authorIgor Wiedler <igor@wiedler.ch>2011-10-14 17:30:54 +0200
committerIgor Wiedler <igor@wiedler.ch>2011-10-14 17:37:12 +0200
commit27279afa1ed75457e6e0d32c982bf9458f048f30 (patch)
tree1840c7d681059f5a08a52caef52b0d34801b5530 /phpBB/includes/mcp
parent1657339e6d0b9a04463ce63fefa6332cab8aad14 (diff)
[ticket/10377] Do not allow all moderators to sticky posts
In the MCP, change_topic_type does not properly check permissions, allowing moderators to make any post sticky or announced by visiting the correct URL. PHPBB3-10377
Diffstat (limited to 'phpBB/includes/mcp')
-rw-r--r--phpBB/includes/mcp/mcp_main.php17
1 files changed, 8 insertions, 9 deletions
diff --git a/phpBB/includes/mcp/mcp_main.php b/phpBB/includes/mcp/mcp_main.php
index ad10a52705..ffede11d37 100644
--- a/phpBB/includes/mcp/mcp_main.php
+++ b/phpBB/includes/mcp/mcp_main.php
@@ -286,14 +286,6 @@ function change_topic_type($action, $topic_ids)
{
global $auth, $user, $db, $phpEx, $phpbb_root_path;
- // For changing topic types, we only allow operations in one forum.
- $forum_id = check_ids($topic_ids, TOPICS_TABLE, 'topic_id', array('f_announce', 'f_sticky', 'm_'), true);
-
- if ($forum_id === false)
- {
- return;
- }
-
switch ($action)
{
case 'make_announce':
@@ -316,11 +308,18 @@ function change_topic_type($action, $topic_ids)
default:
$new_topic_type = POST_NORMAL;
- $check_acl = '';
+ $check_acl = false;
$l_new_type = (sizeof($topic_ids) == 1) ? 'MCP_MAKE_NORMAL' : 'MCP_MAKE_NORMALS';
break;
}
+ $forum_id = check_ids($topic_ids, TOPICS_TABLE, 'topic_id', $check_acl, true);
+
+ if ($forum_id === false)
+ {
+ return;
+ }
+
$redirect = request_var('redirect', build_url(array('action', 'quickmod')));
$s_hidden_fields = array(