# HG changeset patch # User Dan # Date 1194669592 18000 # Node ID 275c70f80137c95cc083b84a5d646309d4a9965f # Parent f4323fa79313f60f01d53dec2ba67b250682773d# Parent acb9d021b860deca3188229eba187b7d932e1d97 Merged in the low-level DBAL fix involving dashes in the database name from stable diff -r acb9d021b860 -r 275c70f80137 .hgtags --- a/.hgtags Fri Nov 09 23:36:49 2007 -0500 +++ b/.hgtags Fri Nov 09 23:39:52 2007 -0500 @@ -5,3 +5,4 @@ 6f0bbf88c3251ca597cb76ac8b59a1ee61d6dd3d rebrand 0b5244001799fa29e83bf06c5f14eb69350f171c rebrand 42c6c83b8a004163c9cc2d85f3c8eada3b73adf6 rebrand +d53cc29308f4f4b97fc6d054e9e0855f37137409 rebrand diff -r acb9d021b860 -r 275c70f80137 ajax.php --- a/ajax.php Fri Nov 09 23:36:49 2007 -0500 +++ b/ajax.php Fri Nov 09 23:39:52 2007 -0500 @@ -1,425 +1,425 @@ -connect(); - - // result is sent using JSON - $json = new Services_JSON(SERVICES_JSON_LOOSE_TYPE); - $return = Array( - 'mode' => 'success', - 'users_real' => Array() - ); - - // should be connected to the DB now - $name = (isset($_GET['name'])) ? $db->escape($_GET['name']) : false; - if ( !$name ) - { - $return = array( - 'mode' => 'error', - 'error' => 'Invalid URI' - ); - die( $json->encode($return) ); - } - $allowanon = ( isset($_GET['allowanon']) && $_GET['allowanon'] == '1' ) ? '' : ' AND user_id > 1'; - $q = $db->sql_query('SELECT username FROM '.table_prefix.'users WHERE lcase(username) LIKE lcase(\'%'.$name.'%\')' . $allowanon . ' ORDER BY username ASC;'); - if ( !$q ) - { - $return = array( - 'mode' => 'error', - 'error' => 'MySQL error selecting username data: '.addslashes(mysql_error()) - ); - die( $json->encode($return) ); - } - $i = 0; - while($r = $db->fetchrow()) - { - $return['users_real'][] = $r['username']; - $i++; - } - $db->free_result(); - - // all done! :-) - $db->close(); - - echo $json->encode( $return ); - - exit; - } - - require('includes/common.php'); - - global $db, $session, $paths, $template, $plugins; // Common objects - if(!isset($_GET['_mode'])) die('This script cannot be accessed directly.'); - - $_ob = ''; - - switch($_GET['_mode']) { - case "checkusername": - echo PageUtils::checkusername($_GET['name']); - break; - case "getsource": - $p = ( isset($_GET['pagepass']) ) ? $_GET['pagepass'] : false; - echo PageUtils::getsource($paths->page, $p); - break; - case "getpage": - // echo PageUtils::getpage($paths->page, false, ( (isset($_GET['oldid'])) ? $_GET['oldid'] : false )); - $revision_id = ( (isset($_GET['oldid'])) ? intval($_GET['oldid']) : 0 ); - $page = new PageProcessor( $paths->cpage['urlname_nons'], $paths->namespace, $revision_id ); - - $pagepass = ( isset($_REQUEST['pagepass']) ) ? $_REQUEST['pagepass'] : ''; - $page->password = $pagepass; - - $page->send(); - break; - case "savepage": - $summ = ( isset($_POST['summary']) ) ? $_POST['summary'] : ''; - $minor = isset($_POST['minor']); - $e = PageUtils::savepage($paths->cpage['urlname_nons'], $paths->namespace, $_POST['text'], $summ, $minor); - if($e=='good') - { - $page = new PageProcessor($paths->cpage['urlname_nons'], $paths->namespace); - $page->send(); - } - else - { - echo '
Error saving the page: '.$e.'
'; - } - break; - case "protect": - echo PageUtils::protect($paths->cpage['urlname_nons'], $paths->namespace, (int)$_POST['level'], $_POST['reason']); - break; - case "histlist": - echo PageUtils::histlist($paths->cpage['urlname_nons'], $paths->namespace); - break; - case "rollback": - echo PageUtils::rollback( (int)$_GET['id'] ); - break; - case "comments": - $comments = new Comments($paths->cpage['urlname_nons'], $paths->namespace); - if ( isset($_POST['data']) ) - { - $comments->process_json($_POST['data']); - } - else - { - die('{ "mode" : "error", "error" : "No input" }'); - } - break; - case "rename": - echo PageUtils::rename($paths->cpage['urlname_nons'], $paths->namespace, $_POST['newtitle']); - break; - case "flushlogs": - echo PageUtils::flushlogs($paths->cpage['urlname_nons'], $paths->namespace); - break; - case "deletepage": - $reason = ( isset($_POST['reason']) ) ? $_POST['reason'] : false; - if ( empty($reason) ) - die('Please enter a reason for deleting this page.'); - echo PageUtils::deletepage($paths->cpage['urlname_nons'], $paths->namespace, $reason); - break; - case "delvote": - echo PageUtils::delvote($paths->cpage['urlname_nons'], $paths->namespace); - break; - case "resetdelvotes": - echo PageUtils::resetdelvotes($paths->cpage['urlname_nons'], $paths->namespace); - break; - case "getstyles": - echo PageUtils::getstyles($_GET['id']); - break; - case "catedit": - echo PageUtils::catedit($paths->cpage['urlname_nons'], $paths->namespace); - break; - case "catsave": - echo PageUtils::catsave($paths->cpage['urlname_nons'], $paths->namespace, $_POST); - break; - case "setwikimode": - echo PageUtils::setwikimode($paths->cpage['urlname_nons'], $paths->namespace, (int)$_GET['mode']); - break; - case "setpass": - echo PageUtils::setpass($paths->cpage['urlname_nons'], $paths->namespace, $_POST['password']); - break; - case "fillusername": - break; - case "fillpagename": - $name = (isset($_GET['name'])) ? $_GET['name'] : false; - if(!$name) die('userlist = new Array(); namelist = new Array(); errorstring=\'Invalid URI\''); - $nd = RenderMan::strToPageID($name); - $c = 0; - $u = Array(); - $n = Array(); - - $name = sanitize_page_id($name); - $name = str_replace('_', ' ', $name); - - for($i=0;$iSQL injection attempt
'; $template->footer(); break; } - echo PageUtils::pagediff($paths->cpage['urlname_nons'], $paths->namespace, $id1, $id2); - break; - case "jsres": - die('// ERROR: this section is deprecated and has moved to includes/clientside/static/enano-lib-basic.js.'); - break; - case "rdns": - if(!$session->get_permissions('mod_misc')) die('Go somewhere else for your reverse DNS info!'); - $ip = $_GET['ip']; - $rdns = gethostbyaddr($ip); - if($rdns == $ip) echo 'Unable to get reverse DNS information. Perhaps the DNS server is down or the PTR record no longer exists.'; - else echo $rdns; - break; - case 'acljson': - $parms = ( isset($_POST['acl_params']) ) ? rawurldecode($_POST['acl_params']) : false; - echo PageUtils::acl_json($parms); - break; - case "change_theme": - if ( !isset($_POST['theme_id']) || !isset($_POST['style_id']) ) - { - die('Invalid input'); - } - if ( !preg_match('/^([a-z0-9_-]+)$/i', $_POST['theme_id']) || !preg_match('/^([a-z0-9_-]+)$/i', $_POST['style_id']) ) - { - die('Invalid input'); - } - if ( !file_exists(ENANO_ROOT . '/themes/' . $_POST['theme_id'] . '/css/' . $_POST['style_id'] . '.css') ) - { - die('Can\'t find theme file: ' . ENANO_ROOT . '/themes/' . $_POST['theme_id'] . '/css/' . $_POST['style_id'] . '.css'); - } - if ( !$session->user_logged_in ) - { - die('You must be logged in to change your theme'); - } - // Just in case something slipped through... - $theme_id = $db->escape($_POST['theme_id']); - $style_id = $db->escape($_POST['style_id']); - $e = $db->sql_query('UPDATE ' . table_prefix . "users SET theme='$theme_id', style='$style_id' WHERE user_id=$session->user_id;"); - if ( !$e ) - die( $db->get_error() ); - die('GOOD'); - break; - case 'get_tags': - $json = new Services_JSON(SERVICES_JSON_LOOSE_TYPE); - - $ret = array('tags' => array(), 'user_level' => $session->user_level, 'can_add' => $session->get_permissions('tag_create')); - $q = $db->sql_query('SELECT t.tag_id, t.tag_name, pg.pg_target IS NOT NULL AS used_in_acl, t.user FROM '.table_prefix.'tags AS t - LEFT JOIN '.table_prefix.'page_groups AS pg - ON ( ( pg.pg_type = ' . PAGE_GRP_TAGGED . ' AND pg.pg_target=t.tag_name ) OR ( pg.pg_type IS NULL AND pg.pg_target IS NULL ) ) - WHERE t.page_id=\'' . $db->escape($paths->cpage['urlname_nons']) . '\' AND t.namespace=\'' . $db->escape($paths->namespace) . '\';'); - if ( !$q ) - $db->_die(); - - while ( $row = $db->fetchrow() ) - { - $can_del = true; - - $perm = ( $row['user'] != $session->user_id ) ? - 'tag_delete_other' : - 'tag_delete_own'; - - if ( $row['user'] == 1 && !$session->user_logged_in ) - // anonymous user trying to delete tag (hardcode blacklisted) - $can_del = false; - - if ( !$session->get_permissions($perm) ) - $can_del = false; - - if ( $row['used_in_acl'] == 1 && !$session->get_permissions('edit_acl') && $session->user_level < USER_LEVEL_ADMIN ) - $can_del = false; - - $ret['tags'][] = array( - 'id' => $row['tag_id'], - 'name' => $row['tag_name'], - 'can_del' => $can_del, - 'acl' => ( $row['used_in_acl'] == 1 ) - ); - } - - echo $json->encode($ret); - - break; - case 'addtag': - $json = new Services_JSON(SERVICES_JSON_LOOSE_TYPE); - $resp = array( - 'success' => false, - 'error' => 'No error', - 'can_del' => ( $session->get_permissions('tag_delete_own') && $session->user_logged_in ), - 'in_acl' => false - ); - - // first of course, are we allowed to tag pages? - if ( !$session->get_permissions('tag_create') ) - { - $resp['error'] = 'You are not permitted to tag pages.'; - die($json->encode($resp)); - } - - // sanitize the tag name - $tag = sanitize_tag($_POST['tag']); - $tag = $db->escape($tag); - - if ( strlen($tag) < 2 ) - { - $resp['error'] = 'Tags must consist of at least 2 alphanumeric characters.'; - die($json->encode($resp)); - } - - // check if tag is already on page - $q = $db->sql_query('SELECT 1 FROM '.table_prefix.'tags WHERE page_id=\'' . $db->escape($paths->cpage['urlname_nons']) . '\' AND namespace=\'' . $db->escape($paths->namespace) . '\' AND tag_name=\'' . $tag . '\';'); - if ( !$q ) - $db->_die(); - if ( $db->numrows() > 0 ) - { - $resp['error'] = 'This page already has this tag.'; - die($json->encode($resp)); - } - $db->free_result(); - - // tricky: make sure this tag isn't being used in some page group, and thus adding it could affect page access - $can_edit_acl = ( $session->get_permissions('edit_acl') || $session->user_level >= USER_LEVEL_ADMIN ); - $q = $db->sql_query('SELECT 1 FROM '.table_prefix.'page_groups WHERE pg_type=' . PAGE_GRP_TAGGED . ' AND pg_target=\'' . $tag . '\';'); - if ( !$q ) - $db->_die(); - if ( $db->numrows() > 0 && !$can_edit_acl ) - { - $resp['error'] = 'This tag is used in an ACL page group, and thus can\'t be added to a page by people without administrator privileges.'; - die($json->encode($resp)); - } - $resp['in_acl'] = ( $db->numrows() > 0 ); - $db->free_result(); - - // we're good - $q = $db->sql_query('INSERT INTO '.table_prefix.'tags(tag_name,page_id,namespace,user) VALUES(\'' . $tag . '\', \'' . $db->escape($paths->cpage['urlname_nons']) . '\', \'' . $db->escape($paths->namespace) . '\', ' . $session->user_id . ');'); - if ( !$q ) - $db->_die(); - - $resp['success'] = true; - $resp['tag'] = $tag; - $resp['tag_id'] = $db->insert_id(); - - echo $json->encode($resp); - break; - case 'deltag': - - $tag_id = intval($_POST['tag_id']); - if ( empty($tag_id) ) - die('Invalid tag ID'); - - $q = $db->sql_query('SELECT t.tag_id, t.user, t.page_id, t.namespace, pg.pg_target IS NOT NULL AS used_in_acl FROM '.table_prefix.'tags AS t - LEFT JOIN '.table_prefix.'page_groups AS pg - ON ( pg.pg_id IS NULL OR ( pg.pg_target = t.tag_name AND pg.pg_type = ' . PAGE_GRP_TAGGED . ' ) ) - WHERE t.tag_id=' . $tag_id . ';'); - - if ( !$q ) - $db->_die(); - - if ( $db->numrows() < 1 ) - die('Could not find a tag with that ID'); - - $row = $db->fetchrow(); - $db->free_result(); - - if ( $row['page_id'] == $paths->cpage['urlname_nons'] && $row['namespace'] == $paths->namespace ) - $perms =& $session; - else - $perms = $session->fetch_page_acl($row['page_id'], $row['namespace']); - - $perm = ( $row['user'] != $session->user_id ) ? - 'tag_delete_other' : - 'tag_delete_own'; - - if ( $row['user'] == 1 && !