Ok, the modification to editpost.php has a logic error in it.
You test two conditions in a nested double test:
Was post made anon?
- Yes
-- was it anon before?
---Yes set a bunch of vars incl $threadupdate
---No set a bunch of vars incl $threadupdate
- No
-- was it anon before?
---Yes set a bunch of vars incl $threadupdate
---No set a bunch of vars incl $threadupdate
Then you later have logic twice to update the thread
// if (!empty($threadupdate))
$threadupdate will never be empty in either case.
Net effect: When a thread is posted and someone replies to it and then edits their reply, thread.postusername and thread.postuserid are overwritten inappropriately and the 2nd threadupdate . Thread should only be updated with anon/real user names and IDs if the OP is edited.
This is the change I made to the entire code set of editpost.php following
delete_post_index($postid);
PHP Code:
// The post is made anonymously
if ($edit['postanon'])
{
    // Check to see if it was made anonymously BEFORE the edit
    if ($postinfo['postanon'])
    {
        $edit['postusername'] = $postinfo['username'];
        $edit['userid'] = $postinfo['userid'];
        $edit['postanon'] = $postinfo['postanon'];
        $edit['anonname'] = $postinfo['username'];
        // Only an edit of the first post may change the thread's poster fields
        if ($threadinfo['firstpostid'] == $postinfo['postid'])
        {
            $threadupdate[] = "postusername = '" . addslashes(htmlspecialchars_uni($edit['postusername'])) . "',anonname = '" . addslashes(htmlspecialchars_uni($edit['anonname'])) . "', postanon = $edit[postanon]";
        }
        $forumupdate = "anonname = '" . addslashes(htmlspecialchars_uni($edit['anonname'])) . "', postanon = $edit[postanon]";
    }
    // If not, we need to set the values.
    else
    {
        // This isn't exactly right. But, most times, it will work.
        $edit['postusername'] = $usergroupcache["$bbuserinfo[usergroupid]"]['anonname'];
        $edit['postusername'] = $threadinfo['postusername'];
        $edit['userid'] = 256;
        $edit['postanon'] = $postinfo['userid'];
        $edit['anonname'] = $postinfo['username'];
        if ($threadinfo['firstpostid'] == $postinfo['postid'])
        {
            $threadupdate[] = "postusername = '" . addslashes(htmlspecialchars_uni($edit['postusername'])) . "',anonname = '" . addslashes(htmlspecialchars_uni($edit['anonname'])) . "', postanon = $edit[postanon]";
        }
        $forumupdate = "anonname = '" . addslashes(htmlspecialchars_uni($edit['anonname'])) . "', postanon = $edit[postanon]";
    }
}
// The post is no longer made anonymously
else
{
    // Check to see if it was made anonymously BEFORE the edit.
    if ($postinfo['postanon'])
    {
        $edit['postusername'] = $postinfo['anonname'];
        $edit['userid'] = $postinfo['postanon'];
        $edit['postanon'] = 0;
        $edit['anonname'] = "";
        if ($threadinfo['firstpostid'] == $postinfo['postid'])
        {
            $threadupdate[] = "postusername = '" . addslashes(htmlspecialchars_uni($edit['postusername'])) . "',anonname = '" . addslashes(htmlspecialchars_uni($edit['anonname'])) . "', postanon = $edit[postanon]";
        }
        $forumupdate = "anonname = '" . addslashes(htmlspecialchars_uni($edit['anonname'])) . "', postanon = $edit[postanon]";
    }
    else
    {
        $edit['postanon'] = 0;
        $edit['anonname'] = "";
        $edit['userid'] = $postinfo['userid'];
        $edit['postusername'] = $postinfo['username'];
        if ($threadinfo['firstpostid'] == $postinfo['postid'])
        {
            $threadupdate[] = "postusername = '" . addslashes(htmlspecialchars_uni($edit['postusername'])) . "',anonname = '" . addslashes(htmlspecialchars_uni($edit['anonname'])) . "', postanon = $edit[postanon]";
        }
        $forumupdate = "anonname = '" . addslashes(htmlspecialchars_uni($edit['anonname'])) . "', postanon = $edit[postanon]";
    }
}
if (!empty($threadupdate))
{
    // do thread update
    $DB_site->query("
        UPDATE " . TABLE_PREFIX . "thread
        SET " . implode(', ', $threadupdate) . "
        WHERE threadid = $threadinfo[threadid]
    ");
}
if ($foruminfo['lastposter'] == $postinfo['username'])
{
    // this thread is the one being displayed as the thread with the last post...
    $forumupdate = "lastposter = '" . addslashes(htmlspecialchars_uni($edit['postusername'])) . "', postanon = $edit[postanon]";
}
if ($threadinfo['lastposter'] == $postinfo['username'])
{
    // this post is the one being displayed as the thread with the last post...
    $threadupdate[] = "lastposter = '" . addslashes(htmlspecialchars_uni($edit['postusername'])) . "',anonname = '" . addslashes(htmlspecialchars_uni($edit['anonname'])) . "', postanon = $edit[postanon]";
}
if (!empty($threadupdate))
{
    // do thread update
    $DB_site->query("
        UPDATE " . TABLE_PREFIX . "thread
        SET " . implode(', ', $threadupdate) . "
        WHERE threadid = $threadinfo[threadid]
    ");
}
You will see, I wrapped all updates to $threadupdate in a conditional validating that the post edited is the first post in the thread.
I also removed "postuserid = $edit[userid]" in all spots in that code (it was in every update to $threadupdate).
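
The first-post guard described in this post, as an added example that is not part of the original post or of the mod's code. The function names and sample values are hypothetical, the table and column names are taken from the post, and named placeholders are assumed in place of the `$DB_site->query()` string concatenation.

```php
<?php
// Added example: hypothetical helpers, not vBulletin or mod code.

// Columns of the thread row that an edit of one post may change.
function thread_columns_for_edit(array $edit, array $postinfo, array $threadinfo): array
{
    $cols = [];
    // Thread-starter fields belong to the first post only; a reply edit skips them.
    if ((int) $threadinfo['firstpostid'] === (int) $postinfo['postid']) {
        $cols['postusername'] = $edit['postusername'];
        $cols['anonname']     = $edit['anonname'];
        $cols['postanon']     = (int) $edit['postanon'];
    }
    // lastposter changes only if the edited post is the one shown as last.
    if ($threadinfo['lastposter'] === $postinfo['username']) {
        $cols['lastposter'] = $edit['postusername'];
    }
    return $cols;
}

// Parameterised UPDATE, or null when there is nothing to write.
// Column names come from the fixed keys above, never from user input.
function thread_update_sql(array $cols, string $prefix = ''): ?string
{
    if ($cols === []) {
        return null;
    }
    $set = implode(', ', array_map(fn ($c) => "$c = :$c", array_keys($cols)));
    return "UPDATE {$prefix}thread SET $set WHERE threadid = :threadid";
}

// Constructed sample data: thread 10 started by alice (post 100); carol posted last.
$threadinfo = ['threadid' => 10, 'firstpostid' => 100, 'postusername' => 'alice', 'lastposter' => 'carol'];

// bob edits his reply (post 101) to be anonymous: no thread columns are selected.
$reply    = ['postid' => 101, 'username' => 'bob'];
$anonEdit = ['postusername' => 'Anonymous', 'anonname' => 'bob', 'postanon' => 7];
var_dump(thread_update_sql(thread_columns_for_edit($anonEdit, $reply, $threadinfo)));

// alice edits the first post: the starter fields are selected for update.
$first  = ['postid' => 100, 'username' => 'alice'];
$opEdit = ['postusername' => 'Anonymous', 'anonname' => 'alice', 'postanon' => 3];
echo thread_update_sql(thread_columns_for_edit($opEdit, $first, $threadinfo), 'vb_'), "\n";
```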