diff options
author | rub <rub@piwigo.org> | 2006-10-21 12:07:00 +0000 |
---|---|---|
committer | rub <rub@piwigo.org> | 2006-10-21 12:07:00 +0000 |
commit | bc7b43345722917274a352dde49895e909fec6aa (patch) | |
tree | b0f86667d1aa9f10b0d1e98103d51f9b6e58e1a0 | |
parent | 60866f64c883091a7264299e3094c2ce733bfe91 (diff) |
Resolved Issue ID 0000356:
o Increase security on adviser mode
First modifications of n modifications.
All the others modifications will be done on BSF branch.
Merge branch-1_6 1558:1559 into BSF
git-svn-id: http://piwigo.org/svn/branches/branch-1_6@1569 68402e56-0260-453c-a942-63ccdbb3a9ee
-rw-r--r-- | admin/comments.php | 6 | ||||
-rw-r--r-- | admin/configuration.php | 4 | ||||
-rw-r--r-- | admin/notification_by_mail.php | 27 | ||||
-rw-r--r-- | admin/picture_modify.php | 18 | ||||
-rw-r--r-- | admin/tags.php | 6 | ||||
-rw-r--r-- | include/page_header.php | 3 | ||||
-rw-r--r-- | template/yoga/admin/comments.tpl | 4 | ||||
-rw-r--r-- | template/yoga/admin/tags.tpl | 2 |
8 files changed, 41 insertions, 29 deletions
diff --git a/admin/comments.php b/admin/comments.php index 3d6d83268..3debab9d0 100644 --- a/admin/comments.php +++ b/admin/comments.php @@ -46,7 +46,7 @@ if (isset($_POST)) $to_validate = array(); $to_reject = array(); - if (isset($_POST['submit'])) + if (isset($_POST['submit']) and !is_adviser()) { foreach (explode(',', $_POST['list']) as $comment_id) { @@ -68,11 +68,11 @@ if (isset($_POST)) } } } - else if (isset($_POST['validate-all']) and !empty($_POST['list'])) + else if (isset($_POST['validate-all']) and !empty($_POST['list']) and !is_adviser()) { $to_validate = explode(',', $_POST['list']); } - else if (isset($_POST['reject-all']) and !empty($_POST['list'])) + else if (isset($_POST['reject-all']) and !empty($_POST['list']) and !is_adviser()) { $to_reject = explode(',', $_POST['list']); } diff --git a/admin/configuration.php b/admin/configuration.php index 9f01849f6..5890739d6 100644 --- a/admin/configuration.php +++ b/admin/configuration.php @@ -53,7 +53,7 @@ while ($row = mysql_fetch_array($result)) $conf[$row['param']] = $row['value']; // if the parameter is present in $_POST array (if a form is submited), we // override it with the submited value - if (isset($_POST[$row['param']])) + if (isset($_POST[$row['param']]) and !is_adviser()) { $conf[$row['param']] = $_POST[$row['param']]; if ( 'page_banner'==$row['param'] ) @@ -63,7 +63,7 @@ while ($row = mysql_fetch_array($result)) } } //------------------------------ verification and registration of modifications -if (isset($_POST['submit'])) +if (isset($_POST['submit']) and !is_adviser()) { $int_pattern = '/^\d+$/'; switch ($page['section']) diff --git a/admin/notification_by_mail.php b/admin/notification_by_mail.php index 1c3a2e829..073f78b34 100644 --- a/admin/notification_by_mail.php +++ b/admin/notification_by_mail.php @@ -419,7 +419,7 @@ switch ($page['mode']) $result = pwg_query('select param, value from '.CONFIG_TABLE.' where param like \'nbm\\_%\''); while ($nbm_user = mysql_fetch_array($result)) { - if (isset($_POST['param_submit'])) + if (isset($_POST['param_submit']) and !is_adviser()) { if (isset($_POST[$nbm_user['param']])) { @@ -441,7 +441,7 @@ where // if the parameter is present in $_POST array (if a form is submited), we // override it with the submited value - if (isset($_POST[$nbm_user['param']])) + if (isset($_POST[$nbm_user['param']]) and !is_adviser()) { $conf[$nbm_user['param']] = stripslashes($_POST[$nbm_user['param']]); } @@ -461,23 +461,26 @@ where } case 'subscribe' : { - if (isset($_POST['falsify']) and isset($_POST['cat_true'])) + if (!is_adviser()) { - $check_key_treated = unsubcribe_notification_by_mail(true, $_POST['cat_true']); - do_timeout_treatment('cat_true', $check_key_treated); - } - else - if (isset($_POST['trueify']) and isset($_POST['cat_false'])) - { - $check_key_treated = subcribe_notification_by_mail(true, $_POST['cat_false']); - do_timeout_treatment('cat_false', $check_key_treated); + if (isset($_POST['falsify']) and isset($_POST['cat_true'])) + { + $check_key_treated = unsubcribe_notification_by_mail(true, $_POST['cat_true']); + do_timeout_treatment('cat_true', $check_key_treated); + } + else + if (isset($_POST['trueify']) and isset($_POST['cat_false'])) + { + $check_key_treated = subcribe_notification_by_mail(true, $_POST['cat_false']); + do_timeout_treatment('cat_false', $check_key_treated); + } } break; } case 'send' : { - if (isset($_POST['send_submit']) and isset($_POST['send_selection']) and isset($_POST['send_customize_mail_content'])) + if (isset($_POST['send_submit']) and isset($_POST['send_selection']) and isset($_POST['send_customize_mail_content']) and !is_adviser()) { $check_key_treated = do_action_send_mail_notification('send', $_POST['send_selection'], stripslashes($_POST['send_customize_mail_content'])); do_timeout_treatment('send_selection', $check_key_treated); diff --git a/admin/picture_modify.php b/admin/picture_modify.php index 130a43931..291d41bd0 100644 --- a/admin/picture_modify.php +++ b/admin/picture_modify.php @@ -70,7 +70,7 @@ if (isset($_POST['date_creation_action']) } } -if (isset($_POST['submit']) and count($page['errors']) == 0) +if (isset($_POST['submit']) and count($page['errors']) == 0 and !is_adviser()) { $data = array(); $data{'id'} = $_GET['image_id']; @@ -119,7 +119,9 @@ if (isset($_POST['submit']) and count($page['errors']) == 0) // associate the element to other categories than its storage category if (isset($_POST['associate']) and isset($_POST['cat_dissociated']) - and count($_POST['cat_dissociated']) > 0) + and count($_POST['cat_dissociated']) > 0 + and !is_adviser() + ) { associate_images_to_categories( array($_GET['image_id']), @@ -129,7 +131,9 @@ if (isset($_POST['associate']) // dissociate the element from categories (but not from its storage category) if (isset($_POST['dissociate']) and isset($_POST['cat_associated']) - and count($_POST['cat_associated']) > 0) + and count($_POST['cat_associated']) > 0 + and !is_adviser() + ) { $query = ' DELETE FROM '.IMAGE_CATEGORY_TABLE.' @@ -143,7 +147,9 @@ DELETE FROM '.IMAGE_CATEGORY_TABLE.' // elect the element to represent the given categories if (isset($_POST['elect']) and isset($_POST['cat_dismissed']) - and count($_POST['cat_dismissed']) > 0) + and count($_POST['cat_dismissed']) > 0 + and !is_adviser() + ) { $datas = array(); foreach ($_POST['cat_dismissed'] as $category_id) @@ -159,7 +165,9 @@ if (isset($_POST['elect']) // dismiss the element as representant of the given categories if (isset($_POST['dismiss']) and isset($_POST['cat_elected']) - and count($_POST['cat_elected']) > 0) + and count($_POST['cat_elected']) > 0 + and !is_adviser() + ) { set_random_representant($_POST['cat_elected']); } diff --git a/admin/tags.php b/admin/tags.php index 95c6f7d77..3b8048bc7 100644 --- a/admin/tags.php +++ b/admin/tags.php @@ -37,7 +37,7 @@ check_status(ACCESS_ADMINISTRATOR); // | edit tags | // +-----------------------------------------------------------------------+ -if (isset($_POST['submit'])) +if (isset($_POST['submit']) and !is_adviser()) { $query = ' SELECT name @@ -110,7 +110,7 @@ SELECT id, name // | delete tags | // +-----------------------------------------------------------------------+ -if (isset($_POST['delete']) and isset($_POST['tags'])) +if (isset($_POST['delete']) and isset($_POST['tags']) and !is_adviser()) { $query = ' SELECT name @@ -147,7 +147,7 @@ DELETE // | add a tag | // +-----------------------------------------------------------------------+ -if (isset($_POST['add']) and !empty($_POST['add_tag'])) +if (isset($_POST['add']) and !empty($_POST['add_tag']) and !is_adviser()) { $tag_name = $_POST['add_tag']; diff --git a/include/page_header.php b/include/page_header.php index 6a48b4b81..ca698fa5a 100644 --- a/include/page_header.php +++ b/include/page_header.php @@ -49,7 +49,8 @@ $template->assign_vars( 'LANG'=>$lang_info['code'], 'DIR'=>$lang_info['direction'], - 'TAG_INPUT_ENABLED' => ((is_adviser()) ? 'disabled onclick="return false;"' : '') +// 'TAG_INPUT_ENABLED' => ((is_adviser()) ? 'disabled onclick="return false;"' : '') + 'TAG_INPUT_ENABLED' => ((is_adviser()) ? '' : '') )); // refresh diff --git a/template/yoga/admin/comments.tpl b/template/yoga/admin/comments.tpl index 065a1c8ee..3749443ee 100644 --- a/template/yoga/admin/comments.tpl +++ b/template/yoga/admin/comments.tpl @@ -16,8 +16,8 @@ <p class="bottomButtons"> <input type="hidden" name="list" value="{LIST}" /> <input type="submit" name="submit" value="{lang:Submit}" {TAG_INPUT_ENABLED}/> - <input type="submit" name="validate-all" value="{lang:Validate All}" /> - <input type="submit" name="reject-all" value="{lang:Reject All}" /> + <input type="submit" name="validate-all" value="{lang:Validate All}" {TAG_INPUT_ENABLED}/> + <input type="submit" name="reject-all" value="{lang:Reject All}" {TAG_INPUT_ENABLED}/> <input type="reset" value="{lang:Reset}" /> </p> diff --git a/template/yoga/admin/tags.tpl b/template/yoga/admin/tags.tpl index 8fe666b59..30a6e4124 100644 --- a/template/yoga/admin/tags.tpl +++ b/template/yoga/admin/tags.tpl @@ -45,7 +45,7 @@ {TAG_SELECTION} <p> - <input type="submit" name="edit" value="{lang:Edit selected tags}" {TAG_INPUT_ENABLED}/> + <input type="submit" name="edit" value="{lang:Edit selected tags}"/> <input type="submit" name="delete" value="{lang:Delete selected tags}" onclick="return confirm('{lang:Are you sure?}');" {TAG_INPUT_ENABLED}/> </p> </fieldset> |