Fix entryproperties value setting

diff --git a/docs/NEWS b/docs/NEWS
index 1571ecfef8adc84f7de06758e0d50a13b768cc7e..6e49a28438562688c55a0b9bc56e16ad23f58f8e 100644 (file)
--- a/docs/NEWS
+++ b/docs/NEWS
@@ -186,6 +186,13 @@ Version 1.2 ()
     * Allow to call permalinks that end with a "/" the same as if not
       ending with a "/" (garvinhicking)
 
+Version 1.1.4 (August 8th, 2007)
+------------------------------------------------------------------------
+
+    * Fix being able to set entryproperties values via POST-Request (and
+      being able to bypass password-protection of an entry, when the
+      Entryproperties plugin is installed). Thanks to Erich Schubert
+
 Version 1.1.3 (June 17th, 2007)
 ------------------------------------------------------------------------
 

diff --git a/plugins/serendipity_event_entryproperties/serendipity_event_entryproperties.php b/plugins/serendipity_event_entryproperties/serendipity_event_entryproperties.php
index 601a890e515de1a9f31b46f82b0392c16bdb5f55..056ba9ff801e6f75b17fb76167d41e19c95dca21 100644 (file)
--- a/plugins/serendipity_event_entryproperties/serendipity_event_entryproperties.php
+++ b/plugins/serendipity_event_entryproperties/serendipity_event_entryproperties.php
@@ -618,20 +618,11 @@ class serendipity_event_entryproperties extends serendipity_event
                     //     is in the process of being created. This must be done for the extended properties
                     //     to be applied in the preview.
 
-                    if (is_array($serendipity['POST']['properties']) && count($serendipity['POST']['properties']) > 0){
-                        $parr = array();
-                        $supported_properties = serendipity_event_entryproperties::getSupportedProperties();
-                        foreach($supported_properties AS $prop_key) {
-                            if (isset($serendipity['POST']['properties'][$prop_key]))
-                                $eventData[0]['properties']['ep_' . $prop_key] = $serendipity['POST']['properties'][$prop_key];
-                        }
-                    }
-
                     if (isset($serendipity['GET']['id']) && isset($eventData[0]['properties']['ep_entrypassword'])) {
 
-                        if (isset($_SESSION['entrypassword_unlocked'][$serendipity['GET']['id']]) || $eventData[0]['properties']['ep_entrypassword'] == $serendipity['POST']['entrypassword']) {
+                        if ($_SESSION['entrypassword_unlocked'][$serendipity['GET']['id']] == md5($eventData[0]['properties']['ep_entrypassword']) || $eventData[0]['properties']['ep_entrypassword'] == $serendipity['POST']['entrypassword']) {
                             // Do not show login form again, once we have first enabled it.
-                            $_SESSION['entrypassword_unlocked'][$serendipity['GET']['id']] = true;
+                            $_SESSION['entrypassword_unlocked'][$serendipity['GET']['id']] = md5($eventData[0]['properties']['ep_entrypassword']);
                         } else {
                             if (is_array($eventData)) {
                                 $eventData['clean_page'] = true;
@@ -642,6 +633,15 @@ class serendipity_event_entryproperties extends serendipity_event
                         }
                     }
 
+                    if ($addData['preview'] && is_array($serendipity['POST']['properties']) && count($serendipity['POST']['properties']) > 0){
+                        $parr = array();
+                        $supported_properties = serendipity_event_entryproperties::getSupportedProperties();
+                        foreach($supported_properties AS $prop_key) {
+                            if (isset($serendipity['POST']['properties'][$prop_key]))
+                                $eventData[0]['properties']['ep_' . $prop_key] = $serendipity['POST']['properties'][$prop_key];
+                        }
+                    }
+
                     break;
 
                 case 'entries_header':