TimG,
First of all, sorry for my English. I was hurt when our class was learning it.
This mod uses the same authorisation solution as phpBB. Autologin "true" is the default setting, and it uses the standard phpBB session procedures when the "login" or "uid" key is not set.
The permission checks are as follows:
Code:
if($userdata['user_level']<>ADMIN)
{
    // Read permissions of the current user for every forum
    $is_auth = array();
    $is_auth = auth(AUTH_READ, AUTH_LIST_ALL, $userdata);
    if($forum_id=='') {
        // No forum requested: exclude every forum the user may not read
        foreach ( $is_auth as $forumId => $auth_mode )
        {
            if ( !$auth_mode['auth_read'] )
            {
                $unauthed .= ',' . $forumId;
            }
        }
        $sql_forum_where="AND f.forum_id NOT IN (" . $unauthed . ")";
    }
    else
    {
        // strpos() returns 0 for a match at the start of the string, so compare with false explicitly
        if((!$is_auth[$forum_id]['auth_read']) || (strpos(",$unauthed," , ",$forum_id,") !== false))
        {
            if($needlogin) ExitWithHeader("404 Not Found","This forum does not exists");
            else
            {
                // Redirect to the same feed URL with the login key added
                header('Location: ' .$index_url."rss.".$phpEx."?".$HTTP_SERVER_VARS['QUERY_STRING'].'&login');
                ExitWithHeader("301 Moved Permanently");
            }
        }
        else $sql_forum_where = 'AND f.forum_id = ' . $forum_id;
    }
    unset($is_auth);
}
elseif($forum_id!='')
{
    $sql_forum_where = 'AND f.forum_id = ' . $forum_id;
}
Also, I'm not 100% sure about the $unauthed list: I'm guessing that this is the list of forums I want to explicitly exclude from the feed, is that correct?
As you can see, ADMIN can see ALL forums, and $unauthed too, but other users cannot see $unauthed forums at all.
NB! It checks the READ permission, not VIEW. You must set the correct VIEW permission on your forum.
In addition, I can say that it's a standard solution, not mine.
To stop ADMIN from seeing $unauthed forums too, change the code like this:
Code:
elseif($forum_id!='')
{
    $sql_forum_where = 'AND f.forum_id = ' . $forum_id;
}
to
Code:
elseif($forum_id!='')
{
    // strpos() returns 0 for a match at the start of the string, so compare with false explicitly
    if(strpos(",$unauthed," , ",$forum_id,") !== false) ExitWithHeader("404 Not Found","This forum does not exists");
    $sql_forum_where = 'AND f.forum_id = ' . $forum_id;
}
if(empty($sql_forum_where)) $sql_forum_where="AND f.forum_id NOT IN (" . $unauthed . ")";
Is it absolutely certain that no hidden or private forums will be included in the feed if the user is not a member of the group that gives permissions to use these forums normally?
I believe that it is true. But as you see, phpBB had 3 security fixes not so long ago, therefore nobody can guarantee absolute security.
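
An added example, not part of the original post or the mod's own code: one way to build the same forum filter with the requested id validated as digits, list membership tested with in_array() rather than strpos() on a comma string, and an allow-list (IN) swapped in for the post's NOT IN list so that an empty list cannot yield invalid SQL. The function name, its parameters and the sample data are assumptions made for illustration.

```php
<?php
// Added example. build_forum_where() and its parameters are hypothetical names,
// not functions of phpBB or of the RSS mod.
//
// $is_auth   forum_id => array('auth_read' => bool), shaped like the result of
//            auth(AUTH_READ, AUTH_LIST_ALL, $userdata) in the post
// $excluded  forum ids that must never appear in the feed (the role of $unauthed)
// $forum_id  requested forum as received from the query string, '' for all forums
// $is_admin  true when the user is ADMIN (assumed to read every non-excluded forum)
//
// Returns a SQL fragment, or false when the request must be refused (404 or login).
function build_forum_where(array $is_auth, array $excluded, $forum_id, $is_admin)
{
    $excluded = array_map('intval', $excluded);

    // Forums this user may see in the feed; the exclusion list applies to admins too.
    $allowed = array();
    foreach ($is_auth as $id => $mode) {
        $id = (int) $id;
        if (in_array($id, $excluded, true)) {
            continue;
        }
        if ($is_admin || !empty($mode['auth_read'])) {
            $allowed[] = $id;
        }
    }

    if ($forum_id !== '' && $forum_id !== null) {
        // Only plain digits may reach the SQL string.
        if (!ctype_digit((string) $forum_id)) {
            return false;
        }
        $forum_id = (int) $forum_id;
        return in_array($forum_id, $allowed, true)
            ? 'AND f.forum_id = ' . $forum_id
            : false;
    }

    // Nothing readable: match no rows instead of emitting "IN ()".
    return $allowed ? 'AND f.forum_id IN (' . implode(',', $allowed) . ')' : 'AND 1 = 0';
}

// Constructed sample data: forum 2 is unreadable, forum 3 is explicitly excluded.
$is_auth = array(1 => array('auth_read' => true),
                 2 => array('auth_read' => false),
                 3 => array('auth_read' => true));
var_dump(build_forum_where($is_auth, array(3), '', false));         // all-forums feed
var_dump(build_forum_where($is_auth, array(3), '3', true));         // admin asks for an excluded forum
var_dump(build_forum_where($is_auth, array(3), '1 OR 1=1', false)); // non-numeric forum id
```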