author | Dan |
Fri, 16 Jan 2009 13:13:03 -0500 | |
changeset 814 | 7664d7d38a4a |
parent 801 | eb8b23f11744 |
child 825 | 9d5c04c1414f |
permissions | -rw-r--r-- |
1 | 1 |
<?php |
2 |
||
3 |
/* |
|
4 |
* Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between |
|
801
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
parents:
800
diff
changeset
|
5 |
* Version 1.1.6 (Caoineag beta 1) |
536 | 6 |
* Copyright (C) 2006-2008 Dan Fuhry |
1 | 7 |
* |
8 |
* This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License |
|
9 |
* as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. |
|
10 |
* |
|
11 |
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied |
|
12 |
* warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for details. |
|
13 |
*/ |
|
14 |
||
15 |
/** |
|
16 |
* Class that handles comments. Has HTML/Javascript frontend support. |
|
17 |
* @package Enano CMS |
|
18 |
* @subpackage Comment manager |
|
800
9cdfe82c56cd
Major underlying changes to namespace handling. Each namespace is handled by its own class which extends Namespace_Default. Much greater customization/pluggability potential, at the possible expense of some code reusing (though code reusing has been avoided thus far). Also a bit better handling of page passwords [SECURITY].
Dan
parents:
748
diff
changeset
|
19 |
* @license GNU General Public License <http://www.gnu.org/licenses/gpl-2.0.html> |
1 | 20 |
*/ |
21 |
||
22 |
class Comments |
|
23 |
{ |
|
24 |
# |
|
25 |
# VARIABLES |
|
26 |
# |
|
27 |
||
28 |
/** |
|
29 |
* Current list of comments. |
|
30 |
* @var array |
|
31 |
*/ |
|
32 |
||
33 |
var $comments = Array(); |
|
34 |
||
35 |
/** |
|
36 |
* Object to track permissions. |
|
37 |
* @var object |
|
38 |
*/ |
|
39 |
||
40 |
var $perms; |
|
41 |
||
42 |
# |
|
43 |
# METHODS |
|
44 |
# |
|
45 |
||
46 |
/** |
|
47 |
* Constructor. |
|
48 |
* @param string Page ID of the page to load comments for |
|
49 |
* @param string Namespace of the page to load comments for |
|
50 |
*/ |
|
51 |
||
52 |
function __construct($page_id, $namespace) |
|
53 |
{ |
|
54 |
global $db, $session, $paths, $template, $plugins; // Common objects |
|
55 |
||
56 |
// Initialize permissions |
|
322
5f1cd51bf1be
Many changes. Installer with PostgreSQL is broken badly and will be for some time.
Dan
parents:
320
diff
changeset
|
57 |
if ( $page_id == $paths->page_id && $namespace == $paths->namespace ) |
1 | 58 |
$this->perms =& $GLOBALS['session']; |
59 |
else |
|
60 |
$this->perms = $session->fetch_page_acl($page_id, $namespace); |
|
61 |
||
62 |
$this->page_id = $db->escape($page_id); |
|
63 |
$this->namespace = $db->escape($namespace); |
|
64 |
} |
|
65 |
||
66 |
/** |
|
67 |
* Processes a command in JSON format. |
|
68 |
* @param string The JSON-encoded input, probably something sent from the Javascript/AJAX frontend |
|
69 |
*/ |
|
70 |
||
71 |
function process_json($json) |
|
72 |
{ |
|
73 |
global $db, $session, $paths, $template, $plugins; // Common objects |
|
541
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
parents:
536
diff
changeset
|
74 |
global $lang; |
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
parents:
536
diff
changeset
|
75 |
|
334
c72b545f1304
More localization work. Resolved major issue with JSON parser not parsing files over ~50KB. Switched JSON parser to the one from the Zend Framework (BSD licensed). Forced to split enano.json into five different files.
