From 86d4f2eb823058e741f04072dc3ff9e9d8b5baa0 Mon Sep 17 00:00:00 2001
From: Shish
Date: Sun, 15 Dec 2019 20:40:05 +0000
Subject: [PATCH] permissions for sending & reading PMs, so that ghosts can have them revoked

---
 core/permissions.php | 2 ++
 core/userclass.php | 7 ++++++-
 ext/pm/main.php | 32 ++++++++++++++++++--------------
 3 files changed, 26 insertions(+), 15 deletions(-)

diff --git a/core/permissions.php b/core/permissions.php
index a2eb842b..bea6368c 100644
--- a/core/permissions.php
+++ b/core/permissions.php
@@ -51,6 +51,8 @@ abstract class Permissions
 public const MANAGE_ADMINTOOLS = "manage_admintools";
+ public const SEND_PM = "send_pm";
+ public const READ_PM = "read_pm";
 public const VIEW_OTHER_PMS = "view_other_pms";
 public const EDIT_FEATURE = "edit_feature";
 public const BULK_EDIT_VOTE = "bulk_edit_vote";
diff --git a/core/userclass.php b/core/userclass.php
index faf41bbe..3d49e852 100644
--- a/core/userclass.php
+++ b/core/userclass.php
@@ -121,6 +121,8 @@ new UserClass("base", null, [
 Permissions::MANAGE_ADMINTOOLS => false,
+ Permissions::SEND_PM => false,
+ Permissions::READ_PM => false,
 Permissions::VIEW_OTHER_PMS => false,
 Permissions::EDIT_FEATURE => false,
 Permissions::BULK_EDIT_VOTE => false,
@@ -176,7 +178,8 @@ new UserClass("user", "base", [
 Permissions::EDIT_IMAGE_TITLE => true,
 Permissions::CREATE_IMAGE_REPORT => true,
 Permissions::EDIT_IMAGE_RATING => true,
-
+ Permissions::SEND_PM => true,
+ Permissions::READ_PM => true,
 ]);
 new UserClass("admin", "base", [
@@ -216,6 +219,8 @@ new UserClass("admin", "base", [
 Permissions::MANAGE_BLOCKS => true,
 Permissions::MANAGE_ADMINTOOLS => true,
 Permissions::IGNORE_DOWNTIME => true,
+ Permissions::SEND_PM => true,
+ Permissions::READ_PM => true,
 Permissions::VIEW_OTHER_PMS => true,
 Permissions::EDIT_FEATURE => true,
 Permissions::BULK_EDIT_VOTE => true,
diff --git a/ext/pm/main.php b/ext/pm/main.php
index b0d5d874..b7b8bbce 100644
--- a/ext/pm/main.php
+++ b/ext/pm/main.php
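Review bot: The "user" hunk (@@ -176) grants SEND_PM and READ_PM to every ordinary user, but no hunk in core/userclass.php touches the ghost class the commit title is about. If a ghost UserClass is declared elsewhere in this file and inherits from "user" rather than "base" (not visible here), it inherits both permissions as true and revocation depends on per-site configuration instead of the shipped default. If ghosts are meant to lose PM access out of the box, add `Permissions::SEND_PM => false,` and `Permissions::READ_PM => false,` to that class's array; the "base" hunk already defaults both to false, so anonymous users keep the old exclusion.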
@@ -87,7 +87,7 @@ class PrivMsg extends Extension
 {
 global $user;
 if ($event->parent==="user") {
- if (!$user->is_anonymous()) {
+ if ($user->can(Permissions::READ_PM)) {
 $count = $this->count_pms($user);
 $h_count = $count > 0 ? " ($count)" : "";
 $event->add_nav_link("pm", new Link('user#private-messages'), "Private Messages$h_count");
@@ -99,7 +99,7 @@ class PrivMsg extends Extension
 public function onUserBlockBuilding(UserBlockBuildingEvent $event)
 {
 global $user;
- if (!$user->is_anonymous()) {
+ if ($user->can(Permissions::READ_PM)) {
 $count = $this->count_pms($user);
 $h_count = $count > 0 ? " ($count)" : "";
 $event->add_link("Private Messages$h_count", make_link("user#private-messages"));
@@ -124,9 +124,9 @@ class PrivMsg extends Extension
 {
 global $cache, $database, $page, $user;
 if ($event->page_matches("pm")) {
- if (!$user->is_anonymous()) {
- switch ($event->get_arg(0)) {
- case "read":
+ switch ($event->get_arg(0)) {
+ case "read":
+ if ($user->can(Permissions::READ_PM)) {
 $pm_id = int_escape($event->get_arg(1));
 $pm = $database->get_row("SELECT * FROM private_message WHERE id = :id", ["id" => $pm_id]);
 if (is_null($pm)) {
@@ -141,8 +141,10 @@ class PrivMsg extends Extension
 } else {
 $this->theme->display_permission_denied();
 }
- break;
- case "delete":
+ }
+ break;
+ case "delete":
+ if ($user->can(Permissions::READ_PM)) {
 if ($user->check_auth_token()) {
 $pm_id = int_escape($_POST["pm_id"]);
 $pm = $database->get_row("SELECT * FROM private_message WHERE id = :id", ["id" => $pm_id]);
@@ -156,8 +158,10 @@ class PrivMsg extends Extension
 $page->set_redirect($_SERVER["HTTP_REFERER"]);
 }
 }
- break;
- case "send":
+ }
+ break;
+ case "send":
+ if ($user->can(Permissions::SEND_PM)) {
 if ($user->check_auth_token()) {
 $to_id = int_escape($_POST["to_id"]);
 $from_id = $user->id;
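Review bot: The new `if ($user->can(Permissions::READ_PM)) {` guard added under `case "read":` in the @@ -124 hunk has no else branch, so a logged-in user whose class lacks the permission and requests the pm/read action falls straight to `break;` and gets an empty page instead of a refusal; the ownership check a few lines further down already answers failure with `$this->theme->display_permission_denied();`, so the outer guard should do the same for consistency, e.g. `} else { $this->theme->display_permission_denied(); }` before the `break;`. The same silent fall-through applies to the `case "delete":` guard in the @@ -141 hunk and the `case "send":` guard in the @@ -156 hunk. Under the old `!is_anonymous()` wrapper this could only happen for anonymous users, whereas now any class with the permission revoked (the ghost case this commit is for) hits it, which makes a visible denial more important. The enclosing onPageRequest-style handler starts before the @@ -124 hunk and ends after the last hunk of this file.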
@@ -168,11 +172,11 @@ class PrivMsg extends Extension
 $page->set_mode(PageMode::REDIRECT);
 $page->set_redirect($_SERVER["HTTP_REFERER"]);
 }
- break;
- default:
- $this->theme->display_error(400, "Invalid action", "That's not something you can do with a PM");
- break;
- }
+ }
+ break;
+ default:
+ $this->theme->display_error(400, "Invalid action", "That's not something you can do with a PM");
+ break;
 }
 }
 }