forum security fix

JT Smith 2003-11-16 23:59:21 +00:00
parent dccdefeeea
commit e69e464721
5 changed files with 48 additions and 23 deletions


@ -193,7 +193,16 @@ sub www_view {
$templateId = $_[0]->get("templateId");
}
if ($session{form}{forumOp}) {
return WebGUI::Forum::UI::forumOp($callback,$_[0]->get("title"),$_[0]->get("description"));
unless ($!= $_[0]->get("wobjectId")) {
WebGUI::ErrorHandler::security("access a forum that was not related to this message board (".$_[0]->get("wobjectId").")");
return WebGUI::Privilege::insufficient();
}
return WebGUI::Forum::UI::forumOp({
callback=>$callback,
title=>$_[0]->get("title"),
description=>$_[0]->get("description"),
forumId=>$_[0]->get("forumId")
});
} else {
return $_[0]->processTemplate($templateId,\%var);
}
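Review bot: The guard `unless ($!= $_[0]->get("wobjectId"))` compares nothing from the request. As rendered it assigns the wobjectId to `$!` and tests the result, so the security branch would run only when wobjectId is empty or zero. The left-hand side may have been lost in rendering, so check this against the file. If the intent is to refuse a forum that does not belong to this wobject, the test should compare the requested id with the stored one, something like `unless ($session{form}{forumId} eq "" || $session{form}{forumId} == $_[0]->get("forumId")) {`. The security log message should also record the requested id alongside the wobjectId so the entry is useful for triage. www_view starts and ends outside this hunk.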


@ -166,13 +166,16 @@ sub www_moveForumUp {
sub www_view {
my $callback = WebGUI::URL::page("func=view&wid=".$_[0]->get("wobjectId"));
if ($session{form}{forumOp}) {
my ($title, $description);
if ($session{form}{forumId} ne "") {
($title,$description) = WebGUI::SQL->quickArray("select title,description from MessageBoard_forums where forumId=".$session{form}{forumId});
my $forumParam = "forumId=".$session{form}{forumId};
$callback = WebGUI::URL::append($callback,$forumParam);
}
return WebGUI::Forum::UI::forumOp($callback,$title,$description);
my ($forumId, $title, $description) = WebGUI::SQL->quickArray("select forumId, title, description from MessageBoard_forums
where wobjectId=".$_[0]->get("wobjectId")." and forumId=".$session{form}{forumId});
my $forumParam = "forumId=".$forumId;
$callback = WebGUI::URL::append($callback,$forumParam);
return WebGUI::Forum::UI::forumOp({
callback=>$callback,
title=>$title,
description=>$description,
forumId=>$forumId
});
}
my %var;
$var{title} = $_[0]->get("title");
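Review bot: The new query still concatenates `$session{form}{forumId}` into the SQL text without validation, so the added `wobjectId=` restriction is only as strong as that unchecked form value. The old `ne ""` guard is also gone, so an empty forumId now produces a malformed statement. Assuming forum ids are numeric, validate before the query with `return WebGUI::Privilege::insufficient() unless ($session{form}{forumId} =~ /\A\d+\z/);`. After the query, add `return WebGUI::Privilege::insufficient() unless ($forumId);` so that a forum belonging to another message board is refused instead of reaching forumOp with an undefined forumId. www_view continues past the end of this hunk.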


@ -545,7 +545,11 @@ sub www_viewSubmission {
return $_[0]->www_view unless ($submission->{USS_submissionId});
my $callback = WebGUI::URL::page("func=viewSubmission&wid=".$_[0]->get("wobjectId")."&sid=".$submission->{USS_submissionId});
if ($session{form}{forumOp}) {
return WebGUI::Forum::UI::forumOp($callback,$submission->{title});
return WebGUI::Forum::UI::forumOp({
callback=>$callback,
title=>$submission->{title},
forumId=>$submission->{forumId}
});
}
WebGUI::SQL->write("update USS_submission set views=views+1 where USS_submissionId=$session{form}{sid}");
$var{title} = $submission->{title};
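Review bot: The `update USS_submission ... where USS_submissionId=$session{form}{sid}` statement right after the changed block still interpolates the raw form value into SQL, and this commit leaves it untouched. The submission row has already been loaded and checked at the top of the hunk, so the statement can use the stored key instead: `WebGUI::SQL->write("update USS_submission set views=views+1 where USS_submissionId=".$submission->{USS_submissionId});`. How `$submission` is fetched, and whether `sid` is validated there, is outside the hunk and should be confirmed. The new forumOp call also passes `$submission->{forumId}` without checking that it is set, so a short comment stating what forumOp does with an empty forumId would help the next reader.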