How about adding a userid to the query! Sure it would be difficult to know who has unread PM(s), but all one has to do is start sending requests with PM ids and they can delete all unread PM(s) even ones that are not theirs! Then you should also check the request, because allowing what you allow, can end up with anyone reading any table they want or even delete your whole database! Nice idea, but it needs to be made secure!
Sonia
Very good point... I have to say silly me for not doing it.
Quote:
That is the only drawback stopping me from using it.
There's nothing that can be done about that, unfortunately you can't pull back emails. I could do a "This PM has been deleted" error message if you guys'd prefer.
Quote:
the best way would be to have a dropdown with multiple choices where you select the users that need to be deleted from the list of receiving the pm ... so if there is only one receiver, the dropdown will be a single choice... if we choose nobody, no pm will be deleted...
That's a good idea, the fact that it could be for multiple users completely slipped my mind. I'd probably do checkboxes rather than a list purely because I find checkboxes easier and I want them as easy as possible.
1) The delete function LEAVES the tracking notice in your tracking folder. How can that be removed at the same time? (After all, you don't need the tracking notice anymore).
2) You create the following phrase:
Phrase Type: Private Messaging
Varname: was_deleted
Text: You deleted it!
Yes. This hack is still not 100% Featured, I will be adding it so that in the Sent Messages folder, it'll show that it was deleted and thus didn't get through.
1) The delete function LEAVES the tracking notice in your tracking folder. How can that be removed at the same time? (After all, you don't need the tracking notice anymore).
I would like to leave the tracking message just to remind the sender that he deleted it. But, I would like to have the "Delete Their PM!" link removed. The way it stands now, if the sender deletes the PM, the "Delete Their PM" link is still active. This could be gotten rid of to prevent an error message.
Ok, in the meantime, while pie works on the authenticate_sender_before_delete scheme, I added a quick fix to it. It's simple.. It replaces the entire request routine and here it is:
PHP Code:
if ($_REQUEST['do'] == "deleteunread") {
    // force the PM id to an integer so it cannot alter the queries below
    $pm = intval($_GET['pm']);

    // check to see if it is still unread and the user hasn't dilly-dallied
    $pmquery = $DB_site->query("SELECT * FROM " . TABLE_PREFIX . "pm WHERE pmid=$pm");
    $pmnum = $DB_site->num_rows($pmquery);

    if ($pmnum == 0) {
        $idname = $vbphrase['private_message'];
        eval(print_standard_error('invalidid'));
    }

    $pmquery = $DB_site->query("SELECT * FROM " . TABLE_PREFIX . "pm WHERE pmid=$pm AND messageread=0");
    if ($DB_site->num_rows($pmquery) == 0) {
        eval(print_standard_error('hasbeenread'));
    }

    // check that the actual sender of the PM is the one trying to delete it. Done by chris
    $suspectuser = $bbuserinfo['userid'];
    $senderquery = $DB_site->query("SELECT userid FROM " . TABLE_PREFIX . "pmreceipt WHERE pmid=$pm AND readtime=0");
    $senderresult = mysql_fetch_assoc($senderquery);

    // require a receipt row: without it a missing row would compare equal to a guest's userid of 0
    if ($senderresult AND $senderresult['userid'] == $suspectuser) {
        $receiptSql = "UPDATE " . TABLE_PREFIX . "pmreceipt SET deleted=1 WHERE pmid=$pm";
        $DB_site->query($receiptSql);

        $deletePmSql = "DELETE FROM " . TABLE_PREFIX . "pm WHERE pmid=" . $pm;
        $DB_site->query($deletePmSql);
    } else {
        // not the sender: refuse instead of silently doing nothing
        print_no_permission();
    }
}
To replace the "Delete Their PM!" link if the PM has already been deleted by the sender, do the following:
In private.php, find
PHP Code:
$pmreceipts = $DB_site->query("
    SELECT pmreceipt.*, pmreceipt.pmid AS receiptid
    FROM " . TABLE_PREFIX . "pmreceipt AS pmreceipt
    WHERE pmreceipt.userid = $bbuserinfo[userid]
    ORDER BY pmreceipt.sendtime DESC
");
Replace with:
PHP Code:
$pmreceipts = $DB_site->query("
    SELECT deleted, pmreceipt.*, pmreceipt.pmid AS receiptid
    FROM " . TABLE_PREFIX . "pmreceipt AS pmreceipt
    WHERE pmreceipt.userid = $bbuserinfo[userid]
    ORDER BY pmreceipt.sendtime DESC
");
The pm_receiptsbit template replacement string should be changed to:
No, I noticed now if a user deletes the PM WITHOUT reading it, the receipt should be processed as "confirmed" and not have the "delete their pm" availability anymore.
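The "add a userid to the query" point raised earlier in the thread, as an added example that is not part of any post or of the hack itself: the sender check, the unread check and the delete are folded into one parameterized statement, so the request cannot touch another user's PM, cannot inject SQL through the id, and cannot race a recipient who opens the message between a check and the delete. The `pm` table layout, the `fromuserid` and `touserid` columns and the `delete_unread_pm()` helper are assumptions made for illustration, not vBulletin's real schema or API.

```php
<?php
// Added example: simplified, constructed schema (not vBulletin's real tables).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pm (
    pmid        INTEGER PRIMARY KEY,
    fromuserid  INTEGER NOT NULL,
    touserid    INTEGER NOT NULL,
    messageread INTEGER NOT NULL DEFAULT 0
)');
// Constructed sample rows: user 1 sent PMs 10 (unread) and 11 (read), user 2 sent PM 12.
$db->exec('INSERT INTO pm VALUES (10, 1, 2, 0), (11, 1, 3, 1), (12, 2, 3, 0)');

/**
 * Hypothetical helper: delete an unread PM only if $userId is its sender.
 * Returns true when exactly one row was removed, false in every other case
 * (bad id, PM already read, PM sent by someone else, PM does not exist).
 */
function delete_unread_pm(PDO $db, int $userId, $rawPmId): bool
{
    // Reject anything that is not a positive integer before it reaches SQL.
    $pmId = filter_var($rawPmId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($pmId === false) {
        return false;
    }

    // Ownership and unread state are part of the WHERE clause, so the
    // authorization decision and the delete happen in the same statement.
    $stmt = $db->prepare(
        'DELETE FROM pm WHERE pmid = :pm AND fromuserid = :uid AND messageread = 0'
    );
    $stmt->execute([':pm' => $pmId, ':uid' => $userId]);

    return $stmt->rowCount() === 1;
}

// User 1 is logged in; the second argument stands in for $_GET['pm'].
var_dump(delete_unread_pm($db, 1, '12'));        // PM 12 was sent by user 2
var_dump(delete_unread_pm($db, 1, '10 OR 1=1')); // not an integer id
var_dump(delete_unread_pm($db, 1, '11'));        // user 1's PM, already read
var_dump(delete_unread_pm($db, 1, '10'));        // user 1's own unread PM
```

Because the caller only learns whether a row was deleted, the response also does not reveal whether a PM id belonging to someone else exists or has been read.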