Unify two regexes used in rating searches, intersect with user privs

Fixes issue with unprivileged users being able to circumvent the ratings
they could see, just by searching for it.  Also makes code much much
prettier.
Peter Lejeck 2013-10-06 04:34:26 -07:00
parent dd58c35f8a
commit 0e4717ecae


@ -104,21 +104,12 @@ class Ratings extends Extension {
$set = Ratings::privs_to_sql(Ratings::get_user_privs($user));
$event->add_querylet(new Querylet("rating IN ($set)"));
}
if(preg_match("/^rating=([sqeu]+)$/", $event->term, $matches)) {
$sqes = $matches[1];
$arr = array();
$length = strlen($sqes);
for($i=0; $i<$length; $i++) {
$arr[] = "'" . $sqes[$i] . "'";
}
$set = join(', ', $arr);
if(preg_match("/^rating=(?:([sqeu]+)|(safe|questionable|explicit|unknown))$", strtolower($event->term), $matches)) {
$ratings = $matches[1] ? $matches[1] : array($matches[2][0]);
$ratings = array_intersect($ratings, str_split(Ratings::get_user_privs($user)));
$set = "'" . join("', '", $ratings) . "'";
$event->add_querylet(new Querylet("rating IN ($set)"));
}
if(preg_match("/^rating=(safe|questionable|explicit|unknown)$/", strtolower($event->term), $matches)) {
$text = $matches[1];
$char = $text[0];
$event->add_querylet(new Querylet("rating = :img_rating", array("img_rating"=>$char)));
}
}
public function onPageRequest(PageRequestEvent $event) {
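Review bot: The pattern on the added `preg_match` line has no closing `/` delimiter, so PHP rejects it with a warning and `preg_match` returns false; this branch, and with it the intersection with the user's privileges, then never runs for any `rating=` term. The next added line also passes `$matches[1]` to `array_intersect` as a string where an array is required. Suggested: end the pattern with `(safe|questionable|explicit|unknown))$/"` and use `$ratings = $matches[1] ? str_split($matches[1]) : array($matches[2][0]);`. Whether a search that falls through here is still limited by the default `rating IN ($set)` filter at the top of the hunk depends on a condition in the enclosing handler above the hunk, so a test that an unprivileged user searching `rating=e` gets no explicit results would pin the fix down. The `IN` list is interpolated into the SQL text where the removed word-form branch used a bound `:img_rating` parameter; the values are limited to `s`, `q`, `e`, `u` by the pattern and the intersection, and a one-line comment saying so would help the next reader.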