Fix for PM Send permissions.

2025-07-31 20:00:37 +02:00 · 2016-04-25 09:31:55 -07:00
parent 8762cf82ca
commit 79c6e80c4f
5 changed files with 57 additions and 5 deletions
--- a/e107_handlers/userclass_class.php
+++ b/e107_handlers/userclass_class.php
@@ -531,7 +531,7 @@ class user_class

 		if (count($opt_arr) == 0)
 		{
-			$opt_arr = array('public' => 1, 'guest' => 1, 'nobody' => 1, 'member' => 1, 'classes' => 1);
+			$opt_arr = array('public' => 1, 'guest' => 1, 'new'=>1, 'nobody' => 1, 'member' => 1, 'classes' => 1);
 		}

 		if (isset($opt_arr['all']))
--- a/e107_plugins/pm/e_shortcode.php
+++ b/e107_plugins/pm/e_shortcode.php
@@ -75,8 +75,10 @@ class pm_shortcodes extends e_shortcode
 	}


-
-
+	/**
+	 * @param int $parm - User ID.
+	 * @return null|string
+	 */
 	function sc_sendpm($parm='')
 	{

@@ -86,8 +88,12 @@ class pm_shortcodes extends e_shortcode

 		$url = e107::url('pm','index').'?send.'.$parm;

+		require_once(e_PLUGIN."pm/pm_class.php");

-		if(check_class($pm_prefs['pm_class']))
+		$pm = new private_message;
+
+
+		if(check_class($pm_prefs['pm_class']) && $pm->canSendTo($parm)) // check $this->pmPrefs['send_to_class'].
 		{
 		    if(deftrue('FONTAWESOME') && deftrue('BOOTSTRAP'))
 		    {
--- a/e107_plugins/pm/languages/English.php
+++ b/e107_plugins/pm/languages/English.php
@@ -88,4 +88,5 @@ define("LAN_PM_111", "Read");
 define("LAN_PM_112", "User(s)");

 define("LAN_PM_113", "Read Message");
+define("LAN_PM_114", "You do not have access to send to this user.");
 ?>
--- a/e107_plugins/pm/pm.php
+++ b/e107_plugins/pm/pm.php
@@ -148,8 +148,16 @@ class pm_extended extends private_message
 			$to_uid = $pm_info['pm_from'];
 		}

+
+
 		if(!empty($to_uid))
 		{
+
+			if($this->canSendTo($to_uid) == false)
+			{
+				return "<div class='alert alert-danger'>".LAN_PM_114."</div>";// sending to this user is not permitted.
+			}
+
 			$sql2 = e107::getDb('sql2');
 			if($sql2->select('user', 'user_name', 'user_id = '.intval($to_uid))) //TODO add a check for userclass.
 			{
--- a/e107_plugins/pm/pm_class.php
+++ b/e107_plugins/pm/pm_class.php
@@ -35,7 +35,8 @@ class private_message
 	public	function __construct($prefs=null)
 	{
 		$this->e107 = e107::getInstance();
-		$this->pmPrefs = $prefs;	}
+		$this->pmPrefs = e107::pref('pm');
+	}


 	/**
@@ -262,6 +263,10 @@ class private_message
 		else
 		{	// Sending to a single person
 			$info['pm_to'] = intval($vars['to_info']['user_id']);		// Sending to a single user now
+
+
+
+
 			if($pmid = $sql->insert('private_msg', $info))
 			{
 				$info['pm_id'] = $pmid;
@@ -634,6 +639,7 @@ class private_message
 	function get_users_inclass($class)
 	{
 		$sql = e107::getDb();
+
 		if($class == e_UC_MEMBER)
 		{
 			$qry = "SELECT user_id, user_name, user_email, user_class FROM `#user` WHERE 1";
@@ -658,6 +664,37 @@ class private_message
 	}


+	/**
+	 * Check permission to send a PM to someone.
+	 * @param int $uid user_id of the person to send to
+	 * @return bool
+	 */
+	function canSendTo($uid)
+	{
+		if(empty($uid))
+		{
+			return false;
+		}
+
+		$user = e107::user($uid);
+
+		$uclass = explode(",", $user['user_class']);
+
+		if($this->pmPrefs['send_to_class'] == 'matchclass')
+		{
+			$tmp = explode(",", USERCLASS);
+			$result = array_intersect($uclass, $tmp);
+
+			return !empty($result);
+		}
+
+		return in_array($this->pmPrefs['send_to_class'], $uclass);
+
+	}
+
+
+
+
 	/**
 	 *	Get inbox - up to $limit messages from $from
 	 *