Slavok wrote:

We are working on the new version of pun_tags, and user permissions will be taken into account in the next release.

Great! Looking forward to it.

Cheers,
Narayan

Again, thanks for this extension.

pun_tags can show post titles from forums which the user does not have access to. To fix this we need to modify the following code in manifest.xml around line 518.

    $query = array(
        'SELECT'    => 't.id AS tid, t.poster, t.subject, t.first_post_id, t.posted, t.last_post, t.last_post_id, t.last_poster, t.num_replies, t.closed, t.sticky, t.forum_id, f.forum_name',
        'FROM'      => 'topics AS t',
        'JOINS'     => array(
            array(
                'INNER JOIN'    => 'forums AS f',
                'ON'            => 'f.id=t.forum_id'
            ),
            // Added join: per-forum permissions for the current user's group
            array(
                'LEFT JOIN'     => 'forum_perms AS fp',
                'ON'            => '(fp.forum_id=f.id AND fp.group_id='.$forum_user['g_id'].')'
            )
        ),
        // Added condition: keep a topic only if the group has no forum_perms row for its forum or read_forum=1
        'WHERE'     => 't.id IN('.implode(',', $search_ids).') AND (fp.read_forum IS NULL OR fp.read_forum=1)'
    );

Note the additional join and where clause using forum_perms.

Hope this will be added to the next release.

Warm regards,
Narayan

First, thanks for the extension, it is useful.

I have a few private forums where people should be able to upload files. But in the current version of pun_attachment, any logged-in user can use the download URL to download the file irrespective of whether the user has permissions to the forum.
Since the URL looks like http://example.com/forums/misc.php?item … ownload=1, you can easily change the item id and get files which you should not have access to.

To fix this, the following code needs to be modified for hook id="mi_new_action". It is around line 1257 in manifest.xml in the version I am using.

    $query = array(
        'SELECT'    => 'a.id, a.post_id, a.filename, a.file_ext, a.file_mime_type, a.size, a.file_path, a.topic_id',
        'FROM'      => 'attach_files AS a',
        'JOINS'     => array(
            // Added joins: resolve the attachment's topic and forum
            array(
                'INNER JOIN'    => 'topics AS t',
                'ON'            => 't.id=a.topic_id'
            ),
            array(
                'INNER JOIN'    => 'forums AS f',
                'ON'            => 'f.id=t.forum_id'
            ),
            // Added join: per-forum permissions for the current user's group
            array(
                'LEFT JOIN'     => 'forum_perms AS fp',
                'ON'            => '(fp.forum_id=f.id AND fp.group_id='.$forum_user['g_id'].')'
            )
        ),
        // Added condition: return the file only if the group has no forum_perms row for its forum or read_forum=1
        'WHERE'     => 'a.id='.$attach_item.' AND (fp.read_forum IS NULL OR fp.read_forum=1)'
    );

It would be great if you would add this to the next release so that I do not need to maintain a separate version.

Warm regards,
Narayan
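The `forum_perms` join used in both posts above can be checked in isolation. This is an added example, not code from pun_attachment or pun_tags. It runs the attachment variant of the query against an in-memory SQLite database with a constructed, reduced schema and constructed rows; the `UNCHECKED` query is an assumed stand-in for a lookup by item id alone, and the group ids are hypothetical.

```python
import sqlite3

# Constructed, reduced schema: only the columns the posted joins touch.
SCHEMA = """
CREATE TABLE forums (id INTEGER PRIMARY KEY, forum_name TEXT);
CREATE TABLE topics (id INTEGER PRIMARY KEY, forum_id INTEGER, subject TEXT);
CREATE TABLE attach_files (id INTEGER PRIMARY KEY, topic_id INTEGER, filename TEXT);
CREATE TABLE forum_perms (group_id INTEGER, forum_id INTEGER, read_forum INTEGER,
                          PRIMARY KEY (group_id, forum_id));
INSERT INTO forums VALUES (1, 'Public'), (2, 'Private');
INSERT INTO topics VALUES (10, 1, 'Welcome'), (20, 2, 'Internal plans');
INSERT INTO attach_files VALUES (100, 10, 'rules.txt'), (200, 20, 'budget.xls');
-- Hypothetical group 4 is denied read access to forum 2.
INSERT INTO forum_perms VALUES (4, 2, 0);
-- Hypothetical group 5 is explicitly allowed to read forum 2.
INSERT INTO forum_perms VALUES (5, 2, 1);
"""

# Assumed stand-in for a lookup that trusts the item id from the URL.
UNCHECKED = "SELECT a.filename FROM attach_files AS a WHERE a.id = ?"

# Same joins and WHERE clause as the posted fix, with bound parameters.
CHECKED = """
SELECT a.filename
FROM attach_files AS a
INNER JOIN topics AS t ON t.id = a.topic_id
INNER JOIN forums AS f ON f.id = t.forum_id
LEFT JOIN forum_perms AS fp ON (fp.forum_id = f.id AND fp.group_id = ?)
WHERE a.id = ? AND (fp.read_forum IS NULL OR fp.read_forum = 1)
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def fetch_unchecked(db, attach_id):
    row = db.execute(UNCHECKED, (attach_id,)).fetchone()
    return row[0] if row else None

def fetch_checked(db, group_id, attach_id):
    # No forum_perms row for the group leaves fp.read_forum NULL, which the clause allows.
    row = db.execute(CHECKED, (group_id, attach_id)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = open_db()
    for gid in (4, 5):
        for aid in (100, 200):
            print(gid, aid, fetch_unchecked(db, aid), fetch_checked(db, gid, aid))
```

Because a missing `forum_perms` row is treated as allowed, a private forum is only protected for groups that have an explicit `read_forum=0` row.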