1
+ − 1
<?php
+ − 2
+ − 3
/*
+ − 4
* Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between
1081
745200a9cc2a
Fixed some upgrade bugs; added support for choosing one's own date/time formats; rebrand as 1.1.7
Dan
diff
changeset
+ − 5
* Copyright (C) 2006-2009 Dan Fuhry
1
+ − 6
*
+ − 7
* This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License
+ − 8
* as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
+ − 9
*
+ − 10
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied
+ − 11
* warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for details.
+ − 12
*/
+ − 13
+ − 14
/**
+ − 15
* Class that handles comments. Has HTML/Javascript frontend support.
+ − 16
* @package Enano CMS
+ − 17
* @subpackage Comment manager
800
9cdfe82c56cd
Major underlying changes to namespace handling. Each namespace is handled by its own class which extends Namespace_Default. Much greater customization/pluggability potential, at the possible expense of some code reusing (though code reusing has been avoided thus far). Also a bit better handling of page passwords [SECURITY].
Dan
diff
changeset
+ − 18
* @license GNU General Public License <http://www.gnu.org/licenses/gpl-2.0.html>
1
+ − 19
*/
+ − 20
+ − 21
class Comments
+ − 22
{
+ − 23
#
+ − 24
# VARIABLES
+ − 25
#
+ − 26
+ − 27
/**
+ − 28
* Current list of comments.
+ − 29
* @var array
+ − 30
*/
+ − 31
+ − 32
var $comments = Array();
+ − 33
+ − 34
/**
+ − 35
* Object to track permissions.
+ − 36
* @var object
+ − 37
*/
+ − 38
+ − 39
var $perms;
+ − 40
+ − 41
#
+ − 42
# METHODS
+ − 43
#
+ − 44
+ − 45
/**
+ − 46
* Constructor.
+ − 47
* @param string Page ID of the page to load comments for
+ − 48
* @param string Namespace of the page to load comments for
+ − 49
*/
+ − 50
+ − 51
function __construct($page_id, $namespace)
+ − 52
{
+ − 53
global $db, $session, $paths, $template, $plugins; // Common objects
+ − 54
+ − 55
// Initialize permissions
322
+ − 56
if ( $page_id == $paths->page_id && $namespace == $paths->namespace )
1
+ − 57
$this->perms =& $GLOBALS['session'];
+ − 58
else
+ − 59
$this->perms = $session->fetch_page_acl($page_id, $namespace);
+ − 60
+ − 61
$this->page_id = $db->escape($page_id);
+ − 62
$this->namespace = $db->escape($namespace);
+ − 63
}
+ − 64
+ − 65
/**
+ − 66
* Processes a command in JSON format.
1016
6d32d80b2192
Comments: SECURITY: Fixed IP not recorded in non-JSON submit and a few other non-security issues
Dan
diff
changeset
+ − 67
* @param mixed Either the JSON-encoded input string, probably something sent from the Javascript/AJAX frontend, or an equivalent array
1
+ − 68
*/
+ − 69
+ − 70
function process_json($json)
+ − 71
{
+ − 72
global $db, $session, $paths, $template, $plugins; // Common objects
541
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 73
global $lang;
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 74
1016
6d32d80b2192
Comments: SECURITY: Fixed IP not recorded in non-JSON submit and a few other non-security issues
Dan
diff
changeset
+ − 75
$is_json = !is_array($json);
6d32d80b2192
Comments: SECURITY: Fixed IP not recorded in non-JSON submit and a few other non-security issues
Dan
diff
changeset
+ − 76
6d32d80b2192
Comments: SECURITY: Fixed IP not recorded in non-JSON submit and a few other non-security issues
Dan
diff
changeset
+ − 77
if ( $is_json )
6d32d80b2192
Comments: SECURITY: Fixed IP not recorded in non-JSON submit and a few other non-security issues
Dan
diff
changeset
+ − 78
{
6d32d80b2192
Comments: SECURITY: Fixed IP not recorded in non-JSON submit and a few other non-security issues
Dan
diff
changeset
+ − 79
$data = enano_json_decode($json);
6d32d80b2192
Comments: SECURITY: Fixed IP not recorded in non-JSON submit and a few other non-security issues
Dan
diff
changeset
+ − 80
$data = decode_unicode_array($data);
6d32d80b2192
Comments: SECURITY: Fixed IP not recorded in non-JSON submit and a few other non-security issues
Dan
diff
changeset
+ − 81
}
6d32d80b2192
Comments: SECURITY: Fixed IP not recorded in non-JSON submit and a few other non-security issues
Dan
diff
changeset
+ − 82
else
6d32d80b2192
Comments: SECURITY: Fixed IP not recorded in non-JSON submit and a few other non-security issues
Dan
diff
changeset
+ − 83
{
6d32d80b2192
Comments: SECURITY: Fixed IP not recorded in non-JSON submit and a few other non-security issues
Dan
diff
changeset
+ − 84
$data =& $json;
6d32d80b2192
Comments: SECURITY: Fixed IP not recorded in non-JSON submit and a few other non-security issues
Dan
diff
changeset
+ − 85
}
1
+ − 86
if ( !isset($data['mode']) )
+ − 87
{
86
c162ca39db8f
Finished pagination code (was incomplete in previous revision) and added a few hacks for an upcoming theme
Dan
diff
changeset
+ − 88
$ret = Array('mode'=>'error','error'=>'No mode defined!');
334
c72b545f1304
More localization work. Resolved major issue with JSON parser not parsing files over ~50KB. Switched JSON parser to the one from the Zend Framework (BSD licensed). Forced to split enano.json into five different files.
