[geeklog-cvs] geeklog-1.3/public_html/admin block.php,1.54,1.55 event.php,1.44,1.45 group.php,1.33,1.34 link.php,1.39,1.40 poll.php,1.36,1.37 story.php,1.110,1.111 topic.php,1.39,1.40

dhaun at geeklog.net dhaun at geeklog.net
Sun Jan 18 09:41:24 EST 2004


Update of /usr/cvs/geeklog/geeklog-1.3/public_html/admin
In directory geeklog_prod:/tmp/cvs-serv23767

Modified Files:
	block.php event.php group.php link.php poll.php story.php 
	topic.php 
Log Message:
Implemented additional checks before deleting an object.


Index: block.php
===================================================================
RCS file: /usr/cvs/geeklog/geeklog-1.3/public_html/admin/block.php,v
retrieving revision 1.54
retrieving revision 1.55
diff -C2 -d -r1.54 -r1.55
*** block.php	13 Jan 2004 19:15:51 -0000	1.54
--- block.php	18 Jan 2004 14:41:22 -0000	1.55
***************
*** 606,609 ****
--- 606,630 ----
  }
  
+ /**
+ * Delete a block
+ *
+ */
+ function deleteBlock ($bid)
+ {
+     global $_CONF, $_TABLES, $_USER;
+ 
+     $result = DB_query ("SELECT tid,owner_id,group_id,perm_owner,perm_group,perm_members,perm_anon FROM {$_TABLES['blocks']} WHERE bid ='$bid'");
+     $A = DB_fetchArray($result);
+     $access = SEC_hasAccess ($A['owner_id'], $A['group_id'], $A['perm_owner'],
+             $A['perm_group'], $A['perm_members'], $A['perm_anon']);
+     if (($access < 3) || (hasBlockTopicAccess ($A['tid']) < 3)) {
+         COM_accessLog ("User {$_USER['username']} tried to illegally delete block $bid.");
+         return COM_refresh ($_CONF['site_admin_url'] . '/block.php');
+     }
+ 
+     DB_delete ($_TABLES['blocks'], 'bid', $bid);
+ 
+     return COM_refresh ($_CONF['site_admin_url'] . '/block.php?msg=12');
+ }
  
  // MAIN
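Review bot: deleteBlock never checks that the SELECT following the `global` line returned a row, so an unknown or malformed `$bid` leaves `$A` empty and `SEC_hasAccess` is evaluated on null permissions; depending on what that yields, the function then either logs a spurious access violation or runs DB_delete for a row that does not exist. A guard such as `if (DB_numRows ($result) != 1) { return COM_refresh ($_CONF['site_admin_url'] . '/block.php'); }` placed before the access computation keeps the "illegally delete" log line meaningful. The id is also interpolated verbatim into the WHERE clause although it is presumably taken from the request; where the id is numeric it should be cast with `(int)` first, and otherwise escaped with `addslashes` before the query string is built. The same two points apply to deleteEvent, deleteLink, deletePoll and deleteTopic in this commit, and to the new SELECT added to deletestory in story.php.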
***************
*** 630,634 ****
          $display .= COM_refresh ($_CONF['site_admin_url'] . '/block.php');
      } else {
!         DB_delete($_TABLES['blocks'],'bid',$bid,$_CONF['site_admin_url'] . '/block.php?msg=12');
      }
  } else if (($mode == $LANG21[54]) && !empty ($LANG21[54])) { // save
--- 651,655 ----
          $display .= COM_refresh ($_CONF['site_admin_url'] . '/block.php');
      } else {
!         $display .= deleteBlock ($bid);
      }
  } else if (($mode == $LANG21[54]) && !empty ($LANG21[54])) { // save
***************
*** 640,644 ****
          .editblock($bid)
          .COM_siteFooter();
! } else if ($mode == "move") {
      $display .= COM_siteHeader();
      $display .= moveBlock();
--- 661,665 ----
          .editblock($bid)
          .COM_siteFooter();
! } else if ($mode == 'move') {
      $display .= COM_siteHeader();
      $display .= moveBlock();

Index: event.php
===================================================================
RCS file: /usr/cvs/geeklog/geeklog-1.3/public_html/admin/event.php,v
retrieving revision 1.44
retrieving revision 1.45
diff -C2 -d -r1.44 -r1.45
*** event.php	13 Jan 2004 19:15:51 -0000	1.44
--- event.php	18 Jan 2004 14:41:22 -0000	1.45
***************
*** 89,93 ****
              $retval .= $LANG22[17];
              $retval .= COM_endBlock (COM_getBlockTemplate ('_msg_block', 'footer'));
!             COM_accessLog("User {$_USER['username']} tried to illegally submit or edit story $sid.");
              return $retval;
          }
--- 89,93 ----
              $retval .= $LANG22[17];
              $retval .= COM_endBlock (COM_getBlockTemplate ('_msg_block', 'footer'));
!             COM_accessLog("User {$_USER['username']} tried to illegally submit or edit event $eid.");
              return $retval;
          }
***************
*** 344,348 ****
          $display .= COM_endBlock (COM_getBlockTemplate ('_msg_block', 'footer'));
          $display .= COM_siteFooter();
!         COM_accessLog("User {$_USER['username']} tried to illegally submit or edit story $sid.");
          echo $display;
          exit;
--- 344,348 ----
          $display .= COM_endBlock (COM_getBlockTemplate ('_msg_block', 'footer'));
          $display .= COM_siteFooter();
!         COM_accessLog("User {$_USER['username']} tried to illegally submit or edit event $eid.");
          echo $display;
          exit;
***************
*** 487,490 ****
--- 487,513 ----
  }
  
+ /**
+ * Delete an event
+ *
+ */
+ function deleteEvent ($eid)
+ {
+     global $_CONF, $_TABLES, $_USER;
+ 
+     $result = DB_query ("SELECT owner_id,group_id,perm_owner,perm_group,perm_members,perm_anon FROM {$_TABLES['events']} WHERE eid = '$eid'");
+     $A = DB_fetchArray ($result);
+     $access = SEC_hasAccess ($A['owner_id'], $A['group_id'], $A['perm_owner'],
+             $A['perm_group'], $A['perm_members'], $A['perm_anon']);
+     if ($access < 3) {
+         COM_accessLog ("User {$_USER['username']} tried to illegally delete event $eid.");
+         return COM_refresh ($_CONF['site_admin_url'] . '/event.php');
+     }
+ 
+     DB_delete ($_TABLES['events'], 'eid', $eid);
+     DB_delete ($_TABLES['personal_events'], 'eid', $eid);
+ 
+     return COM_refresh ($_CONF['site_admin_url'] . '/event.php?msg=18');
+ }
+ 
  // MAIN
  
***************
*** 494,500 ****
          $display .= COM_refresh ($_CONF['site_admin_url'] . '/event.php');
      } else {
!         DB_delete($_TABLES['events'],'eid',$eid);
!         DB_delete($_TABLES['personal_events'],'eid',$eid);
!         $display = COM_refresh ($_CONF['site_admin_url'] . '/event.php?msg=18');
      }
  } else if (($mode == $LANG22[20]) && !empty ($LANG22[20])) { // save
--- 517,521 ----
          $display .= COM_refresh ($_CONF['site_admin_url'] . '/event.php');
      } else {
!         $display .= deleteEvent ($eid);
      }
  } else if (($mode == $LANG22[20]) && !empty ($LANG22[20])) { // save

Index: group.php
===================================================================
RCS file: /usr/cvs/geeklog/geeklog-1.3/public_html/admin/group.php,v
retrieving revision 1.33
retrieving revision 1.34
diff -C2 -d -r1.33 -r1.34
*** group.php	13 Jan 2004 19:15:52 -0000	1.33
--- group.php	18 Jan 2004 14:41:22 -0000	1.34
***************
*** 638,642 ****
  }
  
! function savegroupusers($groupid,$groupmembers) {
      global $_CONF, $_TABLES;
  
--- 638,643 ----
  }
  
! function savegroupusers($groupid,$groupmembers)
! {
      global $_CONF, $_TABLES;
  
***************
*** 647,652 ****
          DB_query("INSERT INTO {$_TABLES['group_assignments']} (ug_main_grp_id, ug_uid) VALUES ('$groupid', '$adduser[$i]')");
      }
!     echo COM_refresh($_CONF['site_admin_url'] . '/group.php?msg=49');
  }
  // MAIN
  if (($mode == $LANG_ACCESS['delete']) && !empty ($LANG_ACCESS['delete'])) {
--- 648,677 ----
          DB_query("INSERT INTO {$_TABLES['group_assignments']} (ug_main_grp_id, ug_uid) VALUES ('$groupid', '$adduser[$i]')");
      }
! 
!     return COM_refresh($_CONF['site_admin_url'] . '/group.php?msg=49');
  }
+ 
+ /**
+ * Delete a group
+ *
+ */
+ function deleteGroup ($grp_id)
+ {
+     global $_CONF, $_TABLES, $_USER;
+ 
+     if (!SEC_inGroup ('Root') && (DB_getItem ($_TABLES['groups'], 'grp_name',
+             "grp_id = $grp_id") == 'Root')) {
+         COM_accessLog ("User {$_USER['username']} tried to delete the Root group with insufficient privileges.");
+         return COM_refresh ($_CONF['site_admin_url'] . '/group.php');
+     }
+ 
+     DB_delete ($_TABLES['access'], 'acc_grp_id', $grp_id);
+     DB_delete ($_TABLES['group_assignments'], 'ug_grp_id', $grp_id);
+     DB_delete ($_TABLES['group_assignments'], 'ug_main_grp_id', $grp_id);
+     DB_delete ($_TABLES['groups'], 'grp_id', $grp_id);
+ 
+     return COM_refresh ($_CONF['site_admin_url'] . '/group.php?msg=50');
+ }
+ 
  // MAIN
  if (($mode == $LANG_ACCESS['delete']) && !empty ($LANG_ACCESS['delete'])) {
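Review bot: The Root-group guard in deleteGroup interpolates `$grp_id` unquoted into `grp_id = $grp_id`, unlike the other new delete functions which at least quote the value; a `$grp_id = (int) $grp_id;` at the top of the function would make both the DB_getItem lookup and the four DB_delete calls safe regardless of what MAIN passes in. The guard also only stops users outside the Root group: a Root member can still delete the Root group, which removes every access row and group assignment for it and presumably leaves no account able to administer the site, so consider refusing that deletion unconditionally. When the group does not exist, DB_getItem returns nothing, the comparison with 'Root' fails and the deletes run as no-ops; a short comment such as `// unknown grp_id: the deletes below affect no rows` would make that intentional rather than accidental.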
***************
*** 655,668 ****
          $display .= COM_refresh ($_CONF['site_admin_url'] . '/group.php');
      } else {
!         DB_delete ($_TABLES['access'], 'acc_grp_id', $grp_id);
!         DB_delete ($_TABLES['group_assignments'], 'ug_grp_id', $grp_id);
!         DB_delete ($_TABLES['group_assignments'], 'ug_main_grp_id', $grp_id);
!         DB_delete ($_TABLES['groups'], 'grp_id', $grp_id);
!         $display = COM_refresh($_CONF['site_admin_url'] . '/group.php?msg=50');
      }
  } else if (($mode == $LANG_ACCESS['save']) && !empty ($LANG_ACCESS['save'])) {
      $display .= savegroup($grp_id,$grp_name,$grp_descr,$grp_gl_core,$features,
              $HTTP_POST_VARS[$_TABLES['groups']]);
! } else if ($mode == "savegroupusers") {
      $display .= savegroupusers($grp_id, $HTTP_POST_VARS['groupmembers']);
  } else if ($mode == 'edit') {
--- 680,689 ----
          $display .= COM_refresh ($_CONF['site_admin_url'] . '/group.php');
      } else {
!         $display .= deleteGroup ($grp_id);
      }
  } else if (($mode == $LANG_ACCESS['save']) && !empty ($LANG_ACCESS['save'])) {
      $display .= savegroup($grp_id,$grp_name,$grp_descr,$grp_gl_core,$features,
              $HTTP_POST_VARS[$_TABLES['groups']]);
! } else if ($mode == 'savegroupusers') {
      $display .= savegroupusers($grp_id, $HTTP_POST_VARS['groupmembers']);
  } else if ($mode == 'edit') {

Index: link.php
===================================================================
RCS file: /usr/cvs/geeklog/geeklog-1.3/public_html/admin/link.php,v
retrieving revision 1.39
retrieving revision 1.40
diff -C2 -d -r1.39 -r1.40
*** link.php	13 Jan 2004 19:15:52 -0000	1.39
--- link.php	18 Jan 2004 14:41:22 -0000	1.40
***************
*** 343,346 ****
--- 343,368 ----
  }
  
+ /**
+ * Delete a link
+ *
+ */
+ function deleteLink ($lid)
+ {
+     global $_CONF, $_TABLES, $_USER;
+ 
+     $result = DB_query ("SELECT owner_id,group_id,perm_owner,perm_group,perm_members,perm_anon FROM {$_TABLES['links']} WHERE lid ='$lid'");
+     $A = DB_fetchArray ($result);
+     $access = SEC_hasAccess ($A['owner_id'], $A['group_id'], $A['perm_owner'],
+             $A['perm_group'], $A['perm_members'], $A['perm_anon']);
+     if ($access < 3) {
+         COM_accessLog ("User {$_USER['username']} tried to illegally delete link $lid.");
+         return COM_refresh ($_CONF['site_admin_url'] . '/link.php');
+     }
+ 
+     DB_delete ($_TABLES['links'], 'lid', $lid);
+ 
+     return COM_refresh ($_CONF['site_admin_url'] . '/link.php?msg=16');
+ }
+ 
  // MAIN
  
***************
*** 350,354 ****
          $display .= COM_refresh ($_CONF['site_admin_url'] . '/link.php');
      } else {
!         DB_delete($_TABLES['links'],'lid',$lid,$_CONF['site_admin_url'] . '/link.php?msg=16');
      }
  } else if (($mode == $LANG23[21]) && !empty ($LANG23[21])) { // save
--- 372,376 ----
          $display .= COM_refresh ($_CONF['site_admin_url'] . '/link.php');
      } else {
!         $display .= deleteLink ($lid);
      }
  } else if (($mode == $LANG23[21]) && !empty ($LANG23[21])) { // save

Index: poll.php
===================================================================
RCS file: /usr/cvs/geeklog/geeklog-1.3/public_html/admin/poll.php,v
retrieving revision 1.36
retrieving revision 1.37
diff -C2 -d -r1.36 -r1.37
*** poll.php	13 Jan 2004 19:15:52 -0000	1.36
--- poll.php	18 Jan 2004 14:41:22 -0000	1.37
***************
*** 120,124 ****
              $display .= COM_siteFooter (COM_getBlockTemplate ('_msg_block',
                                                                'footer'));
!             COM_accessLog("User {$_USER['username']} tried to illegally submit or edit poll $pid.");
              echo $display;
              exit;
--- 120,124 ----
              $display .= COM_siteFooter (COM_getBlockTemplate ('_msg_block',
                                                                'footer'));
!             COM_accessLog("User {$_USER['username']} tried to illegally submit or edit poll $qid.");
              echo $display;
              exit;
***************
*** 206,211 ****
  
      if (!empty ($qid)) {
!         $question = DB_query("SELECT * FROM {$_TABLES["pollquestions"]} WHERE qid='$qid'");
!         $answers = DB_query("SELECT answer,aid,votes FROM {$_TABLES["pollanswers"]} WHERE qid='$qid' ORDER BY aid");
          $Q = DB_fetchArray($question);
  
--- 206,211 ----
  
      if (!empty ($qid)) {
!         $question = DB_query("SELECT * FROM {$_TABLES['pollquestions']} WHERE qid='$qid'");
!         $answers = DB_query("SELECT answer,aid,votes FROM {$_TABLES['pollanswers']} WHERE qid='$qid' ORDER BY aid");
          $Q = DB_fetchArray($question);
  
***************
*** 220,224 ****
              $retval .= $LANG25[22];
              $retval .= COM_endBlock (COM_getBlockTemplate ('_msg_block', 'footer'));
!             COM_accessLog("User {$_USER['username']} tried to illegally submit or edit poll $pid.");
              return $retval;
          }
--- 220,224 ----
              $retval .= $LANG25[22];
              $retval .= COM_endBlock (COM_getBlockTemplate ('_msg_block', 'footer'));
!             COM_accessLog("User {$_USER['username']} tried to illegally submit or edit poll $qid.");
              return $retval;
          }
***************
*** 369,372 ****
--- 369,395 ----
  }
  
+ /**
+ * Delete a poll
+ *
+ */
+ function deletePoll ($qid)
+ {
+     global $_CONF, $_TABLES, $_USER;
+ 
+     $result = DB_query ("SELECT owner_id,group_id,perm_owner,perm_group,perm_members,perm_anon FROM {$_TABLES['pollquestions']} WHERE qid = '$qid'");
+     $Q = DB_fetchArray ($result);
+     $access = SEC_hasAccess ($Q['owner_id'], $Q['group_id'], $Q['perm_owner'],
+             $Q['perm_group'], $Q['perm_members'], $Q['perm_anon']);
+     if ($access < 3) {
+         COM_accessLog ("User {$_USER['username']} tried to illegally delete poll $qid.");
+         return COM_refresh ($_CONF['site_admin_url'] . '/poll.php');
+     }
+ 
+     DB_delete ($_TABLES['pollquestions'], 'qid', $qid);
+     DB_delete ($_TABLES['pollanswers'], 'qid', $qid);
+ 
+     return COM_refresh ($_CONF['site_admin_url'] . '/poll.php?msg=20');
+ }
+ 
  // MAIN
  
***************
*** 400,406 ****
          $display .= COM_refresh ($_CONF['site_admin_url'] . '/poll.php');
      } else {
!         DB_delete($_TABLES['pollquestions'],'qid',$qid);
!         DB_delete($_TABLES['pollanswers'],'qid',$qid);
!         $display .= COM_refresh($_CONF['site_admin_url'] . '/poll.php?msg=20');
      }
  } else { // 'cancel' or no mode at all
--- 423,427 ----
          $display .= COM_refresh ($_CONF['site_admin_url'] . '/poll.php');
      } else {
!         $display .= deletePoll ($qid);
      }
  } else { // 'cancel' or no mode at all

Index: story.php
===================================================================
RCS file: /usr/cvs/geeklog/geeklog-1.3/public_html/admin/story.php,v
retrieving revision 1.110
retrieving revision 1.111
diff -C2 -d -r1.110 -r1.111
*** story.php	13 Jan 2004 19:15:52 -0000	1.110
--- story.php	18 Jan 2004 14:41:22 -0000	1.111
***************
*** 1003,1007 ****
  function deletestory ($sid)
  {
!     global $_TABLES, $_CONF;
  
      $result = DB_query ("SELECT ai_filename FROM {$_TABLES['article_images']} WHERE ai_sid = '$sid'");
--- 1003,1017 ----
  function deletestory ($sid)
  {
!     global $_CONF, $_TABLES, $_USER;
! 
!     $result = DB_query ("SELECT tid,owner_id,group_id,perm_owner,perm_group,perm_members,perm_anon FROM {$_TABLES['stories']} WHERE sid = '$sid'");
!     $A = DB_fetchArray ($result);
!     $access = SEC_hasAccess ($A['owner_id'], $A['group_id'], $A['perm_owner'],
!             $A['perm_group'], $A['perm_members'], $A['perm_anon']);
!     $access = min ($access, SEC_hasTopicAccess ($A['tid']));
!     if ($access < 3) {
!         COM_accessLog ("User {$_USER['username']} tried to illegally delete story $sid.");
!         return COM_refresh ($_CONF['site_admin_url'] . '/story.php');
!     }
  
      $result = DB_query ("SELECT ai_filename FROM {$_TABLES['article_images']} WHERE ai_sid = '$sid'");
***************
*** 1045,1050 ****
          echo COM_refresh ($_CONF['site_admin_url'] . '/story.php');
      } else if ($type == 'submission') {
!         DB_delete ($_TABLES['storysubmission'], 'sid', $sid,
!                    $_CONF['site_admin_url'] . '/moderation.php');
      } else {
          echo deletestory ($sid);
--- 1055,1066 ----
          echo COM_refresh ($_CONF['site_admin_url'] . '/story.php');
      } else if ($type == 'submission') {
!         $tid = DB_getItem ($_TABLES['storysubmission'], 'tid', "sid = '$sid'");
!         if (hasTopicAccess ($tid) < 3) {
!             COM_accessLog ("User {$_USER['username']} tried to illegally delete story submission $sid.");
!             return COM_refresh ($_CONF['site_admin_url'] . '/index.php');
!         } else {
!             DB_delete ($_TABLES['storysubmission'], 'sid', $sid,
!                        $_CONF['site_admin_url'] . '/moderation.php');
!         }
      } else {
          echo deletestory ($sid);
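Review bot: The new submission branch uses `return COM_refresh (...)` at what appears to be file scope, while the neighbouring branches use `echo COM_refresh` and `echo deletestory ($sid)`; a top-level return ends the script without emitting the refresh, so on an access failure the user gets a blank page instead of the redirect. Change it to `echo COM_refresh ($_CONF['site_admin_url'] . '/index.php');` so it matches the surrounding branches. The check calls `hasTopicAccess`, whereas the access check added to deletestory in the hunk above calls `SEC_hasTopicAccess`; unless a local `hasTopicAccess` is defined in this file, this is an undefined-function fatal error on exactly the path meant to deny access. `$sid` is also interpolated raw into the DB_getItem condition. The enclosing if/else chain starts and ends outside the hunk.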

Index: topic.php
===================================================================
RCS file: /usr/cvs/geeklog/geeklog-1.3/public_html/admin/topic.php,v
retrieving revision 1.39
retrieving revision 1.40
diff -C2 -d -r1.39 -r1.40
*** topic.php	13 Jan 2004 19:15:52 -0000	1.39
--- topic.php	18 Jan 2004 14:41:22 -0000	1.40
***************
*** 304,307 ****
--- 304,332 ----
  }
  
+ /**
+ * Delete a topic
+ *
+ */
+ function deleteTopic ($tid)
+ {
+     global $_CONF, $_TABLES, $_USER;
+ 
+     $result = DB_query ("SELECT owner_id,group_id,perm_owner,perm_group,perm_members,perm_anon FROM {$_TABLES['topics']} WHERE tid ='$tid'");
+     $A = DB_fetchArray ($result);
+     $access = SEC_hasAccess ($A['owner_id'], $A['group_id'], $A['perm_owner'],
+             $A['perm_group'], $A['perm_members'], $A['perm_anon']);
+     if ($access < 3) {
+         COM_accessLog ("User {$_USER['username']} tried to illegally delete topic $tid.");
+         return COM_refresh ($_CONF['site_admin_url'] . '/topic.php');
+     }
+ 
+     DB_delete ($_TABLES['stories'], 'tid', $tid);
+     DB_delete ($_TABLES['storysubmission'], 'tid', $tid);
+     DB_delete ($_TABLES['blocks'], 'tid', $tid);
+     DB_delete ($_TABLES['topics'], 'tid', $tid);
+ 
+     return COM_refresh ($_CONF['site_admin_url'] . '/topic.php?msg=14');
+ }
+ 
  ###############################################################################
  # MAIN
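Review bot: deleteTopic removes the topic's stories with a single `DB_delete ($_TABLES['stories'], 'tid', $tid)`, which bypasses whatever per-story cleanup deletestory() in story.php performs (that function at least looks up `article_images` rows by `ai_sid`, per this commit's story.php hunk), so images attached to those stories would presumably be left orphaned in the database and on disk. Consider iterating the topic's story ids and calling the story-level delete for each, or at least documenting the limitation with `// NOTE: does not remove article_images of the deleted stories`. The docblock `Delete a topic` should also say that the topic's stories, submissions and blocks are deleted with it, since that cascade is the non-obvious part of the function.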
***************
*** 313,320 ****
          $display .= COM_refresh ($_CONF['site_admin_url'] . '/topic.php');
      } else {
!         DB_delete($_TABLES['stories'],'tid',$tid);
!         DB_delete($_TABLES['storysubmission'],'tid',$tid);
!         DB_delete($_TABLES['blocks'],'tid',$tid);
!         DB_delete($_TABLES['topics'],'tid',$tid,$_CONF['site_admin_url'] . '/topic.php?msg=14');
      }
  } else if (($mode == $LANG27[19]) && !empty ($LANG27[19])) { // save
--- 338,342 ----
          $display .= COM_refresh ($_CONF['site_admin_url'] . '/topic.php');
      } else {
!         $display .= deleteTopic ($tid);
      }
  } else if (($mode == $LANG27[19]) && !empty ($LANG27[19])) { // save




