Changeset 1899 in ExiteCMS for trunk/albums.php

Timestamp:

10/22/08 17:49:46 (4 years ago)

Author:

hverton

Message:

fixed not checking write rights properly

File:

• trunk/albums.php (modified) (26 diffs)

trunk/albums.php

@@ -17 +17 @@
 
 // local function to check for album, gallery and/or photo access
-function has_photo_access($id=0, $type="", $photo_id=0) {
-    global $collection;
+function has_photo_access($id=0, $type="", $photo_id=0, $mode='read') {
+    global $collection, $settings, $userdata, $db_prefix;
 
     // validate the parameters
     if (empty($id) || empty($type)) return false;
+    if ($mode != 'read' && $mode != 'write') $mode = 'read';
+
+    // result cache
+    static $resultcache;
+    if (isset($resultcache[$type][$id][$mode])) {
+        return $resultcache[$type][$id][$mode];
+    }
 
     // check if the requested id and type are part of the collection
@@ -27 +34 @@
     foreach($collection as $item) {
         if ($item['type'] == $type && $item['id'] == $id) {
-            $match = true;
+            // match found.
+            if ($mode == 'write') {
+                // Does the user have write access?
+                switch ($type) {
+                    case "album":
+                        $album = dbarray(dbquery("SELECT * FROM ".$db_prefix."albums WHERE album_id = $id"));
+                        $match = $album && ((iMEMBER && $album['album_write'] == -1 && $album['album_owner'] == $userdata['user_id']) || checkgroup($album['album_write']));
+                        break;
+                    case "gallery":
+                        $gallery = dbarray(dbquery("SELECT * FROM ".$db_prefix."galleries WHERE gallery_id = $id"));
+                        $match = $gallery && ((iMEMBER && $gallery['gallery_write'] == -1 && $gallery['gallery_owner'] == $userdata['user_id']) || checkgroup($gallery['gallery_write']));
+                        break;
+                    default:
+                        $match = false;
+                        break;
+                }
+            } else {
+                $match = true;
+            }
             break;
         }
@@ -45 +70 @@
         }
     }
+    
+    // add the result to the resultcache
+    if (!isset($resultcache)) $resultcache = array();
+    if (!isset($resultcache[$type])) $resultcache[$type] = array();
+    if (!isset($resultcache[$type][$id])) $resultcache[$type][$id] = array();
+    $resultcache[$type][$id][$mode] = $match;
+    
+    // return the result
     return $match;
 }
@@ -184 +217 @@
 if (isset($_POST['SWFSESSIONID'])) {
     // check if the user has upload rights to this album
-    if (empty($_POST['album_id']) || !isNum($_POST['album_id']) || !has_photo_access($_POST['album_id'], "album", 0)) {
+    if (empty($_POST['album_id']) || !isNum($_POST['album_id']) || !has_photo_access($_POST['album_id'], "album", 0, "write")) {
         echo "error|".$locale['402'];
         exit(0);
@@ -250 +283 @@
 
