Commit 5f6d733b authored by Kjartan's avatar Kjartan

- node security fixes.

- fixing the UI to reflect what actually happens when you are an admin.
parent d62d65ae
......@@ -205,6 +205,12 @@ function blog_page_last() {
function blog_form(&$node, &$help, &$error) {
global $nid, $iid;
if (!$node->status) {
$node->status = 1;
$node->moderate = 1;
$node->comment = 2;
}
if (isset($node->body)) {
/*
......
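Review bot: The new guard `if (!$node->status)` in blog_form treats an explicit `status = 0` the same as an unset value, so an existing unpublished node passed through this form by reference is flipped to `status = 1` / `moderate = 1` when the form renders and, if those fields are round-tripped on submit, is re-queued for moderation. Test for absence instead: `if (!isset($node->status)) {`. The identical six-line block is added to book_form, forum_form, page_form, poll_form and story_form in this commit; it belongs in one place in node.module (where the new node object is first built) rather than copied into every type's form hook. The bare literal `2` assigned to `$node->comment` would also read better with a comment naming the comment mode it selects. blog_form's body continues outside the hunk.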
......@@ -205,6 +205,12 @@ function blog_page_last() {
function blog_form(&$node, &$help, &$error) {
global $nid, $iid;
if (!$node->status) {
$node->status = 1;
$node->moderate = 1;
$node->comment = 2;
}
if (isset($node->body)) {
/*
......
......@@ -170,6 +170,12 @@ function book_delete(&$node) {
function book_form(&$node, &$help, &$error) {
global $user, $op;
if (!$node->status) {
$node->status = 1;
$node->moderate = 1;
$node->comment = 2;
}
$output .= form_select(t("Parent"), "parent", $node->parent, book_toc(), t("The parent subject or category the page belongs in."));
if ($node->format) {
......
......@@ -170,6 +170,12 @@ function book_delete(&$node) {
function book_form(&$node, &$help, &$error) {
global $user, $op;
if (!$node->status) {
$node->status = 1;
$node->moderate = 1;
$node->comment = 2;
}
$output .= form_select(t("Parent"), "parent", $node->parent, book_toc(), t("The parent subject or category the page belongs in."));
if ($node->format) {
......
......@@ -55,6 +55,12 @@ function forum_view($node) {
function forum_form(&$node, &$help, &$error) {
if (!$node->status) {
$node->status = 1;
$node->moderate = 1;
$node->comment = 2;
}
if (function_exists("taxonomy_node_form")) {
$output = implode("", taxonomy_node_form("forum", $node));
}
......
......@@ -55,6 +55,12 @@ function forum_view($node) {
function forum_form(&$node, &$help, &$error) {
if (!$node->status) {
$node->status = 1;
$node->moderate = 1;
$node->comment = 2;
}
if (function_exists("taxonomy_node_form")) {
$output = implode("", taxonomy_node_form("forum", $node));
}
......
......@@ -861,7 +861,6 @@ function node_form($edit) {
if (user_access("administer nodes")) {
$output .= "</td><td align=\"left\" valign=\"top\">";
$output .= form_textfield(t("Authored by"), "name", $edit->name, 20, 25, $error["name"]);
$output .= form_textfield(t("Authored on"), "date", $edit->date, 20, 25, $error["date"]);
$output .= "<br />";
......@@ -883,6 +882,10 @@ function node_form($edit) {
function node_add($type) {
global $user;
if (!user_access("post content")) {
return message_access();
}
/*
** If a node type has been specified, validate it existence. If no
** (valid) node type has been provied, display a node type overview.
......@@ -916,6 +919,10 @@ function node_add($type) {
function node_edit($id) {
global $user;
if (!user_access("post content")) {
return message_access();
}
$node = node_load(array("nid" => $id));
if (node_access("update", $node)) {
......@@ -930,6 +937,10 @@ function node_edit($id) {
function node_preview($node) {
if (!user_access("post content")) {
return message_access();
}
/*
** Convert the array to an object:
*/
......@@ -989,6 +1000,10 @@ function node_preview($node) {
function node_submit($node) {
global $theme, $user, $tid;
if (!user_access("post content")) {
return message_access();
}
$context->tid = $tid;
if (user_access("post content", $context)) {
......@@ -1125,6 +1140,10 @@ function node_submit($node) {
function node_delete($edit) {
if (!user_access("post content")) {
return message_access();
}
$node = node_load(array("nid" => $edit["nid"]));
if (node_access("delete", $node)) {
......@@ -1212,32 +1231,34 @@ function node_page() {
$theme->box($title, node_delete($edit));
break;
default:
// prepare query
if ($or) {
foreach ((explode(",", $or)) as $t) {
$terms[] = "'".check_query($t)."'";
if (user_access("access content")) {
// prepare query
if ($or) {
foreach ((explode(",", $or)) as $t) {
$terms[] = "'".check_query($t)."'";
}
}
}
else if ($and) {
foreach ((explode(",", $and)) as $t) {
$terms[] = "'".check_query($t)."'";
else if ($and) {
foreach ((explode(",", $and)) as $t) {
$terms[] = "'".check_query($t)."'";
}
}
}
if ($or) {
// this is an OR of terms
$result = db_query("SELECT DISTINCT(n.nid), type FROM node n LEFT JOIN term_node r ON n.nid = r.nid WHERE tid IN (".implode(",", $terms).") AND ". ($id ? "nid = '$id'" : "promote = '1'") ." AND status = '1' ORDER BY static DESC, created DESC LIMIT ". ($user->nodes ? $user->nodes : variable_get("default_nodes_main", 10)));
}
else if ($and) {
// this is an AND
$result = db_query("SELECT n.nid, type, count(*) AS c FROM node n LEFT JOIN term_node r ON n.nid = r.nid WHERE tid IN (".implode(",", $terms).") AND ". ($id ? "nid = '$id'" : "promote = '1'") ." AND status = '1' GROUP BY n.nid HAVING c = ".count($terms)." ORDER BY static DESC, created DESC LIMIT ". ($user->nodes ? $user->nodes : variable_get("default_nodes_main", 10)));
}
else {
$result = db_query("SELECT nid, type FROM node WHERE ". ($id ? "nid = '$id'" : "promote = '1'") ." AND status = '1' ORDER BY static DESC, created DESC LIMIT ". ($user->nodes ? $user->nodes : variable_get("default_nodes_main", 10)));
}
if ($or) {
// this is an OR of terms
$result = db_query("SELECT DISTINCT(n.nid), type FROM node n LEFT JOIN term_node r ON n.nid = r.nid WHERE tid IN (".implode(",", $terms).") AND ". ($id ? "nid = '$id'" : "promote = '1'") ." AND status = '1' ORDER BY static DESC, created DESC LIMIT ". ($user->nodes ? $user->nodes : variable_get("default_nodes_main", 10)));
}
else if ($and) {
// this is an AND
$result = db_query("SELECT n.nid, type, count(*) AS c FROM node n LEFT JOIN term_node r ON n.nid = r.nid WHERE tid IN (".implode(",", $terms).") AND ". ($id ? "nid = '$id'" : "promote = '1'") ." AND status = '1' GROUP BY n.nid HAVING c = ".count($terms)." ORDER BY static DESC, created DESC LIMIT ". ($user->nodes ? $user->nodes : variable_get("default_nodes_main", 10)));
}
else {
$result = db_query("SELECT nid, type FROM node WHERE ". ($id ? "nid = '$id'" : "promote = '1'") ." AND status = '1' ORDER BY static DESC, created DESC LIMIT ". ($user->nodes ? $user->nodes : variable_get("default_nodes_main", 10)));
}
while ($node = db_fetch_object($result)) {
node_view(node_load(array("nid" => $node->nid, "type" => $node->type)), 1);
while ($node = db_fetch_object($result)) {
node_view(node_load(array("nid" => $node->nid, "type" => $node->type)), 1);
}
}
}
......@@ -1263,4 +1284,4 @@ function node_update_index() {
"select" => "SELECT n.nid as lno, n.title as text1, n.body as text2 FROM node n WHERE n.status = 1 AND moderate = 0 and (created > " . variable_get("node_cron_last", 1) . " or changed > " . variable_get("node_cron_last", 1) . ")");
}
?>
?>
\ No newline at end of file
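Review bot: The new `if (user_access("access content"))` wrapper around node_page's default branch has no else, so a visitor without that permission gets an empty page, whereas node_add, node_edit, node_preview, node_submit and node_delete in this same commit return `message_access()`; add an else that hands `message_access()` to `$theme->box()` the way the preceding case branches do. Separately, the unchanged queries inside the new block interpolate `$id` and `$user->nodes` directly into the SQL while each term is passed through `check_query()`; the origin of `$id` is not visible in this hunk, but if it is request-derived it should be cast to an integer or run through the same check before it reaches `db_query()`. node_page starts and ends outside the hunk.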
......@@ -861,7 +861,6 @@ function node_form($edit) {
if (user_access("administer nodes")) {
$output .= "</td><td align=\"left\" valign=\"top\">";
$output .= form_textfield(t("Authored by"), "name", $edit->name, 20, 25, $error["name"]);
$output .= form_textfield(t("Authored on"), "date", $edit->date, 20, 25, $error["date"]);
$output .= "<br />";
......@@ -883,6 +882,10 @@ function node_form($edit) {
function node_add($type) {
global $user;
if (!user_access("post content")) {
return message_access();
}
/*
** If a node type has been specified, validate it existence. If no
** (valid) node type has been provied, display a node type overview.
......@@ -916,6 +919,10 @@ function node_add($type) {
function node_edit($id) {
global $user;
if (!user_access("post content")) {
return message_access();
}
$node = node_load(array("nid" => $id));
if (node_access("update", $node)) {
......@@ -930,6 +937,10 @@ function node_edit($id) {
function node_preview($node) {
if (!user_access("post content")) {
return message_access();
}
/*
** Convert the array to an object:
*/
......@@ -989,6 +1000,10 @@ function node_preview($node) {
function node_submit($node) {
global $theme, $user, $tid;
if (!user_access("post content")) {
return message_access();
}
$context->tid = $tid;
if (user_access("post content", $context)) {
......@@ -1125,6 +1140,10 @@ function node_submit($node) {
function node_delete($edit) {
if (!user_access("post content")) {
return message_access();
}
$node = node_load(array("nid" => $edit["nid"]));
if (node_access("delete", $node)) {
......@@ -1212,32 +1231,34 @@ function node_page() {
$theme->box($title, node_delete($edit));
break;
default:
// prepare query
if ($or) {
foreach ((explode(",", $or)) as $t) {
$terms[] = "'".check_query($t)."'";
if (user_access("access content")) {
// prepare query
if ($or) {
foreach ((explode(",", $or)) as $t) {
$terms[] = "'".check_query($t)."'";
}
}
}
else if ($and) {
foreach ((explode(",", $and)) as $t) {
$terms[] = "'".check_query($t)."'";
else if ($and) {
foreach ((explode(",", $and)) as $t) {
$terms[] = "'".check_query($t)."'";
}
}
}
if ($or) {
// this is an OR of terms
$result = db_query("SELECT DISTINCT(n.nid), type FROM node n LEFT JOIN term_node r ON n.nid = r.nid WHERE tid IN (".implode(",", $terms).") AND ". ($id ? "nid = '$id'" : "promote = '1'") ." AND status = '1' ORDER BY static DESC, created DESC LIMIT ". ($user->nodes ? $user->nodes : variable_get("default_nodes_main", 10)));
}
else if ($and) {
// this is an AND
$result = db_query("SELECT n.nid, type, count(*) AS c FROM node n LEFT JOIN term_node r ON n.nid = r.nid WHERE tid IN (".implode(",", $terms).") AND ". ($id ? "nid = '$id'" : "promote = '1'") ." AND status = '1' GROUP BY n.nid HAVING c = ".count($terms)." ORDER BY static DESC, created DESC LIMIT ". ($user->nodes ? $user->nodes : variable_get("default_nodes_main", 10)));
}
else {
$result = db_query("SELECT nid, type FROM node WHERE ". ($id ? "nid = '$id'" : "promote = '1'") ." AND status = '1' ORDER BY static DESC, created DESC LIMIT ". ($user->nodes ? $user->nodes : variable_get("default_nodes_main", 10)));
}
if ($or) {
// this is an OR of terms
$result = db_query("SELECT DISTINCT(n.nid), type FROM node n LEFT JOIN term_node r ON n.nid = r.nid WHERE tid IN (".implode(",", $terms).") AND ". ($id ? "nid = '$id'" : "promote = '1'") ." AND status = '1' ORDER BY static DESC, created DESC LIMIT ". ($user->nodes ? $user->nodes : variable_get("default_nodes_main", 10)));
}
else if ($and) {
// this is an AND
$result = db_query("SELECT n.nid, type, count(*) AS c FROM node n LEFT JOIN term_node r ON n.nid = r.nid WHERE tid IN (".implode(",", $terms).") AND ". ($id ? "nid = '$id'" : "promote = '1'") ." AND status = '1' GROUP BY n.nid HAVING c = ".count($terms)." ORDER BY static DESC, created DESC LIMIT ". ($user->nodes ? $user->nodes : variable_get("default_nodes_main", 10)));
}
else {
$result = db_query("SELECT nid, type FROM node WHERE ". ($id ? "nid = '$id'" : "promote = '1'") ." AND status = '1' ORDER BY static DESC, created DESC LIMIT ". ($user->nodes ? $user->nodes : variable_get("default_nodes_main", 10)));
}
while ($node = db_fetch_object($result)) {
node_view(node_load(array("nid" => $node->nid, "type" => $node->type)), 1);
while ($node = db_fetch_object($result)) {
node_view(node_load(array("nid" => $node->nid, "type" => $node->type)), 1);
}
}
}
......@@ -1263,4 +1284,4 @@ function node_update_index() {
"select" => "SELECT n.nid as lno, n.title as text1, n.body as text2 FROM node n WHERE n.status = 1 AND moderate = 0 and (created > " . variable_get("node_cron_last", 1) . " or changed > " . variable_get("node_cron_last", 1) . ")");
}
?>
?>
\ No newline at end of file
......@@ -129,6 +129,12 @@ function page_view($node, $main = 0) {
function page_form(&$node, &$help, &$error) {
global $op;
if (!$node->status) {
$node->status = 1;
$node->moderate = 1;
$node->comment = 2;
}
if ($node->format) {
if ($op != t("Preview")) {
$node->body = addslashes($node->body);
......
......@@ -129,6 +129,12 @@ function page_view($node, $main = 0) {
function page_form(&$node, &$help, &$error) {
global $op;
if (!$node->status) {
$node->status = 1;
$node->moderate = 1;
$node->comment = 2;
}
if ($node->format) {
if ($op != t("Preview")) {
$node->body = addslashes($node->body);
......
......@@ -40,6 +40,12 @@ function poll_delete($node) {
}
function poll_form(&$node, &$help, &$error) {
if (!$node->status) {
$node->status = 1;
$node->moderate = 1;
$node->comment = 2;
}
$admin = user_access("administer nodes");
$_duration = array(0 => t("Unlimited"), 86400 => format_interval(86400), 172800 => format_interval(172800), 345600 => format_interval(345600), 604800 => format_interval(604800), 1209600 => format_interval(1209600), 2419200 => format_interval(2419200), 4838400 => format_interval(4838400), 9676800 => format_interval(9676800), 31536000 => format_interval(31536000));
......
......@@ -40,6 +40,12 @@ function poll_delete($node) {
}
function poll_form(&$node, &$help, &$error) {
if (!$node->status) {
$node->status = 1;
$node->moderate = 1;
$node->comment = 2;
}
$admin = user_access("administer nodes");
$_duration = array(0 => t("Unlimited"), 86400 => format_interval(86400), 172800 => format_interval(172800), 345600 => format_interval(345600), 604800 => format_interval(604800), 1209600 => format_interval(1209600), 2419200 => format_interval(2419200), 4838400 => format_interval(4838400), 9676800 => format_interval(9676800), 31536000 => format_interval(31536000));
......
......@@ -65,6 +65,12 @@ function story_link($type) {
function story_form(&$node, &$help, &$error) {
if (!$node->status) {
$node->status = 1;
$node->moderate = 1;
$node->comment = 2;
}
if (isset($node->body)) {
/*
......
......@@ -65,6 +65,12 @@ function story_link($type) {
function story_form(&$node, &$help, &$error) {
if (!$node->status) {
$node->status = 1;
$node->moderate = 1;
$node->comment = 2;
}
if (isset($node->body)) {
/*
......