diff options
Diffstat (limited to 'phpBB/includes')
33 files changed, 415 insertions, 80 deletions
diff --git a/phpBB/includes/acp/acp_database.php b/phpBB/includes/acp/acp_database.php index c9d24f9254..982310fb05 100644 --- a/phpBB/includes/acp/acp_database.php +++ b/phpBB/includes/acp/acp_database.php @@ -38,6 +38,14 @@ class acp_database $action = $request->variable('action', ''); + $form_key = 'acp_database'; + add_form_key($form_key); + + if ($submit && !check_form_key($form_key)) + { + trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING); + } + $template->assign_vars(array( 'MODE' => $mode )); diff --git a/phpBB/includes/acp/acp_forums.php b/phpBB/includes/acp/acp_forums.php index 3ea9d81887..66bb630241 100644 --- a/phpBB/includes/acp/acp_forums.php +++ b/phpBB/includes/acp/acp_forums.php @@ -843,9 +843,26 @@ class acp_forums ORDER BY left_id"; $result = $db->sql_query($sql); - if ($row = $db->sql_fetchrow($result)) + $rowset = array(); + while ($row = $db->sql_fetchrow($result)) + { + $rowset[(int) $row['forum_id']] = $row; + } + $db->sql_freeresult($result); + + /** + * Modify the forum list data + * + * @event core.acp_manage_forums_modify_forum_list + * @var array rowset Array with the forums list data + * @since 3.1.10-RC1 + */ + $vars = array('rowset'); + extract($phpbb_dispatcher->trigger_event('core.acp_manage_forums_modify_forum_list', compact($vars))); + + if (!empty($rowset)) { - do + foreach ($rowset as $row) { $forum_type = $row['forum_type']; @@ -889,7 +906,6 @@ class acp_forums 'U_SYNC' => $url . '&action=sync') ); } - while ($row = $db->sql_fetchrow($result)); } else if ($this->parent_id) { @@ -905,7 +921,7 @@ class acp_forums 'U_SYNC' => $url . '&action=sync') ); } - $db->sql_freeresult($result); + unset($rowset); $template->assign_vars(array( 'ERROR_MSG' => (sizeof($errors)) ? implode('<br />', $errors) : '', diff --git a/phpBB/includes/acp/acp_groups.php b/phpBB/includes/acp/acp_groups.php index 6bd3e71c2e..305296d013 100644 --- a/phpBB/includes/acp/acp_groups.php +++ b/phpBB/includes/acp/acp_groups.php @@ -223,6 +223,7 @@ class acp_groups } else if ($action === 'delete' && $group_row['group_type'] == GROUP_SPECIAL) { + send_status_line(403, 'Forbidden'); trigger_error($user->lang['NO_AUTH_OPERATION'] . adm_back_link($this->u_action), E_USER_WARNING); } @@ -235,6 +236,7 @@ class acp_groups case 'delete': if (!$auth->acl_get('a_groupdel')) { + send_status_line(403, 'Forbidden'); trigger_error($user->lang['NO_AUTH_OPERATION'] . adm_back_link($this->u_action), E_USER_WARNING); } @@ -313,6 +315,7 @@ class acp_groups if ($action == 'add' && !$auth->acl_get('a_groupadd')) { + send_status_line(403, 'Forbidden'); trigger_error($user->lang['NO_AUTH_OPERATION'] . adm_back_link($this->u_action), E_USER_WARNING); } diff --git a/phpBB/includes/acp/acp_icons.php b/phpBB/includes/acp/acp_icons.php index 0293dca9d3..bea8da221c 100644 --- a/phpBB/includes/acp/acp_icons.php +++ b/phpBB/includes/acp/acp_icons.php @@ -40,6 +40,15 @@ class acp_icons $action = (isset($_POST['edit'])) ? 'edit' : $action; $action = (isset($_POST['import'])) ? 'import' : $action; $icon_id = $request->variable('id', 0); + $submit = $request->is_set_post('submit', false); + + $form_key = 'acp_icons'; + add_form_key($form_key); + + if ($submit && !check_form_key($form_key)) + { + trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING); + } $mode = ($mode == 'smilies') ? 'smilies' : 'icons'; @@ -822,6 +831,11 @@ class acp_icons case 'move_up': case 'move_down': + if (!check_link_hash($request->variable('hash', ''), 'acp_icons')) + { + trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING); + } + // Get current order id... $sql = "SELECT {$fields}_order as current_order FROM $table @@ -941,8 +955,8 @@ class acp_icons 'EMOTION' => (isset($row['emotion'])) ? $row['emotion'] : '', 'U_EDIT' => $this->u_action . '&action=edit&id=' . $row[$fields . '_id'], 'U_DELETE' => $this->u_action . '&action=delete&id=' . $row[$fields . '_id'], - 'U_MOVE_UP' => $this->u_action . '&action=move_up&id=' . $row[$fields . '_id'] . '&start=' . $pagination_start, - 'U_MOVE_DOWN' => $this->u_action . '&action=move_down&id=' . $row[$fields . '_id'] . '&start=' . $pagination_start, + 'U_MOVE_UP' => $this->u_action . '&action=move_up&id=' . $row[$fields . '_id'] . '&start=' . $pagination_start . '&hash=' . generate_link_hash('acp_icons'), + 'U_MOVE_DOWN' => $this->u_action . '&action=move_down&id=' . $row[$fields . '_id'] . '&start=' . $pagination_start . '&hash=' . generate_link_hash('acp_icons'), )); if (!$spacer && !$row['display_on_posting']) diff --git a/phpBB/includes/acp/acp_inactive.php b/phpBB/includes/acp/acp_inactive.php index 7ec43f45cc..ec256e93ef 100644 --- a/phpBB/includes/acp/acp_inactive.php +++ b/phpBB/includes/acp/acp_inactive.php @@ -164,6 +164,7 @@ class acp_inactive { if (!$auth->acl_get('a_userdel')) { + send_status_line(403, 'Forbidden'); trigger_error($user->lang['NO_AUTH_OPERATION'] . adm_back_link($this->u_action), E_USER_WARNING); } diff --git a/phpBB/includes/acp/acp_language.php b/phpBB/includes/acp/acp_language.php index 03172e475a..4baff921b6 100644 --- a/phpBB/includes/acp/acp_language.php +++ b/phpBB/includes/acp/acp_language.php @@ -244,6 +244,11 @@ class acp_language break; case 'install': + if (!check_link_hash($request->variable('hash', ''), 'acp_language')) + { + trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING); + } + $lang_iso = $request->variable('iso', ''); $lang_iso = basename($lang_iso); @@ -405,7 +410,7 @@ class acp_language 'ISO' => htmlspecialchars($lang_ary['iso']), 'LOCAL_NAME' => htmlspecialchars($lang_ary['local_name'], ENT_COMPAT, 'UTF-8'), 'NAME' => htmlspecialchars($lang_ary['name'], ENT_COMPAT, 'UTF-8'), - 'U_INSTALL' => $this->u_action . '&action=install&iso=' . urlencode($lang_ary['iso'])) + 'U_INSTALL' => $this->u_action . '&action=install&iso=' . urlencode($lang_ary['iso']) . '&hash=' . generate_link_hash('acp_language')) ); } } diff --git a/phpBB/includes/acp/acp_main.php b/phpBB/includes/acp/acp_main.php index f44bbbc88d..8697504c77 100644 --- a/phpBB/includes/acp/acp_main.php +++ b/phpBB/includes/acp/acp_main.php @@ -118,6 +118,7 @@ class acp_main case 'online': if (!