author | Henry Sudhof <kellanved@phpbb.com> | 2008-03-22 13:44:20 +0000 |
---|---|---|
committer | Henry Sudhof <kellanved@phpbb.com> | 2008-03-22 13:44:20 +0000 |
commit | 991f68a85b043aa020b21a7a4bc091e0e1475d1b (patch) | |
tree | 9a78c49c4ca1271cb3daca0293b7c7ec15adc75d | |
parent | only long notation (diff) | |
Okay, let's be a little more paranoid.
git-svn-id: file:///svn/phpbb/branches/phpBB-2_0_0@8457 89ea8834-ac86-4346-8a33-228a782c2dd0
-rw-r--r-- | phpBB/admin/admin_users.php | 7 | ||||
-rw-r--r-- | phpBB/admin/pagestart.php | 7 | ||||
-rw-r--r-- | phpBB/includes/bbcode.php | 27 | ||||
-rw-r--r-- | phpBB/includes/page_tail.php | 2 | ||||
-rw-r--r-- | phpBB/includes/sessions.php | 16 | ||||
-rw-r--r-- | phpBB/install/schemas/mssql_schema.sql | 1 | ||||
-rw-r--r-- | phpBB/install/schemas/mysql_schema.sql | 1 | ||||
-rw-r--r-- | phpBB/install/schemas/postgres_schema.sql | 1 | ||||
-rw-r--r-- | phpBB/install/update_to_latest.php | 30 | ||||
-rw-r--r-- | phpBB/language/lang_english/lang_main.php | 1 | ||||
-rw-r--r-- | phpBB/modcp.php | 49 | ||||
-rwxr-xr-x | phpBB/templates/subSilver/bbcode.tpl | 1 | ||||
-rw-r--r-- | phpBB/viewforum.php | 2 | ||||
-rw-r--r-- | phpBB/viewtopic.php | 20 |
14 files changed, 124 insertions, 41 deletions
diff --git a/phpBB/admin/admin_users.php b/phpBB/admin/admin_users.php index cdd950ec4..eeb7ad0de 100644 --- a/phpBB/admin/admin_users.php +++ b/phpBB/admin/admin_users.php @@ -947,7 +947,7 @@ if ( $mode == 'edit' || $mode == 'save' && ( isset($HTTP_POST_VARS['username']) $avatar = '<img src="../' . $board_config['avatar_path'] . '/' . $user_avatar . '" alt="" />'; break; case USER_AVATAR_REMOTE: - $avatar = '<img src="' . $user_avatar . '" alt="" />'; + $avatar = (isset($HTTP_GET_VARS['p_sid'])) ? $lang['Priv_Img'] . " $user_avatar" : '<img src="' . $user_avatar . '" alt="" />'; break; case USER_AVATAR_GALLERY: $avatar = '<img src="../' . $board_config['avatar_gallery_path'] . '/' . $user_avatar . '" alt="" />'; @@ -1143,8 +1143,9 @@ else 'U_SEARCH_USER' => append_sid("./../search.$phpEx?mode=searchuser"), - 'S_USER_ACTION' => append_sid("admin_users.$phpEx"), - 'S_USER_SELECT' => $select_list) + 'S_USER_ACTION' => "admin_users.$phpEx?sid=" . $userdata['session_id'], + 'S_USER_SELECT' => $select_list, + 'S_HIDDEN_FIELDS' => '<input type="hidden" name="p_sid" value="' . $userdata['priv_session_id'] . '"/>') ); $template->pparse('body'); diff --git a/phpBB/admin/pagestart.php b/phpBB/admin/pagestart.php index 2db4ad903..e674f0c2c 100644 --- a/phpBB/admin/pagestart.php +++ b/phpBB/admin/pagestart.php @@ -52,6 +52,13 @@ if ($HTTP_GET_VARS['sid'] != $userdata['session_id']) redirect("index.$phpEx?sid=" . $userdata['session_id']); } +$p_sid = (isset($HTTP_GET_VARS['p_sid'])) ? $HTTP_GET_VARS['p_sid'] : ((isset($HTTP_POST_VARS['p_sid'])) ? $HTTP_POST_VARS['p_sid'] : ''); + +if ($p_sid !== $userdata['priv_session_id']) +{ + redirect("index.$phpEx?sid=" . $userdata['session_id']); +} + if (!$userdata['session_admin']) { redirect(append_sid("login.$phpEx?redirect=admin/index.$phpEx&admin=1", true)); diff --git a/phpBB/includes/bbcode.php b/phpBB/includes/bbcode.php index 6971cd5af..d33233fc6 100644 --- a/phpBB/includes/bbcode.php +++ b/phpBB/includes/bbcode.php 
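Review bot: The remote-avatar guard in the `USER_AVATAR_REMOTE` case keys only on `$HTTP_GET_VARS['p_sid']`, while pagestart.php in this same commit accepts `p_sid` from POST as well, so the form-submit path (`mode == 'save'`, where the hidden `p_sid` field added in the second hunk is what arrives) still emits `<img src="...">` for a user-supplied remote URL and keeps the Referer exposure this commit is closing. The replacement branch also drops `$user_avatar` as raw text next to `$lang['Priv_Img']`, so a user-controlled value goes straight into admin-panel markup; whether it was escaped upstream is not visible in this hunk, so escape it here unless that is confirmed. Suggested line: `$avatar = (isset($HTTP_GET_VARS['p_sid']) || isset($HTTP_POST_VARS['p_sid'])) ? $lang['Priv_Img'] . ' ' . htmlspecialchars($user_avatar) : '<img src="' . $user_avatar . '" alt="" />';`.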
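Review bot: The new `p_sid` check in pagestart.php lets an empty value through whenever `$userdata['priv_session_id']` is itself empty: `$p_sid` defaults to `''`, and `'' !== ''` is false, so the redirect is skipped. Sessions that predate this change are in exactly that state, because the schema hunks add the column with an empty default and only freshly inserted sessions receive a generated value. modcp.php in this commit guards the same comparison with an explicit empty test; mirror it here: `if ($p_sid === '' || $p_sid !== $userdata['priv_session_id'])`. The strict comparison already rejects an array-valued `p_sid[]=` rather than coercing it, which is the right behaviour.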
@@ -92,7 +92,7 @@ function prepare_bbcode_template($bbcode_tpl) $bbcode_tpl['code_open'] = str_replace('{L_CODE}', $lang['Code'], $bbcode_tpl['code_open']); - $bbcode_tpl['img'] = str_replace('{URL}', '\\1', $bbcode_tpl['img']); + $bbcode_tpl['img'] = str_replace('{URL}', '\\1', get_image_tag_replacement($bbcode_tpl)); // We do URLs in several different ways.. $bbcode_tpl['url1'] = str_replace('{URL}', '\\1', $bbcode_tpl['url']); @@ -116,6 +116,31 @@ function prepare_bbcode_template($bbcode_tpl) /** +* Disables the img tag for privileged pages. It also implements a compability hack for old templates. +*/ +function get_image_tag_replacement($bbcode_tpl) +{ + global $lang, $HTTP_POST_VARS, $HTTP_GET_VARS; + $bb_tmpl = ''; + if (isset($HTTP_POST_VARS['p_sid'])) + { + if (isset($bbcode_tpl['p_img'])) + { + $bb_tmpl = str_replace('{L_PRIV_IMG}', $lang['Priv_Img'], $bbcode_tpl['p_img']); + } + else + { + $bb_tmpl = $lang['Priv_Img'] . ': {URL}'; + } + } + else + { + $bb_tmpl = $bbcode_tpl['img']; + } + return $bb_tmpl; +} + +/** * Does second-pass bbencoding. This should be used before displaying the message in * a thread. Assumes the message is already first-pass encoded, and we are given the * correct UID as used in first-pass encoding. diff --git a/phpBB/includes/page_tail.php b/phpBB/includes/page_tail.php index 2386034cd..f33e9f08d 100644 --- a/phpBB/includes/page_tail.php +++ b/phpBB/includes/page_tail.php 
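Review bot: `get_image_tag_replacement()` suppresses `[img]` only when `isset($HTTP_POST_VARS['p_sid'])`, but the moderator pages in this commit (modcp.php's `mode=split` links, the viewforum/viewtopic modcp links) deliver `p_sid` in the query string, so a GET-rendered privileged page that displays post bodies still turns `[img]` into a remote `<img>` and the identifiers in that page's URL reach the image host via Referer. The function already declares `global $HTTP_GET_VARS` and never reads it; the condition should be `if (isset($HTTP_POST_VARS['p_sid']) || isset($HTTP_GET_VARS['p_sid']))`. The docblock should read "compatibility hack" and state the contract: returns the `p_img` template with `{L_PRIV_IMG}` substituted, or the `$lang['Priv_Img'] . ': {URL}'` fallback when the template lacks `p_img`, and otherwise the unchanged `img` template.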
@@ -30,7 +30,7 @@ global $do_gzip_compress; // // Show the overall footer. // -$admin_link = ( $userdata['user_level'] == ADMIN ) ? '<a href="admin/index.' . $phpEx . '?sid=' . $userdata['session_id'] . '">' . $lang['Admin_panel'] . '</a><br /><br />' : ''; + $admin_link = ( $userdata['user_level'] == ADMIN ) ? '<a href="admin/index.' . $phpEx . '?sid=' . $userdata['session_id'] . '&p_sid=' . $userdata['priv_session_id'] . '">' . $lang['Admin_panel'] . '</a><br /><br />' : ''; $template->set_filenames(array( 'overall_footer' => ( empty($gen_simple_header) ) ? 'overall_footer.tpl' : 'simple_footer.tpl') diff --git a/phpBB/includes/sessions.php b/phpBB/includes/sessions.php index f2557b874..8953fb331 100644 --- a/phpBB/includes/sessions.php +++ b/phpBB/includes/sessions.php @@ -178,10 +178,11 @@ function session_begin($user_id, $user_ip, $page_id, $auto_create = 0, $enable_a if ( !$db->sql_query($sql) || !$db->sql_affectedrows() ) { $session_id = md5(dss_rand()); + $priv_session_id = md5(dss_rand()); $sql = "INSERT INTO " . SESSIONS_TABLE . " - (session_id, session_user_id, session_start, session_time, session_ip, session_page, session_logged_in, session_admin) - VALUES ('$session_id', $user_id, $current_time, $current_time, '$user_ip', $page_id, $login, $admin)"; + (session_id, session_user_id, session_start, session_time, session_ip, session_page, session_logged_in, session_admin, priv_session_id) + VALUES ('$session_id', $user_id, $current_time, $current_time, '$user_ip', $page_id, $login, $admin, '$priv_session_id')"; if ( !$db->sql_query($sql) ) { message_die(CRITICAL_ERROR, 'Error creating new session', '', __LINE__, __FILE__, $sql); @@ -242,6 +243,7 @@ function session_begin($user_id, $user_ip, $page_id, $auto_create = 0, $enable_a } $userdata['session_id'] = $session_id; + $userdata['priv_session_id'] = $priv_session_id; $userdata['session_ip'] = $user_ip; $userdata['session_user_id'] = $user_id; $userdata['session_logged_in'] = $login; 
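Review bot: In session_begin(), `$priv_session_id` is generated only inside the branch that inserts a new session row, yet the -242 hunk assigns `$userdata['priv_session_id'] = $priv_session_id;` unconditionally, so when the UPDATE of an existing row succeeds the variable is undefined and `$userdata['priv_session_id']` is null for the rest of the request. That existing row also keeps whatever `priv_session_id` it already had, which for rows created before this change is the empty column default, so a returning admin or moderator never obtains a usable privileged id without a brand-new session. Hoist `$priv_session_id = md5(dss_rand());` above the UPDATE (which lies outside this hunk) and add `priv_session_id = '$priv_session_id'` to its SET clause so every session that passes through session_begin() is issued a fresh value.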
@@ -266,7 +268,7 @@ function session_begin($user_id, $user_ip, $page_id, $auto_create = 0, $enable_a function session_pagestart($user_ip, $thispage_id) { global $db, $lang, $board_config; - global $HTTP_COOKIE_VARS, $HTTP_GET_VARS, $SID; + global $HTTP_COOKIE_VARS, $HTTP_GET_VARS, $SID, $P_SID; $cookiename = $board_config['cookie_name']; $cookiepath = $board_config['cookie_path']; @@ -333,7 +335,7 @@ function session_pagestart($user_ip, $thispage_id) if ($ip_check_s == $ip_check_u) { $SID = ($sessionmethod == SESSION_METHOD_GET || defined('IN_ADMIN')) ? 'sid=' . $session_id : ''; - + $P_SID = (defined('IN_ADMIN')) ? 'p_sid=' . $userdata['priv_session_id'] : ''; // // Only update session DB a minute or so after last update // @@ -565,12 +567,16 @@ function session_reset_keys($user_id, $user_ip) // function append_sid($url, $non_html_amp = false) { - global $SID; + global $SID, $P_SID; if ( !empty($SID) && !preg_match('#sid=#', $url) ) { $url .= ( ( strpos($url, '?') !== false ) ? ( ( $non_html_amp ) ? '&' : '&' ) : '?' ) . $SID; } + if ( !empty($P_SID) && !preg_match('#p_sid=#', $url) ) + { + $url .= ( ( strpos($url, '?') !== false ) ? ( ( $non_html_amp ) ? '&' : '&' ) : '?' ) . $P_SID; + } return $url; } diff --git a/phpBB/install/schemas/mssql_schema.sql b/phpBB/install/schemas/mssql_schema.sql index 74018873d..7a49f1134 100644 --- a/phpBB/install/schemas/mssql_schema.sql +++ b/phpBB/install/schemas/mssql_schema.sql @@ -193,6 +193,7 @@ CREATE TABLE [phpbb_sessions] ( [session_page] [int] NULL , [session_logged_in] [smallint] NULL, [session_admin] [smallint] NULL + [priv_session_id] [char] (32) NOT NULL , ) ON [PRIMARY] GO diff --git a/phpBB/install/schemas/mysql_schema.sql b/phpBB/install/schemas/mysql_schema.sql index 3a31b1b29..f1bcc2de0 100644 --- a/phpBB/install/schemas/mysql_schema.sql +++ b/phpBB/install/schemas/mysql_schema.sql 
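Review bot: The guard `!preg_match('#sid=#', $url)` in append_sid() now also matches the tail of `p_sid=`, so every URL built with `&p_sid=...` — modcp.php's redirect, lookup and split links, the `generate_pagination()` base URL, and the viewforum/viewtopic moderator links in this commit — never receives the `sid` parameter under SESSION_METHOD_GET, and the session is lost on the next request. Anchor the pattern to a delimiter: `if ( !empty($SID) && !preg_match('#(^|[?&;])sid=#', $url) )`, where `;` covers the `&amp;` form produced when `$non_html_amp` is false. The new `p_sid` branch can keep `#p_sid=#`, and note that `$P_SID` is only populated under `IN_ADMIN`, which is why the modcp links append `p_sid` by hand.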
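Review bot: The mssql_schema.sql hunk puts the column separator on the wrong line: the preceding `[session_admin] [smallint] NULL` has no trailing comma and the new `[priv_session_id] [char] (32) NOT NULL ,` ends with one directly before `) ON [PRIMARY]`, so the CREATE TABLE fails on a fresh MSSQL install. Move the comma: `[session_admin] [smallint] NULL ,` followed by `[priv_session_id] [char] (32) NOT NULL`. The mysql and postgres schema hunks terminate the column list correctly.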
@@ -307,6 +307,7 @@ CREATE TABLE phpbb_sessions ( session_page int(11) DEFAULT '0' NOT NULL, session_logged_in tinyint(1) DEFAULT '0' NOT NULL, session_admin tinyint(2) DEFAULT '0' NOT NULL, + priv_session_id char(32) DEFAULT '' NOT NULL, PRIMARY KEY (session_id), KEY session_user_id (session_user_id), KEY session_id_ip_user_id (session_id, session_ip, session_user_id) diff --git a/phpBB/install/schemas/postgres_schema.sql b/phpBB/install/schemas/postgres_schema.sql index f14c7503a..e019f5ae9 100644 --- a/phpBB/install/schemas/postgres_schema.sql +++ b/phpBB/install/schemas/postgres_schema.sql @@ -291,6 +291,7 @@ CREATE TABLE phpbb_sessions ( session_page int4 DEFAULT '0' NOT NULL, session_logged_in int2 DEFAULT '0' NOT NULL, session_admin int2 DEFAULT '0' NOT NULL, + priv_session_id char(32) DEFAULT '0' NOT NULL, CONSTRAINT phpbb_session_pkey PRIMARY KEY (session_id) ); CREATE INDEX session_user_id_phpbb_sessions_index ON phpbb_sessions (session_user_id); diff --git a/phpBB/install/update_to_latest.php b/phpBB/install/update_to_latest.php index 19d03503c..e9482ea55 100644 --- a/phpBB/install/update_to_latest.php +++ b/phpBB/install/update_to_latest.php @@ -671,6 +671,36 @@ switch ($row['config_value']) } break; + + case '.0.23': + + switch (SQL_LAYER) + { + case 'mysql': + case 'mysql4': + $sql[] = "ALTER TABLE " . SESSIONS_TABLE . " + ADD COLUMN priv_session_id char(32) DEFAULT '' NOT NULL"; + break; + + case 'postgresql': + $sql[] = "ALTER TABLE " . SESSIONS_TABLE . " + ADD COLUMN priv_session_id char(32)"; + $sql[] = "ALTER TABLE " . SESSIONS_TABLE . " + ALTER COLUMN priv_session_id SET DEFAULT ''"; + break; + + case 'mssql-odbc': + case 'mssql': + $sql[] = "ALTER TABLE " . SESSIONS_TABLE . " ADD + priv_session_id char (32) NOT NULL"; + break; + + case 'msaccess': + $sql[] = "ALTER TABLE " . SESSIONS_TABLE . " ADD + priv_session_id char (32) NOT NULL"; + break; + } + } echo "<h2>Updating database schema</h2>\n"; 
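Review bot: The `.0.23` upgrade step adds `priv_session_id` without touching the rows already in the sessions table, so every live session keeps an empty value (mysql), NULL (postgres, where the column is added nullable and only then given a default) or, on mssql/msaccess, hits `ADD ... NOT NULL` with no default, which I expect to fail on a non-empty table — verify against those drivers. Since pre-existing sessions can never carry a privileged id, consider purging the table in the same step, `$sql[] = "DELETE FROM " . SESSIONS_TABLE;` after the `switch`, so admins and moderators get a fresh session with a generated value instead of a check that compares against an empty string. The postgres schema hunk in this commit uses `DEFAULT '0'` while this step sets `DEFAULT ''`; pick one so fresh and upgraded installs agree.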
diff --git a/phpBB/language/lang_english/lang_main.php b/phpBB/language/lang_english/lang_main.php index 5c9b972f0..ab847fa75 100644 --- a/phpBB/language/lang_english/lang_main.php +++ b/phpBB/language/lang_english/lang_main.php @@ -283,6 +283,7 @@ $lang['Delete_post'] = 'Delete this post'; $lang['wrote'] = 'wrote'; // proceeds the username and is followed by the quoted text $lang['Quote'] = 'Quote'; // comes before bbcode quote output. $lang['Code'] = 'Code'; // comes before bbcode code output. +$lang['Priv_Img'] = 'Image display disabled'; // Explanation for missing images in the ModCP. $lang['Edited_time_total'] = 'Last edited by %s on %s; edited %d time in total'; // Last edited by me on 12 Oct 2001; edited 1 time in total $lang['Edited_times_total'] = 'Last edited by %s on %s; edited %d times in total'; // Last edited by me on 12 Oct 2001; edited 2 times in total diff --git a/phpBB/modcp.php b/phpBB/modcp.php index 699a636f3..24faa0860 100644 --- a/phpBB/modcp.php +++ b/phpBB/modcp.php @@ -116,6 +116,15 @@ else { $sid = ''; } +// privileged session id check +if (!empty($HTTP_POST_VARS['p_sid']) || !empty($HTTP_GET_VARS['p_sid'])) +{ + $p_sid = (!empty($HTTP_POST_VARS['p_sid'])) ? $HTTP_POST_VARS['p_sid'] : $HTTP_GET_VARS['p_sid']; +} +else +{ + $p_sid = ''; +} // // Obtain relevant data @@ -175,7 +184,7 @@ init_userprefs($userdata); // // session id check -if ($sid == '' || $sid != $userdata['session_id']) +if ($p_sid === '' || $p_sid !== $userdata['priv_session_id']) { message_die(GENERAL_ERROR, 'Invalid_session'); } 
@@ -398,12 +407,12 @@ switch( $mode ) if ( !empty($topic_id) ) { - $redirect_page = "viewforum.$phpEx?" . POST_FORUM_URL . "=$forum_id&sid=" . $userdata['session_id']; + $redirect_page = append_sid("viewforum.$phpEx?" . POST_FORUM_URL . "=$forum_id"); $l_redirect = sprintf($lang['Click_return_forum'], '<a href="' . $redirect_page . '">', '</a>'); } else { - $redirect_page = "modcp.$phpEx?" . POST_FORUM_URL . "=$forum_id&sid=" . $userdata['session_id']; + $redirect_page = append_sid("modcp.$phpEx?" . POST_FORUM_URL . "=$forum_id&p_sid=" . $userdata['priv_session_id']); $l_redirect = sprintf($lang['Click_return_modcp'], '<a href="' . $redirect_page . '">', '</a>'); } @@ -421,7 +430,7 @@ switch( $mode ) message_die(GENERAL_MESSAGE, $lang['None_selected']); } - $hidden_fields = '<input type="hidden" name="sid" value="' . $userdata['session_id'] . '" /><input type="hidden" name="mode" value="' . $mode . '" /><input type="hidden" name="' . POST_FORUM_URL . '" value="' . $forum_id . '" />'; + $hidden_fields = '<input type="hidden" name="sid" value="' . $userdata['session_id'] . '" /><input type="hidden" name="p_sid" value="' . $userdata['priv_session_id'] . '" /><input type="hidden" name="mode" value="' . $mode . '" /><input type="hidden" name="' . POST_FORUM_URL . '" value="' . $forum_id . '" />'; if ( isset($HTTP_POST_VARS['topic_id_list']) ) { 
@@ -557,16 +566,16 @@ switch( $mode ) if ( !empty($topic_id) ) { - $redirect_page = "viewtopic.$phpEx?" . POST_TOPIC_URL . "=$topic_id&sid=" . $userdata['session_id']; + $redirect_page = append_sid("viewtopic.$phpEx?" . POST_TOPIC_URL . "=$topic_id"); $message .= sprintf($lang['Click_return_topic'], '<a href="' . $redirect_page . '">', '</a>'); } else { - $redirect_page = "modcp.$phpEx?" . POST_FORUM_URL . "=$forum_id&sid=" . $userdata['session_id']; + $redirect_page = append_sid("modcp.$phpEx?" . POST_FORUM_URL . "=$forum_id&p_sid=" . $userdata['priv_session_id']); $message .= sprintf($lang['Click_return_modcp'], '<a href="' . $redirect_page . '">', '</a>'); } - $message = $message . '<br \><br \>' . sprintf($lang['Click_return_forum'], '<a href="' . "viewforum.$phpEx?" . POST_FORUM_URL . "=$old_forum_id&sid=" . $userdata['session_id'] . '">', '</a>'); + $message = $message . '<br \><br \>' . sprintf($lang['Click_return_forum'], '<a href="' . append_sid("viewforum.$phpEx?" . POST_FORUM_URL . "=$old_forum_id&p_sid=" . $userdata['priv_session_id']) . '">', '</a>'); $template->assign_vars(array( 'META' => '<meta http-equiv="refresh" content="3;url=' . $redirect_page . '">') @@ -581,7 +590,7 @@ switch( $mode ) message_die(GENERAL_MESSAGE, $lang['None_selected']); } - $hidden_fields = '<input type="hidden" name="sid" value="' . $userdata['session_id'] . '" /><input type="hidden" name="mode" value="' . $mode . '" /><input type="hidden" name="' . POST_FORUM_URL . '" value="' . $forum_id . '" />'; + $hidden_fields = '<input type="hidden" name="sid" value="' . $userdata['session_id'] . '" /><input type="hidden" name="p_sid" value="' . $userdata['priv_session_id'] . '" /><input type="hidden" name="mode" value="' . $mode . '" /><input type="hidden" name="' . POST_FORUM_URL . '" value="' . $forum_id . '" />'; if ( isset($HTTP_POST_VARS['topic_id_list']) ) { 
@@ -650,16 +659,16 @@ switch( $mode ) if ( !empty($topic_id) ) { - $redirect_page = "viewtopic.$phpEx?" . POST_TOPIC_URL . "=$topic_id&sid=" . $userdata['session_id']; + $redirect_page = append_sid("viewtopic.$phpEx?" . POST_TOPIC_URL . "=$topic_id"); $message = sprintf($lang['Click_return_topic'], '<a href="' . $redirect_page . '">', '</a>'); } else { - $redirect_page = "modcp.$phpEx?" . POST_FORUM_URL . "=$forum_id&sid=" . $userdata['session_id']; + $redirect_page = append_sid("modcp.$phpEx?" . POST_FORUM_URL . "=$forum_id&p_sid=" . $userdata['priv_session_id']); $message = sprintf($lang['Click_return_modcp'], '<a href="' . $redirect_page . '">', '</a>'); } - $message = $message . '<br \><br \>' . sprintf($lang['Click_return_forum'], '<a href="' . "viewforum.$phpEx?" . POST_FORUM_URL . "=$forum_id&sid=" . $userdata['session_id'] . '">', '</a>'); + $message = $message . '<br \><br \>' . sprintf($lang['Click_return_forum'], '<a href="' . append_sid("viewforum.$phpEx?" . POST_FORUM_URL . "=$forum_id") . '">', '</a>'); $template->assign_vars(array( 'META' => '<meta http-equiv="refresh" content="3;url=' . $redirect_page . '">') 
@@ -695,16 +704,16 @@ switch( $mode ) if ( !empty($topic_id) ) { - $redirect_page = "viewtopic.$phpEx?" . POST_TOPIC_URL . "=$topic_id&sid=" . $userdata['session_id']; + $redirect_page = append_sid("viewtopic.$phpEx?" . POST_TOPIC_URL . "=$topic_id"); $message = sprintf($lang['Click_return_topic'], '<a href="' . $redirect_page . '">', '</a>'); } else { - $redirect_page = "modcp.$phpEx?" . POST_FORUM_URL . "=$forum_id&sid=" . $userdata['session_id']; + $redirect_page = append_sid("modcp.$phpEx?" . POST_FORUM_URL . "=$forum_id&p_sid=" . $userdata['priv_session_id']); $message = sprintf($lang['Click_return_modcp'], '<a href="' . $redirect_page . '">', '</a>'); } - $message = $message . '<br \><br \>' . sprintf($lang['Click_return_forum'], '<a href="' . "viewforum.$phpEx?" . POST_FORUM_URL . "=$forum_id&sid=" . $userdata['session_id'] . '">', '</a>'); + $message = $message . '<br \><br \>' . sprintf($lang['Click_return_forum'], '<a href="' . append_sid("viewforum.$phpEx?" . POST_FORUM_URL . "=$forum_id") . '">', '</a>'); $template->assign_vars(array( 'META' => '<meta http-equiv="refresh" content="3;url=' . $redirect_page . '">') @@ -1019,7 +1028,7 @@ switch( $mode ) 'IP' => $ip_this_post, - 'U_LOOKUP_IP' => "modcp.$phpEx?mode=ip&" . POST_POST_URL . "=$post_id&" . POST_TOPIC_URL . "=$topic_id&rdns=$ip_this_post&sid=" . $userdata['session_id']) + 'U_LOOKUP_IP' => append_sid("modcp.$phpEx?mode=ip&" . POST_POST_URL . "=$post_id&" . POST_TOPIC_URL . "=$topic_id&rdns=$ip_this_post&p_sid=" . $userdata['priv_session_id'])) ); // 
@@ -1060,7 +1069,7 @@ switch( $mode ) 'IP' => $ip, 'POSTS' => $row['postings'] . ' ' . ( ( $row['postings'] == 1 ) ? $lang['Post'] : $lang['Posts'] ), - 'U_LOOKUP_IP' => "modcp.$phpEx?mode=ip&" . POST_POST_URL . "=$post_id&" . POST_TOPIC_URL . "=$topic_id&rdns=" . $row['poster_ip'] . "&sid=" . $userdata['session_id']) + 'U_LOOKUP_IP' => append_sid("modcp.$phpEx?mode=ip&" . POST_POST_URL . "=$post_id&" . POST_TOPIC_URL . "=$topic_id&rdns=" . $row['poster_ip'] . "&p_sid=" . $userdata['priv_session_id'])) ); $i++; @@ -1100,7 +1109,7 @@ switch( $mode ) 'POSTS' => $row['postings'] . ' ' . ( ( $row['postings'] == 1 ) ? $lang['Post'] : $lang['Posts'] ), 'L_SEARCH_POSTS' => sprintf($lang['Search_user_posts'], $username), - 'U_PROFILE' => ($id == ANONYMOUS) ? "modcp.$phpEx?mode=ip&" . POST_POST_URL . "=" . $post_id . "&" . POST_TOPIC_URL . "=" . $topic_id . "&sid=" . $userdata['session_id'] : append_sid("profile.$phpEx?mode=viewprofile&" . POST_USERS_URL . "=$id"), + 'U_PROFILE' => ($id == ANONYMOUS) ? append_sid("modcp.$phpEx?mode=ip&" . POST_POST_URL . "=" . $post_id . "&" . POST_TOPIC_URL . "=" . $topic_id . "&p_sid=" . $userdata['priv_session_id']) : append_sid("profile.$phpEx?mode=viewprofile&" . POST_USERS_URL . "=$id"), 'U_SEARCHPOSTS' => append_sid("search.$phpEx?search_author=" . (($id == ANONYMOUS) ? 'Anonymous' : urlencode($username)) . "&showresults=topics")) ); 
@@ -1133,7 +1142,7 @@ switch( $mode ) 'L_SELECT' => $lang['Select'], 'U_VIEW_FORUM' => append_sid("viewforum.$phpEx?" . POST_FORUM_URL . "=$forum_id"), - 'S_HIDDEN_FIELDS' => '<input type="hidden" name="sid" value="' . $userdata['session_id'] . '" /><input type="hidden" name="' . POST_FORUM_URL . '" value="' . $forum_id . '" />', + 'S_HIDDEN_FIELDS' => '<input type="hidden" name="sid" value="' . $userdata['session_id'] . '" /><input type="hidden" name="p_sid" value="' . $userdata['priv_session_id'] . '" /><input type="hidden" name="' . POST_FORUM_URL . '" value="' . $forum_id . '" />', 'S_MODCP_ACTION' => append_sid("modcp.$phpEx")) ); @@ -1221,7 +1230,7 @@ switch( $mode ) $topic_title = preg_replace($orig_word, $replacement_word, $topic_title); } - $u_view_topic = "modcp.$phpEx?mode=split&" . POST_TOPIC_URL . "=$topic_id&sid=" . $userdata['session_id']; + $u_view_topic = append_sid("modcp.$phpEx?mode=split&" . POST_TOPIC_URL . "=$topic_id&p_sid=" . $userdata['priv_session_id']); $topic_replies = $row['topic_replies']; $last_post_time = create_date($board_config['default_dateformat'], $row['post_time'], $board_config['board_timezone']); @@ -1241,7 +1250,7 @@ switch( $mode ) } $template->assign_vars(array( - 'PAGINATION' => generate_pagination("modcp.$phpEx?" . POST_FORUM_URL . "=$forum_id&sid=" . $userdata['session_id'], $forum_topics, $board_config['topics_per_page'], $start), + 'PAGINATION' => generate_pagination("modcp.$phpEx?" . POST_FORUM_URL . "=$forum_id&p_sid=" . $userdata['priv_session_id'], $forum_topics, $board_config['topics_per_page'], $start), 'PAGE_NUMBER' => sprintf($lang['Page_of'], ( floor( $start / $board_config['topics_per_page'] ) + 1 ), ceil( $forum_topics / $board_config['topics_per_page'] )), 'L_GOTO_PAGE' => $lang['Goto_page']) ); diff --git a/phpBB/templates/subSilver/bbcode.tpl b/phpBB/templates/subSilver/bbcode.tpl index 6f86f5535..ab5f0a21e 100755 --- a/phpBB/templates/subSilver/bbcode.tpl +++ b/phpBB/templates/subSilver/bbcode.tpl 
@@ -54,6 +54,7 @@ <!-- BEGIN size_close --></span><!-- END size_close --> <!-- BEGIN img --><img src="{URL}" border="0" /><!-- END img --> +<!-- BEGIN p_img -->{L_PRIV_IMG}:{URL}<!-- END p_img --> <!-- BEGIN url --><a href="{URL}" target="_blank" class="postlink">{DESCRIPTION}</a><!-- END url --> diff --git a/phpBB/viewforum.php b/phpBB/viewforum.php index 92d4f7f54..dfb254230 100644 --- a/phpBB/viewforum.php +++ b/phpBB/viewforum.php @@ -372,7 +372,7 @@ $s_auth_can .= ( ( $is_auth['auth_vote'] ) ? $lang['Rules_vote_can'] : $lang['Ru if ( $is_auth['auth_mod'] ) { - $s_auth_can .= sprintf($lang['Rules_moderate'], "<a href=\"modcp.$phpEx?" . POST_FORUM_URL . "=$forum_id&start=" . $start . "&sid=" . $userdata['session_id'] . '">', '</a>'); + $s_auth_can .= sprintf($lang['Rules_moderate'], '<a href="' . append_sid("modcp.$phpEx?" . POST_FORUM_URL . "=$forum_id&start=" . $start . "&p_sid=" . $userdata['priv_session_id']) . '">', '</a>'); } // diff --git a/phpBB/viewtopic.php b/phpBB/viewtopic.php index 8a0c73521..fee84e2d1 100644 --- a/phpBB/viewtopic.php +++ b/phpBB/viewtopic.php 
@@ -590,15 +590,15 @@ $topic_mod = ''; if ( $is_auth['auth_mod'] ) { - $s_auth_can .= sprintf($lang['Rules_moderate'], "<a href=\"modcp.$phpEx?" . POST_FORUM_URL . "=$forum_id&sid=" . $userdata['session_id'] . '">', '</a>'); + $s_auth_can .= sprintf($lang['Rules_moderate'], '<a href="' . append_sid("modcp.$phpEx?" . POST_FORUM_URL . "=$forum_id&p_sid=" . $userdata['priv_session_id']) . '">', '</a>'); - $topic_mod .= "<a href=\"modcp.$phpEx?" . POST_TOPIC_URL . "=$topic_id&mode=delete&sid=" . $userdata['session_id'] . '"><img src="' . $images['topic_mod_delete'] . '" alt="' . $lang['Delete_topic'] . '" title="' . $lang['Delete_topic'] . '" border="0" /></a> '; + $topic_mod .= '<a href="' . append_sid("modcp.$phpEx?" . POST_TOPIC_URL . "=$topic_id&mode=delete&p_sid=" . $userdata['priv_session_id']) . '"><img src="' . $images['topic_mod_delete'] . '" alt="' . $lang['Delete_topic'] . '" title="' . $lang['Delete_topic'] . '" border="0" /></a> '; - $topic_mod .= "<a href=\"modcp.$phpEx?" . POST_TOPIC_URL . "=$topic_id&mode=move&sid=" . $userdata['session_id'] . '"><img src="' . $images['topic_mod_move'] . '" alt="' . $lang['Move_topic'] . '" title="' . $lang['Move_topic'] . '" border="0" /></a> '; + $topic_mod .= '<a href="' . append_sid("modcp.$phpEx?" . POST_TOPIC_URL . "=$topic_id&mode=move&p_sid=" . $userdata['priv_session_id']) . '"><img src="' . $images['topic_mod_move'] . '" alt="' . $lang['Move_topic'] . '" title="' . $lang['Move_topic'] . '" border="0" /></a> '; - $topic_mod .= ( $forum_topic_data['topic_status'] == TOPIC_UNLOCKED ) ? "<a href=\"modcp.$phpEx?" . POST_TOPIC_URL . "=$topic_id&mode=lock&sid=" . $userdata['session_id'] . '"><img src="' . $images['topic_mod_lock'] . '" alt="' . $lang['Lock_topic'] . '" title="' . $lang['Lock_topic'] . '" border="0" /></a> ' : "<a href=\"modcp.$phpEx?" . POST_TOPIC_URL . "=$topic_id&mode=unlock&sid=" . $userdata['session_id'] . '"><img src="' . $images['topic_mod_unlock'] . '" alt="' . $lang['Unlock_topic'] . 
'" title="' . $lang['Unlock_topic'] . '" border="0" /></a> '; + $topic_mod .= ( $forum_topic_data['topic_status'] == TOPIC_UNLOCKED ) ? '<a href="' . append_sid("modcp.$phpEx?" . POST_TOPIC_URL . "=$topic_id&mode=lock&p_sid=" . $userdata['priv_session_id']) . '"><img src="' . $images['topic_mod_lock'] . '" alt="' . $lang['Lock_topic'] . '" title="' . $lang['Lock_topic'] . '" border="0" /></a> ' : '<a href="' . append_sid("modcp.$phpEx?" . POST_TOPIC_URL . "=$topic_id&mode=unlock&p_sid=" . $userdata['priv_session_id']) . '"><img src="' . $images['topic_mod_unlock'] . '" alt="' . $lang['Unlock_topic'] . '" title="' . $lang['Unlock_topic'] . '" border="0" /></a> '; - $topic_mod .= "<a href=\"modcp.$phpEx?" . POST_TOPIC_URL . "=$topic_id&mode=split&sid=" . $userdata['session_id'] . '"><img src="' . $images['topic_mod_split'] . '" alt="' . $lang['Split_topic'] . '" title="' . $lang['Split_topic'] . '" border="0" /></a> '; + $topic_mod .= '<a href="' . append_sid("modcp.$phpEx?" . POST_TOPIC_URL . "=$topic_id&mode=split&p_sid=" . $userdata['priv_session_id']) . '"><img src="' . $images['topic_mod_split'] . '" alt="' . $lang['Split_topic'] . '" title="' . $lang['Split_topic'] . '" border="0" /></a> '; } // 
@@ -1008,13 +1008,13 @@ for($i = 0; $i < $total_posts; $i++) if ( $is_auth['auth_mod'] ) { - $temp_url = "modcp.$phpEx?mode=ip&" . POST_POST_URL . "=" . $postrow[$i]['post_id'] . "&" . POST_TOPIC_URL . "=" . $topic_id . "&sid=" . $userdata['session_id']; + $temp_url = "modcp.$phpEx?mode=ip&" . POST_POST_URL . "=" . $postrow[$i]['post_id'] . "&" . POST_TOPIC_URL . "=" . $topic_id . "&p_sid=" . $userdata['priv_session_id']; $ip_img = '<a href="' . $temp_url . '"><img src="' . $images['icon_ip'] . '" alt="' . $lang['View_IP'] . '" title="' . $lang['View_IP'] . '" border="0" /></a>'; $ip = '<a href="' . $temp_url . '">' . $lang['View_IP'] . '</a>'; - $temp_url = "posting.$phpEx?mode=delete&" . POST_POST_URL . "=" . $postrow[$i]['post_id'] . "&sid=" . $userdata['session_id']; + $temp_url = "posting.$phpEx?mode=delete&" . POST_POST_URL . "=" . $postrow[$i]['post_id'] . "&p_sid=" . $userdata['priv_session_id']; $delpost_img = '<a href="' . $temp_url . '"><img src="' . $images['icon_delpost'] . '" alt="' . $lang['Delete_post'] . '" title="' . $lang['Delete_post'] . '" border="0" /></a>'; - $delpost = '<a href="' . $temp_url . '">' . $lang['Delete_post'] . '</a>'; + $delpost = '<a href="' . append_sid($temp_url) . '">' . $lang['Delete_post'] . '</a>'; } else { 
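Review bot: The two `posting.$phpEx?mode=delete` URLs in this hunk, and the one in the -1023 hunk below it, swap `&sid=` for `&p_sid=`, but posting.php is not part of this commit and, as far as is visible here, still validates `sid`; combined with append_sid()'s `#sid=#` test matching `p_sid=`, the delete links would reach posting.php carrying neither parameter it checks. `$ip_img` and `$delpost_img` are also built from the raw `$temp_url` while only the text anchors `$ip`/`$delpost` go through `append_sid()`, so the icon and text variants of the same action yield different URLs. Keep `sid` on posting.php links until posting.php is taught `p_sid`, and apply `append_sid()` to `$temp_url` once before both the icon and text anchors are built.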
@@ -1023,9 +1023,9 @@ for($i = 0; $i < $total_posts; $i++) if ( $userdata['user_id'] == $poster_id && $is_auth['auth_delete'] && $forum_topic_data['topic_last_post_id'] == $postrow[$i]['post_id'] ) { - $temp_url = "posting.$phpEx?mode=delete&" . POST_POST_URL . "=" . $postrow[$i]['post_id'] . "&sid=" . $userdata['session_id']; + $temp_url = "posting.$phpEx?mode=delete&" . POST_POST_URL . "=" . $postrow[$i]['post_id'] . "&p_sid=" . $userdata['priv_session_id']; $delpost_img = '<a href="' . $temp_url . '"><img src="' . $images['icon_delpost'] . '" alt="' . $lang['Delete_post'] . '" title="' . $lang['Delete_post'] . '" border="0" /></a>'; - $delpost = '<a href="' . $temp_url . '">' . $lang['Delete_post'] . '</a>'; + $delpost = '<a href="' . append_sid($temp_url) . '">' . $lang['Delete_post'] . '</a>'; } else { |