Alliance forum fixes part 1

Fixed the majority of security issues:

+Fixed a bug that permitted to edit, delete and create a forum in any
alliance, without any permissions
+Fixed a bug that permitted to edit, create and delete any kind of
thread, with any kind of permission
+Fixed a bug that permitted to edit, modify and delete every kind of
post, without any kind of permission
+Fixed a bug that din't permit to create posts and threads
+Fixed a bug that permitted to create forum and threads with empty
name/topic
+Fixed a bug that permitted to move a thread to an invalid forum
+Fixed a bug that permitted to create an invalid type of forum
+Fixed a bug that didn't permit to move forums, to the top and the
bottom of their forum type (in reality, it wasn't even coded)
+Added a sorting column for supporting the "move to top/bottom"
functionality
+Minor improvements and bug fixing/code indentation/removal of redundant
code

NOTE: For playing this version, you HAVE to add a new column to the table "s1_forum_cat", you can simply do that by running this query (where "s1_" is the prefix of your server): ALTER TABLE s1_forum_cat ADD `sorting` int(11) NOT NULL AFTER `id`
This commit is contained in:
iopietro
2018-05-18 00:28:48 +02:00
parent 6909ba4e58
commit e5d823cda0
16 changed files with 1073 additions and 1247 deletions
+43 -34
View File
@@ -41,22 +41,23 @@ if (!$autoloader_found) {
class Alliance {
public $gotInvite = false;
public $inviteArray = array();
public $allianceArray = array();
public $userPermArray = array();
public $inviteArray = [];
public $allianceArray = [];
public $userPermArray = [];
public function procAlliance($get) {
global $session, $database;
if($session->alliance != 0) {
if($session->alliance > 0) {
$this->allianceArray = $database->getAlliance($session->alliance);
// Permissions Array
// [id] => id [uid] => uid [alliance] => alliance [opt1] => X [opt2] => X [opt3] => X [opt4] => X [opt5] => X [opt6] => X [opt7] => X [opt8] => X
$this->userPermArray = $database->getAlliPermissions($session->uid, $session->alliance);
} else {
$this->inviteArray = $database->getInvitation($session->uid);
$this->gotInvite = count($this->inviteArray) == 0 ? false : true;
$this->gotInvite = count($this->inviteArray) > 0;
}
if(isset($get['a'])) {
switch($get['a']) {
case 2:
@@ -65,8 +66,6 @@ class Alliance {
case 3:
$this->acceptInvite($get);
break;
default:
break;
}
}
if(isset($get['o'])) {
@@ -74,20 +73,37 @@ class Alliance {
case 4:
$this->delInvite($get);
break;
default:
break;
}
}
}
/**
* Redirects to the option menu if some errors were generated
* Determines if a player can act with the forum (edit/delete/create things, etc.)
*
* @param array $datas The array which contains: [aid, alliance, forum_perm, admin, owner]
* @return bool Returns true if you are able to act, false otherwise
*/
public function redirect()
public static function canAct($datas, $mode = 0){
global $database, $session;
return ($database->CheckEditRes($datas['aid']) == 1 && ((($database->isAllianceOwner($session->uid) == $datas['alliance'] ||
($datas['forum_perm'] == 1 && $session->alliance == $datas['alliance'])) &&
($mode || (isset($datas['admin']) && !empty($datas['admin']) && $datas['admin'] == "switch_admin"))) ||
$datas['owner'] == $session->uid));
}
/**
* Redirects to the forum selection
*
* @param array $get Contains the values of a GET request
*/
public function redirect($get)
{
header("location: allianz.php?s=5");
exit;
header("Location: allianz.php?s=2".(isset($get['fid']) && !empty($get['fid']) ? "&fid=".$get['fid']."" : "").
