Prevent users from forcibly installing a disabled theme in mod/settings

Hypolite Petovan 2019-07-17 23:08:03 -04:00
parent 4fc3eb8f06
commit ada699536a


@ -369,19 +369,19 @@ function settings_post(App $a)
PConfig::set(local_user(), 'system', 'bandwidth_saver' , $bandwidth_saver); PConfig::set(local_user(), 'system', 'bandwidth_saver' , $bandwidth_saver);
PConfig::set(local_user(), 'system', 'smart_threading' , $smart_threading); PConfig::set(local_user(), 'system', 'smart_threading' , $smart_threading);
if (in_array($theme, Theme::getAllowedList())) {
if ($theme == $a->user['theme']) { if ($theme == $a->user['theme']) {
// call theme_post only if theme has not been changed // call theme_post only if theme has not been changed
if (($themeconfigfile = get_theme_config_file($theme)) !== null) { if (($themeconfigfile = get_theme_config_file($theme)) !== null) {
require_once $themeconfigfile; require_once $themeconfigfile;
theme_post($a); theme_post($a);
} }
} else {
$a->getDatabase()->update('user', ['theme' => $theme], ['uid' => local_user()]);
}
} else {
notice(L10n::t('The theme you chose isn\'t available.'));
} }
Theme::install($theme);
q("UPDATE `user` SET `theme` = '%s' WHERE `uid` = %d",
DBA::escape($theme),
intval(local_user())
);
Hook::callAll('display_settings_post', $_POST); Hook::callAll('display_settings_post', $_POST);
$a->internalRedirect('settings/display'); $a->internalRedirect('settings/display');
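Review bot: The new allow-list gate uses a loose comparison, `in_array($theme, Theme::getAllowedList())`. Since it now decides both whether the theme is written to the `user` row and whether `require_once $themeconfigfile` runs, it should be strict: `if (in_array($theme, Theme::getAllowedList(), true)) {`. The same applies to `$theme == $a->user['theme']`, which would be safer as `===`. `$theme` is assigned outside this hunk (`settings_post` starts and ends beyond it), so I can't confirm it is always a string taken from the request; if it is, the strict check is hardening and not a fix for a demonstrated bypass. A short comment above the `if`, such as `// Only themes on the admin allow-list may be selected or have their config file loaded`, would also record why the check must stay ahead of the `require_once`.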