mirror/php-e107
1
0
Fork 0
mirror of https://github.com/e107inc/e107.git synced 2025-08-09 16:17:14 +02:00
Code Issues Releases Wiki Activity

Bugtracker #4520 - additional access checks

Browse Source
This commit is contained in:
e107steved
2008-10-07 19:22:20 +00:00
parent e9f9259253
commit ff756e9eb7
2 changed files with 59 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
e107_plugins/content/content_manager.php
View File

@@ -12,8 +12,8 @@
| GNU General Public License (http://gnu.org). | GNU General Public License (http://gnu.org).
| |
| $Source: /cvs_backup/e107_0.8/e107_plugins/content/content_manager.php,v $ | $Source: /cvs_backup/e107_0.8/e107_plugins/content/content_manager.php,v $
| $Revision: 1.7 $ | $Revision: 1.8 $
| $Date: 2008-06-27 21:22:02 $ | $Date: 2008-10-07 19:22:20 $
| $Author: e107steved $ | $Author: e107steved $
+---------------------------------------------------------------+ +---------------------------------------------------------------+
*/ */
@@ -52,6 +52,14 @@ if(e_QUERY){
$qs = explode(".", e_QUERY); $qs = explode(".", e_QUERY);
} }
if (!USER)
{ // non-user can never manage content
header("location:".$plugindir."content.php");
exit;
}
// define e_pagetitle // define e_pagetitle
$aa -> setPageTitle(); $aa -> setPageTitle();

