Merge branch '3.2.x'

* 3.2.x: [ticket/10961] Send HTTP 403 when applicable
2025-06-08 04:18:52 +00:00 · 2016-09-01 14:54:06 +02:00 · 2016-09-01 14:54:06 +02:00 · e6be2e558f
commit e6be2e558f
parent 0c91160856 a3dc829dab
26 changed files with 98 additions and 0 deletions
--- a/phpBB/adm/index.php
+++ b/phpBB/adm/index.php
@ -41,6 +41,7 @@ if (!isset($user->data['session_admin']) || !$user->data['session_admin'])
 // check specific permissions but this is a catchall
 if (!$auth->acl_get('a_'))
 {
 	send_status_line(403, 'Forbidden');
 	trigger_error('NO_ADMIN');
 }
--- a/phpBB/includes/acp/acp_groups.php
+++ b/phpBB/includes/acp/acp_groups.php
@ -223,6 +223,7 @@ class acp_groups
 				}
 				else if ($action === 'delete' && $group_row['group_type'] == GROUP_SPECIAL)
 				{
 					send_status_line(403, 'Forbidden');
 					trigger_error($user->lang['NO_AUTH_OPERATION'] . adm_back_link($this->u_action), E_USER_WARNING);
 				}
@ -235,6 +236,7 @@ class acp_groups
 						case 'delete':
 							if (!$auth->acl_get('a_groupdel'))
 							{
 								send_status_line(403, 'Forbidden');
 								trigger_error($user->lang['NO_AUTH_OPERATION'] . adm_back_link($this->u_action), E_USER_WARNING);
 							}
@ -313,6 +315,7 @@ class acp_groups
 				if ($action == 'add' && !$auth->acl_get('a_groupadd'))
 				{
 					send_status_line(403, 'Forbidden');
 					trigger_error($user->lang['NO_AUTH_OPERATION'] . adm_back_link($this->u_action), E_USER_WARNING);
 				}
--- a/phpBB/includes/acp/acp_inactive.php
+++ b/phpBB/includes/acp/acp_inactive.php
@ -164,6 +164,7 @@ class acp_inactive
 						{
 							if (!$auth->acl_get('a_userdel'))
 							{
 								send_status_line(403, 'Forbidden');
 								trigger_error($user->lang['NO_AUTH_OPERATION'] . adm_back_link($this->u_action), E_USER_WARNING);
 							}
--- a/phpBB/includes/acp/acp_main.php
+++ b/phpBB/includes/acp/acp_main.php
@ -118,6 +118,7 @@ class acp_main
 					case 'online':
 						if (!$auth->acl_get('a_board'))
 						{
 							send_status_line(403, 'Forbidden');
 							trigger_error($user->lang['NO_AUTH_OPERATION'] . adm_back_link($this->u_action), E_USER_WARNING);
 						}
@ -134,6 +135,7 @@ class acp_main
 					case 'stats':
 						if (!$auth->acl_get('a_board'))
 						{
 							send_status_line(403, 'Forbidden');
 							trigger_error($user->lang['NO_AUTH_OPERATION'] . adm_back_link($this->u_action), E_USER_WARNING);
 						}
@ -189,6 +191,7 @@ class acp_main
 					case 'user':
 						if (!$auth->acl_get('a_board'))
 						{
 							send_status_line(403, 'Forbidden');
 							trigger_error($user->lang['NO_AUTH_OPERATION'] . adm_back_link($this->u_action), E_USER_WARNING);
 						}
@ -256,6 +259,7 @@ class acp_main
 					case 'date':
 						if (!$auth->acl_get('a_board'))
 						{
 							send_status_line(403, 'Forbidden');
 							trigger_error($user->lang['NO_AUTH_OPERATION'] . adm_back_link($this->u_action), E_USER_WARNING);
 						}
@ -372,6 +376,7 @@ class acp_main
 					case 'purge_sessions':
 						if ((int) $user->data['user_type'] !== USER_FOUNDER)
 						{
 							send_status_line(403, 'Forbidden');
