mirror/php-phpbb
1
0
Fork 0
mirror of https://github.com/phpbb/phpbb.git synced 2025-05-05 23:25:30 +02:00
Code Issues Releases Wiki Activity

Merge branch 'ticket/17137' into ticket/17137-master

Browse Source
This commit is contained in:
Marc Alexander 2023-07-28 20:44:38 +02:00
commit f9fca89ab6
No known key found for this signature in database
GPG Key ID: 50E0D2423696F995
3 changed files with 411 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
phpBB/includes/ucp/ucp_attachments.php
View File

@ -47,7 +47,7 @@ class ucp_attachments
if ($delete && count($delete_ids))
{
// Validate $delete_ids...
$sql = 'SELECT a.attach_id, p.post_edit_locked, t.topic_status, f.forum_id, f.forum_status
$sql = 'SELECT a.attach_id, a.in_message, p.post_edit_locked, p.post_time, t.topic_status, f.forum_id, f.forum_status, pt.folder_id
FROM ' . ATTACHMENTS_TABLE . ' a
LEFT JOIN ' . POSTS_TABLE . ' p
ON (a.post_msg_id = p.post_id AND a.in_message = 0)
@ -55,6 +55,10 @@ class ucp_attachments
ON (t.topic_id = p.topic_id AND a.in_message = 0)
LEFT JOIN ' . FORUMS_TABLE . ' f
ON (f.forum_id = t.forum_id AND a.in_message = 0)
LEFT JOIN ' . PRIVMSGS_TABLE . ' pr
ON (a.post_msg_id = pr.msg_id AND a.in_message = 1)
LEFT JOIN ' . PRIVMSGS_TO_TABLE . ' pt
ON (a.post_msg_id = pt.msg_id AND a.poster_id = pt.author_id AND a.poster_id = pt.user_id AND a.in_message = 1)
WHERE a.poster_id = ' . $user->data['user_id'] . '
AND a.is_orphan = 0
AND ' . $db->sql_in_set('a.attach_id', $delete_ids);
@ -63,7 +67,7 @@ class ucp_attachments
$delete_ids = array();
while ($row = $db->sql_fetchrow($result))
{
if (!$auth->acl_get('m_edit', $row['forum_id']) && ($row['forum_status'] == ITEM_LOCKED || $row['topic_status'] == ITEM_LOCKED || $row['post_edit_locked']))
if (!$this->can_delete_file($row))
{
continue;
}
@ -141,12 +145,13 @@ class ucp_attachments
$pagination = $phpbb_container->get('pagination');
$start = $pagination->validate_start($start, $config['topics_per_page'], $num_attachments);
$sql = 'SELECT a.*, t.topic_title, pr.message_subject as message_title, p.post_edit_locked, t.topic_status, f.forum_id, f.forum_status
$sql = 'SELECT a.*, t.topic_title, pr.message_subject as message_title, pr.message_time as message_time, pt.folder_id, p.post_edit_locked, t.topic_status, f.forum_id, f.forum_status
FROM ' . ATTACHMENTS_TABLE . ' a
LEFT JOIN ' . POSTS_TABLE . ' p ON (a.post_msg_id = p.post_id AND a.in_message = 0)
LEFT JOIN ' . TOPICS_TABLE . ' t ON (a.topic_id = t.topic_id AND a.in_message = 0)
LEFT JOIN ' . FORUMS_TABLE . ' f ON (f.forum_id = t.forum_id AND a.in_message = 0)
LEFT JOIN ' . PRIVMSGS_TABLE . ' pr ON (a.post_msg_id = pr.msg_id AND a.in_message = 1)
LEFT JOIN ' . PRIVMSGS_TO_TABLE . ' pt ON (a.post_msg_id = pt.msg_id AND a.poster_id = pt.author_id AND a.poster_id = pt.user_id AND a.in_message = 1)
WHERE a.poster_id = ' . $user->data['user_id'] . "
AND a.is_orphan = 0
ORDER BY $order_by";
@ -183,7 +188,7 @@ class ucp_attachments
'TOPIC_ID' => $row['topic_id'],
'S_IN_MESSAGE' => $row['in_message'],
'S_LOCKED' => !$row['in_message'] && !$auth->acl_get('m_edit', $row['forum_id']) && ($row['forum_status'] == ITEM_LOCKED || $row['topic_status'] == ITEM_LOCKED || $row['post_edit_locked']),
'S_LOCKED' => !$this->can_delete_file($row),
'U_VIEW_ATTACHMENT' => $controller_helper->route(
'phpbb_storage_attachment',
@ -228,4 +233,29 @@ class ucp_attachments
$this->tpl_name = 'ucp_attachments';
$this->page_title = 'UCP_ATTACHMENTS';
}
/**
* Check if the user can delete the file
*
* @param array $row
*
* @return bool True if user can delete the file, false if not
*/
private function can_delete_file(array $row): bool
{
global $auth, $config;
if ($row['in_message'])
{
return ($row['message_time'] > time() - ($config['pm_edit_time'] * 60) || !$config['pm_edit_time']) && $row['folder_id'] == PRIVMSGS_OUTBOX && $auth->acl_get('u_pm_edit');
}
else
{
$can_edit_time = !$config['edit_time'] || $row['post_time'] > time() - ($config['edit_time'] * 60);
$can_delete_time = !$config['delete_time'] || $row['post_time'] > time() - ($config['delete_time'] * 60);
$item_locked = !$auth->acl_get('m_edit', $row['forum_id']) && ($row['forum_status'] == ITEM_LOCKED || $row['topic_status'] == ITEM_LOCKED || $row['post_edit_locked']);
return !$item_locked && $can_edit_time && $can_delete_time;
}
}
}

4
phpBB/includes/ucp/ucp_pm_viewmessage.php
View File

@ -213,6 +213,8 @@ function view_message($id, $mode, $folder_id, $msg_id, $folder, $message_row)
$u_jabber = append_sid("{$phpbb_root_path}memberlist.$phpEx", 'mode=contact&action=jabber&u=' . $author_id);
}
$can_edit_pm = ($message_row['message_time'] > time() - ($config['pm_edit_time'] * 60) || !$config['pm_edit_time']) && $folder_id == PRIVMSGS_OUTBOX && $auth->acl_get('u_pm_edit');
$msg_data = array(
'MESSAGE_AUTHOR_FULL' => get_username_string('full', $author_id, $user_info['username'], $user_info['user_colour'], $user_info['username']),
'MESSAGE_AUTHOR_COLOUR' => get_username_string('colour', $author_id, $user_info['username'], $user_info['user_colour'], $user_info['username']),
@ -252,7 +254,7 @@ function view_message($id, $mode, $folder_id, $msg_id, $folder, $message_row)
'U_EMAIL' => $user_info['email'],
'U_REPORT' => ($config['allow_pm_report']) ? $phpbb_container->get('controller.helper')->route('phpbb_report_pm_controller', array('id' => $message_row['msg_id'])) : '',
'U_QUOTE' => ($auth->acl_get('u_sendpm') && $author_id != ANONYMOUS) ? "$url&mode=compose&action=quote&f=$folder_id&p=" . $message_row['msg_id'] : '',
'U_EDIT' => (($message_row['message_time'] > time() - ($config['pm_edit_time'] * 60) || !$config['pm_edit_time']) && $folder_id == PRIVMSGS_OUTBOX && $auth->acl_get('u_pm_edit')) ? "$url&mode=compose&action=edit&f=$folder_id&p=" . $message_row['msg_id'] : '',
'U_EDIT' => $can_edit_pm ? "$url&mode=compose&action=edit&f=$folder_id&p=" . $message_row['msg_id'] : '',
'U_POST_REPLY_PM' => ($auth->acl_get('u_sendpm') && $author_id != ANONYMOUS) ? "$url&mode=compose&action=reply&f=$folder_id&p=" . $message_row['msg_id'] : '',
'U_POST_REPLY_ALL' => ($auth->acl_get('u_sendpm') && $author_id != ANONYMOUS) ? "$url&mode=compose&action=reply&f=$folder_id&reply_to_all=1&p=" . $message_row['msg_id'] : '',
'U_PREVIOUS_PM' => "$url&f=$folder_id&p=" . $message_row['msg_id'] . "&view=previous",

374
tests/functional/ucp_attachments_test.php Normal file
View File

@ -0,0 +1,374 @@
<?php
/**
*
* This file is part of the phpBB Forum Software package.
*
* @copyright (c) phpBB Limited <https://www.phpbb.com>
* @license GNU General Public License, version 2 (GPL-2.0)
*
* For full copyright and license information, please see
* the docs/CREDITS.txt file.
*
*/
/**
* @group functional
*/
class phpbb_functional_ucp_attachments_test extends phpbb_functional_test_case
{
private $path;
protected function setUp(): void
{
parent::setUp();
$this->path = __DIR__ . '/fixtures/files/';
$this->add_lang('posting');
if (!$this->user_exists('ucp-file-test'))
{
$this->create_user('ucp-file-test');
}
}
protected function tearDown(): void
{
$iterator = new DirectoryIterator(__DIR__ . '/../../phpBB/files/');
foreach ($iterator as $fileinfo)
{
if ($fileinfo->isDot()
|| $fileinfo->isDir()
|| $fileinfo->getFilename() === 'index.htm'
|| $fileinfo->getFilename() === '.htaccess'
)
{
continue;
}
unlink($fileinfo->getPathname());
}
}
private function upload_file($filename, $mimetype)
{
$crawler = self::$client->request(
'GET',
'posting.php?mode=reply&f=2&t=1&sid=' . $this->sid
);
$file_form_data = array_merge(['add_file' => $this->lang('ADD_FILE')], $this->get_hidden_fields($crawler, 'posting.php?mode=reply&f=2&t=1&sid=' . $this->sid));
$file = array(
'tmp_name' => $this->path . $filename,
'name' => $filename,
'type' => $mimetype,
'size' => filesize($this->path . $filename),
'error' => UPLOAD_ERR_OK,
);
$crawler = self::$client->request(
'POST',
'posting.php?mode=reply&t=1&sid=' . $this->sid,
$file_form_data,
array('fileupload' => $file)
);
return $crawler;
}
private function upload_file_pm($filename, $mimetype)
{
$crawler = self::$client->request(
'GET',
'ucp.php?i=pm&mode=compose&sid=' . $this->sid
);
$file_form_data = array_merge(['add_file' => $this->lang('ADD_FILE')], $this->get_hidden_fields($crawler, 'ucp.php?i=pm&mode=compose&sid=' . $this->sid));
$file = array(
'tmp_name' => $this->path . $filename,
'name' => $filename,
'type' => $mimetype,
'size' => filesize($this->path . $filename),
'error' => UPLOAD_ERR_OK,
);
$crawler = self::$client->request(
'POST',
'ucp.php?i=pm&mode=compose&sid=' . $this->sid,
$file_form_data,
array('fileupload' => $file)
);
return $crawler;
}
public function test_ucp_list_attachments()
{
$this->login('ucp-file-test');
$this->add_lang(['common', 'posting']);
$crawler = $this->upload_file('valid.jpg', 'image/jpeg');
// Ensure there was no error message rendered
$this->assertStringNotContainsString('<h2>' . $this->lang('INFORMATION') . '</h2>', $this->get_content());
// Also the file name should be in the first row of the files table
$this->assertEquals('valid.jpg', $crawler->filter('span.file-name > a')->text());
$attach_link = $crawler->filter('span.file-name > a')->attr('href');
$attach_id = $this->get_parameter_from_link($attach_link, 'id');
// Submit post
$form = $crawler->selectButton($this->lang('SUBMIT'))->form([
'message' => 'This is a test',
]);
$crawler = self::submit($form);
$this->assertStringContainsString('This is a test', $crawler->text());
$this->assertEquals('valid.jpg', $crawler->filter('img.postimage')->attr('alt'));
// Navigate to ucp attachments for user
$crawler = self::request('GET', 'ucp.php?i=ucp_attachments&mode=attachments&sid=' . $this->sid);
$this->assertEquals(1, $crawler->filter('.attachment-filename')->count());
$attachment_filename = $crawler->filter('.attachment-filename');
$this->assertEquals('valid.jpg', $attachment_filename->attr('title'));
$this->assertStringContainsString('download/file.php?id=' . $attach_id, $attachment_filename->attr('href'));
$this->assertEquals('', $crawler->filter('[name="attachment[' . $attach_id . ']"]')->attr('disabled'));
}
public function test_ucp_delete_expired_attachment()
{
$this->login('ucp-file-test');
$this->add_lang(['common', 'posting']);
$this->set_flood_interval(0);
$crawler = $this->upload_file('valid.jpg', 'image/jpeg');
// Ensure there was no error message rendered
$this->assertStringNotContainsString('<h2>' . $this->lang('INFORMATION') . '</h2>', $this->get_content());
// Also the file name should be in the first row of the files table
$this->assertEquals('valid.jpg', $crawler->filter('span.file-name > a')->text());