Dan
diff
changeset
+ − 89
echo enano_json_encode($ret);
86
c162ca39db8f
Finished pagination code (was incomplete in previous revision) and added a few hacks for an upcoming theme
Dan
diff
changeset
+ − 90
return $ret;
c162ca39db8f
Finished pagination code (was incomplete in previous revision) and added a few hacks for an upcoming theme
Dan
diff
changeset
+ − 91
}
832
7152ca0a0ce9
Major redesign of rendering pipeline that separates pages saved with MCE from pages saved with the plaintext editor (full description in long commit message)
Dan
diff
changeset
+ − 92
if ( getConfig('enable_comments', '1') == '0' )
86
c162ca39db8f
Finished pagination code (was incomplete in previous revision) and added a few hacks for an upcoming theme
Dan
diff
changeset
+ − 93
{
c162ca39db8f
Finished pagination code (was incomplete in previous revision) and added a few hacks for an upcoming theme
Dan
diff
changeset
+ − 94
$ret = Array('mode'=>'error','error'=>'Comments are not enabled on this site.');
334
c72b545f1304
More localization work. Resolved major issue with JSON parser not parsing files over ~50KB. Switched JSON parser to the one from the Zend Framework (BSD licensed). Forced to split enano.json into five different files.
Dan
diff
changeset
+ − 95
echo enano_json_encode($ret);
86
c162ca39db8f
Finished pagination code (was incomplete in previous revision) and added a few hacks for an upcoming theme
Dan
diff
changeset
+ − 96
return $ret;
1
+ − 97
}
+ − 98
$ret = Array();
+ − 99
$ret['mode'] = $data['mode'];
+ − 100
switch ( $data['mode'] )
+ − 101
{
+ − 102
case 'fetch':
+ − 103
if ( !$template->theme_loaded )
+ − 104
$template->load_theme();
+ − 105
if ( !isset($data['have_template']) )
+ − 106
{
+ − 107
$ret['template'] = file_get_contents(ENANO_ROOT . '/themes/' . $template->theme . '/comment.tpl');
+ − 108
}
621
+ − 109
$q = $db->sql_query('SELECT c.comment_id,c.name,c.subject,c.comment_data,c.time,c.approved,( c.ip_address IS NOT NULL ) AS have_ip,u.user_level,u.user_id,u.email,u.signature,u.user_has_avatar,u.avatar_type, b.buddy_id IS NOT NULL AS is_buddy, ( b.is_friend IS NOT NULL AND b.is_friend=1 ) AS is_friend FROM '.table_prefix.'comments AS c
1
+ − 110
LEFT JOIN '.table_prefix.'users AS u
+ − 111
ON (u.user_id=c.user_id)
108
1c7f59df9474
Implemented some extra functionality for friends/foes in comments; fixed lack of table_prefix in stats.php line 63
Dan
diff
changeset
+ − 112
LEFT JOIN '.table_prefix.'buddies AS b
1c7f59df9474
Implemented some extra functionality for friends/foes in comments; fixed lack of table_prefix in stats.php line 63
Dan
diff
changeset
+ − 113
ON ( ( b.user_id=' . $session->user_id.' AND b.buddy_user_id=c.user_id ) OR b.user_id IS NULL)
541
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 114
LEFT JOIN '.table_prefix.'ranks AS r
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 115
ON ( ( u.user_rank = r.rank_id ) )
1
+ − 116
WHERE page_id=\'' . $this->page_id . '\'
108
1c7f59df9474
Implemented some extra functionality for friends/foes in comments; fixed lack of table_prefix in stats.php line 63
Dan
diff
changeset
+ − 117
AND namespace=\'' . $this->namespace . '\'
621
+ − 118
GROUP BY c.comment_id,c.name,c.subject,c.comment_data,c.time,c.approved,c.ip_address,u.user_level,u.user_id,u.email,u.signature,u.user_has_avatar,u.avatar_type,b.buddy_id,b.is_friend
108
1c7f59df9474
Implemented some extra functionality for friends/foes in comments; fixed lack of table_prefix in stats.php line 63
Dan
diff
changeset
+ − 119
ORDER BY c.time ASC;');
1
+ − 120
$count_appr = 0;
+ − 121
$count_total = 0;
+ − 122
$count_unappr = 0;
+ − 123
$ret['comments'] = Array();
+ − 124
if (!$q)
+ − 125
$db->die_json();
1011
+ − 126
if ( $row = $db->fetchrow($q) )
1
+ − 127
{
+ − 128
do {
+ − 129
+ − 130
// Increment counters
+ − 131
$count_total++;
+ − 132
( $row['approved'] == 1 ) ? $count_appr++ : $count_unappr++;
+ − 133
825
9d5c04c1414f
Added (very basic) spam filtering plugin support. Plugins can mark a message as spam by hooking into the spam check API, which is documented in functions.php. No spam checking functionality is built-in.
