Marino2
Newbie
Joined: 23 October 2004
Location: Switzerland
Status: Offline
Points: 6
Topic: Edit -> delete url change BUG Posted: 23 October 2004 at 11:20am |
-boRg- wrote:
If you give a normal user permission to delete posts they can only delete their own posts and only before a reply is made to that post. Once someone has posted a reply the only person who can delete the previous post is the forum admin or a moderator.

Hello,
As you mentioned, I gave the permission to delete posts to members but I noticed that one of them could nevertheless delete his posts AFTER a reply was made! I asked him and he told me that he just changed, in the URL shown, the "edit_post.asp" page to "delete_post.asp", keeping the same parameters.
Example: http://www.events-gallery.ch/forum/edit_post.asp?PID=46803&PN=0&TPN=1
replaced by http://www.events-gallery.ch/forum/delete_post.asp?PID=46803&PN=0&TPN=1
And so he is able to delete all his old posts after a reply is made. I use version 7.7. I've made a search in this forum before asking, but I couldn't find a post with this bug explained. In case a post exists about it, just give me the link. Many thanks
PS: I had a problem with my first subscription to this forum, so you could delete the user "Marino".
WebWiz-Bruce
Admin Group
Web Wiz Developer
Joined: 03 September 2001
Location: Bournemouth
Status: Offline
Points: 9844
Posted: 23 October 2004 at 2:10pm |
I shall look into the problem.
Marino2
Newbie
Joined: 23 October 2004
Location: Switzerland
Status: Offline
Points: 6
Posted: 25 October 2004 at 9:46am |
Thank you, because he's now sending PMs with modified links hidden behind pictures or fake links to other members and then they delete their own messages without knowing
WebWiz-Bruce
Admin Group
Web Wiz Developer
Joined: 03 September 2001
Location: Bournemouth
Status: Offline
Points: 9844
Posted: 25 October 2004 at 11:01am |
Then maybe it's time to suspend this person's account to prevent him from doing such things.
Marino2
Newbie
Joined: 23 October 2004
Location: Switzerland
Status: Offline
Points: 6
Posted: 25 October 2004 at 6:25pm |
But one or more others could do the same in the future, the problem will exist until it is solved...
Well, for the moment I've forbidden the deletion of posts, except for mods and admins and the trick could not be used anymore. Hope someone will do a patch for that, thanks in advance.
Cheers
WebWiz-Bruce
Admin Group
Web Wiz Developer
Joined: 03 September 2001
Location: Bournemouth
Status: Offline
Points: 9844
Posted: 26 October 2004 at 5:27am |
I am working on it, but as it will mean a lot of work and changing of code there will not be a quick fix, so it will not be available for the present version.
MadDog
Mod Builder Group
Joined: 01 January 2002
Status: Offline
Points: 3008
Posted: 26 October 2004 at 2:04pm |
For a temp fix you could set edit and delete permissions to admin only.
That would make it so admins could be the only one allowed to edit or
delete posts.
ljamal
Mod Builder Group
Joined: 16 April 2003
Status: Offline
Points: 888
Posted: 26 October 2004 at 3:20pm |
Try this right after line 147 in delete_post.asp
It should work, but I haven't tested it. Basically it checks to see if the thread has any posts after the user's post. If there are posts then only an admin or mod can delete the post.
Let me know if it works and I'll release it as a MOD or maybe borg will add it to correct the current release.

' LJAMAL MOD 26 OCT 2004
' CORRECTS THE ABILITY FOR USERS TO DELETE POST BY CHANGING URL
' Only applies when the logged-in user is the author of the post being deleted
If lngDelMsgAuthorID = lngLoggedInUserID Then
    Dim RSCheck
    Set RSCheck = Server.CreateObject("ADODB.Recordset")

    ' Select any post in the same topic with a later date than the post being deleted
    strSQL = "select " & strDbTable & "Thread.Thread_ID From " & strDbTable & "Thread WHERE " & _
        strDbTable & "Thread.Topic_ID in (select " & strDbTable & "Thread.Topic_ID from " & strDbTable & "Thread where " & _
        strDbTable & "Thread.Thread_ID =" & lngMessageID & ") and " & _
        strDbTable & "Thread.Message_date > (select " & strDbTable & "Thread.Message_date from " & strDbTable & "Thread where " & _
        strDbTable & "Thread.Thread_ID =" & lngMessageID & ");"
    RSCheck.Open strSQL, adoCon

    ' A later post exists, so the author may no longer delete this one
    If Not RSCheck.EOF Then
        blnDelete = False
    End If

    RSCheck.Close
    Set RSCheck = Nothing
End If
' END MOD

This has been updated to correct the flawed code. The code above has been tested and corrects the flaw.
Edited by ljamal
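
Added example, not part of the thread and not Web Wiz Forums code: the "own post, no reply yet" rule enforced inside the delete handler, plus a POST-and-token requirement so that a link or image URL of the kind described in the 25 October post cannot trigger a delete. It is written in Python with sqlite3 so it runs on its own. Thread_ID, Topic_ID and Message_date come from the query above; Author_ID, the function names and the token handling are assumptions.

```python
import hmac
import secrets
import sqlite3

def make_db():
    """Constructed sample data: topic 1 holds post 10 (user 5) and a later reply 11;
    topic 2 holds post 12 (user 5) with no reply."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Thread (Thread_ID INTEGER PRIMARY KEY, Topic_ID INTEGER,"
               " Author_ID INTEGER, Message_date INTEGER)")
    db.executemany("INSERT INTO Thread VALUES (?, ?, ?, ?)",
                   [(10, 1, 5, 100), (11, 1, 6, 200), (12, 2, 5, 300)])
    return db

def new_csrf_token():
    """Random per-session token, embedded in the delete form and kept in the session."""
    return secrets.token_urlsafe(32)

def has_later_reply(db, post_id):
    """True if the same topic contains a post dated after post_id (values are bound)."""
    row = db.execute(
        "SELECT 1 FROM Thread p JOIN Thread t ON t.Topic_ID = p.Topic_ID"
        " WHERE p.Thread_ID = ? AND t.Message_date > p.Message_date LIMIT 1",
        (post_id,)).fetchone()
    return row is not None

def may_delete(db, post_id, user_id, is_staff, method, session_token, form_token):
    """Decide inside the delete handler itself; hiding the link is not a control."""
    # A delete changes state: refuse GET so a bare link or image URL cannot trigger it.
    if method != "POST":
        return False
    # The request must carry the token issued to this session.
    if not (session_token and form_token
            and hmac.compare_digest(session_token, form_token)):
        return False
    row = db.execute("SELECT Author_ID FROM Thread WHERE Thread_ID = ?",
                     (post_id,)).fetchone()
    if row is None:
        return False              # unknown post
    if is_staff:
        return True               # admins and moderators may always delete
    # Members: own post only, and only while no reply has followed it.
    return row[0] == user_id and not has_later_reply(db, post_id)
```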