From 4b49019282b33e71dcbfe70e31ff6b1b8d57773f Mon Sep 17 00:00:00 2001
From: Zankaria
Date: Fri, 27 Dec 2024 20:14:47 +0100
Subject: [PATCH] pages.php: QUICKFIX handle unban and notes in mod_user_posts_by_ip to workaround security token issue
---
 inc/mod/pages.php | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
diff --git a/inc/mod/pages.php b/inc/mod/pages.php
index 3e0967f1..56785056 100644
--- a/inc/mod/pages.php
+++ b/inc/mod/pages.php
@@ -928,6 +928,45 @@ function mod_user_posts_by_ip(Context $ctx, string $ip, string $encoded_cursor =
 $config = $ctx->get('config');
+ if (isset($_POST['ban_id'], $_POST['unban'])) {
+ if (!hasPermission($config['mod']['unban']))
+ error($config['error']['noaccess']);
+
+ Bans::delete($_POST['ban_id'], true, $mod['boards']);
+
+ if (empty($encoded_cursor)) {
+ \header("Location: ?/user_posts/ip/$ip#bans", true, $config['redirect_http']);
+ } else {
+ \header("Location: ?/user_posts/ip/$ip/cursor/$encoded_cursor#bans", true, $config['redirect_http']);
+ }
+ return;
+ }
+
+ if (isset($_POST['note'])) {
+ if (!hasPermission($config['mod']['create_notes']))
+ error($config['error']['noaccess']);
+
+ $_POST['note'] = escape_markup_modifiers($_POST['note']);
+ markup($_POST['note']);
+ $query = prepare('INSERT INTO ``ip_notes`` VALUES (NULL, :ip, :mod, :time, :body)');
+ $query->bindValue(':ip', $ip);
+ $query->bindValue(':mod', $mod['id']);
+ $query->bindValue(':time', time());
+ $query->bindValue(':body', $_POST['note']);
+ $query->execute() or error(db_error($query));
+
+ Cache::delete("mod_page_ip_view_notes_$ip");
+
+ modLog("Added a note for {$ip}");
+
+ if (empty($encoded_cursor)) {
+ \header("Location: ?/user_posts/ip/$ip#notes", true, $config['redirect_http']);
+ } else {
+ \header("Location: ?/user_posts/ip/$ip/cursor/$encoded_cursor#notes", true, $config['redirect_http']);
+ }
+ return;
+ }
+
 $args = [
 'ip' => $ip,
 'posts' => []
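Review bot: The two added POST branches in `mod_user_posts_by_ip` change state (`Bans::delete(...)` and the `ip_notes` insert) with only a `hasPermission` check in front of them; no request-token check appears in the hunk, and the commit title suggests it was left out on purpose. Unless the route for this page validates the token before dispatch (the route table is not visible here), these become moderator actions that a cross-site form post can trigger. I would verify a token minted for this page's own URI at the top of both branches, along the lines of `if (!isset($_POST['token']) || !hash_equals(make_secure_link_token("user_posts/ip/$ip"), (string) $_POST['token'])) error($config['error']['csrf']);`, with the form emitting the matching token (the exact URI, including the cursor variant, needs confirming against the template). The function body starts and ends outside the hunk, so the origin of `$mod` and any validation of `$ip` before it is stored and interpolated into the `Location` header cannot be confirmed from here.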