Dan
diff
changeset
+ − 134
if ( !$this->perms->get_permissions('mod_comments') && $row['approved'] != COMMENT_APPROVED )
1
+ − 135
continue;
+ − 136
541
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 137
// Localize the rank
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 138
$row = array_merge($row, $session->get_user_rank(intval($row['user_id'])));
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 139
1
+ − 140
// Send the source
+ − 141
$row['comment_source'] = $row['comment_data'];
+ − 142
+ − 143
// Format text
+ − 144
$row['comment_data'] = RenderMan::render($row['comment_data']);
+ − 145
108
1c7f59df9474
Implemented some extra functionality for friends/foes in comments; fixed lack of table_prefix in stats.php line 63
Dan
diff
changeset
+ − 146
if ( $row['is_buddy'] == 1 && $row['is_friend'] == 0 )
1c7f59df9474
Implemented some extra functionality for friends/foes in comments; fixed lack of table_prefix in stats.php line 63
Dan
diff
changeset
+ − 147
{
1c7f59df9474
Implemented some extra functionality for friends/foes in comments; fixed lack of table_prefix in stats.php line 63
Dan
diff
changeset
+ − 148
$seed = md5(sha1(mt_rand() . microtime()));
1c7f59df9474
Implemented some extra functionality for friends/foes in comments; fixed lack of table_prefix in stats.php line 63
Dan
diff
changeset
+ − 149
$wrapper = '
1c7f59df9474
Implemented some extra functionality for friends/foes in comments; fixed lack of table_prefix in stats.php line 63
Dan
diff
changeset
+ − 150
<div id="posthide_'.$seed.'" style="display: none;">
1c7f59df9474
Implemented some extra functionality for friends/foes in comments; fixed lack of table_prefix in stats.php line 63
Dan
diff
changeset
+ − 151
' . $row['comment_data'] . '
1c7f59df9474
Implemented some extra functionality for friends/foes in comments; fixed lack of table_prefix in stats.php line 63
Dan
diff
changeset
+ − 152
</div>
825
9d5c04c1414f
Added (very basic) spam filtering plugin support. Plugins can mark a message as spam by hooking into the spam check API, which is documented in functions.php. No spam checking functionality is built-in.
Dan
diff
changeset
+ − 153
<p><span style="opacity: 0.4; filter: alpha(opacity=40);">' . $lang->get('comment_msg_foe_comment_hidden') . '</span> <span style="text-align: right;"><a href="#showpost" onclick="document.getElementById(\'posthide_'.$seed.'\').style.display=\'block\'; this.parentNode.parentNode.parentNode.removeChild(this.parentNode.parentNode); return false;">' . $lang->get('comment_btn_display_foe_comment') . '</a></span></p>
108
1c7f59df9474
Implemented some extra functionality for friends/foes in comments; fixed lack of table_prefix in stats.php line 63
Dan
diff
changeset
+ − 154
';
1c7f59df9474
Implemented some extra functionality for friends/foes in comments; fixed lack of table_prefix in stats.php line 63
Dan
diff
changeset
+ − 155
$row['comment_data'] = $wrapper;
1c7f59df9474
Implemented some extra functionality for friends/foes in comments; fixed lack of table_prefix in stats.php line 63
Dan
diff
changeset
+ − 156
}
1c7f59df9474
Implemented some extra functionality for friends/foes in comments; fixed lack of table_prefix in stats.php line 63
Dan
diff
changeset
+ − 157
1
+ − 158
// Format date
1081
745200a9cc2a
Fixed some upgrade bugs; added support for choosing one's own date/time formats; rebrand as 1.1.7
Dan
diff
changeset
+ − 159
$row['time'] = enano_date(ED_DATE | ED_TIME, $row['time']);
1
+ − 160
+ − 161
// Format signature
+ − 162
$row['signature'] = ( !empty($row['signature']) ) ? RenderMan::render($row['signature']) : '';
+ − 163
359
+ − 164
// Do we have the IP?
