diff --git a/phpBB/includes/acp/acp_modules.php b/phpBB/includes/acp/acp_modules.php
index 1323c7aee4..7fcf1f7a29 100644
--- a/phpBB/includes/acp/acp_modules.php
+++ b/phpBB/includes/acp/acp_modules.php
@@ -580,14 +580,9 @@ class acp_modules
 $right = $row['right_id'];
- /**
- * @todo think about using module class here
- */
 if (!$ignore_acl && $row['module_auth'])
 {
- $is_auth = false;
- eval('$is_auth = (int) (' . preg_replace(array('#acl_([a-z_]+)(,\$id)?#', '#\$id#', '#aclf_([a-z_]+)#', '#cfg_([a-z_]+)#'), array('(int) $auth->acl_get("\\1"\\2)', 'true', '(int) $auth->acl_getf_global("\\1")', '(int) $config["\\1"]'), $row['module_auth']) . ');');
- if (!$is_auth)
+ if (!p_master::module_auth($row['module_auth']))
 {
 continue;
 }
diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php
index 467727a9bc..d350ab3bb3 100644
--- a/phpBB/includes/functions.php
+++ b/phpBB/includes/functions.php
@@ -502,7 +502,7 @@ if (!function_exists('realpath'))
 else if (isset($_SERVER['SCRIPT_FILENAME']) && !empty($_SERVER['SCRIPT_FILENAME']))
 {
 // Warning: If chdir() has been used this will lie!
- // @todo This has some problems sometime (CLI can create them easily)
+ // Warning: This has some problems sometime (CLI can create them easily)
 $path = str_replace(DIRECTORY_SEPARATOR, '/', dirname($_SERVER['SCRIPT_FILENAME'])) . '/' . $path;
 $absolute = true;
 $path_prefix = '';
@@ -2907,9 +2907,6 @@ function msg_handler($errno, $msg_text, $errfile, $errline)
 return;
 }
- /**
- * @todo Think about removing the if-condition within the final product, since we no longer enable DEBUG by default and we will maybe adjust the error reporting level
- */
 if (defined('DEBUG'))
 {
 if (strpos($errfile, 'cache') === false && strpos($errfile, 'template.') === false)
diff --git a/phpBB/includes/functions_admin.php b/phpBB/includes/functions_admin.php
index 1655c56eec..283053ca6d 100644
--- a/phpBB/includes/functions_admin.php
+++ b/phpBB/includes/functions_admin.php
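Review bot: The added line calls `p_master::module_auth()` statically, while the functions_module.php hunk of this same commit shows module_auth() as an instance method whose eval()'d expression maps `$id` to `(int) $this->acl_forum_id`; with no object there is no `$this`, so a module_auth string containing `$id` would fail here, where the removed inline eval() had mapped `$id` to `true`. If ACP module_auth strings never use `$id`, say so above the call, e.g. `// static call: $id has no meaning for ACP modules (module_auth() would dereference $this->acl_forum_id)`; otherwise invoke it on a p_master instance. The loop this hunk sits in continues outside the hunk.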
@@ -1946,8 +1946,6 @@ function split_sql_file($sql, $delimiter)
 /**
 * Cache moderators, called whenever permissions are changed via admin_permissions. Changes of username
 * and group names must be carried through for the moderators table
-*
-* @todo let the admin define if he wants to display moderators (forum-based) - display_on_index already present and checked for...
 */
 function cache_moderators()
 {
diff --git a/phpBB/includes/functions_display.php b/phpBB/includes/functions_display.php
index 056af5c84a..b309f4b6c2 100644
--- a/phpBB/includes/functions_display.php
+++ b/phpBB/includes/functions_display.php
@@ -583,6 +583,10 @@ function get_moderators(&$forum_moderators, $forum_id = false)
 /**
 * User authorisation levels output
+*
+* @param string $mode Can be forum or topic. Not in use at the moment.
+* @param int $forum_id The current forum the user is in.
+* @param int $forum_status The forums status bit.
 */
 function gen_forum_auth_level($mode, $forum_id, $forum_status)
 {
@@ -955,12 +959,10 @@ function display_custom_bbcodes()
 // Start counting from 22 for the bbcode ids (every bbcode takes two ids - opening/closing)
 $num_predefined_bbcodes = 22;
- /*
- * @todo while adjusting custom bbcodes, think about caching this query as well as correct ordering
- */
 $sql = 'SELECT bbcode_id, bbcode_tag, bbcode_helpline
 FROM ' . BBCODES_TABLE . '
- WHERE display_on_posting = 1';
+ WHERE display_on_posting = 1
+ ORDER BY bbcode_tag';
 $result = $db->sql_query($sql);
 $i = 0;
diff --git a/phpBB/includes/functions_module.php b/phpBB/includes/functions_module.php
index 89dda74700..556a4adaba 100644
--- a/phpBB/includes/functions_module.php
+++ b/phpBB/includes/functions_module.php
@@ -213,7 +213,6 @@ class p_master
 /**
 * Check module authorisation
- * @todo Have a look at the eval statement and replace with other code...
 */
 function module_auth($module_auth)
 {
@@ -227,8 +226,38 @@ class p_master
 return true;
 }
+ // With the code below we make sure only those elements get eval'd we really want to be checked
+ preg_match_all('/(?:
+ "[^"\\\\]*(?:\\\\.[^"\\\\]*)*" |
+ \'[^\'\\\\]*(?:\\\\.[^\'\\\\]*)*\' |
+ [(),] |
+ [^\s(),]+)/x', $module_auth, $match);
+
+ $tokens = $match[0];
+ for ($i = 0, $size = sizeof($tokens); $i < $size; $i++)
+ {
+ $token = &$tokens[$i];
+
+ switch ($token)
+ {
+ case ')':
+ case '(':
+ case '&&':
+ case '||':
+ break;
+
+ default:
+ if (!preg_match('#(?:acl_([a-z_]+)(,\$id)?)|(?:\$id)|(?:aclf_([a-z_]+))|(?:cfg_([a-z_]+))#', $token))
+ {
+ $token = '';
+ }
+ break;
+ }
+ }
+ $module_auth = implode(' ', $tokens);
+
 $is_auth = false;
- eval('$is_auth = (int) (' . preg_replace(array('#acl_([a-z_]+)(,\$id)?#', '#\$id#', '#aclf_([a-z_]+)#', '#cfg_([a-z_]+)#'), array('(int) $auth->acl_get("\\1"\\2)', '(int) $this->acl_forum_id', '(int) $auth->acl_getf_global("\\1")', '(int) $config["\\1"]'), $module_auth) . ');');
+ eval('$is_auth = (int) (' . preg_replace(array('#acl_([a-z_]+)(,\$id)?#', '#\$id#', '#aclf_([a-z_]+)#', '#cfg_([a-z_]+)#'), array('(int) $auth->acl_get(\'\\1\'\\2)', '(int) $this->acl_forum_id', '(int) $auth->acl_getf_global(\'\\1\')', '(int) $config[\'\\1\']'), $module_auth) . ');');
 return $is_auth;
 }
diff --git a/phpBB/includes/functions_posting.php b/phpBB/includes/functions_posting.php
index 6d3fcd47dd..aec4a3417f 100644
--- a/phpBB/includes/functions_posting.php
+++ b/phpBB/includes/functions_posting.php
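Review bot: The switch that keeps structural tokens has no `case ',':`, yet the tokenizer's `[(),]` alternative makes `,` a token of its own, so an expression of the form `acl_x,$id`, the very shape the `(,\$id)?` group in both regexes exists to accept, leaves the loop as `acl_x  $id` and the eval() ends in a parse error; add `case ',':` beside `case '(':`. The whitelist test in the `default:` branch is also unanchored, so a token is kept whole whenever it merely contains `acl_`, `$id`, `aclf_` or `cfg_` and the remainder of that token still reaches eval(); anchoring it, `if (!preg_match('#^(?:acl_([a-z_]+)(,\$id)?|\$id|aclf_([a-z_]+)|cfg_([a-z_]+))$#', $token))`, lets only exact operands survive. When every token has been blanked the eval()'d text is `(int) ( )`, again a parse error, where a `return false;` after the implode would deny cleanly. module_auth()'s signature and its early `return true` lie above this hunk.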
@@ -1242,7 +1242,7 @@ function delete_post($forum_id, $topic_id, $post_id, &$data)
 $sql_data[FORUMS_TABLE] = 'forum_posts = forum_posts - 1';
 }
- $sql_data[TOPICS_TABLE] = 'topic_first_post_id = ' . intval($row['post_id']) . ", topic_first_poster_colour = '" . $db->sql_escape($row['user_colour']) . ", topic_first_poster_name = '" . (($row['poster_id'] == ANONYMOUS) ? $db->sql_escape($row['post_username']) : $db->sql_escape($row['username'])) . "'";
+ $sql_data[TOPICS_TABLE] = 'topic_first_post_id = ' . intval($row['post_id']) . ", topic_first_poster_colour = '" . $db->sql_escape($row['user_colour']) . "', topic_first_poster_name = '" . (($row['poster_id'] == ANONYMOUS) ? $db->sql_escape($row['post_username']) : $db->sql_escape($row['username'])) . "'";
 $sql_data[TOPICS_TABLE] .= ', topic_replies_real = topic_replies_real - 1' . (($data['post_approved']) ? ', topic_replies = topic_replies - 1' : '');
 $next_post_id = (int) $row['post_id'];
diff --git a/phpBB/includes/functions_user.php b/phpBB/includes/functions_user.php
index c30219c118..584c0a9de4 100644
--- a/phpBB/includes/functions_user.php
+++ b/phpBB/includes/functions_user.php
@@ -1115,8 +1115,7 @@ function validate_match($string, $optional = false, $match)
 * Also checks if it includes the " character, which we don't allow in usernames.
 * Used for registering, changing names, and posting anonymously with a username
 *
-* @todo do we really check and disallow the " character in usernames as written above. Has it only be forgotten to include the check?
-* @return boolean|string Either false if validation succeeded or a string which will be used as the error message (with the variable name appended)
+* @return mixed Either false if validation succeeded or a string which will be used as the error message (with the variable name appended)
 */
 function validate_username($username)
 {
diff --git a/phpBB/includes/session.php b/phpBB/includes/session.php
index 21180bd9a5..cc31f8652b 100644
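Review bot: Widening the tag to `@return mixed` in the validate_username() docblock discards information the previous tag carried, while the description right after it still names exactly two outcomes; `* @return bool|string Either false if validation succeeded or a string which will be used as the error message (with the variable name appended)` keeps that contract readable by static analysis. The removed @todo also questioned whether the `"` check promised by `Also checks if it includes the " character` exists in the body; deleting the question leaves that sentence unverified, so either confirm the check in validate_username() or drop the sentence. The function body lies below this hunk.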
--- a/phpBB/includes/session.php
+++ b/phpBB/includes/session.php
@@ -1039,7 +1039,8 @@ class user extends session
 /**
 * If a guest user is surfing, we try to guess his/her language first by obtaining the browser language
- * @todo if re-enabled we need to make sure only those languages installed are checked
+ * If re-enabled we need to make sure only those languages installed are checked
+ * Commented out so we do not loose the code.
 if (isset($_SERVER['HTTP_ACCEPT_LANGUAGE']))
 {
diff --git a/phpBB/includes/ucp/ucp_pm_compose.php b/phpBB/includes/ucp/ucp_pm_compose.php
index 841cfdb886..1c0eb24e87 100644
--- a/phpBB/includes/ucp/ucp_pm_compose.php
+++ b/phpBB/includes/ucp/ucp_pm_compose.php
@@ -302,9 +302,7 @@ function compose_pm($id, $mode, $action)
 {
 delete_pm($user->data['user_id'], $msg_id, $folder_id);
- /**
- * @todo jump to next message in "history"?
- */
+ // jump to next message in "history"? nope, not for the moment. But able to be included later.
 $meta_info = append_sid("{$phpbb_root_path}ucp.$phpEx", "i=pm&folder=$folder_id");
 $message = $user->lang['MESSAGE_DELETED'];