Dan
parents:
328
diff
changeset
|
76 |
$data = enano_json_decode($json); |
78
4df25dfdde63
Modified Text_Wiki parser to fully support UTF-8 strings; several other UTF-8 fixes, international characters seem to work reasonably well now
Dan
parents:
74
diff
changeset
|
77 |
$data = decode_unicode_array($data); |
1 | 78 |
if ( !isset($data['mode']) ) |
79 |
{ |
|
86
c162ca39db8f
Finished pagination code (was incomplete in previous revision) and added a few hacks for an upcoming theme
Dan
parents:
78
diff
changeset
|
80 |
$ret = Array('mode'=>'error','error'=>'No mode defined!'); |
334
c72b545f1304
More localization work. Resolved major issue with JSON parser not parsing files over ~50KB. Switched JSON parser to the one from the Zend Framework (BSD licensed). Forced to split enano.json into five different files.
Dan
parents:
328
diff
changeset
|
81 |
echo enano_json_encode($ret); |
86
c162ca39db8f
Finished pagination code (was incomplete in previous revision) and added a few hacks for an upcoming theme
Dan
parents:
78
diff
changeset
|
82 |
return $ret; |
c162ca39db8f
Finished pagination code (was incomplete in previous revision) and added a few hacks for an upcoming theme
Dan
parents:
78
diff
changeset
|
83 |
} |
c162ca39db8f
Finished pagination code (was incomplete in previous revision) and added a few hacks for an upcoming theme
Dan
parents:
78
diff
changeset
|
84 |
if ( getConfig('enable_comments') == '0' ) |
c162ca39db8f
Finished pagination code (was incomplete in previous revision) and added a few hacks for an upcoming theme
Dan
parents:
78
diff
changeset
|
85 |
{ |
c162ca39db8f
Finished pagination code (was incomplete in previous revision) and added a few hacks for an upcoming theme
Dan
parents:
78
diff
changeset
|
86 |
$ret = Array('mode'=>'error','error'=>'Comments are not enabled on this site.'); |
334
c72b545f1304
More localization work. Resolved major issue with JSON parser not parsing files over ~50KB. Switched JSON parser to the one from the Zend Framework (BSD licensed). Forced to split enano.json into five different files.
Dan
parents:
328
diff
changeset
|
87 |
echo enano_json_encode($ret); |
86
c162ca39db8f
Finished pagination code (was incomplete in previous revision) and added a few hacks for an upcoming theme
Dan
parents:
78
diff
changeset
|
88 |
return $ret; |
1 | 89 |
} |
90 |
$ret = Array(); |
|
91 |
$ret['mode'] = $data['mode']; |
|
92 |
switch ( $data['mode'] ) |
|
93 |
{ |
|
94 |
case 'fetch': |
|
95 |
if ( !$template->theme_loaded ) |
|
96 |
$template->load_theme(); |
|
97 |
if ( !isset($data['have_template']) ) |
|
98 |
{ |
|
99 |
$ret['template'] = file_get_contents(ENANO_ROOT . '/themes/' . $template->theme . '/comment.tpl'); |
|
100 |
} |
|
621
68f8a9cc0a18
Added Gravatar support! And it's really configurable too.
Dan
parents:
541
diff
changeset
|
101 |
$q = $db->sql_query('SELECT c.comment_id,c.name,c.subject,c.comment_data,c.time,c.approved,( c.ip_address IS NOT NULL ) AS have_ip,u.user_level,u.user_id,u.email,u.signature,u.user_has_avatar,u.avatar_type, b.buddy_id IS NOT NULL AS is_buddy, ( b.is_friend IS NOT NULL AND b.is_friend=1 ) AS is_friend FROM '.table_prefix.'comments AS c |
1 | 102 |
LEFT JOIN '.table_prefix.'users AS u |
103 |
ON (u.user_id=c.user_id) |
|
108
1c7f59df9474
Implemented some extra functionality for friends/foes in comments; fixed lack of table_prefix in stats.php line 63
Dan
parents:
86
diff
changeset
|
104 |
LEFT JOIN '.table_prefix.'buddies AS b |
1c7f59df9474
Implemented some extra functionality for friends/foes in comments; fixed lack of table_prefix in stats.php line 63
Dan
parents:
86
diff
changeset
|
105 |
ON ( ( b.user_id=' . $session->user_id.' AND b.buddy_user_id=c.user_id ) OR b.user_id IS NULL) |
541
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
parents:
536
diff
changeset
|
106 |
LEFT JOIN '.table_prefix.'ranks AS r |
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
parents:
536
diff
changeset
|
107 |
ON ( ( u.user_rank = r.rank_id ) ) |
1 | 108 |
WHERE page_id=\'' . $this->page_id . '\' |
108
1c7f59df9474
Implemented some extra functionality for friends/foes in comments; fixed lack of table_prefix in stats.php line 63
Dan
parents:
86
diff
changeset
|
109 |
AND namespace=\'' . $this->namespace . '\' |
621
68f8a9cc0a18
Added Gravatar support! And it's really configurable too.
