From 3a3b9eb8efe08f086bcbd1d88a34355e31df7650 Mon Sep 17 00:00:00 2001 From: Henry Sudhof Date: Thu, 21 Aug 2008 15:50:21 +0000 Subject: [PATCH] merge git-svn-id: file:///svn/phpbb/trunk@8776 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/includes/functions.php | 31 +++++++++++++++++++++++++ phpBB/includes/functions_display.php | 26 ++++++++++++++++----- phpBB/includes/functions_posting.php | 4 ++-- phpBB/language/en/common.php | 2 ++ phpBB/language/en/viewtopic.php | 1 + phpBB/posting.php | 3 ++- phpBB/viewtopic.php | 34 ++++++++++++++++------------ 7 files changed, 78 insertions(+), 23 deletions(-) diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php index 15936d2091..427c372957 100644 --- a/phpBB/includes/functions.php +++ b/phpBB/includes/functions.php @@ -2014,6 +2014,37 @@ function meta_refresh($time, $url) //Form validation + +/** +* Add a secret hash for use in links/GET requests +* @param string $link_name The name of the link; has to match the name used in check_form_key, otherwise no restrictions apply +* @param int $length The length of the key to generate +* @return sting the hash + +*/ +function generate_link_hash($link_name) +{ + global $user; + if (!isset($user->data["hash_$link_name"])) + { + $user->data["hash_$link_name"] = substr(sha1($user->data['user_form_salt'] . $link_name), 0, 8); + } + return $user->data["hash_$link_name"]; +} + + +/** +* checks a link hash - for GET requests +* @param string $token the submitted token +* @param string $link_name The name of the link; has to match the name used in check_form_key, otherwise no restrictions apply +* @param int $length The length of the key to check +* @return boolean true if all is fine +*/ +function check_link_hash($token, $link_name) +{ + return $token === generate_link_hash($link_name); +} + /** * Add a secret token to the form (requires the S_FORM_TOKEN template variable) * @param string $form_name The name of the form; has to match the name used in check_form_key, otherwise no restrictions apply diff --git a/phpBB/includes/functions_display.php b/phpBB/includes/functions_display.php index f2bcf36859..f90f451801 100644 --- a/phpBB/includes/functions_display.php +++ b/phpBB/includes/functions_display.php @@ -985,8 +985,8 @@ function watch_topic_forum($mode, &$s_watching, $user_id, $forum_id, $topic_id, $table_sql = ($mode == 'forum') ? FORUMS_WATCH_TABLE : TOPICS_WATCH_TABLE; $where_sql = ($mode == 'forum') ? 'forum_id' : 'topic_id'; $match_id = ($mode == 'forum') ? $forum_id : $topic_id; - - $u_url = ($mode == 'forum') ? 'f' : 'f=' . $forum_id . '&t'; + $u_url = "uid={$user->data['user_id']}&hash=" . generate_link_hash("{$mode}_$topic_id"); + $u_url .= ($mode == 'forum') ? '&f' : '&f=' . $forum_id . '&t'; // Is user watching this thread? if ($user_id != ANONYMOUS) @@ -1007,8 +1007,16 @@ function watch_topic_forum($mode, &$s_watching, $user_id, $forum_id, $topic_id, if (!is_null($notify_status) && $notify_status !== '') { + if (isset($_GET['unwatch'])) { + $uid = request_var('uid', 0); + if ($uid != $user_id) + { + $redirect_url = append_sid("{$phpbb_root_path}view$mode.$phpEx", "$u_url=$match_id&start=$start"); + $message = $user->lang['ERR_UNWATCHING'] . '

' . sprintf($user->lang['RETURN_' . strtoupper($mode)], '', ''); + trigger_error($message); + } if ($_GET['unwatch'] == $mode) { $is_watching = 0; @@ -1044,19 +1052,25 @@ function watch_topic_forum($mode, &$s_watching, $user_id, $forum_id, $topic_id, { if (isset($_GET['watch'])) { - if ($_GET['watch'] == $mode) + $token = request_var('hash', ''); + $redirect_url = append_sid("view$mode", "$u_url=$match_id&start=$start"); + + if ($_GET['watch'] == $mode && check_link_hash($token, "{$mode}_$topic_id")) { $is_watching = true; $sql = 'INSERT INTO ' . $table_sql . " (user_id, $where_sql, notify_status) VALUES ($user_id, $match_id, 0)"; $db->sql_query($sql); + $message = $user->lang['ARE_WATCHING_' . strtoupper($mode)] . '

