[2.0.21] prevent reply notifications to unauthorized users


On February 1, 2009 this forum will be set to read only as part of retiring of phpBB2.

Rating:

Excellent!: 13 votes (93%)
Very Good: 0 votes
Good: 0 votes
Fair: 0 votes
Poor: 1 vote (7%)

Total votes: 14

Extensions Robot
Posts: 29232
Joined: Sat Aug 16, 2003 7:36 am

Post by Extensions Robot »

MOD Name: prevent reply notifications to unauthorized users
Author: asinshesq
MOD Description: PHPBB does not check the current authorization of a user when it sends reply notification emails to all users listed in the topic watch table. This means for example that if a user is moved to a new group that does not have access to a given forum (or gets deactivated), the user will continue to receive email notifications of replies to topics he posted in that appear in that forum. Then, when he follows the link in the email, he is told no such topic or post exists (since he is no longer authorized to be in that forum). This mod fixes that behavior by ensuring that only users who are authorized to read a given forum receive email notifications of replies in that forum.


MOD Version: 1.0.5a (Updated 06/11/06)

Download File: prevent_reply_notifications_to_unauthorized_users_1-0-5a.zip
mods overview page: View
File Size: 5229 Bytes

Support for this MOD needs to be asked within this topic. The phpBB Teams are not responsible or required to give anyone support for this MOD. By installing this MOD, the phpBB Support Team or phpBB MODifications Team may not be able to provide support.

This MOD has only been tested by the phpBB MOD Team with the phpBB version in the topic title. It may not work in any other versions of phpBB.
Last edited by Extensions Robot on Mon Apr 30, 2007 12:28 am, edited 1 time in total.
(this is a non-active account manager for the phpBB Extension Customisations Team)
ycl6
Registered User
Posts: 5696
Joined: Sat Feb 15, 2003 10:35 am
Location: Taiwan

Post by ycl6 »

MOD Validated/Released

Notes:
This MOD makes sure emails are sent to the appropriate user based on the current status on the forum.
asinshesq
Registered User
Posts: 6266
Joined: Sun Feb 22, 2004 9:34 pm
Location: NYC
Name: Alan

Post by asinshesq »

My first validated mod (I have 5 others in the queue and it looks like those will be out soon too). Thanks for getting this through so quickly, Mac (ycl6)!

By the way, is it cheating for me to vote in the poll :roll:

One more thing: if you have one of the forum notification hacks installed, you should add similar code in includes/functions_post.php where that hack figures out who to send the forum notification emails to.
Last edited by asinshesq on Tue Sep 07, 2004 12:41 am, edited 1 time in total.
markus_petrux
Former Team Member
Posts: 1887
Joined: Wed Apr 23, 2003 7:11 am
Location: Girona, Catalunya (Spain)

Post by markus_petrux »

Little big MOD. Good catch, btw. ;)


.
asinshesq
Registered User
Posts: 6266
Joined: Sun Feb 22, 2004 9:34 pm
Location: NYC
Name: Alan

Post by asinshesq »

markus_petrux wrote: Good catch, btw. ;)


.


Thanks, but this was not an insightful catch on my part...I had multiple users who had been moved from permission in one forum to permission in another complaining that they were receiving email notifications and when they clicked the link in the notification there were 'no such posts'...didn't take a rocket scientist to realize what had gone wrong.
omega13a
Registered User
Posts: 88
Joined: Wed Feb 20, 2002 11:53 pm
Location: SF Bay Area

Post by omega13a »

I just got done adapting this mod for the Forum Notification mod by David Herrmann.

In functions_post.php find:

Code:

			$sql = "SELECT u.user_id, u.user_email, u.user_lang, u.username, f.forum_name 
				FROM " . TOPICS_WATCH_TABLE . " tw, " . USERS_TABLE . " u, " . FORUMS_TABLE . " f 
				WHERE tw.topic_id = $topic_id 
					AND tw.user_id NOT IN (" . $userdata['user_id'] . ", " . ANONYMOUS . $user_id_sql . ") 
					AND tw.notify_status = " . TOPIC_WATCH_UN_NOTIFIED . " 
					AND f.forum_id = $forum_id 
					AND u.user_id = tw.user_id";

Replace that with:

Code:

// start mod prevent_reply_notification_emails_from_being_emailed_to_unauthorized_users...replaced the original
// $sql definition with the one that appears below
			$sql = "SELECT DISTINCT u.user_id, u.user_email, u.user_lang, u.username, f.forum_name 
				FROM " . TOPICS_WATCH_TABLE . " tw, " . USERS_TABLE . " u, " . AUTH_ACCESS_TABLE . " aa, " . USER_GROUP_TABLE . " ug, " . FORUMS_TABLE . " f
				WHERE tw.topic_id = $topic_id 
					AND tw.user_id NOT IN (" . $userdata['user_id'] . ", " . ANONYMOUS . $user_id_sql . ") 
					AND tw.notify_status = " . TOPIC_WATCH_UN_NOTIFIED . " 
					AND u.user_id = tw.user_id
					AND f.forum_id = $forum_id
					AND u.user_active = 1
					AND
					(
						(
						ug.user_id = tw.user_id
						AND aa.group_id = ug.group_id
						AND aa.forum_id = f.forum_id
						AND aa.auth_read = 1
						)
						OR f.auth_read <= " . AUTH_REG . " 
						OR (u.user_level = " . MOD . " AND f.auth_read = " . AUTH_MOD . ")
						OR (u.user_level = " . ADMIN . " AND f.auth_read = " . AUTH_ADMIN . ")
					)";
// end mod prevent_reply_notification_emails_from_being_emailed_to_unauthorized_users

Then find:

Code:

$sql = "SELECT u.user_id, u.user_email, u.user_lang, f.forum_name
				FROM " . USERS_TABLE . " u, " . FORUMS_WATCH_TABLE . " fw, " . FORUMS_TABLE . " f 
				WHERE fw.forum_id = $forum_id 
					AND fw.user_id NOT IN (" . $already_mailed . $userdata['user_id'] . ", " . ANONYMOUS . $user_id_sql . " ) 
					AND f.forum_id = $forum_id
					AND f.forum_notify = '1' 
					AND u.user_id = fw.user_id";

Replace that with:

Code:

// start mod prevent_reply_notification_emails_from_being_emailed_to_unauthorized_users...replaced the original
// $sql definition with the one that appears below
			$sql = "SELECT DISTINCT u.user_id, u.user_email, u.user_lang, f.forum_name
				FROM " . FORUMS_WATCH_TABLE . " fw, " . USERS_TABLE . " u, " . AUTH_ACCESS_TABLE . " aa, " . USER_GROUP_TABLE . " ug, " . FORUMS_TABLE . " f
				WHERE fw.forum_id = $forum_id 
					AND fw.user_id NOT IN (" . $already_mailed . $userdata['user_id'] . ", " . ANONYMOUS . $user_id_sql . ") 
					AND f.forum_notify = '1' 
					AND u.user_id = fw.user_id
					AND f.forum_id = $forum_id
					AND u.user_active = 1
					AND
					(
						(
						ug.user_id = fw.user_id
						AND aa.group_id = ug.group_id
						AND aa.forum_id = f.forum_id
						AND aa.auth_read = 1
						)
						OR f.auth_read <= " . AUTH_REG . " 
						OR (u.user_level = " . MOD . " AND f.auth_read = " . AUTH_MOD . ")
						OR (u.user_level = " . ADMIN . " AND f.auth_read = " . AUTH_ADMIN . ")
					)";
// end mod prevent_reply_notification_emails_from_being_emailed_to_unauthorized_users
asinshesq
Registered User
Posts: 6266
Joined: Sun Feb 22, 2004 9:34 pm
Location: NYC
Name: Alan

Post by asinshesq »

Thanks, Omega13, but I think you may have missed one, since I think the David Hermann mod has two different notifications - one for new topics in a watched forum and the other for replies in a watched forum where the user hasn't himself posted in that topic.

If I have time over the weekend I'll try to post an integrated mod that shows everything you need to do to make this work with Hermann's forum notification mod.
asinshesq
Registered User
Posts: 6266
Joined: Sun Feb 22, 2004 9:34 pm
Location: NYC
Name: Alan

Post by asinshesq »

OK, here's the full mod if you are already using David Hermann's forum notification mod (which I highly recommend):

[edit: I deleted the mod code here since I now include it in the latest version of the mod that you can download from the first post of this thread]
Last edited by asinshesq on Thu Dec 02, 2004 2:47 pm, edited 2 times in total.
Winky
Registered User
Posts: 39
Joined: Mon Sep 13, 2004 7:16 pm
Location: It

Post by Winky »

Ty Alan for the great modification to the original mod ;)

For my opinion, it confirms u as a Master on "know how" & "support". lol great medals but no cash :\



P.s. E.M. is great once understood ... really ty 4 suggestion


ciao

Take care

Andres
asinshesq
Registered User
Posts: 6266
Joined: Sun Feb 22, 2004 9:34 pm
Location: NYC
Name: Alan

Post by asinshesq »

My friend Andres (a/k/a Winky) pointed out an error in the alternate version of this mod that I posted for people who have David Hermann's forum notification already installed, so I reposted that code earlier in this thread.
asinshesq
Registered User
Posts: 6266
Joined: Sun Feb 22, 2004 9:34 pm
Location: NYC
Name: Alan

Post by asinshesq »

By the way, some people may want to tweak this mod to provide that anyone who is an admin always has a right to get notification from ANY forum even if he is not a member of a group that has access to the forum (since an ADMIN has access to all forums regardless of group membership).

If you want this mod to work that way on your forum, do this:

FIND all lines in the mod that read like this:
OR (u.user_level = " . ADMIN . " AND f.auth_read = " . AUTH_ADMIN . ")

(note that in the normal mod that appears only once but in the version that I posted earlier in this thread for people with David Hermann's forum notification mod installed, the line appears three times)

now, change each that reads like that to instead read like this:
OR (u.user_level = " . ADMIN . ")

Please let me know if you think this is the better way for the mod to work for everyone...if so, I will submit another version for validation that works that way.
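
Added example, not part of the thread or of the MOD itself: the recipient query with and without the authorization check, and with both ADMIN variants discussed above, run against a small constructed data set. Python's sqlite3 is used only as a harness; the table layout is simplified, the users and groups are invented, and the constant values are assumed to match phpBB 2.0.x.

```python
import sqlite3

# Constant values assumed to match phpBB 2.0.x includes/constants.php
AUTH_REG, AUTH_MOD, AUTH_ADMIN = 1, 3, 5
ADMIN, MOD, ANONYMOUS, TOPIC_WATCH_UN_NOTIFIED = 1, 2, -1, 0

# Constructed, simplified tables and rows (not the real phpBB schema)
SCHEMA = """
CREATE TABLE users (user_id INT, username TEXT, user_active INT, user_level INT);
CREATE TABLE forums (forum_id INT, auth_read INT);
CREATE TABLE user_group (group_id INT, user_id INT);
CREATE TABLE auth_access (group_id INT, forum_id INT, auth_read INT);
CREATE TABLE topics_watch (topic_id INT, user_id INT, notify_status INT);
-- forum 1 is private: auth_read = 2 (AUTH_ACL); topic 10 is in forum 1
INSERT INTO forums VALUES (1, 2);
-- alice: still in group 100; bob: moved to group 200; carol: deactivated; dave: admin
INSERT INTO users VALUES (2,'alice',1,0),(3,'bob',1,0),(4,'carol',0,0),(5,'dave',1,1);
INSERT INTO user_group VALUES (100,2),(200,3),(100,4),(300,5);
INSERT INTO auth_access VALUES (100,1,1),(200,1,0);
INSERT INTO topics_watch VALUES (10,2,0),(10,3,0),(10,4,0),(10,5,0);
"""

# Shape of the stock query: everyone watching the topic, no authorization check
UNPATCHED = """SELECT u.username FROM topics_watch tw, users u
  WHERE tw.topic_id = :topic AND tw.user_id NOT IN (:poster, :anon)
    AND tw.notify_status = :unnotified AND u.user_id = tw.user_id"""

# Shape of the MOD's query; {admin_clause} switches between the two ADMIN variants
PATCHED = """SELECT DISTINCT u.username
  FROM topics_watch tw, users u, auth_access aa, user_group ug, forums f
  WHERE tw.topic_id = :topic AND tw.user_id NOT IN (:poster, :anon)
    AND tw.notify_status = :unnotified AND u.user_id = tw.user_id
    AND f.forum_id = :forum AND u.user_active = 1
    AND ((ug.user_id = tw.user_id AND aa.group_id = ug.group_id
          AND aa.forum_id = f.forum_id AND aa.auth_read = 1)
      OR f.auth_read <= :auth_reg
      OR (u.user_level = :mod AND f.auth_read = :auth_mod)
      OR (u.user_level = :admin {admin_clause}))"""

def recipients(query, admin_always=False):
    """Return the usernames that would be e-mailed for a reply in topic 10."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    clause = "" if admin_always else "AND f.auth_read = :auth_admin"
    params = dict(topic=10, forum=1, poster=9, anon=ANONYMOUS,
                  unnotified=TOPIC_WATCH_UN_NOTIFIED, auth_reg=AUTH_REG,
                  mod=MOD, auth_mod=AUTH_MOD, admin=ADMIN, auth_admin=AUTH_ADMIN)
    rows = conn.execute(query.format(admin_clause=clause), params)
    return sorted(name for (name,) in rows)
```

With this data the unchecked query returns all four watchers, the checked query returns only alice, and the ADMIN tweak adds dave. The group branch as posted does not look at the user_pending column of phpBB's user_group table, so check how pending group memberships behave on your board.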
ycl6
Registered User
Posts: 5696
Joined: Sat Feb 15, 2003 10:35 am
Location: Taiwan

Post by ycl6 »

MOD Updated to version 1.0.3
See first post for Download Link
asinshesq
Registered User
Posts: 6266
Joined: Sun Feb 22, 2004 9:34 pm
Location: NYC
Name: Alan

Post by asinshesq »

The new version changes things so that anyone who is an admin always has a right to get notification from ANY forum even if he is not a member of a group that has access to the forum (since an ADMIN has access to all forums regardless of group membership); if you've already made the change described in my last post before this one you are already up to date.

I've also included an alternative mod for people that use David Hermann's forum notification mod.
ymmotrojam
Registered User
Posts: 279
Joined: Thu Oct 07, 2004 10:10 pm

Post by ymmotrojam »

hmm... could this mod possibly be modified to also stop sending replies to a person if they haven't looked at a thread in a certain amount of time?
asinshesq
Registered User
Posts: 6266
Joined: Sun Feb 22, 2004 9:34 pm
Location: NYC
Name: Alan

Post by asinshesq »

ymmotrojam wrote: hmm... could this mod possibly be modified to also stop sending replies to a person if they haven't looked at a thread in a certain amount of time?


Why would you want to do that? Reply notification in phpbb is already set up so that a user only gets an email for a topic once and then subsequent emails are not sent to the user until he has gone and looked at the thread (at which point a subsequent reply would trigger another email and again stop until the user actually goes to view the topic), so there is no risk of a user getting besieged with multiple emails for a topic he never looks at.

As for your question, yes, you could modify this, but that probably involves substantial tinkering similar to that involved in the keep unread mod...not very pretty.