From ee3d9359e3d43fb3935d3ce22405b52a47bc04b4 Mon Sep 17 00:00:00 2001
From: Savetheinternet <savetheinternet@tinyboard.org>
Date: Sun, 4 Dec 2011 13:52:56 +1100
Subject: [PATCH] v0.9.4

---
 post.php | 24 +++++++++++++-----------
 1 file changed, 13 insertions(+), 11 deletions(-)

diff --git a/post.php b/post.php
index 507999a8..40d7aeb2 100644
--- a/post.php
+++ b/post.php
@@ -210,7 +210,7 @@
 		// Check for an embed field
 		if($config['enable_embedding'] && isset($_POST['embed']) && !empty($_POST['embed'])) {
 			// yep; validate it
-			$value = &$_POST['embed'];
+			$value = $_POST['embed'];
 			foreach($config['embedding'] as &$embed) {
 				if($html = preg_replace($embed[0], $embed[1], $value)) {
 					if($html == $value) {
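Review bot: `$value = $_POST['embed']` on the new side is still consumed without a type check, and a request sending `embed[]=...` makes `$_POST['embed']` an array, which passes `!empty()` and is then handed to `preg_replace` as an array subject, so the `$html == $value` test compares arrays instead of the URL string. Extending the guard to `if($config['enable_embedding'] && isset($_POST['embed']) && is_string($_POST['embed']) && $_POST['embed'] !== '')` keeps the embed validation operating on a string. The foreach body continues outside the hunk, so how a non-matching value is rejected later is not visible here.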
@@ -241,10 +241,10 @@
 		}
 		
 		$post['name'] = (!empty($_POST['name'])?$_POST['name']:$config['anonymous']);
-		$post['subject'] = &$_POST['subject'];
+		$post['subject'] = $_POST['subject'];
 		$post['email'] = utf8tohtml($_POST['email']);
-		$post['body'] = &$_POST['body'];
-		$post['password'] = &$_POST['password'];
+		$post['body'] = $_POST['body'];
+		$post['password'] = $_POST['password'];
 		$post['has_file'] = !isset($post['embed']) && (($OP && !isset($post['no_longer_require_an_image_for_op'])) || (isset($_FILES['file']) && !empty($_FILES['file']['tmp_name'])));
 		
 		$post['mod'] = isset($_POST['mod']) && $_POST['mod'];
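Review bot: The new copies `$post['subject'] = $_POST['subject']`, `$post['body'] = $_POST['body']` and `$post['password'] = $_POST['password']` read the keys unconditionally, unlike `$post['name']` one line above, so a request omitting any of them raises an undefined-index notice and stores null, and `body[]=x` stores an array where the later validation presumably expects a string. Reading each through a guard such as `$post['subject'] = isset($_POST['subject']) && is_string($_POST['subject']) ? $_POST['subject'] : '';` (likewise for body and password) makes the input shape explicit at the boundary. Whether `utf8tohtml()` on the email line tolerates a missing key is not visible in this hunk.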
@@ -269,9 +269,12 @@
 			$post['locked'] = $OP && isset($_POST['lock']);
 			$post['raw'] = isset($_POST['raw']);
 			
-			if($post['sticky'] && $mod['type'] < $config['mod']['sticky']) error($config['error']['noaccess']);
-			if($post['locked'] && $mod['type'] < $config['mod']['lock']) error($config['error']['noaccess']);
-			if($post['raw'] && $mod['type'] < $config['mod']['rawhtml']) error($config['error']['noaccess']);
+			if($post['sticky'] && !hasPermission($config['mod']['sticky'], $board['uri']))
+				error($config['error']['noaccess']);
+			if($post['locked'] && !hasPermission($config['mod']['lock'], $board['uri']))
+				error($config['error']['noaccess']);
+			if($post['raw'] && !hasPermission($config['mod']['rawhtml'], $board['uri']))
+				error($config['error']['noaccess']);
 		}
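Review bot: The three new `hasPermission` checks are one statement repeated with a different flag and permission key, each ending in the same `error($config['error']['noaccess'])`; a small flag-to-permission table keeps the moderator policy in one place and makes adding a fourth flag a one-entry change, shown below. The enclosing block opens outside the hunk, and if it is entered on `$post['mod']`, which the previous hunk derives from the client-supplied `$_POST['mod']`, these checks are all that stands between an anonymous poster and sticky/lock/raw-HTML, so `hasPermission()` must return false rather than fail open when no moderator session exists — worth confirming, since its body is not visible here.
```php
			// One check per moderator-only flag; the permission level comes from $config['mod'].
			$mod_flags = array('sticky' => 'sticky', 'locked' => 'lock', 'raw' => 'rawhtml');
			foreach($mod_flags as $flag => $perm) {
				if($post[$flag] && !hasPermission($config['mod'][$perm], $board['uri']))
					error($config['error']['noaccess']);
			}
```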
 		
 		// Check if thread is locked
@@ -300,7 +303,7 @@
 		}
 		
 		$trip = generate_tripcode($post['name']);
-		$post['name'] = &$trip[0];
+		$post['name'] = $trip[0];
 		$post['trip'] = (isset($trip[1])?$trip[1]:'');
 		
 		if(strtolower($post['email']) == 'noko') {
@@ -313,7 +316,8 @@
 			if(isset($config['filename_func']))
 				$post['file_id'] = $config['filename_func']($post);
 			else
-				$post['file_id'] = time() . rand(100, 999);
+				$post['file_id'] = floor(microtime(true) * 1000);
+			
 			$post['file'] = $board['dir'] . $config['dir']['img'] . $post['file_id'] . '.' . $post['extension'];
 			$post['thumb'] = $board['dir'] . $config['dir']['thumb'] . $post['file_id'] . '.' . ($config['thumb_ext'] ? $config['thumb_ext'] : $post['extension']);
 		}
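Review bot: `floor(microtime(true) * 1000)` makes the new file id a bare millisecond timestamp, so two uploads to the same board in the same millisecond get identical `$post['file']` and `$post['thumb']` paths and the second silently overwrites the first; the removed `rand(100, 999)` suffix at least made such collisions unlikely. It also leaves `$post['file_id']` a float, which reaches the path through PHP's float-to-string conversion rather than as an integer. Keeping a random suffix on an integer base, e.g. `$post['file_id'] = (int) (microtime(true) * 1000) . mt_rand(100, 999);` (or `random_int()` on PHP 7+), restores uniqueness, and a `file_exists()` check before the file is moved would close the remaining window. The `filename_func` branch above is untouched and keeps whatever guarantees the configured function makes.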
@@ -551,7 +555,6 @@
 				$post['thumb'] = substr_replace($post['thumb'], '', 0, strlen($board['dir'] . $config['dir']['thumb']));
 		}
 		
-		// Todo: Validate some more, remove messy code, allow more specific configuration
 		$id = post($post, $OP);
 		
 		buildThread(($OP?$id:$post['thread']));
@@ -594,7 +597,6 @@
 			header('Location: install.php', true, $config['redirect_http']);
 		} else {
 			// They opened post.php in their browser manually.
-			// Possible TODO: Redirect back to homepage.
 			error($config['error']['nopost']);
 		}
 	}