-rw-r--r--phpBB/includes/functions_privmsgs.php5
-rw-r--r--phpBB/includes/ucp/ucp_pm.php10
-rw-r--r--phpBB/includes/ucp/ucp_pm_viewfolder.php4
3 files changed, 12 insertions, 7 deletions
diff --git a/phpBB/includes/functions_privmsgs.php b/phpBB/includes/functions_privmsgs.php
index f07512d623..436b437cfa 100644
--- a/phpBB/includes/functions_privmsgs.php
+++ b/phpBB/includes/functions_privmsgs.php
@@ -958,6 +958,11 @@ function handle_mark_actions($user_id, $mark_action)
{
case 'mark_important':
+ if (!check_form_key('ucp_pm_view'))
+ {
+ trigger_error('FORM_INVALID');
+ }
+
$sql = 'UPDATE ' . PRIVMSGS_TO_TABLE . "
SET pm_marked = 1 - pm_marked
WHERE folder_id = $cur_folder_id
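Review bot: Only the `mark_important` case gains a form-key check here, while the ucp_pm.php hunk in this commit drops `$submit_mark` from the shared `check_form_key('ucp_pm_view')` guard. Every other case in this switch therefore runs without a token check unless it performs its own. The rest of the switch is outside the hunk, so each remaining state-changing case should be confirmed to call `check_form_key('ucp_pm_view')` or to go through a confirmation step that carries its own token. A comment above the switch, such as `// Each state-changing mark action must verify the form key itself; ucp_pm.php no longer checks it for $submit_mark`, would keep later cases from being added without CSRF protection.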
diff --git a/phpBB/includes/ucp/ucp_pm.php b/phpBB/includes/ucp/ucp_pm.php
index 6fcc0146df..d8633975a9 100644
--- a/phpBB/includes/ucp/ucp_pm.php
+++ b/phpBB/includes/ucp/ucp_pm.php
@@ -209,14 +209,14 @@ class ucp_pm
$submit_mark = false;
}
- if (($move_pm || $submit_mark) && !check_form_key('ucp_pm_view'))
- {
- trigger_error('FORM_INVALID');
- }
-
// Move PM
if ($move_pm)
{
+ if (!check_form_key('ucp_pm_view'))
+ {
+ trigger_error('FORM_INVALID');
+ }
+
$move_msg_ids = (isset($_POST['marked_msg_id'])) ? $request->variable('marked_msg_id', array(0)) : array();
$cur_folder_id = $request->variable('cur_folder_id', PRIVMSGS_NO_BOX);
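Review bot: Nothing at this site records that `$submit_mark` requests are now left unchecked on purpose, so the removal of the combined guard reads like a regression. A comment where the guard used to be, for example `// Mark actions verify the form key per action in handle_mark_actions()`, would document the split. The `$submit_mark` branch is outside the hunk; presumably it calls handle_mark_actions(), which should be confirmed before wording the comment.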
diff --git a/phpBB/includes/ucp/ucp_pm_viewfolder.php b/phpBB/includes/ucp/ucp_pm_viewfolder.php
index ce40a2507d..4b6377e0b7 100644
--- a/phpBB/includes/ucp/ucp_pm_viewfolder.php
+++ b/phpBB/includes/ucp/ucp_pm_viewfolder.php
@@ -32,7 +32,7 @@ function view_folder($id, $mode, $folder_id, $folder)
$folder_info = get_pm_from($folder_id, $folder, $user->data['user_id']);
- add_form_key('ucp_pm_view_folder');
+ add_form_key('ucp_pm_view');
if (!$submit_export)
{
@@ -199,7 +199,7 @@ function view_folder($id, $mode, $folder_id, $folder)
$enclosure = $request->variable('enclosure', '');
$delimiter = $request->variable('delimiter', '');
- if (!check_form_key('ucp_pm_view_folder'))
+ if (!check_form_key('ucp_pm_view'))
{
trigger_error('FORM_INVALID');
}