+ − 165
$row['have_ip'] = ( $row['have_ip'] == 1 );
+ − 166
541
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 167
// Avatar URL
621
+ − 168
$row['avatar_path'] = make_avatar_url($row['user_id'], $row['avatar_type'], $row['email']);
541
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 169
1
+ − 170
// Add the comment to the list
+ − 171
$ret['comments'][] = $row;
+ − 172
1011
+ − 173
} while ( $row = $db->fetchrow($q) );
1
+ − 174
}
+ − 175
$db->free_result();
+ − 176
$ret['count_appr'] = $count_appr;
+ − 177
$ret['count_total'] = $count_total;
+ − 178
$ret['count_unappr'] = $count_unappr;
+ − 179
$ret['auth_mod_comments'] = $this->perms->get_permissions('mod_comments');
+ − 180
$ret['auth_post_comments'] = $this->perms->get_permissions('post_comments');
+ − 181
$ret['auth_edit_comments'] = $this->perms->get_permissions('edit_comments');
748
e39454295bbb
Added makeSwitchable Dynano method for textareas; enabled support for makeSwitchable in comment runtime
Dan
diff
changeset
+ − 182
$ret['auth_edit_wysiwyg'] = $this->perms->get_permissions('edit_wysiwyg');
1
+ − 183
$ret['user_id'] = $session->user_id;
+ − 184
$ret['username'] = $session->username;
+ − 185
$ret['logged_in'] = $session->user_logged_in;
+ − 186
+ − 187
$ret['user_level'] = Array();
+ − 188
$ret['user_level']['guest'] = USER_LEVEL_GUEST;
+ − 189
$ret['user_level']['member'] = USER_LEVEL_MEMBER;
+ − 190
$ret['user_level']['mod'] = USER_LEVEL_MOD;
+ − 191
$ret['user_level']['admin'] = USER_LEVEL_ADMIN;
+ − 192
832
7152ca0a0ce9
Major redesign of rendering pipeline that separates pages saved with MCE from pages saved with the plaintext editor (full description in long commit message)
Dan
diff
changeset
+ − 193
$ret['approval_needed'] = ( getConfig('approve_comments', '0') == '1' );
1
+ − 194
$ret['guest_posting'] = getConfig('comments_need_login');
+ − 195
+ − 196
if ( $ret['guest_posting'] == '1' && !$session->user_logged_in )
+ − 197
{
+ − 198
$session->kill_captcha();
+ − 199
$ret['captcha'] = $session->make_captcha();
+ − 200
}
+ − 201
break;
+ − 202
case 'edit':
+ − 203
$cid = (string)$data['id'];
825
9d5c04c1414f
Added (very basic) spam filtering plugin support. Plugins can mark a message as spam by hooking into the spam check API, which is documented in functions.php. No spam checking functionality is built-in.
