Forum: Do not trust userid from hidden form field, use $USER->id inst…

…ead for db inserts
moodle · Nov 23, 2004 · 1a0c7e4 · 1a0c7e4
1 parent b442f81
commit 1a0c7e4
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/mod/forum/lib.php b/mod/forum/lib.php
@@ -2028,8 +2028,11 @@ function forum_add_attachment($post, $newfile) {
 
 function forum_add_new_post($post) {
 
+    global $USER;
+
     $post->created = $post->modified = time();
     $post->mailed = "0";
+    $post->userid = $USER->id;
 
     $newfile = $post->attachment;
     $post->attachment = "";
@@ -2051,7 +2054,10 @@ function forum_add_new_post($post) {
 
 function forum_update_post($post) {
 
+    global $USER;
+
     $post->modified = time();
+    $post->userid = $USER->id;
 
     if (!$post->parent) {   // Post is a discussion starter - update discussion title too
         set_field("forum_discussions", "name", $post->subject, "id", $post->discussion);
@@ -2108,6 +2114,7 @@ function forum_add_discussion($discussion) {
     $discussion->firstpost    = $post->id;
     $discussion->timemodified = $timenow;
     $discussion->usermodified = $post->userid;
+    $discussion->userid = $USER->id;
 
     if (! $discussion->id = insert_record("forum_discussions", $discussion) ) {
         delete_records("forum_posts", "id", $post->id);