[geeklog-cvs] Geeklog-1.x/system lib-story.php,1.104,1.105
Dirk Haun
dhaun at qs1489.pair.com
Mon Sep 17 14:13:50 EDT 2007
Update of /cvsroot/geeklog/Geeklog-1.x/system
In directory qs1489.pair.com:/tmp/cvs-serv55660/system
Modified Files:
lib-story.php
Log Message:
Added missing check for 'story.edit' permissions and sanitized the story id (which also creates a sid if the client didn't include one)
Index: lib-story.php
===================================================================
RCS file: /cvsroot/geeklog/Geeklog-1.x/system/lib-story.php,v
retrieving revision 1.104
retrieving revision 1.105
diff -C2 -d -r1.104 -r1.105
*** lib-story.php 16 Sep 2007 16:50:00 -0000 1.104
--- lib-story.php 17 Sep 2007 18:13:48 -0000 1.105
***************
*** 999,1002 ****
--- 999,1013 ----
global $_CONF, $_TABLES, $_USER, $LANG24, $MESSAGE, $_GROUPS;
+ if (!SEC_hasRights('story.edit')) {
+ $output .= COM_siteHeader('menu', $MESSAGE[30]);
+ $output .= COM_startBlock($MESSAGE[30], '',
+ COM_getBlockTemplate('_msg_block', 'header'));
+ $output .= $MESSAGE[31];
+ $output .= COM_endBlock(COM_getBlockTemplate('_msg_block', 'footer'));
+ $output .= COM_siteFooter();
+
+ return PLG_RET_AUTH_FAILED;
+ }
+
$gl_edit = $args['gl_edit'];
if ($gl_edit) {
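Review bot: the new permission block appends to `$output` with `.=` right after the `global` line, but nothing visible initializes `$output` first, and the `$output = '';` reset later in this function is removed in the same commit (third hunk); either add `$output = '';` before the `SEC_hasRights('story.edit')` check or confirm the caller always passes `$output` in initialized, otherwise PHP raises an undefined-variable notice on the first append. Since the failure path returns a `PLG_RET_*` code, also double-check that a full page built from `COM_siteHeader()` / `COM_siteFooter()` is the kind of output the callers of this service function expect rather than a bare message.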
***************
*** 1118,1121 ****
--- 1129,1133 ----
// END TEST CODE
+ $args['sid'] = COM_sanitizeID($args['sid']);
$story = new Story();
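Review bot: `COM_sanitizeID($args['sid'])` reads `$args['sid']` unconditionally, yet the log message says a sid is created when the client sent none; guard the read with `isset($args['sid']) ? $args['sid'] : ''` so a missing key does not produce an undefined-index notice before the sanitizer can generate the id. The sanitizing happens only here (line 1129 in the new file) while the function starts at line 999, so please verify that no earlier statement in the function uses the unsanitized `$args['sid']`, and that everything after this point (including the `new Story()` below) only ever sees the sanitized value.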
***************
*** 1138,1142 ****
$sid = $story->getSid();
- $output = '';
switch ($result) {
--- 1150,1153 ----
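Review bot: dropping `$output = '';` after `$sid = $story->getSid();` changes behaviour (whatever `$output` held on entry now survives into the `switch ($result)` that follows), but the log message does not mention it; add a line to the commit message explaining where the initialization moved to, so the first hunk's `.=` appends are not left relying on an initialization the reader cannot see in this diff.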