Dan
diff
changeset
+ − 204
if ( !ctype_digit($cid) || intval($cid) < 1 )
1
+ − 205
{
+ − 206
echo '{"mode":"error","error":"HACKING ATTEMPT"}';
+ − 207
return false;
+ − 208
}
+ − 209
$cid = intval($cid);
+ − 210
$q = $db->sql_query('SELECT c.user_id,c.approved FROM '.table_prefix.'comments c LEFT JOIN '.table_prefix.'users u ON (u.user_id=c.user_id) WHERE comment_id='.$cid.';');
+ − 211
if(!$q)
+ − 212
$db->die_json();
+ − 213
$row = $db->fetchrow();
+ − 214
$uid = intval($row['user_id']);
+ − 215
$can_edit = ( ( $uid == $session->user_id && $uid != 1 && $this->perms->get_permissions('edit_comments') ) || ( $this->perms->get_permissions('mod_comments') ) );
+ − 216
if(!$can_edit)
+ − 217
{
+ − 218
echo '{"mode":"error","error":"HACKING ATTEMPT"}';
+ − 219
return false;
+ − 220
}
+ − 221
$data['data'] = str_replace("\r", '', $data['data']); // Windows compatibility
+ − 222
$text = RenderMan::preprocess_text($data['data'], true, false);
+ − 223
$text2 = $db->escape($text);
+ − 224
$subj = $db->escape(htmlspecialchars($data['subj']));
+ − 225
$q = $db->sql_query('UPDATE '.table_prefix.'comments SET subject=\'' . $subj . '\',comment_data=\'' . $text2 . '\' WHERE comment_id=' . $cid . ';');
+ − 226
if(!$q)
+ − 227
$db->die_json();
+ − 228
$ret = Array(
+ − 229
'mode' => 'redraw',
+ − 230
'id' => $data['local_id'],
+ − 231
'subj' => htmlspecialchars($data['subj']),
+ − 232
'text' => RenderMan::render($text),
+ − 233
'src' => $text,
+ − 234
'approved' => $row['approved']
+ − 235
);
+ − 236
break;
+ − 237
case 'delete':
+ − 238
$cid = (string)$data['id'];
825
9d5c04c1414f
Added (very basic) spam filtering plugin support. Plugins can mark a message as spam by hooking into the spam check API, which is documented in functions.php. No spam checking functionality is built-in.
Dan
diff
changeset
+ − 239
if ( !ctype_digit($cid) || intval($cid) < 1 )
1
+ − 240
{
+ − 241
echo '{"mode":"error","error":"HACKING ATTEMPT"}';
+ − 242
return false;
+ − 243
}
+ − 244
$cid = intval($cid);
+ − 245
$q = $db->sql_query('SELECT c.user_id FROM '.table_prefix.'comments c LEFT JOIN '.table_prefix.'users u ON (u.user_id=c.user_id) WHERE comment_id='.$cid.';');
+ − 246
if(!$q)
+ − 247
$db->die_json();
+ − 248
$row = $db->fetchrow();
+ − 249
$uid = intval($row['user_id']);
+ − 250
$can_edit = ( ( $uid == $session->user_id && $uid != 1 && $this->perms->get_permissions('edit_comments') ) || ( $this->perms->get_permissions('mod_comments') ) );
+ − 251
if(!$can_edit)
+ − 252
{
+ − 253
echo '{"mode":"error","error":"HACKING ATTEMPT"}';
+ − 254
return false;
+ − 255
}
+ − 256
$q = $db->sql_query('DELETE FROM '.table_prefix.'comments WHERE comment_id='.$cid.';');
+ − 257
if(!$q)
+ − 258
$db->die_json();
+ − 259
$ret = Array(
+ − 260
'mode' => 'annihilate',
+ − 261
'id' => $data['local_id']
+ − 262
);
+ − 263
break;
+ − 264
case 'submit':
+ − 265
+ − 266
// Now for a huge round of security checks...
+ − 267
+ − 268
$errors = Array();
+ − 269
+ − 270
// Authorization
+ − 271
// Like the rest of the ACL system, this call is a one-stop check for ALL ACL entries.
+ − 272
if ( !$this->perms->get_permissions('post_comments') )
74
68469a95658d
Various bugfixes and cleanups, too much to remember... see the diffs for what got changed :-)
Dan
diff
changeset
+ − 273
$errors[] = 'The site security policy prevents your user account from posting comments;';
1
+ − 274
+ − 275
// Guest authorization
+ − 276
if ( getConfig('comments_need_login') == '2' && !$session->user_logged_in )
825
9d5c04c1414f
Added (very basic) spam filtering plugin support. Plugins can mark a message as spam by hooking into the spam check API, which is documented in functions.php. No spam checking functionality is built-in.
Dan
diff
changeset
+ − 277
$errors[] = $lang->get('comment_err_need_login');
1
+ − 278
+ − 279
// CAPTCHA code
+ − 280
if ( getConfig('comments_need_login') == '1' && !$session->user_logged_in )
+ − 281
{
+ − 282
$real_code = $session->get_captcha($data['captcha_id']);
825
9d5c04c1414f
Added (very basic) spam filtering plugin support. Plugins can mark a message as spam by hooking into the spam check API, which is documented in functions.php. No spam checking functionality is built-in.
Dan
diff
changeset
+ − 283
if ( strtolower($real_code) !== strtolower($data['captcha_code']) )
9d5c04c1414f
Added (very basic) spam filtering plugin support. Plugins can mark a message as spam by hooking into the spam check API, which is documented in functions.php. No spam checking functionality is built-in.
