  1. phpBB
  2. PHPBB-17137

Attachments can be deleted after end of post editing or deletion time


      Users are able to remove file attachments from posts and private messages even years after the post editing or deletion time has passed. This can lead to serious problems for forums where posts are highly focussed on file attachments. Also, this allows former members to remove files from internal forums without the consent or even knowledge of the administrator.

      The error can be found in includes/ucp/ucp_attachments.php:

      while ($row = $db->sql_fetchrow($result))
      {
      	if (!$auth->acl_get('m_edit', $row['forum_id']) && ($row['forum_status'] == ITEM_LOCKED || $row['topic_status'] == ITEM_LOCKED || $row['post_edit_locked']))
      	{
      		continue;
      	}
       
      	$delete_ids[] = $row['attach_id'];
      }
      

      This line will only prevent deletion if the forum, the topic or the post is locked. Neither whether the forum is internal nor whether the post editing and deletion times have passed is checked.

      Since administrators will assume that the post editing or deletion times will protect against users manipulating posts, especially against undiscovered manipulations after years, this should not be possible.

      The issue can easily be fixed by the following change:

      while ($row = $db->sql_fetchrow($result))
      {
      	// Is 'delete_time' lower than 'edit_time', removal is still
      	// blocked as the user can manually edit his post anyway.
      	$post_modification_times_exceeded = (
      		($config['edit_time'] && $row['post_time'] <= time() - ($config['edit_time'] * 60)) ||
      		($config['delete_time'] && $row['post_time'] <= time() - ($config['delete_time'] * 60))
      	);
      	
      	if (!$auth->acl_get('m_edit', $row['forum_id']) && !$auth->acl_get('m_delete', $row['forum_id']) && ($row['forum_status'] == ITEM_LOCKED || $row['topic_status'] == ITEM_LOCKED || $row['post_edit_locked'] || $post_modification_times_exceeded))
      	{
      		continue;
      	}
       
      	$delete_ids[] = $row['attach_id'];
      }
      

      The additional 'm_delete' may not be required - I am not sure. Also the SQL query needs to be altered by adding 'post_time' to it:
       

      $sql = 'SELECT a.attach_id, p.post_edit_locked, p.post_time, t.topic_status, f.forum_id, f.forum_status

            Marc Marc
            ElooKoN ElooKoN
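The difference between the quoted check and the proposed one, as an added example that is not part of the original report or of phpBB: both conditions are pulled into pure functions and run over constructed rows. The names blocked_before and blocked_after, the $is_mod flag (standing in for the $auth->acl_get() results) and all sample values are assumptions.

```php
<?php
// Added example, not phpBB code. Rows, config and $now are constructed samples.
const ITEM_LOCKED = 1; // assumed to match phpBB's constant; defined so this runs alone

// Check as quoted in the report: only lock state blocks deletion.
function blocked_before(array $row, bool $is_mod): bool
{
	return !$is_mod && ($row['forum_status'] == ITEM_LOCKED
		|| $row['topic_status'] == ITEM_LOCKED || $row['post_edit_locked']);
}

// Proposed check: an expired edit or delete window also blocks deletion.
// A limit of 0 is falsy, so it never expires.
function blocked_after(array $row, bool $is_mod, array $config, int $now): bool
{
	$expired = false;
	foreach (['edit_time', 'delete_time'] as $key)
	{
		// Limits are in minutes, post_time in seconds.
		if ($config[$key] && $row['post_time'] <= $now - $config[$key] * 60)
		{
			$expired = true;
		}
	}
	return !$is_mod && (blocked_before($row, false) || $expired);
}

$now = 1700000000;
$limits = ['edit_time' => 60, 'delete_time' => 30];
$none = ['edit_time' => 0, 'delete_time' => 0];
$open = ['forum_status' => 0, 'topic_status' => 0, 'post_edit_locked' => 0];
$cases = [
	// label, post age in minutes, row flags, moderator?, config
	['fresh post, user', 10, $open, false, $limits],
	['45 min old, user', 45, $open, false, $limits],
	['3 years old, user', 3 * 365 * 1440, $open, false, $limits],
	['3 years old, moderator', 3 * 365 * 1440, $open, true, $limits],
	['3 years old, no limits set', 3 * 365 * 1440, $open, false, $none],
	['fresh post, locked topic', 10, ['topic_status' => ITEM_LOCKED] + $open, false, $limits],
];
foreach ($cases as [$label, $age, $flags, $is_mod, $config])
{
	$row = $flags + ['post_time' => $now - $age * 60];
	printf("%-28s before=%-7s after=%s\n", $label,
		blocked_before($row, $is_mod) ? 'blocked' : 'allowed',
		blocked_after($row, $is_mod, $config, $now) ? 'blocked' : 'allowed');
}
```

The 45-minute row shows that the proposed condition blocks removal as soon as either limit is exceeded, which is the behaviour the comment in the proposed change describes.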