forum security fix
This commit is contained in:
parent
dccdefeeea
commit
e69e464721
5 changed files with 48 additions and 23 deletions
|
|
@ -193,7 +193,16 @@ sub www_view {
|
|||
$templateId = $_[0]->get("templateId");
|
||||
}
|
||||
if ($session{form}{forumOp}) {
|
||||
return WebGUI::Forum::UI::forumOp($callback,$_[0]->get("title"),$_[0]->get("description"));
|
||||
unless ($!= $_[0]->get("wobjectId")) {
|
||||
WebGUI::ErrorHandler::security("access a forum that was not related to this message board (".$_[0]->get("wobjectId").")");
|
||||
return WebGUI::Privilege::insufficient();
|
||||
}
|
||||
return WebGUI::Forum::UI::forumOp({
|
||||
callback=>$callback,
|
||||
title=>$_[0]->get("title"),
|
||||
description=>$_[0]->get("description"),
|
||||
forumId=>$_[0]->get("forumId")
|
||||
});
|
||||
} else {
|
||||
return $_[0]->processTemplate($templateId,\%var);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -166,13 +166,16 @@ sub www_moveForumUp {
|
|||
sub www_view {
|
||||
my $callback = WebGUI::URL::page("func=view&wid=".$_[0]->get("wobjectId"));
|
||||
if ($session{form}{forumOp}) {
|
||||
my ($title, $description);
|
||||
if ($session{form}{forumId} ne "") {
|
||||
($title,$description) = WebGUI::SQL->quickArray("select title,description from MessageBoard_forums where forumId=".$session{form}{forumId});
|
||||
my $forumParam = "forumId=".$session{form}{forumId};
|
||||
$callback = WebGUI::URL::append($callback,$forumParam);
|
||||
}
|
||||
return WebGUI::Forum::UI::forumOp($callback,$title,$description);
|
||||
my ($forumId, $title, $description) = WebGUI::SQL->quickArray("select forumId, title, description from MessageBoard_forums
|
||||
where wobjectId=".$_[0]->get("wobjectId")." and forumId=".$session{form}{forumId});
|
||||
my $forumParam = "forumId=".$forumId;
|
||||
$callback = WebGUI::URL::append($callback,$forumParam);
|
||||
return WebGUI::Forum::UI::forumOp({
|
||||
callback=>$callback,
|
||||
title=>$title,
|
||||
description=>$description,
|
||||
forumId=>$forumId
|
||||
});
|
||||
}
|
||||
my %var;
|
||||
$var{title} = $_[0]->get("title");
|
||||
|
|
|
|||
|
|
@ -545,7 +545,11 @@ sub www_viewSubmission {
|
|||
return $_[0]->www_view unless ($submission->{USS_submissionId});
|
||||
my $callback = WebGUI::URL::page("func=viewSubmission&wid=".$_[0]->get("wobjectId")."&sid=".$submission->{USS_submissionId});
|
||||
if ($session{form}{forumOp}) {
|
||||
return WebGUI::Forum::UI::forumOp($callback,$submission->{title});
|
||||
return WebGUI::Forum::UI::forumOp({
|
||||
callback=>$callback,
|
||||
title=>$submission->{title},
|
||||
forumId=>$submission->{forumId}
|
||||
});
|
||||
}
|
||||
WebGUI::SQL->write("update USS_submission set views=views+1 where USS_submissionId=$session{form}{sid}");
|
||||
$var{title} = $submission->{title};
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue