[geeklog-cvs] geeklog-1.3/public_html comment.php,1.38.4.2,1.38.4.3
dhaun at geeklog.net
dhaun at geeklog.net
Mon Jan 19 15:10:32 EST 2004
Update of /usr/cvs/geeklog/geeklog-1.3/public_html
In directory geeklog_prod:/tmp/cvs-serv8358
Modified Files:
Tag: geeklog_1_3_7sr2_1
comment.php
Log Message:
Don't let user browse comments when s/he doesn't have access to the story.
Index: comment.php
===================================================================
RCS file: /usr/cvs/geeklog/geeklog-1.3/public_html/comment.php,v
retrieving revision 1.38.4.2
retrieving revision 1.38.4.3
diff -C2 -d -r1.38.4.2 -r1.38.4.3
*** comment.php 7 Dec 2003 10:03:58 -0000 1.38.4.2
--- comment.php 19 Jan 2004 20:10:30 -0000 1.38.4.3
***************
*** 9,17 ****
// | |
// +---------------------------------------------------------------------------+
! // | Copyright (C) 2000,2001 by the following authors: |
// | |
! // | Authors: Tony Bibbs - tony at tonybibbs.com |
! // | Mark Limburg - mlimburg at users.sourceforge.net |
! // | Jason Wittenburg - jwhitten at securitygeeks.com |
// +---------------------------------------------------------------------------+
// | |
--- 9,17 ----
// | |
// +---------------------------------------------------------------------------+
! // | Copyright (C) 2000-2004 by the following authors: |
// | |
! // | Authors: Tony Bibbs - tony at tonybibbs.com |
! // | Mark Limburg - mlimburg at users.sourceforge.net |
! // | Jason Whittenburg - jwhitten at securitygeeks.com |
// +---------------------------------------------------------------------------+
// | |
***************
*** 332,335 ****
--- 332,388 ----
}
+ // a quick import from Geeklog 1.3.8 ...
+ function Comment_getPermSQL($type = 'WHERE', $u_id = 0, $access = 2, $table = '')
+ {
+ global $_USER, $_GROUPS;
+
+ if( !empty( $table ))
+ {
+ $table .= '.';
+ }
+
+ if( $u_id <= 0 )
+ {
+ $uid = $_USER['uid'];
+ $GROUPS = $_GROUPS;
+ }
+ else
+ {
+ $uid = $u_id;
+ $GROUPS = SEC_getUserGroups( $uid );
+ }
+
+ if( empty( $_GROUPS ))
+ {
+ // this shouldn't really happen, but if it does, handle user
+ // like an anonymous user
+ $uid = 1;
+ }
+
+ if( SEC_inGroup( 'Root', $uid ))
+ {
+ return '';
+ }
+
+ $sql = ' ' . $type . ' (';
+
+ if( $uid > 1 )
+ {
+ $sql .= "(({$table}owner_id = '{$uid}') AND ({$table}perm_owner >= $access)) OR ";
+
+ $sql .= "(({$table}group_id IN (" . implode (',', $_GROUPS)
+ . ")) AND ({$table}perm_group >= $access)) OR ";
+ $sql .= "({$table}perm_members >= $access)";
+ }
+ else
+ {
+ $sql .= "{$table}perm_anon >= $access";
+ }
+
+ $sql .= ')';
+
+ return $sql;
+ }
+
// MAIN
$title = strip_tags ($title);
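Review bot: In `Comment_getPermSQL` the per-user group list is assigned to `$GROUPS` but never read: both the `empty( $_GROUPS )` check and the `implode (',', $_GROUPS)` in the group clause use the global. A call with `$u_id > 0` would therefore build the permission filter from the current visitor's groups rather than the requested user's. The two callers added in this commit pass no `$u_id`, so the problem is latent here, but it yields a wrong access clause as soon as another caller does. I would use the local consistently, `if( empty( $GROUPS ))` and `implode (',', $GROUPS)`. I would also add a comment above the function such as `// Returns '' for Root users, otherwise " $type (...)" to append to a query on a table with owner_id/group_id/perm_* columns`.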
***************
*** 346,353 ****
$display .= deletecomment (strip_tags ($cid), strip_tags ($sid), $type);
break;
! case display:
! $display .= COM_siteHeader()
! . COM_userComments($sid,$title,$type,$order,'threaded',$pid)
! . COM_siteFooter();
break;
default:
--- 399,424 ----
$display .= deletecomment (strip_tags ($cid), strip_tags ($sid), $type);
break;
! case 'display':
! if (!empty ($sid) && !empty ($type)) {
! $allowed = 1;
! if ($type == 'article') {
! $result = DB_query ("SELECT COUNT(*) AS count FROM {$_TABLES['stories']} WHERE (sid = '$sid') AND (draft_flag = 0) AND (date <= NOW())" . Comment_getPermSQL ('AND'));
! $A = DB_fetchArray ($result);
! $allowed = $A['count'];
! } else if ($type == 'poll') {
! $result = DB_query ("SELECT COUNT(*) AS count FROM {$_TABLES['pollquestions']} WHERE (qid = '$sid')" . Comment_getPermSQL ('AND'));
! $A = DB_fetchArray ($result);
! $allowed = $A['count'];
! }
! if ($allowed == 1) {
! $display .= COM_siteHeader()
! . COM_userComments($sid,$title,$type,$order,'threaded',$pid)
! . COM_siteFooter();
! } else {
! $display .= COM_refresh($_CONF['site_url'] . '/index.php');
! }
! } else {
! $display .= COM_refresh($_CONF['site_url'] . '/index.php');
! }
break;
default:
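Review bot: `$sid` is interpolated into the quoted literals `sid = '$sid'` and `qid = '$sid'` with no escaping visible in this hunk, whereas the delete case just above at least passes it through `strip_tags()`. Unless it is escaped earlier in the MAIN section (the switch starts outside the hunk) or the site relies on magic quotes, the request can alter the very query that decides access. Escaping it once before the switch, e.g. `$sid = addslashes (strip_tags ($sid));`, would cover both queries, provided this fits how the rest of the file handles magic quotes. Separately, `$allowed = 1` is the default, so any `$type` other than 'article' or 'poll' skips the check and still reaches `COM_userComments`. If those are the only valid types, starting from `$allowed = 0` makes the check fail closed.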