<?php

/*

 * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between

 * Version 1.0.2 (Coblynau)

 * Copyright (C) 2006-2007 Dan Fuhry

 * pageutils.php - a class that handles raw page manipulations, used mostly by AJAX requests or their old-fashioned form-based counterparts

 *

 * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License

 * as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

 *

 * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied

 * warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for details.

 */

class PageUtils {

  /**

   * Tell if a username is used or not.

   * @param $name the name to check for

   * @return string

   */

  function checkusername($name)

  {

    global $db, $session, $paths, $template, $plugins; // Common objects

    $name = str_replace('_', ' ', $name);

    $q = $db->sql_query('SELECT username FROM ' . table_prefix.'users WHERE username=\'' . $db->escape(rawurldecode($name)) . '\'');

    if ( !$q )

    {

      die(mysql_error());

    }

    if ( $db->numrows() < 1)

    {

      $db->free_result(); return('good');

    }

    else

    {

      $db->free_result(); return('bad');

    }

  }

  /**

   * Get the wiki formatting source for a page

   * @param $page the full page id (Namespace:Pagename)

   * @return string

   * @todo (DONE) Make it require a password (just for security purposes)

   */

  function getsource($page, $password = false)

  {

    global $db, $session, $paths, $template, $plugins; // Common objects

    if(!isset($paths->pages[$page]))

    {

      return '';

    }

    if(strlen($paths->pages[$page]['password']) == 40)

    {

      if(!$password || ( $password != $paths->pages[$page]['password']))

      {

        return 'invalid_password';

      }

    }

    if(!$session->get_permissions('view_source')) // Dependencies handle this for us - this also checks for read privileges

      return 'access_denied';

    $pid = RenderMan::strToPageID($page);

    if($pid[1] == 'Special' || $pid[1] == 'Admin')

    {

      die('This type of page (' . $paths->nslist[$pid[1]] . ') cannot be edited because the page source code is not stored in the database.');

    }

    $e = $db->sql_query('SELECT page_text,char_tag FROM ' . table_prefix.'page_text WHERE page_id=\'' . $pid[0] . '\' AND namespace=\'' . $pid[1] . '\'');

    if ( !$e )

    {

      $db->_die('The page text could not be selected.');

    }

    if( $db->numrows() < 1 )

    {

      return ''; //$db->_die('There were no rows in the text table that matched the page text query.');

    }

    $r = $db->fetchrow();

    $db->free_result();

    $message = $r['page_text'];

    return htmlspecialchars($message);

  }

  /**

   * Basically a frontend to RenderMan::getPage(), with the ability to send valid data for nonexistent pages

   * @param $page the full page id (Namespace:Pagename)

   * @param $send_headers true if the theme headers should be sent (still dependent on current page settings), false otherwise

   * @return string

   */

  function getpage($page, $send_headers = false, $hist_id = false)

  {

    die('PageUtils->getpage is deprecated.');

    global $db, $session, $paths, $template, $plugins; // Common objects

    ob_start();

    $pid = RenderMan::strToPageID($page);

    //die('<pre>'.print_r($pid, true).'</pre>');

    if(isset($paths->pages[$page]['password']) && strlen($paths->pages[$page]['password']) == 40)

    {

      password_prompt($page);

    }

    if(isset($paths->pages[$page]))

    {

      doStats($pid[0], $pid[1]);

    }

    if($paths->custom_page || $pid[1] == 'Special')

    {

      // If we don't have access to the page, get out and quick!

      if(!$session->get_permissions('read') && $pid[0] != 'Login' && $pid[0] != 'Register')

      {

        $template->tpl_strings['PAGE_NAME'] = 'Access denied';

        if ( $send_headers )

        {

          $template->header();

        }

        echo '<div class="error-box"><b>Access to this page is denied.</b><br />This may be because you are not logged in or you have not met certain criteria for viewing this page.</div>';

        if ( $send_headers )

        {

          $template->footer();

        }

        $r = ob_get_contents();

        ob_end_clean();

        return $r;

      }

      $fname = 'page_' . $pid[1] . '_' . $paths->pages[$page]['urlname_nons'];

      @call_user_func($fname);

    }

    else if ( $pid[1] == 'Admin' )

    {

      // If we don't have access to the page, get out and quick!

      if(!$session->get_permissions('read'))

      {

        $template->tpl_strings['PAGE_NAME'] = 'Access denied';

        if ( $send_headers )

        {

          $template->header();

        }

        echo '<div class="error-box"><b>Access to this page is denied.</b><br />This may be because you are not logged in or you have not met certain criteria for viewing this page.</div>';

        if ( $send_headers )

        {

          $template->footer();

        }

        $r = ob_get_contents();

        ob_end_clean();

        return $r;