Dan
parents:
541
diff
changeset
|
110 |
GROUP BY c.comment_id,c.name,c.subject,c.comment_data,c.time,c.approved,c.ip_address,u.user_level,u.user_id,u.email,u.signature,u.user_has_avatar,u.avatar_type,b.buddy_id,b.is_friend |
108
1c7f59df9474
Implemented some extra functionality for friends/foes in comments; fixed lack of table_prefix in stats.php line 63
Dan
parents:
86
diff
changeset
|
111 |
ORDER BY c.time ASC;'); |
1 | 112 |
$count_appr = 0; |
113 |
$count_total = 0; |
|
114 |
$count_unappr = 0; |
|
115 |
$ret['comments'] = Array(); |
|
116 |
if (!$q) |
|
117 |
$db->die_json(); |
|
118 |
if ( $row = $db->fetchrow() ) |
|
119 |
{ |
|
120 |
do { |
|
121 |
||
122 |
// Increment counters |
|
123 |
$count_total++; |
|
124 |
( $row['approved'] == 1 ) ? $count_appr++ : $count_unappr++; |
|
125 |
||
126 |
if ( !$this->perms->get_permissions('mod_comments') && $row['approved'] == 0 ) |
|
127 |
continue; |
|
128 |
||
541
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
parents:
536
diff
changeset
|
129 |
// Localize the rank |
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
parents:
536
diff
changeset
|
130 |
$row = array_merge($row, $session->get_user_rank(intval($row['user_id']))); |
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
parents:
536
diff
changeset
|
131 |
|
1 | 132 |
// Send the source |
133 |
$row['comment_source'] = $row['comment_data']; |
|
134 |
||
135 |
// Format text |
|
136 |
$row['comment_data'] = RenderMan::render($row['comment_data']); |
|
137 |
||
108
1c7f59df9474
Implemented some extra functionality for friends/foes in comments; fixed lack of table_prefix in stats.php line 63
Dan
parents:
86
diff
changeset
|
138 |
if ( $row['is_buddy'] == 1 && $row['is_friend'] == 0 ) |
1c7f59df9474
Implemented some extra functionality for friends/foes in comments; fixed lack of table_prefix in stats.php line 63
Dan
parents:
86
diff
changeset
|
139 |
{ |
1c7f59df9474
Implemented some extra functionality for friends/foes in comments; fixed lack of table_prefix in stats.php line 63
Dan
parents:
86
diff
changeset
|
140 |
$seed = md5(sha1(mt_rand() . microtime())); |
1c7f59df9474
Implemented some extra functionality for friends/foes in comments; fixed lack of table_prefix in stats.php line 63
Dan
parents:
86
diff
changeset
|
141 |
$wrapper = ' |
1c7f59df9474
Implemented some extra functionality for friends/foes in comments; fixed lack of table_prefix in stats.php line 63
Dan
parents:
86
diff
changeset
|
142 |
<div id="posthide_'.$seed.'" style="display: none;"> |
1c7f59df9474
Implemented some extra functionality for friends/foes in comments; fixed lack of table_prefix in stats.php line 63
Dan
parents:
86
diff
changeset
|
143 |
' . $row['comment_data'] . ' |
1c7f59df9474
Implemented some extra functionality for friends/foes in comments; fixed lack of table_prefix in stats.php line 63
Dan
parents:
86
diff
changeset
|
144 |
</div> |
1c7f59df9474
Implemented some extra functionality for friends/foes in comments; fixed lack of table_prefix in stats.php line 63
Dan
parents:
86
diff
changeset
|
145 |
