<?php
/*
* Decir
* Version 0.1
* Copyright (C) 2007 Dan Fuhry
* posting.php - post topics and replies
*
* This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied
* warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for details.
*/
require('common.php');
require('bbcode.php');
//
// Set mode and parameters
//
$mode = 'topic';
if ( $paths->getParam(1) )
{
$n = strtolower($paths->getParam(1));
if ( $n == 'reply' || $n == 'post' )
{
$mode = 'reply';
}
elseif ( $n == 'quote' )
{
$mode = 'quote';
}
}
// Set the parameters for posting, then encrypt it so we don't have to do authorization checks again
// Why? Because it's better than going through some session system for postings where the data is stored on the server
// We already have AES encryption - might as well use it ;-)
$aes = new AESCrypt(AES_BITS, AES_BLOCKSIZE);
$do_preview = false;
if ( isset($_GET['act']) && $_GET['act'] == 'post' )
{
if ( !is_array($_POST['do']) )
die('Hacking attempt');
if ( isset($_POST['do']['preview']) )
{
$do_preview = true;
$parms = $_POST['authorization'];
$parms2 = $aes->decrypt($parms, $session->private_key, ENC_HEX);
if ( !$parms2 || substr($parms2, 0, 1) != 'a' )
{
die('Hacking attempt: ' . $parms2);
}
$parms2 = unserialize($parms2);
$mode = 'already_taken_care_of';
}
else if ( isset($_POST['do']['post']) )
{
$errors = Array();
// Decrypt authorization array
$parms = $aes->decrypt($_POST['authorization'], $session->private_key, ENC_HEX);
if ( !$parms )
$errors[] = 'Could not decrypt authorization key.';
$parms = unserialize($parms);
// Perform a little input validation
if ( empty($_POST['post_text']) )
$errors[] = 'Please enter a post.';
if ( empty($_POST['subject']) && $parms['mode'] == 'topic' )
$errors[] = 'Please enter a topic title.';
// It's OK to trust this! The auth key is encrypted with the site's private key.
if ( !$parms['authorized'] )
$errors[] = 'Invalid authorization key';
// If the user isn't logged in, check the CAPTCHA code
if ( !$session->user_logged_in )
{
$captcha_hash = $_POST['captcha_hash'];
$captcha_code = $_POST['captcha_code'];
$real_code = $session->get_captcha($captcha_hash);
if ( $real_code != $captcha_code )
$errors[] = 'The confirmation code you entered was incorrect.';
}
if ( sizeof($errors) < 1 )
{
// Collect other options
// Submit post
if ( $parms['mode'] == 'reply' || $parms['mode'] == 'quote' )
{
$result = decir_submit_post($parms['topic_in'], $_POST['subject'], $_POST['post_text'], $post_id);
if ( $result )
{
// update forum stats
$user = $db->escape($session->username);
$q = $db->sql_query('UPDATE '.table_prefix."decir_forums SET num_posts = num_posts+1, last_post_id = $post_id, last_post_topic = {$parms['topic_in']}, last_post_user = $session->user_id WHERE forum_id={$parms['forum_in']};");
if ( !$q )
{
$db->_die('Decir posting.php under Submit post [reply]');
}
$url = makeUrlNS('Special', 'Forum/Topic/' . $parms['topic_in'], false, true);
redirect($url, 'Post submitted', 'Your post has been submitted successfully.', 4);
}
}
else if ( $parms['mode'] == 'topic' )
{
$result = decir_submit_topic($parms['forum_id'], $_POST['subject'], $_POST['post_text'], $topic_id, $post_id);
if ( $result )
{
// update forum stats
$q = $db->sql_query('UPDATE '.table_prefix."decir_forums SET num_posts = num_posts+1, num_topics = num_topics+1, last_post_id = $post_id, last_post_topic = $topic_id, last_post_user = $session->user_id WHERE forum_id={$parms['forum_id']};");