      }

      $fname = 'page_' . $pid[1] . '_' . $pid[0];

      if ( !function_exists($fname) )

      {

        $title = 'Page backend not found';

        $message = "The administration page you are looking for was properly registered using the page API, but the backend function

                    (<tt>$fname</tt>) was not found. If this is a plugin page, then this is almost certainly a bug with the plugin.";

        if ( $send_headers )

        {

          die_friendly($title, "<p>$message</p>");

        }

        else

        {

          echo "<h2>$title</h2>\n<p>$message</p>";

        }

      }

      @call_user_func($fname);

    }

    else if ( !isset( $paths->pages[$page] ) )

    {

      ob_start();

      $code = $plugins->setHook('page_not_found');

      foreach ( $code as $cmd )

      {

        eval($cmd);

      }

      $text = ob_get_contents();

      if ( $text != '' )

      {

        ob_end_clean();

        return $text;

      }

      $template->header();

      if($m = $paths->sysmsg('Page_not_found'))

      {

        eval('?>'.RenderMan::render($m));

      }

      else

      {

        header('HTTP/1.1 404 Not Found');

        echo '<h3>There is no page with this title yet.</h3>

               <p>You have requested a page that doesn\'t exist yet.';

        if($session->get_permissions('create_page')) echo ' You can <a href="'.makeUrl($paths->page, 'do=edit', true).'" onclick="ajaxEditor(); return false;">create this page</a>, or return to the <a href="'.makeUrl(getConfig('main_page')).'">homepage</a>.';

        else echo ' Return to the <a href="'.makeUrl(getConfig('main_page')).'">homepage</a>.</p>';

        if ( $session->get_permissions('history_rollback') )

        {

          $e = $db->sql_query('SELECT * FROM ' . table_prefix.'logs WHERE action=\'delete\' AND page_id=\'' . $paths->cpage['urlname_nons'] . '\' AND namespace=\'' . $pid[1] . '\' ORDER BY time_id DESC;');

          if ( !$e )

          {

            $db->_die('The deletion log could not be selected.');

          }

          if ($db->numrows() > 0 )

          {

            $r = $db->fetchrow();

            echo '<p>This page also appears to have some log entries in the database - it seems that it was deleted on ' . $r['date_string'] . '. You can probably <a href="'.makeUrl($paths->page, 'do=rollback&amp;id=' . $r['time_id']) . '" onclick="ajaxRollback(\'' . $r['time_id'] . '\'); return false;">roll back</a> the deletion.</p>';

          }

          $db->free_result();

        }

        echo '<p>

                HTTP Error: 404 Not Found

              </p>';

      }

      $template->footer();

    }

    else

    {

      // If we don't have access to the page, get out and quick!

      if(!$session->get_permissions('read'))

      {

        $template->tpl_strings['PAGE_NAME'] = 'Access denied';

        if($send_headers) $template->header();

        echo '<div class="error-box"><b>Access to this page is denied.</b><br />This may be because you are not logged in or you have not met certain criteria for viewing this page.</div>';

        if($send_headers) $template->footer();

        $r = ob_get_contents();

        ob_end_clean();

        return $r;

      }

      ob_start();

      $code = $plugins->setHook('page_custom_handler');

      foreach ( $code as $cmd )

      {

        eval($cmd);

      }

      $text = ob_get_contents();

      if ( $text != '' )

      {

        ob_end_clean();

        return $text;

      }

      if ( $hist_id )

      {

        $e = $db->sql_query('SELECT page_text,date_string,char_tag FROM ' . table_prefix.'logs WHERE page_id=\'' . $paths->pages[$page]['urlname_nons'] . '\' AND namespace=\'' . $pid[1] . '\' AND log_type=\'page\' AND action=\'edit\' AND time_id=' . $db->escape($hist_id) . '');

        if($db->numrows() < 1)

        {

          $db->_die('There were no rows in the text table that matched the page text query.');

        }

        $r = $db->fetchrow();

        $db->free_result();

        $message = '<div class="info-box" style="margin-left: 0; margin-top: 5px;"><b>Notice:</b><br />The page you are viewing was archived on ' . $r['date_string'] . '.<br /><a href="'.makeUrl($page).'" onclick="ajaxReset(); return false;">View current version</a>  |  <a href="'.makeUrl($page, 'do=rollback&amp;id=' . $hist_id) . '" onclick="ajaxRollback(\'' . $hist_id . '\')">Restore this version</a></div><br />'.RenderMan::render($r['page_text']);

        if( !$paths->pages[$page]['special'] )

        {

          if($send_headers)

          {

            $template->header(); 

          }

          display_page_headers();

        }

        eval('?>' . $message);

        if( !$paths->pages[$page]['special'] )

