This patch is partly to address validation of user input, but mostly
to address a security and dead links issue where users see links to
messages that they don't actually have access to during a search.
Also patched in /search directory and in search-subject and
search-pls-subject.
Load the following SQL:
-- pl/sql function that performs the tcl function
-- bboard_user_can_view_topic_p declared in /tcl/bboard-defs.tcl
-- returns 'f' if the person is not allowed to view, 't' if he is
create or replace function bboard_user_can_view_topic_p ( v_user_id IN
integer, v_topic_id IN integer)
return char
IS
v_read_access varchar(16);
v_group_id integer;
v_count integer;
BEGIN
select read_access, group_id into v_read_access, v_group_id
from bboard_topics
where topic_id = v_topic_id;
IF v_read_access = 'any' or v_read_access = 'public' THEN
RETURN 't';
END IF;
-- now, we know that it's in some group, let's make sure this person is in it
select count(*) into v_count
from user_group_map
where user_id = v_user_id
and group_id = v_group_id;
IF v_count > 0 THEN
RETURN 't';
END IF;
-- if we're up to here, then this person is not allowed to view this page
RETURN 'f';
END;
/
show errors
In the file: /www/bboard/contributions.tcl
Replace
set_form_variables
with
ad_page_variables {
user_id
}
page_validation {
set user_id [validate_integer "User ID" $user_id]
}
After
set_form_variables
add
set current_user_id [ad_verify_and_get_user_id]
After
bboard_topics.topic
add
, bboard_topics.topic_id
After
and bboard.topic_id = bboard_topics.topic_id
add
and bboard_user_can_view_topic_p($current_user_id,bboard.topic_id)='t'
Replace
[bboard_msg_url $presentation_type $thread_start_msg_id $topic]
with
[bboard_msg_url $presentation_type $thread_start_msg_id $topic_id $topic]