
Forum: Do not trust userid from hidden form field, use $USER->id inst…

…ead for db inserts
1 parent b442f81 commit 1a0c7e470b768d026016021354cb6d31105ec165 mjollnir_ committed Nov 23, 2004
Showing with 7 additions and 0 deletions.
  1. +7 −0 mod/forum/lib.php
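--- a/mod/forum/lib.php
+++ b/mod/forum/lib.php
@@ -2028,8 +2028,11 @@ function forum_add_attachment($post, $newfile) {
 function forum_add_new_post($post) {
+ global $USER;
+
 $post->created = $post->modified = time();
 $post->mailed = "0";
+ $post->userid = $USER->id;
 $newfile = $post->attachment;
 $post->attachment = "";
@@ -2051,7 +2054,10 @@ function forum_update_post($post) {
 function forum_update_post($post) {
+ global $USER;
+
 $post->modified = time();
+ $post->userid = $USER->id;
 if (!$post->parent) { // Post is a discussion starter - update discussion title too
 set_field("forum_discussions", "name", $post->subject, "id", $post->discussion);
@@ -2108,6 +2114,7 @@ function forum_add_discussion($discussion) {
 $discussion->firstpost = $post->id;
 $discussion->timemodified = $timenow;
 $discussion->usermodified = $post->userid;
+ $discussion->userid = $USER->id;
 if (! $discussion->id = insert_record("forum_discussions", $discussion) ) {
 delete_records("forum_posts", "id", $post->id);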
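Review bot: In forum_update_post the new `$post->userid = $USER->id;` replaces the post's author with whoever is editing, so if the object is later written back with its userid field, an edit made by a teacher or administrator would reassign the post to them. For an update the submitted value should be dropped rather than replaced, e.g. `unset($post->userid);`, assuming the update call only writes the fields present on the object; the rest of the function lies outside the hunk, so confirm how the record is saved. The forum_add_discussion hunk also adds `$discussion->userid = $USER->id;` without a visible `global $USER;`; the function's opening lines are outside the hunk, so check that the declaration is already there, otherwise the discussion would be stored with an empty userid.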