        {

          display_page_footers();

          if($send_headers)

          {

            $template->footer();

          }

        }

      } else {

        if(!$paths->pages[$page]['special'])

        {

          $message = RenderMan::getPage($paths->pages[$page]['urlname_nons'], $pid[1]);

        }

        else

        {

          $message = RenderMan::getPage($paths->pages[$page]['urlname_nons'], $pid[1], 0, false, false, false, false);

        }

        // This line is used to debug wikiformatted code

        // die('<pre>'.htmlspecialchars($message).'</pre>');

        if( !$paths->pages[$page]['special'] )

        {

          if($send_headers)

          {

            $template->header(); 

          }

          display_page_headers();

        }

        // This is it, this is what all of Enano has been working up to...

        eval('?>' . $message);

        if( !$paths->pages[$page]['special'] )

        {

          display_page_footers();

          if($send_headers)

          {

            $template->footer();

          }

        }

      }

    }

    $ret = ob_get_contents();

    ob_end_clean();

    return $ret;

  }

  /**

   * Writes page data to the database, after verifying permissions and running the XSS filter

   * @param $page_id the page ID

   * @param $namespace the namespace

   * @param $message the text to save

   * @return string

   */

  function savepage($page_id, $namespace, $message, $summary = 'No edit summary given', $minor = false)

  {

    global $db, $session, $paths, $template, $plugins; // Common objects

    $uid = sha1(microtime());

    $pname = $paths->nslist[$namespace] . $page_id;

    if(!$session->get_permissions('edit_page'))

      return 'Access to edit pages is denied.';

    if(!isset($paths->pages[$pname]))

    {

      $create = PageUtils::createPage($page_id, $namespace);

      if ( $create != 'good' )

        return 'The page did not exist, and I was not able to create it. The reported error was: ' . $create;

      $paths->page_exists = true;

    }

    // Check page protection

    $is_protected = false;

    $page_data =& $paths->pages[$pname];

    // Is the protection semi?

    if ( $page_data['protected'] == 2 )

    {

      $is_protected = true;

      // Page is semi-protected. Has the user been here for at least 4 days?

      // 345600 seconds = 4 days

      if ( $session->user_logged_in && ( $session->reg_time + 345600 ) <= time() )

        $is_protected = false;

    }

    // Is the protection full?

    else if ( $page_data['protected'] == 1 )

    {

      $is_protected = true;

    }

    // If it's protected and we DON'T have even_when_protected rights, bail out

    if ( $is_protected && !$session->get_permissions('even_when_protected') )

    {

      return 'You don\'t have the necessary permissions to edit this page.';

    }

    // We're skipping the wiki mode check here because by default edit_page pemissions are AUTH_WIKIMODE.

    // The exception here is the user's own userpage, which is overridden at the time of account creation.

    // At that point it's set to AUTH_ALLOW, but obviously only for the user's own userpage.

    // Strip potentially harmful tags and PHP from the message, dependent upon permissions settings

    $message = RenderMan::preprocess_text($message, false, false);

    $msg = $db->escape($message);

    $minor = $minor ? 'true' : 'false';

    $q='INSERT INTO ' . table_prefix.'logs(log_type,action,time_id,date_string,page_id,namespace,page_text,char_tag,author,edit_summary,minor_edit) VALUES(\'page\', \'edit\', '.time().', \''.date('d M Y h:i a').'\', \'' . $paths->cpage['urlname_nons'] . '\', \'' . $paths->namespace . '\', \'' . $msg . '\', \'' . $uid . '\', \'' . $session->username . '\', \'' . $db->escape(htmlspecialchars($summary)) . '\', ' . $minor . ');';

    if(!$db->sql_query($q)) $db->_die('The history (log) entry could not be inserted into the logs table.');

    $q = 'UPDATE ' . table_prefix.'page_text SET page_text=\'' . $msg . '\',char_tag=\'' . $uid . '\' WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\';';

    $e = $db->sql_query($q);

    if(!$e) $db->_die('Enano was unable to save the page contents. Your changes have been lost <tt>:\'(</tt>.');

    $paths->rebuild_page_index($page_id, $namespace);

    return 'good';

  }

  /**

   * Creates a page, both in memory and in the database.

