fix post quote under protected forum

xiaomlove · Apr 19, 2023 · e5c91d4 · e5c91d4
1 parent 1cd021e
commit e5c91d4
Show file tree

Hide file tree

Showing 5 changed files with 82 additions and 16 deletions.
diff --git a/app/Models/ForumMod.php b/app/Models/ForumMod.php
@@ -0,0 +1,10 @@
+<?php
+
+namespace App\Models;
+class ForumMod extends NexusModel
+{
+    protected $table = 'forummods';
+
+    protected $fillable = ['forumid', 'userid'];
+
+}
diff --git a/include/constants.php b/include/constants.php
@@ -1,6 +1,6 @@
 <?php
-defined('VERSION_NUMBER') || define('VERSION_NUMBER', '1.8.0');
-defined('RELEASE_DATE') || define('RELEASE_DATE', '2023-04-16');
+defined('VERSION_NUMBER') || define('VERSION_NUMBER', '1.8.1');
+defined('RELEASE_DATE') || define('RELEASE_DATE', '2023-04-20');
 defined('IN_TRACKER') || define('IN_TRACKER', false);
 defined('PROJECTNAME') || define("PROJECTNAME","NexusPHP");
 defined('NEXUSPHPURL') || define("NEXUSPHPURL","https://nexusphp.org");

diff --git a/include/functions.php b/include/functions.php
@@ -6423,4 +6423,54 @@ function username_for_admin(int $id)
     return new HtmlString(get_username($id, false, true, true, true));
 }
 
+function can_view_post($uid, $post)
+{
+    static $topics = [];
+    static $protectedForumIdArr;
+    static $forumMods;
+    if (!is_array($post)) {
+        $post = \App\Models\Post::query()->findOrFail(intval($post))->toArray();
+    }
+    $topicId = $post['topicid'];
+    if (!isset($topics[$topicId])) {
+        $topics[$topicId] = \App\Models\Topic::query()->findOrFail($topicId);
+    }
+    /** @var \App\Models\Topic $topicInfo */
+    $topicInfo = $topics[$topicId];
+
+    $forumId = $topicInfo->forumid;
+
+    if (is_null($protectedForumIdArr)) {
+        $protectedForumIdArr = [];
+        $protectedForumIds = \Nexus\Database\NexusDB::remember("setting_protected_forum", 600, function () {
+            return \App\Models\Setting::getByName('misc.protected_forum');
+        });
+        $protectedForumIdArr = $protectedForumIds ? preg_split("/[,\s]+/", $protectedForumIds) : [];
+    }
+    if (is_null($forumMods)) {
+        $forumMods = [];
+        $results = \App\Models\ForumMod::query()->get();
+        foreach ($results as $item) {
+            $forumMods[$item->forumid] = $item->userid;
+        }
+    }
+    $isForumMod = isset($forumMods[$forumId]) && $forumMods[$forumId] == $uid;
+    $log = sprintf(
+        "uid: $uid, class: %s,  post: {$post['id']}, forumId: $forumId, protectedForumIdArr: %s, forumMods: %s, isForumMod: %s",
+        get_user_class(), json_encode($protectedForumIdArr), json_encode($forumMods), $isForumMod
+    );
+    if (
+        in_array($forumId, $protectedForumIdArr)
+        && get_user_class() < \App\Models\User::CLASS_ADMINISTRATOR
+        && $uid != $post['userid']
+        && $uid != $topicInfo->userid
+        && !$isForumMod
+    ) {
+        do_log("$log, FALSE");
+        return false;
+    }
+    do_log("$log, TRUE");
+    return true;
+}
+
 ?>
diff --git a/public/announce.php b/public/announce.php
@@ -384,7 +384,7 @@
         do_log("notSeedBoxMaxSpeedMbps: $notSeedBoxMaxSpeedMbps, upSpeedMbps: $upSpeedMbps");
         if ($upSpeedMbps > $notSeedBoxMaxSpeedMbps) {
             (new \App\Repositories\UserRepository())->updateDownloadPrivileges(null, $userid, 'no', 'upload_over_speed');
-            do_log("user: $userid downloading privileges have been disabled! (over speed), notSeedBoxMaxSpeedMbps: $notSeedBoxMaxSpeedMbps > upSpeedMbps: $upSpeedMbps", 'error');
+            do_log("user: $userid downloading privileges have been disabled! (over speed), upSpeedMbps: $upSpeedMbps > notSeedBoxMaxSpeedMbps: $notSeedBoxMaxSpeedMbps", 'error');
             err("Your downloading privileges have been disabled! (over speed)");
         }
     }

diff --git a/public/forums.php b/public/forums.php
@@ -270,6 +270,9 @@ function insert_compose_frame($id, $type = 'new')
 {
 	$postid = intval($_GET["postid"] ?? 0);
 	check_whether_exist($postid, 'post');
+    if (!can_view_post($CURUSER['id'], $postid)) {
+        permissiondenied();
+    }
 	stdhead($lang_forums['head_post_reply']);
 	begin_main_frame();
 	insert_compose_frame($postid, 'quote');
@@ -685,15 +688,15 @@ function insert_compose_frame($id, $type = 'new')
 		$forumpostad=$Advertisement->get_ad('forumpost');
 
 	//check if privacy protection enabled in this forum
-	$protected_forums = Nexus\Database\NexusDB::remember("setting_protected_forum", 600, function () {
-		return \App\Models\Setting::getByName('misc.protected_forum');
-	});
-	
-	if ($protected_forums and in_array(strval($forumid),explode(",",$protected_forums))){
-		$protected_enabled=true;
-	}else{
-		$protected_enabled=false;
-	}
+//	$protected_forums = Nexus\Database\NexusDB::remember("setting_protected_forum", 600, function () {
+//		return \App\Models\Setting::getByName('misc.protected_forum');
+//	});
+//
+//	if ($protected_forums and in_array(strval($forumid),explode(",",$protected_forums))){
+//		$protected_enabled=true;
+//	}else{
+//		$protected_enabled=false;
+//	}
 
 	foreach ($allPosts as $arr)
 	{
@@ -761,15 +764,18 @@ function insert_compose_frame($id, $type = 'new')
 		print("</table></div>\n");
 
 		print("<table class=\"main\" width=\"100%\" border=\"1\" cellspacing=\"0\" cellpadding=\"5\">\n");
-				
+
 		$body = "<div id=\"pid".$postid."body\">";
-		//hidden content applied to second or higher floor post (for whose user class below Ad , not poster , not mods ,not reply's author) 
-		if ($protected_enabled && $pn+$offset>1 && get_user_class()<UC_ADMINISTRATOR && $userid != $base_posterid && $posterid!=$userid && !$is_forummod){
+		//hidden content applied to second or higher floor post (for whose user class below Ad , not poster , not mods ,not reply's author)
+//		if ($protected_enabled && $pn+$offset>1 && get_user_class()<UC_ADMINISTRATOR && $userid != $base_posterid && $posterid!=$userid && !$is_forummod){
+		if ($pn+$offset>1 && !can_view_post($userid, $arr)){
 			//enable content protection
 			$bodyContent = format_comment($lang_forums["text_post_protected"]);
+            $canViewProtected = false;
 		}else{
 			//display normal content
 			$bodyContent = format_comment($arr["body"]);
+            $canViewProtected = true;
 		}
 		if ($highlight){
             $bodyContent = highlight($highlight,$bodyContent);
@@ -795,7 +801,7 @@ function insert_compose_frame($id, $type = 'new')
 
 		do_action('post_toolbox', $arr, $allPosts, $CURUSER['id']);
 
-		if ($maypost)
+		if ($maypost && $canViewProtected)
 		print("<a href=\"".htmlspecialchars("?action=quotepost&postid=".$postid)."\"><img class=\"f_quote\" src=\"pic/trans.gif\" alt=\"Quote\" title=\"".$lang_forums['title_reply_with_quote']."\" /></a>");
 
 		if (user_can('postmanage') || $is_forummod)