[geeklog-cvs] geeklog: Fixed handling of user security.
geeklog-cvs at lists.geeklog.net
geeklog-cvs at lists.geeklog.net
Thu May 20 19:52:41 EDT 2010
changeset 7939:ec64768e2d38
url: http://project.geeklog.net/cgi-bin/hgwebdir.cgi/geeklog/rev/ec64768e2d38
user: Tom <websitemaster at cogeco.net>
date: Thu May 20 15:39:22 2010 -0400
description:
Fixed handling of user security.
diffstat:
plugins/polls/functions.inc | 27 +++++++++++++++++----------
1 files changed, 17 insertions(+), 10 deletions(-)
diffs (66 lines):
diff -r dfbd40194f57 -r ec64768e2d38 plugins/polls/functions.inc
--- a/plugins/polls/functions.inc Sun May 16 19:43:27 2010 +0200
+++ b/plugins/polls/functions.inc Thu May 20 15:39:22 2010 -0400
@@ -1258,6 +1258,7 @@
// the URL (so that $fields isn't emtpy)
$fields[] = 'pid';
$fields[] = 'hideresults';
+ $fields[] = 'owner_id';
break;
default:
@@ -1323,12 +1324,14 @@
} else {
$userid = $_USER['uid'];
}
- // Users who have already voted but cannot see the results cannot view link
- if ($userid == 2 || ($userid != 2 && !($A['hideresults'] == 1 && (isset($_COOKIE['poll-' . $A['pid']]) || POLLS_ipAlreadyVoted($A['pid']))))) {
- $props['url'] = $_CONF['site_url']
- . '/polls/index.php?pid=' . $A['pid'];
- // . '&aid=-1';
+ // Users who have already voted but cannot see the results cannot view link (unless they are the admin or the owner)
+ $has_Permissions = false;
+ if (($A['hideresults'] == 0) || (isset($_USER['uid']) && ($_USER['uid'] == $A['owner_id'])) || SEC_inGroup('Root')) {
+ $has_Permissions = true;
}
+ if ($has_Permissions || (!$has_Permissions && !($A['hideresults'] == 1 && (isset($_COOKIE['poll-' . $A['pid']]) || POLLS_ipAlreadyVoted($A['pid']))))) {
+ $props['url'] = $_CONF['site_url'] . '/polls/index.php?pid=' . $A['pid']; // . '&aid=-1';
+ }
}
break;
default:
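Review bot: The second condition on L39 (`$has_Permissions || (!$has_Permissions && ...)`) is `A || (!A && B)`, which is just `A || B`; the same duplicated test is at L72 in the last hunk, and both compare `$_USER['uid']` with `$A['owner_id']` and `$A['hideresults']` with `0` using loose `==` on values that come back from the database as strings. The `$userid` assigned on L27 is no longer read by the new check, which goes to `$_USER['uid']` directly, so whatever fallback the `if` branch above this hunk assigns (outside the visible lines, as is the rest of the enclosing function) appears to be bypassed for the owner comparison; that looks unintended and should be confirmed. Commented-out code is left behind in both places (`// . '&aid=-1';` on L40 and the whole previous condition on L73) and should be deleted rather than carried along. In the loop of the last hunk, `SEC_inGroup('Root')` is evaluated once per poll row even though it does not depend on the row; computing it once before the `for` would be cleaner. A tightened form of the check for both places:

```php
$isOwner = isset($_USER['uid']) && ((int) $_USER['uid'] === (int) $A['owner_id']);
$hasPermissions = ((int) $A['hideresults'] === 0) || $isOwner || SEC_inGroup('Root');
$alreadyVoted = isset($_COOKIE['poll-' . $A['pid']]) || POLLS_ipAlreadyVoted($A['pid']);
if ($hasPermissions || !((int) $A['hideresults'] === 1 && $alreadyVoted)) {
    // … unchanged: build $props['url'] …
}
```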
@@ -1526,7 +1529,7 @@
$datecolumn = 'created';
}
$sql = array();
- $sql['mysql'] = "SELECT pid, topic, hideresults
+ $sql['mysql'] = "SELECT pid, topic, hideresults, owner_id
FROM {$_TABLES['polltopics']}
WHERE ({$datecolumn} >= (DATE_SUB(NOW(), INTERVAL {$_PO_CONF['newpollsinterval']} SECOND)))
" . COM_getPermSQL('AND') . "
@@ -1534,7 +1537,7 @@
$sql['mssql'] = $sql['mysql'];
- $sql['pgsql'] = "SELECT pid, topic, hideresults
+ $sql['pgsql'] = "SELECT pid, topic, hideresults, owner_id
FROM {$_TABLES['polltopics']}
WHERE ({$datecolumn} >= (NOW() - INTERVAL '{$_PO_CONF['newpollsinterval']} SECONDS'))
" . COM_getPermSQL('AND') . "
@@ -1548,9 +1551,13 @@
for ($x = 0; $x < $nrows; $x++) {
$A = DB_fetchArray($result);
-
- // Users who have already voted but cannot see the results cannot view link
- if ($_USER['uid'] == 2 || ($_USER['uid'] != 2 && !($A['hideresults'] == 1 && (isset($_COOKIE['poll-' . $A['pid']]) || POLLS_ipAlreadyVoted($A['pid']))))) {
+ // Users who have already voted but cannot see the results cannot view link (unless they are the admin or the owner)
+ $has_Permissions = false;
+ if (($A['hideresults'] == 0) || (isset($_USER['uid']) && ($_USER['uid'] == $A['owner_id'])) || SEC_inGroup('Root')) {
+ $has_Permissions = true;
+ }
+ if ($has_Permissions || (!$has_Permissions && !($A['hideresults'] == 1 && (isset($_COOKIE['poll-' . $A['pid']]) || POLLS_ipAlreadyVoted($A['pid']))))) {
+ //if ($_USER['uid'] == 2 || ($_USER['uid'] != 2 && !($A['hideresults'] == 1 && (isset($_COOKIE['poll-' . $A['pid']]) || POLLS_ipAlreadyVoted($A['pid']))))) {
$url = $_CONF['site_url'] . '/polls/index.php?pid=' . $A['pid'];
$title = COM_undoSpecialChars(stripslashes( $A['topic']));
$titletouse = COM_truncate($title, $_PO_CONF['title_trim_length'],