$session->user_logged_in ) - // anonymous user trying to delete tag (hardcode blacklisted) - die('You are not authorized to delete this tag.'); - - if ( !$perms->get_permissions($perm) ) - die('You are not authorized to delete this tag.'); - - if ( $row['used_in_acl'] == 1 && !$perms->get_permissions('edit_acl') && $session->user_level < USER_LEVEL_ADMIN ) - die('You are not authorized to delete this tag.'); - - // We're good - $q = $db->sql_query('DELETE FROM '.table_prefix.'tags WHERE tag_id = ' . $tag_id . ';'); - if ( !$q ) - $db->_die(); - - echo 'success'; - - break; - case 'ping': - echo 'pong'; - break; - default: - die('Hacking attempt'); - break; - } - +connect(); + + // result is sent using JSON + $json = new Services_JSON(SERVICES_JSON_LOOSE_TYPE); + $return = Array( + 'mode' => 'success', + 'users_real' => Array() + ); + + // should be connected to the DB now + $name = (isset($_GET['name'])) ? $db->escape($_GET['name']) : false; + if ( !$name ) + { + $return = array( + 'mode' => 'error', + 'error' => 'Invalid URI' + ); + die( $json->encode($return) ); + } + $allowanon = ( isset($_GET['allowanon']) && $_GET['allowanon'] == '1' ) ? '' : ' AND user_id > 1'; + $q = $db->sql_query('SELECT username FROM '.table_prefix.'users WHERE lcase(username) LIKE lcase(\'%'.$name.'%\')' . $allowanon . ' ORDER BY username ASC;'); + if ( !$q ) + { + $return = array( + 'mode' => 'error', + 'error' => 'MySQL error selecting username data: '.addslashes(mysql_error()) + ); + die( $json->encode($return) ); + } + $i = 0; + while($r = $db->fetchrow()) + { + $return['users_real'][] = $r['username']; + $i++; + } + $db->free_result(); + + // all done! :-) + $db->close(); + + echo $json->encode( $return ); + + exit; + } + + require('includes/common.php'); + + global $db, $session, $paths, $template, $plugins; // Common objects + if(!isset($_GET['_mode'])) die('This script cannot be accessed directly.'); + + $_ob = ''; + + switch($_GET['_mode']) { + case "checkusername": + echo PageUtils::checkusername($_GET['name']); + break; + case "getsource": + $p = ( isset($_GET['pagepass']) ) ? $_GET['pagepass'] : false; + echo PageUtils::getsource($paths->page, $p); + break; + case "getpage": + // echo PageUtils::getpage($paths->page, false, ( (isset($_GET['oldid'])) ? $_GET['oldid'] : false )); + $revision_id = ( (isset($_GET['oldid'])) ? intval($_GET['oldid']) : 0 ); + $page = new PageProcessor( $paths->cpage['urlname_nons'], $paths->namespace, $revision_id ); + + $pagepass = ( isset($_REQUEST['pagepass']) ) ? $_REQUEST['pagepass'] : ''; + $page->password = $pagepass; + + $page->send(); + break; + case "savepage": + $summ = ( isset($_POST['summary']) ) ? $_POST['summary'] : ''; + $minor = isset($_POST['minor']); + $e = PageUtils::savepage($paths->cpage['urlname_nons'], $paths->namespace, $_POST['text'], $summ, $minor); + if($e=='good') + { + $page = new PageProcessor($paths->cpage['urlname_nons'], $paths->namespace); + $page->send(); + } + else + { + echo 'Error saving the page: '.$e.'
'; + } + break; + case "protect": + echo PageUtils::protect($paths->cpage['urlname_nons'], $paths->namespace, (int)$_POST['level'], $_POST['reason']); + break; + case "histlist": + echo PageUtils::histlist($paths->cpage['urlname_nons'], $paths->namespace); + break; + case "rollback": + echo PageUtils::rollback( (int)$_GET['id'] ); + break; + case "comments": + $comments = new Comments($paths->cpage['urlname_nons'], $paths->namespace); + if ( isset($_POST['data']) ) + { + $comments->process_json($_POST['data']); + } + else + { + die('{ "mode" : "error", "error" : "No input" }'); + } + break; + case "rename": + echo PageUtils::rename($paths->cpage['urlname_nons'], $paths->namespace, $_POST['newtitle']); + break; + case "flushlogs": + echo PageUtils::flushlogs($paths->cpage['urlname_nons'], $paths->namespace); + break; + case "deletepage": + $reason = ( isset($_POST['reason']) ) ? $_POST['reason'] : false; + if ( empty($reason) ) + die('Please enter a reason for deleting this page.'); + echo PageUtils::deletepage($paths->cpage['urlname_nons'], $paths->namespace, $reason); + break; + case "delvote": + echo PageUtils::delvote($paths->cpage['urlname_nons'], $paths->namespace); + break; + case "resetdelvotes": + echo PageUtils::resetdelvotes($paths->cpage['urlname_nons'], $paths->namespace); + break; + case "getstyles": + echo PageUtils::getstyles($_GET['id']); + break; + case "catedit": + echo PageUtils::catedit($paths->cpage['urlname_nons'], $paths->namespace); + break; + case "catsave": + echo PageUtils::catsave($paths->cpage['urlname_nons'], $paths->namespace, $_POST); + break; + case "setwikimode": + echo PageUtils::setwikimode($paths->cpage['urlname_nons'], $paths->namespace, (int)$_GET['mode']); + break; + case "setpass": + echo PageUtils::setpass($paths->cpage['urlname_nons'], $paths->namespace, $_POST['password']); + break; + case "fillusername": + break; + case "fillpagename": + $name = (isset($_GET['name'])) ? $_GET['name'] : false; + if(!$name) die('userlist = new Array(); namelist = new Array(); errorstring=\'Invalid URI\''); + $nd = RenderMan::strToPageID($name); + $c = 0; + $u = Array(); + $n = Array(); + + $name = sanitize_page_id($name); + $name = str_replace('_', ' ', $name); + + for($i=0;$iSQL injection attempt
'; $template->footer(); break; } + echo PageUtils::pagediff($paths->cpage['urlname_nons'], $paths->namespace, $id1, $id2); + break; + case "jsres": + die('// ERROR: this section is deprecated and has moved to includes/clientside/static/enano-lib-basic.js.'); + break; + case "rdns": + if(!$session->get_permissions('mod_misc')) die('Go somewhere else for your reverse DNS info!'); + $ip = $_GET['ip']; + $rdns = gethostbyaddr($ip); + if($rdns == $ip) echo 'Unable to get reverse DNS information. Perhaps the DNS server is down or the PTR record no longer exists.'; + else echo $rdns; + break; + case 'acljson': + $parms = ( isset($_POST['acl_params']) ) ? rawurldecode($_POST['acl_params']) : false; + echo PageUtils::acl_json($parms); + break; + case "change_theme": + if ( !isset($_POST['theme_id']) || !isset($_POST['style_id']) ) + { + die('Invalid input'); + } + if ( !preg_match('/^([a-z0-9_-]+)$/i', $_POST['theme_id']) || !preg_match('/^([a-z0-9_-]+)$/i', $_POST['style_id']) ) + { + die('Invalid input'); + } + if ( !file_exists(ENANO_ROOT . '/themes/' . $_POST['theme_id'] . '/css/' . $_POST['style_id'] . '.css') ) + { + die('Can\'t find theme file: ' . ENANO_ROOT . '/themes/' . $_POST['theme_id'] . '/css/' . $_POST['style_id'] . '.css'); + } + if ( !$session->user_logged_in ) + { + die('You must be logged in to change your theme'); + } + // Just in case something slipped through... + $theme_id = $db->escape($_POST['theme_id']); + $style_id = $db->escape($_POST['style_id']); + $e = $db->sql_query('UPDATE ' . table_prefix . "users SET theme='$theme_id', style='$style_id' WHERE user_id=$session->user_id;"); + if ( !$e ) + die( $db->get_error() ); + die('GOOD'); + break; + case 'get_tags': + $json = new Services_JSON(SERVICES_JSON_LOOSE_TYPE); + + $ret = array('tags' => array(), 'user_level' => $session->user_level, 'can_add' => $session->get_permissions('tag_create')); + $q = $db->sql_query('SELECT t.tag_id, t.tag_name, pg.pg_target IS NOT NULL AS used_in_acl, t.user FROM '.table_prefix.'tags AS t + LEFT JOIN '.table_prefix.'page_groups AS pg + ON ( ( pg.pg_type = ' . PAGE_GRP_TAGGED . ' AND pg.pg_target=t.tag_name ) OR ( pg.pg_type IS NULL AND pg.pg_target IS NULL ) ) + WHERE t.page_id=\'' . $db->escape($paths->cpage['urlname_nons']) . '\' AND t.namespace=\'' . $db->escape($paths->namespace) . '\';'); + if ( !$q ) + $db->_die(); + + while ( $row = $db->fetchrow() ) + { + $can_del = true; + + $perm = ( $row['user'] != $session->user_id ) ? + 'tag_delete_other' : + 'tag_delete_own'; + + if ( $row['user'] == 1 && !$session->user_logged_in ) + // anonymous user trying to delete tag (hardcode blacklisted) + $can_del = false; + + if ( !$session->get_permissions($perm) ) + $can_del = false; + + if ( $row['used_in_acl'] == 1 && !$session->get_permissions('edit_acl') && $session->user_level < USER_LEVEL_ADMIN ) + $can_del = false; + + $ret['tags'][] = array( + 'id' => $row['tag_id'], + 'name' => $row['tag_name'], + 'can_del' => $can_del, + 'acl' => ( $row['used_in_acl'] == 1 ) + ); + } + + echo $json->encode($ret); + + break; + case 'addtag': + $json = new Services_JSON(SERVICES_JSON_LOOSE_TYPE); + $resp = array( + 'success' => false, + 'error' => 'No error', + 'can_del' => ( $session->get_permissions('tag_delete_own') && $session->user_logged_in ), + 'in_acl' => false + ); + + // first of course, are we allowed to tag pages? + if ( !$session->get_permissions('tag_create') ) + { + $resp['error'] = 'You are not permitted to tag pages.'; + die($json->encode($resp)); + } + + // sanitize the tag name + $tag = sanitize_tag($_POST['tag']); + $tag = $db->escape($tag); + + if ( strlen($tag) < 2 ) + { + $resp['error'] = 'Tags must consist of at least 2 alphanumeric characters.'; + die($json->encode($resp)); + } + + // check if tag is already on page + $q = $db->sql_query('SELECT 1 FROM '.table_prefix.'tags WHERE page_id=\'' . $db->escape($paths->cpage['urlname_nons']) . '\' AND namespace=\'' . $db->escape($paths->namespace) . '\' AND tag_name=\'' . $tag . '\';'); + if ( !$q ) + $db->_die(); + if ( $db->numrows() > 0 ) + { + $resp['error'] = 'This page already has this tag.'; + die($json->encode($resp)); + } + $db->free_result(); + + // tricky: make sure this tag isn't being used in some page group, and thus adding it could affect page access + $can_edit_acl = ( $session->get_permissions('edit_acl') || $session->user_level >= USER_LEVEL_ADMIN ); + $q = $db->sql_query('SELECT 1 FROM '.table_prefix.'page_groups WHERE pg_type=' . PAGE_GRP_TAGGED . ' AND pg_target=\'' . $tag . '\';'); + if ( !$q ) + $db->_die(); + if ( $db->numrows() > 0 && !$can_edit_acl ) + { + $resp['error'] = 'This tag is used in an ACL page group, and thus can\'t be added to a page by people without administrator privileges.'; + die($json->encode($resp)); + } + $resp['in_acl'] = ( $db->numrows() > 0 ); + $db->free_result(); + + // we're good + $q = $db->sql_query('INSERT INTO '.table_prefix.'tags(tag_name,page_id,namespace,user) VALUES(\'' . $tag . '\', \'' . $db->escape($paths->cpage['urlname_nons']) . '\', \'' . $db->escape($paths->namespace) . '\', ' . $session->user_id . ');'); + if ( !$q ) + $db->_die(); + + $resp['success'] = true; + $resp['tag'] = $tag; + $resp['tag_id'] = $db->insert_id(); + + echo $json->encode($resp); + break; + case 'deltag': + + $tag_id = intval($_POST['tag_id']); + if ( empty($tag_id) ) + die('Invalid tag ID'); + + $q = $db->sql_query('SELECT t.tag_id, t.user, t.page_id, t.namespace, pg.pg_target IS NOT NULL AS used_in_acl FROM '.table_prefix.'tags AS t + LEFT JOIN '.table_prefix.'page_groups AS pg + ON ( pg.pg_id IS NULL OR ( pg.pg_target = t.tag_name AND pg.pg_type = ' . PAGE_GRP_TAGGED . ' ) ) + WHERE t.tag_id=' . $tag_id . ';'); + + if ( !$q ) + $db->_die(); + + if ( $db->numrows() < 1 ) + die('Could not find a tag with that ID'); + + $row = $db->fetchrow(); + $db->free_result(); + + if ( $row['page_id'] == $paths->cpage['urlname_nons'] && $row['namespace'] == $paths->namespace ) + $perms =& $session; + else + $perms = $session->fetch_page_acl($row['page_id'], $row['namespace']); + + $perm = ( $row['user'] != $session->user_id ) ? + 'tag_delete_other' : + 'tag_delete_own'; + + if ( $row['user'] == 1 && !$session->user_logged_in ) + // anonymous user trying to delete tag (hardcode blacklisted) + die('You are not authorized to delete this tag.'); + + if ( !