Dan
diff
changeset
+ − 284
$errors[] = $lang->get('comment_err_captcha_wrong');
263
d57af0b0302e
Major improvements in the security of the CAPTCHA system (no SQL injection or anything like that); fixed denied form submission due to _af_acting on form object wrongly switched to true
Dan
diff
changeset
+ − 285
$session->kill_captcha();
1
+ − 286
}
+ − 287
825
9d5c04c1414f
Added (very basic) spam filtering plugin support. Plugins can mark a message as spam by hooking into the spam check API, which is documented in functions.php. No spam checking functionality is built-in.
Dan
diff
changeset
+ − 288
// Spam check
9d5c04c1414f
Added (very basic) spam filtering plugin support. Plugins can mark a message as spam by hooking into the spam check API, which is documented in functions.php. No spam checking functionality is built-in.
Dan
diff
changeset
+ − 289
$spam_policy = getConfig('comment_spam_policy', 'moderate');
9d5c04c1414f
Added (very basic) spam filtering plugin support. Plugins can mark a message as spam by hooking into the spam check API, which is documented in functions.php. No spam checking functionality is built-in.
Dan
diff
changeset
+ − 290
$sc_name = ( $session->user_logged_in ) ? $session->username : $data['name'];
9d5c04c1414f
Added (very basic) spam filtering plugin support. Plugins can mark a message as spam by hooking into the spam check API, which is documented in functions.php. No spam checking functionality is built-in.
Dan
diff
changeset
+ − 291
$sc_mail = ( $session->user_logged_in ) ? $session->email : false;
972
+ − 292
$sc_url = ( $session->user_logged_in ) ? @$session->user_extra['user_homepage'] : false;
825
9d5c04c1414f
Added (very basic) spam filtering plugin support. Plugins can mark a message as spam by hooking into the spam check API, which is documented in functions.php. No spam checking functionality is built-in.
Dan
diff
changeset
+ − 293
$spamcheck = $spam_policy === 'accept' ? true : spamalyze($data['text'], $sc_name, $sc_mail, $sc_url);
9d5c04c1414f
Added (very basic) spam filtering plugin support. Plugins can mark a message as spam by hooking into the spam check API, which is documented in functions.php. No spam checking functionality is built-in.
Dan
diff
changeset
+ − 294
if ( !$spamcheck && $spam_policy === 'reject' )
9d5c04c1414f
Added (very basic) spam filtering plugin support. Plugins can mark a message as spam by hooking into the spam check API, which is documented in functions.php. No spam checking functionality is built-in.
Dan
diff
changeset
+ − 295
{
9d5c04c1414f
Added (very basic) spam filtering plugin support. Plugins can mark a message as spam by hooking into the spam check API, which is documented in functions.php. No spam checking functionality is built-in.
Dan
diff
changeset
+ − 296
$errors[] = $lang->get('comment_err_spamcheck_failed_rejected');
9d5c04c1414f
Added (very basic) spam filtering plugin support. Plugins can mark a message as spam by hooking into the spam check API, which is documented in functions.php. No spam checking functionality is built-in.
Dan
diff
changeset
+ − 297
}
9d5c04c1414f
Added (very basic) spam filtering plugin support. Plugins can mark a message as spam by hooking into the spam check API, which is documented in functions.php. No spam checking functionality is built-in.
Dan
diff
changeset
+ − 298
1
+ − 299
if ( count($errors) > 0 )
+ − 300
{
+ − 301
$ret = Array(
+ − 302
'mode' => 'error',
+ − 303
'error' => implode("\n", $errors)
+ − 304
);
+ − 305
}
+ − 306
else
+ − 307
{
+ − 308
// We're authorized!
+ − 309
+ − 310
// Preprocess
+ − 311
$name = ( $session->user_logged_in ) ? htmlspecialchars($session->username) : htmlspecialchars($data['name']);
+ − 312
$subj = htmlspecialchars($data['subj']);
+ − 313
$text = RenderMan::preprocess_text($data['text'], true, false);
+ − 314
$src = $text;
1085
+ − 315
$sql_subj = $db->escape($subj);
1
+ − 316
$sql_text = $db->escape($text);
+ − 317
$text = RenderMan::render($text);
832
7152ca0a0ce9
Major redesign of rendering pipeline that separates pages saved with MCE from pages saved with the plaintext editor (full description in long commit message)
Dan
diff
changeset
+ − 318
$appr = ( getConfig('approve_comments', '0') == '1' ) ? COMMENT_UNAPPROVED : COMMENT_APPROVED;
825
9d5c04c1414f
Added (very basic) spam filtering plugin support. Plugins can mark a message as spam by hooking into the spam check API, which is documented in functions.php. No spam checking functionality is built-in.