if ( !$q )
{
$db->_die('Decir posting.php under Submit post [topic]');
}
$url = makeUrlNS('Special', 'Forum/Topic/' . $topic_id, false, true);
redirect($url, 'Post submitted', 'Your post has been submitted successfully.', 4);
}
}
return;
}
$mode = 'already_taken_care_of';
$parms2 = $parms;
$parms = htmlspecialchars($_POST['authorization']);
}
}
if ( $mode == 'reply' || $mode == 'quote' )
{
if ( $mode == 'reply' )
{
$message = '';
$subject = '';
// Validate topic ID
$topic_id = intval($paths->getParam(2));
if ( empty($topic_id) )
die_friendly('Error', '<p>Invalid topic ID</p>');
$title = 'Reply to topic';
}
else if ( $mode == 'quote' )
{
/**
* @FIXME: validate read permissions
*/
$post_id = intval($paths->getParam(2));
if ( empty($post_id) )
die_friendly('Error', '<p>Invalid post ID</p>');
// Get post text and topic ID
$q = $db->sql_query('SELECT p.topic_id,t.post_text,t.bbcode_uid,p.poster_name,p.post_subject FROM '.table_prefix.'decir_posts AS p
LEFT JOIN '.table_prefix.'decir_posts_text AS t
ON ( p.post_id = t.post_id )
WHERE p.post_id=' . $post_id . ';');
if ( !$q )
$db->_die();
if ( $db->numrows() < 1 )
die_friendly('Error', '<p>The post you requested does not exist.</p>');
$row = $db->fetchrow();
$db->free_result();
$message = '[quote="' . $row['poster_name'] . '"]' . bbcode_strip_uid( $row['post_text'], $row['bbcode_uid'] ) . '[/quote]';
$subject = 'Re: ' . htmlspecialchars($row['post_subject']);
$quote_poster = $row['poster_name'];
$topic_id = intval($row['topic_id']);
$title = 'Reply to topic with quote';
}
// Topic ID is good, verify topic status
$q = $db->sql_query('SELECT topic_id,forum_id,topic_type,topic_locked,topic_moved FROM '.table_prefix.'decir_topics WHERE topic_id=' . $topic_id . ';');
if ( !$q )
$db->_die();
$row = $db->fetchrow();
$db->free_result();
$forum_perms = $session->fetch_page_acl($row['forum_id'], 'DecirForum');
$topic_perms = $session->fetch_page_acl($row['topic_id'], 'DecirTopic');
if ( !$forum_perms->get_permissions('decir_see_forum') )
die_friendly('Error', '<p>The forum you requested does not exist.</p>');
if ( !$topic_perms->get_permissions('decir_reply') )
die_friendly('Access denied', '<p>You are not allowed to post replies in this topic.</p>');
$forum_in = intval($row['forum_id']);
$topic_in = intval($row['topic_id']);
$parms = Array(
'mode' => $mode,
'forum_in' => $forum_in,
'topic_in' => $topic_in,
'timestamp' => time(),
'authorized' => true
);
$parms = serialize($parms);
$parms = $aes->encrypt($parms, $session->private_key, ENC_HEX);
}
else if ( $mode == 'topic' )
{
$message = '';
$subject = '';
// Validate topic ID
$forum_id = intval($paths->getParam(2));
if ( empty($forum_id) )
die_friendly('Error', '<p>Invalid forum ID</p>');
$title = 'Post new topic';
// Topic ID is good, verify topic status
$q = $db->sql_query('SELECT forum_id, forum_name FROM '.table_prefix.'decir_forums WHERE forum_id=' . $forum_id . ';');
if ( !$q )
$db->_die();
if ( $db->numrows() < 1 )
die_friendly('Error', '<p>The forum you requested does not exist.</p>');
$row = $db->fetchrow();
$db->free_result();
$forum_perms = $session->fetch_page_acl($row['forum_id'], 'DecirForum');
if ( !$forum_perms->get_permissions('decir_see_forum') )
die_friendly('Error', '<p>The forum you requested does not exist.</p>');
$parms = Array(