$perms->get_permissions($perm) ) + die('You are not authorized to delete this tag.'); + + if ( $row['used_in_acl'] == 1 && !$perms->get_permissions('edit_acl') && $session->user_level < USER_LEVEL_ADMIN ) + die('You are not authorized to delete this tag.'); + + // We're good + $q = $db->sql_query('DELETE FROM '.table_prefix.'tags WHERE tag_id = ' . $tag_id . ';'); + if ( !$q ) + $db->_die(); + + echo 'success'; + + break; + case 'ping': + echo 'pong'; + break; + default: + die('Hacking attempt'); + break; + } + ?> \ No newline at end of file diff -r acb9d021b860 -r 275c70f80137 includes/captcha.php --- a/includes/captcha.php Fri Nov 09 23:36:49 2007 -0500 +++ b/includes/captcha.php Fri Nov 09 23:39:52 2007 -0500 @@ -1,7 +1,8 @@ '; + document.getElementById(aclManagerID + '_next').value = $lang.get('etc_wizard_next'); groups = parseJSON(ajax.responseText); if ( groups.mode == 'error' ) { @@ -104,13 +104,13 @@ grpb.onclick = function() { seed = this.className; document.getElementById('enACL_grpbox_'+seed).style.display = 'block'; document.getElementById('enACL_usrbox_'+seed).style.display = 'none'; }; lbl = document.createElement('label'); lbl.appendChild(grpb); - lbl.appendChild(document.createTextNode('A usergroup')); + lbl.appendChild(document.createTextNode($lang.get('acl_radio_usergroup'))); lbl.style.display = 'block'; span.appendChild(grpsel); anoninfo = document.createElement('div'); anoninfo.className = 'info-box-mini'; - anoninfo.appendChild(document.createTextNode('To edit permissions for guests, select "a specific user", and enter Anonymous as the username.')); + anoninfo.appendChild(document.createTextNode($lang.get('acl_msg_guest_howto'))); span.appendChild(document.createElement('br')); span.appendChild(anoninfo); @@ -122,7 +122,7 @@ usrb.onclick = function() { seed = this.className; document.getElementById('enACL_grpbox_'+seed).style.display = 'none'; document.getElementById('enACL_usrbox_'+seed).style.display = 'block'; }; lbl2 = document.createElement('label'); lbl2.appendChild(usrb); - lbl2.appendChild(document.createTextNode('A specific user')); + lbl2.appendChild(document.createTextNode($lang.get('acl_radio_user'))); lbl2.style.display = 'block'; usrsel = document.createElement('input'); @@ -167,21 +167,21 @@ lblPage = document.createElement('label'); lblPage.style.display = 'block'; lblPage.appendChild(scopeRadioPage); - lblPage.appendChild(document.createTextNode('Only this page')); + lblPage.appendChild(document.createTextNode($lang.get('acl_radio_scope_thispage'))); lblGlobal = document.createElement('label'); lblGlobal.style.display = 'block'; lblGlobal.appendChild(scopeRadioGlobal); - lblGlobal.appendChild(document.createTextNode('The entire website')); + lblGlobal.appendChild(document.createTextNode($lang.get('acl_radio_scope_wholesite'))); lblGroup = document.createElement('label'); lblGroup.style.display = 'block'; lblGroup.appendChild(scopeRadioGroup); - lblGroup.appendChild(document.createTextNode('A group of pages')); + lblGroup.appendChild(document.createTextNode($lang.get('acl_radio_scope_pagegroup'))); scopediv1.appendChild(lblPage); scopediv2.appendChild(lblGroup); scopediv3.appendChild(lblGlobal); scopedesc = document.createElement('p'); - scopedesc.appendChild(document.createTextNode('What should this access rule control?')); + scopedesc.appendChild(document.createTextNode($lang.get('acl_lbl_scope'))); scopePGrp = document.createElement('select'); scopePGrp.style.marginLeft = '13px'; @@ -219,10 +219,10 @@ container.style.paddingTop = '50px'; head = document.createElement('h2'); - head.appendChild(document.createTextNode('Manage page access')); + head.appendChild(document.createTextNode($lang.get('acl_lbl_welcome_title'))); desc = document.createElement('p'); - desc.appendChild(document.createTextNode('Please select who should be affected by this access rule.')); + desc.appendChild(document.createTextNode($lang.get('acl_lbl_welcome_body'))); container.appendChild(head); container.appendChild(desc); @@ -319,11 +319,14 @@ // Build the ACL edit form // try { - act_desc = ( data.type == 'new' ) ? 'Create access rule' : 'Editing permissions'; - target_type_t = ( data.target_type == 1 ) ? 'group' : 'user'; - target_name_t = data.target_name; - var scope_type = ( data.page_id == false && data.namespace == false ) ? 'this entire site' : ( data.namespace == '__PageGroup' ) ? 'this group of pages' : 'this page'; - html = 'This panel allows you to edit what the '+target_type_t+' "'+target_name_t+'" can do on ' + scope_type + '. Unless you set a permission to "Deny", these permissions may be overridden by other rules.
'; + + var act_desc = ( data.type == 'new' ) ? $lang.get('acl_lbl_editwin_title_create') : $lang.get('acl_lbl_editwin_title_edit'); + var target_type_t = ( data.target_type == 1 ) ? $lang.get('acl_target_type_group') : $lang.get('acl_target_type_user'); + var target_name_t = data.target_name; + var scope_type = ( data.page_id == false && data.namespace == false ) ? $lang.get('acl_scope_type_wholesite') : ( data.namespace == '__PageGroup' ) ? $lang.get('acl_scope_type_pagegroup') : $lang.get('acl_scope_type_thispage'); + + html = '' + $lang.get('acl_lbl_editwin_body', { target_type: target_type_t, target: target_name_t, scope_type: scope_type }) + '
'; parser = new templateParser(data.template.acl_field_begin); html += parser.run(); @@ -335,7 +338,14 @@ cls = ( cls == 'row1' ) ? 'row2' : 'row1'; p = new templateParser(data.template.acl_field_item); vars = new Object(); - vars['FIELD_DESC'] = data.acl_descs[i]; + if ( data.acl_descs[i].match(/^([a-z0-9_]+)$/) ) + { + vars['FIELD_DESC'] = $lang.get(data.acl_descs[i]); + } + else + { + vars['FIELD_DESC'] = data.acl_descs[i]; + } vars['FIELD_DENY_CHECKED'] = ''; vars['FIELD_DISALLOW_CHECKED'] = ''; vars['FIELD_WIKIMODE_CHECKED'] = ''; @@ -367,7 +377,7 @@ html += parser.run(); if(data.type == 'edit') - html += ''; + html += '' + $lang.get('acl_lbl_deleterule') + '
'; var main = document.getElementById(aclManagerID + '_main'); main.innerHTML = html; @@ -383,7 +393,7 @@ aclPermList = array_keys(data.acl_types); document.getElementById(aclManagerID + '_back').style.display = 'inline'; - document.getElementById(aclManagerID + '_next').value = 'Save Changes'; + document.getElementById(aclManagerID + '_next').value = $lang.get('etc_save_changes'); // } catch(e) { alert(e); aclDebug(ajax.responseText); } @@ -393,24 +403,24 @@ note.className = 'info-box'; note.style.marginLeft = '0'; var b = document.createElement('b'); - b.appendChild(document.createTextNode('Permissions updated')); + b.appendChild(document.createTextNode($lang.get('acl_lbl_save_success_title'))); note.appendChild(b); note.appendChild(document.createElement('br')); - note.appendChild(document.createTextNode('The permissions for '+data.target_name+' on this page have been updated successfully. If you changed permissions that affect your user account, you may not see changes until you reload the page.')); + note.appendChild(document.createTextNode($lang.get('acl_lbl_save_success_body', { target_name: data.target_name }))); note.appendChild(document.createElement('br')); var a = document.createElement('a'); a.href = 'javascript:void(0);'; a.onclick = function() { this.parentNode.parentNode.removeChild(this.parentNode); return false; }; - a.appendChild(document.createTextNode('[ dismiss :')); + a.appendChild(document.createTextNode('[ ' + $lang.get('acl_btn_success_dismiss') + ' :')); note.appendChild(a); var a2 = document.createElement('a'); a2.href = 'javascript:void(0);'; a2.onclick = function() { killACLManager(); return false; }; - a2.appendChild(document.createTextNode(': close manager ]')); + a2.appendChild(document.createTextNode(': ' + $lang.get('acl_btn_success_close') + ' ]')); note.appendChild(a2); document.getElementById(aclManagerID + '_main').insertBefore(note, document.getElementById(aclManagerID + '_main').firstChild); if(!document.getElementById(aclManagerID+'_deletelnk')) - document.getElementById(aclManagerID + '_main').innerHTML += ''; + document.getElementById(aclManagerID + '_main').innerHTML += '' + $lang.get('acl_lbl_deleterule') + '
'; //fadeInfoBoxes(); document.getElementById(aclManagerID+'_main').scrollTop = 0; @@ -428,7 +438,7 @@ { document.getElementById(aclManagerID+'_main').innerHTML = ''; document.getElementById(aclManagerID + '_back').style.display = 'none'; - document.getElementById(aclManagerID + '_next').value = 'Next >'; + document.getElementById(aclManagerID + '_next').value = $lang.get('etc_wizard_next'); var thispage = strToPageID(title); groups.page_id = thispage[0]; groups.namespace = thispage[1]; @@ -441,20 +451,20 @@ note.style.width = '558px'; note.id = 'aclSuccessNotice_' + Math.floor(Math.random() * 100000); b = document.createElement('b'); - b.appendChild(document.createTextNode('Entry deleted')); + b.appendChild(document.createTextNode($lang.get('acl_lbl_delete_success_title'))); note.appendChild(b); note.appendChild(document.createElement('br')); - note.appendChild(document.createTextNode('The access rules for '+aclDataCache.target_name+' on this page have been deleted.')); + note.appendChild(document.createTextNode($lang.get('acl_lbl_delete_success_title', { target_name: aclDataCache.target_name }))); note.appendChild(document.createElement('br')); a = document.createElement('a'); a.href = '#'; a.onclick = function() { opacity(this.parentNode.id, 100, 0, 1000); setTimeout('var div = document.getElementById("' + this.parentNode.id + '"); div.parentNode.removeChild(div);', 1100); return false; }; - a.appendChild(document.createTextNode('[ dismiss :')); + a.appendChild(document.createTextNode('[ ' + $lang.get('acl_btn_success_dismiss') + ' :')); note.appendChild(a); a = document.createElement('a'); a.href = '#'; a.onclick = function() { killACLManager(); return false; }; - a.appendChild(document.createTextNode(': close manager ]')); + a.appendChild(document.createTextNode(': ' + $lang.get('acl_btn_success_close') + ' ]')); note.appendChild(a); document.getElementById(aclManagerID + '_main').insertBefore(note, document.getElementById(aclManagerID + '_main').firstChild); //fadeInfoBoxes(); @@ -542,7 +552,7 @@ back = document.createElement('input'); back.type = 'button'; - back.value = '< Back'; + back.value = $lang.get('etc_wizard_back'); back.style.fontWeight = 'normal'; back.onclick = function() { ajaxACLSwitchToSelector(); return false; }; back.style.display = 'none'; @@ -550,14 +560,14 @@ saver = document.createElement('input'); saver.type = 'submit'; - saver.value = 'Next >'; + saver.value = $lang.get('etc_wizard_next'); saver.style.fontWeight = 'bold'; saver.id = aclManagerID + '_next'; closer = document.createElement('input'); closer.type = 'button'; - closer.value = 'Cancel Changes'; - closer.onclick = function() { if(!confirm('Do you really want to close the ACL manager?')) return false; killACLManager(); return false; } + closer.value = $lang.get('etc_cancel_changes'); + closer.onclick = function() { if(!confirm($lang.get('acl_msg_closeacl_confirm'))) return false; killACLManager(); return false; } spacer1 = document.createTextNode(' '); spacer2 = document.createTextNode(' '); @@ -624,7 +634,7 @@ var target_type = parseInt(getRadioState(thefrm, 'target_type', ['1', '2'])); if(isNaN(target_type)) { - alert('Please select a target type.'); + alert($lang.get('acl_err_pleaseselect_targettype')); return false; } target_id = ( target_type == 1 ) ? parseInt(thefrm.group_id.value) : thefrm.username.value; @@ -666,7 +676,7 @@ } if(target_id == '') { - alert('Please enter a username.'); + alert($lang.get('acl_err_pleaseselect_username')); return false; } __aclJSONSubmitAjaxHandler(obj); diff -r acb9d021b860 -r 275c70f80137 includes/clientside/static/ajax.js --- a/includes/clientside/static/ajax.js Fri Nov 09 23:36:49 2007 -0500 +++ b/includes/clientside/static/ajax.js Fri Nov 09 23:39:52 2007 -0500 @@ -71,7 +71,7 @@ if(ajax.readyState == 4) { unsetAjaxLoading(); if(edit_open) { - c=confirm('Do you really want to revert your changes?'); + c=confirm($lang.get('editor_msg_revert_confirm')); if(!c) return; } edit_open = true; @@ -82,18 +82,18 @@ // Allow the textarea grippifier to re-create the resizer control on the textarea grippied_textareas.pop(in_array('ajaxEditArea', grippied_textareas)); } - disableUnload('If you do, any changes that you have made to this page will be lost.'); + disableUnload($lang.get('editor_msg_unload')); var switcher = ( readCookie('enano_editor_mode') == 'tinymce' ) ? - 'wikitext editor | graphical editor' : - 'wikitext editor | graphical editor' ; + '' + $lang.get('editor_btn_wikitext') + ' | ' + $lang.get('editor_btn_graphical') : + $lang.get('editor_btn_wikitext') + ' | ' + $lang.get('editor_btn_graphical') + '' ; document.getElementById('ajaxEditContainer').innerHTML = '\ \ ' + switcher + 'Fetching an encryption key...