 							trigger_error($user->lang['NO_AUTH_OPERATION'] . adm_back_link($this->u_action), E_USER_WARNING);
 						}
--- a/phpBB/includes/acp/acp_permissions.php
+++ b/phpBB/includes/acp/acp_permissions.php
@ -315,6 +315,7 @@ class acp_permissions
 				case 'apply_permissions':
 					if (!isset($_POST['setting']))
 					{
 						send_status_line(403, 'Forbidden');
 						trigger_error($user->lang['NO_AUTH_SETTING_FOUND'] . adm_back_link($this->u_action), E_USER_WARNING);
 					}
 					if (!check_form_key($form_name))
@ -328,6 +329,7 @@ class acp_permissions
 				case 'apply_all_permissions':
 					if (!isset($_POST['setting']))
 					{
 						send_status_line(403, 'Forbidden');
 						trigger_error($user->lang['NO_AUTH_SETTING_FOUND'] . adm_back_link($this->u_action), E_USER_WARNING);
 					}
 					if (!check_form_key($form_name))
@ -687,6 +689,7 @@ class acp_permissions
 		// Check the permission setting again
 		if (!$auth->acl_get('a_' . str_replace('_', '', $permission_type) . 'auth') || !$auth->acl_get('a_auth' . $ug_type . 's'))
 		{
 			send_status_line(403, 'Forbidden');
 			trigger_error($user->lang['NO_AUTH_OPERATION'] . adm_back_link($this->u_action), E_USER_WARNING);
 		}
@ -772,6 +775,7 @@ class acp_permissions
 		// Check the permission setting again
 		if (!$auth->acl_get('a_' . str_replace('_', '', $permission_type) . 'auth') || !$auth->acl_get('a_auth' . $ug_type . 's'))
 		{
 			send_status_line(403, 'Forbidden');
 			trigger_error($user->lang['NO_AUTH_OPERATION'] . adm_back_link($this->u_action), E_USER_WARNING);
 		}
@ -884,6 +888,7 @@ class acp_permissions
 		// Check the permission setting again
 		if (!$auth->acl_get('a_' . str_replace('_', '', $permission_type) . 'auth') || !$auth->acl_get('a_auth' . $ug_type . 's'))
 		{
 			send_status_line(403, 'Forbidden');
 			trigger_error($user->lang['NO_AUTH_OPERATION'] . adm_back_link($this->u_action), E_USER_WARNING);
 		}
--- a/phpBB/includes/acp/acp_users.php
+++ b/phpBB/includes/acp/acp_users.php
@ -205,6 +205,7 @@ class acp_users
 					{
 						if (!$auth->acl_get('a_userdel'))
 						{
 							send_status_line(403, 'Forbidden');
 							trigger_error($user->lang['NO_AUTH_OPERATION'] . adm_back_link($this->u_action . '&amp;u=' . $user_id), E_USER_WARNING);
 						}
--- a/phpBB/includes/functions.php
+++ b/phpBB/includes/functions.php
@ -2252,6 +2252,7 @@ function login_box($redirect = '', $l_explain = '', $l_success = '', $admin = fa
 		{
 			$phpbb_log->add('admin', $user->data['user_id'], $user->ip, 'LOG_ADMIN_AUTH_FAIL');
 		}
 		send_status_line(403, 'Forbidden');
 		trigger_error('NO_AUTH_ADMIN');
 	}
@ -2268,6 +2269,7 @@ function login_box($redirect = '', $l_explain = '', $l_success = '', $admin = fa
 				{
 					$phpbb_log->add('admin', $user->data['user_id'], $user->ip, 'LOG_ADMIN_AUTH_FAIL');
 				}
 				send_status_line(403, 'Forbidden');
 				trigger_error('NO_AUTH_ADMIN');
 			}
@ -2289,6 +2291,8 @@ function login_box($redirect = '', $l_explain = '', $l_success = '', $admin = fa
 		{
 			// We log the attempt to use a different username...