'mode' => $mode,
'forum_id' => $forum_id,
'timestamp' => time(),
'authorized' => true
);
$parms = serialize($parms);
$parms = $aes->encrypt($parms, $session->private_key, ENC_HEX);
}
else if ( $mode == 'already_taken_care_of' )
{
$mode = $parms2['mode'];
$title = ( $mode == 'topic' ) ? 'Post new topic' : ( ( $mode == 'reply' ) ? 'Reply to topic' : ( $mode == 'quote' ) ? 'Reply to topic with quote' : 'Duh...' );
}
else
{
die_friendly('Invalid request', '<p>Invalid action defined</p>');
}
$template->tpl_strings['PAGE_NAME'] = $title;
$template->add_header('<!-- DECIR BEGIN -->
<script type="text/javascript" src="' . scriptPath . '/decir/js/bbcedit.js"></script>
<script type="text/javascript" src="' . scriptPath . '/decir/js/colorpick/jquery.js"></script>
<script type="text/javascript" src="' . scriptPath . '/decir/js/colorpick/farbtastic.js"></script>
<link rel="stylesheet" type="text/css" href="' . scriptPath . '/decir/js/bbcedit.css" />
<link rel="stylesheet" type="text/css" href="' . scriptPath . '/decir/js/colorpick/farbtastic.css" />
<!-- DECIR END -->');
$template->header();
if ( isset($errors) )
{
echo '<div class="error-box" style="margin: 10px 0;">
<b>Your post could not be submitted.</b>
<ul>
<li>' . implode("</li>\n <li>", $errors) . '</li>
</ul>
</div>';
}
if ( $do_preview )
{
$message = $_POST['post_text'];
$subject = htmlspecialchars($_POST['subject']);
$message_render = render_bbcode($message);
$message_render = RenderMan::smilieyize($message_render);
echo '<div style="border: 1px solid #222222; background-color: #F0F0F0; padding: 10px; max-height: 300px; clip: rect(0px,auto,auto,0px); overflow: auto; margin: 10px 0;">
<h2>Post preview</h2>
<p>' . $message_render . '</p>
</div>';
}
$url = makeUrlNS('Special', 'Forum/New', 'act=post', true);
echo '<br />
<form action="' . $url . '" method="post" enctype="multipart/form-data">';
echo '<div class="tblholder">
<table border="0" cellspacing="1" cellpadding="4">';
echo '<tr><td class="row2">Post subject:</td><td class="row1"><input name="subject" type="text" size="50" style="width: 100%;" value="' . $subject . '" /></td>';
if ( !$session->user_logged_in )
{
$hash = $session->make_captcha();
$captcha_url = makeUrlNS('Special', 'Captcha/' . $hash);
$captcha_img = "<img alt=\"If you cannot read this image please contact the site administrator for assistance.\" src=\"$captcha_url\" onclick=\"this.src=this.src+'/a';\" style=\"cursor: pointer;\" />";
echo '<tr><td class="row2" rowspan="2">Image verification:</td><td class="row1">' . $captcha_img . '</td></tr>';
echo '<tr><td class="row1">Please input the code you see in the image: <input type="hidden" name="captcha_hash" value="' . $hash . '" /><input type="text" name="captcha_code" size="8" /></td></tr>';
}
echo '<tr><td class="row3" colspan="2">';
echo '<textarea name="post_text" class="bbcode" rows="20" cols="80">' . $message . '</textarea>';
echo '</td></tr>';
echo '
<!-- This authorization code is encrypted with '.AES_BITS.'-bit AES. -->
';
echo '<tr><th colspan="2" class="subhead"><input type="hidden" name="authorization" value="' . $parms . '" />';
echo '<input type="submit" name="do[post]" value="Submit post" style="font-weight: bold;" /> <input type="submit" name="do[preview]" value="Show preview" /></th></tr>';
echo '</table></div>';
echo '</form>';
decir_show_footers();
$template->footer();
?>