Merged from MOODLE_14_STABLE: Forum: Do not trust userid from hidden form field,...

diff --git a/mod/forum/lib.php b/mod/forum/lib.php
index e0871dfe551bb6278258280cf4f9be4a1a5afc5f..a47205f76069235ed4c7b8f956ea8a6c39d77bb1 100644 (file)
--- a/mod/forum/lib.php
+++ b/mod/forum/lib.php
@@ -2016,9 +2016,11 @@ function forum_add_attachment($post, $inputname,&$message) {
 
 function forum_add_new_post($post,&$message) {
 
+    global $USER;
+    
     $post->created = $post->modified = time();
     $post->mailed = "0";
-
+    $post->userid = $USER->id;
     $post->attachment = "";
 
     if (! $post->id = insert_record("forum_posts", $post)) {
@@ -2038,7 +2040,10 @@ function forum_add_new_post($post,&$message) {
 
 function forum_update_post($post,&$message) {
 
+    global $USER;
+
     $post->modified = time();
+    $post->userid = $USER->id;
 
     if (!$post->parent) {   // Post is a discussion starter - update discussion title too
         set_field("forum_discussions", "name", $post->subject, "id", $post->discussion);
@@ -2095,6 +2100,7 @@ function forum_add_discussion($discussion,&$message) {
     $discussion->firstpost    = $post->id;
     $discussion->timemodified = $timenow;
     $discussion->usermodified = $post->userid;
+    $discussion->userid = $USER->id;
 
     if (! $discussion->id = insert_record("forum_discussions", $discussion) ) {
         delete_records("forum_posts", "id", $post->id);