$auth->acl_get('a_board')) { + send_status_line(403, 'Forbidden'); trigger_error($user->lang['NO_AUTH_OPERATION'] . adm_back_link($this->u_action), E_USER_WARNING); } @@ -134,6 +135,7 @@ class acp_main case 'stats': if (!$auth->acl_get('a_board')) { + send_status_line(403, 'Forbidden'); trigger_error($user->lang['NO_AUTH_OPERATION'] . adm_back_link($this->u_action), E_USER_WARNING); } @@ -189,6 +191,7 @@ class acp_main case 'user': if (!$auth->acl_get('a_board')) { + send_status_line(403, 'Forbidden'); trigger_error($user->lang['NO_AUTH_OPERATION'] . adm_back_link($this->u_action), E_USER_WARNING); } @@ -256,6 +259,7 @@ class acp_main case 'date': if (!$auth->acl_get('a_board')) { + send_status_line(403, 'Forbidden'); trigger_error($user->lang['NO_AUTH_OPERATION'] . adm_back_link($this->u_action), E_USER_WARNING); } @@ -372,6 +376,7 @@ class acp_main case 'purge_sessions': if ((int) $user->data['user_type'] !== USER_FOUNDER) { + send_status_line(403, 'Forbidden'); trigger_error($user->lang['NO_AUTH_OPERATION'] . adm_back_link($this->u_action), E_USER_WARNING); } diff --git a/phpBB/includes/acp/acp_modules.php b/phpBB/includes/acp/acp_modules.php index d3ecffe81e..4d90b2da8b 100644 --- a/phpBB/includes/acp/acp_modules.php +++ b/phpBB/includes/acp/acp_modules.php @@ -50,6 +50,9 @@ class acp_modules $user->add_lang('acp/modules'); $this->tpl_name = 'acp_modules'; + $form_key = 'acp_modules'; + add_form_key($form_key); + // module class $this->module_class = $mode; @@ -130,6 +133,11 @@ class acp_modules trigger_error($user->lang['NO_MODULE_ID'] . adm_back_link($this->u_action . '&parent_id=' . $this->parent_id), E_USER_WARNING); } + if (!check_link_hash($request->variable('hash', ''), 'acp_modules')) + { + trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action . '&parent_id=' . $this->parent_id), E_USER_WARNING); + } + $sql = 'SELECT * FROM ' . MODULES_TABLE . " WHERE module_class = '" . $db->sql_escape($this->module_class) . "' @@ -161,6 +169,11 @@ class acp_modules trigger_error($user->lang['NO_MODULE_ID'] . adm_back_link($this->u_action . '&parent_id=' . $this->parent_id), E_USER_WARNING); } + if (!check_link_hash($request->variable('hash', ''), 'acp_modules')) + { + trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action . '&parent_id=' . $this->parent_id), E_USER_WARNING); + } + $sql = 'SELECT * FROM ' . MODULES_TABLE . " WHERE module_class = '" . $db->sql_escape($this->module_class) . "' @@ -305,6 +318,11 @@ class acp_modules if ($submit) { + if (!check_form_key($form_key)) + { + trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action . '&parent_id=' . $this->parent_id), E_USER_WARNING); + } + if (!$module_data['module_langname']) { trigger_error($user->lang['NO_MODULE_LANGNAME'] . adm_back_link($this->u_action . '&parent_id=' . $this->parent_id), E_USER_WARNING); @@ -506,12 +524,12 @@ class acp_modules 'S_ACP_MODULE_MANAGEMENT' => ($this->module_class == 'acp' && ($row['module_basename'] == 'modules' || $row['module_langname'] == 'ACP_MODULE_MANAGEMENT')) ? true : false, 'U_MODULE' => $this->u_action . '&parent_id=' . $row['module_id'], - 'U_MOVE_UP' => $url . '&action=move_up', - 'U_MOVE_DOWN' => $url . '&action=move_down', + 'U_MOVE_UP' => $url . '&action=move_up&hash=' . generate_link_hash('acp_modules'), + 'U_MOVE_DOWN' => $url . '&action=move_down&hash=' . generate_link_hash('acp_modules'), 'U_EDIT' => $url . '&action=edit', 'U_DELETE' => $url . '&action=delete', - 'U_ENABLE' => $url . '&action=enable', - 'U_DISABLE' => $url . '&action=disable') + 'U_ENABLE' => $url . '&action=enable&hash=' . generate_link_hash('acp_modules'), + 'U_DISABLE' => $url . '&action=disable&hash=' . generate_link_hash('acp_modules')) ); } while ($row = $db->sql_fetchrow($result)); @@ -538,8 +556,8 @@ class acp_modules 'U_EDIT' => $url . '&action=edit', 'U_DELETE' => $url . '&action=delete', - 'U_ENABLE' => $url . '&action=enable', - 'U_DISABLE' => $url . '&action=disable') + 'U_ENABLE' => $url . '&action=enable&hash=' . generate_link_hash('acp_modules'), + 'U_DISABLE' => $url . '&action=disable&hash=' . generate_link_hash('acp_modules')) ); } $db->sql_freeresult($result); diff --git a/phpBB/includes/acp/acp_permission_roles.php b/phpBB/includes/acp/acp_permission_roles.php index 93aca295d7..0bfe67830f 100644 --- a/phpBB/includes/acp/acp_permission_roles.php +++ b/phpBB/includes/acp/acp_permission_roles.php @@ -367,6 +367,11 @@ class acp_permission_roles case 'move_up': case 'move_down': + if (!check_link_hash($request->variable('hash', ''), 'acp_permission_roles')) + { + trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING); + } + $sql = 'SELECT role_order FROM ' . ACL_ROLES_TABLE . " WHERE role_id = $role_id"; @@ -441,8 +446,8 @@ class acp_permission_roles 'U_EDIT' => $this->u_action . '&action=edit&role_id=' . $row['role_id'], 'U_REMOVE' => $this->u_action . '&action=remove&role_id=' . $row['role_id'], - 'U_MOVE_UP' => $this->u_action . '&action=move_up&role_id=' . $row['role_id'], - 'U_MOVE_DOWN' => $this->u_action . '&action=move_down&role_id=' . $row['role_id'], + 'U_MOVE_UP' => $this->u_action . '&action=move_up&role_id=' . $row['role_id'] . '&hash=' . generate_link_hash('acp_permission_roles'), + 'U_MOVE_DOWN' => $this->u_action . '&action=move_down&role_id=' . $row['role_id'] . '&hash=' . generate_link_hash('acp_permission_roles'), 'U_DISPLAY_ITEMS' => ($row['role_id'] == $display_item) ? '' : $this->u_action . '&display_item=' . $row['role_id'] . '#assigned_to') ); diff --git a/phpBB/includes/acp/acp_permissions.php b/phpBB/includes/acp/acp_permissions.php index fdac7c4d00..df3e238bcc 100644 --- a/phpBB/includes/acp/acp_permissions.php +++ b/phpBB/includes/acp/acp_permissions.php @@ -315,6 +315,7 @@ class acp_permissions case 'apply_permissions': if (!isset($_POST['setting'])) { + send_status_line(403, 'Forbidden'); trigger_error($user->lang['NO_AUTH_SETTING_FOUND'] . adm_back_link($this->u_action), E_USER_WARNING); } if (!check_form_key($form_name)) @@ -328,6 +329,7 @@ class acp_permissions case 'apply_all_permissions': if (!isset($_POST['setting'])) { + send_status_line(403, 'Forbidden'); trigger_error($user->lang['NO_AUTH_SETTING_FOUND'] . adm_back_link($this->u_action), E_USER_WARNING); } if (!check_form_key($form_name)) @@ -687,6 +689,7 @@ class acp_permissions // Check the permission setting again if (!$auth->acl_get('a_' . str_replace('_', '', $permission_type) . 'auth') || !$auth->acl_get('a_auth' . $ug_type . 's')) { + send_status_line(403, 'Forbidden'); trigger_error($user->lang['NO_AUTH_OPERATION'] . adm_back_link($this->u_action), E_USER_WARNING); } @@ -772,6 +775,7 @@ class acp_permissions // Check the permission setting again if (!$auth->acl_get('a_' . str_replace('_', '', $permission_type) . 'auth') || !$auth->acl_get('a_auth' . $ug_type . 's')) { + send_status_line(403, 'Forbidden'); trigger_error($user->lang['NO_AUTH_OPERATION'] . adm_back_link($this->u_action), E_USER_WARNING); } @@ -884,6 +888,7 @@ class acp_permissions // Check the permission setting again if (!$auth->acl_get('a_' . str_replace('_', '', $permission_type) . 'auth') || !$auth->acl_get('a_auth' . $ug_type . 's')) { + send_status_line(403, 'Forbidden'); trigger_error($user->lang['NO_AUTH_OPERATION'] . adm_back_link($this->u_action), E_USER_WARNING); } diff --git a/phpBB/includes/acp/acp_profile.php b/phpBB/includes/acp/acp_profile.php index 69672ebec0..c4888cfc7c 100644 --- a/phpBB/includes/acp/acp_profile.php +++ b/phpBB/includes/acp/acp_profile.php @@ -56,6 +56,9 @@ class acp_profile $error = array(); + $form_key = 'acp_profile'; + add_form_key($form_key); + if (!$field_id && in_array($action, array('delete','activate', 'deactivate', 'move_up', 'move_down', 'edit'))) { trigger_error($user->lang['NO_FIELD_ID'] . adm_back_link($this->u_action), E_USER_WARNING); @@ -166,6 +169,11 @@ class acp_profile case 'activate': + if (!check_link_hash($request->variable('hash', ''), 'acp_profile')) + { + trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING); + } + $sql = 'SELECT lang_id FROM ' . LANG_TABLE . " WHERE lang_iso = '" . $db->sql_escape($config['default_lang']) . "'"; @@ -206,6 +214,11 @@ class acp_profile case 'deactivate': + if (!check_link_hash($request->variable('hash', ''), 'acp_profile')) + { + trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING); + } + $sql = 'UPDATE ' . PROFILE_FIELDS_TABLE . " SET field_active = 0 WHERE field_id = $field_id"; @@ -235,6 +248,11 @@ class acp_profile case 'move_up': case 'move_down': + if (!check_link_hash($request->variable('hash', ''), 'acp_profile')) + { + trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING); + } + $sql = 'SELECT field_order FROM ' . PROFILE_FIELDS_TABLE . " WHERE field_id = $field_id"; @@ -584,6 +602,11 @@ class acp_profile if (!sizeof($error)) { + if (!check_form_key($form_key)) + { + trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING); + } + if (($step == 3 && (sizeof($this->lang_defs['iso']) == 1 || $save)) || ($action == 'edit' && $save)) { $this->save_profile_field($cp, $field_type, $action); @@ -740,12 +763,12 @@ class acp_profile 'FIELD_TYPE' => $profile_field->get_name(), 'L_ACTIVATE_DEACTIVATE' => $user->lang[$active_lang], - 'U_ACTIVATE_DEACTIVATE' => $this->u_action . "&action=$active_value&field_id=$id", + 'U_ACTIVATE_DEACTIVATE' => $this->u_action . "&action=$active_value&field_id=$id" . '&hash=' . generate_link_hash('acp_profile'), 'U_EDIT' => $this->u_action . "&action=edit&field_id=$id", 'U_TRANSLATE' => $this->u_action . "&action=edit&field_id=$id&step=3", 'U_DELETE' => $this->u_action . "&action=delete&field_id=$id", - 'U_MOVE_UP' => $this->u_action . "&action=move_up&field_id=$id", - 'U_MOVE_DOWN' => $this->u_action . "&action=move_down&field_id=$id", + 'U_MOVE_UP' => $this->u_action . "&action=move_up&field_id=$id" . '&hash=' . generate_link_hash('acp_profile'), + 'U_MOVE_DOWN' => $this->u_action . "&action=move_down&field_id=$id" . '&hash=' . generate_link_hash('acp_profile'), 'S_NEED_EDIT' => $s_need_edit) ); diff --git a/phpBB/includes/acp/acp_reasons.php b/phpBB/includes/acp/acp_reasons.php index 0d221bba3c..b9b313c9db 100644 --- a/phpBB/includes/acp/acp_reasons.php +++ b/phpBB/includes/acp/acp_reasons.php @@ -281,6 +281,11 @@ class acp_reasons case 'move_up': case 'move_down': + if (!check_link_hash($request->variable('hash', ''), 'acp_reasons')) + { + trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING); + } + $sql = 'SELECT reason_order FROM ' . REPORTS_REASONS_TABLE . " WHERE reason_id = $reason_id"; @@ -382,8 +387,8 @@ class acp_reasons 'U_EDIT' => $this->u_action . '&action=edit&id=' . $row['reason_id'], 'U_DELETE' => (!