mirror/php-phpbb
1
0
Fork 0
mirror of https://github.com/phpbb/phpbb.git synced 2025-06-21 18:44:37 +02:00
Code Issues Releases Wiki Activity

[ticket/10377] Do not allow all moderators to sticky posts

Browse Source 
In the mcp the change_topic_type does not properly check permissions,
allowing moderators to make any post sticky or announced by visiting the
correct URL.

PHPBB3-10377
This commit is contained in:
Igor Wiedler
2011-10-14 17:30:54 +02:00
parent 1657339e6d
commit 27279afa1e
1 changed files with 8 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
phpBB/includes/mcp/mcp_main.php
View File

@ -286,14 +286,6 @@ function change_topic_type($action, $topic_ids)
{
global $auth, $user, $db, $phpEx, $phpbb_root_path;
// For changing topic types, we only allow operations in one forum.
$forum_id = check_ids($topic_ids, TOPICS_TABLE, 'topic_id', array('f_announce', 'f_sticky', 'm_'), true);
if ($forum_id === false)
{
return;
}
switch ($action)
{
case 'make_announce':
@ -316,11 +308,18 @@ function change_topic_type($action, $topic_ids)
default:
$new_topic_type = POST_NORMAL;
$check_acl = '';
$check_acl = false;
$l_new_type = (sizeof($topic_ids) == 1) ? 'MCP_MAKE_NORMAL' : 'MCP_MAKE_NORMALS';
break;
}
$forum_id = check_ids($topic_ids, TOPICS_TABLE, 'topic_id', $check_acl, true);
if ($forum_id === false)
{
return;
}
$redirect = request_var('redirect', build_url(array('action', 'quickmod')));
$s_hidden_fields = array(