<p><span style="opacity: 0.4; filter: alpha(opacity=40);">Post from foe hidden.</span> <span style="text-align: right;"><a href="#showpost" onclick="document.getElementById(\'posthide_'.$seed.'\').style.display=\'block\'; this.parentNode.parentNode.parentNode.removeChild(this.parentNode.parentNode); return false;">Display post</a></span></p> |
1c7f59df9474
Implemented some extra functionality for friends/foes in comments; fixed lack of table_prefix in stats.php line 63
Dan
parents:
86
diff
changeset
|
146 |
'; |
1c7f59df9474
Implemented some extra functionality for friends/foes in comments; fixed lack of table_prefix in stats.php line 63
Dan
parents:
86
diff
changeset
|
147 |
$row['comment_data'] = $wrapper; |
1c7f59df9474
Implemented some extra functionality for friends/foes in comments; fixed lack of table_prefix in stats.php line 63
Dan
parents:
86
diff
changeset
|
148 |
} |
1c7f59df9474
Implemented some extra functionality for friends/foes in comments; fixed lack of table_prefix in stats.php line 63
Dan
parents:
86
diff
changeset
|
149 |
|
1 | 150 |
// Format date |
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
parents:
334
diff
changeset
|
151 |
$row['time'] = enano_date('F d, Y h:i a', $row['time']); |
1 | 152 |
|
153 |
// Format signature |
|
154 |
$row['signature'] = ( !empty($row['signature']) ) ? RenderMan::render($row['signature']) : ''; |
|
155 |
||
359 | 156 |
// Do we have the IP? |
157 |
$row['have_ip'] = ( $row['have_ip'] == 1 ); |
|
158 |
||
541
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
parents:
536
diff
changeset
|
159 |
// Avatar URL |
621
68f8a9cc0a18
Added Gravatar support! And it's really configurable too.
Dan
parents:
541
diff
changeset
|
160 |
$row['avatar_path'] = make_avatar_url($row['user_id'], $row['avatar_type'], $row['email']); |
541
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
parents:
536
diff
changeset
|
161 |
|
1 | 162 |
// Add the comment to the list |
163 |
$ret['comments'][] = $row; |
|
164 |
||
165 |
} while ( $row = $db->fetchrow() ); |
|
166 |
} |
|
167 |
$db->free_result(); |
|
168 |
$ret['count_appr'] = $count_appr; |
|
169 |
$ret['count_total'] = $count_total; |
|
170 |
$ret['count_unappr'] = $count_unappr; |
|
171 |
$ret['auth_mod_comments'] = $this->perms->get_permissions('mod_comments'); |
|
172 |
$ret['auth_post_comments'] = $this->perms->get_permissions('post_comments'); |
|
173 |
$ret['auth_edit_comments'] = $this->perms->get_permissions('edit_comments'); |
|
748
e39454295bbb
Added makeSwitchable Dynano method for textareas; enabled support for makeSwitchable in comment runtime
Dan
parents:
685
diff
changeset
|
174 |
$ret['auth_edit_wysiwyg'] = $this->perms->get_permissions('edit_wysiwyg'); |
1 | 175 |
$ret['user_id'] = $session->user_id; |
176 |
$ret['username'] = $session->username; |
|
177 |
$ret['logged_in'] = $session->user_logged_in; |
|
178 |
||
179 |
$ret['user_level'] = Array(); |
|
180 |
$ret['user_level']['guest'] = USER_LEVEL_GUEST; |
|
181 |
$ret['user_level']['member'] = USER_LEVEL_MEMBER; |
|
182 |
$ret['user_level']['mod'] = USER_LEVEL_MOD; |
|
183 |
$ret['user_level']['admin'] = USER_LEVEL_ADMIN; |
|
184 |
||
185 |
$ret['approval_needed'] = ( getConfig('approve_comments') == '1' ); |
|
186 |
$ret['guest_posting'] = getConfig('comments_need_login'); |
|
187 |
||
188 |
if ( $ret['guest_posting'] == '1' && !$session->user_logged_in ) |
|
189 |
{ |
|
190 |
$session->kill_captcha(); |
|
191 |
$ret['captcha'] = $session->make_captcha(); |
|
192 |
} |
|
193 |
break; |
|
194 |
case 'edit': |
|
195 |
$cid = (string)$data['id']; |
|
196 |
if ( !preg_match('#^([0-9]+)$#i', $cid) || intval($cid) < 1 ) |
|
197 |
{ |
|
198 |
echo '{"mode":"error","error":"HACKING ATTEMPT"}'; |
|
199 |
return false; |
|
200 |
} |
|
201 |
$cid = intval($cid); |
|
202 |
$q = $db->sql_query('SELECT c.user_id,c.approved FROM '.table_prefix.'comments c LEFT JOIN '.table_prefix.'users u ON (u.user_id=c.user_id) WHERE comment_id='.$cid.';'); |
|
203 |
if(!$q) |
|
204 |
$db->die_json(); |
|
205 |
$row = $db->fetchrow(); |
|
206 |
$uid = intval($row['user_id']); |
|
207 |
$can_edit = ( ( $uid == $session->user_id && $uid != 1 && $this->perms->get_permissions('edit_comments') ) || ( $this->perms->get_permissions('mod_comments') ) ); |
|
208 |
if(!$can_edit) |
|
209 |
{ |
|
210 |
echo '{"mode":"error","error":"HACKING ATTEMPT"}'; |
|
211 |
return false; |
|
212 |
} |
|
213 |
$data['data'] = str_replace("\r", '', $data['data']); // Windows compatibility |
|
214 |
$text = RenderMan::preprocess_text($data['data'], true, false); |
|
215 |
$text2 = $db->escape($text); |
|
216 |
$subj = $db->escape(htmlspecialchars($data['subj'])); |
|
217 |
$q = $db->sql_query('UPDATE '.table_prefix.'comments SET subject=\'' . $subj . '\',comment_data=\'' . $text2 . '\' WHERE comment_id=' . $cid . ';'); |
|
218 |
if(!$q) |
|
219 |
$db->die_json(); |
|
220 |
$ret = Array( |
|
221 |
'mode' => 'redraw', |
|
222 |
'id' => $data['local_id'], |
|
223 |
'subj' => htmlspecialchars($data['subj']), |
|
224 |
'text' => RenderMan::render($text), |
|
225 |
'src' => $text, |
|
226 |
'approved' => $row['approved'] |
|
227 |
); |
|
228 |
break; |
|
229 |
case 'delete': |
|
230 |
$cid = (string)$data['id']; |
|
231 |
if ( !preg_match('#^([0-9]+)$#i', $cid) || intval($cid) < 1 ) |
|
232 |
{ |
|
233 |
echo '{"mode":"error","error":"HACKING ATTEMPT"}'; |
|
234 |
return false; |
|
235 |
} |
|
236 |
$cid = intval($cid); |
|
237 |
$q = $db->sql_query('SELECT c.user_id FROM '.table_prefix.'comments c LEFT JOIN '.table_prefix.'users u ON (u.user_id=c.user_id) WHERE comment_id='.$cid.';'); |
|
238 |
if(!$q) |
|
239 |
$db->die_json(); |
|
240 |
$row = $db->fetchrow(); |
|
241 |
$uid = intval($row['user_id']); |
|
242 |
$can_edit = ( ( $uid == $session->user_id && $uid != 1 && $this->perms->get_permissions('edit_comments') ) || ( $this->perms->get_permissions('mod_comments') ) ); |
|
243 |
if(!$can_edit) |
|
244 |
{ |
|
245 |
echo '{"mode":"error","error":"HACKING ATTEMPT"}'; |
|
246 |
return false; |
|
247 |
} |
|
248 |
$q = $db->sql_query('DELETE FROM '.table_prefix.'comments WHERE comment_id='.$cid.';'); |
|
249 |
if(!$q) |
|
250 |
$db->die_json(); |
|
251 |
$ret = Array( |
|