(isset($get['admin']) && !empty($get['admin']) ? "&admin=switch_admin" : ""));
exit;
}
public function procAlliForm($post) {
@@ -99,27 +115,20 @@ class Alliance {
}
}
if(isset($post['dipl']) && isset($post['a_name'])) {
$this->changediplomacy($post);
}
if(isset($post['dipl']) && isset($post['a_name'])) $this->changediplomacy($post);
if(isset($post['s'])) {
if(isset($post['o'])) {
switch($post['o']) {
case 1:
if(isset($_POST['a'])) {
$this->changeUserPermissions($post);
}
if(isset($_POST['a'])) $this->changeUserPermissions($post);
break;
case 2:
if(isset($_POST['a_user'])) {
$this->kickAlliUser($post);
}
if(isset($_POST['a_user'])) $this->kickAlliUser($post);
break;
case 4:
if(isset($_POST['a']) && $_POST['a'] == 4) {
$this->sendInvite($post);
}
if(isset($_POST['a']) && $_POST['a'] == 4) $this->sendInvite($post);
break;
case 3:
$this->updateAlliProfile($post);
@@ -446,16 +455,16 @@ class Alliance {
public function Vote($post) {
global $database, $session;
if($session->access != BANNED){
if($database->checkSurvey($post['tid']) && !$database->checkVote($post['tid'], $session->uid)){
$survey = $database->getSurvey($post['tid']);
$text = ''.$survey['voted'].','.$session->uid.',';
$database->Vote($post['tid'], $post['vote'], $text);
}
header("Location: allianz.php?s=2&fid2=".$post['fid2']."&pid=".$post['pid']."&tid=".$post['tid']);
exit;
if($database->checkSurvey($post['tid']) && !$database->checkVote($post['tid'], $session->uid)){
$survey = $database->getSurvey($post['tid']);
$text = ''.$survey['voted'].','.$session->uid.',';
$database->Vote($post['tid'], $post['vote'], $text);
}
header("Location: allianz.php?s=2&fid2=".$post['fid2']."&tid=".$post['tid']);
exit;
}else{
header("Location: banned.php");
exit;
header("Location: banned.php");
exit;
}
}
/*****************************************
+25 -21
View File
@@ -2373,7 +2373,7 @@ class MYSQLi_DB implements IDbConnection {
function ForumCat($id) {
list($id) = $this->escape_input($id);
$q = "SELECT * from " . TB_PREFIX . "forum_cat where alliance = '$id' ORDER BY id";
$q = "SELECT * from " . TB_PREFIX . "forum_cat where alliance = '$id' ORDER BY sorting DESC, id";
$result = mysqli_query($this->dblink,$q);
return $this->mysqli_fetch_all($result);
}
@@ -2413,11 +2413,7 @@ class MYSQLi_DB implements IDbConnection {
$q = "SELECT Count(*) as Total from " . TB_PREFIX . "forum_topic where cat = $id";
$result = mysqli_fetch_array(mysqli_query($this->dblink,$q), MYSQLI_ASSOC);
if ($result['Total']) {
return true;
} else {
return false;
}
return $result['Total'] > 0;
}
// no need to cache this method
@@ -2426,11 +2422,7 @@ class MYSQLi_DB implements IDbConnection {
$q = "SELECT Count(*) as Total from " . TB_PREFIX . "forum_edit where alliance = $alli";
$result = mysqli_fetch_array(mysqli_query($this->dblink,$q), MYSQLI_ASSOC);
if ($result['Total']) {
return true;
} else {
return false;
}
return $result['Total'] > 0;
}
// no need to cache this method
@@ -2510,6 +2502,18 @@ class MYSQLi_DB implements IDbConnection {
}
}
function MoveForum($id, $area, $ally, $mode){
list($id, $area, $ally, $mode) = $this->escape_input((int) $id, (int) $area, (int) $ally, $mode);
$q = "UPDATE
".TB_PREFIX."forum_cat
SET