 			$phpbb_log->add('admin', $user->data['user_id'], $user->ip, 'LOG_ADMIN_AUTH_FAIL');
 			send_status_line(403, 'Forbidden');
 			trigger_error('NO_AUTH_ADMIN_USER_DIFFER');
 		}
--- a/phpBB/includes/functions_privmsgs.php
+++ b/phpBB/includes/functions_privmsgs.php
@ -801,6 +801,7 @@ function move_pm($user_id, $message_limit, $move_msg_ids, $dest_folder, $cur_fol
 			if (!$row)
 			{
 				send_status_line(403, 'Forbidden');
 				trigger_error('NOT_AUTHORISED');
 			}
@ -965,6 +966,7 @@ function handle_mark_actions($user_id, $mark_action)
 			if (!$auth->acl_get('u_pm_delete'))
 			{
 				send_status_line(403, 'Forbidden');
 				trigger_error('NO_AUTH_DELETE_MESSAGE');
 			}
--- a/phpBB/includes/mcp/mcp_logs.php
+++ b/phpBB/includes/mcp/mcp_logs.php
@ -83,6 +83,7 @@ class mcp_logs
 				if (!in_array($forum_id, $forum_list))
 				{
 					send_status_line(403, 'Forbidden');
 					trigger_error('NOT_AUTHORISED');
 				}
@ -101,6 +102,7 @@ class mcp_logs
 				if (!in_array($forum_id, $forum_list))
 				{
 					send_status_line(403, 'Forbidden');
 					trigger_error('NOT_AUTHORISED');
 				}
--- a/phpBB/includes/mcp/mcp_queue.php
+++ b/phpBB/includes/mcp/mcp_queue.php
@ -622,6 +622,7 @@ class mcp_queue
 		if (!phpbb_check_ids($post_id_list, POSTS_TABLE, 'post_id', array('m_approve')))
 		{
 			send_status_line(403, 'Forbidden');
 			trigger_error('NOT_AUTHORISED');
 		}
@ -877,6 +878,7 @@ class mcp_queue
 		if (!phpbb_check_ids($topic_id_list, TOPICS_TABLE, 'topic_id', array('m_approve')))
 		{
 			send_status_line(403, 'Forbidden');
 			trigger_error('NOT_AUTHORISED');
 		}
@ -1074,6 +1076,7 @@ class mcp_queue
 		if (!phpbb_check_ids($post_id_list, POSTS_TABLE, 'post_id', array('m_approve')))
 		{
 			send_status_line(403, 'Forbidden');
 			trigger_error('NOT_AUTHORISED');
 		}
--- a/phpBB/includes/mcp/mcp_reports.php
+++ b/phpBB/includes/mcp/mcp_reports.php
@ -542,6 +542,7 @@ function close_report($report_id_list, $mode, $action, $pm = false)
 	{
 		if (!$auth->acl_getf_global('m_report'))
 		{
 			send_status_line(403, 'Forbidden');
 			trigger_error('NOT_AUTHORISED');
 		}
 	}
@ -549,6 +550,7 @@ function close_report($report_id_list, $mode, $action, $pm = false)
 	{
 		if (!phpbb_check_ids($post_id_list, POSTS_TABLE, 'post_id', array('m_report')))
 		{
 			send_status_line(403, 'Forbidden');
 			trigger_error('NOT_AUTHORISED');
 		}
 	}
--- a/phpBB/includes/ucp/ucp_activate.php
+++ b/phpBB/includes/ucp/ucp_activate.php
@ -67,6 +67,7 @@ class ucp_activate
 			{
 				login_box('', $user->lang['NO_AUTH_OPERATION']);
 			}
 			send_status_line(403, 'Forbidden');
 			trigger_error('NO_AUTH_OPERATION');
 		}
--- a/phpBB/includes/ucp/ucp_groups.php
+++ b/phpBB/includes/ucp/ucp_groups.php
@ -87,6 +87,7 @@ class ucp_groups
 							if (!$auth->acl_get('u_chggrp'))
 							{
 								send_status_line(403, 'Forbidden');
 								trigger_error($user->lang['NOT_AUTHORISED'] . $return_page);
 							}
--- a/phpBB/includes/ucp/ucp_pm.php
+++ b/phpBB/includes/ucp/ucp_pm.php
@ -166,6 +166,7 @@ class ucp_pm
 				if (!$auth->acl_get('u_readpm'))
 				{
 					send_status_line(403, 'Forbidden');
 					trigger_error('NO_AUTH_READ_MESSAGE');
 				}
--- a/phpBB/includes/ucp/ucp_pm_compose.php
+++ b/phpBB/includes/ucp/ucp_pm_compose.php
@ -171,6 +171,7 @@ function compose_pm($id, $mode, $action, $user_folders = array())
 		case 'post':
 			if (!$auth->acl_get('u_sendpm'))
 			{
 				send_status_line(403, 'Forbidden');
