[geeklog-cvs] geeklog-1.3/public_html profiles.php,1.24,1.24.2.1
dhaun at geeklog.net
dhaun at geeklog.net
Fri Dec 5 14:36:38 EST 2003
Update of /usr/cvs/geeklog/geeklog-1.3/public_html
In directory geeklog_prod:/tmp/cvs-serv23950
Modified Files:
Tag: geeklog_1_3_8_1_1
profiles.php
Log Message:
Apply stricter checks before allowing someone to email a user. Also implemented a speed limit for emailing users.
Index: profiles.php
===================================================================
RCS file: /usr/cvs/geeklog/geeklog-1.3/public_html/profiles.php,v
retrieving revision 1.24
retrieving revision 1.24.2.1
diff -C2 -d -r1.24 -r1.24.2.1
*** profiles.php 25 Jun 2003 08:39:02 -0000 1.24
--- profiles.php 5 Dec 2003 19:36:36 -0000 1.24.2.1
***************
*** 52,55 ****
--- 52,80 ----
global $_TABLES, $_CONF, $_USER, $LANG08, $LANG_CHARSET;
+ // check for correct $_CONF permission
+ if (empty ($_USER['username']) && (($_CONF['loginrequired'] == 1) ||
+ ($_CONF['emailuserloginrequired'] == 1)) && ($uid != 2)) {
+ return COM_refresh ($_CONF['site_url'] . '/index.php');
+ }
+
+ // check for correct 'to' user preferences
+ $result = DB_query ("SELECT emailfromadmin,emailfromuser FROM {$_TABLES['userprefs']} WHERE uid = '$uid'");
+ $P = DB_fetchArray ($result);
+ if (SEC_inGroup ('Root') || SEC_hasRights ('user.mail')) {
+ $isAdmin = true;
+ } else {
+ $isAdmin = false;
+ }
+ if ((($P['emailfromadmin'] != 1) && $isAdmin) ||
+ (($P['emailfromuser'] != 1) && !$isAdmin)) {
+ return COM_refresh ($_CONF['site_url'] . '/index.php');
+ }
+
+ // check mail speedlimit
+ COM_clearSpeedlimit ($_CONF['speedlimit'], 'mail');
+ if (COM_checkSpeedlimit ('mail') > 0) {
+ return COM_refresh ($_CONF['site_url'] . '/index.php');
+ }
+
if (!empty($author) && !empty($subject) && !empty($message)) {
if (COM_isemail($authoremail)) {
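Review bot: `$uid` goes straight into the new userprefs query (`WHERE uid = '$uid'`) with no cast or escaping, so unless the enclosing function (which starts above this hunk) has already sanitised it, the new permission check itself adds a SQL injection point on request input. Coerce it before the first use, e.g. `$uid = (int) $uid;` placed ahead of the `$_CONF` permission check, which also makes the `$uid != 2` comparison unambiguous. The hard-coded `2` has no comment saying which account it exempts and why it bypasses the login requirement; please name it inline. For the preference check, a `$uid` with no userprefs row leaves `$P` empty so both `!= 1` tests redirect, which is the right default but reads like an accident — a comment such as `// missing prefs row: $P is empty, fail closed` would make that intent clear.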
***************
*** 83,86 ****
--- 108,112 ----
"X-Mailer: GeekLog " . VERSION . "\r\n" .
"Content-Type: text/plain; charset=$charset");
+ COM_updateSpeedlimit ('mail');
$retval .= COM_refresh($_CONF['site_url'] . '/index.php?msg=27');
} else {
***************
*** 187,192 ****
function mailstory($sid,$to,$toemail,$from,$fromemail,$sid, $shortmsg)
{
! global $_TABLES, $_CONF, $LANG01, $LANG08, $A;
!
$sql = "SELECT uid,title,introtext,bodytext,UNIX_TIMESTAMP(date) AS day FROM {$_TABLES['stories']} WHERE sid = '$sid' ";
$result = DB_query($sql);
--- 213,230 ----
function mailstory($sid,$to,$toemail,$from,$fromemail,$sid, $shortmsg)
{
! global $_CONF, $_TABLES, $_USER, $LANG01, $LANG08, $A;
!
! // check for correct $_CONF permission
! if (empty ($_USER['username']) && (($_CONF['loginrequired'] == 1) ||
! ($_CONF['emailstoryloginrequired'] == 1))) {
! return COM_refresh ($_CONF['site_url'] . '/article.php?story=' . $sid);
! }
!
! // check mail speedlimit
! COM_clearSpeedlimit ($_CONF['speedlimit'], 'mail');
! if (COM_checkSpeedlimit ('mail') > 0) {
! return COM_refresh ($_CONF['site_url'] . '/article.php?story=' . $sid);
! }
!
$sql = "SELECT uid,title,introtext,bodytext,UNIX_TIMESTAMP(date) AS day FROM {$_TABLES['stories']} WHERE sid = '$sid' ";
$result = DB_query($sql);
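Review bot: Both new early-return redirects append `$sid` to the target URL unescaped (`'/article.php?story=' . $sid`), and the same unvalidated value is later interpolated into the stories query on the existing `$sql` line, so a hostile `$sid` now reaches both a redirect/markup context and the database before any check. Validate it once at the top of the function before the permission and speed-limit checks (the form of a valid story id is not visible here, so use whatever the project's input filter is if one exists, otherwise at minimum `urlencode($sid)` in the two redirect targets). While touching this signature, note it still declares `$sid` twice (`mailstory($sid,...,$sid, $shortmsg)`), which silently makes the first argument dead and is a fatal error on newer PHP. mailstory's body continues past the end of this hunk.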
***************
*** 218,221 ****
--- 256,260 ----
@mail($toemail,$subject,$mailtext,$mailfrom);
+ COM_updateSpeedlimit ('mail');
$retval .= COM_refresh("{$_CONF['site_url']}/article.php?story=$sid");
// Increment numemails counter for story