[svn r20641] logic changes - allow to send messages in outbox - (partial FS#3909)

17 years ago · 8ba986d764
parent b30afce5c6
commit 8ba986d764
3 changed files with 48 additions and 12 deletions
--- a/main/inc/lib/usermanager.lib.php
+++ b/main/inc/lib/usermanager.lib.php
@ -1,4 +1,4 @@
-<?php // $Id: usermanager.lib.php 20615 2009-05-13 23:00:33Z cfasanando $
+<?php // $Id: usermanager.lib.php 20641 2009-05-14 16:13:21Z iflorespaz $
 /*
 ==============================================================================
 	Dokeos - elearning and course management software
@ -1928,4 +1928,35 @@ class UserManager
 		}
 		return $picture;
    }
    /**
     * @author Isaac flores <isaac.flores@dokeos.com>
     * @param string The email administrator
     * @param integer The user id
     * @param string The message title
     * @param string The content message
     */
   	  function send_message_in_outbox ($email_administrator,$user_id,$title, $content) {
        global $charset;
 		$table_message = Database::get_main_table(TABLE_MESSAGE);
 		$table_user = Database::get_main_table(TABLE_MAIN_USER);		
        $title = mb_convert_encoding($title,$charset,'UTF-8');
        $content = mb_convert_encoding($content,$charset,'UTF-8');
 		//message in inbox
 		$sql_message_outbox='SELECT user_id from '.$table_user.' WHERE email="'.$email_administrator.'" ';
 		//$num_row_query=Database::num_rows($sql_message_outbox);
 		$res_message_outbox=Database::query($sql_message_outbox,__FILE__,__LINE__);
 		$array_users_administrator=array();
 		while ($row_message_outbox=Database::fetch_array($res_message_outbox,'ASSOC')) {
 			$array_users_administrator[]=$row_message_outbox['user_id'];
 		}
 		//allow to insert messages in outbox
 		for ($i=0;$i<count($array_users_administrator);$i++) {
 			$sql_insert_outbox = "INSERT INTO $table_message(user_sender_id, user_receiver_id, msg_status, send_date, title, content ) ".
 					" VALUES (".
 			 		"'".(int)$user_id."', '".(int)($array_users_administrator[$i])."', '4', '".date('Y-m-d H:i:s')."','".Database::escape_string($title)."','".Database::escape_string($content)."'".
 			 		")";
 			$rs = Database::query($sql_insert_outbox,__FILE__,__LINE__);
 		}
 	} 
 }
--- a/main/messages/inbox.php
+++ b/main/messages/inbox.php
@ -31,9 +31,9 @@
 // name of the language file that needs to be included 
 $language_file = array('registration','messages','userInfo','admin');
 $cidReset=true;
-include_once ('../inc/global.inc.php');
+require_once '../inc/global.inc.php';
 require_once '../messages/message.class.php';
-include_once(api_get_path(LIBRARY_PATH).'/message.lib.php');
+require_once(api_get_path(LIBRARY_PATH).'message.lib.php');
 api_block_anonymous_users();
 if (isset($_GET['messages_page_nr'])) {
 	if (api_get_setting('allow_social_tool')=='true' &&  api_get_setting('allow_message_tool')=='true') {
--- a/main/messaging/email_editor.php
+++ b/main/messaging/email_editor.php
@ -29,8 +29,8 @@
 // name of the language file that needs to be included 
 $language_file = "index";
-include_once("../inc/global.inc.php");
+require_once"../inc/global.inc.php";
-
+require_once"../inc/lib/usermanager.lib.php";
 if(empty($_user['user_id']))
 {
 	api_not_allowed(true);
@ -46,11 +46,16 @@ if(empty($_SESSION['origin_url'])){
 /* Process the form and redirect to origin */
 if(!empty($_POST['submit_email']) && !empty($_POST['email_title']) && !empty($_POST['email_text']))
 {
-	$text = $_POST['email_text']."\n\n---\n".get_lang('EmailSentFromDokeos')." ".api_get_path(WEB_PATH);
+	$text = Security::remove_XSS($_POST['email_text'])."\n\n---\n".get_lang('EmailSentFromDokeos')." ".api_get_path(WEB_PATH);
 	$email_administrator=Security::remove_XSS($_POST['dest']);
 	$user_id=api_get_user_id();
 	$title=Security::remove_XSS($_POST['email_title']);
 	$content=Security::remove_XSS($_POST['email_text']);	
 	if(!empty($_user['mail'])){
-		api_send_mail($_POST['dest'],$_POST['email_title'],$text,"From: ".$_user['mail']."\r\n");
+		api_send_mail($email_administrator,$title,$text,"From: ".$_user['mail']."\r\n");
 		UserManager::send_message_in_outbox ($email_administrator,$user_id,$title, $content);		
 	}else{
-		api_send_mail($_POST['dest'],$_POST['email_title'],$text);
+		api_send_mail($email_administrator,$title,$text);
 	}
 	$orig = $_SESSION['origin_url'];
 	api_session_unregister('origin_url');
@ -63,13 +68,13 @@ Display::display_header(get_lang('SendEmail'));
 ?>
 <table border="0">
 <form action="" method="POST">
-<input type="hidden" name="dest" value="<?php echo $_REQUEST['dest'];?>" />
+<input type="hidden" name="dest" value="<?php echo Security::remove_XSS($_REQUEST['dest']);?>" />
 	<tr>
 		<td>
 			<label for="email_address"><?php echo get_lang('EmailDestination');?></label>
 		</td>
 		<td>
-			<span id="email_address"><?php echo $_REQUEST['dest']; ?></span>
+			<span id="email_address"><?php echo Security::remove_XSS($_REQUEST['dest']); ?></span>
 		</td>
 	</tr>
 	<tr>
@ -77,7 +82,7 @@ Display::display_header(get_lang('SendEmail'));
 			<label for="email_title"><?php echo get_lang('EmailTitle');?></label>
 		</td>
 		<td>
-			<input name="email_title" id="email_title" value="<?php echo $_POST['email_title'];?>" size="60"></input>
+			<input name="email_title" id="email_title" value="<?php echo Security::remove_XSS($_POST['email_title']);?>" size="60"></input>
 		</td>
 	</tr>
 	<tr>
@ -86,7 +91,7 @@ Display::display_header(get_lang('SendEmail'));
 		</td>
 		<td>
 			<?php
-			  echo '<textarea id="email_text" name="email_text" rows="10" cols="80">'.$_POST['email_text'].'</textarea>';
+			  echo '<textarea id="email_text" name="email_text" rows="10" cols="80">'.Security::remove_XSS($_POST['email_text']).'</textarea>';
 			  //htmlarea is not used otherwise we have to deal with HTML e-mail and all the related probs
 			  //api_disp_html_area('email_text',$_POST['email_text'],'250px');
 			?>