 				trigger_error('NO_AUTH_SEND_MESSAGE');
 			}
 		break;
@ -186,6 +187,7 @@ function compose_pm($id, $mode, $action, $user_folders = array())
 			if (!$auth->acl_get('u_sendpm'))
 			{
 				send_status_line(403, 'Forbidden');
 				trigger_error('NO_AUTH_SEND_MESSAGE');
 			}
@ -226,6 +228,7 @@ function compose_pm($id, $mode, $action, $user_folders = array())
 		case 'delete':
 			if (!$auth->acl_get('u_pm_delete'))
 			{
 				send_status_line(403, 'Forbidden');
 				trigger_error('NO_AUTH_DELETE_MESSAGE');
 			}
@ -251,11 +254,13 @@ function compose_pm($id, $mode, $action, $user_folders = array())
 	if ($action == 'forward' && (!$config['forward_pm'] || !$auth->acl_get('u_pm_forward')))
 	{
 		send_status_line(403, 'Forbidden');
 		trigger_error('NO_AUTH_FORWARD_MESSAGE');
 	}
 	if ($action == 'edit' && !$auth->acl_get('u_pm_edit'))
 	{
 		send_status_line(403, 'Forbidden');
 		trigger_error('NO_AUTH_EDIT_MESSAGE');
 	}
@ -321,6 +326,7 @@ function compose_pm($id, $mode, $action, $user_folders = array())
 		{
 			if (($post['forum_id'] && !$auth->acl_get('f_read', $post['forum_id'])) || (!$post['forum_id'] && !$auth->acl_getf_global('f_read')))
 			{
 				send_status_line(403, 'Forbidden');
 				trigger_error('NOT_AUTHORISED');
 			}
@ -456,6 +462,7 @@ function compose_pm($id, $mode, $action, $user_folders = array())
 	if (($to_group_id || isset($address_list['g'])) && (!$config['allow_mass_pm'] || !$auth->acl_get('u_masspm_group')))
 	{
 		send_status_line(403, 'Forbidden');
 		trigger_error('NO_AUTH_GROUP_MESSAGE');
 	}
--- a/phpBB/includes/ucp/ucp_pm_viewmessage.php
+++ b/phpBB/includes/ucp/ucp_pm_viewmessage.php
@ -41,6 +41,7 @@ function view_message($id, $mode, $folder_id, $msg_id, $folder, $message_row)
 		$message = $user->lang['NO_AUTH_READ_REMOVED_MESSAGE'];
 		$message .= '<br /><br />' . sprintf($user->lang['RETURN_FOLDER'], '<a href="' . $meta_info . '">', '</a>');
 		send_status_line(403, 'Forbidden');
 		trigger_error($message);
 	}
--- a/phpBB/includes/ucp/ucp_profile.php
+++ b/phpBB/includes/ucp/ucp_profile.php
@ -279,6 +279,7 @@ class ucp_profile
 				// Do not display profile information panel if not authed to do so
 				if (!$auth->acl_get('u_chgprofileinfo'))
 				{
 					send_status_line(403, 'Forbidden');
 					trigger_error('NO_AUTH_PROFILEINFO');
 				}
@ -464,6 +465,7 @@ class ucp_profile
 				if (!$auth->acl_get('u_sig'))
 				{
 					send_status_line(403, 'Forbidden');
 					trigger_error('NO_AUTH_SIGNATURE');
 				}
--- a/phpBB/includes/ucp/ucp_remind.php
+++ b/phpBB/includes/ucp/ucp_remind.php
@ -79,6 +79,7 @@ class ucp_remind
 			if (!$auth2->acl_get('u_chgpasswd'))
 			{
 				send_status_line(403, 'Forbidden');
 				trigger_error('NO_AUTH_PASSWORD_REMINDER');
 			}
--- a/phpBB/mcp.php
+++ b/phpBB/mcp.php
@ -127,6 +127,7 @@ if (!$auth->acl_getf_global('m_'))
 	if (!$allow_user)
 	{
 		send_status_line(403, 'Forbidden');
 		trigger_error('NOT_AUTHORISED');
 	}
 }
@ -134,6 +135,7 @@ if (!$auth->acl_getf_global('m_'))
 // if the user cannot read the forum he tries to access then we won't allow mcp access either
 if ($forum_id && !$auth->acl_get('f_read', $forum_id))
 {
 	send_status_line(403, 'Forbidden');
 	trigger_error('NOT_AUTHORISED');
 }
--- a/phpBB/memberlist.php
+++ b/phpBB/memberlist.php
@ -75,6 +75,7 @@ switch ($mode)
 		{
 			if ($user->data['user_id'] != ANONYMOUS)
 			{
 				send_status_line(403, 'Forbidden');
 				trigger_error('NO_VIEW_USERS');
 			}
