mirror of https://github.com/e107inc/e107.git synced 2025-08-06 06:38:00 +02:00

Merge pull request #3263 from SimSync/pref_post_script

Limited allowed userclasses for 'post_script' to a smaller group:
Cameron
2018-07-11 10:33:41 -07:00
committed by GitHub


@@ -55,7 +55,7 @@ $tp = e107::getParser();
/* RESET DISPLAY NAMES */ /* RESET DISPLAY NAMES */
if(isset($_POST['submit_resetdisplaynames'])) if(isset($_POST['submit_resetdisplaynames']))
{ {
e107::getDb()->db_Update('user', 'user_name=user_loginname'); e107::getDb()->update('user', 'user_name=user_loginname');
$mes->addInfo(PRFLAN_157); $mes->addInfo(PRFLAN_157);
} }
@@ -647,7 +647,8 @@ $ga = e107::getDate();
$date1 = $ga->convert_date(time(), "short"); $date1 = $ga->convert_date(time(), "short");
$date2 = $ga->convert_date(time(), "long"); $date2 = $ga->convert_date(time(), "long");
$date3 = $ga->convert_date(time(), "forum"); $date3 = $ga->convert_date(time(), "forum");
$date4 = e107::getDate()->convert(time(),"input"); //$core_pref$date4 = e107::getDate()->convert(time(),"input");
$date4 = $tp->toDate(time(),"input");
$text .= " $text .= "
<fieldset class='e-hideme' id='core-prefs-date'> <fieldset class='e-hideme' id='core-prefs-date'>
@@ -1086,14 +1087,37 @@ $text .= "
/* text render options */ /* text render options */
$savePrefs = false;
if(!isset($pref['post_html'])) if(!isset($pref['post_html']))
{ {
$pref['post_html'] = '250'; $pref['post_html'] = '250';
save_prefs(); $savePrefs = true;
//save_prefs();
} }
$text .= " // Make sure, the "post_script" setting is set and if not, set it to "No One" (255)
// This should close a possible security hole...
if(!isset($pref['post_script']))
{
$pref['post_script'] = '255';
$savePrefs = true;
//save_prefs();
}
else
{
// Make sure, that the pref is one of the allowed userclasses
// Close possible security hole
if (!array_key_exists($pref['post_script'], $e_userclass->uc_required_class_list('nobody,admin,main,classes,no-excludes', true)))
{
$pref['post_script'] = 255; //set to userclass "no one" if the old class isn't part of the list of allowed userclasses
$savePrefs = true;
}
}
if ($savePrefs) $core_pref->setPref($pref)->save(false, true);
$text .= "
<fieldset class='e-hideme' id='core-prefs-textpost'> <fieldset class='e-hideme' id='core-prefs-textpost'>
<legend>".PRFLAN_101."</legend> <legend>".PRFLAN_101."</legend>
<table class='table adminform'> <table class='table adminform'>
@@ -1186,7 +1210,9 @@ $text .= "
<tr> <tr>
<td><label for='post-script'>".PRFLAN_215.":</label></td> <td><label for='post-script'>".PRFLAN_215.":</label></td>
<td> <td>
".r_userclass('post_script',$pref['post_script'],'off','nobody,member,admin,main,classes')." ".//r_userclass('post_script',$pref['post_script'],'off','nobody,member,admin,main,classes')
$e_userclass->uc_dropdown('post_script',$pref['post_script'],'off','nobody,admin,main,classes,no-excludes')
."
<div class='smalltext field-help'>".PRFLAN_216."</div> <div class='smalltext field-help'>".PRFLAN_216."</div>
</td> </td>
</tr> </tr>
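Review bot: The allow-list check on `$pref['post_script']` in the text-render hunk runs only while this preferences page is being rendered, so a disallowed class that reaches the stored pref by another route would stay in effect until an admin next opens the page; the same check belongs where the pref is saved or where it is enforced (both are outside the lines shown, so this is inferred). The class list `'nobody,admin,main,classes,no-excludes'` is also written twice, once in the `array_key_exists()` check and once in the `uc_dropdown()` call of the last hunk, and the two can drift apart; assign it once, e.g. `$postScriptClasses = 'nobody,admin,main,classes,no-excludes';`, and pass the variable to both. The fallback is stored as the string `'255'` in one branch and the integer `255` in the other, so pick one form. The commented-out `//save_prefs();` and `//r_userclass(...)` lines can be dropped rather than kept next to the new code.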