252 |
'mode' => 'annihilate', |
|
253 |
'id' => $data['local_id'] |
|
254 |
); |
|
255 |
break; |
|
256 |
case 'submit': |
|
257 |
||
258 |
// Now for a huge round of security checks... |
|
259 |
||
260 |
$errors = Array(); |
|
261 |
||
262 |
// Authorization |
|
263 |
// Like the rest of the ACL system, this call is a one-stop check for ALL ACL entries. |
|
264 |
if ( !$this->perms->get_permissions('post_comments') ) |
|
74
68469a95658d
Various bugfixes and cleanups, too much to remember... see the diffs for what got changed :-)
Dan
parents:
73
diff
changeset
|
265 |
$errors[] = 'The site security policy prevents your user account from posting comments;'; |
1 | 266 |
|
267 |
// Guest authorization |
|
268 |
if ( getConfig('comments_need_login') == '2' && !$session->user_logged_in ) |
|
269 |
$errors[] = 'You need to log in before posting comments.'; |
|
270 |
||
271 |
// CAPTCHA code |
|
272 |
if ( getConfig('comments_need_login') == '1' && !$session->user_logged_in ) |
|
273 |
{ |
|
274 |
$real_code = $session->get_captcha($data['captcha_id']); |
|
456
e133d321fce4
Made all captcha fields case-insensitive (thanks pkeating)
Dan
parents:
322
diff
changeset
|
275 |
if ( strtolower($real_code) != strtolower($data['captcha_code']) ) |
1 | 276 |
$errors[] = 'The confirmation code you entered was incorrect.'; |
263
d57af0b0302e
Major improvements in the security of the CAPTCHA system (no SQL injection or anything like that); fixed denied form submission due to _af_acting on form object wrongly switched to true
Dan
parents:
166
diff
changeset
|
277 |
$session->kill_captcha(); |
1 | 278 |
} |
279 |
||
280 |
if ( count($errors) > 0 ) |
|
281 |
{ |
|
282 |
$ret = Array( |
|
283 |
'mode' => 'error', |
|
284 |
'error' => implode("\n", $errors) |
|
285 |
); |
|
286 |
} |
|
287 |
else |
|
288 |
{ |
|
289 |
// We're authorized! |
|
290 |
||
291 |
// Preprocess |
|
292 |
$name = ( $session->user_logged_in ) ? htmlspecialchars($session->username) : htmlspecialchars($data['name']); |
|
293 |
$subj = htmlspecialchars($data['subj']); |
|
294 |
$text = RenderMan::preprocess_text($data['text'], true, false); |
|
295 |
$src = $text; |
|
296 |
$sql_text = $db->escape($text); |
|
297 |
$text = RenderMan::render($text); |
|
298 |
$appr = ( getConfig('approve_comments') == '1' ) ? '0' : '1'; |
|
299 |
$time = time(); |
|
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
parents:
334
diff
changeset
|
300 |
$date = enano_date('F d, Y h:i a', $time); |
359 | 301 |
$ip = $_SERVER['REMOTE_ADDR']; |
302 |
if ( !is_valid_ip($ip) ) |
|
303 |
die('Hacking attempt'); |
|
1 | 304 |
|
305 |
// Send it to the database |
|
359 | 306 |
$q = $db->sql_query('INSERT INTO '.table_prefix.'comments(page_id,namespace,name,subject,comment_data,approved, time, user_id, ip_address) VALUES' . "\n " . |
307 |
"('$this->page_id', '$this->namespace', '$name', '$subj', '$sql_text', $appr, $time, {$session->user_id}, '$ip');"); |
|
1 | 308 |
if(!$q) |
309 |
$db->die_json(); |
|
310 |
||
311 |
// Re-fetch |
|
621
68f8a9cc0a18
Added Gravatar support! And it's really configurable too.
