Marius Cramer
2015-08-06 37b29231e47a0c4458dc1c15d98588f16f07e1e2
interface/web/client/client_message.php
@@ -51,7 +51,10 @@
//* Save data
if(isset($_POST) && count($_POST) > 1) {
   //* CSRF Check
   $app->auth->csrf_token_check();
   //* Check values
   if(!preg_match("/^\w+[\w\.\-\+]*\w{0,}@\w+[\w.-]*\w+\.[a-zA-Z0-9\-]{2,30}$/i", $_POST['sender'])) $error .= $wb['sender_invalid_error'].'<br />';
   if(empty($_POST['subject'])) $error .= $wb['subject_invalid_error'].'<br />';
@@ -60,7 +63,7 @@
   //* Send message
   if($error == '') {
      if($app->functions->intval($_POST['recipient']) > 0){
         $circle = $app->db->queryOneRecord("SELECT client_ids FROM client_circle WHERE active = 'y' AND circle_id = ".$app->functions->intval($_POST['recipient'])." AND ".$app->tform->getAuthSQL('r'));
         $circle = $app->db->queryOneRecord("SELECT client_ids FROM client_circle WHERE active = 'y' AND circle_id = ? AND ".$app->tform->getAuthSQL('r'), $_POST['recipient']);
         if(isset($circle['client_ids']) && $circle['client_ids'] != ''){
            $tmp_client_ids = explode(',', $circle['client_ids']);
            $where = array();
@@ -120,8 +123,8 @@
   if($_SESSION["s"]["user"]["typ"] != 'admin'){
      $client_id = $app->functions->intval($_SESSION['s']['user']['client_id']);
      if($client_id > 0){
         $sql = "SELECT email FROM client WHERE client_id = ".$client_id;
         $client = $app->db->queryOneRecord($sql);
         $sql = "SELECT email FROM client WHERE client_id = ?";
         $client = $app->db->queryOneRecord($sql, $client_id);
         if($client['email'] != '') $app->tpl->setVar('sender', $client['email']);
      }
   }
@@ -161,6 +164,11 @@
}
$app->tpl->setVar('message_variables', trim($message_variables));
//* SET csrf token
$csrf_token = $app->auth->csrf_token_get('client_message');
$app->tpl->setVar('_csrf_id',$csrf_token['csrf_id']);
$app->tpl->setVar('_csrf_key',$csrf_token['csrf_key']);
$app->tpl->setVar('okmsg', $msg);
$app->tpl->setVar('error', $error);