diff -r a78b0798a116 -r 7e6537fd4730 plugins/PrivateMessages.php
--- a/plugins/PrivateMessages.php Tue Nov 16 12:44:22 2010 -0500
+++ b/plugins/PrivateMessages.php Tue Jul 12 22:13:37 2011 -0400
@@ -96,6 +96,7 @@ die_friendly('Message status', '

Your message has been moved to the folder "'.$fname.'".

Return to inbox

'); break; case 'Delete': + csrf_request_confirm(); $id = $argv[1]; if(!preg_match('#^([0-9]+)$#', $id)) die_friendly('Message error', '

Invalid message ID

'); $q = $db->sql_query('SELECT message_to FROM '.table_prefix.'privmsgs WHERE message_id='.$id.''); @@ -111,6 +112,7 @@ if($argv[1]=='Send' && isset($_POST['_send'])) { // Check each POST DATA parameter... + csrf_request_confirm(); if(!isset($_POST['to']) || ( isset($_POST['to']) && $_POST['to'] == '')) die_friendly('Sending of message failed', '
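Review bot: In the Delete branch the ID check `preg_match('#^([0-9]+)$#', $id)` still accepts a value ending in a newline, because `$` matches before a trailing "\n", and `$id` is then concatenated unquoted into the SELECT on this line; anchoring with `\z`, `if(!preg_match('#^[0-9]+\z#', $id))`, or casting first with `$id = (int) $argv[1];` closes that gap. Placing `csrf_request_confirm()` before the ID is read is the right order for the new call. The rest of the Delete branch continues outside the hunk.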

Please enter the username to which you want to send your message.

'); if(!isset($_POST['subject']) || ( isset($_POST['subject']) && $_POST['subject'] == '')) die_friendly('Sending of message failed', '

Please enter a subject for your message.

'); if(!isset($_POST['message']) || ( isset($_POST['message']) && $_POST['message'] == '')) die_friendly('Sending of message failed', '

Please enter a message to send.

'); @@ -133,6 +135,7 @@ return; } elseif($argv[1]=='Send' && isset($_POST['_savedraft'])) { // Check each POST DATA parameter... + csrf_request_confirm(); if(!isset($_POST['to']) || ( isset($_POST['to']) && $_POST['to'] == '')) die_friendly('Sending of message failed', '
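Review bot: The presence checks that follow the new `csrf_request_confirm()` call, such as `!isset($_POST['to']) || ( isset($_POST['to']) && $_POST['to'] == '')`, repeat the `isset` test and accept whitespace-only input, so a recipient or subject consisting of a single space passes validation; if blanks are not meant to be accepted, `!isset($_POST['to']) || trim($_POST['to']) === ''` is the equivalent form that also rejects them. The same pattern appears in the `_savedraft` hunk at -133 and in both hunks at -214 and -231, so one shared check would avoid four copies. The enclosing function begins before the hunk.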

Please enter the username to which you want to send your message.

'); if(!isset($_POST['subject']) || ( isset($_POST['subject']) && $_POST['subject'] == '')) die_friendly('Sending of message failed', '

Please enter a subject for your message.

'); if(!isset($_POST['message']) || ( isset($_POST['message']) && $_POST['message'] == '')) die_friendly('Sending of message failed', '

Please enter a message to send.

'); @@ -192,11 +195,12 @@
- - - + + +
Compose new private message
To:
Separate multiple names with a single comma; you
can send this message to up to users.
username_field('to', (isset($_POST['_savedraft'])) ? $_POST['to'] : $to ); ?>
Subject:
Message:
To:
Separate multiple names with a single comma; you
can send this message to up to users.
username_field('to', (isset($_POST['_savedraft'])) ? htmlspecialchars($_POST['to']) : $to ); ?>
Subject:
Message:
+ '; $template->footer(); @@ -214,6 +218,7 @@ if(isset($_POST['_send'])) { // Check each POST DATA parameter... + csrf_request_confirm(); if(!isset($_POST['to']) || ( isset($_POST['to']) && $_POST['to'] == '')) die_friendly('Sending of message failed', '
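Review bot: The new side escapes only the `_savedraft` branch of the recipient field, `htmlspecialchars($_POST['to'])`, while the `$to` fallback on the same line is still emitted raw; if `$to` is also request-derived it needs the same treatment. `htmlspecialchars` leaves single quotes alone unless `ENT_QUOTES` is passed, so the escape is only sufficient when `username_field` places the value in a double-quoted attribute — worth confirming, or use `htmlspecialchars($_POST['to'], ENT_QUOTES)`. The three replaced lines at the top of this hunk and the line added before `$template->footer()` had their markup stripped in this view, so what they add cannot be reviewed here.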

Please enter the username to which you want to send your message.

'); if(!isset($_POST['subject']) || ( isset($_POST['subject']) && $_POST['subject'] == '')) die_friendly('Sending of message failed', '

Please enter a subject for your message.

'); if(!isset($_POST['message']) || ( isset($_POST['message']) && $_POST['message'] == '')) die_friendly('Sending of message failed', '

Please enter a message to send.

'); @@ -231,6 +236,7 @@ return; } elseif(isset($_POST['_savedraft'])) { // Check each POST DATA parameter... + csrf_request_confirm(); if(!isset($_POST['to']) || ( isset($_POST['to']) && $_POST['to'] == '')) die_friendly('Sending of message failed', '

Please enter the username to which you want to send your message.

'); if(!isset($_POST['subject']) || ( isset($_POST['subject']) && $_POST['subject'] == '')) die_friendly('Sending of message failed', '

Please enter a subject for your message.

'); if(!isset($_POST['message']) || ( isset($_POST['message']) && $_POST['message'] == '')) die_friendly('Sending of message failed', '

Please enter a message to send.

'); @@ -251,6 +257,7 @@ userprefs_show_menu(); echo '
'; ?> +
@@ -317,6 +324,7 @@ if(!$q) $db->_die('The private message data could not be selected.'); echo '
Edit draft
'; if($db->numrows() < 1) echo ''; @@ -351,12 +359,16 @@ $fname = $db->escape(strtolower($_POST['folder'])); if($fname=='drafts' || $fname=='outbox') { - $q = $db->sql_query('SELECT p.message_id, p.message_from, p.message_to, p.date, p.subject FROM '.table_prefix.'privmsgs AS p WHERE p.folder_name=\''.$fname.'\' AND p.message_from=\''.$session->username.'\' ORDER BY date DESC;'); + $fname = $fname == 'outbox' ? 'inbox' : $fname; + $readsnip = $fname == 'inbox' ? ' AND message_read = 0' : ''; + $q = $db->sql_query('SELECT p.message_id, p.message_from, p.message_to, p.date, p.subject FROM '.table_prefix.'privmsgs AS p WHERE p.folder_name=\''.$fname.'\' AND p.message_from=\''.$session->username.'\'' . $readsnip . ' ORDER BY date DESC;'); } else { $q = $db->sql_query('SELECT p.message_id, p.message_from, p.message_to, p.date, p.subject FROM '.table_prefix.'privmsgs AS p WHERE p.folder_name=\''.$fname.'\' AND p.message_to=\''.$session->username.'\' ORDER BY date DESC;'); } if(!$q) $db->_die('The private message data could not be selected.'); - + + csrf_request_confirm(); + if(isset($_POST['archive'])) { while($row = $db->fetchrow($q)) { @@ -373,7 +385,7 @@ if(isset($_POST['marked_'.$row['message_id']])) { $e = $db->sql_query('DELETE FROM '.table_prefix.'privmsgs WHERE message_id='.$row['message_id'].';'); - if(!$e) $db->_die('Message '.$row['message_id'].' was not successfully moved.'); + if(!$e) $db->_die('Message '.$row['message_id'].' was not successfully removed.'); $db->free_result(); } }
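Review bot: In the -351 hunk `csrf_request_confirm()` runs only after `$_POST['folder']` has been read and used in the SELECT, so an unverified request still drives the folder lookup; placing the call before `$fname = $db->escape(strtolower($_POST['folder']));` keeps every use of the POST body behind the check. The `outbox` → `inbox` remap combined with `message_read = 0` encodes a non-obvious rule and deserves a comment such as `// 'outbox' is not a stored folder: a sent message stays in the recipient's inbox until it is read` — confirm that is the intended meaning. After the remap `$fname` is `'inbox'` for an outbox listing, so the later column-header test `if($fname == 'drafts' || $fname == 'Outbox')` (whose `'Outbox'` arm is already unreachable once `strtolower` has run) will label the column `From` for sent messages. The function enclosing these hunks begins before them.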
Folder: '.$argv[1].'
'; if($fname == 'drafts' || $fname == 'Outbox') echo 'To'; else echo 'From'; + ?>SubjectDateMark
No messages in this folder.