diff options
author | rub <rub@piwigo.org> | 2006-10-21 12:28:07 +0000 |
---|---|---|
committer | rub <rub@piwigo.org> | 2006-10-21 12:28:07 +0000 |
commit | 258fa3b40c0c60adad284ad3bc09ed33c5dc53a1 (patch) | |
tree | 71616e49e713f5fb26038343c80a3c7b89b2fa06 /admin | |
parent | eaacbc7b2d224524eac6def04e9b721949afd4b8 (diff) |
Resolved Issue ID 0000356:
o Increase security on adviser mode
First modifications of n modifications.
All the others modifications will be done on BSF branch.
Merge branch-1_6 1568:1570 into BSF
git-svn-id: http://piwigo.org/svn/trunk@1571 68402e56-0260-453c-a942-63ccdbb3a9ee
Diffstat (limited to 'admin')
-rw-r--r-- | admin/comments.php | 6 | ||||
-rw-r--r-- | admin/configuration.php | 2 | ||||
-rw-r--r-- | admin/notification_by_mail.php | 27 | ||||
-rw-r--r-- | admin/picture_modify.php | 18 | ||||
-rw-r--r-- | admin/tags.php | 6 |
5 files changed, 35 insertions, 24 deletions
diff --git a/admin/comments.php b/admin/comments.php index 3d6d83268..3debab9d0 100644 --- a/admin/comments.php +++ b/admin/comments.php @@ -46,7 +46,7 @@ if (isset($_POST)) $to_validate = array(); $to_reject = array(); - if (isset($_POST['submit'])) + if (isset($_POST['submit']) and !is_adviser()) { foreach (explode(',', $_POST['list']) as $comment_id) { @@ -68,11 +68,11 @@ if (isset($_POST)) } } } - else if (isset($_POST['validate-all']) and !empty($_POST['list'])) + else if (isset($_POST['validate-all']) and !empty($_POST['list']) and !is_adviser()) { $to_validate = explode(',', $_POST['list']); } - else if (isset($_POST['reject-all']) and !empty($_POST['list'])) + else if (isset($_POST['reject-all']) and !empty($_POST['list']) and !is_adviser()) { $to_reject = explode(',', $_POST['list']); } diff --git a/admin/configuration.php b/admin/configuration.php index c7f204db6..d92435cdf 100644 --- a/admin/configuration.php +++ b/admin/configuration.php @@ -47,7 +47,7 @@ else $page['section'] = $_GET['section']; } //------------------------------ verification and registration of modifications -if (isset($_POST['submit'])) +if (isset($_POST['submit']) and !is_adviser()) { $int_pattern = '/^\d+$/'; switch ($page['section']) diff --git a/admin/notification_by_mail.php b/admin/notification_by_mail.php index 1c3a2e829..073f78b34 100644 --- a/admin/notification_by_mail.php +++ b/admin/notification_by_mail.php @@ -419,7 +419,7 @@ switch ($page['mode']) $result = pwg_query('select param, value from '.CONFIG_TABLE.' where param like \'nbm\\_%\''); while ($nbm_user = mysql_fetch_array($result)) { - if (isset($_POST['param_submit'])) + if (isset($_POST['param_submit']) and !is_adviser()) { if (isset($_POST[$nbm_user['param']])) { @@ -441,7 +441,7 @@ where // if the parameter is present in $_POST array (if a form is submited), we // override it with the submited value - if (isset($_POST[$nbm_user['param']])) + if (isset($_POST[$nbm_user['param']]) and !is_adviser()) { $conf[$nbm_user['param']] = stripslashes($_POST[$nbm_user['param']]); } @@ -461,23 +461,26 @@ where } case 'subscribe' : { - if (isset($_POST['falsify']) and isset($_POST['cat_true'])) + if (!is_adviser()) { - $check_key_treated = unsubcribe_notification_by_mail(true, $_POST['cat_true']); - do_timeout_treatment('cat_true', $check_key_treated); - } - else - if (isset($_POST['trueify']) and isset($_POST['cat_false'])) - { - $check_key_treated = subcribe_notification_by_mail(true, $_POST['cat_false']); - do_timeout_treatment('cat_false', $check_key_treated); + if (isset($_POST['falsify']) and isset($_POST['cat_true'])) + { + $check_key_treated = unsubcribe_notification_by_mail(true, $_POST['cat_true']); + do_timeout_treatment('cat_true', $check_key_treated); + } + else + if (isset($_POST['trueify']) and isset($_POST['cat_false'])) + { + $check_key_treated = subcribe_notification_by_mail(true, $_POST['cat_false']); + do_timeout_treatment('cat_false', $check_key_treated); + } } break; } case 'send' : { - if (isset($_POST['send_submit']) and isset($_POST['send_selection']) and isset($_POST['send_customize_mail_content'])) + if (isset($_POST['send_submit']) and isset($_POST['send_selection']) and isset($_POST['send_customize_mail_content']) and !is_adviser()) { $check_key_treated = do_action_send_mail_notification('send', $_POST['send_selection'], stripslashes($_POST['send_customize_mail_content'])); do_timeout_treatment('send_selection', $check_key_treated); diff --git a/admin/picture_modify.php b/admin/picture_modify.php index 130a43931..291d41bd0 100644 --- a/admin/picture_modify.php +++ b/admin/picture_modify.php @@ -70,7 +70,7 @@ if (isset($_POST['date_creation_action']) } } -if (isset($_POST['submit']) and count($page['errors']) == 0) +if (isset($_POST['submit']) and count($page['errors']) == 0 and !is_adviser()) { $data = array(); $data{'id'} = $_GET['image_id']; @@ -119,7 +119,9 @@ if (isset($_POST['submit']) and count($page['errors']) == 0) // associate the element to other categories than its storage category if (isset($_POST['associate']) and isset($_POST['cat_dissociated']) - and count($_POST['cat_dissociated']) > 0) + and count($_POST['cat_dissociated']) > 0 + and !is_adviser() + ) { associate_images_to_categories( array($_GET['image_id']), @@ -129,7 +131,9 @@ if (isset($_POST['associate']) // dissociate the element from categories (but not from its storage category) if (isset($_POST['dissociate']) and isset($_POST['cat_associated']) - and count($_POST['cat_associated']) > 0) + and count($_POST['cat_associated']) > 0 + and !is_adviser() + ) { $query = ' DELETE FROM '.IMAGE_CATEGORY_TABLE.' @@ -143,7 +147,9 @@ DELETE FROM '.IMAGE_CATEGORY_TABLE.' // elect the element to represent the given categories if (isset($_POST['elect']) and isset($_POST['cat_dismissed']) - and count($_POST['cat_dismissed']) > 0) + and count($_POST['cat_dismissed']) > 0 + and !is_adviser() + ) { $datas = array(); foreach ($_POST['cat_dismissed'] as $category_id) @@ -159,7 +165,9 @@ if (isset($_POST['elect']) // dismiss the element as representant of the given categories if (isset($_POST['dismiss']) and isset($_POST['cat_elected']) - and count($_POST['cat_elected']) > 0) + and count($_POST['cat_elected']) > 0 + and !is_adviser() + ) { set_random_representant($_POST['cat_elected']); } diff --git a/admin/tags.php b/admin/tags.php index 95c6f7d77..3b8048bc7 100644 --- a/admin/tags.php +++ b/admin/tags.php @@ -37,7 +37,7 @@ check_status(ACCESS_ADMINISTRATOR); // | edit tags | // +-----------------------------------------------------------------------+ -if (isset($_POST['submit'])) +if (isset($_POST['submit']) and !is_adviser()) { $query = ' SELECT name @@ -110,7 +110,7 @@ SELECT id, name // | delete tags | // +-----------------------------------------------------------------------+ -if (isset($_POST['delete']) and isset($_POST['tags'])) +if (isset($_POST['delete']) and isset($_POST['tags']) and !is_adviser()) { $query = ' SELECT name @@ -147,7 +147,7 @@ DELETE // | add a tag | // +-----------------------------------------------------------------------+ -if (isset($_POST['add']) and !empty($_POST['add_tag'])) +if (isset($_POST['add']) and !empty($_POST['add_tag']) and !is_adviser()) { $tag_name = $_POST['add_tag']; |