' . sprintf($user->lang['RETURN_' . strtoupper($mode)], '', ''); } - - $redirect_url = append_sid("view$mode", "$u_url=$match_id&start=$start"); + else + { + $message = $user->lang['ERR_WATCHING'] . '

' . sprintf($user->lang['RETURN_' . strtoupper($mode)], '', ''); + } + meta_refresh(3, $redirect_url); - $message = $user->lang['ARE_WATCHING_' . strtoupper($mode)] . '

' . sprintf($user->lang['RETURN_' . strtoupper($mode)], '', ''); trigger_error($message); } else diff --git a/phpBB/includes/functions_posting.php b/phpBB/includes/functions_posting.php index d4b966c1df..e7219a3f63 100644 --- a/phpBB/includes/functions_posting.php +++ b/phpBB/includes/functions_posting.php @@ -1267,8 +1267,8 @@ function user_notification($mode, $subject, $topic_title, $forum_name, $forum_id 'U_FORUM' => generate_board_url() . '/viewforum.' . PHP_EXT . "?f=$forum_id", 'U_TOPIC' => generate_board_url() . '/viewtopic.' . PHP_EXT . "?f=$forum_id&t=$topic_id", 'U_NEWEST_POST' => generate_board_url() . '/viewtopic.' . PHP_EXT . "?f=$forum_id&t=$topic_id&p=$post_id&e=$post_id", - 'U_STOP_WATCHING_TOPIC' => generate_board_url() . '/viewtopic.' . PHP_EXT . "?f=$forum_id&t=$topic_id&unwatch=topic", - 'U_STOP_WATCHING_FORUM' => generate_board_url() . '/viewforum.' . PHP_EXT . "?f=$forum_id&unwatch=forum", + 'U_STOP_WATCHING_TOPIC' => generate_board_url() . '/viewtopic.' . PHP_EXT . "?uid={$addr['user_id']}&f=$forum_id&t=$topic_id&unwatch=topic", + 'U_STOP_WATCHING_FORUM' => generate_board_url() . '/viewforum.' . PHP_EXT . "?uid={$addr['user_id']}&f=$forum_id&unwatch=forum", )); $messenger->send($addr['method']); diff --git a/phpBB/language/en/common.php b/phpBB/language/en/common.php index 9b3c60319b..e62afdb199 100644 --- a/phpBB/language/en/common.php +++ b/phpBB/language/en/common.php @@ -169,6 +169,8 @@ $lang = array_merge($lang, array( 'ERR_JAB_AUTH' => 'Could not authorise on Jabber server.', 'ERR_JAB_CONNECT' => 'Could not connect to Jabber server.', 'ERR_UNABLE_TO_LOGIN' => 'The specified username or password is incorrect.', + 'ERR_UNWATCHING' => 'An error occured while trying to unsubscribe.', + 'ERR_WATCHING' => 'An error occured while trying to subscribe.', 'ERR_WRONG_PATH_TO_PHPBB' => 'The phpBB path specified appears to be invalid.', 'EXPAND_VIEW' => 'Expand view', 'EXTENSION' => 'Extension', diff --git a/phpBB/language/en/viewtopic.php b/phpBB/language/en/viewtopic.php index 337a21c11f..4252fa7542 100644 --- a/phpBB/language/en/viewtopic.php +++ b/phpBB/language/en/viewtopic.php @@ -40,6 +40,7 @@ $lang = array_merge($lang, array( 'ATTACHMENT_FUNCTIONALITY_DISABLED' => 'The attachments feature has been disabled.', 'BOOKMARK_ADDED' => 'Bookmarked topic successfully.', + 'BOOKMARK_ERR' => 'Bookmarking the topic failed. Please try again.', 'BOOKMARK_REMOVED' => 'Removed bookmarked topic successfully.', 'BOOKMARK_TOPIC' => 'Bookmark topic', 'BOOKMARK_TOPIC_REMOVE' => 'Remove from bookmarks', diff --git a/phpBB/posting.php b/phpBB/posting.php index 205f40ecc5..27e465974c 100644 --- a/phpBB/posting.php +++ b/phpBB/posting.php @@ -282,7 +282,8 @@ if ($mode == 'delete') // Handle bump mode... if ($mode == 'bump') { - if ($bump_time = bump_topic_allowed($forum_id, $post_data['topic_bumped'], $post_data['topic_last_post_time'], $post_data['topic_poster'], $post_data['topic_last_poster_id'])) + if ($bump_time = bump_topic_allowed($forum_id, $post_data['topic_bumped'], $post_data['topic_last_post_time'], $post_data['topic_poster'], $post_data['topic_last_poster_id']) + && check_link_hash(request_var('hash', ''),"topic_{$post_data['topic_id']}")) { $db->sql_transaction('begin'); diff --git a/phpBB/viewtopic.php b/phpBB/viewtopic.php index 545ee64271..3677d3da12 100644 --- a/phpBB/viewtopic.php +++ b/phpBB/viewtopic.php @@ -471,25 +471,31 @@ if (($config['email_enable'] || $config['jab_enable']) && $config['allow_topic_n // Bookmarks if ($config['allow_bookmarks'] && $user->data['is_registered'] && request_var('bookmark', 0)) { - if (!$topic_data['bookmarked']) + if (check_link_hash(request_var('hash', ''),"topic_$topic_id")) { - $sql = 'INSERT INTO ' . BOOKMARKS_TABLE . ' ' . $db->sql_build_array('INSERT', array( - 'user_id' => $user->data['user_id'], - 'topic_id' => $topic_id, - )); - $db->sql_query($sql); + if (!$topic_data['bookmarked']) + { + $sql = 'INSERT INTO ' . BOOKMARKS_TABLE . ' ' . $db->sql_build_array('INSERT', array( + 'user_id' => $user->data['user_id'], + 'topic_id' => $topic_id, + )); + $db->sql_query($sql); + } + else + { + $sql = 'DELETE FROM ' . BOOKMARKS_TABLE . " + WHERE user_id = {$user->data['user_id']} + AND topic_id = $topic_id"; + $db->sql_query($sql); + } + $message = (($topic_data['bookmarked']) ? $user->lang['BOOKMARK_REMOVED'] : $user->lang['BOOKMARK_ADDED']) . '

