Implemented permission checks everywhere, manage is next.
This commit is contained in:
parent
1ae61e6a23
commit
7fd2a8d286
9 changed files with 39 additions and 19 deletions
|
@ -17,6 +17,15 @@ if (empty($forum) || ($forum['forum_type'] == MSZ_FORUM_TYPE_LINK && empty($foru
|
|||
return;
|
||||
}
|
||||
|
||||
$perms = forum_perms_get_user(MSZ_FORUM_PERMS_GENERAL, $forum['forum_id'], $app->getUserId());
|
||||
|
||||
if (!perms_check($perms, MSZ_FORUM_PERM_VIEW_FORUM)) {
|
||||
echo render_error(403);
|
||||
return;
|
||||
}
|
||||
|
||||
tpl_var('forum_perms', $perms);
|
||||
|
||||
if ($forum['forum_type'] == MSZ_FORUM_TYPE_LINK) {
|
||||
forum_increment_clicks($forum['forum_id']);
|
||||
header('Location: ' . $forum['forum_link']);
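Review bot: Answering `render_error(403)` when the viewer lacks `MSZ_FORUM_PERM_VIEW_FORUM` confirms that the forum id exists, while the `empty($forum)` branch just above responds differently, so an unauthenticated caller can enumerate hidden forum ids by status code alone. If hidden forums are meant to be invisible rather than merely unreadable, the deny branch should answer the same way as a missing forum, `echo render_error(404);`, and the matching guard added in the topic page hunk should do the same. Whether that is the intent cannot be told from this diff. The enclosing script continues past the hunk.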
|
||||
|
|
|
@ -68,13 +68,18 @@ if (empty($forum)) {
|
|||
return;
|
||||
}
|
||||
|
||||
if ($forum['forum_type'] != MSZ_FORUM_TYPE_DISCUSSION) {
|
||||
echo render_error(400);
|
||||
$perms = forum_perms_get_user(MSZ_FORUM_PERMS_GENERAL, $forum['forum_id'], $app->getUserId());
|
||||
|
||||
if ($forum['forum_archived']
|
||||
|| !empty($topic['topic_locked'])
|
||||
|| !perms_check($perms, MSZ_FORUM_PERM_VIEW_FORUM | MSZ_FORUM_PERM_CREATE_POST)
|
||||
|| (empty($topic) && !perms_check($perms, MSZ_FORUM_PERM_CREATE_TOPIC))) {
|
||||
echo render_error(403);
|
||||
return;
|
||||
}
|
||||
|
||||
if ($forum['forum_archived'] || !empty($topic['topic_locked'])) {
|
||||
echo render_error(403);
|
||||
if (!forum_may_have_topics($forum['forum_type'])) {
|
||||
echo render_error(400);
|
||||
return;
|
||||
}
|
||||
|
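Review bot: The guard `!perms_check($perms, MSZ_FORUM_PERM_VIEW_FORUM | MSZ_FORUM_PERM_CREATE_POST)` is only correct if `perms_check` requires every bit of the mask to be present; if it tests for any overlapping bit (its body is not in this diff), a user who can merely view the forum passes and can post. Since nothing here pins that semantics, two explicit checks are safer and read the same, `|| !perms_check($perms, MSZ_FORUM_PERM_VIEW_FORUM)` and `|| !perms_check($perms, MSZ_FORUM_PERM_CREATE_POST)`. It is also worth confirming that `$topic`, when set, belongs to `$forum`, because the locked and create-topic conditions assume it does and the lookup is outside the hunk. The script continues past the hunk.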
||||
|
|
|
@ -22,6 +22,13 @@ if (!$topic) {
|
|||
return;
|
||||
}
|
||||
|
||||
$perms = forum_perms_get_user(MSZ_FORUM_PERMS_GENERAL, $topic['forum_id'], $app->getUserId());
|
||||
|
||||
if (!perms_check($perms, MSZ_FORUM_PERM_VIEW_FORUM)) {
|
||||
echo render_error(403);
|
||||
return;
|
||||
}
|
||||
|
||||
$posts = forum_post_listing($topic['topic_id'], $postsOffset, $postsRange);
|
||||
|
||||
if (!$posts) {
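Review bot: Unlike the forum page hunk, this one discards `$perms` after the guard instead of passing it to the template with `tpl_var('forum_perms', $perms);`, so if the topic template renders reply or new-topic buttons it cannot gate them the way `forum_category_buttons` now does and will keep showing links that posting.php then rejects with 403. The view check itself is fine for this page; it is the missing hand-off that leaves the two pages inconsistent. Adding the `tpl_var` call right after the guard keeps them aligned. The script continues past the hunk.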
|
||||
|
|
|
@ -294,11 +294,11 @@ class Application extends ApplicationBase
|
|||
tpl_add_function('parse_text', true);
|
||||
tpl_add_function('asset_url', true);
|
||||
tpl_add_function('vsprintf', true);
|
||||
tpl_add_function('perms_check', true);
|
||||
|
||||
tpl_add_function('git_commit_hash');
|
||||
tpl_add_function('git_branch');
|
||||
tpl_add_function('csrf_token', false, 'tmp_csrf_token');
|
||||
tpl_add_function('perms_check');
|
||||
|
||||
tpl_var('app', $this);
|
||||
}
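Review bot: `perms_check` appears once in the group registered with a second argument of `true` (which, judging by `parse_text` and `asset_url`, registers a Twig filter) and once as a plain function, and only one of the two lines survives this commit; the rendered diff does not show which. The macro changed in this commit calls it with filter syntax, `perms|perms_check(constant('MSZ_FORUM_PERM_CREATE_TOPIC'))`, so the retained registration has to be `tpl_add_function('perms_check', true);` or the template will fail to compile. Worth confirming against the new side before merging.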
|
||||
|
|
|
@ -41,7 +41,7 @@ function forum_perms_get_user_sql(
|
|||
'
|
||||
SELECT BIT_OR(`%1$s_perms`)
|
||||
FROM `msz_forum_permissions_view`
|
||||
WHERE `forum_id` = %2$s
|
||||
WHERE (`forum_id` = %2$s OR `forum_id` IS NULL)
|
||||
AND (
|
||||
(`user_id` IS NULL AND `role_id` IS NULL)
|
||||
OR (`user_id` = %3$s AND `role_id` IS NULL)
|
||||
|
@ -72,8 +72,8 @@ function forum_perms_get_user(string $prefix, int $forum, int $user): int
|
|||
|
||||
$getPerms = Database::prepare(forum_perms_get_user_sql($prefix));
|
||||
$getPerms->bindValue('perm_forum_id', $forum);
|
||||
$getPerms->bindValue('perm_user_id_1', $user);
|
||||
$getPerms->bindValue('perm_user_id_2', $user);
|
||||
$getPerms->bindValue('perm_user_id_user', $user);
|
||||
$getPerms->bindValue('perm_user_id_role', $user);
|
||||
return $getPerms->execute() ? (int)$getPerms->fetchColumn() : 0;
|
||||
}
|
||||
|
||||
|
@ -84,12 +84,9 @@ function forum_perms_get_role(string $prefix, int $forum, int $role): int
|
|||
}
|
||||
|
||||
$getPerms = Database::prepare("
|
||||
SELECT `{$prefix}_perms_allow` &~ `{$prefix}_perms_deny`
|
||||
FROM `msz_forum_permissions`
|
||||
WHERE (
|
||||
`forum_id` = :forum_id
|
||||
OR `forum_id` IS NULL
|
||||
)
|
||||
SELECT BIT_OR(`{$prefix}_perms`)
|
||||
FROM `msz_forum_permissions_view`
|
||||
WHERE (`forum_id` = :forum_id OR `forum_id` IS NULL)
|
||||
AND `role_id` = :role_id
|
||||
AND `user_id` IS NULL
|
||||
");
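Review bot: `BIT_OR` over the rows matching `forum_id = :forum_id OR forum_id IS NULL` (and, in `forum_perms_get_user_sql`, over the user and role rows as well) can only add bits, so if `msz_forum_permissions_view` exposes a per-row `allow &~ deny` value the way the removed `forum_perms_get_role` query computed it, a deny set on one forum cannot revoke a permission that a global (`forum_id IS NULL`) row or another role row grants. A per-forum deny would then be silently ineffective for anyone holding the bit globally, which is the opposite of what a deny column usually promises. If the view still carries the raw allow and deny columns, aggregating them separately, `BIT_OR(perms_allow) &~ BIT_OR(perms_deny)`, makes any deny win across the matched rows; otherwise the precedence has to be resolved in PHP after fetching the rows. `forum_perms_get_user_sql` starts before its hunk and only the tail of `forum_perms_get_role` is shown.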
|
||||
|
|
|
@ -59,7 +59,7 @@ function forum_post_find(int $postId): array
|
|||
');
|
||||
$getPostInfo->bindValue('post_id', $postId);
|
||||
|
||||
return $getPostInfo->execute() ? $getPostInfo->fetch() : false;
|
||||
return $getPostInfo->execute() ? $getPostInfo->fetch() : [];
|
||||
}
|
||||
|
||||
define('MSZ_FORUM_POST_LISTING_QUERY_STANDARD', '
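Review bot: `forum_post_find` can still return `false` despite its `: array` return type, because `$getPostInfo->fetch()` itself yields `false` when no row matches the post id (assuming `Database::prepare` hands back a PDOStatement), so the new `[]` only covers a failed execute and a missing post is a TypeError under strict types. One line closes the gap, `return $getPostInfo->execute() ? ($getPostInfo->fetch() ?: []) : [];`, after which callers can rely on `empty()` as the other lookups in this commit do. Only the tail of the function is in the hunk.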
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
<?php
|
||||
define('MSZ_TOPIC_TITLE_LENGTH_MIN', 5);
|
||||
define('MSZ_TOPIC_TITLE_LENGTH_MAX', 100);
|
||||
define('MSZ_POST_TEXT_LENGTH_MIN', 5);
|
||||
define('MSZ_POST_TEXT_LENGTH_MIN', 3);
|
||||
define('MSZ_POST_TEXT_LENGTH_MAX', 60000);
|
||||
|
||||
function forum_validate_title(string $title): string
|
||||
|
|
|
@ -16,7 +16,7 @@
|
|||
{% endif %}
|
||||
|
||||
{% if forum_info.forum_type == 0 %}
|
||||
{% set fcbuttons = app.hasActiveSession ? forum_category_buttons(forum_info) : '' %}
|
||||
{% set fcbuttons = app.hasActiveSession ? forum_category_buttons(forum_info, forum_perms) : '' %}
|
||||
{% set fcpagination = pagination(
|
||||
forum_info.forum_topic_count,
|
||||
forum_range,
|
||||
|
|
|
@ -17,9 +17,11 @@
|
|||
</div>
|
||||
{% endmacro %}
|
||||
|
||||
{% macro forum_category_buttons(forum) %}
|
||||
{% macro forum_category_buttons(forum, perms) %}
|
||||
<div class="forum__actions forum__actions__content">
|
||||
<a href="/forum/posting.php?f={{ forum.forum_id }}" class="input__button forum__actions__button">New Topic</a>
|
||||
{% if perms|perms_check(constant('MSZ_FORUM_PERM_CREATE_TOPIC')) %}
|
||||
<a href="/forum/posting.php?f={{ forum.forum_id }}" class="input__button forum__actions__button">New Topic</a>
|
||||
{% endif %}
|
||||
</div>
|
||||
{% endmacro %}
|
||||
|
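Review bot: `forum_category_buttons` now takes a `perms` argument, but Twig macro parameters default to `null` when a caller omits them, so any template other than the one updated in this commit hands `null` to `perms_check`; if `perms_check` declares an `int` parameter (its signature is not in this diff) that is a TypeError at render time rather than a hidden button. A zero default fails closed, `{% macro forum_category_buttons(forum, perms = 0) %}`, and keeps old callers rendering without the button. Hiding the link is presentation only; the server-side check in posting.php remains the actual enforcement, which is why a missing `perms` should degrade to "no button" rather than an error.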
||||
|
|