authorKjartan Mannes <kjartan@2.no-reply.drupal.org>2002-05-22 23:28:48 +0000
committerKjartan Mannes <kjartan@2.no-reply.drupal.org>2002-05-22 23:28:48 +0000
commit5f6d733b70cdc374053e1e415d225008e04bbef4 (patch)
treed220871eb4032ce56a15e745d94eb6fa62a081e5
parentd62d65ae7ec31ea8e4e3435f06015673e45e9e2b (diff)
downloadbrdo-5f6d733b70cdc374053e1e415d225008e04bbef4.tar.gz
brdo-5f6d733b70cdc374053e1e415d225008e04bbef4.tar.bz2
- node security fixes.
- fixing the UI to represent what actually happens when you are an admin.
-rw-r--r--modules/blog.module6
-rw-r--r--modules/blog/blog.module6
-rw-r--r--modules/book.module6
-rw-r--r--modules/book/book.module6
-rw-r--r--modules/forum.module6
-rw-r--r--modules/forum/forum.module6
-rw-r--r--modules/node.module69
-rw-r--r--modules/node/node.module69
-rw-r--r--modules/page.module6
-rw-r--r--modules/page/page.module6
-rw-r--r--modules/poll.module6
-rw-r--r--modules/poll/poll.module6
-rw-r--r--modules/story.module6
-rw-r--r--modules/story/story.module6
14 files changed, 162 insertions, 48 deletions
diff --git a/modules/blog.module b/modules/blog.module
index b41323538..2677f8e04 100644
--- a/modules/blog.module
+++ b/modules/blog.module
@@ -205,6 +205,12 @@ function blog_page_last() {
function blog_form(&$node, &$help, &$error) {
global $nid, $iid;
+ if (!$node->status) {
+ $node->status = 1;
+ $node->moderate = 1;
+ $node->comment = 2;
+ }
+
if (isset($node->body)) {
/*
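Review bot: `if (!$node->status)` tests truthiness, so an existing node stored as unpublished (status 0, the value node_page's query excludes with `status = '1'`) is reset to status 1, moderate 1 and comment 2 every time its edit form is built, and those are the values the form then presents and presumably submits back. Since the intent reads as "initialise a brand-new node", the guard should test presence rather than value, e.g. `if (!isset($node->status)) {`, matching the `isset($node->body)` check directly below it. The same six-line block is pasted into book_form, forum_form, page_form, poll_form and story_form (and the duplicated modules/*/ file sections); keeping one default in node.module's form path would stop the six copies from drifting. blog_form's body continues past this hunk.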
diff --git a/modules/blog/blog.module b/modules/blog/blog.module
index b41323538..2677f8e04 100644
--- a/modules/blog/blog.module
+++ b/modules/blog/blog.module
@@ -205,6 +205,12 @@ function blog_page_last() {
function blog_form(&$node, &$help, &$error) {
global $nid, $iid;
+ if (!$node->status) {
+ $node->status = 1;
+ $node->moderate = 1;
+ $node->comment = 2;
+ }
+
if (isset($node->body)) {
/*
diff --git a/modules/book.module b/modules/book.module
index 925261196..055b3681e 100644
--- a/modules/book.module
+++ b/modules/book.module
@@ -170,6 +170,12 @@ function book_delete(&$node) {
function book_form(&$node, &$help, &$error) {
global $user, $op;
+ if (!$node->status) {
+ $node->status = 1;
+ $node->moderate = 1;
+ $node->comment = 2;
+ }
+
$output .= form_select(t("Parent"), "parent", $node->parent, book_toc(), t("The parent subject or category the page belongs in."));
if ($node->format) {
diff --git a/modules/book/book.module b/modules/book/book.module
index 925261196..055b3681e 100644
--- a/modules/book/book.module
+++ b/modules/book/book.module
@@ -170,6 +170,12 @@ function book_delete(&$node) {
function book_form(&$node, &$help, &$error) {
global $user, $op;
+ if (!$node->status) {
+ $node->status = 1;
+ $node->moderate = 1;
+ $node->comment = 2;
+ }
+
$output .= form_select(t("Parent"), "parent", $node->parent, book_toc(), t("The parent subject or category the page belongs in."));
if ($node->format) {
diff --git a/modules/forum.module b/modules/forum.module
index e5b487f09..69a26b289 100644
--- a/modules/forum.module
+++ b/modules/forum.module
@@ -55,6 +55,12 @@ function forum_view($node) {
function forum_form(&$node, &$help, &$error) {
+ if (!$node->status) {
+ $node->status = 1;
+ $node->moderate = 1;
+ $node->comment = 2;
+ }
+
if (function_exists("taxonomy_node_form")) {
$output = implode("", taxonomy_node_form("forum", $node));
}
diff --git a/modules/forum/forum.module b/modules/forum/forum.module
index e5b487f09..69a26b289 100644
--- a/modules/forum/forum.module
+++ b/modules/forum/forum.module
@@ -55,6 +55,12 @@ function forum_view($node) {
function forum_form(&$node, &$help, &$error) {
+ if (!$node->status) {
+ $node->status = 1;
+ $node->moderate = 1;
+ $node->comment = 2;
+ }
+
if (function_exists("taxonomy_node_form")) {
$output = implode("", taxonomy_node_form("forum", $node));
}
diff --git a/modules/node.module b/modules/node.module
index 8419f2ba4..a74dacaf3 100644
--- a/modules/node.module
+++ b/modules/node.module
@@ -861,7 +861,6 @@ function node_form($edit) {
if (user_access("administer nodes")) {
$output .= "</td><td align=\"left\" valign=\"top\">";
-
$output .= form_textfield(t("Authored by"), "name", $edit->name, 20, 25, $error["name"]);
$output .= form_textfield(t("Authored on"), "date", $edit->date, 20, 25, $error["date"]);
$output .= "<br />";
@@ -883,6 +882,10 @@ function node_form($edit) {
function node_add($type) {
global $user;
+ if (!user_access("post content")) {
+ return message_access();
+ }
+
/*
** If a node type has been specified, validate it existence. If no
** (valid) node type has been provied, display a node type overview.
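Review bot: The new `user_access("post content")` gate is pasted verbatim into node_add, node_edit, node_preview, node_submit and node_delete (and again in the duplicated modules/node/node.module section); if these are reached only through node_page's switch, the check belongs once in that dispatcher, where it cannot be forgotten when the next case is added. For node_edit and node_delete the gate is also coarser than the operation it protects: "post content" names creation, while the `node_access("update", $node)` / `node_access("delete", $node)` checks that follow are what actually authorise those operations, so a role that holds update or delete rights but not "post content" would now be locked out unless user_access short-circuits for administrators, which I cannot see from here. Either keep the gate and record that intent in a comment above it, `// Coarse pre-check; per-node rights are enforced by node_access() below.`, or gate on a permission that matches the operation. node_add's body continues past this hunk.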
@@ -916,6 +919,10 @@ function node_add($type) {
function node_edit($id) {
global $user;
+ if (!user_access("post content")) {
+ return message_access();
+ }
+
$node = node_load(array("nid" => $id));
if (node_access("update", $node)) {
@@ -930,6 +937,10 @@ function node_edit($id) {
function node_preview($node) {
+ if (!user_access("post content")) {
+ return message_access();
+ }
+
/*
** Convert the array to an object:
*/
@@ -989,6 +1000,10 @@ function node_preview($node) {
function node_submit($node) {
global $theme, $user, $tid;
+ if (!user_access("post content")) {
+ return message_access();
+ }
+
$context->tid = $tid;
if (user_access("post content", $context)) {
@@ -1125,6 +1140,10 @@ function node_submit($node) {
function node_delete($edit) {
+ if (!user_access("post content")) {
+ return message_access();
+ }
+
$node = node_load(array("nid" => $edit["nid"]));
if (node_access("delete", $node)) {
@@ -1212,32 +1231,34 @@ function node_page() {
$theme->box($title, node_delete($edit));
break;
default:
- // prepare query
- if ($or) {
- foreach ((explode(",", $or)) as $t) {
- $terms[] = "'".check_query($t)."'";
+ if (user_access("access content")) {
+ // prepare query
+ if ($or) {
+ foreach ((explode(",", $or)) as $t) {
+ $terms[] = "'".check_query($t)."'";
+ }
}
- }
- else if ($and) {
- foreach ((explode(",", $and)) as $t) {
- $terms[] = "'".check_query($t)."'";
+ else if ($and) {
+ foreach ((explode(",", $and)) as $t) {
+ $terms[] = "'".check_query($t)."'";
+ }
}
- }
- if ($or) {
- // this is an OR of terms
- $result = db_query("SELECT DISTINCT(n.nid), type FROM node n LEFT JOIN term_node r ON n.nid = r.nid WHERE tid IN (".implode(",", $terms).") AND ". ($id ? "nid = '$id'" : "promote = '1'") ." AND status = '1' ORDER BY static DESC, created DESC LIMIT ". ($user->nodes ? $user->nodes : variable_get("default_nodes_main", 10)));
- }
- else if ($and) {
- // this is an AND
- $result = db_query("SELECT n.nid, type, count(*) AS c FROM node n LEFT JOIN term_node r ON n.nid = r.nid WHERE tid IN (".implode(",", $terms).") AND ". ($id ? "nid = '$id'" : "promote = '1'") ." AND status = '1' GROUP BY n.nid HAVING c = ".count($terms)." ORDER BY static DESC, created DESC LIMIT ". ($user->nodes ? $user->nodes : variable_get("default_nodes_main", 10)));
- }
- else {
- $result = db_query("SELECT nid, type FROM node WHERE ". ($id ? "nid = '$id'" : "promote = '1'") ." AND status = '1' ORDER BY static DESC, created DESC LIMIT ". ($user->nodes ? $user->nodes : variable_get("default_nodes_main", 10)));
- }
+ if ($or) {
+ // this is an OR of terms
+ $result = db_query("SELECT DISTINCT(n.nid), type FROM node n LEFT JOIN term_node r ON n.nid = r.nid WHERE tid IN (".implode(",", $terms).") AND ". ($id ? "nid = '$id'" : "promote = '1'") ." AND status = '1' ORDER BY static DESC, created DESC LIMIT ". ($user->nodes ? $user->nodes : variable_get("default_nodes_main", 10)));
+ }
+ else if ($and) {
+ // this is an AND
+ $result = db_query("SELECT n.nid, type, count(*) AS c FROM node n LEFT JOIN term_node r ON n.nid = r.nid WHERE tid IN (".implode(",", $terms).") AND ". ($id ? "nid = '$id'" : "promote = '1'") ." AND status = '1' GROUP BY n.nid HAVING c = ".count($terms)." ORDER BY static DESC, created DESC LIMIT ". ($user->nodes ? $user->nodes : variable_get("default_nodes_main", 10)));
+ }
+ else {
+ $result = db_query("SELECT nid, type FROM node WHERE ". ($id ? "nid = '$id'" : "promote = '1'") ." AND status = '1' ORDER BY static DESC, created DESC LIMIT ". ($user->nodes ? $user->nodes : variable_get("default_nodes_main", 10)));
+ }
- while ($node = db_fetch_object($result)) {
- node_view(node_load(array("nid" => $node->nid, "type" => $node->type)), 1);
+ while ($node = db_fetch_object($result)) {
+ node_view(node_load(array("nid" => $node->nid, "type" => $node->type)), 1);
+ }
}
}
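Review bot: On the new side `$id` is still interpolated straight into the SQL string in all three branches (`nid = '$id'`) while the taxonomy terms a few lines above are passed through `check_query()`; the new permission wrapper does not change that. Wherever `$id` comes from (presumably the request), normalising it once before the branch, `$id = (int) $id;` (or `check_query($id)` to match the terms), keeps the query consistent, and the same applies to `$user->nodes` in the LIMIT clause if that is a user-editable setting. Separately, the `if (user_access("access content"))` wrapper has no else branch, so an unauthorised visitor gets an empty page rather than the `message_access()` response the other node_* entry points now return; an else branch that renders `message_access()` the way the other cases do via `$theme->box` would keep the behaviour consistent. The duplicate modules/node/node.module section carries the same hunk. node_page's body starts before and ends after this hunk.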
@@ -1263,4 +1284,4 @@ function node_update_index() {
"select" => "SELECT n.nid as lno, n.title as text1, n.body as text2 FROM node n WHERE n.status = 1 AND moderate = 0 and (created > " . variable_get("node_cron_last", 1) . " or changed > " . variable_get("node_cron_last", 1) . ")");
}
-?>
+?> \ No newline at end of file
diff --git a/modules/node/node.module b/modules/node/node.module
index 8419f2ba4..a74dacaf3 100644
--- a/modules/node/node.module
+++ b/modules/node/node.module
@@ -861,7 +861,6 @@ function node_form($edit) {
if (user_access("administer nodes")) {
$output .= "</td><td align=\"left\" valign=\"top\">";
-
$output .= form_textfield(t("Authored by"), "name", $edit->name, 20, 25, $error["name"]);
$output .= form_textfield(t("Authored on"), "date", $edit->date, 20, 25, $error["date"]);
$output .= "<br />";
@@ -883,6 +882,10 @@ function node_form($edit) {
function node_add($type) {
global $user;
+ if (!user_access("post content")) {
+ return message_access();
+ }
+
/*
** If a node type has been specified, validate it existence. If no
** (valid) node type has been provied, display a node type overview.
@@ -916,6 +919,10 @@ function node_add($type) {
function node_edit($id) {
global $user;
+ if (!user_access("post content")) {
+ return message_access();
+ }
+
$node = node_load(array("nid" => $id));
if (node_access("update", $node)) {
@@ -930,6 +937,10 @@ function node_edit($id) {
function node_preview($node) {
+ if (!user_access("post content")) {
+ return message_access();
+ }
+
/*
** Convert the array to an object:
*/
@@ -989,6 +1000,10 @@ function node_preview($node) {
function node_submit($node) {
global $theme, $user, $tid;
+ if (!user_access("post content")) {
+ return message_access();
+ }
+
$context->tid = $tid;
if (user_access("post content", $context)) {
@@ -1125,6 +1140,10 @@ function node_submit($node) {
function node_delete($edit) {
+ if (!user_access("post content")) {
+ return message_access();
+ }
+
$node = node_load(array("nid" => $edit["nid"]));
if (node_access("delete", $node)) {
@@ -1212,32 +1231,34 @@ function node_page() {
$theme->box($title, node_delete($edit));
break;
default:
- // prepare query
- if ($or) {
- foreach ((explode(",", $or)) as $t) {
- $terms[] = "'".check_query($t)."'";
+ if (user_access("access content")) {
+ // prepare query
+ if ($or) {
+ foreach ((explode(",", $or)) as $t) {
+ $terms[] = "'".check_query($t)."'";
+ }
}
- }
- else if ($and) {
- foreach ((explode(",", $and)) as $t) {
- $terms[] = "'".check_query($t)."'";
+ else if ($and) {
+ foreach ((explode(",", $and)) as $t) {
+ $terms[] = "'".check_query($t)."'";
+ }
}
- }
- if ($or) {
- // this is an OR of terms
- $result = db_query("SELECT DISTINCT(n.nid), type FROM node n LEFT JOIN term_node r ON n.nid = r.nid WHERE tid IN (".implode(",", $terms).") AND ". ($id ? "nid = '$id'" : "promote = '1'") ." AND status = '1' ORDER BY static DESC, created DESC LIMIT ". ($user->nodes ? $user->nodes : variable_get("default_nodes_main", 10)));
- }
- else if ($and) {
- // this is an AND
- $result = db_query("SELECT n.nid, type, count(*) AS c FROM node n LEFT JOIN term_node r ON n.nid = r.nid WHERE tid IN (".implode(",", $terms).") AND ". ($id ? "nid = '$id'" : "promote = '1'") ." AND status = '1' GROUP BY n.nid HAVING c = ".count($terms)." ORDER BY static DESC, created DESC LIMIT ". ($user->nodes ? $user->nodes : variable_get("default_nodes_main", 10)));
- }
- else {
- $result = db_query("SELECT nid, type FROM node WHERE ". ($id ? "nid = '$id'" : "promote = '1'") ." AND status = '1' ORDER BY static DESC, created DESC LIMIT ". ($user->nodes ? $user->nodes : variable_get("default_nodes_main", 10)));
- }
+ if ($or) {
+ // this is an OR of terms
+ $result = db_query("SELECT DISTINCT(n.nid), type FROM node n LEFT JOIN term_node r ON n.nid = r.nid WHERE tid IN (".implode(",", $terms).") AND ". ($id ? "nid = '$id'" : "promote = '1'") ." AND status = '1' ORDER BY static DESC, created DESC LIMIT ". ($user->nodes ? $user->nodes : variable_get("default_nodes_main", 10)));
+ }
+ else if ($and) {
+ // this is an AND
+ $result = db_query("SELECT n.nid, type, count(*) AS c FROM node n LEFT JOIN term_node r ON n.nid = r.nid WHERE tid IN (".implode(",", $terms).") AND ". ($id ? "nid = '$id'" : "promote = '1'") ." AND status = '1' GROUP BY n.nid HAVING c = ".count($terms)." ORDER BY static DESC, created DESC LIMIT ". ($user->nodes ? $user->nodes : variable_get("default_nodes_main", 10)));
+ }
+ else {
+ $result = db_query("SELECT nid, type FROM node WHERE ". ($id ? "nid = '$id'" : "promote = '1'") ." AND status = '1' ORDER BY static DESC, created DESC LIMIT ". ($user->nodes ? $user->nodes : variable_get("default_nodes_main", 10)));
+ }
- while ($node = db_fetch_object($result)) {
- node_view(node_load(array("nid" => $node->nid, "type" => $node->type)), 1);
+ while ($node = db_fetch_object($result)) {
+ node_view(node_load(array("nid" => $node->nid, "type" => $node->type)), 1);
+ }
}
}
@@ -1263,4 +1284,4 @@ function node_update_index() {
"select" => "SELECT n.nid as lno, n.title as text1, n.body as text2 FROM node n WHERE n.status = 1 AND moderate = 0 and (created > " . variable_get("node_cron_last", 1) . " or changed > " . variable_get("node_cron_last", 1) . ")");
}
-?>
+?> \ No newline at end of file
diff --git a/modules/page.module b/modules/page.module
index 06762b671..da8258888 100644
--- a/modules/page.module
+++ b/modules/page.module
@@ -129,6 +129,12 @@ function page_view($node, $main = 0) {
function page_form(&$node, &$help, &$error) {
global $op;
+ if (!$node->status) {
+ $node->status = 1;
+ $node->moderate = 1;
+ $node->comment = 2;
+ }
+
if ($node->format) {
if ($op != t("Preview")) {
$node->body = addslashes($node->body);
diff --git a/modules/page/page.module b/modules/page/page.module
index 06762b671..da8258888 100644
--- a/modules/page/page.module
+++ b/modules/page/page.module
@@ -129,6 +129,12 @@ function page_view($node, $main = 0) {
function page_form(&$node, &$help, &$error) {
global $op;
+ if (!$node->status) {
+ $node->status = 1;
+ $node->moderate = 1;
+ $node->comment = 2;
+ }
+
if ($node->format) {
if ($op != t("Preview")) {
$node->body = addslashes($node->body);
diff --git a/modules/poll.module b/modules/poll.module
index 68b54eb58..2bfdd7d0d 100644
--- a/modules/poll.module
+++ b/modules/poll.module
@@ -40,6 +40,12 @@ function poll_delete($node) {
}
function poll_form(&$node, &$help, &$error) {
+ if (!$node->status) {
+ $node->status = 1;
+ $node->moderate = 1;
+ $node->comment = 2;
+ }
+
$admin = user_access("administer nodes");
$_duration = array(0 => t("Unlimited"), 86400 => format_interval(86400), 172800 => format_interval(172800), 345600 => format_interval(345600), 604800 => format_interval(604800), 1209600 => format_interval(1209600), 2419200 => format_interval(2419200), 4838400 => format_interval(4838400), 9676800 => format_interval(9676800), 31536000 => format_interval(31536000));
diff --git a/modules/poll/poll.module b/modules/poll/poll.module
index 68b54eb58..2bfdd7d0d 100644
--- a/modules/poll/poll.module
+++ b/modules/poll/poll.module
@@ -40,6 +40,12 @@ function poll_delete($node) {
}
function poll_form(&$node, &$help, &$error) {
+ if (!$node->status) {
+ $node->status = 1;
+ $node->moderate = 1;
+ $node->comment = 2;
+ }
+
$admin = user_access("administer nodes");
$_duration = array(0 => t("Unlimited"), 86400 => format_interval(86400), 172800 => format_interval(172800), 345600 => format_interval(345600), 604800 => format_interval(604800), 1209600 => format_interval(1209600), 2419200 => format_interval(2419200), 4838400 => format_interval(4838400), 9676800 => format_interval(9676800), 31536000 => format_interval(31536000));
diff --git a/modules/story.module b/modules/story.module
index f4366d0cb..5c84baa0d 100644
--- a/modules/story.module
+++ b/modules/story.module
@@ -65,6 +65,12 @@ function story_link($type) {
function story_form(&$node, &$help, &$error) {
+ if (!$node->status) {
+ $node->status = 1;
+ $node->moderate = 1;
+ $node->comment = 2;
+ }
+
if (isset($node->body)) {
/*
diff --git a/modules/story/story.module b/modules/story/story.module
index f4366d0cb..5c84baa0d 100644
--- a/modules/story/story.module
+++ b/modules/story/story.module
@@ -65,6 +65,12 @@ function story_link($type) {
function story_form(&$node, &$help, &$error) {
+ if (!$node->status) {
+ $node->status = 1;
+ $node->moderate = 1;
+ $node->comment = 2;
+ }
+
if (isset($node->body)) {
/*