Dan
parents:
541
diff
changeset
|
312 |
$q = $db->sql_query('SELECT c.comment_id,c.name,c.subject,c.comment_data,c.time,c.approved,u.user_level,u.user_id,u.email,u.signature,u.user_has_avatar,u.avatar_type FROM '.table_prefix.'comments AS c |
1 | 313 |
LEFT JOIN '.table_prefix.'users AS u |
314 |
ON (u.user_id=c.user_id) |
|
315 |
WHERE page_id=\'' . $this->page_id . '\' |
|
316 |
AND namespace=\'' . $this->namespace . '\' |
|
317 |
AND time='.$time.' ORDER BY comment_id DESC LIMIT 1;'); |
|
318 |
if(!$q) |
|
319 |
$db->die_json(); |
|
320 |
||
321 |
$row = $db->fetchrow(); |
|
322 |
$db->free_result(); |
|
323 |
$row['time'] = $date; |
|
324 |
$row['comment_data'] = $text; |
|
325 |
$row['comment_source'] = $src; |
|
326 |
$ret = Array( |
|
327 |
'mode' => 'materialize' |
|
328 |
); |
|
329 |
$ret = enano_safe_array_merge($ret, $row); |
|
330 |
||
331 |
$ret['auth_mod_comments'] = $this->perms->get_permissions('mod_comments'); |
|
332 |
$ret['auth_post_comments'] = $this->perms->get_permissions('post_comments'); |
|
333 |
$ret['auth_edit_comments'] = $this->perms->get_permissions('edit_comments'); |
|
334 |
$ret['user_id'] = $session->user_id; |
|
541
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
parents:
536
diff
changeset
|
335 |
$ret['rank_data'] = $session->get_user_rank($session->user_id); |
1 | 336 |
$ret['username'] = $session->username; |
337 |
$ret['logged_in'] = $session->user_logged_in; |
|
338 |
$ret['signature'] = RenderMan::render($row['signature']); |
|
339 |
||
340 |
$ret['user_level_list'] = Array(); |
|
341 |
$ret['user_level_list']['guest'] = USER_LEVEL_GUEST; |
|
342 |
$ret['user_level_list']['member'] = USER_LEVEL_MEMBER; |
|
343 |
$ret['user_level_list']['mod'] = USER_LEVEL_MOD; |
|
344 |
$ret['user_level_list']['admin'] = USER_LEVEL_ADMIN; |
|
621
68f8a9cc0a18
Added Gravatar support! And it's really configurable too.
Dan
parents:
541
diff
changeset
|
345 |
$ret['avatar_path'] = make_avatar_url($row['user_id'], $row['avatar_type'], $row['email']); |
1 | 346 |
} |
347 |
||
348 |
break; |
|
349 |
case 'approve': |
|
350 |
if ( !$this->perms->get_permissions('mod_comments') ) |
|
351 |
{ |
|
352 |
$ret = Array( |
|
353 |
'mode' => 'error', |
|
354 |
'error' => 'You are not authorized to moderate comments.' |
|
355 |
); |
|
334
c72b545f1304
More localization work. Resolved major issue with JSON parser not parsing files over ~50KB. Switched JSON parser to the one from the Zend Framework (BSD licensed). Forced to split enano.json into five different files.