$other_reason) ? $this->u_action . '&action=delete&id=' . $row['reason_id'] : '', - 'U_MOVE_UP' => $this->u_action . '&action=move_up&id=' . $row['reason_id'], - 'U_MOVE_DOWN' => $this->u_action . '&action=move_down&id=' . $row['reason_id']) + 'U_MOVE_UP' => $this->u_action . '&action=move_up&id=' . $row['reason_id'] . '&hash=' . generate_link_hash('acp_reasons'), + 'U_MOVE_DOWN' => $this->u_action . '&action=move_down&id=' . $row['reason_id'] . '&hash=' . generate_link_hash('acp_reasons')) ); } $db->sql_freeresult($result); diff --git a/phpBB/includes/acp/acp_search.php b/phpBB/includes/acp/acp_search.php index 1f0e8ef539..9a72162c29 100644 --- a/phpBB/includes/acp/acp_search.php +++ b/phpBB/includes/acp/acp_search.php @@ -54,6 +54,13 @@ class acp_search global $config, $phpbb_admin_path, $phpEx; $submit = (isset($_POST['submit'])) ? true : false; + $form_key = 'acp_search'; + add_form_key($form_key); + + if ($submit && !check_form_key($form_key)) + { + trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING); + } $search_types = $this->get_search_types(); @@ -244,6 +251,15 @@ class acp_search $this->state = array(); $this->save_state(); } + $submit = $request->is_set_post('submit', false); + + $form_key = 'acp_search'; + add_form_key($form_key); + + if (!check_form_key($form_key) && in_array($action, array('delete', 'create'))) + { + trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING); + } if ($action) { diff --git a/phpBB/includes/acp/acp_update.php b/phpBB/includes/acp/acp_update.php index e42367d8a1..b88e6d3984 100644 --- a/phpBB/includes/acp/acp_update.php +++ b/phpBB/includes/acp/acp_update.php @@ -67,7 +67,7 @@ class acp_update // Incomplete update? if (phpbb_version_compare($config['version'], PHPBB_VERSION, '<')) { - $database_update_link = append_sid($phpbb_root_path . 'install/database_update.' . $phpEx); + $database_update_link = $phpbb_root_path . 'install/app.php/update'; $template->assign_vars(array( 'S_UPDATE_INCOMPLETE' => true, diff --git a/phpBB/includes/acp/acp_users.php b/phpBB/includes/acp/acp_users.php index 5091fcae7e..a37396a713 100644 --- a/phpBB/includes/acp/acp_users.php +++ b/phpBB/includes/acp/acp_users.php @@ -205,6 +205,7 @@ class acp_users { if (!$auth->acl_get('a_userdel')) { + send_status_line(403, 'Forbidden'); trigger_error($user->lang['NO_AUTH_OPERATION'] . adm_back_link($this->u_action . '&u=' . $user_id), E_USER_WARNING); } diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php index 5f8519bb41..bec4dbc27a 100644 --- a/phpBB/includes/functions.php +++ b/phpBB/includes/functions.php @@ -2264,6 +2264,7 @@ function login_box($redirect = '', $l_explain = '', $l_success = '', $admin = fa { $phpbb_log->add('admin', $user->data['user_id'], $user->ip, 'LOG_ADMIN_AUTH_FAIL'); } + send_status_line(403, 'Forbidden'); trigger_error('NO_AUTH_ADMIN'); } @@ -2280,6 +2281,7 @@ function login_box($redirect = '', $l_explain = '', $l_success = '', $admin = fa { $phpbb_log->add('admin', $user->data['user_id'], $user->ip, 'LOG_ADMIN_AUTH_FAIL'); } + send_status_line(403, 'Forbidden'); trigger_error('NO_AUTH_ADMIN'); } @@ -2301,6 +2303,8 @@ function login_box($redirect = '', $l_explain = '', $l_success = '', $admin = fa { // We log the attempt to use a different username... $phpbb_log->add('admin', $user->data['user_id'], $user->ip, 'LOG_ADMIN_AUTH_FAIL'); + + send_status_line(403, 'Forbidden'); trigger_error('NO_AUTH_ADMIN_USER_DIFFER'); } diff --git a/phpBB/includes/functions_admin.php b/phpBB/includes/functions_admin.php index 5cf65e04ba..13b2b29274 100644 --- a/phpBB/includes/functions_admin.php +++ b/phpBB/includes/functions_admin.php @@ -65,7 +65,7 @@ function recalc_nested_sets(&$new_id, $pkey, $table, $parent_id = 0, $where = ar */ function make_forum_select($select_id = false, $ignore_id = false, $ignore_acl = false, $ignore_nonpost = false, $ignore_emptycat = true, $only_acl_post = false, $return_array = false) { - global $db, $auth; + global $db, $auth, $phpbb_dispatcher; // This query is identical to the jumpbox one $sql = 'SELECT forum_id, forum_name, parent_id, forum_type, forum_flags, forum_options, left_id, right_id @@ -73,16 +73,33 @@ function make_forum_select($select_id = false, $ignore_id = false, $ignore_acl = ORDER BY left_id ASC'; $result = $db->sql_query($sql, 600); + $rowset = array(); + while ($row = $db->sql_fetchrow($result)) + { + $rowset[(int) $row['forum_id']] = $row; + } + $db->sql_freeresult($result); + $right = 0; $padding_store = array('0' => ''); $padding = ''; $forum_list = ($return_array) ? array() : ''; + /** + * Modify the forum list data + * + * @event core.make_forum_select_modify_forum_list + * @var array rowset Array with the forums list data + * @since 3.1.10-RC1 + */ + $vars = array('rowset'); + extract($phpbb_dispatcher->trigger_event('core.make_forum_select_modify_forum_list', compact($vars))); + // Sometimes it could happen that forums will be displayed here not be displayed within the index page // This is the result of forums not displayed at index, having list permissions and a parent of a forum with no permissions. // If this happens, the padding could be "broken" - while ($row = $db->sql_fetchrow($result)) + foreach ($rowset as $row) { if ($row['left_id'] < $right) { @@ -133,8 +150,7 @@ function make_forum_select($select_id = false, $ignore_id = false, $ignore_acl = $forum_list .