     if ($action == "edit" && isset($_POST['save'])) {
-        if (!empty($album_id) && has_photo_access($album_id, "album", $photo_id)) {
+        if (!empty($album_id) && has_photo_access($album_id, "album", $photo_id, "write")) {
             $result = dbquery("UPDATE ".$db_prefix."album_photos SET 
                 album_photo_title = '".mysql_escape_string(stripinput($_POST['album_photo_title']))."',
@@ -259 +292 @@
             $action = "view";
         } else {
-            if (!empty($gallery_id) && has_photo_access($gallery_id, "gallery", $photo_id)) {
+            if (!empty($gallery_id) && has_photo_access($gallery_id, "gallery", $photo_id, "write")) {
                 $result = dbquery("UPDATE ".$db_prefix."gallery_photos SET 
                     gallery_photo_title = '".mysql_escape_string(stripinput($_POST['gallery_photo_title']))."',
@@ -290 +323 @@
                 $variables['photo']['parsed_description'] = parsemessage(array(), is_null($variables['photo']['album_photo_description'])?"":$variables['photo']['album_photo_description'], true, true);
                 // check if the user may edit the photo properties
-                $variables['can_edit'] = ($variables['is_moderator'] || (iMEMBER && $userdata['user_id'] == $variables['photo']['album_owner'])) ? 1 : 0;
+                $variables['can_edit'] = has_photo_access($album_id, "album", $photo_id, "write");
                 // find the previous and next photo
                 $result = dbquery("SELECT photo_id FROM ".$db_prefix."album_photos
@@ -345 +378 @@
                 $variables['photo']['parsed_description'] = parsemessage(array(), is_null($variables['photo']['gallery_photo_description'])?"":$variables['photo']['gallery_photo_description'], true, true);
                 // check if the user may edit the photo properties
-                $variables['can_edit'] = ($variables['is_moderator'] || (iMEMBER && $userdata['user_id'] == $variables['photo']['gallery_owner'])) ? 1 : 0;
+                $variables['can_edit'] = has_photo_access($gallery_id, "gallery", $photo_id, "write");
                 // find the previous and next photo
                 $result = dbquery("SELECT photo_id FROM ".$db_prefix."gallery_photos
@@ -397 +430 @@
     if ($action == "highlight") {
         // check if the user has access to this album
-        if (!empty($album_id) && has_photo_access($album_id, "album", $photo_id)) {
+        if (!empty($album_id) && has_photo_access($album_id, "album", $photo_id, "write")) {
             // set the photo as highlight
             $result = dbquery("UPDATE ".$db_prefix."albums SET album_highlight = $photo_id WHERE album_id = $album_id");
@@ -403 +436 @@
             // return to album view
             $type = "album"; $action = "view";
-        } elseif (!empty($gallery_id) && has_photo_access($gallery_id, "gallery", $photo_id)) {
+        } elseif (!empty($gallery_id) && has_photo_access($gallery_id, "gallery", $photo_id, "write")) {
             // set the photo as highlight
             $result = dbquery("UPDATE ".$db_prefix."galleries SET gallery_highlight = $photo_id WHERE gallery_id = $gallery_id");
@@ -423 +456 @@
     if ($action == "delete" && isset($_POST['delete'])) {
         // check if the user has access to this album and this photo
-        if (!empty($album_id) && has_photo_access($album_id, "album", $photo_id)) {
+        if (!empty($album_id) && has_photo_access($album_id, "album", $photo_id, "write")) {
             delete_photo($album_id, $photo_id);
             $variables['errormessages'][] = $locale['411'];
             // return to the album
             $type = "album"; $action = "view";
-        } elseif (!empty($gallery_id) && has_photo_access($gallery_id, "gallery", $photo_id)) {
+        } elseif (!empty($gallery_id) && has_photo_access($gallery_id, "gallery", $photo_id, "write")) {
             // delete the gallery_photo record
             $result = dbquery("DELETE FROM ".$db_prefix."gallery_photos WHERE gallery_id = $gallery_id AND photo_id = $photo_id");
@@ -464 +497 @@
             $variables['errormessages'][] = $locale['414'];
         }
-        if ($action == "edit" && !has_photo_access($variables['album']['album_id'], "album", 0)) {
+        if ($action == "edit" && !has_photo_access($variables['album']['album_id'], "album", 0, "write")) {
             $variables['errormessages'][] = $locale['415'];
         }
@@ -499 +532 @@
         $gallery_id = isset($_POST['gallery_id']) && isNum($_POST['gallery_id']) ? $_POST['gallery_id'] : 0;
         $photo_title = stripinput($_POST['photo_title']);
-        if ($photo_id && has_photo_access($album_id, "album", $photo_id) && has_photo_access($gallery_id, "gallery", 0)) {
+        if ($photo_id && has_photo_access($album_id, "album", $photo_id) && has_photo_access($gallery_id, "gallery", 0, "write")) {
             $result = dbquery("INSERT IGNORE INTO ".$db_prefix."gallery_photos (gallery_id, photo_id, gallery_photo_title, gallery_photo_datestamp) VALUES ($gallery_id, $photo_id, '".mysql_escape_string($photo_title)."', '".time()."')");
         }
@@ -509 +542 @@
 
