mirror of https://github.com/e107inc/e107.git synced 2025-08-11 00:54:49 +02:00

FIX check moderator permissions for thread-operations

Without admin permissions (member of user class 254) it was not possible to modify threads in
the forum. This fix gets the forum-moderator permissions by the threadId so that the thread can be modified.
phibel
2018-10-03 17:42:14 +02:00
parent 37d086c418
commit c644a8b9d2
3 changed files with 63 additions and 21 deletions


@@ -390,6 +390,49 @@ class e107forum
}
/**
* get user ids with moderator permissions for the given $threadId
* @param $threadId id of a forum thread
* @return an array with user ids how have moderator permissions for the $threadId
*/
public function getModeratorUserIdsByThreadId($threadId)
{
// get moderator-class for the thread to check permissions of the user
$sql = e107::getDb();
$query = "SELECT f.forum_moderators
FROM #forum AS f
INNER JOIN #forum_thread AS ft ON f.forum_id = ft.thread_forum_id
WHERE ft.thread_id = ". $threadId;
if ($sql->gen($query) > 0)
{
$row = $sql->fetch();
return array_keys($this->forumGetMods($row['forum_moderators']));
}
return array();
}
/**
* get user ids with moderator permissions for the given $forumId
* @param $forumId id of a forum
* @return an array with user ids how have moderator permissions for the $forumId
*/
public function getModeratorUserIdsByForumId($forumId)
{
// get moderator-class for the thread to check permissions of the user
$sql = e107::getDb();
$query = "SELECT f.forum_moderators
FROM #forum AS f
WHERE f.forum_id = ". $forumId;
if ($sql->gen($query) > 0)
{
$row = $sql->fetch();
return array_keys($this->forumGetMods($row['forum_moderators']));
}
return array();
}
public function ajaxModerate()
{
$ret = array('hide' => false, 'msg' => 'unkown', 'status' => 'error');
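Review bot: Both new lookups, `getModeratorUserIdsByThreadId` and `getModeratorUserIdsByForumId`, append their argument to the SQL string unescaped, so each query is only safe if every caller has already forced the value to an integer. The `ajaxModerate` caller in the following hunk does pass an `intval()` result, but the methods are public and the commit changes three files, so other call sites may exist that are not visible here. Casting inside the methods makes them safe on their own: `WHERE ft.thread_id = " . (int) $threadId;` and `WHERE f.forum_id = " . (int) $forumId;`. The docblocks could state the same expectation, e.g. `@param int $threadId id of a forum thread` and `@return array user ids that have moderator permissions`.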
@@ -398,8 +441,13 @@ class e107forum
if (isset($_POST['thread']) && is_numeric($_POST['thread']))
{
$threadId = intval($_POST['thread']);
$moderatorUserIds = $this->getModeratorUserIdsByThreadId($threadId);
}
/* If both, a thread-operation and a post-operation is submitted, the
* thread-permissions MUST be overwritten by the post-permissions!
* Otherwise it is possible that a moderator can transfer his
* permissions from one forum to another forum, where he has no permissions. */
if (isset($_POST['post']) && is_numeric($_POST['post']))
{
$postId = intval($_POST['post']);