
Introduce helper functions and add more published checking.

1 parent 0737733 commit 490478fab7e9ce437514a3e31804dfb2bd6f5910 @dietrichm dietrichm committed Apr 6, 2012
Showing with 78 additions and 14 deletions.
  1. +1 −1 active.php
  2. +2 −2 config.php
  3. +1 −1 forum.php
  4. +3 −3 online.php
  5. +6 −4 rss.php
  6. +1 −0 search.php
  7. +61 −0 sources/functions.php
  8. +3 −3 topic.php
@@ -109,7 +109,7 @@
$max_age = intval($functions->get_config('active_topics_max_age'));
$max_age_query_part = ( $max_age > 0 ) ? " AND p2.post_time > ".(time() - $max_age * 86400) : "";
- $published_part = ( $functions->antispam_can_see_unpublished() ) ? "" : " AND p.published = 1";
+ $published_part = $functions->antispam_published_query_part('p');
$query = "SELECT t.id, t.forum_id, t.topic_title, t.last_post_id, t.count_replies, t.count_views, t.status_locked, t.status_sticky, p.poster_guest, p2.poster_guest AS last_poster_guest, p2.post_time AS last_post_time, u.id AS poster_id, u.displayed_name AS poster_name, u.level AS poster_level, u2.id AS last_poster_id, u2.displayed_name AS last_poster_name, u2.level AS last_poster_level FROM ".TABLE_PREFIX."topics t, ".TABLE_PREFIX."posts p LEFT JOIN ".TABLE_PREFIX."members u ON p.poster_id = u.id, ".TABLE_PREFIX."posts p2 LEFT JOIN ".TABLE_PREFIX."members u2 ON p2.poster_id = u2.id WHERE t.forum_id IN(".join(', ', $forum_ids).") AND p.id = t.first_post_id".$published_part." AND p2.id = t.last_post_id".$max_age_query_part." ORDER BY p2.post_time DESC LIMIT ".$functions->get_config('active_topics_count');
@@ -95,7 +95,7 @@
$conf['cookie_path'] = '';
$conf['cookie_secure'] = 0;
$conf['date_format'] = 'D M d, Y g:i a';
-$conf['debug'] = 0;
+$conf['debug'] = 2;
$conf['disable_registrations'] = 0;
$conf['disable_registrations_reason'] = 'No new users allowed at this time.';
$conf['disable_xhtml_header'] = 1;
@@ -182,7 +182,7 @@
$conf['username_max_length'] = 30;
$conf['view_active_topics_min_level'] = 0;
$conf['view_contactadmin_min_level'] = 1;
-$conf['view_detailed_online_list_min_level'] = 1;
+$conf['view_detailed_online_list_min_level'] = 0;
$conf['view_forum_stats_box_min_level'] = 1;
$conf['view_hidden_email_addresses_min_level'] = 3;
$conf['view_memberlist_min_level'] = 1;
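Review bot: `$conf['debug'] = 2;` and `$conf['view_detailed_online_list_min_level'] = 0;` change shipped defaults in a commit whose title only mentions helper functions and published checks, which suggests local development settings were committed by accident. A non-zero debug level in a default config typically surfaces error detail to every visitor, and the lowered level opens the detailed online list to guests; if both are intentional the commit message should say so, otherwise revert the two lines. The meaning of the debug levels is not visible in this hunk, so that part is inferred from the key name.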
@@ -122,7 +122,7 @@
//
// Get the topic list information in one query
//
- $published_part = ( $functions->antispam_can_see_unpublished() ) ? "" : " AND p.published = 1";
+ $published_part = $functions->antispam_published_query_part('p');
$result = $db->query("SELECT t.id, t.topic_title, t.last_post_id, t.count_replies, t.count_views, t.status_locked, t.status_sticky, p.poster_guest, p2.poster_guest AS last_poster_guest, p2.post_time AS last_post_time, u.id AS poster_id, u.displayed_name AS poster_name, u.level AS poster_level, u2.id AS last_poster_id, u2.displayed_name AS last_poster_name, u2.level AS last_poster_level FROM ".TABLE_PREFIX."topics t, ".TABLE_PREFIX."posts p LEFT JOIN ".TABLE_PREFIX."members u ON p.poster_id = u.id, ".TABLE_PREFIX."posts p2 LEFT JOIN ".TABLE_PREFIX."members u2 ON p2.poster_id = u2.id WHERE t.forum_id = ".$_GET['id']." AND p.id = t.first_post_id".$published_part." AND p2.id = t.last_post_id ORDER BY t.status_sticky DESC, p2.post_time DESC LIMIT ".$limit_start.", ".$limit_end);
while ( $topicdata = $db->fetch_result($result) ) {
@@ -140,8 +140,6 @@
}
- $published_part = ( $functions->antispam_can_see_unpublished() ) ? "" : " AND p.published = 1";
-
if ( count($ids['forums']) ) {
$result = $db->query("SELECT id, name, auth FROM ".TABLE_PREFIX."forums WHERE id IN(".join(', ', $ids['forums']).")");
@@ -156,6 +154,7 @@
if ( count($ids['topics']) ) {
+ $published_part = $functions->antispam_published_query_part('p');
$result = $db->query("SELECT t.id, t.topic_title, t.forum_id, f.auth FROM ".TABLE_PREFIX."topics t, ".TABLE_PREFIX."forums f, ".TABLE_PREFIX."posts p WHERE t.id IN(".join(', ', $ids['topics']).") AND f.id = t.forum_id AND p.id = t.first_post_id".$published_part);
while ( $topicdata = $db->fetch_result($result) ) {
@@ -168,7 +167,8 @@
if ( count($ids['posts']) ) {
- $result = $db->query("SELECT p.id, t.topic_title, t.forum_id, f.auth FROM ".TABLE_PREFIX."topics t, ".TABLE_PREFIX."posts p, ".TABLE_PREFIX."forums f WHERE p.id IN(".join(', ', $ids['posts']).") AND t.id = p.topic_id AND f.id = t.forum_id".$published_part);
+ $published_part = $functions->antispam_published_query_part(array('p', 'p1'));
+ $result = $db->query("SELECT p.id, t.topic_title, t.forum_id, f.auth FROM ".TABLE_PREFIX."topics t, ".TABLE_PREFIX."posts p, ".TABLE_PREFIX."posts p1, ".TABLE_PREFIX."forums f WHERE p.id IN(".join(', ', $ids['posts']).") AND t.id = p.topic_id AND p1.id = t.first_post_id AND f.id = t.forum_id".$published_part);
while ( $topicdata = $db->fetch_result($result) ) {
if ( $functions->auth($topicdata['auth'], 'view', $topicdata['forum_id']) )
@@ -164,7 +164,8 @@ function usebb_check_rss_access() {
$add_to_query = count($add_to_query) ? ', '.implode(', ', $add_to_query) : '';
- $result = $db->query("SELECT t.id, t.topic_title, p.poster_id, p.poster_guest, p.post_time, m.displayed_name".$add_to_query." FROM ".TABLE_PREFIX."topics t LEFT JOIN ".TABLE_PREFIX."posts p ON t.first_post_id = p.id LEFT JOIN ".TABLE_PREFIX."members m ON p.poster_id = m.id WHERE t.forum_id = ".$_GET['forum']." ORDER BY p.post_time DESC LIMIT ".$functions->get_config('rss_items_count'));
+ $published_part = $functions->antispam_published_query_part('p');
+ $result = $db->query("SELECT t.id, t.topic_title, p.poster_id, p.poster_guest, p.post_time, m.displayed_name".$add_to_query." FROM ".TABLE_PREFIX."topics t LEFT JOIN ".TABLE_PREFIX."posts p ON t.first_post_id = p.id LEFT JOIN ".TABLE_PREFIX."members m ON p.poster_id = m.id WHERE t.forum_id = ".$_GET['forum'].$published_part." ORDER BY p.post_time DESC LIMIT ".$functions->get_config('rss_items_count'));
while ( $topicdata = $db->fetch_result($result) ) {
@@ -204,7 +205,7 @@ function usebb_check_rss_access() {
//
// Get information about the topic and forum
//
- $result = $db->query("SELECT t.id, t.forum_id, t.topic_title, t.first_post_id, f.name AS forum_name, f.auth FROM ".TABLE_PREFIX."forums f, ".TABLE_PREFIX."topics t WHERE f.id = t.forum_id AND t.id = ".$_GET['topic']);
+ $result = $db->query("SELECT t.id, t.forum_id, t.topic_title, t.first_post_id, f.name AS forum_name, f.auth, p.published, p.poster_id FROM ".TABLE_PREFIX."forums f, ".TABLE_PREFIX."topics t, ".TABLE_PREFIX."posts p WHERE f.id = t.forum_id AND t.id = ".$_GET['topic']." AND p.id = t.first_post_id");
$topicdata = $db->fetch_result($result);
//
@@ -216,7 +217,7 @@ function usebb_check_rss_access() {
//
// Topic is not accessible
//
- if ( !$functions->auth($topicdata['auth'], 'read', $topicdata['forum_id']) )
+ if ( !$functions->auth($topicdata['auth'], 'read', $topicdata['forum_id']) || !$functions->antispam_check_published_viewable($topicdata) )
usebb_rss_error(403);
$topic_name = unhtml(stripslashes($topicdata['topic_title']), true);
@@ -322,7 +323,8 @@ function usebb_check_rss_access() {
$template->parse('header', 'rss', $header_vars, true);
- $result = $db->query("SELECT p.id AS post_id, p.topic_id, t.forum_id, t.topic_title, t.count_replies, p.content, p.enable_bbcode, p.enable_smilies, p.enable_html, p.poster_id, m.displayed_name AS last_poster_name, m.level AS poster_level, m.active, p.poster_guest AS last_poster_guest, p.post_time FROM ".TABLE_PREFIX."posts p LEFT JOIN ".TABLE_PREFIX."members m ON p.poster_id = m.id, ".TABLE_PREFIX."topics t WHERE t.forum_id IN(".join(', ', $forum_ids).") AND t.id = p.topic_id ORDER BY p.post_time DESC LIMIT ".$functions->get_config('rss_items_count'));
+ $published_part = $functions->antispam_published_query_part('p');
+ $result = $db->query("SELECT p.id AS post_id, p.topic_id, t.forum_id, t.topic_title, t.count_replies, p.content, p.enable_bbcode, p.enable_smilies, p.enable_html, p.poster_id, m.displayed_name AS last_poster_name, m.level AS poster_level, m.active, p.poster_guest AS last_poster_guest, p.post_time FROM ".TABLE_PREFIX."posts p LEFT JOIN ".TABLE_PREFIX."members m ON p.poster_id = m.id, ".TABLE_PREFIX."topics t WHERE t.forum_id IN(".join(', ', $forum_ids).") AND t.id = p.topic_id".$published_part." ORDER BY p.post_time DESC LIMIT ".$functions->get_config('rss_items_count'));
$reply_counts = array();
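Review bot: The rewritten query lines `WHERE t.forum_id = ".$_GET['forum'].$published_part` in the first hunk and `t.id = ".$_GET['topic']."` in the second still splice request parameters into SQL uncast and unquoted; since the commit rewrites both lines anyway, this is the moment to coerce them, e.g. `$forum_id = intval($_GET['forum']);` before the query and `$forum_id` in the string (likewise for `$_GET['topic']`). `usebb_check_rss_access`, named in the hunk headers, may already validate these values earlier in the file, but nothing in the hunks shows it. The third hunk's `antispam_check_published_viewable($topicdata)` is the right check, but it only works because the second hunk's SELECT now returns `p.published` and `p.poster_id`; a comment above that SELECT such as `// p.published and p.poster_id are required by antispam_check_published_viewable() below` would keep a later edit of the column list from silently breaking the check.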
@@ -245,6 +245,7 @@ function search_query_order_part($sort_items, $sort_by, $order, $show_mode) {
$query_where_parts[] = "f.id IN(".join(', ', $_REQUEST['forums']).")";
$query_sort_part = search_query_order_part($sort_items, $_REQUEST['sort_by'], $_REQUEST['order'], $_REQUEST['show_mode']);
+ $published_part = $functions->antispam_published_query_part('p'); // TODO first post
$result = $db->query("SELECT ".$query_select." FROM ".TABLE_PREFIX."posts p LEFT JOIN ".TABLE_PREFIX."members u ON p.poster_id = u.id, ".TABLE_PREFIX."posts p2, ".TABLE_PREFIX."topics t, ".TABLE_PREFIX."forums f WHERE p2.id = t.last_post_id AND t.id = p.topic_id AND f.id = t.forum_id AND ".join(' AND ', $query_where_parts)." ORDER BY ".$query_sort_part." LIMIT ".$functions->get_config('search_limit_results'));
$result_ids = array();
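Review bot: `$published_part` is assigned on the added line but the query on the following line never appends it, so the published filter has no effect here and unpublished posts stay searchable by members and guests. The `// TODO first post` comment suggests the topic-level check is known to be incomplete, but even the post-level filter is dead until the string is concatenated into the WHERE clause, e.g. `AND ".join(' AND ', $query_where_parts).$published_part." ORDER BY `, which works because the helper's output already starts with ` AND `. The enclosing code starts outside the hunk.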
@@ -3664,6 +3664,67 @@ function antispam_can_see_unpublished() {
return ( $this->get_user_level() > LEVEL_MEMBER );
}
+
+ /**
+ * SQL part to filter unpublished posts
+ *
+ * @param array $tables Table name(s)
+ * @param bool $and Prepend AND
+ * @returns string SQL part for WHERE
+ */
+ function antispam_published_query_part($tables, $and = TRUE) {
+
+ global $session;
+
+ $tables = (array) $tables;
+
+ // Can see unpublished, so do not filter
+ if ( $this->antispam_can_see_unpublished() || count($tables) == 0 )
+ return '';
+
+ $query = array();
+ $guest = ( $this->get_user_level() == LEVEL_GUEST );
+
+ foreach ($tables as $table) {
+
+ // Must be published...
+ $part = $table.'.published = 1';
+
+ // ...or own post
+ if ( !$guest )
+ $part .= ' OR '.$table.'.poster_id = '.$session->sess_info['user_id'];
+
+ $query[] = '( '.$part.' )';
+
+ }
+
+ $query = join(' AND ', $query);
+
+ if ( $and )
+ $query = ' AND ' . $query;
+
+ return $query;
+
+ }
+
+ /**
+ * Check whether a post with (un)published status can be seen
+ *
+ * @param array $data Data with published and poster_id
+ * @returns bool Whether can see post
+ */
+ function antispam_check_published_viewable($data) {
+
+ return (
+ $data['published'] ||
+ $this->antispam_can_see_unpublished() ||
+ (
+ $this->get_user_level() >= LEVEL_MEMBER &&
+ $data['poster_id'] == $session->sess_info['user_id']
+ )
+ );
+
+ }
/**
* Can post links
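Review bot: `antispam_check_published_viewable` reads `$session->sess_info['user_id']` without the `global $session;` that `antispam_published_query_part` declares, so inside the method `$session` is undefined, the own-post clause compares `poster_id` against null, and a member can never see their own unpublished topic through this path (while a row whose `poster_id` loosely equals null could pass, depending on how guest rows are stored). Add `global $session;` as the first statement of the method and make the comparison strict, `(int) $data['poster_id'] === (int) $session->sess_info['user_id']`. In `antispam_published_query_part` the same session value is spliced into SQL at `$table.'.poster_id = '.$session->sess_info['user_id']`; it comes from the session rather than the request, but wrapping it in `intval()` keeps the generated WHERE clause type-safe regardless of what the session layer stores. The two helpers also use different member tests (`!$guest` via `== LEVEL_GUEST` versus `>= LEVEL_MEMBER`), which diverge if any level sits between guest and member; pick one. `antispam_can_see_unpublished`'s closing lines are in the hunk but its start is outside it.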
@@ -121,7 +121,7 @@
//
require(ROOT_PATH.'sources/page_head.php');
- $result = $db->query("SELECT t.id, t.topic_title, t.status_locked, t.status_sticky, t.count_replies, t.forum_id, t.last_post_id, f.id AS forum_id, f.name AS forum_name, f.status AS forum_status, f.auth, f.hide_mods_list, p.published FROM ".TABLE_PREFIX."topics t, ".TABLE_PREFIX."forums f, ".TABLE_PREFIX."posts p WHERE t.id = ".$requested_topic." AND f.id = t.forum_id AND p.id = t.first_post_id");
+ $result = $db->query("SELECT t.id, t.topic_title, t.status_locked, t.status_sticky, t.count_replies, t.forum_id, t.last_post_id, f.id AS forum_id, f.name AS forum_name, f.status AS forum_status, f.auth, f.hide_mods_list, p.published, p.poster_id FROM ".TABLE_PREFIX."topics t, ".TABLE_PREFIX."forums f, ".TABLE_PREFIX."posts p WHERE t.id = ".$requested_topic." AND f.id = t.forum_id AND p.id = t.first_post_id");
$topicdata = $db->fetch_result($result);
if ( !$topicdata['id'] ) {
@@ -138,7 +138,7 @@
} else {
- if ( $functions->auth($topicdata['auth'], 'read', $topicdata['forum_id']) && ( $functions->antispam_can_see_unpublished() || $topicdata['published'] ) ) {
+ if ( $functions->auth($topicdata['auth'], 'read', $topicdata['forum_id']) && $functions->antispam_check_published_viewable($topicdata) ) {
//
// The user may view this topic
@@ -264,7 +264,7 @@
$userinfo_query_part = ( !$functions->get_config('hide_userinfo') ) ? ', u.posts, u.regdate, u.location' : '';
$signatures_query_part1 = ( !$functions->get_config('hide_signatures') ) ? ', p.enable_sig' : '';
$signatures_query_part2 = ( !$functions->get_config('hide_signatures') ) ? ', u.signature' : '';
- $published_part = ( $functions->antispam_can_see_unpublished() ) ? "" : " AND p.published = 1";
+ $published_part = $functions->antispam_published_query_part('p');
$result = $db->query("SELECT p.id, p.poster_id, p.poster_guest, p.poster_ip_addr, p.content, p.post_time, p.enable_bbcode, p.enable_smilies".$signatures_query_part1.", p.enable_html, p.post_edit_time, p.post_edit_by, u.displayed_name AS poster_name, u.level AS poster_level, u.rank, u.active".$avatars_query_part.$userinfo_query_part.$signatures_query_part2." FROM ( ".TABLE_PREFIX."posts p LEFT JOIN ".TABLE_PREFIX."members u ON p.poster_id = u.id ) WHERE p.topic_id = ".$requested_topic.$published_part." ORDER BY p.post_time ASC LIMIT ".$limit_start.", ".$limit_end);