\ -Not working? Use the alternate login form.
\ +' + $lang.get('user_login_ajax_fetching_key') + '
\ +' + $lang.get('user_login_ajax_link_fullform', { link_full_form: makeUrlNS('Special', 'Login/' + title) }) + '
\ \Username: | \ + | ' + $lang.get('user_login_field_username') + ': | \ |
Password: | \ + | ' + $lang.get('user_login_field_password') + ': | \ |
\
- Trouble logging in? Try the full login form. '; + ' + $lang.get('user_login_ajax_link_fullform', { link_full_form: makeUrlNS('Special', 'Login/' + title, 'level=' + level) }) + ' '; if ( level <= USER_LEVEL_MEMBER ) { form_html += ' \ - Did you forget your password? \ - Maybe you need to create an account.'; + ' + $lang.get('user_login_ajax_link_forgotpass', { forgotpass_link: makeUrlNS('Special', 'PasswordReset') }) + ' \ + ' + $lang.get('user_login_createaccount_blurb', { reg_link: makeUrlNS('Special', 'Register') }); } - form_html += ' \ + form_html += ' \ | \
Logging in...
\ +' + $lang.get('user_login_ajax_loggingin') + '
\ \- Close window -
- - -EOF; - exit; - break; - default: - break; -} - -$template = new template_nodb(); -$template->load_theme('oxygen', 'bleu', false); - -$modestrings = Array( - 'welcome' => 'Welcome', - 'license' => 'License Agreement', - 'sysreqs' => 'Server requirements', - 'database'=> 'Database information', - 'website' => 'Website configuration', - 'login' => 'Administration login', - 'confirm' => 'Confirm installation', - 'install' => 'Database installation', - 'finish' => 'Installation complete' - ); - -$sideinfo = ''; -$vars = $template->extract_vars('elements.tpl'); -$p = $template->makeParserText($vars['sidebar_button']); -foreach ( $modestrings as $id => $str ) -{ - if ( $_GET['mode'] == $id ) - { - $flags = 'style="font-weight: bold; text-decoration: underline;"'; - $this_page = $str; - } - else - { - $flags = ''; - } - $p->assign_vars(Array( - 'HREF' => '#', - 'FLAGS' => $flags . ' onclick="return false;"', - 'TEXT' => $str - )); - $sideinfo .= $p->run(); -} - -$template->init_vars(); - -if(isset($_GET['mode']) && $_GET['mode'] == 'css') -{ - header('Content-type: text/css'); - echo $template->get_css(); - exit; -} - -$template->header(); -if(!isset($_GET['mode'])) $_GET['mode'] = 'license'; -switch($_GET['mode']) -{ - default: - case 'welcome': - ?> -Thank you for choosing Enano as your CMS. You've selected the finest in design, the strongest in security, and the latest in Web 2.0 toys. Trust us, you'll like it.
-To get started, please read and accept the following license agreement. You've probably seen it before.
-Enano is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
-This program is distributed in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose. See the GNU General Public License (below) for more details.
-By clicking the button below or otherwise continuing the installation, you indicate your acceptance of this license agreement.
-Enano is distributed under certain licensing terms that we believe make it of the greatest possible use to the public. The license we distribute it under, the GNU General Public License, provides certain terms and conditions that, rather than limit your use of Enano, allow you to get the most out of it. If you would like to read the full text, it can be found below. Here is a human-readable version that we think is a little easier to understand.
-You may exercise the freedoms specified here provided that you comply with the express conditions of this license. The principal conditions are:
-Disclaimer: The above text is not a license. It is simply a handy reference for understanding the Legal Code (the full license) – it is a human-readable expression of some of its key terms. Think of it as the user-friendly interface to the Legal Code beneath. The above text itself has no legal value, and its contents do not appear in the actual license.
Text copied from the Creative Commons GPL Deed page
This version of Enano is designed only for testing and evaluation purposes. It is not yet completely stable, and should not be used on production websites. As with any Enano version, Dan Fuhry and the Enano team cannot be responsible for any damage, physical or otherwise, to any property as a result of the use of Enano. While security is a number one priority, sometimes things slip through.
- -Enano has several requirements that must be met before it can be installed. If all is good then note any warnings and click Continue below.
-Now we need some information that will allow Enano to contact your database server. Enano uses MySQL as a data storage backend, - and we need to have access to a MySQL server in order to continue.
-If you do not have access to a MySQL server, and you are using your own server, you can download MySQL for free from - MySQL.com. Please note that, like Enano, MySQL is licensed under the GNU GPL. - If you need to modify MySQL and then distribute your modifications, you must either distribute them under the terms of the GPL - or purchase a proprietary license.
- MySQL login information for this virtual appliance:ERROR: Cannot open config.php for writing - exiting!
'; - $template->footer(); - exit; - } - fwrite($handle, ''); - fclose($handle); - } - // Sorry for the ugly hack, but this f***s up jEdit badly. - echo ' - - '; - ?> - - - restart the installation.'; - $template->footer(); - exit; - } - unset($_POST['_cont']); - ?> - - restart the installation.'; - $template->footer(); - exit; - } - switch($_POST['urlscheme']) - { - case "ugly": - default: - $cp = scriptPath.'/index.php?title='; - break; - case "short": - $cp = scriptPath.'/index.php/'; - break; - case "tiny": - $cp = scriptPath.'/'; - break; - } - function err($t) { global $template; echo $t; $template->footer(); exit; } - - // $stages = array('connect', 'decrypt', 'genkey', 'parse', 'sql', 'writeconfig', 'renameconfig', 'startapi', 'initlogs'); - - if ( !preg_match('/^[a-z0-9_]*$/', $_POST['table_prefix']) ) - err('Hacking attempt was detected in table_prefix.'); - - start_install_table(); - // The stages connect, decrypt, genkey, and parse are preprocessing and don't do any actual data modification. - // Thus, they need to be run on each retry, e.g. never skipped. - run_installer_stage('connect', 'Connect to MySQL', 'stg_mysql_connect', 'MySQL denied our attempt to connect to the database. This is most likely because your login information was incorrect. You will most likely need to restart the installation.', false); - if ( isset($_POST['drop_tables']) ) - { - // Are we supposed to drop any existing tables? If so, do it now - run_installer_stage('drop', 'Drop existing Enano tables', 'stg_drop_tables', 'This step never returns failure'); - } - run_installer_stage('decrypt', 'Decrypt administration password', 'stg_decrypt_admin_pass', 'The administration password you entered couldn\'t be decrypted. It is possible that your server did not properly store the encryption key in the configuration file. Please check the file permissions on config.new.php. You may have to return to the login stage of the installation, clear your browser cache, and then rerun this installation.', false); - run_installer_stage('genkey', 'Generate ' . AES_BITS . '-bit AES private key', 'stg_generate_aes_key', 'Enano encountered an internal error while generating the site encryption key. Please contact the Enano team for support.', false); - run_installer_stage('parse', 'Prepare to execute schema file', 'stg_parse_schema', 'Enano encountered an internal error while parsing the SQL file that contains the database structure and initial data. Please contact the Enano team for support.', false); - run_installer_stage('sql', 'Execute installer schema', 'stg_install', 'The installation failed because an SQL query wasn\'t quite correct. It is possible that you entered malformed data into a form field, or there may be a bug in Enano with your version of MySQL. Please contact the Enano team for support.', false); - run_installer_stage('writeconfig', 'Write configuration files', 'stg_write_config', 'Enano was unable to write the configuration file with your site\'s database credentials. This is almost always because your configuration file does not have the correct permissions. On Windows servers, you may see this message even if the check on the System Requirements page passed. Temporarily running IIS as the Administrator user may help.'); - run_installer_stage('renameconfig', 'Rename configuration files', 'stg_rename_config', 'Enano couldn\'t rename the configuration files to their correct production names. On some UNIX systems, you need to CHMOD the directory with your Enano files to 777 in order for this stage to succeed.'); - - // Mainstream installation complete - Enano should be usable now - // The stage of starting the API is special because it has to be called out of function context. - // To alleviate this, we have two functions, one that returns success and one that returns failure - // If the Enano API load is successful, the success function is called to report the action to the user - // If unsuccessful, the failure report is sent - - $template_bak = $template; - - $_GET['title'] = 'Main_Page'; - require('includes/common.php'); - - if ( is_object($db) && is_object($session) ) - { - run_installer_stage('startapi', 'Start the Enano API', 'stg_start_api_success', '...', false); - } - else - { - run_installer_stage('startapi', 'Start the Enano API', 'stg_start_api_failure', 'The Enano API could not be started. This is an error that should never occur; please contact the Enano team for support.', false); - } - - // We need to be logged in (with admin rights) before logs can be flushed - $admin_password = stg_decrypt_admin_pass(true); - $session->login_without_crypto($_POST['admin_user'], $admin_password, false); - - // Now that login cookies are set, initialize the session manager and ACLs - $session->start(); - $paths->init(); - - run_installer_stage('initlogs', 'Initialize logs', 'stg_init_logs', 'The session manager denied the request to flush logs for the main page.Review any warnings above, and then click here to finish the installation.'; - - // echo ''; - - break; - case "finish": - echo '
You have finished installing Enano on this server.
