authorGábor Hojtsy2011-11-23 09:45:13 (GMT)
committer Gábor Hojtsy2011-11-23 09:45:13 (GMT)
commit170419fe73d0e9dbb06db6edaea6655276810a0a (patch)
treeae90bf6a9f17cd0205d013033e877b42e83d10a3
parentcdc5cc1396552e2b6315aee04aca86703441ed1a (diff)
Issue #1283442 by Ben Coleman, twistor, ggevalt: aggregator_block()'s permission check on the list, configure and save operations could result in loss of aggregator blocks when block rehashing is invoked with a user who has no access to feeds; permissions should only be checked on the view op
-rw-r--r--modules/aggregator/aggregator.module64
1 files changed, 32 insertions, 32 deletions
diff --git a/modules/aggregator/aggregator.module b/modules/aggregator/aggregator.module
index e87b579..59a4fdb 100644
--- a/modules/aggregator/aggregator.module
+++ b/modules/aggregator/aggregator.module
@@ -298,38 +298,38 @@ function aggregator_cron() {
* Generates blocks for the latest news items in each category and feed.
*/
function aggregator_block($op = 'list', $delta = 0, $edit = array()) {
- if (user_access('access news feeds')) {
- if ($op == 'list') {
- $result = db_query('SELECT cid, title FROM {aggregator_category} ORDER BY title');
- while ($category = db_fetch_object($result)) {
- $block['category-'. $category->cid]['info'] = t('!title category latest items', array('!title' => $category->title));
- }
- $result = db_query('SELECT fid, title FROM {aggregator_feed} ORDER BY fid');
- while ($feed = db_fetch_object($result)) {
- $block['feed-'. $feed->fid]['info'] = t('!title feed latest items', array('!title' => $feed->title));
- }
+ if ($op == 'list') {
+ $result = db_query('SELECT cid, title FROM {aggregator_category} ORDER BY title');
+ while ($category = db_fetch_object($result)) {
+ $block['category-'. $category->cid]['info'] = t('!title category latest items', array('!title' => $category->title));
}
- else if ($op == 'configure') {
- list($type, $id) = explode('-', $delta);
- if ($type == 'category') {
- $value = db_result(db_query('SELECT block FROM {aggregator_category} WHERE cid = %d', $id));
- }
- else {
- $value = db_result(db_query('SELECT block FROM {aggregator_feed} WHERE fid = %d', $id));
- }
- $form['block'] = array('#type' => 'select', '#title' => t('Number of news items in block'), '#default_value' => $value, '#options' => drupal_map_assoc(array(2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)));
- return $form;
+ $result = db_query('SELECT fid, title FROM {aggregator_feed} ORDER BY fid');
+ while ($feed = db_fetch_object($result)) {
+ $block['feed-'. $feed->fid]['info'] = t('!title feed latest items', array('!title' => $feed->title));
}
- else if ($op == 'save') {
- list($type, $id) = explode('-', $delta);
- if ($type == 'category') {
- $value = db_query('UPDATE {aggregator_category} SET block = %d WHERE cid = %d', $edit['block'], $id);
- }
- else {
- $value = db_query('UPDATE {aggregator_feed} SET block = %d WHERE fid = %d', $edit['block'], $id);
- }
+ }
+ else if ($op == 'configure') {
+ list($type, $id) = explode('-', $delta);
+ if ($type == 'category') {
+ $value = db_result(db_query('SELECT block FROM {aggregator_category} WHERE cid = %d', $id));
}
- else if ($op == 'view') {
+ else {
+ $value = db_result(db_query('SELECT block FROM {aggregator_feed} WHERE fid = %d', $id));
+ }
+ $form['block'] = array('#type' => 'select', '#title' => t('Number of news items in block'), '#default_value' => $value, '#options' => drupal_map_assoc(array(2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)));
+ return $form;
+ }
+ else if ($op == 'save') {
+ list($type, $id) = explode('-', $delta);
+ if ($type == 'category') {
+ $value = db_query('UPDATE {aggregator_category} SET block = %d WHERE cid = %d', $edit['block'], $id);
+ }
+ else {
+ $value = db_query('UPDATE {aggregator_feed} SET block = %d WHERE fid = %d', $edit['block'], $id);
+ }
+ }
+ else if ($op == 'view') {
+ if (user_access('access news feeds')) {
list($type, $id) = explode('-', $delta);
switch ($type) {
case 'feed':
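Review bot: With the outer `user_access('access news feeds')` guard removed, the `configure` and `save` branches now read and update `{aggregator_category}` / `{aggregator_feed}` without any permission check of their own, so access control for those operations rests entirely on the code that invokes the hook; presumably that is the block administration form with its own permission, but that caller is not visible in this hunk. A comment above `if ($op == 'list')` would record that this is deliberate, for example `// Only 'view' checks 'access news feeds'; list/configure/save must run for any user so a block rehash cannot drop aggregator blocks.` Separately, both branches treat every `$type` other than `'category'` as a feed, so a malformed `$delta` falls through to the feed table; `else if ($type == 'feed')` would make the accepted values explicit. The function body continues past the end of this hunk.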
@@ -358,9 +358,9 @@ function aggregator_block($op = 'list', $delta = 0, $edit = array()) {
$block['content'] = theme('item_list', $items) . $read_more;
}
}
- if (isset($block)) {
- return $block;
- }
+ }
+ if (isset($block)) {
+ return $block;
}
}