 
 
Oct 8th 2007 edited
 
That is wacky... Vanilla.Class.Discussion.php appears to set a default category of 0:
// NOTE(review): the default 0 presumably applies when the request carries no usable
// CategoryID (ForceIncomingInt is not shown here -- confirm it coerces the incoming
// value to int). 0 is not a real category, so a later save must reject it.
$this->CategoryID = ForceIncomingInt('CategoryID', 0);

Which trips an error message--at least I believe it does on my install...
 
Oct 8th 2007
 
Oh... I see... you specified a category of 100, but it's not a valid CategoryID.
 
Oct 8th 2007
 
Confirmed that this also allows one to post a discussion to a category they have no permission to view.

The poster can't see the result, but it could still cause some disruption to people who do have permission in the other category.
 
Nov 15th 2007 edited
 
Fix: r675 adds the following to DiscussionManager->SaveDiscussion():
// Validate the Discussion topic
// NOTE(review): fragment of DiscussionManager->SaveDiscussion() (r675 plus the RowCount
// reset later added in r706); the method's header and the rest of its body are not shown.
$Name = FormatStringForDatabaseInput($Discussion->Name);
Validate($this->Context->GetDefinition('DiscussionTopicLower'), 1, $Name, 100, '', $this->Context);

//Validate the category ID and role
// Intent: fetch the submitted category joined against the current role's
// CategoryRoleBlock row, so a row comes back only when that role is not blocked
// from (and can therefore see) the category. This is the server-side check that
// stops a user posting into a category hidden from them.
$s = $this->Context->ObjectFactory->NewContextObject($this->Context, 'SqlBuilder');
$s->SetMainTable('Category', 'c');
$s->AddSelect('CategoryID', 'c');
// Left join limited to the session user's role. RoleID is concatenated straight into
// the join condition rather than going through the builder's value handling; it comes
// from the session, not the request, so keep it that way (never a request value here).
$s->AddJoin('CategoryRoleBlock', 'crb', 'CategoryID', 'c', 'CategoryID', 'left join', ' and crb.'.$this->Context->DatabaseColumns['CategoryRoleBlock']['RoleID'].' = '.$this->Context->Session->User->RoleID);
// NOTE(review): the first two clauses are identical ('Blocked = 0' twice). The group
// opened on the first clause is only closed after the CategoryID clause below; if the
// builder emits the clauses in order, AND binds tighter than OR in SQL and the
// CategoryID restriction would attach to the IS NULL branch only -- verify the
// generated SQL (SqlBuilder is not visible here).
$s->AddWhere('crb', 'Blocked', '', '0', '=', 'and', '', 1, 1);
$s->AddWhere('crb', 'Blocked', '', '0', '=', 'or', '', 0, 0);
$s->AddWhere('crb', 'Blocked', '', 'null', 'is', 'or', '', 0, 0);
// Restrict to the submitted category; CategoryID is expected to be an int already
// (see ForceIncomingInt in Vanilla.Class.Discussion.php).
$s->AddWhere('c', 'CategoryID', '', $Discussion->CategoryID, '=', 'and');
$s->EndWhereGroup();

$CategoryAllowed = $this->Context->Database->Select($s, $this->Name, 'SaveDiscussion', 'An error occurred while validating categories.');
// No row means the category does not exist or this role is blocked from it. Reset to 0
// so the check below raises ErrSelectCategory instead of saving into that category.
// Without this line the query result is never consulted and the check is a no-op.
if ($this->Context->Database->RowCount($CategoryAllowed) < 1) $Discussion->CategoryID = 0;

// Rejects a missing category (0) and, via the reset above, a disallowed one.
if ($Discussion->CategoryID <= 0) $this->Context->WarningCollector->Add($this->Context->GetDefinition('ErrSelectCategory'));


One other change further down to clear the SqlBuilder instead of calling the ObjectFactory again.
 
Mar 13th 2008 edited
 
Nevermind...
 
Jun 6th 2008
 
You forgot this part:
// Without this reset the $CategoryAllowed query result is never used and the
// category-permission check does nothing; 0 makes the ErrSelectCategory check fire.
if ($this->Context->Database->RowCount($CategoryAllowed) < 1) {
$Discussion->CategoryID = 0;
}
 
Jun 6th 2008
 
Didn't forget -- I left it out on purpose. It's all the same to me.
 
Jun 7th 2008 edited
 
I added this part back (r706):
// Same check as above, brace-less: reset to 0 when the permission query returns no
// row so the save is rejected rather than written into a hidden category.
if ($this->Context->Database->RowCount($CategoryAllowed) < 1) $Discussion->CategoryID = 0;
I shouldn't have?
 
Jun 7th 2008
 
I usually write IFs both with and without braces, and it looks like Mark does too.

I guess I'm saying lets not decide on a standard because I'll accidentally break it roughly half the time!
 
Jun 7th 2008
 
The test was missing from your patch entirely:
Index: Vanilla.Class.DiscussionManager.php
===================================================================
--- Vanilla.Class.DiscussionManager.php (revision 674)
+++ Vanilla.Class.DiscussionManager.php (revision 675)
@@ -428,6 +428,20 @@
// Validate the Discussion topic
$Name = FormatStringForDatabaseInput($Discussion->Name);
Validate($this->Context->GetDefinition('DiscussionTopicLower'), 1, $Name, 100, '', $this->Context);
+
+ //Validate the category ID and role
+ $s = $this->Context->ObjectFactory->NewContextObject($this->Context, 'SqlBuilder');
+ $s->SetMainTable('Category', 'c');
+ $s->AddSelect('CategoryID', 'c');
+ $s->AddJoin('CategoryRoleBlock', 'crb', 'CategoryID', 'c', 'CategoryID', 'left join', ' and crb.'.$this->Context->DatabaseColumns['CategoryRoleBlock']['RoleID'].' = '.$this->Context->Session->User->RoleID);
+ $s->AddWhere('crb', 'Blocked', '', '0', '=', 'and', '', 1, 1);
+ $s->AddWhere('crb', 'Blocked', '', '0', '=', 'or', '', 0, 0);
+ $s->AddWhere('crb', 'Blocked', '', 'null', 'is', 'or', '', 0, 0);
+ $s->AddWhere('c', 'CategoryID', '', $Discussion->CategoryID, '=', 'and');
+ $s->EndWhereGroup();
+
+ $CategoryAllowed = $this->Context->Database->Select($s, $this->Name, 'SaveDiscussion', 'An error occurred while validating category permissions.');
+
if ($Discussion->CategoryID <= 0) $this->Context->WarningCollector->Add($this->Context->GetDefinition('ErrSelectCategory'));

// Validate first comment
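Review bot: The where clauses added at lines 90–94 contain two identical `Blocked = 0` conditions, and the group opened on the first of them is only closed after the `c.CategoryID` clause, so if SqlBuilder emits the clauses in order the parenthesis would read `... = 0 OR ... = 0 OR ... IS NULL AND c.CategoryID = N`; since AND binds tighter than OR in SQL, the category restriction would then apply only to the IS NULL branch and any unblocked category row could satisfy the query. I cannot see SqlBuilder from here, so check the generated SQL; if it is as described, move `$s->EndWhereGroup();` above the `$s->AddWhere('c', 'CategoryID', ...)` line and drop the duplicate clause on line 91. The RoleID concatenated into the join string on line 89 comes from the session rather than the request, which is fine, but it should never be replaced by a request value. SaveDiscussion starts and ends outside this hunk.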
@@ -452,7 +466,7 @@
if ($this->Context->WarningCollector->Count() == 0) $Discussion->Name = $Name;

if($this->Context->WarningCollector->Iif()) {
- $s = $this->Context->ObjectFactory->NewContextObject($this->Context, 'SqlBuilder');
+ $s->Clear();

// Update the user info & check for spam
if ($NewDiscussion) {
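Review bot: `$s->Clear()` on line 106 makes this branch depend on the validation query above having left `$s` in a fully reset state; whether Clear() drops the join, the open where group and the select list is not visible here, and anything it retains would be folded into the query that follows. Unless Clear() is known to reset every builder field, keeping `$s = $this->Context->ObjectFactory->NewContextObject($this->Context, 'SqlBuilder');` gives a fresh builder at the cost of one allocation. The enclosing `if` and SaveDiscussion continue outside this hunk.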
 
Jun 8th 2008
 
Oh I see. That makes sense.

Thanks!