= '<option value="' . $row['forum_id'] . '"' . (($disabled) ? ' disabled="disabled" class="disabled-option"' : $selected) . '>' . $padding . $row['forum_name'] . '</option>'; } } - $db->sql_freeresult($result); - unset($padding_store); + unset($padding_store, $rowset); return $forum_list; } diff --git a/phpBB/includes/functions_content.php b/phpBB/includes/functions_content.php index 173ea49acc..e36eb8119b 100644 --- a/phpBB/includes/functions_content.php +++ b/phpBB/includes/functions_content.php @@ -163,16 +163,33 @@ function make_jumpbox($action, $forum_id = false, $select_all = false, $acl_list ORDER BY left_id ASC'; $result = $db->sql_query($sql, 600); + $rowset = array(); + while ($row = $db->sql_fetchrow($result)) + { + $rowset[(int) $row['forum_id']] = $row; + } + $db->sql_freeresult($result); + $right = $padding = 0; $padding_store = array('0' => 0); $display_jumpbox = false; $iteration = 0; + /** + * Modify the jumpbox forum list data + * + * @event core.make_jumpbox_modify_forum_list + * @var array rowset Array with the forums list data + * @since 3.1.10-RC1 + */ + $vars = array('rowset'); + extract($phpbb_dispatcher->trigger_event('core.make_jumpbox_modify_forum_list', compact($vars))); + // Sometimes it could happen that forums will be displayed here not be displayed within the index page // This is the result of forums not displayed at index, having list permissions and a parent of a forum with no permissions. // If this happens, the padding could be "broken" - while ($row = $db->sql_fetchrow($result)) + foreach ($rowset as $row) { if ($row['left_id'] < $right) { @@ -254,8 +271,7 @@ function make_jumpbox($action, $forum_id = false, $select_all = false, $acl_list } $iteration++; } - $db->sql_freeresult($result); - unset($padding_store); + unset($padding_store, $rowset); $url_parts = $phpbb_path_helper->get_url_parts($action); diff --git a/phpBB/includes/functions_download.php b/phpBB/includes/functions_download.php index 1659d4b252..d61ce3d098 100644 --- a/phpBB/includes/functions_download.php +++ b/phpBB/includes/functions_download.php @@ -254,11 +254,21 @@ function send_file_to_browser($attachment, $upload_dir, $category) send_status_line(206, 'Partial Content'); header('Content-Range: bytes ' . $range['byte_pos_start'] . '-' . $range['byte_pos_end'] . '/' . $range['bytes_total']); header('Content-Length: ' . $range['bytes_requested']); - } - while (!feof($fp)) + // First read chunks + while (!feof($fp) && ftell($fp) < $range['byte_pos_end'] - 8192) + { + echo fread($fp, 8192); + } + // Then, read the remainder + echo fread($fp, $range['bytes_requested'] % 8192); + } + else { - echo fread($fp, 8192); + while (!feof($fp)) + { + echo fread($fp, 8192); + } } fclose($fp); } @@ -284,7 +294,7 @@ function header_filename($file) // There be dragons here. // Not many follows the RFC... - if (strpos($user_agent, 'MSIE') !== false || strpos($user_agent, 'Safari') !== false || strpos($user_agent, 'Konqueror') !== false) + if (strpos($user_agent, 'MSIE') !== false || strpos($user_agent, 'Konqueror') !== false) { return "filename=" . rawurlencode($file); } @@ -529,6 +539,9 @@ function phpbb_find_range_request() */ function phpbb_parse_range_request($request_array, $filesize) { + $first_byte_pos = -1; + $last_byte_pos = -1; + // Go through all ranges foreach ($request_array as $range_string) { @@ -540,62 +553,61 @@ function phpbb_parse_range_request($request_array, $filesize) continue; } + // Substitute defaults if ($range[0] === '') { - // Return last $range[1] bytes. - - if (!$range[1]) - { - continue; - } + $range[0] = 0; + } - if ($range[1] >= $filesize) - { - return false; - } + if ($range[1] === '') + { + $range[1] = $filesize - 1; + } - $first_byte_pos = $filesize - (int) $range[1]; - $last_byte_pos = $filesize - 1; + if ($last_byte_pos >= 0 && $last_byte_pos + 1 != $range[0]) + { + // We only support contiguous ranges, no multipart stuff :( + return false; } - else + + if ($range[1] && $range[1] < $range[0]) { - // Return bytes from $range[0] to $range[1] + // The requested range contains 0 bytes. + continue; + } + // Return bytes from $range[0] to $range[1] + if ($first_byte_pos < 0) + { $first_byte_pos = (int) $range[0]; - $last_byte_pos = (int) $range[1]; - - if ($last_byte_pos && $last_byte_pos < $first_byte_pos) - { - // The requested range contains 0 bytes. - continue; - } + } - if ($first_byte_pos >= $filesize) - { - // Requested range not satisfiable - return false; - } + $last_byte_pos = (int) $range[1]; - // Adjust last-byte-pos if it is absent or greater than the content. - if ($range[1] === '' || $last_byte_pos >= $filesize) - { - $last_byte_pos = $filesize - 1; - } + if ($first_byte_pos >= $filesize) + { + // Requested range not satisfiable + return false; } - // We currently do not support range requests that end before the end of the file - if ($last_byte_pos != $filesize - 1) + // Adjust last-byte-pos if it is absent or greater than the content. + if ($range[1] === '' || $last_byte_pos >= $filesize) { - continue; + $last_byte_pos = $filesize - 1; } + } - return array( - 'byte_pos_start' => $first_byte_pos, - 'byte_pos_end' => $last_byte_pos, - 'bytes_requested' => $last_byte_pos - $first_byte_pos + 1, - 'bytes_total' => $filesize, - ); + if ($first_byte_pos < 0 || $last_byte_pos < 0) + { + return false; } + + return array( + 'byte_pos_start' => $first_byte_pos, + 'byte_pos_end' => $last_byte_pos, + 'bytes_requested' => $last_byte_pos - $first_byte_pos + 1, + 'bytes_total' => $filesize, + ); } /** diff --git a/phpBB/includes/functions_privmsgs.php b/phpBB/includes/functions_privmsgs.php index d92934e59e..69c3dad9e6 100644 --- a/phpBB/includes/functions_privmsgs.php +++ b/phpBB/includes/functions_privmsgs.php @@ -801,6 +801,7 @@ function move_pm($user_id, $message_limit, $move_msg_ids, $dest_folder, $cur_fol if (!