aboutsummaryrefslogtreecommitdiffstats
path: root/admin
diff options
context:
space:
mode:
authorrub <rub@piwigo.org>2006-10-21 12:07:00 +0000
committerrub <rub@piwigo.org>2006-10-21 12:07:00 +0000
commitbc7b43345722917274a352dde49895e909fec6aa (patch)
treeb0f86667d1aa9f10b0d1e98103d51f9b6e58e1a0 /admin
parent60866f64c883091a7264299e3094c2ce733bfe91 (diff)
Resolved Issue ID 0000356:
o Increase security on adviser mode First modifications of n modifications. All the others modifications will be done on BSF branch. Merge branch-1_6 1558:1559 into BSF git-svn-id: http://piwigo.org/svn/branches/branch-1_6@1569 68402e56-0260-453c-a942-63ccdbb3a9ee
Diffstat (limited to 'admin')
-rw-r--r--admin/comments.php6
-rw-r--r--admin/configuration.php4
-rw-r--r--admin/notification_by_mail.php27
-rw-r--r--admin/picture_modify.php18
-rw-r--r--admin/tags.php6
5 files changed, 36 insertions, 25 deletions
diff --git a/admin/comments.php b/admin/comments.php
index 3d6d83268..3debab9d0 100644
--- a/admin/comments.php
+++ b/admin/comments.php
@@ -46,7 +46,7 @@ if (isset($_POST))
$to_validate = array();
$to_reject = array();
- if (isset($_POST['submit']))
+ if (isset($_POST['submit']) and !is_adviser())
{
foreach (explode(',', $_POST['list']) as $comment_id)
{
@@ -68,11 +68,11 @@ if (isset($_POST))
}
}
}
- else if (isset($_POST['validate-all']) and !empty($_POST['list']))
+ else if (isset($_POST['validate-all']) and !empty($_POST['list']) and !is_adviser())
{
$to_validate = explode(',', $_POST['list']);
}
- else if (isset($_POST['reject-all']) and !empty($_POST['list']))
+ else if (isset($_POST['reject-all']) and !empty($_POST['list']) and !is_adviser())
{
$to_reject = explode(',', $_POST['list']);
}
diff --git a/admin/configuration.php b/admin/configuration.php
index 9f01849f6..5890739d6 100644
--- a/admin/configuration.php
+++ b/admin/configuration.php
@@ -53,7 +53,7 @@ while ($row = mysql_fetch_array($result))
$conf[$row['param']] = $row['value'];
// if the parameter is present in $_POST array (if a form is submited), we
// override it with the submited value
- if (isset($_POST[$row['param']]))
+ if (isset($_POST[$row['param']]) and !is_adviser())
{
$conf[$row['param']] = $_POST[$row['param']];
if ( 'page_banner'==$row['param'] )
@@ -63,7 +63,7 @@ while ($row = mysql_fetch_array($result))
}
}
//------------------------------ verification and registration of modifications
-if (isset($_POST['submit']))
+if (isset($_POST['submit']) and !is_adviser())
{
$int_pattern = '/^\d+$/';
switch ($page['section'])
diff --git a/admin/notification_by_mail.php b/admin/notification_by_mail.php
index 1c3a2e829..073f78b34 100644
--- a/admin/notification_by_mail.php
+++ b/admin/notification_by_mail.php
@@ -419,7 +419,7 @@ switch ($page['mode'])
$result = pwg_query('select param, value from '.CONFIG_TABLE.' where param like \'nbm\\_%\'');
while ($nbm_user = mysql_fetch_array($result))
{
- if (isset($_POST['param_submit']))
+ if (isset($_POST['param_submit']) and !is_adviser())
{
if (isset($_POST[$nbm_user['param']]))
{
@@ -441,7 +441,7 @@ where
// if the parameter is present in $_POST array (if a form is submited), we
// override it with the submited value
- if (isset($_POST[$nbm_user['param']]))
+ if (isset($_POST[$nbm_user['param']]) and !is_adviser())
{
$conf[$nbm_user['param']] = stripslashes($_POST[$nbm_user['param']]);
}
@@ -461,23 +461,26 @@ where
}
case 'subscribe' :
{
- if (isset($_POST['falsify']) and isset($_POST['cat_true']))
+ if (!is_adviser())
{
- $check_key_treated = unsubcribe_notification_by_mail(true, $_POST['cat_true']);
- do_timeout_treatment('cat_true', $check_key_treated);
- }
- else
- if (isset($_POST['trueify']) and isset($_POST['cat_false']))
- {
- $check_key_treated = subcribe_notification_by_mail(true, $_POST['cat_false']);