Dan
diff
changeset
+ − 319
if ( $appr === COMMENT_APPROVED && $spam_policy === 'moderate' && !$spamcheck )
9d5c04c1414f
Added (very basic) spam filtering plugin support. Plugins can mark a message as spam by hooking into the spam check API, which is documented in functions.php. No spam checking functionality is built-in.
Dan
diff
changeset
+ − 320
$appr = COMMENT_SPAM;
1
+ − 321
$time = time();
1081
745200a9cc2a
Fixed some upgrade bugs; added support for choosing one's own date/time formats; rebrand as 1.1.7
Dan
diff
changeset
+ − 322
$date = enano_date(ED_DATE | ED_TIME, $time);
359
+ − 323
$ip = $_SERVER['REMOTE_ADDR'];
+ − 324
if ( !is_valid_ip($ip) )
+ − 325
die('Hacking attempt');
1
+ − 326
+ − 327
// Send it to the database
359
+ − 328
$q = $db->sql_query('INSERT INTO '.table_prefix.'comments(page_id,namespace,name,subject,comment_data,approved, time, user_id, ip_address) VALUES' . "\n " .
1085
+ − 329
"('$this->page_id', '$this->namespace', '$name', '$sql_subj', '$sql_text', $appr, $time, {$session->user_id}, '$ip');");
1
+ − 330
if(!$q)
+ − 331
$db->die_json();
+ − 332
+ − 333
// Re-fetch
621
+ − 334
$q = $db->sql_query('SELECT c.comment_id,c.name,c.subject,c.comment_data,c.time,c.approved,u.user_level,u.user_id,u.email,u.signature,u.user_has_avatar,u.avatar_type FROM '.table_prefix.'comments AS c
1
+ − 335
LEFT JOIN '.table_prefix.'users AS u
+ − 336
ON (u.user_id=c.user_id)
+ − 337
WHERE page_id=\'' . $this->page_id . '\'
+ − 338
AND namespace=\'' . $this->namespace . '\'
+ − 339
AND time='.$time.' ORDER BY comment_id DESC LIMIT 1;');
+ − 340
if(!$q)
+ − 341
$db->die_json();
+ − 342
+ − 343
$row = $db->fetchrow();
+ − 344
$db->free_result();
+ − 345
$row['time'] = $date;
+ − 346
$row['comment_data'] = $text;
+ − 347
$row['comment_source'] = $src;
+ − 348
$ret = Array(
+ − 349
'mode' => 'materialize'
+ − 350
);
+ − 351
$ret = enano_safe_array_merge($ret, $row);
+ − 352
+ − 353
$ret['auth_mod_comments'] = $this->perms->get_permissions('mod_comments');
+ − 354
$ret['auth_post_comments'] = $this->perms->get_permissions('post_comments');
+ − 355
$ret['auth_edit_comments'] = $this->perms->get_permissions('edit_comments');
+ − 356
$ret['user_id'] = $session->user_id;
541
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 357
$ret['rank_data'] = $session->get_user_rank($session->user_id);
1
+ − 358
$ret['username'] = $session->username;
+ − 359
$ret['logged_in'] = $session->user_logged_in;
+ − 360
$ret['signature'] = RenderMan::render($row['signature']);
+ − 361
+ − 362
$ret['user_level_list'] = Array();
+ − 363
$ret['user_level_list']['guest'] = USER_LEVEL_GUEST;
+ − 364
$ret['user_level_list']['member'] = USER_LEVEL_MEMBER;
+ − 365
$ret['user_level_list']['mod'] = USER_LEVEL_MOD;
+ − 366
$ret['user_level_list']['admin'] = USER_LEVEL_ADMIN;
621
+ − 367
$ret['avatar_path'] = make_avatar_url($row['user_id'], $row['avatar_type'], $row['email']);
1
+ − 368
}
+ − 369
+ − 370
break;
+ − 371
case 'approve':
+ − 372
if ( !$this->perms->get_permissions('mod_comments') )
+ − 373
{
+ − 374
$ret = Array(
+ − 375
'mode' => 'error',
+ − 376
'error' => 'You are not authorized to moderate comments.'
+ − 377
);
334
c72b545f1304
More localization work. Resolved major issue with JSON parser not parsing files over ~50KB. Switched JSON parser to the one from the Zend Framework (BSD licensed). Forced to split enano.json into five different files.
