
Merge pull request #6516 from marc1706/ticket/17137

[ticket/17137] Allow deleting user files only when post/pm can be changed
This commit is contained in:
Marc Alexander
2023-08-06 20:32:12 +02:00
3 changed files with 411 additions and 5 deletions


@@ -41,7 +41,7 @@ class ucp_attachments
if ($delete && count($delete_ids))
{
// Validate $delete_ids...
$sql = 'SELECT a.attach_id, p.post_edit_locked, t.topic_status, f.forum_id, f.forum_status
$sql = 'SELECT a.attach_id, a.in_message, p.post_edit_locked, p.post_time, t.topic_status, f.forum_id, f.forum_status, pt.folder_id
FROM ' . ATTACHMENTS_TABLE . ' a
LEFT JOIN ' . POSTS_TABLE . ' p
ON (a.post_msg_id = p.post_id AND a.in_message = 0)
@@ -49,6 +49,10 @@ class ucp_attachments
ON (t.topic_id = p.topic_id AND a.in_message = 0)
LEFT JOIN ' . FORUMS_TABLE . ' f
ON (f.forum_id = t.forum_id AND a.in_message = 0)
LEFT JOIN ' . PRIVMSGS_TABLE . ' pr
ON (a.post_msg_id = pr.msg_id AND a.in_message = 1)
LEFT JOIN ' . PRIVMSGS_TO_TABLE . ' pt
ON (a.post_msg_id = pt.msg_id AND a.poster_id = pt.author_id AND a.poster_id = pt.user_id AND a.in_message = 1)
WHERE a.poster_id = ' . $user->data['user_id'] . '
AND a.is_orphan = 0
AND ' . $db->sql_in_set('a.attach_id', $delete_ids);
@@ -57,7 +61,7 @@ class ucp_attachments
$delete_ids = array();
while ($row = $db->sql_fetchrow($result))
{
if (!$auth->acl_get('m_edit', $row['forum_id']) && ($row['forum_status'] == ITEM_LOCKED || $row['topic_status'] == ITEM_LOCKED || $row['post_edit_locked']))
if (!$this->can_delete_file($row))
{
continue;
}
@@ -135,12 +139,13 @@ class ucp_attachments
$pagination = $phpbb_container->get('pagination');
$start = $pagination->validate_start($start, $config['topics_per_page'], $num_attachments);
$sql = 'SELECT a.*, t.topic_title, pr.message_subject as message_title, p.post_edit_locked, t.topic_status, f.forum_id, f.forum_status
$sql = 'SELECT a.*, t.topic_title, pr.message_subject as message_title, pr.message_time as message_time, pt.folder_id, p.post_edit_locked, p.post_time, t.topic_status, f.forum_id, f.forum_status
FROM ' . ATTACHMENTS_TABLE . ' a
LEFT JOIN ' . POSTS_TABLE . ' p ON (a.post_msg_id = p.post_id AND a.in_message = 0)
LEFT JOIN ' . TOPICS_TABLE . ' t ON (a.topic_id = t.topic_id AND a.in_message = 0)
LEFT JOIN ' . FORUMS_TABLE . ' f ON (f.forum_id = t.forum_id AND a.in_message = 0)
LEFT JOIN ' . PRIVMSGS_TABLE . ' pr ON (a.post_msg_id = pr.msg_id AND a.in_message = 1)
LEFT JOIN ' . PRIVMSGS_TO_TABLE . ' pt ON (a.post_msg_id = pt.msg_id AND a.poster_id = pt.author_id AND a.poster_id = pt.user_id AND a.in_message = 1)
WHERE a.poster_id = ' . $user->data['user_id'] . "
AND a.is_orphan = 0
ORDER BY $order_by";
@@ -177,7 +182,7 @@ class ucp_attachments
'TOPIC_ID' => $row['topic_id'],
'S_IN_MESSAGE' => $row['in_message'],
'S_LOCKED' => !$row['in_message'] && !$auth->acl_get('m_edit', $row['forum_id']) && ($row['forum_status'] == ITEM_LOCKED || $row['topic_status'] == ITEM_LOCKED || $row['post_edit_locked']),
'S_LOCKED' => !$this->can_delete_file($row),
'U_VIEW_ATTACHMENT' => append_sid("{$phpbb_root_path}download/file.$phpEx", 'id=' . $row['attach_id']),
'U_VIEW_TOPIC' => $view_topic)
@@ -216,4 +221,29 @@ class ucp_attachments
$this->tpl_name = 'ucp_attachments';
$this->page_title = 'UCP_ATTACHMENTS';
}
/**
* Check if the user can delete the file
*
* @param array $row
*
* @return bool True if user can delete the file, false if not
*/
private function can_delete_file(array $row): bool
{
global $auth, $config;
if ($row['in_message'])
{
return ($row['message_time'] > (time() - ($config['pm_edit_time'] * 60)) || !$config['pm_edit_time']) && $row['folder_id'] == PRIVMSGS_OUTBOX && $auth->acl_get('u_pm_edit');
}
else
{
$can_edit_time = !$config['edit_time'] || $row['post_time'] > (time() - ($config['edit_time'] * 60));
$can_delete_time = !$config['delete_time'] || $row['post_time'] > (time() - ($config['delete_time'] * 60));
$item_locked = !$auth->acl_get('m_edit', $row['forum_id']) && ($row['forum_status'] == ITEM_LOCKED || $row['topic_status'] == ITEM_LOCKED || $row['post_edit_locked']);
return !$item_locked && $can_edit_time && $can_delete_time;
}
}
}
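Review bot: The rewritten SELECT in the first hunk (`a.attach_id, a.in_message, …, pt.folder_id`) joins PRIVMSGS_TABLE as `pr` but never selects `pr.message_time`, yet the new `can_delete_file()` reads `$row['message_time']` in its in_message branch; on the delete path that key is undefined (an "Undefined array key" warning on PHP 8, and `null > …` evaluates false), so with a non-zero `pm_edit_time` the listing query, which does select `pr.message_time as message_time`, shows a PM attachment as unlocked while the delete validation rejects it. Adding the column to the validation query, `$sql = 'SELECT a.attach_id, a.in_message, pr.message_time, p.post_edit_locked, p.post_time, t.topic_status, f.forum_id, f.forum_status, pt.folder_id`, keeps both authorization decisions evaluating the same inputs. Separately, in the post branch the `m_edit` permission bypasses only the lock test and not the `edit_time`/`delete_time` windows; if moderators are expected to bypass those limits here as well, that should be confirmed against the intended rule. The docblock's `@param array $row` would be more useful as an array shape naming the keys the method depends on (in_message, message_time, folder_id, post_time, forum_id, forum_status, topic_status, post_edit_locked), since a missing key silently turns into a denied (or, when the time limit is 0, an allowed) deletion.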


@@ -213,6 +213,8 @@ function view_message($id, $mode, $folder_id, $msg_id, $folder, $message_row)
$u_jabber = append_sid("{$phpbb_root_path}memberlist.$phpEx", 'mode=contact&action=jabber&u=' . $author_id);
}
$can_edit_pm = ($message_row['message_time'] > time() - ($config['pm_edit_time'] * 60) || !$config['pm_edit_time']) && $folder_id == PRIVMSGS_OUTBOX && $auth->acl_get('u_pm_edit');
$msg_data = array(
'MESSAGE_AUTHOR_FULL' => get_username_string('full', $author_id, $user_info['username'], $user_info['user_colour'], $user_info['username']),
'MESSAGE_AUTHOR_COLOUR' => get_username_string('colour', $author_id, $user_info['username'], $user_info['user_colour'], $user_info['username']),
@@ -253,7 +255,7 @@ function view_message($id, $mode, $folder_id, $msg_id, $folder, $message_row)
'U_EMAIL' => $user_info['email'],
'U_REPORT' => ($config['allow_pm_report']) ? $phpbb_container->get('controller.helper')->route('phpbb_report_pm_controller', array('id' => $message_row['msg_id'])) : '',
'U_QUOTE' => ($auth->acl_get('u_sendpm') && $author_id != ANONYMOUS) ? "$url&mode=compose&action=quote&f=$folder_id&p=" . $message_row['msg_id'] : '',
'U_EDIT' => (($message_row['message_time'] > time() - ($config['pm_edit_time'] * 60) || !$config['pm_edit_time']) && $folder_id == PRIVMSGS_OUTBOX && $auth->acl_get('u_pm_edit')) ? "$url&mode=compose&action=edit&f=$folder_id&p=" . $message_row['msg_id'] : '',
'U_EDIT' => $can_edit_pm ? "$url&mode=compose&action=edit&f=$folder_id&p=" . $message_row['msg_id'] : '',
'U_POST_REPLY_PM' => ($auth->acl_get('u_sendpm') && $author_id != ANONYMOUS) ? "$url&mode=compose&action=reply&f=$folder_id&p=" . $message_row['msg_id'] : '',
'U_POST_REPLY_ALL' => ($auth->acl_get('u_sendpm') && $author_id != ANONYMOUS) ? "$url&mode=compose&action=reply&f=$folder_id&reply_to_all=1&p=" . $message_row['msg_id'] : '',
'U_PREVIOUS_PM' => "$url&f=$folder_id&p=" . $message_row['msg_id'] . "&view=previous",
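Review bot: The `$can_edit_pm` expression hoisted in the first hunk is the same PM edit-window rule that `ucp_attachments::can_delete_file()` now evaluates independently, so the outbox-folder, `pm_edit_time` and `u_pm_edit` terms of this authorization predicate live in two files and can drift apart. A single shared helper taking the message time and folder id, called from both places, would keep them in step; if that is out of scope for this ticket, a comment on the hoisted line such as `// Must stay in sync with ucp_attachments::can_delete_file()` at least flags the coupling. Whether `$can_edit_pm` is also used further down to gate attachment actions cannot be seen from these hunks. view_message() starts and ends outside the hunks shown.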