Submission now only shows edit and approve option if user has correct…

… article and topic permissions Fix for #1133
Geeklog-Core · Jun 24, 2022 · 4a99bc8 · 4a99bc8
1 parent a5fc684
commit 4a99bc8
Show file tree

Hide file tree

Showing 2 changed files with 79 additions and 48 deletions.
diff --git a/public_html/admin/moderation.php b/public_html/admin/moderation.php
@@ -460,44 +460,49 @@ function moderation($mid, $action, $type, $count)
 
             case 'approve':
                 if ($type === 'story') {
-                    $sql = "SELECT *, ta.tid
-                    FROM {$_TABLES['storysubmission']}, {$_TABLES['topic_assignments']} ta
-                    WHERE ta.type = 'article' AND ta.id = sid  AND sid = '$mid[$i]'";
-
-                    $result = DB_query($sql);
-                    $A = DB_fetchArray($result);
-                    $A['related'] = DB_escapeString(implode("\n", STORY_extractLinks($A['introtext'])));
-                    $A['owner_id'] = $A['uid'];
-                    $A['title'] = DB_escapeString($A['title']);
-                    $A['introtext'] = DB_escapeString($A['introtext']);
-                    $A['bodytext'] = DB_escapeString($A['bodytext']);
-
-                    $result = DB_query("SELECT group_id,perm_owner,perm_group,perm_members,perm_anon,archive_flag FROM {$_TABLES['topics']} WHERE tid = '{$A['tid']}'");
-                    $T = DB_fetchArray($result);
-                    if ($T['archive_flag'] == 1) {
-                        $frontPage = 0;
-                    } elseif (isset($_CONF['frontpage'])) {
-                        $frontPage = $_CONF['frontpage'];
-                    } else {
-                        $frontPage = 1;
-                    }
-
-                    SEC_setDefaultPermissions($A, $_CONF['default_permissions_story']);
-                    if (isset($_GROUPS['Story Admin'])) {
-                        $group_id = $_GROUPS['Story Admin'];
-                    } else {
-                        $group_id = SEC_getFeatureGroup('story.edit');
-                    }
-
-                    DB_save($_TABLES['stories'], 'sid,uid,title,introtext,bodytext,related,date,show_topic_icon,commentcode,trackbackcode,postmode,frontpage,owner_id,group_id,perm_owner,perm_group,perm_members,perm_anon',
-                        "'{$A['sid']}',{$A['uid']},'{$A['title']}','{$A['introtext']}','{$A['bodytext']}','{$A['related']}','{$A['date']}','{$_CONF['show_topic_icon']}','{$_CONF['comment_code']}','{$_CONF['trackback_code']}','{$A['postmode']}',$frontPage,{$A['owner_id']},$group_id,{$T['perm_owner']},{$T['perm_group']},{$T['perm_members']},{$T['perm_anon']}");
-
-                    DB_delete($_TABLES['storysubmission'], "$id", $mid[$i]);
-
-                    $approved++;
-
-                    PLG_itemSaved($A['sid'], 'article');
-                    COM_rdfUpToDateCheck();
+					// Have topic access to approve?
+					if (TOPIC_hasMultiTopicAccess('article', $mid[$i]) == 3) {
+						$sql = "SELECT *, ta.tid
+						FROM {$_TABLES['storysubmission']}, {$_TABLES['topic_assignments']} ta
+						WHERE ta.type = 'article' AND ta.id = sid  AND sid = '$mid[$i]'";
+
+						$result = DB_query($sql);
+						$A = DB_fetchArray($result);
+						$A['related'] = DB_escapeString(implode("\n", STORY_extractLinks($A['introtext'])));
+						$A['owner_id'] = $A['uid'];
+						$A['title'] = DB_escapeString($A['title']);
+						$A['introtext'] = DB_escapeString($A['introtext']);
+						$A['bodytext'] = DB_escapeString($A['bodytext']);
+
+						$result = DB_query("SELECT group_id,perm_owner,perm_group,perm_members,perm_anon,archive_flag FROM {$_TABLES['topics']} WHERE tid = '{$A['tid']}'");
+						$T = DB_fetchArray($result);
+						if ($T['archive_flag'] == 1) {
+							$frontPage = 0;
+						} elseif (isset($_CONF['frontpage'])) {
+							$frontPage = $_CONF['frontpage'];
+						} else {
+							$frontPage = 1;
+						}
+
+						SEC_setDefaultPermissions($A, $_CONF['default_permissions_story']);
+						if (isset($_GROUPS['Story Admin'])) {
+							$group_id = $_GROUPS['Story Admin'];
+						} else {
+							$group_id = SEC_getFeatureGroup('story.edit');
+						}
+
+						DB_save($_TABLES['stories'], 'sid,uid,title,introtext,bodytext,related,date,show_topic_icon,commentcode,trackbackcode,postmode,frontpage,owner_id,group_id,perm_owner,perm_group,perm_members,perm_anon',
+							"'{$A['sid']}',{$A['uid']},'{$A['title']}','{$A['introtext']}','{$A['bodytext']}','{$A['related']}','{$A['date']}','{$_CONF['show_topic_icon']}','{$_CONF['comment_code']}','{$_CONF['trackback_code']}','{$A['postmode']}',$frontPage,{$A['owner_id']},$group_id,{$T['perm_owner']},{$T['perm_group']},{$T['perm_members']},{$T['perm_anon']}");
+
+						DB_delete($_TABLES['storysubmission'], "$id", $mid[$i]);
+
+						$approved++;
+
+						PLG_itemSaved($A['sid'], 'article');
+						COM_rdfUpToDateCheck();
+					} else {
+						COM_errorLog("Someone tried to approve an article submission who didn't have edit access to the topics assigned to it.");
+					}
                 } elseif ($type === 'comment') {
                     CMT_approveModeration($mid[$i]);
                     $approved++;