Dan
diff
changeset
+ − 378
echo enano_json_encode($ret);
1
+ − 379
return $ret;
+ − 380
}
+ − 381
+ − 382
$cid = (string)$data['id'];
825
9d5c04c1414f
Added (very basic) spam filtering plugin support. Plugins can mark a message as spam by hooking into the spam check API, which is documented in functions.php. No spam checking functionality is built-in.
Dan
diff
changeset
+ − 383
if ( !ctype_digit($cid) || intval($cid) < 1 )
1
+ − 384
{
+ − 385
echo '{"mode":"error","error":"HACKING ATTEMPT"}';
+ − 386
return false;
+ − 387
}
+ − 388
$cid = intval($cid);
+ − 389
$q = $db->sql_query('SELECT subject,approved FROM '.table_prefix.'comments WHERE comment_id='.$cid.';');
+ − 390
if(!$q || $db->numrows() < 1)
+ − 391
$db->die_json();
+ − 392
$row = $db->fetchrow();
+ − 393
$db->free_result();
+ − 394
$appr = ( $row['approved'] == '1' ) ? '0' : '1';
+ − 395
$q = $db->sql_query('UPDATE '.table_prefix."comments SET approved=$appr WHERE comment_id=$cid;");
+ − 396
if (!$q)
+ − 397
$db->die_json();
+ − 398
+ − 399
$ret = Array(
+ − 400
'mode' => 'redraw',
+ − 401
'approved' => $appr,
+ − 402
'subj' => $row['subject'],
29
e5484a9e0818
Rewrote change theme dialog; a few minor stability fixes here and there; fixed IE + St Patty background image
Dan
diff
changeset
+ − 403
'id' => $data['local_id'],
e5484a9e0818
Rewrote change theme dialog; a few minor stability fixes here and there; fixed IE + St Patty background image
Dan
diff
changeset
+ − 404
'approve_updated' => 'yes'
1
+ − 405
);
+ − 406
+ − 407
break;
359
+ − 408
case 'view_ip':
+ − 409
if ( !$session->get_permissions('mod_comments') )
+ − 410
{
+ − 411
return array(
+ − 412
'mode' => 'error',
+ − 413
'error' => 'Unauthorized'
+ − 414
);
+ − 415
}
+ − 416
// fetch comment info
+ − 417
if ( !is_int($data['id']) )
+ − 418
{
+ − 419
return array(
+ − 420
'mode' => 'error',
+ − 421
'error' => 'Unauthorized'
+ − 422
);
+ − 423
}
+ − 424
$id =& $data['id'];
+ − 425
$q = $db->sql_query('SELECT ip_address, name FROM ' . table_prefix . 'comments WHERE comment_id = ' . $id . ';');
+ − 426
if ( !$q || $db->numrows() < 1 )
+ − 427
{
+ − 428
$db->die_json();
+ − 429
}
+ − 430
list($ip_addr, $name) = $db->fetchrow_num($q);
+ − 431
$db->free_result();
+ − 432
$name = $db->escape($name);
+ − 433
$username = $db->escape($session->username);
+ − 434
// log this action
+ − 435
$q = $db->sql_query('INSERT INTO ' . table_prefix . "logs(time_id, log_type, action, page_text, author, edit_summary) VALUES\n "
+ − 436
. "( " . time() . ", 'security', 'view_comment_ip', '$name', '$username', '{$_SERVER['REMOTE_ADDR']}' );");
+ − 437
if ( !$q )
+ − 438
$db->die_json();
+ − 439
+ − 440
// send packet
+ − 441
$ret = array(
+ − 442
'mode' => 'redraw',
+ − 443
'ip_addr' => $ip_addr,
+ − 444
'local_id' => $data['local_id']
+ − 445
);
+ − 446
break;
1
+ − 447
default:
+ − 448
$ret = Array(
+ − 449
'mode' => 'error',
+ − 450
'error' => $data['mode'] . ' is not a valid request mode'
+ − 451
);
+ − 452
break;
+ − 453
}
1016
6d32d80b2192
Comments: SECURITY: Fixed IP not recorded in non-JSON submit and a few other non-security issues
Dan
diff
changeset
+ − 454
if ( $is_json )
6d32d80b2192
Comments: SECURITY: Fixed IP not recorded in non-JSON submit and a few other non-security issues
Dan
diff
changeset
+ − 455
echo enano_json_encode($ret);
6d32d80b2192
Comments: SECURITY: Fixed IP not recorded in non-JSON submit and a few other non-security issues
Dan
diff
changeset
+ − 456
1
+ − 457
return $ret;
+ − 458
}
+ − 459
+ − 460
} // class Comments
+ − 461