$attach_link = $crawler->filter('span.file-name > a')->attr('href');
$attach_id = $this->get_parameter_from_link($attach_link, 'id');
// Submit post
$form = $crawler->selectButton($this->lang('SUBMIT'))->form([
'message' => 'This is a test',
]);
$crawler = self::submit($form);
$post_url = $crawler->getUri();
$post_id = $this->get_parameter_from_link($post_url, 'p');
$this->assertStringContainsString('This is a test', $crawler->text());
$this->assertEquals('valid.jpg', $crawler->filter('img.postimage')->attr('alt'));
$this->set_flood_interval(15);
// Navigate to ucp attachments for user
$crawler = self::request('GET', 'ucp.php?i=ucp_attachments&mode=attachments&sid=' . $this->sid);
$crawler->filter('.attachment-filename')->each(function ($node, $i) use ($attach_id, &$attachment_node)
{
if (strpos($node->attr('href'), 'file.php?id=' . $attach_id) !== false)
{
$attachment_node = $node;
}
});
$this->assertNotNull($attachment_node);
$this->assertEquals('valid.jpg', $attachment_node->attr('title'));
$this->assertStringContainsString('download/file.php?id=' . $attach_id, $attachment_node->attr('href'));
$this->logout();
// Switch to admin user
$this->login();
$this->admin_login();
$this->add_lang(['acp/board', 'acp/common']);
$crawler = self::request('GET', 'adm/index.php?i=acp_board&mode=post&sid=' . $this->sid);
$form = $crawler->selectButton($this->lang('SUBMIT'))->form([
'config[edit_time]' => 1,
'config[delete_time]' => 1,
]);
self::submit($form);
// Update post time to at least one minute before current time
$sql = 'UPDATE ' . POSTS_TABLE . '
SET post_time = post_time - ' . 60 . '
WHERE post_id = ' . (int) $post_id;
$this->db->sql_query($sql);
// Log out and back in as test user
$this->logout();
$this->login('ucp-file-test');
// Navigate to ucp attachments for user, deleting should be disabled
$crawler = self::request('GET', 'ucp.php?i=ucp_attachments&mode=attachments&sid=' . $this->sid);
$crawler->filter('.attachment-filename')->each(function ($node, $i) use ($attach_id, &$attachment_node)
{
if (strpos($node->attr('href'), 'file.php?id=' . $attach_id) !== false)
{
$attachment_node = $node;
}
});
$this->assertEquals('valid.jpg', $attachment_node->attr('title'));
$this->assertStringContainsString('download/file.php?id=' . $attach_id, $attachment_node->attr('href'));
$this->assertEquals('disabled', $crawler->filter('[name="attachment[' . $attach_id . ']"]')->attr('disabled'));
// It should not be possible to delete the attachment
$crawler = self::request('POST', 'ucp.php?i=ucp_attachments&mode=attachments&sid=' . $this->sid, [
'delete' => true,
'attachment[' . $attach_id . ']' => $attach_id,
]);
$this->assertNotContainsLang('DELETE_ATTACHMENT_CONFIRM', $crawler->text());
$crawler->filter('.attachment-filename')->each(function ($node, $i) use ($attach_id, &$attachment_node)
{
if (strpos($node->attr('href'), 'file.php?id=' . $attach_id) !== false)
{
$attachment_node = $node;
}
});
$this->assertEquals('valid.jpg', $attachment_node->attr('title'));
$this->assertStringContainsString('download/file.php?id=' . $attach_id, $attachment_node->attr('href'));
$this->assertEquals('disabled', $crawler->filter('[name="attachment[' . $attach_id . ']"]')->attr('disabled'));
$this->logout();
// Switch to admin user
$this->login();
$this->admin_login();
$this->add_lang(['acp/board', 'acp/common']);
$crawler = self::request('GET', 'adm/index.php?i=acp_board&mode=post&sid=' . $this->sid);
$form = $crawler->selectButton($this->lang('SUBMIT'))->form([
'config[edit_time]' => 0,
'config[delete_time]' => 0,
]);
self::submit($form);
// Update post time to original one
$sql = 'UPDATE ' . POSTS_TABLE . '
SET post_time = post_time + ' . 60 . '
WHERE post_id = ' . (int) $post_id;
$this->db->sql_query($sql);
}
public function test_pm_attachment()
{
$this->set_flood_interval(0);
// Switch to admin user
$this->login();
$this->admin_login();
