[geeklog-cvs] geeklog: Forgot to check group membership again when sending the...

geeklog-cvs at lists.geeklog.net geeklog-cvs at lists.geeklog.net
Sun Feb 1 03:49:16 EST 2009


details:   http://project.geeklog.net/cgi-bin/hgweb.cgi/rev/99c4995f2ef1
changeset: 6743:99c4995f2ef1
user:      Dirk Haun <dirk at haun-online.de>
date:      Sun Feb 01 09:49:03 2009 +0100
description:
Forgot to check group membership again when sending the emails

diffstat:

1 file changed, 20 insertions(+), 12 deletions(-)
public_html/admin/mail.php |   32 ++++++++++++++++++++------------

diffs (64 lines):

diff -r 3ccf161b2de2 -r 99c4995f2ef1 public_html/admin/mail.php
--- a/public_html/admin/mail.php	Sat Jan 31 22:44:58 2009 +0100
+++ b/public_html/admin/mail.php	Sun Feb 01 09:49:03 2009 +0100
@@ -114,23 +114,31 @@
 * @return   string          HTML with success or error message
 *
 */
-function send_messages ($vars)
+function send_messages($vars)
 {
     global $_CONF, $_TABLES, $LANG31;
 
-    require_once($_CONF['path_system'] . 'lib-user.php');
+    require_once $_CONF['path_system'] . 'lib-user.php';
 
     $retval = '';
 
-    if (empty ($vars['fra']) OR empty ($vars['fraepost']) OR
-            empty ($vars['subject']) OR empty ($vars['message']) OR
-            empty ($vars['to_group'])) {
-        $retval .= COM_startBlock ($LANG31[1], '',
-                        COM_getBlockTemplate ('_msg_block', 'header'));
-        $retval .= $LANG31[26];
-        $retval .= COM_endBlock (COM_getBlockTemplate ('_msg_block', 'footer'));
+    if (empty($vars['fra']) OR empty($vars['fraepost']) OR
+            empty($vars['subject']) OR empty($vars['message']) OR
+            empty($vars['to_group'])) {
+        $retval .= COM_showMessageText($LANG31[26]);
 
         return $retval;
+    }
+
+    $to_group = COM_applyFilter($vars['to_group'], true);
+    if ($to_group > 0) {
+        $group_name = DB_getItem($_TABLES['groups'], 'grp_name',
+                                 "grp_id = $to_group");
+        if (! SEC_inGroup($group_name)) {
+            return COM_refresh($_CONF['site_admin_url'] . '/mail.php');
+        }
+    } else {
+        return COM_refresh($_CONF['site_admin_url'] . '/mail.php');
     }
 
     // Urgent message!
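Review bot: Both denial paths in the new group check (the `! SEC_inGroup($group_name)` branch and the `else` for a non-positive id) redirect silently, so an attempt to mail a group the admin does not belong to leaves no audit trail. A call such as `COM_accessLog("Attempt to mail group $to_group without being a member.");` before each `COM_refresh` would record it. Separately, when `DB_getItem` finds no row for `$to_group`, `$group_name` is presumably empty, and the outcome then depends on how `SEC_inGroup` treats an empty name. Writing the test as `if (empty($group_name) || ! SEC_inGroup($group_name)) {` makes the rejection explicit. The body of send_messages continues past the end of this hunk.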
@@ -147,16 +155,16 @@
         $html = false;
     }
 
-    $groupList = implode (',', USER_getChildGroups($vars['to_group']));
+    $groupList = implode(',', USER_getChildGroups($to_group));
 
     // and now mail it
     if (isset ($vars['overstyr'])) {
         $sql = "SELECT DISTINCT username,fullname,email FROM {$_TABLES['users']},{$_TABLES['group_assignments']} WHERE uid > 1";
-        $sql .= " AND {$_TABLES['users']}.status = 3 AND ((email is not null) and (email != ''))";
+        $sql .= " AND {$_TABLES['users']}.status = 3 AND ((email IS NOT NULL) and (email != ''))";
         $sql .= " AND {$_TABLES['users']}.uid = ug_uid AND ug_main_grp_id IN ({$groupList})";
     } else {
         $sql = "SELECT DISTINCT username,fullname,email,emailfromadmin FROM {$_TABLES['users']},{$_TABLES['userprefs']},{$_TABLES['group_assignments']} WHERE {$_TABLES['users']}.uid > 1";
-        $sql .= " AND {$_TABLES['users']}.status = 3 AND ((email is not null) and (email != ''))";
+        $sql .= " AND {$_TABLES['users']}.status = 3 AND ((email IS NOT NULL) and (email != ''))";
         $sql .= " AND {$_TABLES['users']}.uid = {$_TABLES['userprefs']}.uid AND emailfromadmin = 1";
         $sql .= " AND ug_uid = {$_TABLES['users']}.uid AND ug_main_grp_id IN ({$groupList})";
     }
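Review bot: `$groupList` is interpolated directly into both `IN ({$groupList})` clauses, so the query's safety rests on `USER_getChildGroups()` returning only integer ids, which is not visible in this diff. Casting at the point of use, `$groupList = implode(',', array_map('intval', USER_getChildGroups($to_group)));`, keeps that guarantee local to the query. If the helper can ever return an empty array, the clause becomes `IN ()` and the query fails, so an early return on an empty list would be worth adding. This hunk is from the middle of send_messages, and the function continues beyond it.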