$row) { + send_status_line(403, 'Forbidden'); trigger_error('NOT_AUTHORISED'); } @@ -965,6 +966,7 @@ function handle_mark_actions($user_id, $mark_action) if (!$auth->acl_get('u_pm_delete')) { + send_status_line(403, 'Forbidden'); trigger_error('NO_AUTH_DELETE_MESSAGE'); } diff --git a/phpBB/includes/functions_user.php b/phpBB/includes/functions_user.php index a3dfafb000..f29f974ccf 100644 --- a/phpBB/includes/functions_user.php +++ b/phpBB/includes/functions_user.php @@ -3020,7 +3020,7 @@ function remove_default_rank($group_id, $user_ids) */ function group_user_attributes($action, $group_id, $user_id_ary = false, $username_ary = false, $group_name = false, $group_attributes = false) { - global $db, $auth, $user, $phpbb_container, $phpbb_log; + global $db, $auth, $user, $phpbb_container, $phpbb_log, $phpbb_dispatcher; // We need both username and user_id info $result = user_get_id_name($user_id_ary, $username_ary); @@ -3152,6 +3152,28 @@ function group_user_attributes($action, $group_id, $user_id_ary = false, $userna break; } + /** + * Event to perform additional actions on setting user group attributes + * + * @event core.user_set_group_attributes + * @var int group_id ID of the group + * @var string group_name Name of the group + * @var array user_id_ary IDs of the users to set group attributes + * @var array username_ary Names of the users to set group attributes + * @var array group_attributes Group attributes which were changed + * @var string action Action to perform over the group members + * @since 3.1.10-RC1 + */ + $vars = array( + 'group_id', + 'group_name', + 'user_id_ary', + 'username_ary', + 'group_attributes', + 'action', + ); + extract($phpbb_dispatcher->trigger_event('core.user_set_group_attributes', compact($vars))); + // Clear permissions cache of relevant users $auth->acl_clear_prefetch($user_id_ary); diff --git a/phpBB/includes/mcp/mcp_forum.php b/phpBB/includes/mcp/mcp_forum.php index dc4d59cc46..e381210331 100644 --- a/phpBB/includes/mcp/mcp_forum.php +++ b/phpBB/includes/mcp/mcp_forum.php @@ -274,7 +274,7 @@ function mcp_forum_view($id, $mode, $action, $forum_info) 'TOPIC_ICON_IMG_WIDTH' => (!empty($icons[$row_ary['icon_id']])) ? $icons[$row_ary['icon_id']]['width'] : '', 'TOPIC_ICON_IMG_HEIGHT' => (!empty($icons[$row_ary['icon_id']])) ? $icons[$row_ary['icon_id']]['height'] : '', 'UNAPPROVED_IMG' => ($topic_unapproved || $posts_unapproved) ? $user->img('icon_topic_unapproved', ($topic_unapproved) ? 'TOPIC_UNAPPROVED' : 'POSTS_UNAPPROVED') : '', - 'DELETED_IMG' => ($topic_deleted) ? $user->img('icon_topic_deleted', 'POSTS_DELETED') : '', + 'DELETED_IMG' => ($topic_deleted) ? $user->img('icon_topic_deleted', 'TOPIC_DELETED') : '', 'TOPIC_AUTHOR' => get_username_string('username', $row_ary['topic_poster'], $row_ary['topic_first_poster_name'], $row_ary['topic_first_poster_colour']), 'TOPIC_AUTHOR_COLOUR' => get_username_string('colour', $row_ary['topic_poster'], $row_ary['topic_first_poster_name'], $row_ary['topic_first_poster_colour']), diff --git a/phpBB/includes/mcp/mcp_logs.php b/phpBB/includes/mcp/mcp_logs.php index fca0412321..c34c915a40 100644 --- a/phpBB/includes/mcp/mcp_logs.php +++ b/phpBB/includes/mcp/mcp_logs.php @@ -83,6 +83,7 @@ class mcp_logs if (!in_array($forum_id, $forum_list)) { + send_status_line(403, 'Forbidden'); trigger_error('NOT_AUTHORISED'); } @@ -101,6 +102,7 @@ class mcp_logs if (!in_array($forum_id, $forum_list)) { + send_status_line(403, 'Forbidden'); trigger_error('NOT_AUTHORISED'); } diff --git a/phpBB/includes/mcp/mcp_queue.php b/phpBB/includes/mcp/mcp_queue.php index 1ccced7a2f..9060cc1098 100644 --- a/phpBB/includes/mcp/mcp_queue.php +++ b/phpBB/includes/mcp/mcp_queue.php @@ -622,6 +622,7 @@ class mcp_queue if (!phpbb_check_ids($post_id_list, POSTS_TABLE, 'post_id', array('m_approve'))) { + send_status_line(403, 'Forbidden'); trigger_error('NOT_AUTHORISED'); } @@ -877,6 +878,7 @@ class mcp_queue if (!phpbb_check_ids($topic_id_list, TOPICS_TABLE, 'topic_id', array('m_approve'))) { + send_status_line(403, 'Forbidden'); trigger_error('NOT_AUTHORISED'); } @@ -1074,6 +1076,7 @@ class mcp_queue if (!phpbb_check_ids($post_id_list, POSTS_TABLE, 'post_id', array('m_approve'))) { + send_status_line(403, 'Forbidden'); trigger_error('NOT_AUTHORISED'); } diff --git a/phpBB/includes/mcp/mcp_reports.php b/phpBB/includes/mcp/mcp_reports.php index 3809ea2616..1462acf110 100644 --- a/phpBB/includes/mcp/mcp_reports.php +++ b/phpBB/includes/mcp/mcp_reports.php @@ -542,6 +542,7 @@ function close_report($report_id_list, $mode, $action, $pm = false) { if (!$auth->acl_getf_global('m_report')) { + send_status_line(403, 'Forbidden'); trigger_error('NOT_AUTHORISED'); } } @@ -549,6 +550,7 @@ function close_report($report_id_list, $mode, $action, $pm = false) { if (!phpbb_check_ids($post_id_list, POSTS_TABLE, 'post_id', array('m_report'))) { + send_status_line(403, 'Forbidden'); trigger_error('NOT_AUTHORISED'); } } diff --git a/phpBB/includes/ucp/ucp_activate.php b/phpBB/includes/ucp/ucp_activate.php index 00044340df..1e54c18dc1 100644 --- a/phpBB/includes/ucp/ucp_activate.php +++ b/phpBB/includes/ucp/ucp_activate.php @@ -67,6 +67,7 @@ class ucp_activate { login_box('', $user->lang['NO_AUTH_OPERATION']); } + send_status_line(403, 'Forbidden'); trigger_error('NO_AUTH_OPERATION'); } diff --git a/phpBB/includes/ucp/ucp_groups.php b/phpBB/includes/ucp/ucp_groups.php index faffbe5bdc..352b7d1ec3 100644 --- a/phpBB/includes/ucp/ucp_groups.php +++ b/phpBB/includes/ucp/ucp_groups.php @@ -87,6 +87,7 @@ class ucp_groups if (!