[geeklog-cvs] Geeklog-1.x/system lib-story.php,1.104,1.105

Dirk Haun dhaun at qs1489.pair.com
Mon Sep 17 14:13:50 EDT 2007


Update of /cvsroot/geeklog/Geeklog-1.x/system
In directory qs1489.pair.com:/tmp/cvs-serv55660/system

Modified Files:
	lib-story.php 
Log Message:
Added missing check for 'story.edit' permissions and sanitized the story id (which also creates a sid if the client didn't include one)


Index: lib-story.php
===================================================================
RCS file: /cvsroot/geeklog/Geeklog-1.x/system/lib-story.php,v
retrieving revision 1.104
retrieving revision 1.105
diff -C2 -d -r1.104 -r1.105
*** lib-story.php	16 Sep 2007 16:50:00 -0000	1.104
--- lib-story.php	17 Sep 2007 18:13:48 -0000	1.105
***************
*** 999,1002 ****
--- 999,1013 ----
      global $_CONF, $_TABLES, $_USER, $LANG24, $MESSAGE, $_GROUPS;
  
+     if (!SEC_hasRights('story.edit')) {
+         $output .= COM_siteHeader('menu', $MESSAGE[30]);
+         $output .= COM_startBlock($MESSAGE[30], '',
+                                   COM_getBlockTemplate('_msg_block', 'header'));
+         $output .= $MESSAGE[31];
+         $output .= COM_endBlock(COM_getBlockTemplate('_msg_block', 'footer'));
+         $output .= COM_siteFooter();
+ 
+         return PLG_RET_AUTH_FAILED;
+     }
+ 
      $gl_edit = $args['gl_edit'];
      if ($gl_edit) {
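Review bot: SEC_hasRights('story.edit') in this hunk is only a global-right check; it does not establish that the caller may edit the particular story named by $args['sid'] (owner, group and permission fields of that story), so the per-story access check must still happen once the story is loaded, otherwise any user with the global right can edit anyone's story. Also, the failure branch builds a full HTML page (COM_siteHeader ... COM_siteFooter) into $output even though the function returns PLG_RET_AUTH_FAILED and is reached before $gl_edit is examined, i.e. for webservice callers as well as the HTML form; consider emitting the HTML block only on the $gl_edit path and letting the return code carry the failure for the other.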
***************
*** 1118,1121 ****
--- 1129,1133 ----
      // END TEST CODE
  
+     $args['sid'] = COM_sanitizeID($args['sid']);
      $story = new Story();
  
***************
*** 1138,1142 ****
  
      $sid = $story->getSid();
-     $output = '';
  
      switch ($result) {
--- 1150,1153 ----
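Review bot: dropping `$output = '';` in this hunk changes the function's contract: whatever the caller already placed in $output is now preserved and the switch ($result) branches append to it. That is consistent with the new auth-failure branch earlier in the same function, which also appends with `.=`, but it relies on $output always being initialised by the caller; if this is a by-reference parameter that can arrive unset, either initialise it once at the top of the function or document in the function comment that the caller must pass an initialised string.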