-Click the link below to see the main page for your website. Where to go from here:
-If you wish to upgrade an older Enano installation to this version, please use the upgrade script.
'); + exit; +} + +define('IN_ENANO_INSTALL', 'true'); + +define('ENANO_VERSION', '1.1.1'); +define('ENANO_CODE_NAME', 'Germination'); +// In beta versions, define ENANO_BETA_VERSION here + +// This is required to make installation work right +define("ENANO_ALLOW_LOAD_NOLANG", 1); + +if(!defined('scriptPath')) { + $sp = dirname($_SERVER['REQUEST_URI']); + if($sp == '/' || $sp == '\\') $sp = ''; + define('scriptPath', $sp); +} + +if(!defined('contentPath')) { + $sp = dirname($_SERVER['REQUEST_URI']); + if($sp == '/' || $sp == '\\') $sp = ''; + define('contentPath', $sp); +} +global $_starttime, $this_page, $sideinfo; +$_starttime = microtime(true); + +// Determine directory (special case for development servers) +if ( strpos(__FILE__, '/repo/') && file_exists('.enanodev') ) +{ + $filename = str_replace('/repo/', '/', __FILE__); +} +else +{ + $filename = __FILE__; +} + +define('ENANO_ROOT', dirname($filename)); + +function is_page($p) +{ + return true; +} + +require('includes/wikiformat.php'); +require('includes/constants.php'); +require('includes/rijndael.php'); +require('includes/functions.php'); +require('includes/dbal.php'); +require('includes/lang.php'); +require('includes/json.php'); + +strip_magic_quotes_gpc(); + +// +// INSTALLER LIBRARY +// + +$neutral_color = 'C'; + +function run_installer_stage($stage_id, $stage_name, $function, $failure_explanation, $allow_skip = true) +{ + static $resumed = false; + static $resume_stack = array(); + + if ( empty($resume_stack) && isset($_POST['resume_stack']) && preg_match('/[a-z_]+((\|[a-z_]+)+)/', $_POST['resume_stack']) ) + { + $resume_stack = explode('|', $_POST['resume_stack']); + } + + $already_run = false; + if ( in_array($stage_id, $resume_stack) ) + { + $already_run = true; + } + + if ( !$resumed ) + { + if ( !isset($_GET['stage']) ) + $resumed = true; + if ( isset($_GET['stage']) && $_GET['stage'] == $stage_id ) + { + $resumed = true; + } + } + if ( !$resumed && $allow_skip ) + { + echo_stage_success($stage_id, "[dbg: skipped] $stage_name"); + return false; + } + if ( !function_exists($function) ) + die('libenanoinstall: CRITICAL: function "' . $function . '" for ' . $stage_id . ' doesn\'t exist'); + $result = @call_user_func($function, false, $already_run); + if ( $result ) + { + echo_stage_success($stage_id, $stage_name); + $resume_stack[] = $stage_id; + return true; + } + else + { + echo_stage_failure($stage_id, $stage_name, $failure_explanation, $resume_stack); + return false; + } +} + +function start_install_table() +{ + echo 'SECURITY: malformed database name \"$db_name\"
"); + } + + // First, try to connect using the normal credentials + $conn = @mysql_connect($_POST['db_host'], $_POST['db_user'], $_POST['db_pass']); + if ( !$conn ) + { + // Connection failed. Do we have the root username and password? + if ( !empty($_POST['db_root_user']) && !empty($_POST['db_root_pass']) ) + { + $conn_root = @mysql_connect($_POST['db_host'], $_POST['db_root_user'], $_POST['db_root_pass']); + if ( !$conn_root ) + { + // Couldn't connect using either set of credentials. Bail out. + return false; + } + unset($db_user, $db_pass); + $db_user = mysql_real_escape_string($_POST['db_user']); + $db_pass = mysql_real_escape_string($_POST['db_pass']); + // Create the user account + $q = @mysql_query("GRANT ALL PRIVILEGES ON test.* TO '{$db_user}'@'localhost' IDENTIFIED BY '$db_pass' WITH GRANT OPTION;", $conn_root); + if ( !$q ) + { + return false; + } + // Revoke privileges from test, we don't need them + $q = @mysql_query("REVOKE ALL PRIVILEGES ON test.* FROM '{$db_user}'@'localhost';", $conn_root); + if ( !$q ) + { + return false; + } + if ( $_POST['db_host'] != 'localhost' && $_POST['db_host'] != '127.0.0.1' && $_POST['db_host'] != '::1' ) + { + // If not connecting to a server running on localhost, allow from any host + // this is safer than trying to detect the hostname of the webserver, but less secure + $q = @mysql_query("GRANT ALL PRIVILEGES ON test.* TO '{$db_user}'@'%' IDENTIFIED BY '$db_pass' WITH GRANT OPTION;", $conn_root); + if ( !$q ) + { + return false; + } + // Revoke privileges from test, we don't need them + $q = @mysql_query("REVOKE ALL PRIVILEGES ON test.* FROM '{$db_user}'@'%';", $conn_root); + if ( !$q ) + { + return false; + } + } + mysql_close($conn_root); + $conn = @mysql_connect($_POST['db_host'], $_POST['db_user'], $_POST['db_pass']); + if ( !$conn ) + { + // This should honestly never happen. + return false; + } + } + } + $q = @mysql_query("USE `$db_name`;", $conn); + if ( !$q ) + { + // access denied to the database; try the whole root schenanegan again + if ( !empty($_POST['db_root_user']) && !empty($_POST['db_root_pass']) ) + { + $conn_root = @mysql_connect($_POST['db_host'], $_POST['db_root_user'], $_POST['db_root_pass']); + if ( !$conn_root ) + { + // Couldn't connect as root; bail out + return false; + } + // create the database, if it doesn't exist + $q = @mysql_query("CREATE DATABASE IF NOT EXISTS `$db_name`;", $conn_root); + if ( !$q ) + { + // this really should never fail, so don't give any tolerance to it + return false; + } + unset($db_user, $db_pass); + $db_user = mysql_real_escape_string($_POST['db_user']); + $db_pass = mysql_real_escape_string($_POST['db_pass']); + // we're in with root rights; grant access to the database + $q = @mysql_query("GRANT ALL PRIVILEGES ON `$db_name`.* TO '{$db_user}'@'localhost';", $conn_root); + if ( !$q ) + { + return false; + } + if ( $_POST['db_host'] != 'localhost' && $_POST['db_host'] != '127.0.0.1' && $_POST['db_host'] != '::1' ) + { + $q = @mysql_query("GRANT ALL PRIVILEGES ON `$db_name`.* TO '{$db_user}'@'%';", $conn_root); + if ( !$q ) + { + return false; + } + } + mysql_close($conn_root); + // grant tables have hopefully been flushed, kill and reconnect our regular user connection + mysql_close($conn); + $conn = @mysql_connect($_POST['db_host'], $_POST['db_user'], $_POST['db_pass']); + if ( !$conn ) + { + return false; + } + } + else + { + return false; + } + // try again + $q = @mysql_query("USE `$db_name`;", $conn); + if ( !$q ) + { + // really failed this time; bail out + return false; + } + } + // connected and database exists + return true; +} + +function stg_drop_tables() +{ + $conn = stg_mysql_connect(true); + if ( !$conn ) + return false; + // Our list of tables included in Enano + $tables = Array( 'categories', 'comments', 'config', 'logs', 'page_text', 'session_keys', 'pages', 'users', 'users_extra', 'themes', 'buddies', 'banlist', 'files', 'privmsgs', 'sidebar', 'hits', 'search_index', 'groups', 'group_members', 'acl', 'search_cache', 'tags', 'page_groups', 'page_group_members' ); + + // Drop each table individually; if it fails, it probably means we're trying to drop a + // table that didn't exist in the Enano version we're deleting the database for. + foreach ( $tables as $table ) + { + // Remember that table_prefix is sanitized. + $table = "{$_POST['table_prefix']}$table"; + @mysql_query("DROP TABLE $table;", $conn); + } + return true; +} + +function stg_decrypt_admin_pass($act_get = false) +{ + static $decrypted_pass = false; + if ( $act_get ) + return $decrypted_pass; + + $aes = new AESCrypt(AES_BITS, AES_BLOCKSIZE); + + if ( !empty($_POST['crypt_data']) ) + { + require('config.new.php'); + if ( !isset($cryptkey) ) + { + return false; + } + define('_INSTRESUME_AES_KEYBACKUP', $key); + $key = hexdecode($cryptkey); + + $decrypted_pass = $aes->decrypt($_POST['crypt_data'], $key, ENC_HEX); + + } + else + { + $decrypted_pass = $_POST['admin_pass']; + } + if ( empty($decrypted_pass) ) + return false; + return true; +} + +function stg_generate_aes_key($act_get = false) +{ + static $key = false; + if ( $act_get ) + return $key; + + $aes = new AESCrypt(AES_BITS, AES_BLOCKSIZE); + $key = $aes->gen_readymade_key(); + return true; +} + +function stg_parse_schema($act_get = false) +{ + static $schema; + if ( $act_get ) + return $schema; + + $admin_pass = stg_decrypt_admin_pass(true); + $key = stg_generate_aes_key(true); + $aes = new AESCrypt(AES_BITS, AES_BLOCKSIZE); + $key = $aes->hextostring($key); + $admin_pass = $aes->encrypt($admin_pass, $key, ENC_HEX); + + $cacheonoff = is_writable(ENANO_ROOT.'/cache/') ? '1' : '0'; + + $schema = file_get_contents('schema.sql'); + $schema = str_replace('{{SITE_NAME}}', mysql_real_escape_string($_POST['sitename'] ), $schema); + $schema = str_replace('{{SITE_DESC}}', mysql_real_escape_string($_POST['sitedesc'] ), $schema); + $schema = str_replace('{{COPYRIGHT}}', mysql_real_escape_string($_POST['copyright'] ), $schema); + $schema = str_replace('{{ADMIN_USER}}', mysql_real_escape_string($_POST['admin_user'] ), $schema); + $schema = str_replace('{{ADMIN_PASS}}', mysql_real_escape_string($admin_pass ), $schema); + $schema = str_replace('{{ADMIN_EMAIL}}', mysql_real_escape_string($_POST['admin_email']), $schema); + $schema = str_replace('{{ENABLE_CACHE}}', mysql_real_escape_string($cacheonoff ), $schema); + $schema = str_replace('{{REAL_NAME}}', '', $schema); + $schema = str_replace('{{TABLE_PREFIX}}', $_POST['table_prefix'], $schema); + $schema = str_replace('{{VERSION}}', ENANO_VERSION, $schema); + $schema = str_replace('{{ADMIN_EMBED_PHP}}', $_POST['admin_embed_php'], $schema); + // Not anymore!! :-D + // $schema = str_replace('{{BETA_VERSION}}', ENANO_BETA_VERSION, $schema); + + if(isset($_POST['wiki_mode'])) + { + $schema = str_replace('{{WIKI_MODE}}', '1', $schema); + } + else + { + $schema = str_replace('{{WIKI_MODE}}', '0', $schema); + } + + // Build an array of queries + $schema = explode("\n", $schema); + + foreach ( $schema as $i => $sql ) + { + $query =& $schema[$i]; + $t = trim($query); + if ( empty($t) || preg_match('/^(\#|--)/i', $t) ) + { + unset($schema[$i]); + unset($query); + } + } + + $schema = array_values($schema); + $schema = implode("\n", $schema); + $schema = explode(";\n", $schema); + + foreach ( $schema as $i => $sql ) + { + $query =& $schema[$i]; + if ( substr($query, ( strlen($query) - 1 ), 1 ) != ';' ) + { + $query .= ';'; + } + } + + return true; +} + +function stg_install($_unused, $already_run) +{ + // This one's pretty easy. + $conn = stg_mysql_connect(true); + if ( !is_resource($conn) ) + return false; + $schema = stg_parse_schema(true); + if ( !is_array($schema) ) + return false; + + // If we're resuming installation, the encryption key was regenerated. + // This means we'll have to update the encrypted password in the database. + if ( $already_run ) + { + $admin_pass = stg_decrypt_admin_pass(true); + $key = stg_generate_aes_key(true); + $aes = new AESCrypt(AES_BITS, AES_BLOCKSIZE); + $key = $aes->hextostring($key); + $admin_pass = $aes->encrypt($admin_pass, $key, ENC_HEX); + $admin_user = mysql_real_escape_string($_POST['admin_user']); + + $q = @mysql_query("UPDATE {$_POST['table_prefix']}users SET password='$admin_pass' WHERE username='$admin_user';"); + if ( !$q ) + { + echo 'MySQL return: ' . mysql_error() . '