Dan
parents:
328
diff
changeset
|
356 |
echo enano_json_encode($ret); |
1 | 357 |
return $ret; |
358 |
} |
|
359 |
||
360 |
$cid = (string)$data['id']; |
|
361 |
if ( !preg_match('#^([0-9]+)$#i', $cid) || intval($cid) < 1 ) |
|
362 |
{ |
|
363 |
echo '{"mode":"error","error":"HACKING ATTEMPT"}'; |
|
364 |
return false; |
|
365 |
} |
|
366 |
$cid = intval($cid); |
|
367 |
$q = $db->sql_query('SELECT subject,approved FROM '.table_prefix.'comments WHERE comment_id='.$cid.';'); |
|
368 |
if(!$q || $db->numrows() < 1) |
|
369 |
$db->die_json(); |
|
370 |
$row = $db->fetchrow(); |
|
371 |
$db->free_result(); |
|
372 |
$appr = ( $row['approved'] == '1' ) ? '0' : '1'; |
|
373 |
$q = $db->sql_query('UPDATE '.table_prefix."comments SET approved=$appr WHERE comment_id=$cid;"); |
|
374 |
if (!$q) |
|
375 |
$db->die_json(); |
|
376 |
||
377 |
$ret = Array( |
|
378 |
'mode' => 'redraw', |
|
379 |
'approved' => $appr, |
|
380 |
'subj' => $row['subject'], |
|
29
e5484a9e0818
Rewrote change theme dialog; a few minor stability fixes here and there; fixed IE + St Patty background image
Dan
parents:
21
diff
changeset
|
381 |
'id' => $data['local_id'], |
e5484a9e0818
Rewrote change theme dialog; a few minor stability fixes here and there; fixed IE + St Patty background image
Dan
parents:
21
diff
changeset
|
382 |
'approve_updated' => 'yes' |
1 | 383 |
); |
384 |
||
385 |
break; |
|
359 | 386 |
case 'view_ip': |
387 |
if ( !$session->get_permissions('mod_comments') ) |
|
388 |
{ |
|
389 |
return array( |
|
390 |
'mode' => 'error', |
|
391 |
'error' => 'Unauthorized' |
|
392 |
); |
|
393 |
} |
|
394 |
// fetch comment info |
|
395 |
if ( !is_int($data['id']) ) |
|
396 |
{ |
|
397 |
return array( |
|
398 |
'mode' => 'error', |
|
399 |
'error' => 'Unauthorized' |
|
400 |
); |
|
401 |
} |
|
402 |
$id =& $data['id']; |
|
403 |
$q = $db->sql_query('SELECT ip_address, name FROM ' . table_prefix . 'comments WHERE comment_id = ' . $id . ';'); |
|
404 |
if ( !$q || $db->numrows() < 1 ) |
|
405 |
{ |
|
406 |
$db->die_json(); |
|
407 |
} |
|
408 |
list($ip_addr, $name) = $db->fetchrow_num($q); |
|
409 |
$db->free_result(); |
|
410 |
$name = $db->escape($name); |
|
411 |
$username = $db->escape($session->username); |
|
412 |
// log this action |
|
413 |
$q = $db->sql_query('INSERT INTO ' . table_prefix . "logs(time_id, log_type, action, page_text, author, edit_summary) VALUES\n " |
|
414 |
. "( " . time() . ", 'security', 'view_comment_ip', '$name', '$username', '{$_SERVER['REMOTE_ADDR']}' );"); |
|
415 |
if ( !$q ) |
|
416 |
$db->die_json(); |
|
417 |
||
418 |
// send packet |
|
419 |
$ret = array( |
|
420 |
'mode' => 'redraw', |
|
421 |
'ip_addr' => $ip_addr, |
|
422 |
'local_id' => $data['local_id'] |
|
423 |
); |
|
424 |
break; |
|
1 | 425 |
default: |
426 |
$ret = Array( |
|
427 |
'mode' => 'error', |
|
428 |
'error' => $data['mode'] . ' is not a valid request mode' |
|
429 |
); |
|
430 |
break; |
|
431 |
} |
|
334
c72b545f1304
More localization work. Resolved major issue with JSON parser not parsing files over ~50KB. Switched JSON parser to the one from the Zend Framework (BSD licensed). Forced to split enano.json into five different files.
Dan
parents:
328
diff
changeset
|
432 |
echo enano_json_encode($ret); |
1 | 433 |
return $ret; |
434 |
} |
|
435 |
||
436 |
} // class Comments |
|
437 |