@ -377,6 +378,7 @@ switch ($mode)
 		if (!$auth->acl_get('u_sendim'))
 		{
 			send_status_line(403, 'Forbidden');
 			trigger_error('NOT_AUTHORISED');
 		}
--- a/phpBB/phpbb/feed/forum.php
+++ b/phpBB/phpbb/feed/forum.php
@ -74,6 +74,14 @@ class forum extends post_base
 		// Make sure we can read this forum
 		if (!$this->auth->acl_get('f_read', $this->forum_id))
 		{
 			if ($this->user->data['user_id'] != ANONYMOUS)
 			{
 				send_status_line(403, 'Forbidden');
 			}
 			else
 			{
 				send_status_line(401, 'Unauthorized');
 			}
 			throw new unauthorized_forum_exception($this->forum_id);
 		}
@ -84,6 +92,14 @@ class forum extends post_base
 			if (isset($forum_ids_passworded[$this->forum_id]))
 			{
 				if ($this->user->data['user_id'] != ANONYMOUS)
 				{
 					send_status_line(403, 'Forbidden');
 				}
 				else
 				{
 					send_status_line(401, 'Unauthorized');
 				}
 				throw new unauthorized_forum_exception($this->forum_id);
 			}
--- a/phpBB/phpbb/feed/topic.php
+++ b/phpBB/phpbb/feed/topic.php
@ -66,6 +66,14 @@ class topic extends post_base
 		// Make sure topic is either approved or user authed
 		if ($this->topic_data['topic_visibility'] != ITEM_APPROVED && !$this->auth->acl_get('m_approve', $this->forum_id))
 		{
 			if ($this->user->data['user_id'] != ANONYMOUS)
 			{
 				send_status_line(403, 'Forbidden');
 			}
 			else
 			{
 				send_status_line(401, 'Unauthorized');
 			}
 			throw new unauthorized_topic_exception($this->topic_id);
 		}
@ -78,6 +86,14 @@ class topic extends post_base
 		// Make sure we can read this forum
 		if (!$this->auth->acl_get('f_read', $this->forum_id))
 		{
 			if ($this->user->data['user_id'] != ANONYMOUS)
 			{
 				send_status_line(403, 'Forbidden');
 			}
 			else
 			{
 				send_status_line(401, 'Unauthorized');
 			}
 			throw new unauthorized_forum_exception($this->forum_id);
 		}
@ -88,6 +104,14 @@ class topic extends post_base
 			if (isset($forum_ids_passworded[$this->forum_id]))
 			{
 				if ($this->user->data['user_id'] != ANONYMOUS)
 				{
 					send_status_line(403, 'Forbidden');
 				}
 				else
 				{
 					send_status_line(401, 'Unauthorized');
 				}
 				throw new unauthorized_forum_exception($this->forum_id);
 			}
--- a/phpBB/phpbb/message/topic_form.php
+++ b/phpBB/phpbb/message/topic_form.php
@ -71,6 +71,14 @@ class topic_form extends form
 		if (!$this->auth->acl_get('f_read', $this->topic_row['forum_id']))
 		{
 			if ($this->user->data['user_id'] != ANONYMOUS)
 			{
 				send_status_line(403, 'Forbidden');
 			}
 			else
 			{
 				send_status_line(401, 'Unauthorized');
 			}
 			return 'SORRY_AUTH_READ';
 		}
--- a/phpBB/viewforum.php
+++ b/phpBB/viewforum.php
@ -91,6 +91,7 @@ if (!$auth->acl_gets('f_list', 'f_read', $forum_id) || ($forum_data['forum_type'
 {
 	if ($user->data['user_id'] != ANONYMOUS)
 	{
 		send_status_line(403, 'Forbidden');
 		trigger_error('SORRY_AUTH_READ');
 	}
--- a/phpBB/viewonline.php
+++ b/phpBB/viewonline.php
@ -37,6 +37,7 @@ if (!$auth->acl_gets('u_viewprofile', 'a_user', 'a_useradd', 'a_userdel'))
 {
 	if ($user->data['user_id'] != ANONYMOUS)
 	{
 		send_status_line(403, 'Forbidden');
 		trigger_error('NO_VIEW_USERS');
 	}
--- a/phpBB/viewtopic.php
+++ b/phpBB/viewtopic.php
@ -376,6 +376,7 @@ if (!$overrides_f_read_check && !$auth->acl_get('f_read', $forum_id))
 {
 	if ($user->data['user_id'] != ANONYMOUS)
 	{
 		send_status_line(403, 'Forbidden');
 		trigger_error('SORRY_AUTH_READ');
 	}