- do_timeout_treatment('cat_false', $check_key_treated);
+ if (isset($_POST['falsify']) and isset($_POST['cat_true']))
+ {
+ $check_key_treated = unsubcribe_notification_by_mail(true, $_POST['cat_true']);
+ do_timeout_treatment('cat_true', $check_key_treated);
+ }
+ else
+ if (isset($_POST['trueify']) and isset($_POST['cat_false']))
+ {
+ $check_key_treated = subcribe_notification_by_mail(true, $_POST['cat_false']);
+ do_timeout_treatment('cat_false', $check_key_treated);
+ }
}
break;
}
case 'send' :
{
- if (isset($_POST['send_submit']) and isset($_POST['send_selection']) and isset($_POST['send_customize_mail_content']))
+ if (isset($_POST['send_submit']) and isset($_POST['send_selection']) and isset($_POST['send_customize_mail_content']) and !is_adviser())
{
$check_key_treated = do_action_send_mail_notification('send', $_POST['send_selection'], stripslashes($_POST['send_customize_mail_content']));
do_timeout_treatment('send_selection', $check_key_treated);
diff --git a/admin/picture_modify.php b/admin/picture_modify.php
index 130a43931..291d41bd0 100644
--- a/admin/picture_modify.php
+++ b/admin/picture_modify.php
@@ -70,7 +70,7 @@ if (isset($_POST['date_creation_action'])
}
}
-if (isset($_POST['submit']) and count($page['errors']) == 0)
+if (isset($_POST['submit']) and count($page['errors']) == 0 and !is_adviser())
{
$data = array();
$data{'id'} = $_GET['image_id'];
@@ -119,7 +119,9 @@ if (isset($_POST['submit']) and count($page['errors']) == 0)
// associate the element to other categories than its storage category
if (isset($_POST['associate'])
and isset($_POST['cat_dissociated'])
- and count($_POST['cat_dissociated']) > 0)
+ and count($_POST['cat_dissociated']) > 0
+ and !is_adviser()
+ )
{
associate_images_to_categories(
array($_GET['image_id']),
@@ -129,7 +131,9 @@ if (isset($_POST['associate'])
// dissociate the element from categories (but not from its storage category)
if (isset($_POST['dissociate'])
and isset($_POST['cat_associated'])
- and count($_POST['cat_associated']) > 0)
+ and count($_POST['cat_associated']) > 0
+ and !is_adviser()
+ )
{
$query = '
DELETE FROM '.IMAGE_CATEGORY_TABLE.'
@@ -143,7 +147,9 @@ DELETE FROM '.IMAGE_CATEGORY_TABLE.'
// elect the element to represent the given categories
if (isset($_POST['elect'])
and isset($_POST['cat_dismissed'])
- and count($_POST['cat_dismissed']) > 0)
+ and count($_POST['cat_dismissed']) > 0
+ and !is_adviser()
+ )
{
$datas = array();
foreach ($_POST['cat_dismissed'] as $category_id)
@@ -159,7 +165,9 @@ if (isset($_POST['elect'])
// dismiss the element as representant of the given categories
if (isset($_POST['dismiss'])
and isset($_POST['cat_elected'])
- and count($_POST['cat_elected']) > 0)
+ and count($_POST['cat_elected']) > 0
+ and !is_adviser()
+ )
{
set_random_representant($_POST['cat_elected']);
}
diff --git a/admin/tags.php b/admin/tags.php
index 95c6f7d77..3b8048bc7 100644
--- a/admin/tags.php
+++ b/admin/tags.php
@@ -37,7 +37,7 @@ check_status(ACCESS_ADMINISTRATOR);
// | edit tags |
// +-----------------------------------------------------------------------+
-if (isset($_POST['submit']))
+if (isset($_POST['submit']) and !is_adviser())
{
$query = '
SELECT name
@@ -110,7 +110,7 @@ SELECT id, name
// | delete tags |
// +-----------------------------------------------------------------------+
-if (isset($_POST['delete']) and isset($_POST['tags']))
+if (isset($_POST['delete']) and isset($_POST['tags']) and !is_adviser())
{
$query = '
SELECT name
@@ -147,7 +147,7 @@ DELETE
// | add a tag |
// +-----------------------------------------------------------------------+
-if (isset($_POST['add']) and !empty($_POST['add_tag']))
+if (isset($_POST['add']) and !empty($_POST['add_tag']) and !is_adviser())
{
$tag_name = $_POST['add_tag'];