Do not permit unauthorised users to delete private messages from folder listing. #54355

git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@10322 89ea8834-ac86-4346-8a33-228a782c2dd0

phpBB/docs/CHANGELOG.html

@@ -112,6 +112,7 @@
 		<li>[Fix] Do not deliver topics from unreadable or passworded forums in the news feed. (Bug #54345)</li>
 		<li>[Fix] Restore user language choice to compiled stylesheets. (Bug #54035)</li>
 		<li>[Fix] Add missing language entries. (Bug #55095)</li>
+		<li>[Fix] Do not permit unauthorised users to delete private messages from folder listing. (Bug #54355)</li>
 		<li>[Change] Log activation through inactive users ACP. (Bug #30145)</li>
 		<li>[Change] Send time of last item instead of current time in ATOM Feeds. (Bug #53305)</li>
 		<li>[Change] Use em dash instead of hyphen/minus as separator in ATOM Feeds item statistics. (Bug #53565)</li>

phpBB/includes/functions_privmsgs.php

@@ -894,6 +894,13 @@ function handle_mark_actions($user_id, $mark_action)
 
 		case 'delete_marked':
 
+			global $auth;
+
+			if (!$auth->acl_get('u_pm_delete'))
+			{
+				trigger_error('NO_AUTH_DELETE_MESSAGE');
+			}
+
 			if (confirm_box(true))
 			{
 				delete_pm($user_id, $msg_ids, $cur_folder_id);

phpBB/includes/ucp/ucp_pm_viewfolder.php

@@ -65,6 +65,12 @@ function view_folder($id, $mode, $folder_id, $folder)
 
 		$mark_options = array('mark_important', 'delete_marked');
 
+		// Minimise edits
+		if (!$auth->acl_get('u_pm_delete') && $key = array_search('delete_marked', $mark_options))
+		{
+			unset($mark_options[$key]);
+		}
+
 		$s_mark_options = '';
 		foreach ($mark_options as $mark_option)
 		{