Commit a4dcf982 authored by Clare Lenihan's avatar Clare Lenihan Committed by Clare Lenihan

Added checking of parameters

parent cfa20553
......@@ -33,7 +33,7 @@ require_once('group.php');
$userid = $USER->get('id');
$postid = param_integer('id');
$info = get_record_sql(
'SELECT p.topic, t.forum, f.group
'SELECT p.topic, p.parent, t.forum, f.group
FROM {interaction_forum_post} p
INNER JOIN {interaction_forum_topic} t
ON (p.topic = t.id)
......@@ -44,7 +44,13 @@ $info = get_record_sql(
);
$topicid = $info->topic;
if (!$info) {
throw new NotFoundException("Couldn't find post with id $postid");
}
if (!$info->parent) {
throw new NotFoundException("Cannot edit first post"); // TODO: replace with correct exception
}
$membership = user_can_access_group((int)$info->group);
......@@ -76,7 +82,7 @@ $form = pieform(array(
'submit' => array(
'type' => 'submitcancel',
'value' => array(get_string('yes'), get_string('no')),
'goto' => get_config('wwwroot') . 'interaction/forum/topic.php?id=' . $topicid,
'goto' => get_config('wwwroot') . 'interaction/forum/topic.php?id=' . $info->topic,
)
)
));
......@@ -88,14 +94,13 @@ function deletepost_submit(Pieform $form, $values) {
array('deleted' => 1),
array('id' => $postid)
);
$topicid = get_record_sql(
'SELECT topic
$topic = get_record_sql(
'SELECT topic as id
FROM {interaction_forum_post}
WHERE id = ?',
array($postid)
);
$topicid = $topicid->topic;
redirect('/interaction/forum/topic.php?id=' . $topicid);
redirect('/interaction/forum/topic.php?id=' . $topic->id);
}
$smarty = smarty();
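Review bot: In the second hunk, `$topicid = $info->topic;` is still evaluated before the new `if (!$info)` guard, so a missing post reads a property off `false` (a PHP notice) before the NotFoundException is thrown. Since the `goto` below now uses `$info->topic` directly, either drop that assignment or move it under the guard: `if (!$info) { throw new NotFoundException("Couldn't find post with id $postid"); } $topicid = $info->topic;` (keep it if `$topicid` is still read elsewhere outside these hunks). The `!$info->parent` check refuses deleting a topic's first post, but the message says "Cannot edit first post" and the TODO still throws NotFoundException; in a delete script the message should say delete, and an access-denied style exception fits better than a not-found one since the post does exist. The enclosing code of both hunks continues outside the visible lines.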
......
......@@ -42,6 +42,10 @@ $forum = get_record_sql(
array($topicid)
);
if (!$forum) {
throw new NotFoundException("Couldn't find topic with id $topicid");
}
$membership = user_can_access_group((int)$forum->group);
$admin = (bool)($membership & GROUP_MEMBERSHIP_OWNER);
......
......@@ -39,12 +39,16 @@ $topicid = 0;
if ($postid==0) {
unset($postid);
$parentid = param_integer('parent');
$topicid = get_record_sql(
$topic = get_record_sql(
'SELECT topic
FROM {interaction_forum_post}
WHERE id = ?',
array($parentid)
);
if (!$topic) {
throw new NotFoundException("Couldn't find topic with id $parentid");
}
$topicid = $topic->id;
}
if (isset($postid)) {
......@@ -58,6 +62,11 @@ if (isset($postid)) {
WHERE p.id = ?',
array($postid)
);
if (!$post) {
throw new NotFoundException("Couldn't find post with id $postid");
}
$topicid = $post->topic;
$membership = user_can_access_group((int)$post->group);
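Review bot: In the first hunk, `$topicid = $topic->id;` reads a column the query never selects: the statement is `SELECT topic FROM {interaction_forum_post}`, so `$topic->id` is undefined and `$topicid` ends up null for every reply. Either alias the column as the deletepost_submit hunk in this commit does, `'SELECT topic as id`, or read `$topicid = $topic->topic;`. The new message `Couldn't find topic with id $parentid` also names the wrong entity, since `$parentid` is a post id; `Couldn't find parent post with id $parentid` is clearer. The surrounding block continues past the hunk.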
......
......@@ -43,6 +43,10 @@ if ($topicid==0) {
WHERE id = ?',
array($forumid)
);
if (!$group) {
throw new NotFoundException("Couldn't find forum with id $forumid");
}
$membership = user_can_access_group((int)$group->id);
......@@ -65,6 +69,11 @@ if (isset($topicid)) {
AND topic = ?',
array($topicid)
);
if (!$topicinfo) {
throw new NotFoundException("Couldn't find topic with id $topicid");
}
$info = get_record_sql(
'SELECT f.group, t.forum
FROM {interaction_forum_topic} t
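Review bot: In the first hunk the new guard throws `NotFoundException("Couldn't find forum with id $forumid")`, while the last file section of this commit throws `InteractionInstanceNotFoundException` with the identical message for the same missing-forum case; the two should use one exception type so error handling treats a missing forum consistently. Matching that section here would be `throw new InteractionInstanceNotFoundException("Couldn't find forum with id $forumid");`. The `$topicinfo` guard in the second hunk is fine, though the `$info` query that follows it runs past the visible lines.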
......
......@@ -32,6 +32,10 @@ define('TITLE', get_string('nameplural', 'interaction.forum'));
$group = param_integer('group');
if (!record_exists('group', 'id', $group)) {
throw new GroupNotFoundException("Couldn't find group with id $group");
}
$membership = user_can_access_group($group);
if (!$membership) {
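Review bot: The new `record_exists('group', 'id', $group)` check runs before `user_can_access_group($group)`, so a caller without membership receives a GroupNotFoundException for an unknown id and a different response for an existing one, which makes existing group ids distinguishable from non-existing ones. If group ids are not meant to be discoverable by non-members, consider having both cases produce the same denial, or confirm that group ids are already public in this application. The access-denied branch starting at `if (!$membership) {` continues outside the hunk.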
......
......@@ -43,6 +43,11 @@ $info = get_record_sql(
WHERE t.id = ?',
array($topicid)
);
if (!$info) {
throw new NotFoundException("Couldn't find topic with id $topicid");
}
$membership = user_can_access_group((int)$info->group);
if (!$membership) {
......
......@@ -43,6 +43,10 @@ $group = get_record_sql(
array($forumid)
);
if (!$group) {
throw new InteractionInstanceNotFoundException("Couldn't find forum with id $forumid");
}
$membership = user_can_access_group((int)$group->id);
if (!$membership) {
......