From bc7b43345722917274a352dde49895e909fec6aa Mon Sep 17 00:00:00 2001
From: rub
Date: Sat, 21 Oct 2006 12:07:00 +0000
Subject: Resolved Issue ID 0000356: o Increase security on adviser mode First modifications of n modifications. All the others modifications will be done on BSF branch. Merge branch-1_6 1558:1559 into BSF
git-svn-id: http://piwigo.org/svn/branches/branch-1_6@1569 68402e56-0260-453c-a942-63ccdbb3a9ee
---
 admin/comments.php | 6 +++---
 admin/configuration.php | 4 ++--
 admin/notification_by_mail.php | 27 +++++++++++++++------------
 admin/picture_modify.php | 18 +++++++++++++-----
 admin/tags.php | 6 +++---
 include/page_header.php | 3 ++-
 template/yoga/admin/comments.tpl | 4 ++--
 template/yoga/admin/tags.tpl | 2 +-
 8 files changed, 41 insertions(+), 29 deletions(-)
diff --git a/admin/comments.php b/admin/comments.php
index 3d6d83268..3debab9d0 100644
--- a/admin/comments.php
+++ b/admin/comments.php
@@ -46,7 +46,7 @@ if (isset($_POST))
 $to_validate = array();
 $to_reject = array();
- if (isset($_POST['submit']))
+ if (isset($_POST['submit']) and !is_adviser())
 {
 foreach (explode(',', $_POST['list']) as $comment_id)
 {
@@ -68,11 +68,11 @@ if (isset($_POST))
 }
 }
 }
- else if (isset($_POST['validate-all']) and !empty($_POST['list']))
+ else if (isset($_POST['validate-all']) and !empty($_POST['list']) and !is_adviser())
 {
 $to_validate = explode(',', $_POST['list']);
 }
- else if (isset($_POST['reject-all']) and !empty($_POST['list']))
+ else if (isset($_POST['reject-all']) and !empty($_POST['list']) and !is_adviser())
 {
 $to_reject = explode(',', $_POST['list']);
 }
diff --git a/admin/configuration.php b/admin/configuration.php
index 9f01849f6..5890739d6 100644
--- a/admin/configuration.php
+++ b/admin/configuration.php
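Review bot: An adviser who posts `submit`, `validate-all` or `reject-all` now matches none of the three branches, so `$to_validate` and `$to_reject` stay empty and the page renders as if the request had gone through — the refusal is invisible to the user and leaves no trace for anyone auditing the log. Decide once instead of appending `!is_adviser()` to every branch: put `if (is_adviser()) { /* record a refusal in the page's error list */ } else if (isset($_POST['submit']))` at the head of the chain and leave the three existing conditions as they were; the error-reporting mechanism this page uses is outside the hunk, so fill that comment in from it. Note that the enclosing `if (isset($_POST))` starts before the first hunk and is always true for a superglobal, so it is not what gates this handling.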
@@ -53,7 +53,7 @@ while ($row = mysql_fetch_array($result))
 $conf[$row['param']] = $row['value'];
 // if the parameter is present in $_POST array (if a form is submited), we
 // override it with the submited value
- if (isset($_POST[$row['param']]))
+ if (isset($_POST[$row['param']]) and !is_adviser())
 {
 $conf[$row['param']] = $_POST[$row['param']];
 if ( 'page_banner'==$row['param'] )
@@ -63,7 +63,7 @@ while ($row = mysql_fetch_array($result))
 }
 }
 //------------------------------ verification and registration of modifications
-if (isset($_POST['submit']))
+if (isset($_POST['submit']) and !is_adviser())
 {
 $int_pattern = '/^\d+$/';
 switch ($page['section'])
diff --git a/admin/notification_by_mail.php b/admin/notification_by_mail.php
index 1c3a2e829..073f78b34 100644
--- a/admin/notification_by_mail.php
+++ b/admin/notification_by_mail.php
@@ -419,7 +419,7 @@ switch ($page['mode'])
 $result = pwg_query('select param, value from '.CONFIG_TABLE.' where param like \'nbm\\_%\'');
 while ($nbm_user = mysql_fetch_array($result))
 {
- if (isset($_POST['param_submit']))
+ if (isset($_POST['param_submit']) and !is_adviser())
 {
 if (isset($_POST[$nbm_user['param']]))
 {
@@ -441,7 +441,7 @@ where
 // if the parameter is present in $_POST array (if a form is submited), we
 // override it with the submited value
- if (isset($_POST[$nbm_user['param']]))
+ if (isset($_POST[$nbm_user['param']]) and !is_adviser())
 {
 $conf[$nbm_user['param']] = stripslashes($_POST[$nbm_user['param']]);
 }
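Review bot: `is_adviser()` is now evaluated on every pass of the `while ($row = mysql_fetch_array($result))` loop in the first hunk, once per configuration row, although its answer cannot change within a request. Compute it once before the loop (the loop header is outside the hunk), `$is_adviser = is_adviser();`, and use `and !$is_adviser` in both hunks. The first hunk only stops an adviser's posted values from being echoed back into the form; it is the second hunk's guard on `isset($_POST['submit'])` that protects the stored configuration, so the comment `// override it with the submited value` should add `(ignored for advisers, who may not change configuration)` so the two guards are not mistaken for redundancy. Both guarded blocks continue past the end of their hunks.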
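Review bot: In the `param` mode the role is checked twice per `nbm_*` row, in the `param_submit` condition and again in the override condition, inside the same `while ($nbm_user = mysql_fetch_array($result))` loop, even though `is_adviser()` is fixed for the request. Hoist it once before `switch ($page['mode'])` (outside the hunk) as `$is_adviser = is_adviser();` and use `and !$is_adviser` in every mode of the switch. Keep in mind that the clause only decides who may write: the value stored at the second hunk is still `stripslashes($_POST[$nbm_user['param']])` taken as-is, so any validation has to live in the `param_submit` block, whose body continues outside the hunk.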
@@ -461,23 +461,26 @@ where
 }
 case 'subscribe' :
 {
- if (isset($_POST['falsify']) and isset($_POST['cat_true']))
+ if (!is_adviser())
 {
- $check_key_treated = unsubcribe_notification_by_mail(true, $_POST['cat_true']);
- do_timeout_treatment('cat_true', $check_key_treated);
- }
- else
- if (isset($_POST['trueify']) and isset($_POST['cat_false']))
- {
- $check_key_treated = subcribe_notification_by_mail(true, $_POST['cat_false']);
- do_timeout_treatment('cat_false', $check_key_treated);
+ if (isset($_POST['falsify']) and isset($_POST['cat_true']))
+ {
+ $check_key_treated = unsubcribe_notification_by_mail(true, $_POST['cat_true']);
+ do_timeout_treatment('cat_true', $check_key_treated);
+ }
+ else
+ if (isset($_POST['trueify']) and isset($_POST['cat_false']))
+ {
+ $check_key_treated = subcribe_notification_by_mail(true, $_POST['cat_false']);
+ do_timeout_treatment('cat_false', $check_key_treated);
+ }
 }
 break;
 }
 case 'send' :
 {
- if (isset($_POST['send_submit']) and isset($_POST['send_selection']) and isset($_POST['send_customize_mail_content']))
+ if (isset($_POST['send_submit']) and isset($_POST['send_selection']) and isset($_POST['send_customize_mail_content']) and !is_adviser())
 {
 $check_key_treated = do_action_send_mail_notification('send', $_POST['send_selection'], stripslashes($_POST['send_customize_mail_content']));
 do_timeout_treatment('send_selection', $check_key_treated);
diff --git a/admin/picture_modify.php b/admin/picture_modify.php
index 130a43931..291d41bd0 100644
--- a/admin/picture_modify.php
+++ b/admin/picture_modify.php
@@ -70,7 +70,7 @@ if (isset($_POST['date_creation_action'])
 }
 }
-if (isset($_POST['submit']) and count($page['errors']) == 0)
+if (isset($_POST['submit']) and count($page['errors']) == 0 and !is_adviser())
 {
 $data = array();
 $data{'id'} = $_GET['image_id'];
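Review bot: The same role check is written two ways inside one `switch`: the `subscribe` case wraps its body in a new `if (!is_adviser())` block, while the `send` case appends `and !is_adviser()` to its existing condition. Pick one form for both — the wrapping block is preferable here because it leaves room for an `else` — and use that `else` to record a refusal where this page collects its messages (outside the hunk), since an adviser posting `falsify`/`trueify` or `send_submit` now gets a page that looks like the action was performed. The `switch ($page['mode'])` enclosing these cases starts before the hunk, and the `send` block continues past its end.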
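Review bot: The `submit` handler is now skipped for advisers, but the `date_creation_action` block that the hunk header names as the enclosing context (`if (isset($_POST['date_creation_action'])`) runs before it and is untouched by this commit; if it does anything beyond filling `$page['errors']`, it needs the same `and !is_adviser()` clause. `is_adviser()` is also evaluated in five separate conditions in this file (here and in the four category actions below); a single `$is_adviser = is_adviser();` near the top of the script would put the rule in one auditable place. The guarded block continues past the end of the hunk.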
@@ -119,7 +119,9 @@ if (isset($_POST['submit']) and count($page['errors']) == 0)
 // associate the element to other categories than its storage category
 if (isset($_POST['associate'])
 and isset($_POST['cat_dissociated'])
- and count($_POST['cat_dissociated']) > 0)
+ and count($_POST['cat_dissociated']) > 0
+ and !is_adviser()
+ )
 {
 associate_images_to_categories(
 array($_GET['image_id']),
@@ -129,7 +131,9 @@ if (isset($_POST['associate'])
 // dissociate the element from categories (but not from its storage category)
 if (isset($_POST['dissociate'])
 and isset($_POST['cat_associated'])
- and count($_POST['cat_associated']) > 0)
+ and count($_POST['cat_associated']) > 0
+ and !is_adviser()
+ )
 {
 $query = '
 DELETE FROM '.IMAGE_CATEGORY_TABLE.'
@@ -143,7 +147,9 @@ DELETE FROM '.IMAGE_CATEGORY_TABLE.'
 // elect the element to represent the given categories
 if (isset($_POST['elect'])
 and isset($_POST['cat_dismissed'])
- and count($_POST['cat_dismissed']) > 0)
+ and count($_POST['cat_dismissed']) > 0
+ and !is_adviser()
+ )
 {
 $datas = array();
 foreach ($_POST['cat_dismissed'] as $category_id)
@@ -159,7 +165,9 @@ if (isset($_POST['elect'])
 // dismiss the element as representant of the given categories
 if (isset($_POST['dismiss'])
 and isset($_POST['cat_elected'])
- and count($_POST['cat_elected']) > 0)
+ and count($_POST['cat_elected']) > 0
+ and !is_adviser()
+ )
 {
 set_random_representant($_POST['cat_elected']);
 }
diff --git a/admin/tags.php b/admin/tags.php
index 95c6f7d77..3b8048bc7 100644
--- a/admin/tags.php
+++ b/admin/tags.php
@@ -37,7 +37,7 @@ check_status(ACCESS_ADMINISTRATOR);
 // | edit tags |
 // +-----------------------------------------------------------------------+
-if (isset($_POST['submit']))
+if (isset($_POST['submit']) and !is_adviser())
 {
 $query = '
 SELECT name
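Review bot: Each of the four category actions (`associate`, `dissociate`, `elect`, `dismiss`) now carries its own `and !is_adviser()` line, four copies of one policy that a future fifth action can silently miss; wrap the four blocks in a single `if (!is_adviser()) { ... }`, or compute `$can_edit = !is_adviser();` once and use it in each condition. The new clause restricts who may act, not what they send: `$_POST['cat_associated']` still flows into the `DELETE FROM '.IMAGE_CATEGORY_TABLE.'` query and `$_POST['cat_elected']` into `set_random_representant()`, both continuing outside the hunk, so it is worth confirming there that the ids are cast to integers before use. The `dissociate` query and the `elect` loop run past the hunk boundaries.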
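Review bot: `check_status(ACCESS_ADMINISTRATOR)` in the hunk header is the gate that admits advisers to this script, so each of the three handlers (`submit`, `delete`, `add`) has to re-check the role separately; a single decision right after that call, `$is_adviser = is_adviser();`, reused as `and !$is_adviser` in the three conditions, keeps the policy in one place and makes a forgotten handler easy to spot. An adviser's submission is otherwise dropped without any message; report the refusal wherever this page collects its errors (not visible in the hunk). The `submit` block continues past the end of the hunk.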
@@ -110,7 +110,7 @@ SELECT id, name
 // | delete tags |
 // +-----------------------------------------------------------------------+
-if (isset($_POST['delete']) and isset($_POST['tags']))
+if (isset($_POST['delete']) and isset($_POST['tags']) and !is_adviser())
 {
 $query = '
 SELECT name
@@ -147,7 +147,7 @@ DELETE
 // | add a tag |
 // +-----------------------------------------------------------------------+
-if (isset($_POST['add']) and !empty($_POST['add_tag']))
+if (isset($_POST['add']) and !empty($_POST['add_tag']) and !is_adviser())
 {
 $tag_name = $_POST['add_tag'];
diff --git a/include/page_header.php b/include/page_header.php
index 6a48b4b81..ca698fa5a 100644
--- a/include/page_header.php
+++ b/include/page_header.php
@@ -49,7 +49,8 @@ $template->assign_vars(
 'LANG'=>$lang_info['code'],
 'DIR'=>$lang_info['direction'],
- 'TAG_INPUT_ENABLED' => ((is_adviser()) ? 'disabled onclick="return false;"' : '')
+// 'TAG_INPUT_ENABLED' => ((is_adviser()) ? 'disabled onclick="return false;"' : '')
+ 'TAG_INPUT_ENABLED' => ((is_adviser()) ? '' : '')
 ));
 // refresh
diff --git a/template/yoga/admin/comments.tpl b/template/yoga/admin/comments.tpl
index 065a1c8ee..3749443ee 100644
--- a/template/yoga/admin/comments.tpl
+++ b/template/yoga/admin/comments.tpl
@@ -16,8 +16,8 @@
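Review bot: `((is_adviser()) ? '' : '')` yields `''` on both arms, so `TAG_INPUT_ENABLED` is now a constant empty string and the `is_adviser()` call is dead code, while the previous version is kept as a commented-out line above it. Replace both lines with `'TAG_INPUT_ENABLED' => '', // advisers are refused server-side (is_adviser() checks in admin/*.php); a disabled attribute was never a security control` so the intent survives, and drop the key entirely once no template still references `{TAG_INPUT_ENABLED}` (the .tpl hunks below are not legible here, so confirm against the templates). The `$template->assign_vars(` call containing this array starts before the hunk.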

- - + +

diff --git a/template/yoga/admin/tags.tpl b/template/yoga/admin/tags.tpl
index 8fe666b59..30a6e4124 100644
--- a/template/yoga/admin/tags.tpl
+++ b/template/yoga/admin/tags.tpl
@@ -45,7 +45,7 @@ {TAG_SELECTION}

- +