$auth->acl_get('u_chggrp')) { + send_status_line(403, 'Forbidden'); trigger_error($user->lang['NOT_AUTHORISED'] . $return_page); } diff --git a/phpBB/includes/ucp/ucp_main.php b/phpBB/includes/ucp/ucp_main.php index 217d46b767..77ac1dfb54 100644 --- a/phpBB/includes/ucp/ucp_main.php +++ b/phpBB/includes/ucp/ucp_main.php @@ -35,7 +35,7 @@ class ucp_main function main($id, $mode) { - global $config, $db, $user, $auth, $template, $phpbb_root_path, $phpEx; + global $config, $db, $user, $auth, $template, $phpbb_root_path, $phpEx, $phpbb_dispatcher; global $request; switch ($mode) @@ -215,6 +215,14 @@ class ucp_main $unwatch = (isset($_POST['unwatch'])) ? true : false; + /** + * Read and potentially modify the post data used to remove subscriptions to forums/topics + * + * @event core.ucp_main_subscribed_post_data + * @since 3.1.10-RC1 + */ + $phpbb_dispatcher->dispatch('core.ucp_main_subscribed_post_data'); + if ($unwatch) { if (check_form_key('ucp_front_subscribed')) @@ -299,6 +307,20 @@ class ucp_main $tracking_topics = ($tracking_topics) ? tracking_unserialize($tracking_topics) : array(); } + /** + * Modify the query used to retrieve a list of subscribed forums + * + * @event core.ucp_main_subscribed_forums_modify_query + * @var array sql_array The subscribed forums query + * @var array forbidden_forums The list of forbidden forums + * @since 3.1.10-RC1 + */ + $vars = array( + 'sql_array', + 'forbidden_forums', + ); + extract($phpbb_dispatcher->trigger_event('core.ucp_main_subscribed_forums_modify_query', compact($vars))); + $sql = $db->sql_build_query('SELECT', $sql_array); $result = $db->sql_query($sql); @@ -340,7 +362,7 @@ class ucp_main $last_post_time = $last_post_url = ''; } - $template->assign_block_vars('forumrow', array( + $template_vars = array( 'FORUM_ID' => $forum_id, 'FORUM_IMG_STYLE' => $folder_image, 'FORUM_FOLDER_IMG' => $user->img($folder_image, $folder_alt), @@ -359,8 +381,36 @@ class ucp_main 'S_UNREAD_FORUM' => $unread_forum, 'U_LAST_POST' => $last_post_url, - 'U_VIEWFORUM' => append_sid("{$phpbb_root_path}viewforum.$phpEx", 'f=' . $row['forum_id'])) + 'U_VIEWFORUM' => append_sid("{$phpbb_root_path}viewforum.$phpEx", 'f=' . $row['forum_id']) + ); + + /** + * Add template variables to a subscribed forum row. + * + * @event core.ucp_main_subscribed_forum_modify_template_vars + * @var array template_vars Array containing the template variables for the row + * @var array row Array containing the subscribed forum row data + * @var int forum_id Forum ID + * @var string folder_image Folder image + * @var string folder_alt Alt text for the folder image + * @var bool unread_forum Whether the forum has unread content or not + * @var string last_post_time The time of the most recent post, expressed as a formatted date string + * @var string last_post_url The URL of the most recent post in the forum + * @since 3.1.10-RC1 + */ + $vars = array( + 'template_vars', + 'row', + 'forum_id', + 'folder_image', + 'folder_alt', + 'unread_forum', + 'last_post_time', + 'last_post_url', ); + extract($phpbb_dispatcher->trigger_event('core.ucp_main_subscribed_forum_modify_template_vars', compact($vars))); + + $template->assign_block_vars('forumrow', $template_vars); } $db->sql_freeresult($result); } @@ -642,7 +692,7 @@ class ucp_main */ function assign_topiclist($mode = 'subscribed', $forbidden_forum_ary = array()) { - global $user, $db, $template, $config, $cache, $auth, $phpbb_root_path, $phpEx, $phpbb_container, $request; + global $user, $db, $template, $config, $cache, $auth, $phpbb_root_path, $phpEx, $phpbb_container, $request, $phpbb_dispatcher; /* @var $pagination \phpbb\pagination */ $pagination = $phpbb_container->get('pagination'); @@ -664,6 +714,23 @@ class ucp_main AND i.user_id = ' . $user->data['user_id'] . ' AND ' . $db->sql_in_set('t.forum_id', $forbidden_forum_ary, true, true), ); + + /** + * Modify the query used to retrieve the count of subscribed/bookmarked topics + * + * @event core.ucp_main_topiclist_count_modify_query + * @var array sql_array The subscribed/bookmarked topics query + * @var array forbidden_forum_ary The list of forbidden forums + * @var string mode The type of topic list ('subscribed' or 'bookmarks') + * @since 3.1.10-RC1 + */ + $vars = array( + 'sql_array', + 'forbidden_forum_ary', + 'mode', + ); + extract($phpbb_dispatcher->trigger_event('core.ucp_main_topiclist_count_modify_query', compact($vars))); + $sql = $db->sql_build_query('SELECT', $sql_array); $result = $db->sql_query($sql); $topics_count = (int) $db->sql_fetchfield('topics_count'); @@ -732,6 +799,22 @@ class ucp_main $sql_array['SELECT'] .= ', tp.topic_posted'; } + /** + * Modify the query used to retrieve the list of subscribed/bookmarked topics + * + * @event core.ucp_main_topiclist_modify_query + * @var array sql_array The subscribed/bookmarked topics query + * @var array forbidden_forum_ary The list of forbidden forums + * @var string mode The type of topic list ('subscribed' or 'bookmarks') + * @since 3.1.10-RC1 + */ + $vars = array( + 'sql_array', + 'forbidden_forum_ary', + 'mode', + ); + extract($phpbb_dispatcher->trigger_event('core.ucp_main_topiclist_modify_query', compact($vars))); + $sql = $db->sql_build_query('SELECT', $sql_array); $result = $db->sql_query_limit($sql, $config['topics_per_page'], $start); @@ -797,7 +880,7 @@ class ucp_main $view_topic_url = append_sid("{$phpbb_root_path}viewtopic.