   * @param string $page_id

   * @param string $namespace

   * @return bool true on success, false on failure

   */

  function createPage($page_id, $namespace, $name = false, $visible = 1)

  {

    global $db, $session, $paths, $template, $plugins; // Common objects

    if(in_array($namespace, Array('Special', 'Admin')))

    {

      // echo '<b>Notice:</b> PageUtils::createPage: You can\'t create a special page in the database<br />';

      return 'You can\'t create a special page in the database';

    }

    if(!isset($paths->nslist[$namespace]))

    {

      // echo '<b>Notice:</b> PageUtils::createPage: Couldn\'t look up the namespace<br />';

      return 'Couldn\'t look up the namespace';

    }

    $pname = $paths->nslist[$namespace] . $page_id;

    if(isset($paths->pages[$pname]))

    {

      // echo '<b>Notice:</b> PageUtils::createPage: Page already exists<br />';

      return 'Page already exists';

    }

    if(!$session->get_permissions('create_page'))

    {

      // echo '<b>Notice:</b> PageUtils::createPage: Not authorized to create pages<br />';

      return 'Not authorized to create pages';

    }

    if($session->user_level < USER_LEVEL_ADMIN && $namespace == 'System')

    {

      // echo '<b>Notice:</b> PageUtils::createPage: Not authorized to create system messages<br />';

      return 'Not authorized to create system messages';

    }

    if ( substr($page_id, 0, 8) == 'Project:' )

    {

      // echo '<b>Notice:</b> PageUtils::createPage: Prefix "Project:" is reserved<br />';

      return 'The prefix "Project:" is reserved for a parser shortcut; if a page was created using this prefix, it would not be possible to link to it.';

    }

    $page_id = dirtify_page_id($page_id);

    if ( !$name )

      $name = str_replace('_', ' ', $page_id);

    $regex = '#^([A-z0-9 _\-\.\/\!\@\(\)]*)$#is';

    if(!preg_match($regex, $page))

    {

      //echo '<b>Notice:</b> PageUtils::createPage: Name contains invalid characters<br />';

      return 'Name contains invalid characters';

    }

    $page_id = sanitize_page_id( $page_id );

    $prot = ( $namespace == 'System' ) ? 1 : 0;

    $ips = array(

      'ip' => array(),

      'u' => array()

      );

    $page_data = Array(

      'name'=>$name,

      'urlname'=>$page_id,

      'namespace'=>$namespace,

      'special'=>0,'visible'=>1,'comments_on'=>0,'protected'=>$prot,'delvotes'=>0,'delvote_ips'=>serialize($ips),'wiki_mode'=>2,

    );

    // die('PageUtils::createpage: Creating page with this data:<pre>' . print_r($page_data, true) . '</pre>');

    $paths->add_page($page_data);

    $qa = $db->sql_query('INSERT INTO ' . table_prefix.'pages(name,urlname,namespace,visible,protected,delvote_ips) VALUES(\'' . $db->escape($name) . '\', \'' . $db->escape($page_id) . '\', \'' . $namespace . '\', '. ( $visible ? '1' : '0' ) .', ' . $prot . ', \'' . $db->escape(serialize($ips)) . '\');');

    $qb = $db->sql_query('INSERT INTO ' . table_prefix.'page_text(page_id,namespace) VALUES(\'' . $db->escape($page_id) . '\', \'' . $namespace . '\');');

    $qc = $db->sql_query('INSERT INTO ' . table_prefix.'logs(time_id,date_string,log_type,action,author,page_id,namespace) VALUES('.time().', \''.date('d M Y h:i a').'\', \'page\', \'create\', \'' . $session->username . '\', \'' . $db->escape($page_id) . '\', \'' . $namespace . '\');');

    if($qa && $qb && $qc)

      return 'good';

    else

    {

      return $db->get_error();

    }

  }

  /**

   * Sets the protection level on a page.

   * @param $page_id string the page ID

   * @param $namespace string the namespace

   * @param $level int level of protection - 0 is off, 1 is full, 2 is semi

   * @param $reason string why the page is being (un)protected

   * @return string - "good" on success, in all other cases, an error string (on query failure, calls $db->_die() )

   */

  function protect($page_id, $namespace, $level, $reason)

  {

    global $db, $session, $paths, $template, $plugins; // Common objects

    $pname = $paths->nslist[$namespace] . $page_id;

    $wiki = ( ( $paths->pages[$pname]['wiki_mode'] == 2 && getConfig('wiki_mode') == '1') || $paths->pages[$pname]['wiki_mode'] == 1) ? true : false;

    $prot = ( ( $paths->pages[$pname]['protected'] == 2 && $session->user_logged_in && $session->reg_time + 60*60*24*4 < time() ) || $paths->pages[$pname]['protected'] == 1) ? true : false;

    if ( !$session->get_permissions('protect') )

    {

      return('Insufficient access rights');

    }

    if ( !$wiki )

    {

      return('Page protection only has an effect when Wiki Mode is enabled.');

    }

    if ( !preg_match('#^([0-9]+){1}$#', (string)$level) )

    {

      return('Invalid $level parameter.');

    }

    switch($level)

    {

      case 0: