What can I say? More progress. Mostly bugfixes and ACL stuff now. Which reminds me - don't use this release, there are quite a few access bugs in it right now.
--- a/decir/delete.php Wed Oct 17 21:52:27 2007 -0400
+++ b/decir/delete.php Wed Oct 17 23:17:09 2007 -0400
@@ -40,7 +40,8 @@
$tid = intval($row['topic_id']);
-$acl_type = ( $row['poster_id'] == $session->user_id && $session->user_logged_in ) ? 'decir_edit_own' : 'decir_edit_other';
+$own_post = ( $row['poster_id'] == $session->user_id && $session->user_logged_in );
+$acl_type = ( $own_post ) ? 'decir_edit_own' : 'decir_edit_other';
$post_perms = $session->fetch_page_acl(strval($pid), 'DecirPost');
if ( !$post_perms->get_permissions($acl_type) )
@@ -53,6 +54,15 @@
{
if ( isset($_POST['do']['delete']) )
{
+ // Check permissions (of course!)
+ $acl_type = ( $own_post
+ ? ( $_POST['delete_method'] == 'hard' ? 'decir_delete_own_post_hard' : 'decir_delete_own_post_soft' )
+ : ( $_POST['delete_method'] == 'hard' ? 'decir_delete_other_post_hard' : 'decir_delete_other_post_soft' )
+ );
+ if ( !$post_perms->get_permissions($acl_type) )
+ {
+ die_friendly('Error', '<p>You do not have access to perform this type of deletion on this post.</p>');
+ }
// Nuke it
$result = decir_delete_post($pid, $_POST['edit_reason'], ( $_POST['delete_method'] == 'hard' ));
if ( $result )
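Review bot: `$_POST['delete_method']` is read twice in the new permission check and a third time in the `decir_delete_post` call on the next line, each with a loose `==` and no `isset()`, so a missing field raises a notice and silently selects the soft path. Computing the flag once, `$hard_delete = ( isset($_POST['delete_method']) && $_POST['delete_method'] === 'hard' );`, and using it both to pick `$acl_type` and as the third argument keeps the permission that is checked tied to the action that is taken. The same nine lines are duplicated in edit.php; a small helper returning the rule name for (own, hard) would keep the two copies from drifting. The enclosing `if` block starts and ends outside the hunk.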
--- a/decir/edit.php Wed Oct 17 21:52:27 2007 -0400
+++ b/decir/edit.php Wed Oct 17 23:17:09 2007 -0400
@@ -39,7 +39,8 @@
$row = $db->fetchrow();
$db->free_result();
-$acl_type = ( $row['poster_id'] == $session->user_id && $session->user_logged_in ) ? 'decir_edit_own' : 'decir_edit_other';
+$own_post = ( $row['poster_id'] == $session->user_id && $session->user_logged_in );
+$acl_type = ( $own_post ) ? 'decir_edit_own' : 'decir_edit_other';
$post_perms = $session->fetch_page_acl(strval($pid), 'DecirPost');
if ( !$post_perms->get_permissions($acl_type) )
@@ -69,6 +70,15 @@
// Save changes
if ( isset($_POST['do']['delete']) )
{
+ // Check permissions (of course!)
+ $acl_type = ( $own_post
+ ? ( $_POST['delete_method'] == 'hard' ? 'decir_delete_own_post_hard' : 'decir_delete_own_post_soft' )
+ : ( $_POST['delete_method'] == 'hard' ? 'decir_delete_other_post_hard' : 'decir_delete_other_post_soft' )
+ );
+ if ( !$post_perms->get_permissions($acl_type) )
+ {
+ die_friendly('Error', '<p>You do not have access to perform this type of deletion on this post.</p>');
+ }
// Nuke it
$result = decir_delete_post($pid, $_POST['edit_reason']);
if ( $result )
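Review bot: The new check authorises a hard or soft delete from `$_POST['delete_method']`, but the call on the following line, `decir_delete_post($pid, $_POST['edit_reason'])`, passes no hard flag, unlike the delete.php call which passes `( $_POST['delete_method'] == 'hard' )`. As written a request with `delete_method=hard` is checked against the hard rule and then performed as whatever the function's default is (not visible here), so the authorised action and the performed action can differ. Either pass the flag here as delete.php does, or drop the hard branch of the check in this file so the two match. The enclosing `if` block begins and ends outside the hunk.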
--- a/decir/functions.php Wed Oct 17 21:52:27 2007 -0400
+++ b/decir/functions.php Wed Oct 17 23:17:09 2007 -0400
@@ -210,14 +210,18 @@
return false;
// Obtain a list of posts in the topic
- $q = $db->sql_query('SELECT post_id FROM '.table_prefix.'decir_posts WHERE topic_id = ' . $topic_id . ';');
+ $q = $db->sql_query('SELECT post_id, post_deleted FROM '.table_prefix.'decir_posts WHERE topic_id = ' . $topic_id . ';');
if ( !$q )
$db->_die('Decir functions.php in decir_delete_topic()');
if ( $db->numrows() < 1 )
return false;
$posts = array();
+ $del_count = 0;
while ( $row = $db->fetchrow() )
{
+ if ( $row['post_deleted'] == 1 )
+ // Don't decrement the post count for deleted posts
+ $del_count++;
$posts[] = $row['post_id'];
}
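Review bot: The new `if ( $row['post_deleted'] == 1 )` is followed by a comment line and then an unbraced `$del_count++;`; PHP accepts this, but the comment reads as the body, and the next maintainer who adds a statement there will silently change what the condition covers. Brace it, `if ( $row['post_deleted'] == 1 ) { $del_count++; }`, with the explanatory comment inside the braces. The same shape appears in the decir_restore_topic hunk below (`@@ -358,14 +362,18 @@`). The new query also still interpolates `$topic_id` into the SQL string; if the guard that returns false above the hunk does not already ensure it is an integer, wrapping it in `intval()` at this point is cheap insurance. Both functions begin before their hunk and continue after it.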
@@ -252,7 +256,7 @@
}
// Update forum stats
- $post_count = count($posts);
+ $post_count = count($posts) - $del_count;
$q = $db->sql_query('UPDATE '.table_prefix."decir_forums SET num_topics = num_topics - 1, num_posts = num_posts - $post_count WHERE forum_id = $forum_id;");
if ( !$q )
$db->_die('Decir functions.php in decir_delete_topic()');
@@ -358,14 +362,18 @@
return false;
// Obtain a list of posts in the topic
- $q = $db->sql_query('SELECT post_id FROM '.table_prefix.'decir_posts WHERE topic_id = ' . $topic_id . ';');
+ $q = $db->sql_query('SELECT post_id, post_deleted FROM '.table_prefix.'decir_posts WHERE topic_id = ' . $topic_id . ';');
if ( !$q )
$db->_die('Decir functions.php in decir_delete_topic()');
if ( $db->numrows() < 1 )
return false;
$posts = array();
+ $del_count = 0;
while ( $row = $db->fetchrow() )
{
+ if ( $row['post_deleted'] == 1 )
+ // Don't decrement the post count for deleted posts
+ $del_count++;
$posts[] = $row['post_id'];
}
@@ -379,7 +387,7 @@
$q = $db->sql_query('UPDATE ' . table_prefix . "decir_topics SET topic_deleted = 0, topic_deletor = NULL, topic_delete_reason = NULL WHERE topic_id = $topic_id;");
// Update forum stats
- $post_count = count($posts);
+ $post_count = count($posts) - $del_count;
$q = $db->sql_query('UPDATE '.table_prefix."decir_forums SET num_topics = num_topics + 1, num_posts = num_posts + $post_count WHERE forum_id = $forum_id;");
if ( !$q )
$db->_die('Decir functions.php in decir_restore_topic()');
--- a/decir/functions_viewtopic.php Wed Oct 17 21:52:27 2007 -0400
+++ b/decir/functions_viewtopic.php Wed Oct 17 23:17:09 2007 -0400
@@ -93,7 +93,9 @@
<span class="menuclear"></span>
{USER_TITLE}<br />
<br />
+ <!-- BEGIN user_is_registered -->
Joined: {REG_TIME}
+ <!-- END user_is_registered -->
<!-- BEGIN whos_online_support -->
<br />
<!-- BEGIN user_is_online -->
@@ -134,6 +136,11 @@
global $db, $session, $paths, $template, $plugins; // Common objects
global $whos_online;
+ if ( $row['deleted'] == 1 && !$session->get_permissions('decir_see_deleted_post') )
+ {
+ return '';
+ }
+
$poster_name = ( $row['poster_id'] == 1 ) ? $row['poster_name'] : $row['username'];
$datetime = date('F d, Y h:i a', $row['timestamp']);
$post_text = render_bbcode($row['post_text'], $row['bbcode_uid']);
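Review bot: The new early return tests `$row['deleted']`, but the later hunk in what appears to be the same method reads the same row's column as `post_deleted` (`'post_deleted' => ( $row['post_deleted'] == 1 )`). If `deleted` is not a key of `$row`, the condition is `null == 1`, the guard never fires, and a user without `decir_see_deleted_post` still has the deleted post rendered, with only the template's `show_post` flag hiding the body. Suggested: `if ( intval($row['post_deleted']) === 1 && !$session->get_permissions('decir_see_deleted_post') )`. Note too that this check goes through `$session->get_permissions()` while delete.php and edit.php authorise against `fetch_page_acl(..., 'DecirPost')` for the specific post; whether the session-level check reflects the per-post ACL depends on what the caller has loaded, which I cannot see here. The enclosing method starts before the hunk.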
@@ -201,13 +208,16 @@
{
$who_support = false;
}
+
+ // die('<pre>' . print_r($session, true) . '</pre>');
+
$this->parser->assign_bool(Array(
'whos_online_support' => $who_support,
'user_is_online' => $user_online,
'post_edited' => ( $row['edit_count'] > 0 ),
'post_deleted' => ( $row['post_deleted'] == 1 ),
- // FIXME: This should check something on ACLs
- 'show_post' => ( $row['post_deleted'] != 1 || $session->user_level >= USER_LEVEL_MOD )
+ 'show_post' => ( $session->get_permissions('decir_see_deleted_post_full') || $row['post_deleted'] != 1 ),
+ 'user_is_registered' => ( $row['poster_id'] > 1 )
));
return $this->parser->run();
}
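Review bot: A commented-out debug line, `// die('<pre>' . print_r($session, true) . '</pre>');`, is being committed; it dumps the entire session object when uncommented and should be deleted rather than left in. In the `show_post` flag the ACL lookup is evaluated first for every post, including the non-deleted majority; reordering to `'show_post' => ( $row['post_deleted'] != 1 || $session->get_permissions('decir_see_deleted_post_full') ),` short-circuits on the common case with the same result. The method's opening line is outside the hunk.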
--- a/decir/posting.php Wed Oct 17 21:52:27 2007 -0400
+++ b/decir/posting.php Wed Oct 17 23:17:09 2007 -0400
@@ -77,6 +77,16 @@
if ( !$parms['authorized'] )
$errors[] = 'Invalid authorization key';
+ // If the user isn't logged in, check the CAPTCHA code
+ if ( !$session->user_logged_in )
+ {
+ $captcha_hash = $_POST['captcha_hash'];
+ $captcha_code = $_POST['captcha_code'];
+ $real_code = $session->get_captcha($captcha_hash);
+ if ( $real_code != $captcha_code )
+ $errors[] = 'The confirmation code you entered was incorrect.';
+ }
+
if ( sizeof($errors) < 1 )
{
// Collect other options
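Review bot: The CAPTCHA comparison `if ( $real_code != $captcha_code )` is loose, so its outcome depends on what `get_captcha()` returns for a hash it does not recognise: if that is `false` or `null` (the implementation is not visible here), a submission with an empty `captcha_code` compares equal and the check passes without a code. Fail closed instead: `if ( !is_string($real_code) || $real_code === '' || !is_string($captcha_code) || $real_code !== $captcha_code )`, and read `$_POST['captcha_hash']` / `$_POST['captcha_code']` through `isset()` so a missing field counts as a wrong answer rather than raising a notice. It is also worth confirming that `get_captcha()` consumes the hash on first use, so one solved image does not satisfy repeated submissions. The surrounding validation block starts before the hunk and continues after it.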
@@ -137,7 +147,7 @@
{
/**
- * @TODO: validate read permissions
+ * @FIXME: validate read permissions
*/
$post_id = intval($paths->getParam(2));
@@ -288,6 +298,14 @@
echo '<div class="tblholder">
<table border="0" cellspacing="1" cellpadding="4">';
echo '<tr><td class="row2">Post subject:</td><td class="row1"><input name="subject" type="text" size="50" style="width: 100%;" value="' . $subject . '" /></td>';
+if ( !$session->user_logged_in )
+{
+ $hash = $session->make_captcha();
+ $captcha_url = makeUrlNS('Special', 'Captcha/' . $hash);
+ $captcha_img = "<img alt=\"If you cannot read this image please contact the site administrator for assistance.\" src=\"$captcha_url\" onclick=\"this.src=this.src+'/a';\" style=\"cursor: pointer;\" />";
+ echo '<tr><td class="row2" rowspan="2">Image verification:</td><td class="row1">' . $captcha_img . '</td></tr>';
+ echo '<tr><td class="row1">Please input the code you see in the image: <input type="hidden" name="captcha_hash" value="' . $hash . '" /><input type="text" name="captcha_code" size="8" /></td></tr>';
+}
echo '<tr><td class="row3" colspan="2">';
echo '<textarea name="post_text" class="bbcode" rows="20" cols="80">' . $message . '</textarea>';
echo '</td></tr>';
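Review bot: `$hash` from `make_captcha()` is written straight into an HTML attribute, `value="' . $hash . '"`, and into the image URL; it is server-generated, so this only matters if the hash alphabet is ever widened, but `htmlspecialchars($hash)` at both output points costs nothing and does not depend on what the generator happens to emit. The pre-existing `$subject` echo on the line above has the same shape and is outside this change. The enclosing output block continues past the hunk.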
--- a/decir/restoretopic.php Wed Oct 17 21:52:27 2007 -0400
+++ b/decir/restoretopic.php Wed Oct 17 23:17:09 2007 -0400
@@ -23,7 +23,7 @@
$tid = intval($tid);
// Obtain topic info
-$q = $db->sql_query('SELECT t.forum_id, t.topic_id, t.topic_deleted, t.topic_deletor, t.topic_delete_reason, u.username AS deletor FROM '.table_prefix.'decir_topics AS t
+$q = $db->sql_query('SELECT t.forum_id, t.topic_id, t.topic_deleted, t.topic_deletor, t.topic_starter, t.topic_delete_reason, u.username AS deletor FROM '.table_prefix.'decir_topics AS t
LEFT JOIN '.table_prefix.'users AS u
ON ( u.user_id = t.topic_deletor OR t.topic_deletor IS NULL )
WHERE t.topic_id='.$tid.';');
@@ -40,12 +40,10 @@
$tid = intval($row['topic_id']);
-// $acl_type = ( $row['poster_id'] == $session->user_id && $session->user_logged_in ) ? 'decir_edit_own' : 'decir_edit_other';
+$acl_type = ( $row['topic_starter'] == $session->user_id && $session->user_logged_in ) ? 'decir_undelete_own_topic' : 'decir_undelete_other_topic';
-// FIXME: This will eventually use an ACL rule
-
$post_perms = $session->fetch_page_acl(strval($pid), 'DecirPost');
-if ( $session->user_level < USER_LEVEL_MOD ) // ( !$post_perms->get_permissions($acl_type) )
+if ( !$post_perms->get_permissions($acl_type) )
{
die_friendly('Error', '<p>You do not have permission to restore this topic.</p>');
}
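Review bot: The permission is fetched with `fetch_page_acl(strval($pid), 'DecirPost')` while the rules it is checked against, `decir_undelete_own_topic` and `decir_undelete_other_topic`, are registered in plugins/Decir.php for the `DecirTopic` namespace only, and `$pid` is not assigned anywhere visible in this file — the lines above work with `$tid`. If `$pid` is indeed unset, the ACL is resolved for an empty page id in the wrong namespace, so the check decides on defaults rather than on this topic's ACL. Suggested: `$topic_perms = $session->fetch_page_acl(strval($tid), 'DecirTopic');` and `if ( !$topic_perms->get_permissions($acl_type) )`.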
--- a/plugins/Decir.php Wed Oct 17 21:52:27 2007 -0400
+++ b/plugins/Decir.php Wed Oct 17 23:17:09 2007 -0400
@@ -40,12 +40,26 @@
$paths->create_namespace('DecirPost', $paths->nslist['Special'] . 'Forum/Post/');
$paths->create_namespace('DecirTopic', $paths->nslist['Special'] . 'Forum/Topic/');
+ // Decir's ACL rules
+
$session->register_acl_type('decir_see_forum', AUTH_ALLOW, 'See forum in index', Array('read'), 'DecirForum');
$session->register_acl_type('decir_view_forum', AUTH_ALLOW, 'View forum', Array('decir_see_forum'), 'DecirForum');
$session->register_acl_type('decir_post', AUTH_ALLOW, 'Post new topics', Array('decir_view_forum'), 'DecirForum');
$session->register_acl_type('decir_reply', AUTH_ALLOW, 'Reply to topics', Array('decir_post'), 'DecirTopic');
$session->register_acl_type('decir_edit_own', AUTH_ALLOW, 'Edit own posts', Array('decir_post'), 'DecirPost');
$session->register_acl_type('decir_edit_other', AUTH_DISALLOW, 'Edit others\' posts', Array('decir_post'), 'DecirPost');
+ $session->register_acl_type('decir_delete_own_post_soft', AUTH_ALLOW, 'Delete own posts (soft)', Array('decir_edit_own'), 'DecirPost');
+ $session->register_acl_type('decir_delete_own_post_hard', AUTH_DISALLOW, 'Delete own posts (hard)', Array('decir_delete_own_post_soft'), 'DecirPost');
+ $session->register_acl_type('decir_delete_other_post_soft', AUTH_DISALLOW, 'Delete others\' posts (soft)', Array('decir_edit_other'), 'DecirPost');
+ $session->register_acl_type('decir_delete_other_post_hard', AUTH_DISALLOW, 'Delete others\' posts (hard)', Array('decir_delete_other_post_soft'), 'DecirPost');
+ $session->register_acl_type('decir_undelete_own_post', AUTH_DISALLOW, 'Undelete own posts', Array('decir_edit_own'), 'DecirPost');
+ $session->register_acl_type('decir_undelete_other_post', AUTH_DISALLOW, 'Undelete others\' posts', Array('decir_edit_other'), 'DecirPost');
+ $session->register_acl_type('decir_undelete_own_topic', AUTH_DISALLOW, 'Undelete own topics', Array('read'), 'DecirTopic');
+ $session->register_acl_type('decir_undelete_other_topic', AUTH_DISALLOW, 'Undelete others\' topics', Array('read'), 'DecirTopic');
+ $session->register_acl_type('decir_see_deleted_post', AUTH_ALLOW, 'See placeholders for deleted posts', Array('read'), 'Special|DecirPost|DecirTopic|DecirForum');
+ $session->register_acl_type('decir_see_deleted_post_full', AUTH_DISALLOW, 'Read the full contents of deleted posts', Array('decir_see_deleted_post'), 'Special|DecirPost|DecirTopic|DecirForum');
+ $session->register_acl_type('decir_see_deleted_topic', AUTH_ALLOW, 'See placeholders for deleted topics', Array('read'), 'DecirTopic|DecirForum');
+ $session->register_acl_type('decir_see_deleted_topic_full', AUTH_DISALLOW, 'Read the full contents of deleted topics', Array('decir_see_deleted_topic'), 'DecirTopic|DecirForum');
}
function page_Special_Forum()
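Review bot: The new registrations are a dozen positional five-argument calls whose only explanation is `// Decir's ACL rules`; a one-line legend above the list, such as `// register_acl_type(rule name, default (AUTH_ALLOW / AUTH_DISALLOW), label for the ACL editor, rules this one presumably depends on, namespaces it applies to)` — with the fourth argument's meaning confirmed against register_acl_type() — would let a reader audit the defaults without opening the session class. Two things to confirm while doing so: `decir_undelete_own_post` and `decir_undelete_other_post` are registered here but nothing in this diff consults them, and `decir_see_deleted_post` is defined for `Special|DecirPost|DecirTopic|DecirForum` yet functions_viewtopic.php reads it through `$session->get_permissions()` rather than a page-specific ACL. The enclosing function starts before the hunk.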