$phpEx", $view_topic_url_params); // Send vars to template - $template->assign_block_vars('topicrow', array( + $template_vars = array( 'FORUM_ID' => $forum_id, 'TOPIC_ID' => $topic_id, 'FIRST_POST_TIME' => $user->format_date($row['topic_time']), @@ -839,7 +922,41 @@ class ucp_main 'U_LAST_POST' => append_sid("{$phpbb_root_path}viewtopic.$phpEx", $view_topic_url_params . '&p=' . $row['topic_last_post_id']) . '#p' . $row['topic_last_post_id'], 'U_VIEW_TOPIC' => $view_topic_url, 'U_VIEW_FORUM' => append_sid("{$phpbb_root_path}viewforum.$phpEx", 'f=' . $forum_id), - )); + ); + + /** + * Add template variables to a subscribed/bookmarked topic row. + * + * @event core.ucp_main_topiclist_topic_modify_template_vars + * @var array template_vars Array containing the template variables for the row + * @var array row Array containing the subscribed/bookmarked topic row data + * @var int forum_id ID of the forum containing the topic + * @var int topic_id Topic ID + * @var int replies Number of replies in the topic + * @var string topic_type Topic type + * @var string folder_img Folder image + * @var string folder_alt Alt text for the folder image + * @var array icons Array containing topic icons + * @var bool unread_topic Whether the topic has unread content or not + * @var string view_topic_url The URL of the topic + * @since 3.1.10-RC1 + */ + $vars = array( + 'template_vars', + 'row', + 'forum_id', + 'topic_id', + 'replies', + 'topic_type', + 'folder_img', + 'folder_alt', + 'icons', + 'unread_topic', + 'view_topic_url', + ); + extract($phpbb_dispatcher->trigger_event('core.ucp_main_topiclist_topic_modify_template_vars', compact($vars))); + + $template->assign_block_vars('topicrow', $template_vars); $pagination->generate_template_pagination(append_sid("{$phpbb_root_path}viewtopic.$phpEx", 'f=' . $row['forum_id'] . "&t=$topic_id"), 'topicrow.pagination', 'start', $replies + 1, $config['posts_per_page'], 1, true, true); } diff --git a/phpBB/includes/ucp/ucp_pm.php b/phpBB/includes/ucp/ucp_pm.php index 33dff97fe6..d145d66f59 100644 --- a/phpBB/includes/ucp/ucp_pm.php +++ b/phpBB/includes/ucp/ucp_pm.php @@ -166,6 +166,7 @@ class ucp_pm if (!$auth->acl_get('u_readpm')) { + send_status_line(403, 'Forbidden'); trigger_error('NO_AUTH_READ_MESSAGE'); } diff --git a/phpBB/includes/ucp/ucp_pm_compose.php b/phpBB/includes/ucp/ucp_pm_compose.php index ad9a99204f..b61a9fab9f 100644 --- a/phpBB/includes/ucp/ucp_pm_compose.php +++ b/phpBB/includes/ucp/ucp_pm_compose.php @@ -171,6 +171,7 @@ function compose_pm($id, $mode, $action, $user_folders = array()) case 'post': if (!$auth->acl_get('u_sendpm')) { + send_status_line(403, 'Forbidden'); trigger_error('NO_AUTH_SEND_MESSAGE'); } break; @@ -186,6 +187,7 @@ function compose_pm($id, $mode, $action, $user_folders = array()) if (!$auth->acl_get('u_sendpm')) { + send_status_line(403, 'Forbidden'); trigger_error('NO_AUTH_SEND_MESSAGE'); } @@ -226,6 +228,7 @@ function compose_pm($id, $mode, $action, $user_folders = array()) case 'delete': if (!$auth->acl_get('u_pm_delete')) { + send_status_line(403, 'Forbidden'); trigger_error('NO_AUTH_DELETE_MESSAGE'); } @@ -251,11 +254,13 @@ function compose_pm($id, $mode, $action, $user_folders = array()) if ($action == 'forward' && (!$config['forward_pm'] || !$auth->acl_get('u_pm_forward'))) { + send_status_line(403, 'Forbidden'); trigger_error('NO_AUTH_FORWARD_MESSAGE'); } if ($action == 'edit' && !$auth->acl_get('u_pm_edit')) { + send_status_line(403, 'Forbidden'); trigger_error('NO_AUTH_EDIT_MESSAGE'); } @@ -321,6 +326,7 @@ function compose_pm($id, $mode, $action, $user_folders = array()) { if (($post['forum_id'] && !$auth->acl_get('f_read', $post['forum_id'])) || (!$post['forum_id'] && !$auth->acl_getf_global('f_read'))) { + send_status_line(403, 'Forbidden'); trigger_error('NOT_AUTHORISED'); } @@ -456,6 +462,7 @@ function compose_pm($id, $mode, $action, $user_folders = array()) if (($to_group_id || isset($address_list['g'])) && (!$config['allow_mass_pm'] || !$auth->acl_get('u_masspm_group'))) { + send_status_line(403, 'Forbidden'); trigger_error('NO_AUTH_GROUP_MESSAGE'); } diff --git a/phpBB/includes/ucp/ucp_pm_viewmessage.php b/phpBB/includes/ucp/ucp_pm_viewmessage.php index 2457ea9a2e..48d14a133c 100644 --- a/phpBB/includes/ucp/ucp_pm_viewmessage.php +++ b/phpBB/includes/ucp/ucp_pm_viewmessage.php @@ -41,6 +41,7 @@ function view_message($id, $mode, $folder_id, $msg_id, $folder, $message_row) $message = $user->lang['NO_AUTH_READ_REMOVED_MESSAGE']; $message .= '<br /><br />' . sprintf($user->lang['RETURN_FOLDER'], '<a href="' . $meta_info . '">', '</a>'); + send_status_line(403, 'Forbidden'); trigger_error($message); } diff --git a/phpBB/includes/ucp/ucp_profile.php b/phpBB/includes/ucp/ucp_profile.php index a9f8e10eef..a86c4f2672 100644 --- a/phpBB/includes/ucp/ucp_profile.php +++ b/phpBB/includes/ucp/ucp_profile.php @@ -279,6 +279,7 @@ class ucp_profile // Do not display profile information panel if not authed to do so if (!$auth->acl_get('u_chgprofileinfo')) { + send_status_line(403, 'Forbidden'); trigger_error('NO_AUTH_PROFILEINFO'); } @@ -464,6 +465,7 @@ class ucp_profile if (!$auth->acl_get('u_sig')) { + send_status_line(403, 'Forbidden'); trigger_error('NO_AUTH_SIGNATURE'); } diff --git a/phpBB/includes/ucp/ucp_remind.php b/phpBB/includes/ucp/ucp_remind.php index 0a46674fb1..a44f077693 100644 --- a/phpBB/includes/ucp/ucp_remind.php +++ b/phpBB/includes/ucp/ucp_remind.php @@ -79,6 +79,7 @@ class ucp_remind if (!$auth2->acl_get('u_chgpasswd')) { + send_status_line(403, 'Forbidden'); trigger_error('NO_AUTH_PASSWORD_REMINDER'); } |