'; + return false; + } + + return true; + } + + // OK, do the loop, baby!!! + foreach($schema as $q) + { + $r = mysql_query($q, $conn); + if ( !$r ) + { + echo 'MySQL return: ' . mysql_error() . '
'; + return false; + } + } + + return true; +} + +function stg_write_config() +{ + $privkey = stg_generate_aes_key(true); + + switch($_POST['urlscheme']) + { + case "ugly": + default: + $cp = scriptPath.'/index.php?title='; + break; + case "short": + $cp = scriptPath.'/index.php/'; + break; + case "tiny": + $cp = scriptPath.'/'; + break; + } + + if ( $_POST['urlscheme'] == 'tiny' ) + { + $contents = '# Begin Enano rules +RewriteEngine on +RewriteCond %{REQUEST_FILENAME} !-d +RewriteCond %{REQUEST_FILENAME} !-f +RewriteRule ^(.+) '.scriptPath.'/index.php?title=$1 [L,QSA] +RewriteRule \.(php|html|gif|jpg|png|css|js)$ - [L] +# End Enano rules +'; + if ( file_exists('./.htaccess') ) + $ht = fopen(ENANO_ROOT.'/.htaccess', 'a+'); + else + $ht = fopen(ENANO_ROOT.'/.htaccess.new', 'w'); + if ( !$ht ) + return false; + fwrite($ht, $contents); + fclose($ht); + } + + $config_file = ''; + + $cf_handle = fopen(ENANO_ROOT.'/config.new.php', 'w'); + if ( !$cf_handle ) + return false; + fwrite($cf_handle, $config_file); + + fclose($cf_handle); + + return true; +} + +function _stg_rename_config_revert() +{ + if ( file_exists('./config.php') ) + { + @rename('./config.php', './config.new.php'); + } + + $handle = @fopen('./config.php.new', 'w'); + if ( !$handle ) + return false; + $contents = ''; + fwrite($handle, $contents); + fclose($handle); + return true; +} + +function stg_rename_config() +{ + if ( !@rename('./config.new.php', './config.php') ) + { + echo 'Can\'t rename config.php
'; + _stg_rename_config_revert(); + return false; + } + + if ( $_POST['urlscheme'] == 'tiny' && !file_exists('./.htaccess') ) + { + if ( !@rename('./.htaccess.new', './.htaccess') ) + { + echo 'Can\'t rename .htaccess
'; + _stg_rename_config_revert(); + return false; + } + } + return true; +} + +function stg_start_api_success() +{ + return true; +} + +function stg_start_api_failure() +{ + return false; +} + +function stg_import_language() +{ + global $db, $session, $paths, $template, $plugins; // Common objects + + $lang_file = ENANO_ROOT . "/language/english/enano.json"; + install_language("eng", "English", "English", $lang_file); + + return true; +} + +function stg_init_logs() +{ + global $db, $session, $paths, $template, $plugins; // Common objects + + $q = $db->sql_query('INSERT INTO ' . table_prefix . 'logs(log_type,action,time_id,date_string,author,page_text,edit_summary) VALUES(\'security\', \'install_enano\', ' . time() . ', \'' . date('d M Y h:i a') . '\', \'' . mysql_real_escape_string($_POST['admin_user']) . '\', \'' . mysql_real_escape_string(ENANO_VERSION) . '\', \'' . mysql_real_escape_string($_SERVER['REMOTE_ADDR']) . '\');'); + if ( !$q ) + { + echo 'MySQL return: ' . mysql_error() . '
'; + return false; + } + + if ( !$session->get_permissions('clear_logs') ) + { + echo '$session: denied clear_logs
'; + return false; + } + + PageUtils::flushlogs('Main_Page', 'Article'); + + return true; +} + +//die('Key size: ' . AES_BITS . '([\s]*?)<\/p>#is', '', $result);
+ $result = preg_replace('#
([\s]*?)
$desc | "; + } elseif(!$val && $warn) { + if($cv) $color='FFFFCC'; else $color='FFFFAA'; + echo " |
$desc $extended_desc | |
$desc $extended_desc |
get('database_blurb_needdb'); ?>
+get('database_blurb_howtomysql'); ?>
+ + ' . $lang->get('database_vm_login_info', array( 'host' => 'localhost', 'user' => 'enano', 'pass' => 'clurichaun', 'name' => 'enano_www1' )) . ' + '; + } + ?> + + restart the installation.'; + $template->footer(); + exit; + } + unset($_POST['_cont']); + ?> + + + restart the installation.'; + $template->footer(); + exit; + } + unset($_POST['_cont']); + require('config.new.php'); + $aes = new AESCrypt(AES_BITS, AES_BLOCKSIZE); + if ( isset($crypto_key) ) + { + $cryptkey = $crypto_key; + } + if(!isset($cryptkey) || ( isset($cryptkey) && strlen($cryptkey) != AES_BITS / 4) ) + { + $cryptkey = $aes->gen_readymade_key(); + $handle = @fopen(ENANO_ROOT.'/config.new.php', 'w'); + if(!$handle) + { + echo 'ERROR: Despite my repeated attempts to verify that the configuration file can be written, I was indeed prevented from opening it for writing. Maybe you\'re still on crack Windows?
Review any warnings above, and then click here to finish the installation.'; + + // echo ''; + + break; + case "finish": + echo '
You have finished installing Enano on this server.
+Click the link below to see the main page for your website. Where to go from here:
+This website is powered by Enano, the lightweight and open source CMS that everyone can use. Enano is copyright © 2006-2007 Dan Fuhry. For legal information, along with a list of libraries that Enano uses, please see Legal Information.
The developers and maintainers of Enano strongly believe that software should not only be free to use, but free to be modified, distributed, and used to create derivative works. For more information about Free Software, check out the Wikipedia page or the Free Software Foundation\'s homepage.
', + enano_about_gpl: 'This program is Free Software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for details.
You should have received a copy of the GNU General Public License along with this program; if not, write to:
Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor
Boston, MA 02110-1301, USA
Alternatively, you can read it online.
', + enano_about_lbl_enanoversion: 'Enano version:', + enano_about_lbl_webserver: 'Web server:', + enano_about_lbl_serverplatform: 'Server platform:', + enano_about_lbl_phpversion: 'PHP version:', + enano_about_lbl_mysqlversion: 'MySQL version:', + }, + user: { + login_message_short: 'Please enter your username and password to log in.', + login_message_short_elev: 'Please re-enter your login details', + login_body: 'Logging in enables you to use your preferences and access member information. If you don\'t have a username and password here, you can create an account.', + login_body_elev: 'You are requesting that a sensitive operation be performed. To continue, please re-enter your password to confirm your identity.', + login_field_username: 'Username', + login_field_password: 'Password', + login_forgotpass_blurb: 'Forgot your password? No problem.', + login_createaccount_blurb: 'Maybe you need to create an account.', + login_field_captcha: 'Code in image', + login_nocrypt_title: 'Important note regarding cryptography:', + login_nocrypt_body: 'Some countries do not allow the import or use of cryptographic technology. If you live in one of the countries listed below, you should log in without using encryption.', + login_nocrypt_countrylist: 'This restriction applies to the following countries: Belarus, China, India, Israel, Kazakhstan, Mongolia, Pakistan, Russia, Saudi Arabia, Singapore, Tunisia, Venezuela, and Vietnam.', + login_usecrypt_title: 'Encryption is currently turned off.', + login_usecrypt_body: 'If you are not in one of the countries listed below, you should enable encryption to secure the logon process.', + login_usecrypt_countrylist: 'The cryptography restriction applies to the following countries: Belarus, China, India, Israel, Kazakhstan, Mongolia, Pakistan, Russia, Saudi Arabia, Singapore, Tunisia, Venezuela, and Vietnam.', + login_success_title: 'Login successful', + login_success_body: 'You have successfully logged into the %config.site_name% site as "%username%". Redirecting to %redir_target%...', + login_success_body_mainpage: 'the main page', + + login_ajax_fetching_key: 'Fetching an encryption key...', + login_ajax_prompt_title: 'Please enter your username and password to continue.', + login_ajax_prompt_title_elev: 'You are requesting a sensitive operation.', + login_ajax_prompt_body_elev: 'Please re-enter your login details, to verify your identity.', + login_ajax_link_fullform: 'Trouble logging in? Try the full login form.', + login_ajax_link_forgotpass: 'Did you forget your password?', + login_ajax_loggingin: 'Logging in...', + + err_key_not_found: 'Enano couldn\'t look up the encryption key used to encrypt your password. This most often happens if a cache rotation occurred during your login attempt, or if you refreshed the login page.', + err_key_wrong_length: 'The encryption key was the wrong length.', + err_too_big_for_britches: 'You are trying to authenticate at a level that your user account does not permit.', + err_invalid_credentials: 'You have entered an invalid username or password. Please enter your login details again.', + err_invalid_credentials_lockout: ' You have used up %fails% out of %config.lockout_threshold% login attempts. After you have used up all %config.lockout_threshold% login attempts, you will be locked out from logging in for %config.lockout_duration% minutes.', + err_invalid_credentials_lockout_captcha: ' You have used up %lockout_fails% out of %config.lockout_threshold% login attempts. After you have used up all %config.lockout_threshold% login attempts, you will have to enter a visual confirmation code while logging in, effective for %config.lockout_duration% minutes.', + err_backend_fail: 'You entered the right credentials and everything was validated, but for some reason Enano couldn\'t register your session. This is an internal problem with the site and you are encouraged to contact site administration.', + err_locked_out: 'You have used up all %config.lockout_threshold% allowed login attempts. Please wait %time_rem% minute%plural% before attempting to log in again%captcha_blurb%.', + err_locked_out_captcha_blurb: ', or enter the visual confirmation code shown above in the appropriate box', + + logout_success_title: 'Logged out', + logout_success_body: 'You have been successfully logged out, and all cookies have been cleared. You will now be transferred to the main page.', + logout_confirm_title: 'Are you sure you want to log out?', + logout_confirm_body: 'If you log out, you will no longer be able to access your user preferences, your private messages, or certain areas of this site until you log in again.', + logout_confirm_title_elev: 'Are you sure you want to de-authenticate?', + logout_confirm_body_elev: 'If you de-authenticate, you will no longer be able to use the administration panel until you re-authenticate again. You may do so at any time using the Administration button on the sidebar.', + logout_err_title: 'An error occurred during the logout process.', + // Unused at this point + logout_err_not_loggedin: 'You don\'t seem to be logged in.', + + keepalive_info_title: 'About the keep-alive feature', + keepalive_info_body: 'Keep-alive is a new Enano feature that keeps your administrative session from timing out while you are using the administration panel. This feature can be useful if you are editing a large page or doing something in the administration interface that will take longer than 15 minutes.Unlike deleting or editing this page, this action is not reversible! You should only do this if you are desparate for database space.
