Commit in phpslash-dev on MAIN
CHANGES +6 -1 1.163 -> 1.164
Author.class +43 -13 1.4 -> 1.5
index.php +4 -4 1.5 -> 1.6
Story_base.class +24 -5 1.12 -> 1.13
+77 -23
4 modified files
Author.class, author/index.php, Story_base.class - correct permission issues when saving profile and saving stories reported by tobozo and crashfr.
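--- a/phpslash-dev/CHANGES
+++ b/phpslash-dev/CHANGES
@@ -1,4 +1,4 @@
-$Id: CHANGES,v 1.163 2005/05/09 02:24:19 lems1 Exp $
+$Id: CHANGES,v 1.164 2005/05/11 19:07:22 joestewart Exp $
 
 Changes Legend...
@@ -12,6 +12,11 @@
 W - General Work on something
 9 - Removal of something (kill -9 :)
+2005-May 11 Joe Stewart <jo...@ph...>
+[B] - Author.class, author/index.php, Story_base.class - correct permission
+ issues when saving profile and saving stories reported by tobozo and
+ crashfr.
+
 2005-May 08 Luis Mondesi <le...@ph...>
 [B] - profile.php - turned off caching on user's profile updating page.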
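--- a/phpslash-dev/include/modules/author/Author.class
+++ b/phpslash-dev/include/modules/author/Author.class
@@ -1,6 +1,6 @@
 <?php
-/* $Id: Author.class,v 1.4 2004/10/29 18:09:53 lems1 Exp $ */
+/* $Id: Author.class,v 1.5 2005/05/11 19:07:23 joestewart Exp $ */
 
 /**
 * Provides an API to the PHPSlash Author Management.
@@ -304,15 +304,12 @@
 
 global $HTTP_COOKIE_VARS;
- if ($ary['author_name'] == "") {
- $this->message .= "There is no author_name in Author.class::saveProfile";
- return false;
- }
-
+ // set the author id to the current user's session uid.
+ $ary['author_id'] = $this->auth->auth['uid'];
+ $ary['author_name'] = $this->auth->auth['uanme'];
+
 /* addslashes for the (') AND str_replace for the (") */
 $ary["quote"] = clean($ary["quote"]);
- $ary['author_name'] = clean($ary["author_name"]);
- // $ary['author_name'] = clean($ary["author_name"]);
 $ary['author_realname'] = clean($ary["author_realname"]);
 $optionname_ary = $ary[optionname];
@@ -372,11 +369,11 @@
 FROM psl_author
 WHERE author_id = '".$ary['author_id']."'");
+ // skip update if user id not found
 if ($this->db->next_record()) {
 if ($ary['password'] == "") {
 $q = "UPDATE psl_author
- SET author_name = '$ary[author_name]',
- author_realname = '$ary[author_realname]',
+ SET author_realname = '$ary[author_realname]',
 url = '$ary[url]',
 email = '$ary[email]',
 quote = '$ary[quote]',
@@ -384,8 +381,7 @@
 WHERE author_id = '$ary[author_id]'";
 } else {
 $q = "UPDATE psl_author
- SET author_name = '$ary[author_name]',
- author_realname = '$ary[author_realname]',
+ SET author_realname = '$ary[author_realname]',
 url = '$ary[url]',
 email = '$ary[email]',
 quote = '$ary[quote]',
@@ -825,6 +821,28 @@
 };
 }
+ /**
+ * getEmail - return email assign to name
+ *
+ * when given an id, getEmail returns the email
+ *
+ * @param string name
+ * @access public
+ * return author_email
+ */
+ function getEmail($id) {
+ if (!$id) {
+ return false;
+ } else {
+ $id = (int) $id;
+ $q = "SELECT email
+ FROM psl_author
+ WHERE author_id = '$id' ";
+ $this->db->query($q);
+ $this->db->next_record();
+ return $this->db->f("email");
+ };
+ }
 
 /**
 * getAuthors - returns array with author ids and names
@@ -1096,6 +1114,18 @@
 }
 return false;
 }
- 
+
+ /**
+ * getMessage - returns message text
+ *
+ * simply returns the contents of the message variable
+ *
+ * @access public
+ */
+ function getMessage() {
+ return pslgetText($this->message);
+ }
+
+
 } /* end of Author.class */
 ?>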
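Review bot: `$ary['author_name'] = $this->auth->auth['uanme'];` in the saveProfile hunk reads a misspelled session key, so author_name becomes an undefined-index null rather than the logged-in user's name; the two UPDATE statements in the following hunks no longer write author_name, so the update itself is unaffected, but any remaining use of $ary['author_name'] in saveProfile's body (which starts and ends outside the hunk) now sees an empty value. The PHPLib auth array key is `uname`, so the line should read `$ary['author_name'] = $this->auth->auth['uname'];`. The added `// skip update if user id not found` comment documents a silent no-op: no else branch for the next_record() check is visible in the hunk, so when the SELECT finds no row nothing is appended to $this->message and author/index.php can only show the generic "Profile not updated"; consider `$this->message .= "No author record for this author_id in Author.class::saveProfile";` on that path. The getEmail docblock describes a name parameter (`@param string name`, "return email assign to name") while the method takes an author id and casts it to int; change the tag to `@param integer id` and the summary to "getEmail - return the email address for an author id, or false when no id is given".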
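--- a/phpslash-dev/include/modules/author/index.php
+++ b/phpslash-dev/include/modules/author/index.php
@@ -1,6 +1,6 @@
 <?php
-/* $Id: index.php,v 1.5 2004/07/07 17:26:00 krabu Exp $ */
+/* $Id: index.php,v 1.6 2005/05/11 19:07:24 joestewart Exp $ */
 
 global $_PSL, $auth, $perm, $HTTP_GET_VARS, $HTTP_POST_VARS;
@@ -32,14 +32,14 @@
 case "update":
 if ($perm->have_perm("authorprofileSave")) {
 if($author->saveProfile($ary)) {
- $content .= getMessage("Profile Updated");
-
+ $content .= getMessage($author->getMessage());
 if (function_exists('jpcache_gc')) {
 // expire cache for this session
 jpcache_gc('string', "-slashSess-" . $sess->id, "100");
 }
 } else {
- $content .= getError("Profile not updated");
+ $content .= getError("Profile not updated");
+ $content .= getError($author->getMessage());
 }
 }
 case "edit":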
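Review bot: The success branch replaces the fixed "Profile Updated" text with `getMessage($author->getMessage())`, but the Author.class hunks in this commit only ever append to $this->message on failure paths, so unless saveProfile sets a success message somewhere outside the visible hunks the user now gets an empty success box. Keep the literal as a fallback, `$msg = $author->getMessage();` followed by `$content .= getMessage($msg != "" ? $msg : "Profile Updated");`. The same applies to the failure branch, where a second getError() box is emitted even when the class message is empty; guarding it with `if ($author->getMessage() != "")` avoids a blank error block. The switch this hunk sits in continues outside the hunk.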
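--- a/phpslash-dev/include/modules/story/Story_base.class
+++ b/phpslash-dev/include/modules/story/Story_base.class
@@ -1,6 +1,6 @@
 <?php
-/* $Id: Story_base.class,v 1.12 2004/11/04 23:01:57 joestewart Exp $ */
+/* $Id: Story_base.class,v 1.13 2005/05/11 19:07:24 joestewart Exp $ */
 
 /*
 * Class: Story_base
@@ -464,11 +464,11 @@
 */
 function saveStory($ary) {
- // Normal users can't edit another user's stories
- if((!$this->perm->have_perm('storyeditothers')) AND
- ( $ary['author_id'] != $this->auth->auth['uid'])) {
+ // Normal users can't edit another user's stories
+ if((!$this->perm->have_perm('storyeditothers')) AND (($this->authorStory($ary[story_id]) != $this->auth->auth['uid']) OR ( $ary['author_id'] != $this->auth->auth['uid']))) {
 $this->message .= pslgetText("Sorry. You do not have the necessary privilege to view this page.");
- return false;
+ logwrite("Possibly a sucker trying to crack Story_base::saveStory()", $_SERVER['REMOTE_ADDR']);
+ return false;
 }
 $isOK = true;
@@ -901,6 +901,25 @@
 }
 }
+ /*
+ * authorStory - return the Author id for a Story
+ *
+ * @param integer id
+ * @access public
+ *
+ */
+ function authorStory($id_story){
+ $q = "SELECT author_id
+ FROM psl_author, psl_story
+ WHERE psl_story.story_id = '$id_story'
+ AND psl_author.author_id = psl_story.user_id";
+ $this->db->query($q);
+ if($this->db->next_record()){
+ return $this->db->f("author_id");
+ }
+ return false;
+ }
+
 } // end of Story_base
 ?>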
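Review bot: `$id_story` is interpolated straight into the authorStory SELECT (`WHERE psl_story.story_id = '$id_story'`) with no cast or escaping, and saveStory passes it `$ary[story_id]` from the same request array whose author_id the new check no longer trusts, so the ownership lookup that enforces the permission is itself built from unsanitised input; cast it first, `$id_story = (int) $id_story;`, as getEmail does in this commit's Author.class change. When saveStory is reached for a story with no row yet, authorStory returns false, `false != $this->auth->auth['uid']` is true, and a user without storyeditothers is denied — if new stories go through this path that is a regression, so the authorStory comparison should be skipped when `$ary['story_id']` is empty. `$ary[story_id]` uses an unquoted key; write `$ary['story_id']` as the rest of the condition does. The authorStory docblock should also state that it returns false when the story is not found, and saveStory's body continues past the hunk.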