I tried to update forum's search function with patch in sbarakat's message. I pasted it over the code below, but after patching I noticed that Anonymous users get search results from restricted/access denied forum areas which they are not allowed to read.
Text Formatted Code
/**
* this searches for files matching the user query and returns an array of
* for the header and table rows back to search.php where it will be formated and
* printed
*
* @query string Keywords user is looking for
* @datestart date/time Start date to get results for
* @dateend date/time End date to get results for
* @topic string The topic they were searching in
* @type string Type of items they are searching
* @author string Get all results by this author
*
*/
function plugin_dopluginsearch_forum($query, $datestart, $dateend, $topic, $type, $author,$keyType,$page, $perpage)
{
global $LANG_GF00, $LANG_GF01, $_TABLES, $_CONF, $CONF_FORUM;
if (empty($type)) {
$type = 'all';
}
// Bail if we aren't supppose to do our search
if ($type <> 'all' AND $type <> 'forum') {
$plugin_results = new Plugin();
$plugin_results->plugin_name = $LANG_GF00['plugin_name'];
$plugin_results->searchlabel = $LANG_GF00['searchlabel'];
return $plugin_results;
}
// Build search SQL
$sqltmp = " WHERE 1=1 ";
if ( $keyType == 'phrase' ) {
$sqltmp .= "AND (comment LIKE '%$query%' OR subject LIKE '%$query%')";
} else if ( $keyType == 'any' ) {
$sqltmp .= 'AND ';
$tmp = '';
$mywords = explode( ' ', $query );
foreach( $mywords AS $mysearchitem ) {
$mysearchitem = addslashes( $mysearchitem );
$tmp .= "( comment LIKE '%$mysearchitem%' OR subject LIKE '%$mysearchitem%' ) OR ";
}
$tmp = substr($tmp, 0, strlen($tmp) - 3); // pulls off the last OR
$sqltmp .= "($tmp)";
} else if ( $keyType == 'all' ) {
$sqltmp .= 'AND ';
$tmp = '';
$mywords = explode( ' ', $query );
foreach( $mywords AS $mysearchitem ) {
$mysearchitem = addslashes( $mysearchitem );
$tmp .= "( comment LIKE '%$mysearchitem%' ) AND ";
}
$tmp = substr($tmp, 0, strlen($tmp) - 4);
$sqltmp .= "($tmp)";
$sqltmp .= 'OR ';
$tmp = '';
$mywords = explode( ' ', $query );
foreach( $mywords AS $mysearchitem ) {
$mysearchitem = addslashes( $mysearchitem );
$tmp .= "( subject LIKE '%$mysearchitem%' ) AND ";
}
$tmp = substr($tmp, 0, strlen($tmp) - 4);
$sqltmp .= "($tmp)";
} else {
$sqltmp = "WHERE (comment LIKE '%$query%' OR subject LIKE '%$query%')";
}
if ( $author != 0 ) {
$sqltmp .= " AND uid='" . $author . "'";
}
// handle date ranges
if (!empty($datestart) && !empty($dateend)) {
$delim = substr($datestart, 4, 1);
$sd = explode($delim,$datestart);
$ed = explode($delim,$dateend);
$startdate = mktime(0,0,0,$sd[1],$sd[2],$sd[0]);
$enddate = mktime(0,0,0,$ed[1],$ed[2],$ed[0]) + 3600;
$sqltmp .= " AND date BETWEEN '$startdate' AND '$enddate'";
}
$sql = "SELECT id,name,forum,date,subject,comment,views,uid FROM {$_TABLES['gf_topic']} "
. $sqltmp . " ORDER BY date DESC";
// limit what we are searching for...
if ( $perpage < 1 ) {
$perpage = 10;
}
$limitStart = ($page-1) * $perpage;
$limitEnd = $limitStart + $perpage;
$sql .= " LIMIT " . $limitStart . "," . $limitEnd;
// Perform search
$result = DB_query($sql);
// OK, now return coma delmited string of table header labels
// Need to use language variables
require_once($_CONF['path_system'] . 'classes/plugin.class.php');
$plugin_results = new Plugin();
$plugin_results->plugin_name = 'forum';
if (!empty($author)) {
$username = DB_getItem($_TABLES['users'],"username","uid = {$author}");
$plugin_results->searchlabel = sprintf($LANG_GF00['searchresults'],$LANG_GF01['FOR'] . ' ' . $username);
} else {
$plugin_results->searchlabel = sprintf($LANG_GF00['searchresults'],"");
}
$plugin_results->addSearchHeading($LANG_GF01['FORUM']);
$plugin_results->addSearchHeading($LANG_GF01['SUBJECT']);
$plugin_results->addSearchHeading($LANG_GF01['DATE']);
$plugin_results->addSearchHeading($LANG_GF01['VIEWS'] );
$totalsearched = DB_numRows($result);
$searchcount=0;
// NOTE if any of your data items need to be links then add them here!
// make sure data elements are in an array and in the same order as your
// headings above!
for ($i = 1; $i <= $totalsearched; $i++) {
$A = DB_fetchArray($result);
$grp_id = DB_getItem($_TABLES['gf_forums'],'grp_id',"forum_id='{$A['forum']}'");
$groupname = DB_getItem($_TABLES['groups'],'grp_name',"grp_id='$grp_id'");
if (SEC_inGroup($groupname) OR $grp_id == 2) {
if ($CONF_FORUM['use_censor']) {
$A['subject'] = COM_checkWords($A['subject']);
}
$searchcount++;
$forumname = DB_getItem($_TABLES['gf_forums'],"forum_name","forum_id='{$A['forum']}'");
$subject = wordwrap($A['subject'],40,"<br>");
$date = strftime('%b %d %Y @ %I:%M %p', $A['date']);
$url = $_CONF['site_url']. "/forum/viewtopic.php?forum={$A['forum']}&showtopic={$A['id']}";
$row = array($forumname, "<a href=\"$url\">" . COM_truncate($subject,$CONF_FORUM['show_subject_length'],'...') . "</a>",$date,$A['views']);
$plugin_results->addSearchResult($row);
}
}
$plugin_results->num_searchresults = $searchcount;
$plugin_results->num_itemssearched = DB_count($_TABLES['gf_topic']);
return $plugin_results;
}