From 27279afa1ed75457e6e0d32c982bf9458f048f30 Mon Sep 17 00:00:00 2001
From: Igor Wiedler <igor@wiedler.ch>
Date: Fri, 14 Oct 2011 17:30:54 +0200
Subject: [PATCH] [ticket/10377] Do not allow all moderators to sticky posts

In the mcp the change_topic_type does not properly check permissions,
allowing moderators to make any post sticky or announced by visiting the
correct URL.

PHPBB3-10377
---
 phpBB/includes/mcp/mcp_main.php | 17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)

diff --git a/phpBB/includes/mcp/mcp_main.php b/phpBB/includes/mcp/mcp_main.php
index ad10a52705..ffede11d37 100644
--- a/phpBB/includes/mcp/mcp_main.php
+++ b/phpBB/includes/mcp/mcp_main.php
@@ -286,14 +286,6 @@ function change_topic_type($action, $topic_ids)
 {
 	global $auth, $user, $db, $phpEx, $phpbb_root_path;
 
-	// For changing topic types, we only allow operations in one forum.
-	$forum_id = check_ids($topic_ids, TOPICS_TABLE, 'topic_id', array('f_announce', 'f_sticky', 'm_'), true);
-
-	if ($forum_id === false)
-	{
-		return;
-	}
-
 	switch ($action)
 	{
 		case 'make_announce':
@@ -316,11 +308,18 @@ function change_topic_type($action, $topic_ids)
 
 		default:
 			$new_topic_type = POST_NORMAL;
-			$check_acl = '';
+			$check_acl = false;
 			$l_new_type = (sizeof($topic_ids) == 1) ? 'MCP_MAKE_NORMAL' : 'MCP_MAKE_NORMALS';
 		break;
 	}
 
+	$forum_id = check_ids($topic_ids, TOPICS_TABLE, 'topic_id', $check_acl, true);
+
+	if ($forum_id === false)
+	{
+		return;
+	}
+
 	$redirect = request_var('redirect', build_url(array('action', 'quickmod')));
 
 	$s_hidden_fields = array(