Merge pull request #5387 from senky/ticket/15593

[ticket/15593] Do not allow print view with direct URL
2025-07-31 14:00:31 +02:00 · 2018-10-27 23:48:53 +02:00
parent 0cded66ff2 f657ee51f8
commit 20393592d7
4 changed files with 14 additions and 0 deletions
--- a/phpBB/includes/ucp/ucp_pm.php
+++ b/phpBB/includes/ucp/ucp_pm.php
@@ -170,6 +170,12 @@ class ucp_pm
 					trigger_error('NO_AUTH_READ_MESSAGE');
 				}

+				if ($view == 'print' && (!$config['print_pm'] || !$auth->acl_get('u_pm_printpm')))
+				{
+					send_status_line(403, 'Forbidden');
+					trigger_error('NO_AUTH_PRINT_MESSAGE');
+				}
+
 				// Do not allow hold messages to be seen
 				if ($folder_id == PRIVMSGS_HOLD_BOX)
 				{