Do you really want to continue?
', + flushlogs_btn_submit: 'Flush logs', + + delvote_warning_stern: 'If you think that this page is not relavent to the content on this site, or if it looks like this page was only created in an attempt to spam the site, you can request that this page be deleted by an administrator.
After you vote, you should leave a comment explaining the reason for your vote, especially if you are the first person to vote against this page.
', + + delvote_count_zero: 'So far, no one has voted for the deletion of this page.', + delvote_count_one: 'So far, one person has voted to delete this page.', + delvote_count_plural: 'So far, %delvotes% people have voted to delete this page.', + delvote_btn_submit: 'Vote to delete this page', + delvote_reset_btn_submit: 'Reset votes', + + delete_warning_stern: 'While the deletion of the page itself is completely reversible, it is impossible to recover any comments or category information on this page. If this is a file page, the file along with all older revisions of it will be permanently deleted. Also, any custom information that this page is tagged with, such as a custom name, protection status, or additional settings such as whether to allow comments, will be permanently lost.
Are you absolutely sure that you want to continue?
You will not be asked again.
Permission types:
This option allows you to control whether anything between the standard <?php and ?> tags will be treated as + PHP code by Enano. If this option is enabled, and members of the Administrators group use these tags, Enano will + execute that code when the page is loaded. There are obvious potential security implications here, which should + be carefully considered before enabling this option.
+If you are the only administrator of this site, or if you have a high level of trust for those will be administering + the site with you, you should enable this to allow extreme customization of pages.
+Leave this option off if you are at all concerned about security – if your account is compromised and PHP embedding + is enabled, an attacker can run arbitrary code on your server! Enabling this will also allow administrators to + embed Javascript and arbitrary HTML and CSS.
+If you don\'t have experience coding in PHP, you can safely disable this option. You may change this at any time + using the ACL editor by selecting the Administrators group and This Entire Website under the scope selection.
', + btn_close_window: 'Close window', + } + } +} diff -r acb9d021b860 -r 275c70f80137 language/english/install/license-deed.html --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/language/english/install/license-deed.html Fri Nov 09 23:39:52 2007 -0500 @@ -0,0 +1,25 @@ +Enano is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
+This program is distributed in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose. See the GNU General Public License (below) for more details.
+By clicking the button below or otherwise continuing the installation, you indicate your acceptance of this license agreement.
+ +Enano is distributed under certain licensing terms that we believe make it of the greatest possible use to the public. The license we distribute it under, the GNU General Public License, provides certain terms and conditions that, rather than limit your use of Enano, allow you to get the most out of it. If you would like to read the full text, it can be found below. Here is a human-readable version that we think is a little easier to understand.
+You may exercise the freedoms specified here provided that you comply with the express conditions of this license. The principal conditions are:
+
+ Disclaimer: The above text is not a license. It is simply a handy reference for understanding the Legal Code (the full license) – it is a human-readable expression of some of its key terms. Think of it as the user-friendly interface to the Legal Code beneath. The above text itself has no legal value, and its contents do not appear in the actual license.
Text copied from the Creative Commons GPL Deed page
+
You need to log in to view your private messages.
'); + if ( !$session->user_logged_in ) + { + die_friendly('Access denied', 'You need to log in to view your private messages.
'); + } $argv = Array(); $argv[] = $paths->getParam(0); $argv[] = $paths->getParam(1); $argv[] = $paths->getParam(2); - if(!$argv[0]) $argv[0] = 'InVaLiD'; + if ( !$argv[0] ) + { + $argv[0] = 'InVaLiD'; + } switch($argv[0]) { default: @@ -48,17 +54,29 @@ break; case 'View': $id = $argv[1]; - if(!preg_match('#^([0-9]+)$#', $id)) die_friendly('Message error', 'Invalid message ID
'); + if ( !preg_match('#^([0-9]+)$#', $id) ) + { + die_friendly('Message error', 'Invalid message ID
'); + } $q = $db->sql_query('SELECT p.message_from, p.message_to, p.subject, p.message_text, p.date, p.folder_name, u.signature FROM '.table_prefix.'privmsgs AS p LEFT JOIN '.table_prefix.'users AS u ON (p.message_from=u.username) WHERE message_id='.$id.''); - if(!$q) $db->_die('The message data could not be selected.'); + if ( !$q ) + { + $db->_die('The message data could not be selected.'); + } $r = $db->fetchrow(); $db->free_result(); - if( ($r['message_to'] != $session->username && $r['message_from'] != $session->username ) || $r['folder_name']=='drafts' ) die_friendly('Access denied', 'You are not authorized to view this message.
'); - if($r['message_to'] == $session->username) + if ( ($r['message_to'] != $session->username && $r['message_from'] != $session->username ) || $r['folder_name']=='drafts' ) + { + die_friendly('Access denied', 'You are not authorized to view this message.
'); + } + if ( $r['message_to'] == $session->username ) { $q = $db->sql_query('UPDATE '.table_prefix.'privmsgs SET message_read=1 WHERE message_id='.$id.''); $db->free_result(); - if(!$q) $db->_die('Could not mark message as read'); + if ( !$q ) + { + $db->_die('Could not mark message as read'); + } } $template->header(); userprefs_show_menu(); @@ -69,7 +87,7 @@Invalid message ID
'); + if ( !preg_match('#^([0-9]+)$#', $id) ) + { + die_friendly('Message error', 'Invalid message ID
'); + } $q = $db->sql_query('SELECT message_to FROM '.table_prefix.'privmsgs WHERE message_id='.$id.''); - if(!$q) $db->_die('The message data could not be selected.'); + if ( !$q ) + { + $db->_die('The message data could not be selected.'); + } $r = $db->fetchrow(); $db->free_result(); - if($r['message_to'] != $session->username) die_friendly('Access denied', 'You are not authorized to alter this message.
'); + if ( $r['message_to'] != $session->username ) + { + die_friendly('Access denied', 'You are not authorized to alter this message.
'); + } $fname = $argv[2]; - if(!$fname || ( $fname != 'Inbox' && $fname != 'Outbox' && $fname != 'Sent' && $fname != 'Drafts' && $fname != 'Archive' ) ) die_friendly('Invalid request', 'The folder name "'.$fname.'" is invalid.
'); + if ( !$fname || ( $fname != 'Inbox' && $fname != 'Outbox' && $fname != 'Sent' && $fname != 'Drafts' && $fname != 'Archive' ) ) + { + die_friendly('Invalid request', 'The folder name "'.$fname.'" is invalid.
'); + } $q = $db->sql_query('UPDATE '.table_prefix.'privmsgs SET folder_name=\''.strtolower($fname).'\' WHERE message_id='.$id.';'); $db->free_result(); - if(!$q) $db->_die('The message was not successfully moved.'); + if ( !$q ) + { + $db->_die('The message was not successfully moved.'); + } die_friendly('Message status', 'Your message has been moved to the folder "'.$fname.'".
'); break; case 'Delete': $id = $argv[1]; - if(!preg_match('#^([0-9]+)$#', $id)) die_friendly('Message error', 'Invalid message ID
'); + if ( !preg_match('#^([0-9]+)$#', $id) ) + { + die_friendly('Message error', 'Invalid message ID
'); + } $q = $db->sql_query('SELECT message_to FROM '.table_prefix.'privmsgs WHERE message_id='.$id.''); - if(!$q) $db->_die('The message data could not be selected.'); + if ( !$q ) + { + $db->_die('The message data could not be selected.'); + } $r = $db->fetchrow(); - if($r['message_to'] != $session->username) die_friendly('Access denied', 'You are not authorized to delete this message.
'); + if ( $r['message_to'] != $session->username ) + { + die_friendly('Access denied', 'You are not authorized to delete this message.
'); + } $q = $db->sql_query('DELETE FROM '.table_prefix.'privmsgs WHERE message_id='.$id.';'); - if(!$q) $db->_die('The message was not successfully deleted.'); + if ( !$q ) + { + $db->_die('The message was not successfully deleted.'); + } $db->free_result(); die_friendly('Message status', 'The message has been deleted.
'); break; case 'Compose': - if($argv[1]=='Send' && isset($_POST['_send'])) + if ( $argv[1]=='Send' && isset($_POST['_send']) ) { // Check each POST DATA parameter... if(!isset($_POST['to']) || ( isset($_POST['to']) && $_POST['to'] == '')) die_friendly('Sending of message failed', 'Please enter the username to which you want to send your message.
'); @@ -191,10 +236,26 @@ ?>Compose new private message | |
---|---|
To: Separate multiple names with a single comma; you can send this message to up to users. | username_field('to', (isset($_POST['_savedraft'])) ? $_POST['to'] : $to ); ?> |
Subject: | |
Message: | |
Compose new private message | +|
+ To: + Separate multiple names with a single comma; you + may send this message to up to users. + |
+ + username_field('to', (isset($_POST['_savedraft'])) ? $_POST['to'] : $to ); ?> + | +
+ Subject: + | ++ |
Message: | |
Edit draft | |
---|---|
To: Separate multiple names with a single comma | |
Subject: | |
Message: | |
To: Separate multiple names with a single comma | |
Subject: | |
Message: | |
It looks like your administration session is invalid or you are not authorized to access this administration page. Please re-authenticate to continue.
'; + $login_link = makeUrlNS('Special', 'Login/' . $paths->nslist['Special'] . 'Administration', 'level=' . USER_LEVEL_ADMIN, true); + echo '' . $lang->get('adm_err_not_auth_body', array( 'login_link' => $login_link )) . '
'; return; } @@ -115,9 +118,12 @@ function page_Admin_GeneralConfig() { global $db, $session, $paths, $template, $plugins; // Common objects + global $lang; if ( $session->auth_level < USER_LEVEL_ADMIN || $session->user_level < USER_LEVEL_ADMIN ) { - echo 'It looks like your administration session is invalid or you are not authorized to access this administration page. Please re-authenticate to continue.
'; + $login_link = makeUrlNS('Special', 'Login/' . $paths->nslist['Special'] . 'Administration', 'level=' . USER_LEVEL_ADMIN, true); + echo '' . $lang->get('adm_err_not_auth_body', array( 'login_link' => $login_link )) . '
'; return; } @@ -203,6 +209,16 @@ setConfig('pw_strength_minimum', $strength); } + // Account lockout policy + if ( preg_match('/^[0-9]+$/', $_POST['lockout_threshold']) ) + setConfig('lockout_threshold', $_POST['lockout_threshold']); + + if ( preg_match('/^[0-9]+$/', $_POST['lockout_duration']) ) + setConfig('lockout_duration', $_POST['lockout_duration']); + + if ( in_array($_POST['lockout_policy'], array('disable', 'captcha', 'lockout')) ) + setConfig('lockout_policy', $_POST['lockout_policy']); + echo 'It looks like your administration session is invalid or you are not authorized to access this administration page. Please re-authenticate to continue.
'; + $login_link = makeUrlNS('Special', 'Login/' . $paths->nslist['Special'] . 'Administration', 'level=' . USER_LEVEL_ADMIN, true); + echo '' . $lang->get('adm_err_not_auth_body', array( 'login_link' => $login_link )) . '
'; return; } @@ -581,9 +637,12 @@ function page_Admin_PluginManager() { global $db, $session, $paths, $template, $plugins; // Common objects + global $lang; if ( $session->auth_level < USER_LEVEL_ADMIN || $session->user_level < USER_LEVEL_ADMIN ) { - echo 'It looks like your administration session is invalid or you are not authorized to access this administration page. Please re-authenticate to continue.
