web: include security check when deleting relationship

Bart Van Der Meerssche 2009-08-27 20:07:22 +00:00
parent 0ada64d2d2
commit 6c6740fb7e
1 changed files with 8 additions and 3 deletions


@ -245,7 +245,6 @@ function _logger_dashboard($type, $function, $interval) {
} }
function _logger_add($uid) { function _logger_add($uid) {
// TODO : include security checks
global $user; global $user;
$rtid = db_result(db_query("SELECT rtid FROM {user_relationship_types} where name = '%s'", 'subscription')); $rtid = db_result(db_query("SELECT rtid FROM {user_relationship_types} where name = '%s'", 'subscription'));
user_relationships_request_relationship($user->uid, $uid, $rtid, TRUE); user_relationships_request_relationship($user->uid, $uid, $rtid, TRUE);
@ -254,8 +253,14 @@ function _logger_add($uid) {
} }
function _logger_remove($rid) { function _logger_remove($rid) {
// TODO : include security checks global $user;
// check whether the to-be-deleted relationship was created by the same user
if ($user->uid == db_result(db_query("SELECT requester_id FROM {user_relationships} WHERE rid = %d", $rid))) {
db_query("DELETE FROM {user_relationships} WHERE rid = %d", $rid); db_query("DELETE FROM {user_relationships} WHERE rid = %d", $rid);
}
else {
watchdog('relationships', 'attempt to delete rid %rid by non-authorized user %uid', array('%rid' => $rid, '%uid' => $user->uid), WATCHDOG_ERROR);
}
$destination = drupal_get_destination(); $destination = drupal_get_destination();
drupal_goto($destination); drupal_goto($destination);
} }
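Review bot: `_logger_add` loses its `// TODO : include security checks` marker in the first hunk, yet the visible lines still pass the caller-supplied `$uid` to `user_relationships_request_relationship($user->uid, $uid, $rtid, TRUE)` with no validation, so the add path is now both unchecked and unflagged. Either keep the marker or add a guard there, for example confirming that `$uid` is an existing account other than `$user->uid` before requesting the relationship; the function's body continues past the first hunk, so a check may exist outside the visible lines. In `_logger_remove` the new ownership test compares with `==` against `db_result()`, which returns FALSE when no row matches, so an anonymous session (uid 0) would pass the test for a non-existent rid; fetching the requester id into a variable, rejecting FALSE explicitly, and then comparing `(int) $requester_id === (int) $user->uid` would state the intent. If this callback is reached through a plain link (the menu definition is outside this section), the ownership check does not cover cross-site requests made from the owner's browser, and validating a token issued by `drupal_get_token()` with `drupal_valid_token()` before the DELETE would close that gap.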