- security hole: after BM quoting files from other board, they can edit

  list of other boards. Also introducted privacy issue.
- Unless someone defineds clear rule, we disable this function for BMs first.


git-svn-id: http://opensvn.csie.org/pttbbs/trunk/pttbbs@3618 63ad8ddf-47c3-0310-b6dd-a9e9d9715204

1 files changed, 21 insertions, 3 deletions

diff --git a/mbbsd/friend.c b/mbbsd/friend.c
index 50f00887..e3c31fb9 100644
--- a/mbbsd/friend.c
+++ b/mbbsd/friend.c
@@ -124,9 +124,14 @@ friend_append(int type, int count)
 {
     char            fpath[80], i, j, buf[80], sfile[80];
     FILE           *fp, *fp1;
+    char	    myboard[IDLEN+1] = "";
+    int		    boardChanged = 0;
 
     setfriendfile(fpath, type);
 
+    if (currboard && *currboard) 
+	strcpy(myboard, currboard);
+
     do {
 	move(2, 0);
 	clrtobot();
@@ -143,17 +148,28 @@ friend_append(int type, int count)
 		    prints("  (%d) %s 板的 %s\n", j, currboard,
 			     friend_list[(int)i]);
 		}
-	outs("  (S) 選擇其他看板的特別名單");
+	if (HasUserPerm(PERM_SYSOP))
+	    outs("  (S) 選擇其他看板的特別名單");
+
 	getdata(11, 0, "請選擇 或 直接[Enter] 放棄:", buf, 3, LCECHO);
 	if (!buf[0])
 	    return;
-	if (buf[0] == 's')
+
+	if (HasUserPerm(PERM_SYSOP) && buf[0] == 's')
+	{
 	    Select();
+	    boardChanged = 1;
+	}
+
 	j = buf[0] - '1';
 	if (j >= type)
 	    j++;
 	if (!(HasUserPerm(PERM_SYSOP) || currmode & MODE_BOARD) && j >= 5)
-	    return;
+	{
+	    if (boardChanged)
+		enter_board(myboard);
+	   return;
+	}
     } while (buf[0] < '1' || buf[0] > '9');
 
     if (j == FRIEND_SPECIAL)
@@ -177,6 +193,8 @@ friend_append(int type, int count)
 	}
 	fclose(fp);
     }
+    if (boardChanged)
+	enter_board(myboard);
 }
 
 static int