Update of /cvs/scoop/scoop/lib/Scoop/Admin
In directory lithium.sabren.com:/tmp/cvs-serv30231/lib/Scoop/Admin

Modified Files:
	AdminStories.pm 
Log Message:
Committing XSS security fixes (plus some others janra found, as I recall) 
and some fixes found during the K5 upgrade. -j


Index: AdminStories.pm
===================================================================
RCS file: /cvs/scoop/scoop/lib/Scoop/Admin/AdminStories.pm,v
retrieving revision 1.153
retrieving revision 1.154
diff -C2 -d -r1.153 -r1.154
*** AdminStories.pm	26 Jul 2006 20:27:00 -0000	1.153
--- AdminStories.pm	6 Aug 2006 04:22:45 -0000	1.154
***************
*** 580,583 ****
--- 580,630 ----
                          return (0, 'Please include at least one tag with your story.') unless $params{tags};
                          }
+ 	} elsif ($mode eq 'full' && !$S->have_perm('story_admin')) {
+ 		my $filter_errors;
+ 
+ 		# gotta set displaystatus to whatever it was before, since
+ 		# it's not set if you can't select the display status
+ 		if(!$S->have_perm('story_displaystatus_select')){
+ 			my ($rv, $sth) = $S->db_select({
+ 				WHAT => 'displaystatus',
+ 				FROM => 'stories',
+ 				WHERE => "sid = '$sid'"
+ 				});
+ 			my $r = $sth->fetchrow;
+ 			$sth->finish;
+ 			$params{displaystatus} = $r;
+ 			}
+ 		# might as well get comment status too
+ 		unless($S->have_perm('story_commentstatus_select')){
+ 			my ($rv, $sth) = $S->db_select({
+ 				WHAT => 'commentstatus',
+ 				FROM => 'stories',
+ 				WHERE => "sid = '$sid'"
+ 				});
+ 			my $c = $sth->fetchrow;
+ 			$sth->finish;
+ 			$params{comment_status} = ($c) ? $c : $S->dbh->quote(0);
+ 			}
+ 
+                 $params{introtext} = $S->filter_comment($params{introtext}, 'intro', $posttype);
+                 $filter_errors = $S->html_checker->errors_as_string;
+                 return (0, $filter_errors) if $filter_errors;
+ 
+                 $params{bodytext} = $S->filter_comment($params{bodytext}, 'body', $posttype);
+                 $filter_errors = $S->html_checker->errors_as_string;
+                 return (0, $filter_errors) if $filter_errors;
+ 
+ 		$params{title} = $S->filter_subject($params{title});
+                 $params{dept} = $S->filter_subject($params{dept});
+ 
+                 # one more constraint on posting: title length
+                 # if it's more than 100 (the db field size), don't let them post
+ 		if (length($params{title}) > 100) {
+                         return (0, 'Please choose a shorter title.');
+                         }
+                 # and make sure we have tags
+                 if($S->var('use_tags') && $S->var('require_tags')){
+                         return (0, 'Please include at least one tag with your story.') unless $params{tags};
+                         }
  	} else {
  		# check to see if story is moving out of edit queue
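Review bot: The two new lookups interpolate `$sid` straight into the WHERE clause (`WHERE => "sid = '$sid'"`), which is the SQL-injection shape this security-fix commit is otherwise tightening; unless `$sid` was already validated earlier in the function (it starts above this hunk and is not visible here), it should be quoted, e.g. `WHERE => 'sid = ' . $S->dbh->quote($sid)`, and the two single-column SELECTs could be one query fetching both `displaystatus` and `commentstatus`. Separately, `$params{comment_status} = ($c) ? $c : $S->dbh->quote(0)` hands back a raw column value on one branch and an already-quoted literal on the other, so whichever code later writes the row receives two different shapes — if that writer quotes its inputs, the `0` case gets quoted twice; worth checking against the update path. Neither branch handles a sid that matches no row: `$r` comes back undef and is stored as the display status, which is a different value from "unchanged". The enclosing function continues outside the hunk on both ends.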
***************
*** 923,926 ****
--- 970,981 ----
  	my $section = $S->cgi->param('section');
  	my $sid = $S->cgi->param('sid');
+ 	# if we're editing an existing story, we won't have the section in the
+ 	# cgi params when we first load it. It doesn't seem to matter to
+ 	# folks with story_admin, but it does for normal users, so...
+ 	if($sid && !$section){
+ 		my $s = $S->story_data([$sid]);
+ 		$section = $s->[0]->{section}; # voila
+ 		}
+ 
  	if (!$S->var('diary_topics')) {
  		if ($S->have_perm('story_admin') && $sid) {
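Review bot: The new `$S->story_data([$sid])` lookup is never checked for success: when `$sid` names no story, `$s->[0]` is undef and `$s->[0]->{section}` silently leaves `$section` undef, so the rest of the function runs with neither a submitted nor a stored section rather than rejecting the request. A guard such as `return unless ref $s eq 'ARRAY' && @$s && defined $s->[0]{section};` (or whatever error form this function uses — its start is above the hunk) would make the failure explicit. Note also that `$sid` here is a raw CGI parameter; whether `story_data` quotes or validates it is not visible from this hunk and is worth confirming given the commit's purpose.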