From 98213ec03cd2cc51e575ed2a028f9437d268ac2a Mon Sep 17 00:00:00 2001
From: phibel
Date: Sun, 30 Sep 2018 17:21:05 +0200
Subject: [PATCH] FIX check if user has moderator permissions for the thread/forum

Without admin permissions (member of user class 254) it was not possible to delete a post in the forum. This fix add the threadId to the ajax query and fetchs the forum-moderator for the thread which will then checked against the user permissions/classes. I added also an additional error message, if something goes wrong.
---
 e107_plugins/forum/forum_class.php | 58 +++++++++++--------
 .../forum/languages/English/English_front.php | 1 +
 .../shortcodes/batch/view_shortcodes.php | 2 +-
 3 files changed, 36 insertions(+), 25 deletions(-)

diff --git a/e107_plugins/forum/forum_class.php b/e107_plugins/forum/forum_class.php
index c283a4749..0f81a11e9 100644
--- a/e107_plugins/forum/forum_class.php
+++ b/e107_plugins/forum/forum_class.php
@@ -370,29 +370,39 @@ class e107forum public function ajaxModerate() { - - if(!$this->isModerator(USERID)) //FIXME check permissions per forum. + $ret = array('hide' => false, 'msg' => 'unkown', 'status' => 'error'); + $modArray = array(); + + // get moderator-class for the thread to check permissions of the user + if (isset($_POST['thread'])) { - exit; + $threadId = intval($_POST['thread']); + + $sql = e107::getDb(); + $query = "SELECT f.forum_moderators + FROM #forum AS f + INNER JOIN #forum_thread AS ft ON f.forum_id = ft.thread_forum_id + WHERE ft.thread_id = ". $threadId; + $sql->gen($query); + $row = $sql->fetch(); + $modArray = $this->forumGetMods($row[forum_moderators]); } - - if(!vartrue($_POST['thread']) && !vartrue($_POST['post'])) - { - exit; - } - - $id = intval($_POST['thread']); - - // print_r($_POST); - - $ret = array('hide' => false, 'msg' => '', 'status' => null); - + + // Check if user has moderator permissions for this thread + if(!in_array(USERID, array_keys($modArray))) + { + $ret['msg'] = ''.LAN_FORUM_8030.' '. json_encode($_POST); + $ret['hide'] = false; + $ret['status'] = 'error'; + } + else + { switch ($_POST['action']) { case 'delete': - if($this->threadDelete($id)) + if($this->threadDelete($threadId)) { - $ret['msg'] = ''.LAN_FORUM_8020.' #'.$id; + $ret['msg'] = ''.LAN_FORUM_8020.' #'.$threadId; $ret['hide'] = true; $ret['status'] = 'ok'; } @@ -426,7 +436,7 @@ class e107forum break; case 'lock': - if(e107::getDb()->update('forum_thread', 'thread_active=0 WHERE thread_id='.$id)) + if(e107::getDb()->update('forum_thread', 'thread_active=0 WHERE thread_id='.$threadId)) { $ret['msg'] = LAN_FORUM_CLOSE; $ret['status'] = 'ok'; @@ -439,7 +449,7 @@ class e107forum break; case 'unlock': - if(e107::getDb()->update('forum_thread', 'thread_active=1 WHERE thread_id='.$id)) + if(e107::getDb()->update('forum_thread', 'thread_active=1 WHERE thread_id='.$threadId)) { $ret['msg'] = LAN_FORUM_OPEN; $ret['status'] = 'ok'; 
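Review bot: `$row[forum_moderators]` in the new lookup block uses an unquoted key, which PHP parses as an undefined constant (a notice with a string fallback before 8.0, a fatal Error from 8.0 on), so the moderator list this whole permission check depends on is not populated reliably; it should read `$row['forum_moderators']`, and since `fetch()` returns false when no row matches the thread id, wrap it as `if($row) { $modArray = $this->forumGetMods($row['forum_moderators']); }`. The denial branch also reflects the raw request back to the caller via `json_encode($_POST)`; that is debugging output that lands in whatever renders `msg`, so return `LAN_FORUM_8030` alone (its text names only deletion, although this branch is reached for lock, unlock, stick and unstick as well). `in_array(USERID, array_keys($modArray))` is a non-strict membership test that reads more directly as `isset($modArray[USERID])`, assuming forumGetMods() keys its result by user id as the check implies. The old isModerator(USERID) gate was removed rather than combined with the per-forum lookup, so whether administrators it previously accepted are still present in forumGetMods()'s result cannot be confirmed from this hunk. ajaxModerate()'s body continues past the hunk.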
@@ -452,7 +462,7 @@ class e107forum break; case 'stick': - if(e107::getDb()->update('forum_thread', 'thread_sticky=1 WHERE thread_id='.$id)) + if(e107::getDb()->update('forum_thread', 'thread_sticky=1 WHERE thread_id='.$threadId)) { $ret['msg'] = LAN_FORUM_STICK; $ret['status'] = 'ok'; @@ -465,7 +475,7 @@ class e107forum break; case 'unstick': - if(e107::getDb()->update('forum_thread', 'thread_sticky=0 WHERE thread_id='.$id)) + if(e107::getDb()->update('forum_thread', 'thread_sticky=0 WHERE thread_id='.$threadId)) { $ret['msg'] = LAN_FORUM_UNSTICK; $ret['status'] = 'ok'; @@ -486,10 +496,10 @@ class e107forum $ret['msg'] = LAN_FORUM_8027; break; } - - echo json_encode($ret); + } + echo json_encode($ret); - exit; + exit(); } diff --git a/e107_plugins/forum/languages/English/English_front.php b/e107_plugins/forum/languages/English/English_front.php index 8455ecb7c..8b0ec1b7b 100644 --- a/e107_plugins/forum/languages/English/English_front.php +++ b/e107_plugins/forum/languages/English/English_front.php @@ -345,6 +345,7 @@ define("LAN_FORUM_8026", "Failed to unstick thread"); define("LAN_FORUM_8027", "No action selected"); define("LAN_FORUM_8028", "Return"); define("LAN_FORUM_8029", "New topic created!"); +define("LAN_FORUM_8030", "Couldn't delete post (moderator permission needed)"); /* THIS WILL BE DELETED ONCE THE REWRITE IS DONE ================================================== diff --git a/e107_plugins/forum/shortcodes/batch/view_shortcodes.php b/e107_plugins/forum/shortcodes/batch/view_shortcodes.php index d96bde48d..956f7db93 100644 --- a/e107_plugins/forum/shortcodes/batch/view_shortcodes.php +++ b/e107_plugins/forum/shortcodes/batch/view_shortcodes.php @@ -889,7 +889,7 @@ // if(!$this->forum->threadDetermineInitialPost($this->postInfo['post_id'])) if(empty($this->postInfo['thread_start'])) { - $text .= "
  • " . LAN_DELETE . " " . $tp->toGlyph('trash') . "
  • "; + $text .= "
  • " . LAN_DELETE . " " . $tp->toGlyph('trash') . "
  • "; } if($type == 'thread')