Update of /cvs/scoop/scoop/lib/Scoop/Admin
In directory lithium.sabren.com:/tmp/cvs-serv20953/lib/Scoop/Admin
Modified Files:
AdminStories.pm
Log Message:
Fix for an aid form-editing hole. save_story() now discards any incoming aid unless the user has story_admin perms.
Index: AdminStories.pm
===================================================================
RCS file: /cvs/scoop/scoop/lib/Scoop/Admin/AdminStories.pm,v
retrieving revision 1.152
retrieving revision 1.153
diff -C2 -d -r1.152 -r1.153
*** AdminStories.pm 13 Mar 2006 07:49:59 -0000 1.152
--- AdminStories.pm 26 Jul 2006 20:27:00 -0000 1.153
***************
*** 619,622 ****
--- 619,624 ----
my $commentstatus = $params{comment_status} || 0;
my $time = $params{time};
+ my $aid = ($S->have_perm('story_admin')) ? $S->dbh->quote($params{aid}) : $S->dbh->quote($S->{UID});
+
if ($params{timeupdate} eq 'now' || $time eq '') {
$time = $currtime;
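Review bot: The new `$aid` line falls back to the editor's own UID whenever the caller lacks story_admin, but the same `$aid` is also written by the UPDATE SET clause in the next hunk (631-635), so a non-admin editing an existing story appears to have its authorship reassigned to the editor rather than merely being prevented from changing it; only the INSERT path in the third hunk (670-674) wants the UID default. If non-admins can reach the update path, the safer shape is to keep the stored author there, e.g. leave `aid=` out of the SET clause for them or read the existing aid before building `$aid`. Separately, when an admin submits the form without an aid, `$S->dbh->quote($params{aid})` on an undef value yields the literal `NULL` (DBI's behaviour for undef), so a `$params{aid} || $S->{UID}` fallback inside the admin branch would avoid writing a null author column. save_story() starts and ends outside this hunk.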
***************
*** 629,633 ****
WHAT => 'stories',
SET => qq|tid='$params{tid}',
! aid=$params{aid},
title=$title,
dept=$dept,
--- 631,635 ----
WHAT => 'stories',
SET => qq|tid='$params{tid}',
! aid=$aid,
title=$title,
dept=$dept,
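Review bot: `tid='$params{tid}'` on the SET line is still interpolated straight from the request while the neighbouring columns (`$aid`, `$title`, `$dept`) go through `$S->dbh->quote`, and the INSERT in the next hunk (670-674) already uses a quoted `$q_tid` for the same column, so this UPDATE is the odd one out; the same applies to the bare `$params{displaystatus}` in that INSERT's VALUES list. Unless both values are validated earlier in save_story() (which begins outside the hunk), route them through the same quoting as the other columns, e.g. `tid=$q_tid,` here if `$q_tid` is already defined at that point, and `my $q_displaystatus = $S->dbh->quote($params{displaystatus});` for the VALUES list. The UPDATE statement is cut at both ends of this hunk.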
***************
*** 668,672 ****
INTO => 'stories',
COLS => 'sid, tid, aid, title, dept, time, introtext, bodytext, section, displaystatus, commentstatus, edit_category',
! VALUES => qq|$q_sid, $q_tid, $params{aid}, $title, $dept, '$time', $introtext, $bodytext, $section, $params{displaystatus}, $commentstatus, $edit_category|});
# Save story tags, if we're using them
--- 670,674 ----
INTO => 'stories',
COLS => 'sid, tid, aid, title, dept, time, introtext, bodytext, section, displaystatus, commentstatus, edit_category',
! VALUES => qq|$q_sid, $q_tid, $aid, $title, $dept, '$time', $introtext, $bodytext, $section, $params{displaystatus}, $commentstatus, $edit_category|});
# Save story tags, if we're using them