Mercurial > hgrepos > hgweb.cgi > s4

--- a/s4-blog.sh	Tue Jun 09 12:32:27 2020 +0900
+++ b/s4-blog.sh	Thu Jun 11 10:39:51 2020 +0900
@@ -228,7 +228,12 @@
     case $blog_mode in
       *report*|*quiz*|*enquete*)
 	href2="<a href=\"?lshandout+$rowid\" accesskey=\"l\" title=\"Shortcut: L${nl}List Handouts\"> 提出状況 </a>"
-	href3="(<a href=\"?gethandout+$rowid\" accesskey=\"f\" title=\"Shortcut: F${nl}File Retrieval\">ファイル取得</a>)"
+	case "$isgrpadmin$blog_mode" in
+	  false*closed*|false*quiz|false*enquete*) ;;
+	  *)
+	    href3="(<a href=\"?gethandout+$rowid\" accesskey=\"f\" title=\"Shortcut: F${nl}File Retrieval\">ファイル取得</a>)"
+	    ;;
+	esac
 	;;
     esac
   fi
@@ -736,16 +741,24 @@
     echo "メンバー以外は利用できません。" | html p; return
   fi
   # Here, this blog is writable by $user
+  mode=`getvalbyid blog mode $1`
   owner=`getvalbyid blog owner $1`
+  blogauthor=`getvalbyid blog author $1`
+  isopenblogauthor=false
   if [ x"$user" = x"$owner" ]; then
     : OK
   elif isgrpowner "$user" "$owner"; then
     : OK
+  elif [ x"$blogauthor" = x"$user" ]; then
+    # Non-admin Author of blog cannot do gethandout() in report-closed mode
+    # for avoidance the risk of fake report-closed blog.
+    case "$mode" in	# Only report-open can be handled by blog author
+      *open*) isopenblogauthor=true ;;
+    esac
   else
     contenttype; echo
-    echo "板の所有者以外は利用できません。" | html p; return
+    echo "グループ管理者のみ取得できます。" | html p; return
   fi
-  mode=`getvalbyid blog mode $1`
   copy2csv=false
   blogid=`getvalbyid blog id $1`
   isgroup "$owner" && isgroup=true || isgroup=false
@@ -813,7 +826,8 @@
 	WHERE blogid=(SELECT id FROM blog WHERE rowid=$rid);
 	EOF
   cat $midfile | while IFS='|' read rowid artid author text; do
-    isfilereadable $user article_s $rowid || continue
+    $isgrpowner || $isopenblogauthor \
+      || isfilereadable $user article_s $rowid || continue
     dir=`printf $bd/%d/%06d "$rid" "$rowid"`
     mkdir -p $dir
     echo "$author" > $dir/Author
--- a/s4-funcs.sh	Tue Jun 09 12:32:27 2020 +0900
+++ b/s4-funcs.sh	Thu Jun 11 10:39:51 2020 +0900
@@ -3434,14 +3434,13 @@
   gid=$(query "select rowid from grp where gname=`sqlquote \"$t_grp\"`;")
   rcpts="`getgroupadminmails "$t_grp"` $user"
   ## err admit: msgdir=$msgdir, rcpts="["$rcpts"]"
-  body="グループ <a href=\"?grp+$gid\">$t_grp</a>
-に
+  body="に
 $t_usr
 `[ x$1 = xyes ] && echo 'を追加' || echo 'の解除操作を'`
 しました。"
-  (echo "$body"; echo; echo "$url?grp+$gid") | smail "$rcpts" "joingrp $1"
+  echo "$t_grp$nl$body$nl$nl$url?grp+$gid" | smail "$rcpts" "joingrp $1"
   query "delete from session where id='$2';"
-  echo "$body" | html p
+  echo "グループ <a href=\"?grp+$gid\">$t_grp</a>$nl$body" | html p
 }

 joingrprequest() {