$this->add_lang(['common', 'acp/attachments', 'acp/board', 'acp/common']);
$crawler = self::request('GET', 'adm/index.php?i=acp_attachments&mode=attach&sid=' . $this->sid);
$form = $crawler->selectButton($this->lang('SUBMIT'))->form([
'config[allow_pm_attach]' => 1,
]);
self::submit($form);
$crawler = self::request('GET', 'adm/index.php?i=acp_board&mode=message&sid=' . $this->sid);
$form = $crawler->selectButton($this->lang('SUBMIT'))->form([
'config[pm_edit_time]' => 60,
]);
self::submit($form);
$crawler = self::request('GET', 'adm/index.php?i=acp_attachments&mode=ext_groups&action=edit&g=1&sid=' . $this->sid);
$form = $crawler->selectButton($this->lang('SUBMIT'))->form([
'allow_in_pm' => 1,
]);
self::submit($form);
$this->logout();
$this->login('ucp-file-test');
$this->add_lang(['ucp']);
$crawler = $this->upload_file_pm('valid.jpg', 'image/jpeg');
$attach_link = $crawler->filter('span.file-name > a')->attr('href');
$attach_id = $this->get_parameter_from_link($attach_link, 'id');
$form = $crawler->selectButton($this->lang('ADD'))->form([
'username_list' => 'admin'
]);
$crawler = self::submit($form);
$form = $crawler->selectButton($this->lang('SUBMIT'))->form([
'subject' => 'Test PM',
'message' => 'This is a test',
]);
$crawler = self::submit($form);
$this->assertContainsLang('MESSAGE_STORED', $crawler->text());
$refresh_data = explode(';', $crawler->filterXpath("//meta[@http-equiv='refresh']")->extract('content')[0]);
$pm_url = trim($refresh_data[1]);
$pm_id = $this->get_parameter_from_link($pm_url, 'p');
// Navigate to ucp attachments for user
$crawler = self::request('GET', 'ucp.php?i=ucp_attachments&mode=attachments&sid=' . $this->sid);
$crawler->filter('.attachment-filename')->each(function ($node, $i) use ($attach_id, &$attachment_node)
{
if (strpos($node->attr('href'), 'file.php?id=' . $attach_id) !== false)
{
$attachment_node = $node;
}
});
$this->assertNotNull($attachment_node);
$this->assertEquals('valid.jpg', $attachment_node->attr('title'));
$this->assertStringContainsString('download/file.php?id=' . $attach_id, $attachment_node->attr('href'));
$this->assertEquals('', $crawler->filter('[name="attachment[' . $attach_id . ']"]')->attr('disabled'));
// Update message time to 60 minutes later
$sql = 'UPDATE ' . PRIVMSGS_TABLE . '
SET message_time = message_time - ' . 60 * 60 . '
WHERE msg_id = ' . (int) $pm_id;
$this->db->sql_query($sql);
$crawler = self::request('GET', 'ucp.php?i=ucp_attachments&mode=attachments&sid=' . $this->sid);
$crawler->filter('.attachment-filename')->each(function ($node, $i) use ($attach_id, &$attachment_node)
{
if (strpos($node->attr('href'), 'file.php?id=' . $attach_id) !== false)
{
$attachment_node = $node;
}
});
$this->assertNotNull($attachment_node);
$this->assertEquals('valid.jpg', $attachment_node->attr('title'));
$this->assertStringContainsString('download/file.php?id=' . $attach_id, $attachment_node->attr('href'));
$this->assertEquals('disabled', $crawler->filter('[name="attachment[' . $attach_id . ']"]')->attr('disabled'));
$this->set_flood_interval(15);
// Switch to admin user and disable extra settings again
$this->logout();
$this->login();
$this->admin_login();
$this->add_lang(['common', 'acp/attachments', 'acp/board', 'acp/common']);
$crawler = self::request('GET', 'adm/index.php?i=acp_attachments&mode=attach&sid=' . $this->sid);
$form = $crawler->selectButton($this->lang('SUBMIT'))->form([
'config[allow_pm_attach]' => 0,
]);
self::submit($form);
$crawler = self::request('GET', 'adm/index.php?i=acp_board&mode=message&sid=' . $this->sid);
$form = $crawler->selectButton($this->lang('SUBMIT'))->form([
'config[pm_edit_time]' => 0,
]);
self::submit($form);
$crawler = self::request('GET', 'adm/index.php?i=acp_attachments&mode=ext_groups&action=edit&g=1&sid=' . $this->sid);
$form = $crawler->selectButton($this->lang('SUBMIT'))->form();
$form['allow_in_pm']->untick();
self::submit($form);
}
}