FIX user can transfer his moderator permissions from one forum to an other forum

I am working further on the moderator permissions and discovered that my previous commit 692509f is a bad solution. Because the moderator submits the threadId and postID for the post who he wants to delete. This threadId was used to check the moderator permissions of the postId. So if a moderator has only permissions for one forum, he could change the transmitted threadId in an other forum to get there also moderator permisssions... Sorry that I did not noticed this glitch before I made the previous commit. :-/
2025-03-13 17:09:46 +01:00 · 2018-10-03 17:36:33 +02:00 · 2018-10-03 17:36:33 +02:00 · 9ca28b8fa4
commit 9ca28b8fa4
parent 690db62a88
2 changed files with 34 additions and 16 deletions
--- a/e107_plugins/forum/forum_class.php
+++ b/e107_plugins/forum/forum_class.php
@ -366,30 +366,48 @@ class e107forum
 		exit;

 	}
-	
-	
+
+
+	/**
+	 * get user ids with moderator permissions for the given $postId
+	 * @param $postId id of a forum post
+	 * @return an array with user ids how have moderator permissions for the $postId
+	 */
+	public function getModeratorUserIdsByPostId($postId)
+	{
+		$sql = e107::getDb();
+		$query = "SELECT f.forum_moderators
+                  FROM #forum AS f
+                  INNER JOIN #forum_thread AS ft ON f.forum_id = ft.thread_forum_id
+                  INNER JOIN #forum_post AS fp ON ft.thread_id = fp.post_thread
+                  WHERE fp.post_id = ". $postId;
+		if ($sql->gen($query) > 0)
+		{
+			$row = $sql->fetch();
+			return array_keys($this->forumGetMods($row['forum_moderators']));
+		}
+		return array();
+	}
+
+
 	public function ajaxModerate()
 	{
 		$ret = array('hide' => false, 'msg' => 'unkown', 'status' => 'error');
-		$modArray = array();
+		$moderatorUserIds = array();

-		// get moderator-class for the thread to check permissions of the user
-		if (isset($_POST['thread']))
+		if (isset($_POST['thread']) && is_numeric($_POST['thread']))
 		{
 			$threadId = intval($_POST['thread']);
+		}

-			$sql = e107::getDb();
-			$query = "SELECT f.forum_moderators
-	                  FROM #forum AS f
-	                  INNER JOIN #forum_thread AS ft ON f.forum_id = ft.thread_forum_id
-	                  WHERE ft.thread_id = ". $threadId;
-			$sql->gen($query);
-			$row = $sql->fetch();
-			$modArray = $this->forumGetMods($row[forum_moderators]);
+		if (isset($_POST['post']) && is_numeric($_POST['post']))
+		{
+			$postId = intval($_POST['post']);
+			$moderatorUserIds = $this->getModeratorUserIdsByPostId($postId);
 		}

 		// Check if user has moderator permissions for this thread
-		if(!in_array(USERID, array_keys($modArray)))
+		if(!in_array(USERID, $moderatorUserIds))
 		{
 			$ret['msg'] 	= ''.LAN_FORUM_8030.' '. json_encode($_POST);
 			$ret['hide'] 	= false;
@ -414,7 +432,7 @@ class e107forum
 				break;
 				
 				case 'deletepost':
-					if(!$postId = vartrue($_POST['post']))
+					if(!$postId)
 					{
 						// echo "No Post";
 						// exit;
--- a/e107_plugins/forum/shortcodes/batch/view_shortcodes.php
+++ b/e107_plugins/forum/shortcodes/batch/view_shortcodes.php
@ -889,7 +889,7 @@
 				//	if(!$this->forum->threadDetermineInitialPost($this->postInfo['post_id']))
 				if(empty($this->postInfo['thread_start']))
 				{
-					$text .= "<li class='text-right'><a href='" . e_REQUEST_URI . "' data-forum-action='deletepost' data-forum-thread='" . $this->postInfo['post_thread'] . "' data-forum-post='" . $this->postInfo['post_id'] . "'>" . LAN_DELETE . " " . $tp->toGlyph('trash') . "</a></li>";
+					$text .= "<li class='text-right'><a href='" . e_REQUEST_URI . "' data-forum-action='deletepost' data-forum-post='" . $this->postInfo['post_id'] . "'>" . LAN_DELETE . " " . $tp->toGlyph('trash') . "</a></li>";
 				}

 				if($type == 'thread')