', $postId);
|
||||||
|
|
||||||
return $getPostInfo->execute() ? $getPostInfo->fetch() : false;
|
return $getPostInfo->execute() ? $getPostInfo->fetch() : [];
|
||||||
}
|
}
|
||||||
|
|
||||||
define('MSZ_FORUM_POST_LISTING_QUERY_STANDARD', '
|
define('MSZ_FORUM_POST_LISTING_QUERY_STANDARD', '
|
||||||
|
|
|
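Review bot: Returning `[]` instead of `false` satisfies the declared `array` return type only on the failed-`execute()` branch; `fetch()` itself returns `false` when no row matches `post_id`, and that value still reaches the `array` return type and throws a TypeError. Change the last line to `return $getPostInfo->execute() ? ($getPostInfo->fetch() ?: []) : [];` so a missing post also yields the empty array callers now test for.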
@ -1,7 +1,7 @@
|
||||||
<?php
|
<?php
|
||||||
define('MSZ_TOPIC_TITLE_LENGTH_MIN', 5);
|
define('MSZ_TOPIC_TITLE_LENGTH_MIN', 5);
|
||||||
define('MSZ_TOPIC_TITLE_LENGTH_MAX', 100);
|
define('MSZ_TOPIC_TITLE_LENGTH_MAX', 100);
|
||||||
define('MSZ_POST_TEXT_LENGTH_MIN', 5);
|
define('MSZ_POST_TEXT_LENGTH_MIN', 3);
|
||||||
define('MSZ_POST_TEXT_LENGTH_MAX', 60000);
|
define('MSZ_POST_TEXT_LENGTH_MAX', 60000);
|
||||||
|
|
||||||
function forum_validate_title(string $title): string
|
function forum_validate_title(string $title): string
|
||||||
|
|
|
@ -16,7 +16,7 @@
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
{% if forum_info.forum_type == 0 %}
|
{% if forum_info.forum_type == 0 %}
|
||||||
{% set fcbuttons = app.hasActiveSession ? forum_category_buttons(forum_info) : '' %}
|
{% set fcbuttons = app.hasActiveSession ? forum_category_buttons(forum_info, forum_perms) : '' %}
|
||||||
{% set fcpagination = pagination(
|
{% set fcpagination = pagination(
|
||||||
forum_info.forum_topic_count,
|
forum_info.forum_topic_count,
|
||||||
forum_range,
|
forum_range,
|
||||||
|
|
|
@ -17,9 +17,11 @@
|
||||||
</div>
|
</div>
|
||||||
{% endmacro %}
|
{% endmacro %}
|
||||||
|
|
||||||
{% macro forum_category_buttons(forum) %}
|
{% macro forum_category_buttons(forum, perms) %}
|
||||||
<div class="forum__actions forum__actions__content">
|
<div class="forum__actions forum__actions__content">
|
||||||
<a href="/forum/posting.php?f={{ forum.forum_id }}" class="input__button forum__actions__button">New Topic</a>
|
{% if perms|perms_check(constant('MSZ_FORUM_PERM_CREATE_TOPIC')) %}
|
||||||
|
<a href="/forum/posting.php?f={{ forum.forum_id }}" class="input__button forum__actions__button">New Topic</a>
|
||||||
|
{% endif %}
|
||||||
</div>
|
</div>
|
||||||
{% endmacro %}
|
{% endmacro %}
|
||||||
|
|
||||||
|
|
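Review bot: The new `perms|perms_check(...)` guard in `forum_category_buttons` depends on the second macro argument; Twig supplies `null` for an omitted argument, so any call site still invoking the macro with one argument (this diff updates only the one in the forum listing template) would pass `null` to `perms_check`, and whether that yields a clean denial or a type error depends on its PHP signature, which is not in the diff. Giving the parameter an explicit default, `{% macro forum_category_buttons(forum, perms = 0) %}`, makes the macro fail closed regardless of the caller. Hiding the button is presentation only; the MSZ_FORUM_PERM_CREATE_TOPIC check added to the posting script is what enforces it, which is the right split.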