sorting = (SELECT * FROM(SELECT ".(!$mode ? "MIN" : "MAX")."(sorting) FROM ".TB_PREFIX."forum_cat WHERE forum_area = $area AND alliance = $ally AND id != $id) f) ".(!$mode ? "-" : "+")." 1
WHERE
id = $id";
return mysqli_query($this->dblink, $q);
}
function UpdateEditTopic($id, $title, $cat) {
list($id, $title, $cat) = $this->escape_input((int) $id, $title, $cat);
@@ -2517,17 +2521,17 @@ class MYSQLi_DB implements IDbConnection {
return mysqli_query($this->dblink,$q);
}
function UpdateEditForum($id, $name, $des) {
list($id, $name, $des) = $this->escape_input((int) $id, $name, $des);
function UpdateEditForum($id, $name, $des, $ally) {
list($id, $name, $des, $ally) = $this->escape_input((int) $id, $name, $des, (int) $ally);
$q = "UPDATE " . TB_PREFIX . "forum_cat set forum_name = '$name', forum_des = '$des' where id = $id";
$q = "UPDATE " . TB_PREFIX . "forum_cat SET forum_name = '$name', forum_des = '$des' WHERE id = $id AND alliance = $ally";
return mysqli_query($this->dblink,$q);
}
function StickTopic($id, $mode) {
list($id, $mode) = $this->escape_input((int) $id, $mode);
list($id, $mode) = $this->escape_input((int) $id, (int) $mode);
$q = "UPDATE " . TB_PREFIX . "forum_topic set stick = '$mode' where id = $id";
$q = "UPDATE " . TB_PREFIX . "forum_topic SET stick = $mode WHERE id = $id";
return mysqli_query($this->dblink,$q);
}
@@ -2579,7 +2583,7 @@ class MYSQLi_DB implements IDbConnection {
function CreatForum($owner, $alli, $name, $des, $area) {
list($owner, $alli, $name, $des, $area) = $this->escape_input($owner, $alli, $name, $des, $area);
$q = "INSERT into " . TB_PREFIX . "forum_cat values (0,'$owner','$alli','$name','$des','$area')";
$q = "INSERT into " . TB_PREFIX . "forum_cat values (0, 0,'$owner','$alli','$name','$des','$area')";
mysqli_query($this->dblink,$q);
return mysqli_insert_id($this->dblink);
}
@@ -2719,7 +2723,8 @@ class MYSQLi_DB implements IDbConnection {
list($id, $post, $alliance, $player, $coor, $report) = $this->escape_input((int) $id, $post, (int) $alliance, (int) $player, (int) $coor, (int) $report);
$q = "UPDATE " . TB_PREFIX . "forum_topic set post = '$post', alliance0 = $alliance, player0 = $player, coor0 = $coor, report0 = $report where id = $id";
return mysqli_query($this->dblink,$q);
return mysqli_query($this->dblink, $q);
}
function EditUpdatePost($id, $post, $alliance, $player, $coor, $report) {
@@ -2840,9 +2845,8 @@ class MYSQLi_DB implements IDbConnection {
if(mysqli_num_rows($result)) {
$result = mysqli_fetch_assoc($result);
$result = $result['id'];
} else {
$result = false;
}
}
else $result = false;
self::$allianceOwnerCheckCache[$id] = $result;
return self::$allianceOwnerCheckCache[$id];
+1
View File
@@ -88,6 +88,7 @@ define("OFFERED_CONFED_TO","offered a confederation to");
define("ALLY_TOO_MUCH_PACTS","Either You cannot offer more pacts of this kind or this alliance has reached the limit for this kind of patcs");
define("ALLY_PERMISSIONS_UPDATED","Permissions updated");
define("ALLY_FORUM_LINK_UPDATED", "Forum link updated");
define("NO_FORUMS_YET","There are no forums yet.");
define("ALLY_USER_KICKED"," has been kicked from the alliance");
define("NOT_OPENED_YET","Server not started yet.");
define("REGISTER_CLOSED","The register is closed. You can't register to this server.");