| author | Meik Sievertsen <acydburn@phpbb.com> | 2007-03-17 19:52:39 +0000 |
|---|---|---|
| committer | Meik Sievertsen <acydburn@phpbb.com> | 2007-03-17 19:52:39 +0000 |
| commit | 09e2b89917b52431d485e76087cd9d3c1f6c0be7 (patch) | |
| tree | 97ba65ff4fe2a41c4b715b5e0d462fec9775a6f7 /phpBB | |
| parent | c14916296224158c899ee1433faab5bc75ed2609 (diff) | |
check for permission when quoting post in pm (found by kellanved)
git-svn-id: file:///svn/phpbb/trunk@7205 89ea8834-ac86-4346-8a33-228a782c2dd0
Diffstat (limited to 'phpBB')
| -rw-r--r-- | phpBB/includes/ucp/ucp_pm_compose.php | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/phpBB/includes/ucp/ucp_pm_compose.php b/phpBB/includes/ucp/ucp_pm_compose.php
index e9c67bcccf..a0bb036b87 100644
--- a/phpBB/includes/ucp/ucp_pm_compose.php
+++ b/phpBB/includes/ucp/ucp_pm_compose.php
@@ -125,7 +125,7 @@ function compose_pm($id, $mode, $action)
 if ($action == 'quotepost')
 {
- $sql = 'SELECT p.post_id as msg_id, p.post_text as message_text, p.poster_id as author_id, p.post_time as message_time, p.bbcode_bitfield, p.bbcode_uid, p.enable_sig, p.enable_smilies, p.enable_magic_url, t.topic_title as message_subject, u.username as quote_username
+ $sql = 'SELECT p.post_id as msg_id, p.forum_id, p.post_text as message_text, p.poster_id as author_id, p.post_time as message_time, p.bbcode_bitfield, p.bbcode_uid, p.enable_sig, p.enable_smilies, p.enable_magic_url, t.topic_title as message_subject, u.username as quote_username
 FROM ' . POSTS_TABLE . ' p, ' . TOPICS_TABLE . ' t, ' . USERS_TABLE . " u
 WHERE p.post_id = $msg_id
 AND t.topic_id = p.topic_id
@@ -203,6 +203,14 @@ function compose_pm($id, $mode, $action)
 trigger_error('NO_MESSAGE');
 }
 
+ if ($action == 'quotepost')
+ {
+ if (($post['forum_id'] && !$auth->acl_get('f_read', $post['forum_id'])) || (!$post['forum_id'] && !$auth->acl_getf_global('f_read')))
+ {
+ trigger_error('NOT_AUTHORIZED');
+ }
+ }
+
 $msg_id = (int) $post['msg_id'];
 $folder_id = (isset($post['folder_id'])) ? $post['folder_id'] : 0;
 $message_text = (isset($post['message_text'])) ? $post['message_text'] : ''; |
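Review bot: The new gate in the second hunk checks only `f_read` on the post's forum, while the SELECT in the first hunk carries no filter on the post's approval or visibility state, so a post that is still pending moderation in a readable forum can apparently be quoted into a PM unless that is filtered somewhere outside these hunks. If the posts table carries phpBB's `post_approved` flag, I would select `p.post_approved` next to `p.forum_id` in the first hunk and extend the new condition with `|| (!$post['post_approved'] && !$auth->acl_get('m_approve', $post['forum_id']))`, so that only users who can moderate the forum can read unapproved text this way. The check also depends on `$auth` being in scope, which compose_pm presumably declares with `global` near its start; that declaration is not visible here. compose_pm begins and ends outside both hunks.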
