-rw-r--r-- | phpBB/includes/functions_privmsgs.php | 5 | ||||
-rw-r--r-- | phpBB/includes/ucp/ucp_pm.php | 10 | ||||
-rw-r--r-- | phpBB/includes/ucp/ucp_pm_viewfolder.php | 4 |
3 files changed, 12 insertions, 7 deletions
diff --git a/phpBB/includes/functions_privmsgs.php b/phpBB/includes/functions_privmsgs.php
index f07512d623..436b437cfa 100644
--- a/phpBB/includes/functions_privmsgs.php
+++ b/phpBB/includes/functions_privmsgs.php
@@ -958,6 +958,11 @@ function handle_mark_actions($user_id, $mark_action)
 {
 case 'mark_important':
+ if (!check_form_key('ucp_pm_view'))
+ {
+ trigger_error('FORM_INVALID');
+ }
+
 $sql = 'UPDATE ' . PRIVMSGS_TO_TABLE . "
 SET pm_marked = 1 - pm_marked
 WHERE folder_id = $cur_folder_id
diff --git a/phpBB/includes/ucp/ucp_pm.php b/phpBB/includes/ucp/ucp_pm.php
index 6fcc0146df..d8633975a9 100644
--- a/phpBB/includes/ucp/ucp_pm.php
+++ b/phpBB/includes/ucp/ucp_pm.php
@@ -209,14 +209,14 @@ class ucp_pm
 $submit_mark = false;
 }
- if (($move_pm || $submit_mark) && !check_form_key('ucp_pm_view'))
- {
- trigger_error('FORM_INVALID');
- }
-
 // Move PM
 if ($move_pm)
 {
+ if (!check_form_key('ucp_pm_view'))
+ {
+ trigger_error('FORM_INVALID');
+ }
+
 $move_msg_ids = (isset($_POST['marked_msg_id'])) ? $request->variable('marked_msg_id', array(0)) : array();
 $cur_folder_id = $request->variable('cur_folder_id', PRIVMSGS_NO_BOX);
diff --git a/phpBB/includes/ucp/ucp_pm_viewfolder.php b/phpBB/includes/ucp/ucp_pm_viewfolder.php
index ce40a2507d..4b6377e0b7 100644
--- a/phpBB/includes/ucp/ucp_pm_viewfolder.php
+++ b/phpBB/includes/ucp/ucp_pm_viewfolder.php
@@ -32,7 +32,7 @@ function view_folder($id, $mode, $folder_id, $folder)
 $folder_info = get_pm_from($folder_id, $folder, $user->data['user_id']);
- add_form_key('ucp_pm_view_folder');
+ add_form_key('ucp_pm_view');
 if (!$submit_export)
 {
@@ -199,7 +199,7 @@ function view_folder($id, $mode, $folder_id, $folder)
 $enclosure = $request->variable('enclosure', '');
 $delimiter = $request->variable('delimiter', '');
- if (!check_form_key('ucp_pm_view_folder'))
+ if (!check_form_key('ucp_pm_view'))
 {
 trigger_error('FORM_INVALID');
 } |
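Review bot: The new `check_form_key('ucp_pm_view')` in the `mark_important` case of handle_mark_actions() only passes when the page that rendered the form registered the same name with `add_form_key()`, and nothing at this spot documents that coupling. The matching registration visible in this commit is the `add_form_key('ucp_pm_view')` line in ucp_pm_viewfolder.php (whose export check is renamed to the same key); any other page that can submit `mark_important` would presumably need the same registration or the request fails closed with FORM_INVALID. I would add a comment above the check, e.g. `// CSRF: name must match add_form_key('ucp_pm_view') on every page that can submit this action`. The switch and the rest of the function lie outside the hunk.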
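Review bot: With the guard moved inside `if ($move_pm)` in ucp_pm.php, the `$submit_mark` path is no longer token-checked in this file and depends entirely on handle_mark_actions() verifying the form key per action. Only the `mark_important` case is shown gaining a check in this commit; the other cases of that switch are outside the visible hunks, so each state-changing one should be confirmed to have its own `check_form_key()` or a confirmation step before this narrowing is merged. A comment where `$submit_mark` is handled (outside this hunk) would keep the assumption from regressing, e.g. `// Form key is verified per action inside handle_mark_actions()`. The enclosing method of class ucp_pm starts and ends outside the hunk.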