From 258fa3b40c0c60adad284ad3bc09ed33c5dc53a1 Mon Sep 17 00:00:00 2001
From: rub <rub@piwigo.org>
Date: Sat, 21 Oct 2006 12:28:07 +0000
Subject: Resolved Issue ID 0000356:   o Increase security on adviser mode

First modifications of n modifications.
All the others modifications will be done on BSF branch.


Merge branch-1_6 1568:1570 into BSF

git-svn-id: http://piwigo.org/svn/trunk@1571 68402e56-0260-453c-a942-63ccdbb3a9ee
---
 admin/notification_by_mail.php | 27 +++++++++++++++------------
 1 file changed, 15 insertions(+), 12 deletions(-)

(limited to 'admin/notification_by_mail.php')

diff --git a/admin/notification_by_mail.php b/admin/notification_by_mail.php
index 1c3a2e829..073f78b34 100644
--- a/admin/notification_by_mail.php
+++ b/admin/notification_by_mail.php
@@ -419,7 +419,7 @@ switch ($page['mode'])
     $result = pwg_query('select param, value from '.CONFIG_TABLE.' where param like \'nbm\\_%\'');
     while ($nbm_user = mysql_fetch_array($result))
     {
-      if (isset($_POST['param_submit']))
+      if (isset($_POST['param_submit']) and !is_adviser())
       {
         if (isset($_POST[$nbm_user['param']]))
         {
@@ -441,7 +441,7 @@ where
 
       // if the parameter is present in $_POST array (if a form is submited), we
       // override it with the submited value
-      if (isset($_POST[$nbm_user['param']]))
+      if (isset($_POST[$nbm_user['param']]) and !is_adviser())
       {
         $conf[$nbm_user['param']] = stripslashes($_POST[$nbm_user['param']]);
       }
@@ -461,23 +461,26 @@ where
   }
   case 'subscribe' :
   {
-    if (isset($_POST['falsify']) and isset($_POST['cat_true']))
+    if (!is_adviser())
     {
-      $check_key_treated = unsubcribe_notification_by_mail(true, $_POST['cat_true']);
-      do_timeout_treatment('cat_true', $check_key_treated);
-    }
-    else
-    if (isset($_POST['trueify']) and isset($_POST['cat_false']))
-    {
-      $check_key_treated = subcribe_notification_by_mail(true, $_POST['cat_false']);
-      do_timeout_treatment('cat_false', $check_key_treated);
+      if (isset($_POST['falsify']) and isset($_POST['cat_true']))
+      {
+        $check_key_treated = unsubcribe_notification_by_mail(true, $_POST['cat_true']);
+        do_timeout_treatment('cat_true', $check_key_treated);
+      }
+      else
+      if (isset($_POST['trueify']) and isset($_POST['cat_false']))
+      {
+        $check_key_treated = subcribe_notification_by_mail(true, $_POST['cat_false']);
+        do_timeout_treatment('cat_false', $check_key_treated);
+      }
     }
     break;
   }
 
   case 'send' :
   {
-    if (isset($_POST['send_submit']) and isset($_POST['send_selection']) and isset($_POST['send_customize_mail_content']))
+    if (isset($_POST['send_submit']) and isset($_POST['send_selection']) and isset($_POST['send_customize_mail_content']) and !is_adviser())
     {
       $check_key_treated = do_action_send_mail_notification('send', $_POST['send_selection'], stripslashes($_POST['send_customize_mail_content']));
       do_timeout_treatment('send_selection', $check_key_treated);
-- 
cgit v1.2.3