'; + $login_link = makeUrlNS('Special', 'Login/' . $paths->nslist['Special'] . 'Administration', 'level=' . USER_LEVEL_ADMIN, true); + echo '' . $lang->get('adm_err_not_auth_body', array( 'login_link' => $login_link )) . '
'; return; } @@ -722,9 +781,12 @@ function page_Admin_UploadAllowedMimeTypes() { global $db, $session, $paths, $template, $plugins; // Common objects + global $lang; if ( $session->auth_level < USER_LEVEL_ADMIN || $session->user_level < USER_LEVEL_ADMIN ) { - echo 'It looks like your administration session is invalid or you are not authorized to access this administration page. Please re-authenticate to continue.
'; + $login_link = makeUrlNS('Special', 'Login/' . $paths->nslist['Special'] . 'Administration', 'level=' . USER_LEVEL_ADMIN, true); + echo '' . $lang->get('adm_err_not_auth_body', array( 'login_link' => $login_link )) . '
'; return; } @@ -785,9 +847,12 @@ function page_Admin_Sidebar() { global $db, $session, $paths, $template, $plugins; // Common objects + global $lang; if ( $session->auth_level < USER_LEVEL_ADMIN || $session->user_level < USER_LEVEL_ADMIN ) { - echo 'It looks like your administration session is invalid or you are not authorized to access this administration page. Please re-authenticate to continue.
'; + $login_link = makeUrlNS('Special', 'Login/' . $paths->nslist['Special'] . 'Administration', 'level=' . USER_LEVEL_ADMIN, true); + echo '' . $lang->get('adm_err_not_auth_body', array( 'login_link' => $login_link )) . '
'; return; } @@ -842,9 +907,12 @@ /* function page_Admin_UserManager() { global $db, $session, $paths, $template, $plugins; // Common objects + global $lang; if ( $session->auth_level < USER_LEVEL_ADMIN || $session->user_level < USER_LEVEL_ADMIN ) { - echo 'It looks like your administration session is invalid or you are not authorized to access this administration page. Please re-authenticate to continue.
'; + $login_link = makeUrlNS('Special', 'Login/' . $paths->nslist['Special'] . 'Administration', 'level=' . USER_LEVEL_ADMIN, true); + echo '' . $lang->get('adm_err_not_auth_body', array( 'login_link' => $login_link )) . '
'; return; } @@ -1112,9 +1180,12 @@ function page_Admin_GroupManager() { global $db, $session, $paths, $template, $plugins; // Common objects + global $lang; if ( $session->auth_level < USER_LEVEL_ADMIN || $session->user_level < USER_LEVEL_ADMIN ) { - echo 'It looks like your administration session is invalid or you are not authorized to access this administration page. Please re-authenticate to continue.
'; + $login_link = makeUrlNS('Special', 'Login/' . $paths->nslist['Special'] . 'Administration', 'level=' . USER_LEVEL_ADMIN, true); + echo '' . $lang->get('adm_err_not_auth_body', array( 'login_link' => $login_link )) . '
'; return; } @@ -1471,9 +1542,12 @@ function page_Admin_COPPA() { global $db, $session, $paths, $template, $plugins; // Common objects + global $lang; if ( $session->auth_level < USER_LEVEL_ADMIN || $session->user_level < USER_LEVEL_ADMIN ) { - echo 'It looks like your administration session is invalid or you are not authorized to access this administration page. Please re-authenticate to continue.
'; + $login_link = makeUrlNS('Special', 'Login/' . $paths->nslist['Special'] . 'Administration', 'level=' . USER_LEVEL_ADMIN, true); + echo '' . $lang->get('adm_err_not_auth_body', array( 'login_link' => $login_link )) . '
'; return; } @@ -1544,9 +1618,12 @@ function page_Admin_PageManager() { global $db, $session, $paths, $template, $plugins; // Common objects + global $lang; if ( $session->auth_level < USER_LEVEL_ADMIN || $session->user_level < USER_LEVEL_ADMIN ) { - echo 'It looks like your administration session is invalid or you are not authorized to access this administration page. Please re-authenticate to continue.
'; + $login_link = makeUrlNS('Special', 'Login/' . $paths->nslist['Special'] . 'Administration', 'level=' . USER_LEVEL_ADMIN, true); + echo '' . $lang->get('adm_err_not_auth_body', array( 'login_link' => $login_link )) . '
'; return; } @@ -1740,9 +1817,12 @@ function page_Admin_PageEditor() { global $db, $session, $paths, $template, $plugins; // Common objects + global $lang; if ( $session->auth_level < USER_LEVEL_ADMIN || $session->user_level < USER_LEVEL_ADMIN ) { - echo 'It looks like your administration session is invalid or you are not authorized to access this administration page. Please re-authenticate to continue.
'; + $login_link = makeUrlNS('Special', 'Login/' . $paths->nslist['Special'] . 'Administration', 'level=' . USER_LEVEL_ADMIN, true); + echo '' . $lang->get('adm_err_not_auth_body', array( 'login_link' => $login_link )) . '
'; return; } @@ -1840,9 +1920,12 @@ { global $db, $session, $paths, $template, $plugins; // Common objects + global $lang; if ( $session->auth_level < USER_LEVEL_ADMIN || $session->user_level < USER_LEVEL_ADMIN ) { - echo 'It looks like your administration session is invalid or you are not authorized to access this administration page. Please re-authenticate to continue.
'; + $login_link = makeUrlNS('Special', 'Login/' . $paths->nslist['Special'] . 'Administration', 'level=' . USER_LEVEL_ADMIN, true); + echo '' . $lang->get('adm_err_not_auth_body', array( 'login_link' => $login_link )) . '
'; return; } @@ -2103,15 +2186,18 @@ function page_Admin_BanControl() { global $db, $session, $paths, $template, $plugins; // Common objects + global $lang; if ( $session->auth_level < USER_LEVEL_ADMIN || $session->user_level < USER_LEVEL_ADMIN ) { - echo 'It looks like your administration session is invalid or you are not authorized to access this administration page. Please re-authenticate to continue.
'; + $login_link = makeUrlNS('Special', 'Login/' . $paths->nslist['Special'] . 'Administration', 'level=' . USER_LEVEL_ADMIN, true); + echo '' . $lang->get('adm_err_not_auth_body', array( 'login_link' => $login_link )) . '
'; return; } if(isset($_GET['action']) && $_GET['action'] == 'delete' && isset($_GET['id']) && $_GET['id'] != '') { - $e = $db->sql_query('DELETE FROM '.table_prefix.'banlist WHERE ban_id=' . $db->escape($_GET['id']) . ''); + $e = $db->sql_query('DELETE FROM '.table_prefix.'banlist WHERE ban_id=' . intval($_GET['id']) . ''); if(!$e) $db->_die('The ban list entry was not deleted.'); } if(isset($_POST['create']) && !defined('ENANO_DEMO_MODE')) @@ -2215,9 +2301,12 @@ function page_Admin_MassEmail() { global $db, $session, $paths, $template, $plugins; // Common objects + global $lang; if ( $session->auth_level < USER_LEVEL_ADMIN || $session->user_level < USER_LEVEL_ADMIN ) { - echo 'It looks like your administration session is invalid or you are not authorized to access this administration page. Please re-authenticate to continue.
'; + $login_link = makeUrlNS('Special', 'Login/' . $paths->nslist['Special'] . 'Administration', 'level=' . USER_LEVEL_ADMIN, true); + echo '' . $lang->get('adm_err_not_auth_body', array( 'login_link' => $login_link )) . '
'; return; } @@ -2431,9 +2520,12 @@ function page_Admin_DBBackup() { global $db, $session, $paths, $template, $plugins; // Common objects + global $lang; if ( $session->auth_level < USER_LEVEL_ADMIN || $session->user_level < USER_LEVEL_ADMIN ) { - echo 'It looks like your administration session is invalid or you are not authorized to access this administration page. Please re-authenticate to continue.
'; + $login_link = makeUrlNS('Special', 'Login/' . $paths->nslist['Special'] . 'Administration', 'level=' . USER_LEVEL_ADMIN, true); + echo '' . $lang->get('adm_err_not_auth_body', array( 'login_link' => $login_link )) . '
'; return; } @@ -2535,9 +2627,12 @@ function page_Admin_AdminLogout() { global $db, $session, $paths, $template, $plugins; // Common objects + global $lang; if ( $session->auth_level < USER_LEVEL_ADMIN || $session->user_level < USER_LEVEL_ADMIN ) { - echo 'It looks like your administration session is invalid or you are not authorized to access this administration page. Please re-authenticate to continue.
'; + $login_link = makeUrlNS('Special', 'Login/' . $paths->nslist['Special'] . 'Administration', 'level=' . USER_LEVEL_ADMIN, true); + echo '' . $lang->get('adm_err_not_auth_body', array( 'login_link' => $login_link )) . '
'; return; } @@ -2548,6 +2643,7 @@ function page_Special_Administration() { global $db, $session, $paths, $template, $plugins; // Common objects + global $lang; if($session->auth_level < USER_LEVEL_ADMIN) { redirect(makeUrlNS('Special', 'Login/'.$paths->page, 'level='.USER_LEVEL_ADMIN), 'Not authorized', 'You need an authorization level of '.USER_LEVEL_ADMIN.' to use this page, your auth level is: ' . $session->auth_level, 0); @@ -2573,7 +2669,7 @@ } if ( t == namespace_list.Admin + 'AdminLogout' ) { - var mb = new messagebox(MB_YESNO|MB_ICONQUESTION, 'Are you sure you want to de-authenticate?', 'If you de-authenticate, you will no longer be able to use the administration panel until you re-authenticate again. You may do so at any time using the Administration button on the sidebar.'); + var mb = new messagebox(MB_YESNO|MB_ICONQUESTION, $lang.get('user_logout_confirm_title_elev'), $lang.get('user_logout_confirm_body_elev')); mb.onclick['Yes'] = function() { var tigraentry = document.getElementById('i_div0_0').parentNode; var tigraobj = $(tigraentry); @@ -2685,7 +2781,7 @@ } else { - echo 'About the Enano Content Management System | |
---|---|
This website is powered by Enano, the lightweight and open source - CMS that everyone can use. Enano is copyright © 2006-2007 Dan Fuhry. For legal information, along with a list of libraries that Enano - uses, please see Legal Information. -The developers and maintainers of Enano strongly believe that software should not only be free to use, but free to be modified, - distributed, and used to create derivative works. For more information about Free Software, check out the - Wikipedia page or - the Free Software Foundation's homepage. -This program is Free Software; you can redistribute it and/or modify it under the terms of the GNU General Public License - as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. -This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied - warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for details. -You should have received a copy of - the GNU General Public License along with this program; if not, write to: -Free Software Foundation, Inc., Alternatively, you can read it online. + | |
+ get('meta_enano_about_poweredby');
+ $subst = array(
+ 'gpl_link' => makeUrlNS('Special', 'GNU_General_Public_License')
+ );
+ echo $lang->get('meta_enano_about_gpl', $subst);
+ if ( $lang->lang_code != 'eng' ):
+ // Do not remove this block of code. Doing so is a violation of the GPL. (A copy of the GPL in other languages
+ // must be accompanied by a copy of the English GPL.)
+ ?>
+ (English)++ This website is powered by Enano, the lightweight and open source CMS that everyone can use. + Enano is copyright © 2006-2007 Dan Fuhry. For legal information, along with a list of libraries that Enano uses, please + see Legal Information. + ++ The developers and maintainers of Enano strongly believe that software should not only be free to use, but free to be modified, + distributed, and used to create derivative works. For more information about Free Software, check out the + Wikipedia page or + the Free Software Foundation's homepage. + ++ This program is Free Software; you can redistribute it and/or modify it under the terms of the GNU General Public License + as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. + ++ This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied + warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for details. + ++ You should have received a copy of + the GNU General Public License along with this program; if not, write to: + +
+ Free Software Foundation, Inc., + Alternatively, you can read it online. + + | |
@@ -417,11 +448,11 @@ |