Don't show users boards they can't control

2013-10-25 01:20:23 +00:00 · 2013-10-25 01:20:23 +00:00 · 6f0dc29d03
commit 6f0dc29d03
parent 58ef0213d2
4 changed files with 28 additions and 11 deletions
--- a/inc/bans.php
+++ b/inc/bans.php
@ -154,13 +154,17 @@ class Bans {
 		return $ban_list;
 	}
-	static public function list_all($offset = 0, $limit = 9001) {
+	static public function list_all($offset = 0, $limit = 9001, $board = false) {
 		$offset = (int)$offset;
 		$limit = (int)$limit;
-		$query = query("SELECT ``bans``.*, `username` FROM ``bans``
+		$query = prepare("SELECT ``bans``.*, `username` FROM ``bans``
-			LEFT JOIN ``mods`` ON ``mods``.`id` = `creator`
+			LEFT JOIN ``mods`` ON ``mods``.`id` = `creator`" . ($board ? ' WHERE ``bans``.`board` = :board' : '') . "
-			ORDER BY `created` DESC LIMIT $offset, $limit") or error(db_error());
+			ORDER BY `created` DESC LIMIT $offset, $limit");
 		if ($board)
 			$query->bindValue(':board', $board);
 		$query->execute() or error(db_error());
 		$bans = $query->fetchAll(PDO::FETCH_ASSOC);
 		foreach ($bans as &$ban) {
@ -170,8 +174,10 @@ class Bans {
 		return $bans;
 	}
-	static public function count() {
+	static public function count($board = false) {
-		$query = query("SELECT COUNT(*) FROM ``bans``") or error(db_error());
+		$query = prepare("SELECT COUNT(*) FROM ``bans`` WHERE `board` = :board");
 		$query->bindValue(':board', $board);
 		$query->execute() or error(db_error());
 		return (int)$query->fetchColumn();
 	}
--- a/inc/mod/pages.php
+++ b/inc/mod/pages.php
@ -866,7 +866,7 @@ function mod_ban() {
 }
 function mod_bans($page_no = 1) {
-	global $config;
+	global $config, $mod;
 	if ($page_no < 1)
 		error($config['error']['404']);
@ -893,7 +893,9 @@ function mod_bans($page_no = 1) {
 		return;
 	}
-	$bans = Bans::list_all(($page_no - 1) * $config['mod']['banlist_page'], $config['mod']['banlist_page']);
+	$board = ($mod['boards'][0] == '*' ? false : $mod['boards'][0]);
 	$bans = Bans::list_all(($page_no - 1) * $config['mod']['banlist_page'], $config['mod']['banlist_page'], $board);
 	if (empty($bans) && $page_no > 1)
 		error($config['error']['404']);
@ -905,7 +907,7 @@ function mod_bans($page_no = 1) {
 	mod_page(_('Ban list'), 'mod/ban_list.html', array(
 		'bans' => $bans,
-		'count' => Bans::count(),
+		'count' => Bans::count($board),
 		'token' => make_secure_link_token('bans')
 	));
 }
--- a/templates/mod/ban_form.html
+++ b/templates/mod/ban_form.html
@ -65,20 +65,24 @@
 			<th>{% trans 'Board' %}</th>
 			<td>
 				<ul style="list-style:none;padding:2px 5px">
 					{% if mod.boards[0] == '*' %}
 					<li>
 						<input type="radio" name="board" value="*" id="ban-allboards" checked> 
 						<label style="display:inline" for="ban-allboards">
 							<em>{% trans 'all boards' %}</em>
 						</label>
 					</li>
 					{% endif %}
 					{% for board in boards %}
 					{% if board.uri in mod.boards or mod.boards[0] == '*' %}
 						<li>
-							<input type="radio" name="board" value="{{ board.uri }}" id="ban-board-{{ board.uri }}"> 
+							<input type="radio" name="board" value="{{ board.uri }}" id="ban-board-{{ board.uri }}" {%if board.uri == mod.boards[0]%}checked{%endif%}> 
 							<label style="display:inline" for="ban-board-{{ board.uri }}">
 								{{ config.board_abbreviation|sprintf(board.uri) }} - {{ board.title|e }}
 							</label>
 						</li>
 					{% endif %}
 					{% endfor %}
 				</ul>
 			</td>
--- a/templates/mod/dashboard.html
+++ b/templates/mod/dashboard.html
@ -1,3 +1,4 @@
 {{ mod.type }}
 <fieldset>
 	<legend>{% trans 'Boards' %}</legend>
@ -16,6 +17,10 @@
 							{{ board.subtitle|e }}
 						{% endif %}
 					</small>
 				{% endif %}
 				{% if mod.type == "20" %}
 					<a href="?/settings/{{ board.uri }}"><small>[{% trans 'settings' %}]</small></a>
 				{% endif %}
 				{% if mod|hasPermission(config.mod.manageboards) %}
 					 <a href="?/edit/{{ board.uri }}"><small>[{% trans 'edit' %}]</small></a>