diff --git a/system/lib-admin.php b/system/lib-admin.php
@@ -1254,22 +1254,48 @@ function ADMIN_getListField_moderation($fieldName, $fieldValue, $A, $icon_arr)
 
     switch ($fieldName) {
         case 'edit':
-            $retval = COM_createLink($icon_arr['edit'], $A['edit']);
+			$retval = '';
+			$show = false;
+			if ($type === 'story') {
+				// See if user has topic access to edit article (article submissions do not have permissions yet just an owner id)
+				if (TOPIC_hasMultiTopicAccess('article', $A['id']) == 3) {
+					$show = true;
+				}
+			} else {
+				$show = true;
+			}
+			if ($show) {
+				$retval = COM_createLink($icon_arr['edit'], $A['edit']);
+			}
+
             break;
 
         case 'delete':
-            $retval = COM_createControl('type-radio', array(
-                'name' => "action[{$A['row']}]",
-                'value' => 'delete'
-            ));
+			$retval = COM_createControl('type-radio', array(
+				'name' => "action[{$A['row']}]",
+				'value' => 'delete'
+			));	
+			// Include id here as any story admin user can delete but only those with appropriate topic permissions can approve
+			$retval .= "<input type=\"hidden\" name=\"id[{$A['row']}]\" value=\"{$A[0]}\"" . XHTML . ">";
             break;
 
         case 'approve':
-            $retval = COM_createControl('type-radio', array(
-                'name' => "action[{$A['row']}]",
-                'value' => 'approve'
-            ));
-            $retval .= "<input type=\"hidden\" name=\"id[{$A['row']}]\" value=\"{$A[0]}\"" . XHTML . ">";
+			$retval = '';
+			$show = false;
+			if ($type === 'story') {
+				// See if user has topic access to approve article to be published (article submissions do not have permissions yet just an owner id)
+				if (TOPIC_hasMultiTopicAccess('article', $A['id']) == 3) {
+					$show = true;
+				}
+			} else {
+				$show = true;
+			}
+			if ($show) {
+				$retval = COM_createControl('type-radio', array(
+					'name' => "action[{$A['row']}]",
+					'value' => 'approve'
+				));
+			}		
             break;
 
         case 'day':