issue: secure against external form submissions

[minimedit.git] / issue / index.php

diff --git a/issue/index.php b/issue/index.php
index 87b22a39d876ac8774a1a1a512e52e025e9176b0..704a405e879bf42b40d9d40c89acec27874ce816 100644 (file)
--- a/issue/index.php
+++ b/issue/index.php
@@ -1,11 +1,11 @@
 <?php
-global $User, $Db;
+global $User, $Db, $Issue;
 require_once 'database.inc.php';
 @list ($id, $title) = explode('/', ltrim($Page->path, '/'));
 
 if ($id and ctype_digit($id)) {
        $Page->title = "Issue #$id";
-       $Page->path = "/$id";  # minimal reference
+       $Page->link = $Page->handler . ($Page->path = "/$id");  # minimal reference
        $Issue = $Db->query(
                'SELECT * FROM issues WHERE page = ? AND id = ?', [$Page->handler, $id]
        )->fetch();
@@ -42,8 +42,12 @@ if ($id and ctype_digit($id)) {
        return;
 }
 
-if ($_POST) {
+if ($Page->api) return;
+if ($_POST and isset($_POST['subject'])) {
                require_once 'upload.inc.php';
+               if (strlen($_POST['subject']) < 2) {
+                       throw new Exception('Een minimaal onderwerp is verplicht om een issue aan te maken.');
+               }
                $query = $Db->set('issues', [
                        'page'    => $Page->handler,
                        'subject' => $_POST['subject'],
@@ -55,7 +59,6 @@ if ($_POST) {
                }
                $_POST = [];
 }
-if ($Page->api) return;
 
 $subsql = "SELECT count(*) FROM comments WHERE page=i.page||'/'||i.id";
 $cols = "*, ($subsql AND message IS NOT NULL) AS replycount";