     if ($action == "delete" && isset($_POST['delete'])) {
-        if (!has_photo_access($album_id, "album", 0)) {
+        if (!has_photo_access($album_id, "album", 0, "write")) {
             $variables['errormessages'][] = $locale['420'];
             $type = ""; $action = "";
@@ -546 +579 @@
             break;
         case "delete":
-            if (!has_photo_access($album_id, "album", 0)) {
+            if (!has_photo_access($album_id, "album", 0, "write")) {
                 $variables['errormessages'][] = $locale['420'];
                 $type = ""; $action = "";
@@ -572 +605 @@
             break;
         case "edit":
-            if (!has_photo_access($album_id, "album", 0)) {
+            if (!has_photo_access($album_id, "album", 0, "write")) {
                 $variables['errormessages'][] = $locale['415'];
                 $type = ""; $action = "";
@@ -628 +661 @@
                     // check if there are galleries present
                     $variables['album']['galleries'] = 0;
+                    $variables['album']['collection'] = array();
                     foreach($collection as $item) {
-                        if ($item['type'] == "gallery") {
+                        if ($item['type'] == "gallery" && has_photo_access($item['id'], $item['type'], 0, "write")) {
                             $variables['album']['galleries'] = 1;
                             // add the collection to the variables if any galleries found
-                            $variables['album']['collection'] = $collection;
+                            $variables['album']['collection'][] = $item;
                             break;
                         }
@@ -675 +709 @@
                         $variables['photos'] = array();
                         while ($data = dbarray($result)) {
-                            $data['can_edit'] = ($variables['is_moderator'] || (iMEMBER && $userdata['user_id'] == $variables['album']['album_owner'])) ? 1 : 0;
+                            $data['can_edit'] = has_photo_access($album_id, "album", 0, "write");
                             // update the thumb counter
                             $result2 = dbquery("UPDATE ".$db_prefix."photos SET photo_thumb_count = photo_thumb_count + 1 WHERE photo_id = ".$data['photo_id']);
@@ -690 +724 @@
             break;
         case "upload":
-            if (!has_photo_access($album_id, "album", 0)) {
+            if (!has_photo_access($album_id, "album", 0, "write")) {
                 $variables['errormessages'][] = $locale['402'];
                 $type = ""; $action = "";
@@ -775 +809 @@
             $variables['errormessages'][] = $locale['427'];
         }
-        if ($action == "edit" && !has_photo_access($variables['gallery']['gallery_id'], "gallery", 0)) {
+        if ($action == "edit" && !has_photo_access($variables['gallery']['gallery_id'], "gallery", 0, "write")) {
             $variables['errormessages'][] = $locale['428'];
         }
@@ -811 +845 @@
 
     if ($action == "delete" && isset($_POST['delete'])) {
-        if (!has_photo_access($gallery_id, "gallery", 0)) {
+        if (!has_photo_access($gallery_id, "gallery", 0, "write")) {
             $variables['errormessages'][] = $locale['433'];
             $type = ""; $action = "";
@@ -848 +882 @@
             break;
         case "delete":
-            if (!has_photo_access($gallery_id, "gallery", 0)) {
+            if (!has_photo_access($gallery_id, "gallery", 0, "write")) {
                 $variables['errormessages'][] = $locale['433'];
                 $type = ""; $action = "";
@@ -874 +908 @@
             break;
         case "edit":
-            if (!has_photo_access($gallery_id, "gallery", 0)) {
+            if (!has_photo_access($gallery_id, "gallery", 0, "write")) {
                 $variables['errormessages'][] = $locale['428'];
                 $type = ""; $action = "";
@@ -967 +1001 @@
                         $variables['photos'] = array();
                         while ($data = dbarray($result)) {
-                            $data['can_edit'] = ($variables['is_moderator'] || (iMEMBER && $userdata['user_id'] == $variables['gallery']['gallery_owner'])) ? 1 : 0;
+                            $data['can_edit'] = has_photo_access($gallery_id, "gallery", 0, "write");
                             // update the thumb counter
                             $result2 = dbquery("UPDATE ".$db_prefix."photos SET photo_thumb_count = photo_thumb_count + 1 WHERE photo_id = ".$data['photo_id']);
@@ -1059 +1093 @@
                 }
                 // check if this album is editable
-                $data['can_edit'] = ($variables['is_moderator'] || checkgroup($data['album_write']) || (iMEMBER && $userdata['user_id'] == $data['owner'])) ? 1 : 0;
+                $data['can_edit'] = has_photo_access($value['id'], "album", 0, "write");
                 break;
             case "gallery":
@@ -1082 +1116 @@
                     $data['slideshow'] = $slideshow;
                 // check if this album is editable
-                $data['can_edit'] = ($variables['is_moderator'] || checkgroup($data['gallery_write']) || (iMEMBER && $userdata['user_id'] == $data['owner'])) ? 1 : 0;
+                $data['can_edit'] = has_photo_access($value['id'], "gallery", 0, "write");
                 }
                 break;