Merge pull request #120 from dokufreaks/listingsacl

Check for forbidden access in queries
dokufreaks · May 16, 2015 · 3c66b9a · 3c66b9a
2 parents 93a3fec + fe19b13
commit 3c66b9a
Show file tree

Hide file tree

Showing 5 changed files with 23 additions and 9 deletions.
diff --git a/helper/comments.php b/helper/comments.php
@@ -570,6 +570,7 @@ public function tpl_recentcomments($tpl='default',$num=5,$blogs=array('default')
                      AND A.pid = B.pid
                      $tquery
                      AND B.status = 'visible'
+                     AND GETACCESSLEVEL(A.page) >= ".AUTH_READ."
                 ORDER BY B.created DESC
                    LIMIT ".(int) $num;
 

diff --git a/helper/entry.php b/helper/entry.php
@@ -59,7 +59,9 @@ public function load_by_pid($pid) {
             msg('BlogTNG plugin: failed to load sqlite helper plugin', -1);
             return self::RET_ERR_DB;
         }
-        $query = 'SELECT pid, page, title, blog, image, created, lastmod, author, login, mail, commentstatus FROM entries WHERE pid = ?';
+        $query = 'SELECT pid, page, title, blog, image, created, lastmod, author, login, mail, commentstatus
+                    FROM entries
+                   WHERE pid = ?';
         $resid = $this->sqlitehelper->getDB()->query($query, $pid);
         if ($resid === false) {
             msg('BlogTNG plugin: failed to load entry!', -1);
@@ -259,7 +261,6 @@ public function xhtml_tagsearch($conf, &$renderer=null){
     public function xhtml_pagination($conf){
         if(!$this->sqlitehelper->ready()) return '';
 
-        $sortkey = ($conf['sortby'] == 'random') ? 'Random()' : $conf['sortby'];
         $blog_query = '(blog = '.
                       $this->sqlitehelper->getDB()->quote_and_join($conf['blog'],
                                                           ' OR blog = ').')';
@@ -273,9 +274,10 @@ public function xhtml_pagination($conf){
         }
 
         // get the number of all matching entries
-        $query = 'SELECT A.pid
+        $query = 'SELECT A.pid, A.page
                     FROM entries A'.$tag_table.'
-                   WHERE '.$blog_query.$tag_query;
+                   WHERE '.$blog_query.$tag_query.'
+                   AND GETACCESSLEVEL(page) >= '.AUTH_READ;
         $resid = $this->sqlitehelper->getDB()->query($query);
         if (!$resid) return '';
         $count = $this->sqlitehelper->getDB()->res2count($resid);
@@ -558,6 +560,7 @@ public function tpl_related($num=5,$blogs=array('default'),$id=false,$tags=array
                      AND A.pid != '$pid'
                      AND A.pid = B.pid
                      AND B.tag IN ($tags)
+                     AND GETACCESSLEVEL(page) >= ".AUTH_READ."
                 GROUP BY B.pid HAVING cnt > 0
                 ORDER BY cnt DESC, created DESC
                    LIMIT ".(int) $num;
@@ -704,6 +707,7 @@ public function get_posts($conf) {
                          lastmod, login, author, mail, commentstatus
                     FROM entries A'.$tag_table.'
                    WHERE '.$blog_query.$tag_query.'
+                     AND GETACCESSLEVEL(page) >= '.AUTH_READ.'
                 GROUP BY A.pid
                 ORDER BY '.$sortkey.' '.$conf['sortorder'].
                  ' LIMIT '.$conf['limit'].
@@ -809,6 +813,7 @@ public function getAdjacentLinks($id = false) {
                          AND A.pid != B.pid
                          AND A.created ' . (($type == 'prev') ? '<' : '>') . ' B.created
                          AND A.blog = B.blog
+                         AND GETACCESSLEVEL(A.page) >= '.AUTH_READ.'
                     ORDER BY A.created ' . (($type == 'prev') ? 'DESC' : 'ASC') . '
                        LIMIT 1';
             $res = $this->sqlitehelper->getDB()->query($query, $pid);

diff --git a/helper/linkback.php b/helper/linkback.php
@@ -15,7 +15,7 @@ public function linkbackAllowed() {
         $entry = $this->getPost();
         return !plugin_isdisabled('blogtng') &&
                $this->getConf('receive_linkbacks') &&
-               $entry['blog'] !== '' &&
+               $entry['blog'] !== '' && $entry['blog'] !== null &&
                $entry['commentstatus'] === 'enabled';
     }
 

diff --git a/helper/sqlite.php b/helper/sqlite.php
@@ -43,5 +43,4 @@ public function getDB() {
         }
         return $this->db;
     }
-
 }
diff --git a/helper/tags.php b/helper/tags.php
@@ -63,7 +63,10 @@ public function load($pid) {
             $this->tags = array();
             return false;
         }
-        $query = 'SELECT tag FROM tags WHERE pid = ? ORDER BY tag ASC';
+        $query = 'SELECT tag
+                    FROM tags
+                   WHERE pid = ?
+                ORDER BY tag ASC';
         $resid = $this->sqlitehelper->getDB()->query($query, $this->pid);
         if ($resid === false) {
             msg('blogtng plugin: failed to load tags!', -1);
@@ -95,7 +98,9 @@ public function count($pid) {
         }
 
         $pid = trim($pid);
-        $query = 'SELECT COUNT(tag) AS tagcount FROM tags WHERE pid = ?';
+        $query = 'SELECT COUNT(tag) AS tagcount
+                    FROM tags
+                   WHERE pid = ?';
 
         $resid = $this->sqlitehelper->getDB()->query($query, $pid);
         if ($resid === false) {
@@ -113,7 +118,11 @@ public function count($pid) {
     public function load_by_blog($blogs) {
         if(!$this->sqlitehelper->ready()) return false;
 
-        $query = 'SELECT tags.tag AS tag, tags.pid AS pid FROM tags, entries WHERE tags.pid = entries.pid AND entries.blog IN ("' . implode('","', $blogs) . '")';
+        $query = 'SELECT tags.tag AS tag, tags.pid AS pid
+                    FROM tags, entries
+                   WHERE tags.pid = entries.pid
+                     AND entries.blog IN ("' . implode('","', $blogs) . '")
+                     AND GETACCESSLEVEL(page) >= '.AUTH_READ;
 
         $resid = $this->sqlitehelper->getDB()->query($query);
         if($resid) {