' . sprintf($user->lang['RETURN_TOPIC'], '', ''); } else { - $sql = 'DELETE FROM ' . BOOKMARKS_TABLE . " - WHERE user_id = {$user->data['user_id']} - AND topic_id = $topic_id"; - $db->sql_query($sql); + $message = $user->lang['BOOKMARK_ERR'] . '

' . sprintf($user->lang['RETURN_TOPIC'], '', ''); } - meta_refresh(3, $viewtopic_url); - $message = (($topic_data['bookmarked']) ? $user->lang['BOOKMARK_REMOVED'] : $user->lang['BOOKMARK_ADDED']) . '

' . sprintf($user->lang['RETURN_TOPIC'], '', ''); trigger_error($message); } @@ -616,12 +622,12 @@ $template->assign_vars(array( 'L_WATCH_TOPIC' => $s_watching_topic['title'], 'S_WATCHING_TOPIC' => $s_watching_topic['is_watching'], - 'U_BOOKMARK_TOPIC' => ($user->data['is_registered'] && $config['allow_bookmarks']) ? $viewtopic_url . '&bookmark=1' : '', + 'U_BOOKMARK_TOPIC' => ($user->data['is_registered'] && $config['allow_bookmarks']) ? $viewtopic_url . '&bookmark=1&hash=' . generate_link_hash("topic_$topic_id") : '', 'L_BOOKMARK_TOPIC' => ($user->data['is_registered'] && $config['allow_bookmarks'] && $topic_data['bookmarked']) ? $user->lang['BOOKMARK_TOPIC_REMOVE'] : $user->lang['BOOKMARK_TOPIC'], 'U_POST_NEW_TOPIC' => ($auth->acl_get('f_post', $forum_id) || $user->data['user_id'] == ANONYMOUS) ? append_sid('posting', "mode=post&f=$forum_id") : '', 'U_POST_REPLY_TOPIC' => ($auth->acl_get('f_reply', $forum_id) || $user->data['user_id'] == ANONYMOUS) ? append_sid('posting', "mode=reply&f=$forum_id&t=$topic_id") : '', - 'U_BUMP_TOPIC' => (bump_topic_allowed($forum_id, $topic_data['topic_bumped'], $topic_data['topic_last_post_time'], $topic_data['topic_poster'], $topic_data['topic_last_poster_id'])) ? append_sid('posting', "mode=bump&f=$forum_id&t=$topic_id") : '') + 'U_BUMP_TOPIC' => (bump_topic_allowed($forum_id, $topic_data['topic_bumped'], $topic_data['topic_last_post_time'], $topic_data['topic_poster'], $topic_data['topic_last_poster_id'])) ? append_sid('posting', "mode=bump&f=$forum_id&t=$topic_id&hash=" . generate_link_hash("topic_$topic_id")) : '') ); // Does this topic contain a poll?