73
e107_plugins/content/handlers/content_db_class.php
View File

@@ -12,9 +12,9 @@
| GNU General Public License (http://gnu.org). | GNU General Public License (http://gnu.org).
| |
| $Source: /cvs_backup/e107_0.8/e107_plugins/content/handlers/content_db_class.php,v $ | $Source: /cvs_backup/e107_0.8/e107_plugins/content/handlers/content_db_class.php,v $
| $Revision: 1.9 $ | $Revision: 1.10 $
| $Date: 2007-04-16 22:11:09 $ | $Date: 2008-10-07 19:22:20 $
| $Author: lisa_ $ | $Author: e107steved $
+---------------------------------------------------------------+ +---------------------------------------------------------------+
*/ */
@@ -22,13 +22,14 @@ if (!defined('e107_INIT')) { exit; }
if (!defined('ADMIN_WIDTH')) { define("ADMIN_WIDTH", "width:98%;"); } if (!defined('ADMIN_WIDTH')) { define("ADMIN_WIDTH", "width:98%;"); }
$plugindir = e_PLUGIN."content/"; $plugindir = e_PLUGIN."content/";
$plugintable = "pcontent"; $plugintable = "pcontent"; //name of the table used in this plugin (never remove this, as it's being used throughout the plugin !!)
$datequery = " AND content_datestamp < ".time()." AND (content_enddate=0 || content_enddate>".time().") "; $datequery = " AND content_datestamp < ".time()." AND (content_enddate=0 || content_enddate>".time().") ";
//icon, file, image upload //icon, file, image upload
if(isset($_POST['uploadfile'])){ if(isset($_POST['uploadfile']))
{
if($_POST['uploadtype']){ if($_POST['uploadtype'])
{
$pref['upload_storagetype'] = "1"; $pref['upload_storagetype'] = "1";
require_once(e_HANDLER."upload_handler.php"); require_once(e_HANDLER."upload_handler.php");
$mainparent = $aa -> getMainParent(intval($_POST['parent1'])); $mainparent = $aa -> getMainParent(intval($_POST['parent1']));
@@ -44,7 +45,8 @@ if(isset($_POST['uploadfile'])){
} }
//icon //icon
if($_POST['uploadtype'] == "1"){ if($_POST['uploadtype'] == "1")
{
$pref['upload_storagetype'] = "1"; $pref['upload_storagetype'] = "1";
$pathtmp = $_POST['tmppathicon']; $pathtmp = $_POST['tmppathicon'];
$uploaded = file_upload($pathtmp); $uploaded = file_upload($pathtmp);
@@ -62,7 +64,9 @@ if(isset($_POST['uploadfile'])){
$message = ($new ? CONTENT_ADMIN_ITEM_LAN_106 : CONTENT_ADMIN_ITEM_LAN_107); $message = ($new ? CONTENT_ADMIN_ITEM_LAN_106 : CONTENT_ADMIN_ITEM_LAN_107);
//file //file
}elseif($_POST['uploadtype'] == "2"){ }
elseif($_POST['uploadtype'] == "2")
{
$pref['upload_storagetype'] = "1"; $pref['upload_storagetype'] = "1";
$pathtmp = $_POST['tmppathfile']; $pathtmp = $_POST['tmppathfile'];
$uploaded = file_upload($pathtmp); $uploaded = file_upload($pathtmp);
@@ -77,7 +81,9 @@ if(isset($_POST['uploadfile'])){
$message = ($new ? CONTENT_ADMIN_ITEM_LAN_108 : CONTENT_ADMIN_ITEM_LAN_109); $message = ($new ? CONTENT_ADMIN_ITEM_LAN_108 : CONTENT_ADMIN_ITEM_LAN_109);
//image //image
}elseif($_POST['uploadtype'] == "3"){ }
elseif($_POST['uploadtype'] == "3")
{
$pref['upload_storagetype'] = "1"; $pref['upload_storagetype'] = "1";
$pathtmp = $_POST['tmppathimage']; $pathtmp = $_POST['tmppathimage'];
$uploaded = file_upload($pathtmp); $uploaded = file_upload($pathtmp);
@@ -109,7 +115,9 @@ class contentdb{
$_POST['content_heading'] = $tp -> toDB(trim($_POST['content_heading'])); $_POST['content_heading'] = $tp -> toDB(trim($_POST['content_heading']));
$_POST['content_subheading'] = $tp -> toDB($_POST['content_subheading']); $_POST['content_subheading'] = $tp -> toDB($_POST['content_subheading']);
$_POST['content_summary'] = $tp -> toDB($_POST['content_summary']); $_POST['content_summary'] = $tp -> toDB($_POST['content_summary']);
if(e_WYSIWYG){
if(e_WYSIWYG)
{
$_POST['content_text'] = $tp->createConstants($_POST['content_text']); // convert e107_images/ to {e_IMAGE} etc. $_POST['content_text'] = $tp->createConstants($_POST['content_text']); // convert e107_images/ to {e_IMAGE} etc.
} }
//the problem with tiny_mce is it's storing e_HTTP with an image path, while it should only use the {e_xxx} variables //the problem with tiny_mce is it's storing e_HTTP with an image path, while it should only use the {e_xxx} variables
@@ -122,7 +130,8 @@ class contentdb{
$_POST['content_meta'] = $tp -> toDB($_POST['content_meta']); $_POST['content_meta'] = $tp -> toDB($_POST['content_meta']);
//content create //content create
if( isset($qs[0]) && $qs[0]=='content' && isset($qs[1]) && ($qs[1]=='create' || $qs[1]=='submit') && isset($qs[2]) && is_numeric($qs[2]) ){ if( isset($qs[0]) && $qs[0]=='content' && isset($qs[1]) && ($qs[1]=='create' || $qs[1]=='submit') && isset($qs[2]) && is_numeric($qs[2]) )
{
$parent = intval($_POST['parent1']); $parent = intval($_POST['parent1']);
//content edit //content edit
@@ -136,31 +145,47 @@ class contentdb{
} }
$_POST['parent'] = $parent; $_POST['parent'] = $parent;
if(USER){ if(USER)
if($_POST['content_author_id']){ {
if(!($_POST['content_author_id'] == USERID && $_POST['content_author_name'] == USERNAME && $_POST['content_author_email'] == USEREMAIL) ){ if($_POST['content_author_id'])
{
if(!($_POST['content_author_id'] == USERID && $_POST['content_author_name'] == USERNAME && $_POST['content_author_email'] == USEREMAIL) )
{
$author = $_POST['content_author_id']; $author = $_POST['content_author_id'];
if($_POST['content_author_name'] != CONTENT_ADMIN_ITEM_LAN_14){ if ($_POST['content_author_name'] != CONTENT_ADMIN_ITEM_LAN_14)
{
$author .= "^".$_POST['content_author_name']; $author .= "^".$_POST['content_author_name'];
} }
if($_POST['content_author_email'] != CONTENT_ADMIN_ITEM_LAN_15){ if ($_POST['content_author_email'] != CONTENT_ADMIN_ITEM_LAN_15)
{
$author .= "^".$_POST['content_author_email']; $author .= "^".$_POST['content_author_email'];
} }
}
}else{ else
{
$author = $_POST['content_author_id']; $author = $_POST['content_author_id'];
} }
}else{ }
else
{
$author = $_POST['content_author_name']; $author = $_POST['content_author_name'];
if($_POST['content_author_email'] != "" && $_POST['content_author_email'] != CONTENT_ADMIN_ITEM_LAN_15){ if($_POST['content_author_email'] != "" && $_POST['content_author_email'] != CONTENT_ADMIN_ITEM_LAN_15)
{
$author .= "^".$_POST['content_author_email']; $author .= "^".$_POST['content_author_email'];
} }
} }
}else{ }
else
{ // Non-user posting content
if ($type != 'submit')
{ // Naughty!
header("location:".$plugindir."content.php"); // but be kind
exit;
}
$author = $_POST['content_author_name']; $author = $_POST['content_author_name'];
if($_POST['content_author_email'] != "" && $_POST['content_author_email'] != CONTENT_ADMIN_ITEM_LAN_15){ if($_POST['content_author_email'] != "" && $_POST['content_author_email'] != CONTENT_ADMIN_ITEM_LAN_15)
{
$author .= "^".$_POST['content_author_email']; $author .= "^".$_POST['content_author_email'];
} }
} }