<?php
/*
* Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between
* Version 1.1.6 (Caoineag beta 1)
* Copyright (C) 2006-2008 Dan Fuhry
* pageutils.php - a class that handles raw page manipulations, used mostly by AJAX requests or their old-fashioned form-based counterparts
*
* This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied
* warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for details.
*/
class PageUtils {
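/**
 * Tell if a username is used or not.
 * @param string $name the name to check for; underscores are treated as spaces and the value is URL-decoded before lookup
 * @return string 'good' if no user has this name, 'bad' if it is already taken; on query failure $db->_die() is called
 */
public static function checkusername($name)
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  $name = str_replace('_', ' ', $name);

  // Escape AFTER decoding so a quote hidden behind %27 cannot reach the query unescaped
  $sql = 'SELECT username FROM ' . table_prefix . 'users WHERE username=\'' . $db->escape(rawurldecode($name)) . '\'';
  $q = $db->sql_query($sql);
  if ( !$q )
  {
    // Route through the shared DB error handler (as the rest of this file does) instead of
    // dumping the raw driver error text straight to the client
    $db->_die('The username lookup query failed.');
  }

  $in_use = ( $db->numrows() >= 1 );
  $db->free_result();

  return $in_use ? 'bad' : 'good';
}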
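/**
 * Get the wiki formatting source for a page
 * @param string $page the full page id (Namespace:Pagename)
 * @param string|bool $password the page password as supplied by the caller, or false if none was given
 * @return string the HTML-escaped page source; '' if the page does not exist or has no text row,
 *                'invalid_password' if the page is password-protected and $password does not match,
 *                'access_denied' if the current user lacks view_source
 */
public static function getsource($page, $password = false)
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  if ( !isPage($page) )
  {
    return '';
  }

  // A 40-character value in the password field means the page is password-protected
  // (40 hex characters is the length of a sha1() digest, which this file uses elsewhere)
  $stored = isset($paths->pages[$page]['password']) ? $paths->pages[$page]['password'] : '';
  if ( strlen($stored) == 40 )
  {
    // Strict comparison: the loose != used to treat two numeric-looking strings (e.g. digests
    // beginning with "0e") as equal, so a wrong password could pass. hash_equals() would
    // additionally make this constant-time where it is available.
    if ( !$password || (string) $password !== $stored )
    {
      return 'invalid_password';
    }
  }

  if ( !$session->get_permissions('view_source') ) // Dependencies handle this for us - this also checks for read privileges
    return 'access_denied';

  $pid = RenderMan::strToPageID($page);
  if ( $pid[1] == 'Special' || $pid[1] == 'Admin' )
  {
    die('This type of page (' . $paths->nslist[$pid[1]] . ') cannot be edited because the page source code is not stored in the database.');
  }

  // Escape both halves of the page ID: they originate from the request, and isPage() only tells us the page exists
  $e = $db->sql_query('SELECT page_text,char_tag FROM ' . table_prefix . 'page_text WHERE page_id=\'' . $db->escape($pid[0]) . '\' AND namespace=\'' . $db->escape($pid[1]) . '\'');
  if ( !$e )
  {
    $db->_die('The page text could not be selected.');
  }
  if ( $db->numrows() < 1 )
  {
    // Release the (empty) result set before bailing out
    $db->free_result();
    return '';
  }

  $r = $db->fetchrow();
  $db->free_result();

  return htmlspecialchars($r['page_text']);
}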
/**
 * DEPRECATED. Previously returned the full rendered contents of a page; now unconditionally terminates the request.
 * @param string $page the full page id (Namespace:Pagename) - not read
 * @param bool $send_headers true if the theme headers should be sent (still dependent on current page settings), false otherwise - not read
 * @param mixed $hist_id - not read
 * @return string never returns
 */
public static function getpage($page, $send_headers = false, $hist_id = false)
{
  // Kept only so that stale callers fail loudly rather than silently rendering nothing
  exit('PageUtils->getpage is deprecated.');
}
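/**
 * Writes page data to the database, after verifying permissions and running the XSS filter
 * @param string $page_id the page ID
 * @param string $namespace the namespace
 * @param string $message the text to save
 * @param string $summary the edit summary, stored HTML-escaped in the log entry
 * @param bool $minor true if this is a minor edit
 * @return string 'good' on success, otherwise a human-readable error message; on query failure $db->_die() is called
 */
public static function savepage($page_id, $namespace, $message, $summary = 'No edit summary given', $minor = false)
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  // char_tag that ties this revision's log row to the page_text row
  $uid = sha1(microtime());
  $pname = $paths->nslist[$namespace] . $page_id;

  if ( !$session->get_permissions('edit_page') )
    return 'Access to edit pages is denied.';

  if ( !isPage($pname) )
  {
    $create = PageUtils::createPage($page_id, $namespace);
    if ( $create != 'good' )
      return 'The page did not exist, and I was not able to create it. The reported error was: ' . $create;
    $paths->page_exists = true;
  }

  // Check page protection
  $protection = isset($paths->pages[$pname]['protected']) ? $paths->pages[$pname]['protected'] : 0;
  $is_protected = false;
  if ( $protection == 2 )
  {
    // Page is semi-protected. Only accounts registered at least 4 days ago (345600 seconds) may edit.
    $is_protected = !( $session->user_logged_in && ( $session->reg_time + 345600 ) <= time() );
  }
  else if ( $protection == 1 )
  {
    // Page is fully protected
    $is_protected = true;
  }

  // If it's protected and we DON'T have even_when_protected rights, bail out
  if ( $is_protected && !$session->get_permissions('even_when_protected') )
  {
    return 'You don\'t have the necessary permissions to edit this page.';
  }

  // We're skipping the wiki mode check here because by default edit_page permissions are AUTH_WIKIMODE.
  // The exception here is the user's own userpage, which is overridden at the time of account creation.
  // At that point it's set to AUTH_ALLOW, but obviously only for the user's own userpage.

  // Strip potentially harmful tags and PHP from the message, dependent upon permissions settings
  $message = RenderMan::preprocess_text($message, false, false);

  // Every value spliced into the SQL below is escaped; $page_id and $namespace come straight from the caller
  // and were previously interpolated raw into the UPDATE's WHERE clause.
  $msg           = $db->escape($message);
  $page_id_sql   = $db->escape($page_id);
  $namespace_sql = $db->escape($namespace);
  $author_sql    = $db->escape($session->username);
  $summary_sql   = $db->escape(htmlspecialchars($summary));
  $minor         = $minor ? ENANO_SQL_BOOLEAN_TRUE : ENANO_SQL_BOOLEAN_FALSE;

  // Log the page being saved ($page_id/$namespace), not $paths->page_id/$paths->namespace (the page of the
  // current request), so the history row always refers to the same page_text row updated below.
  $q = 'INSERT INTO ' . table_prefix . 'logs(log_type,action,time_id,date_string,page_id,namespace,page_text,char_tag,author,edit_summary,minor_edit) VALUES(\'page\', \'edit\', ' . time() . ', \'' . enano_date('d M Y h:i a') . '\', \'' . $page_id_sql . '\', \'' . $namespace_sql . '\', ' . ENANO_SQL_MULTISTRING_PRFIX . '\'' . $msg . '\', \'' . $uid . '\', \'' . $author_sql . '\', \'' . $summary_sql . '\', ' . $minor . ');';
  if ( !$db->sql_query($q) )
    $db->_die('The history (log) entry could not be inserted into the logs table.');

  $q = 'UPDATE ' . table_prefix . 'page_text SET page_text=' . ENANO_SQL_MULTISTRING_PRFIX . '\'' . $msg . '\',char_tag=\'' . $uid . '\' WHERE page_id=\'' . $page_id_sql . '\' AND namespace=\'' . $namespace_sql . '\';';
  if ( !$db->sql_query($q) )
    $db->_die('Enano was unable to save the page contents. Your changes have been lost <tt>:\'(</tt>.');

  $paths->rebuild_page_index($page_id, $namespace);

  return 'good';
}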
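/**
 * Creates a page, both in memory and in the database.
 * @param string $page_id
 * @param string $namespace
 * @param string|bool $name display name; false derives it from $page_id with underscores replaced by spaces
 * @param int|bool $visible 1 (default) if the page should be listed, 0 to hide it
 * @return string 'good' on success; otherwise a human-readable error string (the DB error text when an insert fails)
 */
public static function createPage($page_id, $namespace, $name = false, $visible = 1)
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  if ( in_array($namespace, array('Special', 'Admin'), true) )
  {
    return 'You can\'t create a special page in the database';
  }

  if ( !isset($paths->nslist[$namespace]) )
  {
    return 'Couldn\'t look up the namespace';
  }

  $pname = $paths->nslist[$namespace] . $page_id;
  if ( isPage($pname) )
  {
    return 'Page already exists';
  }

  if ( !$session->get_permissions('create_page') )
  {
    return 'Not authorized to create pages';
  }

  if ( $session->user_level < USER_LEVEL_ADMIN && $namespace == 'System' )
  {
    return 'Not authorized to create system messages';
  }

  if ( substr($page_id, 0, 8) === 'Project:' )
  {
    return 'The prefix "Project:" is reserved for a parser shortcut; if a page was created using this prefix, it would not be possible to link to it.';
  }

  // (A character whitelist on $name used to live here; it was dropped because Enano handles more flexible names.)

  // Derive the display name from the un-sanitized ID, then canonicalize the ID for storage
  $page_id = dirtify_page_id($page_id);
  if ( !$name )
    $name = str_replace('_', ' ', $page_id);
  $page_id = sanitize_page_id($page_id);

  // System messages are created fully protected
  $prot = ( $namespace == 'System' ) ? 1 : 0;
  // Normalize once so the in-memory entry and the INSERT agree (the in-memory 'visible' used to be hard-coded to 1)
  $visible = $visible ? 1 : 0;

  $ips = array(
    'ip' => array(),
    'u' => array()
  );
  $page_data = array(
    'name' => $name,
    'urlname' => $page_id,
    'namespace' => $namespace,
    'special' => 0,
    'visible' => $visible,
    'comments_on' => 0,
    'protected' => $prot,
    'delvotes' => 0,
    'delvote_ips' => serialize($ips),
    'wiki_mode' => 2,
  );

  // NOTE: the in-memory entry is registered before the inserts run, so a failed insert leaves
  // a page in $paths that has no database rows behind it.
  $paths->add_page($page_data);

  // Escape everything that reaches the SQL, including the namespace and the session username
  $name_sql      = $db->escape($name);
  $page_id_sql   = $db->escape($page_id);
  $namespace_sql = $db->escape($namespace);
  $author_sql    = $db->escape($session->username);
  $ips_sql       = $db->escape(serialize($ips));

  $qa = $db->sql_query('INSERT INTO ' . table_prefix . 'pages(name,urlname,namespace,visible,protected,delvote_ips) VALUES(\'' . $name_sql . '\', \'' . $page_id_sql . '\', \'' . $namespace_sql . '\', ' . $visible . ', ' . $prot . ', \'' . $ips_sql . '\');');
  $qb = $db->sql_query('INSERT INTO ' . table_prefix . 'page_text(page_id,namespace) VALUES(\'' . $page_id_sql . '\', \'' . $namespace_sql . '\');');
  $qc = $db->sql_query('INSERT INTO ' . table_prefix . 'logs(time_id,date_string,log_type,action,author,page_id,namespace) VALUES(' . time() . ', \'' . enano_date('d M Y h:i a') . '\', \'page\', \'create\', \'' . $author_sql . '\', \'' . $page_id_sql . '\', \'' . $namespace_sql . '\');');

  if ( $qa && $qb && $qc )
  {
    return 'good';
  }
  return $db->get_error();
}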
/**
* Sets the protection level on a page.
* @param $page_id string the page ID
* @param $namespace string the namespace
* @param $level int level of protection - 0 is off, 1 is full, 2 is semi
* @param $reason string why the page is being (un)protected
* @return string "good" on success; in all other cases an error string (on query failure, $db->_die() is called instead of returning)
*/
public static function protect($page_id, $namespace, $level, $reason)
1
+ − 278
{
+ − 279
global $db, $session, $paths, $template, $plugins; // Common objects
+ − 280
+ − 281
$pname = $paths->nslist[$namespace] . $page_id;
+ − 282
$wiki = ( ( $paths->pages[$pname]['wiki_mode'] == 2 && getConfig('wiki_mode') == '1') || $paths->pages[$pname]['wiki_mode'] == 1) ? true : false;
+ − 283
$prot = ( ( $paths->pages[$pname]['protected'] == 2 && $session->user_logged_in && $session->reg_time + 60*60*24*4 < time() ) || $paths->pages[$pname]['protected'] == 1) ? true : false;
+ − 284
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 285
if ( !$session->get_permissions('protect') )
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 286
{
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 287
return('Insufficient access rights');
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 288
}
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 289
if ( !$wiki )
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 290
{
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 291
return('Page protection only has an effect when Wiki Mode is enabled.');
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 292
}
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 293
if ( !preg_match('#^([0-9]+){1}$#', (string)$level) )
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 294
{
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 295
return('Invalid $level parameter.');
1
+ − 296
}
+ − 297
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 298
switch($level)
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 299
{
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 300
case 0:
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 301
$q = 'INSERT INTO ' . table_prefix.'logs(time_id,date_string,log_type,action,author,page_id,namespace,edit_summary) VALUES('.time().', \''.enano_date('d M Y h:i a').'\', \'page\', \'unprot\', \'' . $session->username . '\', \'' . $page_id . '\', \'' . $namespace . '\', \'' . $db->escape(htmlspecialchars($reason)) . '\');';
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 302
break;
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 303
case 1:
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 304
$q = 'INSERT INTO ' . table_prefix.'logs(time_id,date_string,log_type,action,author,page_id,namespace,edit_summary) VALUES('.time().', \''.enano_date('d M Y h:i a').'\', \'page\', \'prot\', \'' . $session->username . '\', \'' . $page_id . '\', \'' . $namespace . '\', \'' . $db->escape(htmlspecialchars($reason)) . '\');';
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 305
break;
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 306
case 2:
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 307
$q = 'INSERT INTO ' . table_prefix.'logs(time_id,date_string,log_type,action,author,page_id,namespace,edit_summary) VALUES('.time().', \''.enano_date('d M Y h:i a').'\', \'page\', \'semiprot\', \'' . $session->username . '\', \'' . $page_id . '\', \'' . $namespace . '\', \'' . $db->escape(htmlspecialchars($reason)) . '\');';
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 308
break;
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 309
default:
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 310
return 'PageUtils::protect(): Invalid value for $level';
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 311
break;
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 312
}
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 313
if(!$db->sql_query($q)) $db->_die('The log entry for the page protection could not be inserted.');
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 314
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 315
$q = $db->sql_query('UPDATE ' . table_prefix.'pages SET protected=' . $level . ' WHERE urlname=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\';');
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 316
if ( !$q )
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 317
{
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 318
$db->_die('The pages table was not updated.');
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 319
}
1
+ − 320
+ − 321
return('good');
+ − 322
}
/**
+ − 325
* Generates an HTML table with history information in it.
800
9cdfe82c56cd
Major underlying changes to namespace handling. Each namespace is handled by its own class which extends Namespace_Default. Much greater customization/pluggability potential, at the possible expense of some code reusing (though code reusing has been avoided thus far). Also a bit better handling of page passwords [SECURITY].
Dan
diff
changeset
+ − 326
* @param string the page ID
9cdfe82c56cd
Major underlying changes to namespace handling. Each namespace is handled by its own class which extends Namespace_Default. Much greater customization/pluggability potential, at the possible expense of some code reusing (though code reusing has been avoided thus far). Also a bit better handling of page passwords [SECURITY].
Dan
diff
changeset
+ − 327
* @param string the namespace
9cdfe82c56cd
Major underlying changes to namespace handling. Each namespace is handled by its own class which extends Namespace_Default. Much greater customization/pluggability potential, at the possible expense of some code reusing (though code reusing has been avoided thus far). Also a bit better handling of page passwords [SECURITY].
Dan
diff
changeset
+ − 328
* @param string page password
1
+ − 329
* @return string
+ − 330
*/
+ − 331
800
9cdfe82c56cd
Major underlying changes to namespace handling. Each namespace is handled by its own class which extends Namespace_Default. Much greater customization/pluggability potential, at the possible expense of some code reusing (though code reusing has been avoided thus far). Also a bit better handling of page passwords [SECURITY].
Dan
diff
changeset
+ − 332
public static function histlist($page_id, $namespace, $password = false)
1
+ − 333
{
+ − 334
global $db, $session, $paths, $template, $plugins; // Common objects
213
+ − 335
global $lang;
1
+ − 336
+ − 337
if(!$session->get_permissions('history_view'))
+ − 338
return 'Access denied';
+ − 339
+ − 340
ob_start();
+ − 341
+ − 342
$pname = $paths->nslist[$namespace] . $page_id;
800
9cdfe82c56cd
Major underlying changes to namespace handling. Each namespace is handled by its own class which extends Namespace_Default. Much greater customization/pluggability potential, at the possible expense of some code reusing (though code reusing has been avoided thus far). Also a bit better handling of page passwords [SECURITY].
Dan
diff
changeset
+ − 343
9cdfe82c56cd
Major underlying changes to namespace handling. Each namespace is handled by its own class which extends Namespace_Default. Much greater customization/pluggability potential, at the possible expense of some code reusing (though code reusing has been avoided thus far). Also a bit better handling of page passwords [SECURITY].
Dan
diff
changeset
+ − 344
if ( !isPage($pname) )
9cdfe82c56cd
Major underlying changes to namespace handling. Each namespace is handled by its own class which extends Namespace_Default. Much greater customization/pluggability potential, at the possible expense of some code reusing (though code reusing has been avoided thus far). Also a bit better handling of page passwords [SECURITY].
Dan
diff
changeset
+ − 345
{
9cdfe82c56cd
Major underlying changes to namespace handling. Each namespace is handled by its own class which extends Namespace_Default. Much greater customization/pluggability potential, at the possible expense of some code reusing (though code reusing has been avoided thus far). Also a bit better handling of page passwords [SECURITY].
Dan
diff
changeset
+ − 346
return 'DNE';
9cdfe82c56cd
Major underlying changes to namespace handling. Each namespace is handled by its own class which extends Namespace_Default. Much greater customization/pluggability potential, at the possible expense of some code reusing (though code reusing has been avoided thus far). Also a bit better handling of page passwords [SECURITY].
Dan
diff
changeset
+ − 347
}
9cdfe82c56cd
Major underlying changes to namespace handling. Each namespace is handled by its own class which extends Namespace_Default. Much greater customization/pluggability potential, at the possible expense of some code reusing (though code reusing has been avoided thus far). Also a bit better handling of page passwords [SECURITY].
Dan
diff
changeset
+ − 348
832
7152ca0a0ce9
Major redesign of rendering pipeline that separates pages saved with MCE from pages saved with the plaintext editor (full description in long commit message)
Dan
diff
changeset
+ − 349
if ( isPage($pname['password']) )
800
9cdfe82c56cd
Major underlying changes to namespace handling. Each namespace is handled by its own class which extends Namespace_Default. Much greater customization/pluggability potential, at the possible expense of some code reusing (though code reusing has been avoided thus far). Also a bit better handling of page passwords [SECURITY].
Dan
diff
changeset
+ − 350
{
9cdfe82c56cd
Major underlying changes to namespace handling. Each namespace is handled by its own class which extends Namespace_Default. Much greater customization/pluggability potential, at the possible expense of some code reusing (though code reusing has been avoided thus far). Also a bit better handling of page passwords [SECURITY].
Dan
diff
changeset
+ − 351
$password_exists = ( !empty($paths->pages[$pname]['password']) && $paths->pages[$pname]['password'] !== sha1('') );
9cdfe82c56cd
Major underlying changes to namespace handling. Each namespace is handled by its own class which extends Namespace_Default. Much greater customization/pluggability potential, at the possible expense of some code reusing (though code reusing has been avoided thus far). Also a bit better handling of page passwords [SECURITY].
Dan
diff
changeset
+ − 352
if ( $password_exists && $password !== $paths->pages[$pname]['password'] )
9cdfe82c56cd
Major underlying changes to namespace handling. Each namespace is handled by its own class which extends Namespace_Default. Much greater customization/pluggability potential, at the possible expense of some code reusing (though code reusing has been avoided thus far). Also a bit better handling of page passwords [SECURITY].
Dan
diff
changeset
+ − 353
{
9cdfe82c56cd
Major underlying changes to namespace handling. Each namespace is handled by its own class which extends Namespace_Default. Much greater customization/pluggability potential, at the possible expense of some code reusing (though code reusing has been avoided thus far). Also a bit better handling of page passwords [SECURITY].
Dan
diff
changeset
+ − 354
return '<p>' . $lang->get('history_err_wrong_password') . '</p>';
9cdfe82c56cd
Major underlying changes to namespace handling. Each namespace is handled by its own class which extends Namespace_Default. Much greater customization/pluggability potential, at the possible expense of some code reusing (though code reusing has been avoided thus far). Also a bit better handling of page passwords [SECURITY].
Dan
diff
changeset
+ − 355
}
9cdfe82c56cd
Major underlying changes to namespace handling. Each namespace is handled by its own class which extends Namespace_Default. Much greater customization/pluggability potential, at the possible expense of some code reusing (though code reusing has been avoided thus far). Also a bit better handling of page passwords [SECURITY].
Dan
diff
changeset
+ − 356
}
9cdfe82c56cd
Major underlying changes to namespace handling. Each namespace is handled by its own class which extends Namespace_Default. Much greater customization/pluggability potential, at the possible expense of some code reusing (though code reusing has been avoided thus far). Also a bit better handling of page passwords [SECURITY].
Dan
diff
changeset
+ − 357
1
+ − 358
$wiki = ( ( $paths->pages[$pname]['wiki_mode'] == 2 && getConfig('wiki_mode') == '1') || $paths->pages[$pname]['wiki_mode'] == 1) ? true : false;
+ − 359
$prot = ( ( $paths->pages[$pname]['protected'] == 2 && $session->user_logged_in && $session->reg_time + 60*60*24*4 < time() ) || $paths->pages[$pname]['protected'] == 1) ? true : false;
+ − 360
468
+ − 361
$q = 'SELECT log_id,time_id,date_string,page_id,namespace,author,edit_summary,minor_edit FROM ' . table_prefix.'logs WHERE log_type=\'page\' AND action=\'edit\' AND page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND is_draft != 1 ORDER BY time_id DESC;';
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 362
if(!$db->sql_query($q)) $db->_die('The history data for the page "' . $paths->cpage['name'] . '" could not be selected.');
213
+ − 363
echo $lang->get('history_page_subtitle') . '
+ − 364
<h3>' . $lang->get('history_heading_edits') . '</h3>';
1
+ − 365
$numrows = $db->numrows();
213
+ − 366
if ( $numrows < 1 )
+ − 367
{
+ − 368
echo $lang->get('history_no_entries');
+ − 369
}
1
+ − 370
else
+ − 371
{
+ − 372
echo '<form action="'.makeUrlNS($namespace, $page_id, 'do=diff').'" onsubmit="ajaxHistDiff(); return false;" method="get">
213
+ − 373
<input type="submit" value="' . $lang->get('history_btn_compare') . '" />
115
261f367623af
Fixed the obnoxious issue with forms using GET and index.php?title=Foo URL scheme (this works a whole lot better than MediaWiki now
Dan
diff
changeset
+ − 374
' . ( urlSeparator == '&' ? '<input type="hidden" name="title" value="' . htmlspecialchars($paths->nslist[$namespace] . $page_id) . '" />' : '' ) . '
261f367623af
Fixed the obnoxious issue with forms using GET and index.php?title=Foo URL scheme (this works a whole lot better than MediaWiki now
Dan
diff
changeset
+ − 375
' . ( $session->sid_super ? '<input type="hidden" name="auth" value="' . $session->sid_super . '" />' : '') . '
261f367623af
Fixed the obnoxious issue with forms using GET and index.php?title=Foo URL scheme (this works a whole lot better than MediaWiki now
Dan
diff
changeset
+ − 376
<input type="hidden" name="do" value="diff" />
1
+ − 377
<br /><span> </span>
+ − 378
<div class="tblholder">
+ − 379
<table border="0" width="100%" cellspacing="1" cellpadding="4">
+ − 380
<tr>
213
+ − 381
<th colspan="2">' . $lang->get('history_col_diff') . '</th>
+ − 382
<th>' . $lang->get('history_col_datetime') . '</th>
+ − 383
<th>' . $lang->get('history_col_user') . '</th>
+ − 384
<th>' . $lang->get('history_col_summary') . '</th>
+ − 385
<th>' . $lang->get('history_col_minor') . '</th>
+ − 386
<th colspan="3">' . $lang->get('history_col_actions') . '</th>
1
+ − 387
</tr>'."\n"."\n";
+ − 388
$cls = 'row2';
+ − 389
$ticker = 0;
+ − 390
213
+ − 391
while ( $r = $db->fetchrow() )
+ − 392
{
1
+ − 393
+ − 394
$ticker++;
+ − 395
+ − 396
if($cls == 'row2') $cls = 'row1';
+ − 397
else $cls = 'row2';
+ − 398
+ − 399
echo '<tr>'."\n";
+ − 400
+ − 401
// Diff selection
+ − 402
if($ticker == 1)
+ − 403
{
+ − 404
$s1 = '';
+ − 405
$s2 = 'checked="checked" ';
+ − 406
}
+ − 407
elseif($ticker == 2)
+ − 408
{
+ − 409
$s1 = 'checked="checked" ';
+ − 410
$s2 = '';
+ − 411
}
+ − 412
else
+ − 413
{
+ − 414
$s1 = '';
+ − 415
$s2 = '';
+ − 416
}
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 417
if($ticker > 1) echo '<td class="' . $cls . '" style="padding: 0;"><input ' . $s1 . 'name="diff1" type="radio" value="' . $r['time_id'] . '" id="diff1_' . $r['time_id'] . '" class="clsDiff1Radio" onclick="selectDiff1Button(this);" /></td>'."\n"; else echo '<td class="' . $cls . '"></td>';
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 418
if($ticker < $numrows) echo '<td class="' . $cls . '" style="padding: 0;"><input ' . $s2 . 'name="diff2" type="radio" value="' . $r['time_id'] . '" id="diff2_' . $r['time_id'] . '" class="clsDiff2Radio" onclick="selectDiff2Button(this);" /></td>'."\n"; else echo '<td class="' . $cls . '"></td>';
1
+ − 419
+ − 420
// Date and time
401
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
diff
changeset
+ − 421
echo '<td class="' . $cls . '" style="white-space: nowrap;">' . enano_date('d M Y h:i a', intval($r['time_id'])) . '</td class="' . $cls . '">'."\n";
1
+ − 422
+ − 423
// User
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 424
if ( $session->get_permissions('mod_misc') && is_valid_ip($r['author']) )
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 425
{
213
+ − 426
$rc = ' style="cursor: pointer;" title="' . $lang->get('history_tip_rdns') . '" onclick="ajaxReverseDNS(this, \'' . $r['author'] . '\');"';
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 427
}
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 428
else
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 429
{
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 430
$rc = '';
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 431
}
285
7846d45bd250
Changed all urlname/page_id columns to varchar(255) because 63 characters just isn't long enough
Dan
diff
changeset
+ − 432
echo '<td class="' . $cls . '"' . $rc . '><a href="'.makeUrlNS('User', sanitize_page_id($r['author'])).'" ';
7846d45bd250
Changed all urlname/page_id columns to varchar(255) because 63 characters just isn't long enough
Dan
diff
changeset
+ − 433
if ( !isPage($paths->nslist['User'] . sanitize_page_id($r['author'])) )
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 434
{
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 435
echo 'class="wikilink-nonexistent"';
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 436
}
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 437
echo '>' . $r['author'] . '</a></td class="' . $cls . '">'."\n";
1
+ − 438
+ − 439
// Edit summary
213
+ − 440
if ( $r['edit_summary'] == 'Automatic backup created when logs were purged' )
+ − 441
{
+ − 442
$r['edit_summary'] = $lang->get('history_summary_clearlogs');
+ − 443
}
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 444
echo '<td class="' . $cls . '">' . $r['edit_summary'] . '</td>'."\n";
1
+ − 445
+ − 446
// Minor edit
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 447
echo '<td class="' . $cls . '" style="text-align: center;">'. (( $r['minor_edit'] ) ? 'M' : '' ) .'</td>'."\n";
1
+ − 448
+ − 449
// Actions!
468
+ − 450
echo '<td class="' . $cls . '" style="text-align: center;"><a rel="nofollow" href="'.makeUrlNS($namespace, $page_id, 'oldid=' . $r['log_id']) . '" onclick="ajaxHistView(\'' . $r['log_id'] . '\'); return false;">' . $lang->get('history_action_view') . '</a></td>'."\n";
413
6607cd646d6d
Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
diff
changeset
+ − 451
echo '<td class="' . $cls . '" style="text-align: center;"><a rel="nofollow" href="'.makeUrl($paths->nslist['Special'].'Contributions/' . $r['author']) . '">' . $lang->get('history_action_contrib') . '</a></td>'."\n";
468
+ − 452
echo '<td class="' . $cls . '" style="text-align: center;"><a rel="nofollow" href="'.makeUrlNS($namespace, $page_id, 'do=edit&revid=' . $r['log_id']) . '" onclick="ajaxEditor(\'' . $r['log_id'] . '\'); return false;">' . $lang->get('history_action_restore') . '</a></td>'."\n";
1
+ − 453
+ − 454
echo '</tr>'."\n"."\n";
+ − 455
+ − 456
}
+ − 457
echo '</table>
+ − 458
</div>
+ − 459
<br />
+ − 460
<input type="hidden" name="do" value="diff" />
213
+ − 461
<input type="submit" value="' . $lang->get('history_btn_compare') . '" />
1
+ − 462
</form>
57
b354deeaa4c4
Vastly improved compatibility with older versions of IE, particularly 5.0, through the use of a kill switch that turns off all AJAX functions
Dan
diff
changeset
+ − 463
<script type="text/javascript">if ( !KILL_SWITCH ) { buildDiffList(); }</script>';
1
+ − 464
}
+ − 465
$db->free_result();
213
+ − 466
echo '<h3>' . $lang->get('history_heading_other') . '</h3>';
468
+ − 467
$q = 'SELECT log_id,time_id,action,date_string,page_id,namespace,author,edit_summary,minor_edit FROM ' . table_prefix.'logs WHERE log_type=\'page\' AND action!=\'edit\' AND page_id=\'' . $paths->page_id . '\' AND namespace=\'' . $paths->namespace . '\' ORDER BY time_id DESC;';
213
+ − 468
if ( !$db->sql_query($q) )
+ − 469
{
+ − 470
$db->_die('The history data for the page "' . htmlspecialchars($paths->cpage['name']) . '" could not be selected.');
+ − 471
}
+ − 472
if ( $db->numrows() < 1 )
+ − 473
{
+ − 474
echo $lang->get('history_no_entries');
+ − 475
}
+ − 476
else
+ − 477
{
1
+ − 478
213
+ − 479
echo '<div class="tblholder">
+ − 480
<table border="0" width="100%" cellspacing="1" cellpadding="4"><tr>
+ − 481
<th>' . $lang->get('history_col_datetime') . '</th>
+ − 482
<th>' . $lang->get('history_col_user') . '</th>
+ − 483
<th>' . $lang->get('history_col_minor') . '</th>
+ − 484
<th>' . $lang->get('history_col_action_taken') . '</th>
+ − 485
<th>' . $lang->get('history_col_extra') . '</th>
+ − 486
<th colspan="2"></th>
+ − 487
</tr>';
1
+ − 488
$cls = 'row2';
+ − 489
while($r = $db->fetchrow()) {
+ − 490
+ − 491
if($cls == 'row2') $cls = 'row1';
+ − 492
else $cls = 'row2';
+ − 493
+ − 494
echo '<tr>';
+ − 495
+ − 496
// Date and time
351
+ − 497
echo '<td class="' . $cls . '">' . enano_date('d M Y h:i a', intval($r['time_id'])) . '</td class="' . $cls . '">';
1
+ − 498
+ − 499
// User
285
7846d45bd250
Changed all urlname/page_id columns to varchar(255) because 63 characters just isn't long enough
Dan
diff
changeset
+ − 500
echo '<td class="' . $cls . '"><a href="'.makeUrlNS('User', sanitize_page_id($r['author'])).'" ';
7846d45bd250
Changed all urlname/page_id columns to varchar(255) because 63 characters just isn't long enough
Dan
diff
changeset
+ − 501
if(!isPage($paths->nslist['User'] . sanitize_page_id($r['author']))) echo 'class="wikilink-nonexistent"';
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 502
echo '>' . $r['author'] . '</a></td class="' . $cls . '">';
1
+ − 503
+ − 504
+ − 505
// Minor edit
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 506
echo '<td class="' . $cls . '" style="text-align: center;">'. (( $r['minor_edit'] ) ? 'M' : '' ) .'</td>';
1
+ − 507
+ − 508
// Action taken
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 509
echo '<td class="' . $cls . '">';
81
d7fc25acd3f3
Replaced the menu in the admin theme with something much more visually pleasureable; minor fix in Special:UploadFile; finished patching a couple of XSS problems from Banshee; finished Admin:PageGroups; removed unneeded code in flyin.js; finished tag system (except tag cloud); 1.0.1 release candidate
Dan
diff
changeset
+ − 510
// Some of these are sanitized at insert-time. Others follow the newer Enano policy of stripping HTML at runtime.
468
+ − 511
if ($r['action']=='prot') echo $lang->get('history_log_protect') . '</td><td class="' . $cls . '">' . $lang->get('history_extra_reason') . ' ' . ( $r['edit_summary'] === '__REVERSION__' ? $lang->get('history_extra_protection_reversion') : htmlspecialchars($r['edit_summary']) );
+ − 512
elseif($r['action']=='unprot') echo $lang->get('history_log_unprotect') . '</td><td class="' . $cls . '">' . $lang->get('history_extra_reason') . ' ' . ( $r['edit_summary'] === '__REVERSION__' ? $lang->get('history_extra_protection_reversion') : htmlspecialchars($r['edit_summary']) );
+ − 513
elseif($r['action']=='semiprot') echo $lang->get('history_log_semiprotect') . '</td><td class="' . $cls . '">' . $lang->get('history_extra_reason') . ' ' . ( $r['edit_summary'] === '__REVERSION__' ? $lang->get('history_extra_protection_reversion') : htmlspecialchars($r['edit_summary']) );
213
+ − 514
elseif($r['action']=='rename') echo $lang->get('history_log_rename') . '</td><td class="' . $cls . '">' . $lang->get('history_extra_oldtitle') . ' '.htmlspecialchars($r['edit_summary']);
+ − 515
elseif($r['action']=='create') echo $lang->get('history_log_create') . '</td><td class="' . $cls . '">';
+ − 516
elseif($r['action']=='delete') echo $lang->get('history_log_delete') . '</td><td class="' . $cls . '">' . $lang->get('history_extra_reason') . ' ' . $r['edit_summary'];
481
+ − 517
elseif($r['action']=='reupload') echo $lang->get('history_log_uploadnew') . '</td><td class="' . $cls . '">' . $lang->get('history_extra_reason') . ' ' . ( $r['edit_summary'] === '__ROLLBACK__' ? $lang->get('history_extra_upload_reversion') : htmlspecialchars($r['edit_summary']) );
913
+ − 518
elseif($r['action']=='votereset')echo $lang->get('history_log_votereset') . '</td><td class="' . $cls . '">' . $lang->get('history_extra_numvotes') . ' ' . $r['edit_summary'];
1
+ − 519
echo '</td>';
+ − 520
+ − 521
// Actions!
echo '<td class="' . $cls . '" style="text-align: center;"><a rel="nofollow" href="'.makeUrl($paths->nslist['Special'].'Contributions/' . $r['author']) . '">' . $lang->get('history_action_contrib') . '</a></td>';
echo '<td class="' . $cls . '" style="text-align: center;"><a rel="nofollow" href="'.makeUrlNS($namespace, $page_id, 'do=rollback&id=' . $r['log_id']) . '" onclick="ajaxRollback(\'' . $r['log_id'] . '\'); return false;">' . $lang->get('history_action_revert') . '</a></td>';
echo '</tr>';
}
echo '</table></div>';
}
$db->free_result();
$ret = ob_get_contents();
ob_end_clean();
return $ret;
}
/**
 * Deprecated stub for rolling back a logged action.
 *
 * Kept so that legacy callers still resolve; the working implementation
 * lives in PageProcessor. Nothing is read from or written to the database.
 *
 * @param $id the time ID, a.k.a. the primary key in the logs table (accepted but unused)
 * @return string a fixed deprecation notice
 */
public static function rollback($id)
{
    global $db, $session, $paths, $template, $plugins; // Common objects
    global $lang;

    // No rollback is performed here; the globals above are only kept for parity with the other methods
    $notice = 'PageUtils->rollback() is deprecated - use PageProcessor instead.';
    return $notice;
}
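/**
 * Posts a comment on a page and returns the refreshed comment section.
 *
 * Flow: post_comments permission check -> login / CAPTCHA gate according to the
 * comments_need_login setting -> text preprocessing -> INSERT -> the comment
 * section is re-rendered through PageUtils::comments() with a "posted" notice
 * prepended.
 *
 * @param $page_id the page ID
 * @param $namespace the namespace
 * @param $name the name of the person posting; ignored (replaced by the session username) when logged in
 * @param $subject the subject line of the comment
 * @param $text the comment text
 * @param $captcha_code the code the visitor typed; required only when comments_need_login is '1' and the visitor is anonymous
 * @param $captcha_id the id of the CAPTCHA challenge that was shown; same condition as $captcha_code
 * @return string javascript code, or the literal 'Access denied' when the post_comments permission is missing
 */
public static function addcomment($page_id, $namespace, $name, $subject, $text, $captcha_code = false, $captcha_id = false)
{
    global $db, $session, $paths, $template, $plugins; // Common objects
    $_ob = '';
    if(!$session->get_permissions('post_comments'))
        return 'Access denied';
    // comments_need_login: '2' = members only, '1' = anonymous posters must solve a CAPTCHA
    if(getConfig('comments_need_login') == '2' && !$session->user_logged_in) _die('Access denied to post comments: you need to be logged in first.');
    if(getConfig('comments_need_login') == '1' && !$session->user_logged_in)
    {
        if(!$captcha_code || !$captcha_id) _die('BUG: PageUtils::addcomment: no CAPTCHA data passed to method');
        $result = $session->get_captcha($captcha_id);
        // Case-insensitive but otherwise strict. The previous loose != compared
        // numeric-looking strings as numbers (e.g. "0e12" == "0e34" is true), so a
        // wrong answer could be accepted. The string casts also keep a false/null
        // lookup result from reaching strtolower().
        if(strtolower((string) $captcha_code) !== strtolower((string) $result)) _die('The confirmation code you entered was incorrect.');
    }
    // preprocess_text() is the same normalisation the other comment paths apply
    // before values reach SQL; a logged-in session overrides any client-supplied name.
    $text = RenderMan::preprocess_text($text);
    $name = $session->user_logged_in ? RenderMan::preprocess_text($session->username) : RenderMan::preprocess_text($name);
    $subj = RenderMan::preprocess_text($subject);
    // approve_comments = '1' means new comments start out unapproved (approved = 0)
    if(getConfig('approve_comments', '0')=='1') $appr = '0'; else $appr = '1';
    // NOTE(review): $page_id and $namespace are interpolated without $db->escape(), as
    // everywhere else in this class; presumably validated before reaching PageUtils - confirm.
    $q = 'INSERT INTO ' . table_prefix.'comments(page_id,namespace,subject,comment_data,name,user_id,approved,time) VALUES(\'' . $page_id . '\',\'' . $namespace . '\',\'' . $subj . '\',\'' . $text . '\',\'' . $name . '\',' . $session->user_id . ',' . $appr . ','.time().')';
    $e = $db->sql_query($q);
    // NOTE(review): on failure the alert returns the DB error text and the full query to the client.
    if(!$e) die('alert(unescape(\''.rawurlencode('Error inserting comment data: '.$db->get_error().'\n\nQuery:\n' . $q) . '\'))');
    else $_ob .= '<div class="info-box">Your comment has been posted.</div>';
    // The Array() is received by comments_raw() as $flags; with $action = false it is never read
    return PageUtils::comments($page_id, $namespace, false, Array(), $_ob);
}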
/**
 * Generates partly-compiled HTML/Javascript code to be eval'ed by the user's browser to display comments.
 *
 * Two layers of output are produced. Everything echoed while this method runs is
 * captured with ob_start() and returned as element 0: the Javascript for the AJAX
 * client (the ajaxEditContainer update plus the `list` object of raw comment data).
 * The HTML fragment itself - heading, counts, one comment.tpl render per visible
 * comment, and the post form or login prompt - is accumulated in $_ob and returned
 * as element 1 for the non-AJAX (comments_html) path.
 *
 * Moderation actions ('delete', 'approve') run only when the session holds the
 * mod_comments permission; any other $action value is ignored.
 *
 * @param $page_id the page ID
 * @param $namespace the namespace
 * @param $action administrative action to perform, default is false
 * @param $flags additional info for $action, shouldn't be used except when deleting/approving comments, etc.
 *               Keys read: 'id' (comment_id), or the triple 'name' / 'subj' / 'text' when 'id' is absent
 * @param $_ob text to prepend to output, used by PageUtils::addcomment
 * @return array ( 0 => captured Javascript, 1 => HTML fragment )
 * @access private
 */
public static function comments_raw($page_id, $namespace, $action = false, $flags = Array(), $_ob = '')
{
    global $db, $session, $paths, $template, $plugins; // Common objects
    global $lang;

    // Full page title (namespace prefix + id); only used for the login redirect link at the end
    $pname = $paths->nslist[$namespace] . $page_id;

    // Everything echoed from here on becomes element 0 of the return value
    ob_start();

    if($action && $session->get_permissions('mod_comments')) // Nip hacking attempts in the bud
    {
        switch($action) {
            case "delete":
                // Target by comment_id when supplied, otherwise by exact name/subject/text match.
                // The three text values are escaped; page_id/namespace are interpolated as given
                // (presumably validated upstream - confirm against callers).
                if(isset($flags['id']))
                {
                    $q = 'DELETE FROM ' . table_prefix.'comments WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND comment_id='.intval($flags['id']).' LIMIT 1;';
                } else {
                    $n = $db->escape($flags['name']);
                    $s = $db->escape($flags['subj']);
                    $t = $db->escape($flags['text']);
                    $q = 'DELETE FROM ' . table_prefix.'comments WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND name=\'' . $n . '\' AND subject=\'' . $s . '\' AND comment_data=\'' . $t . '\' LIMIT 1;';
                }
                $e=$db->sql_query($q);
                // NOTE(review): "unesape" is not a Javascript function, so this alert can never be
                // shown on the client; the intended call is unescape(). The same typo is on the two
                // alerts in the 'approve' branch. The message also carries the DB error and the query.
                if(!$e) die('alert(unesape(\''.rawurlencode('Error during query: '.$db->get_error().'\n\nQuery:\n' . $q) . '\'));');
                break;
            case "approve":
                // Same target selection as 'delete'
                if(isset($flags['id']))
                {
                    $where = 'comment_id='.intval($flags['id']);
                } else {
                    $n = $db->escape($flags['name']);
                    $s = $db->escape($flags['subj']);
                    $t = $db->escape($flags['text']);
                    $where = 'name=\'' . $n . '\' AND subject=\'' . $s . '\' AND comment_data=\'' . $t . '\'';
                }
                // Read the current flag, then write its inverse: this action is a toggle
                $q = 'SELECT approved FROM ' . table_prefix.'comments WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND ' . $where . ' LIMIT 1;';
                $e = $db->sql_query($q);
                if(!$e) die('alert(unesape(\''.rawurlencode('Error selecting approval status: '.$db->get_error().'\n\nQuery:\n' . $q) . '\'));');
                $r = $db->fetchrow();
                $db->free_result();
                $a = ( $r['approved'] ) ? '0' : '1';
                $q = 'UPDATE ' . table_prefix.'comments SET approved=' . $a . ' WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND ' . $where . ';';
                $e=$db->sql_query($q);
                if(!$e) die('alert(unesape(\''.rawurlencode('Error during query: '.$db->get_error().'\n\nQuery:\n' . $q) . '\'));');
                // Tell the client what the link should now read (new state approved => offer "unapprove")
                if($a=='1') $v = $lang->get('comment_btn_mod_unapprove');
                else $v = $lang->get('comment_btn_mod_approve');
                // NOTE(review): reads $_GET['id'] directly instead of $flags['id'], and the
                // mdgApproveLink element ids generated further down are built from the list
                // index $i rather than the comment_id - confirm the client passes the matching value.
                echo 'document.getElementById("mdgApproveLink'.intval($_GET['id']).'").innerHTML="' . $v . '";';
                break;
        }
    }

    // The theme must be loaded before comment.tpl can be parsed (AJAX entry points may not have done it)
    if(!defined('ENANO_TEMPLATE_LOADED'))
    {
        $template->load_theme($session->theme, $session->style);
    }

    $tpl = $template->makeParser('comment.tpl');

    // Two count queries (the rows are fetched only for numrows()): unapproved first, then approved
    $e = $db->sql_query('SELECT * FROM ' . table_prefix.'comments WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND approved=0;');
    if(!$e) $db->_die('The comment text data could not be selected.');
    $num_unapp = $db->numrows();
    $db->free_result();
    $e = $db->sql_query('SELECT * FROM ' . table_prefix.'comments WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND approved=1;');
    if(!$e) $db->_die('The comment text data could not be selected.');
    $num_app = $db->numrows();
    $db->free_result();
    // Main listing, joined to the users table for level/signature/avatar data, oldest first
    $lq = $db->sql_query('SELECT c.comment_id,c.subject,c.name,c.comment_data,c.approved,c.time,c.user_id,c.ip_address,u.user_level,u.email,u.signature,u.user_has_avatar,u.avatar_type
FROM ' . table_prefix.'comments AS c
LEFT JOIN ' . table_prefix.'users AS u
ON c.user_id=u.user_id
WHERE page_id=\'' . $page_id . '\'
AND namespace=\'' . $namespace . '\' ORDER BY c.time ASC;');
    if(!$lq) _die('The comment text data could not be selected. '.$db->get_error());
    $_ob .= '<h3>' . $lang->get('comment_heading') . '</h3>';

    // Moderators see the total row count; everyone else only the approved count
    $n = ( $session->get_permissions('mod_comments')) ? $db->numrows() : $num_app;

    $subst = array(
        'num_comments' => $n,
        'page_type' => $template->namespace_string
    );

    $_ob .= '<p>';
    $_ob .= ( $n == 0 ) ? $lang->get('comment_msg_count_zero', $subst) : ( $n == 1 ? $lang->get('comment_msg_count_one', $subst) : $lang->get('comment_msg_count_plural', $subst) );

    // Pending-approval notice: highlighted and mod-worded for moderators, plain for everyone else
    if ( $session->get_permissions('mod_comments') && $num_unapp > 0 )
    {
        $_ob .= ' <span style="color: #D84308">' . $lang->get('comment_msg_count_unapp_mod', array( 'num_unapp' => $num_unapp )) . '</span>';
    }
    else if ( !$session->get_permissions('mod_comments') && $num_unapp > 0 )
    {
        $ls = ( $num_unapp == 1 ) ? 'comment_msg_count_unapp_one' : 'comment_msg_count_unapp_plural';
        $_ob .= ' <span>' . $lang->get($ls, array( 'num_unapp' => $num_unapp )) . '</span>';
    }
    $_ob .= '</p>';
    // $list becomes a Javascript object literal keyed by list index, holding the raw
    // (unrendered) comment data that the client-side editor works on
    $list = 'list = { ';
    // _die(htmlspecialchars($ttext));
    $i = -1;
    while ( $row = $db->fetchrow($lq) )
    {
        // $i is the list index; it also seeds the editbtn_/mdgApproveLink element ids
        $i++;
        $strings = Array();
        $bool = Array();
        // Unapproved comments are rendered (and added to the list) only for moderators
        if ( $session->get_permissions('mod_comments') || $row['approved'] == COMMENT_APPROVED )
        {
            $list .= $i . ' : { \'comment\' : unescape(\''.rawurlencode($row['comment_data']).'\'), \'name\' : unescape(\''.rawurlencode($row['name']).'\'), \'subject\' : unescape(\''.rawurlencode($row['subject']).'\'), }, ';

            // Comment ID (used in the Javascript apps)
            $strings['ID'] = (string)$i;

            // Determine the name, and whether to link to the user page or not
            // (user_id > 1 is treated as a registered account).
            // NOTE(review): name and subject reach the template without htmlspecialchars();
            // this relies on them having been sanitized at insert time - confirm.
            // NOTE(review): sanitize_page_id() is called with str_replace-style arguments
            // (' ', '_', name) while USERPAGE_LINK below passes the bare name - confirm its signature.
            $name = '';
            if($row['user_id'] > 1) $name .= '<a href="'.makeUrlNS('User', sanitize_page_id(' ', '_', $row['name'])).'">';
            $name .= $row['name'];
            if($row['user_id'] > 1) $name .= '</a>';
            $strings['NAME'] = $name; unset($name);

            // Subject, with an "awaiting approval" marker that only moderators can reach
            $s = $row['subject'];
            if(!$row['approved']) $s .= ' <span style="color: #D84308">' . $lang->get('comment_msg_note_unapp') . '</span>';
            $strings['SUBJECT'] = $s;

            // Date and time
            $strings['DATETIME'] = enano_date('F d, Y h:i a', $row['time']);

            // User level -> localized label; unknown levels fall through to the guest label
            switch($row['user_level'])
            {
                default:
                case USER_LEVEL_GUEST:
                    $l = $lang->get('user_type_guest');
                    break;
                case USER_LEVEL_MEMBER:
                case USER_LEVEL_CHPREF:
                    $l = $lang->get('user_type_member');
                    break;
                case USER_LEVEL_MOD:
                    $l = $lang->get('user_type_mod');
                    break;
                case USER_LEVEL_ADMIN:
                    $l = $lang->get('user_type_admin');
                    break;
            }
            $strings['USER_LEVEL'] = $l; unset($l);

            // The actual comment data
            $strings['DATA'] = RenderMan::render($row['comment_data']);

            // Edit/delete links are emitted on the edit_comments permission alone; the
            // per-comment ownership check is expressed separately via $bool['can_edit']
            if($session->get_permissions('edit_comments'))
            {
                // Edit link
                $strings['EDIT_LINK'] = '<a href="'.makeUrlNS($namespace, $page_id, 'do=comments&sub=editcomment&id=' . $row['comment_id']) . '" id="editbtn_' . $i . '">' . $lang->get('comment_btn_edit') . '</a>';

                // Delete link
                $strings['DELETE_LINK'] = '<a href="'.makeUrlNS($namespace, $page_id, 'do=comments&sub=deletecomment&id=' . $row['comment_id']) . '">' . $lang->get('comment_btn_delete') . '</a>';
            }
            else
            {
                // Edit link
                $strings['EDIT_LINK'] = '';

                // Delete link
                $strings['DELETE_LINK'] = '';
            }

            // Send PM link (only for logged-in viewers and only towards registered authors)
            $strings['SEND_PM_LINK'] = ( $session->user_logged_in && $row['user_id'] > 1 ) ? '<a href="'.makeUrlNS('Special', 'PrivateMessages/Compose/To/' . $row['name']) . '">' . $lang->get('comment_btn_send_privmsg') . '</a><br />' : '';

            // Add Buddy link (same conditions)
            $strings['ADD_BUDDY_LINK'] = ( $session->user_logged_in && $row['user_id'] > 1 ) ? '<a href="'.makeUrlNS('Special', 'PrivateMessages/FriendList/Add/' . $row['name']) . '">' . $lang->get('comment_btn_add_buddy') . '</a>' : '';

            // Mod links - always built; whether the template shows them is governed by $bool['auth_mod']
            $applink = '';
            $applink .= '<a href="'.makeUrlNS($namespace, $page_id, 'do=comments&sub=admin&action=approve&id=' . $row['comment_id']) . '" id="mdgApproveLink' . $i . '">';
            if($row['approved']) $applink .= $lang->get('comment_btn_mod_unapprove');
            else $applink .= $lang->get('comment_btn_mod_approve');
            $applink .= '</a>';
            $strings['MOD_APPROVE_LINK'] = $applink; unset($applink);
            $strings['MOD_DELETE_LINK'] = '<a href="'.makeUrlNS($namespace, $page_id, 'do=comments&sub=admin&action=delete&id=' . $row['comment_id']) . '">' . $lang->get('comment_btn_mod_delete') . '</a>';
            // IP lookup is not implemented; only a placeholder label is shown
            $strings['MOD_IP_LINK'] = '<span style="opacity: 0.5; filter: alpha(opacity=50);">' . ( ( empty($row['ip_address']) ) ? $lang->get('comment_btn_mod_ip_missing') : $lang->get('comment_btn_mod_ip_notimplemented') ) . '</span>';

            // Signature
            $strings['SIGNATURE'] = '';
            if($row['signature'] != '') $strings['SIGNATURE'] = RenderMan::render($row['signature']);

            // Avatar
            if ( $row['user_has_avatar'] == 1 )
            {
                $bool['user_has_avatar'] = true;
                $strings['AVATAR_ALT'] = $lang->get('usercp_avatar_image_alt', array('username' => $row['name']));
                $strings['AVATAR_URL'] = make_avatar_url(intval($row['user_id']), $row['avatar_type'], $row['email']);
                $strings['USERPAGE_LINK'] = makeUrlNS('User', $row['name']);
            }

            // Template switches: moderator status, ownership-or-moderator edit right, signature presence
            $bool['auth_mod'] = ($session->get_permissions('mod_comments')) ? true : false;
            $bool['can_edit'] = ( ( $session->user_logged_in && $row['name'] == $session->username && $session->get_permissions('edit_comments') ) || $session->get_permissions('mod_comments') ) ? true : false;
            $bool['signature'] = ( $strings['SIGNATURE'] == '' ) ? false : true;

            // Done processing and compiling, now let's cook it into HTML
            $tpl->assign_vars($strings);
            $tpl->assign_bool($bool);
            $_ob .= $tpl->run();
        }
    }
    // Post form: shown unless comments_need_login = '2' (members only) blocks an anonymous viewer
    if(getConfig('comments_need_login') != '2' || $session->user_logged_in)
    {
        if($session->get_permissions('post_comments'))
        {
            $_ob .= '<h3>' . $lang->get('comment_postform_title') . '</h3>';
            $_ob .= $lang->get('comment_postform_blurb');
            if(getConfig('approve_comments', '0')=='1') $_ob .= ' ' . $lang->get('comment_postform_blurb_unapp');
            if(getConfig('comments_need_login') == '1' && !$session->user_logged_in)
            {
                $_ob .= ' ' . $lang->get('comment_postform_blurb_captcha');
            }
            // Logged-in users get their name as a hidden field; anonymous posters get a text box
            $sn = $session->user_logged_in ? $session->username . '<input name="name" id="mdgScreenName" type="hidden" value="' . $session->username . '" />' : '<input name="name" id="mdgScreenName" type="text" size="35" />';
            // The form starts hidden behind the mdgCommentFormLink toggle (see the final echo below)
            $_ob .= ' <a href="#" id="mdgCommentFormLink" style="display: none;" onclick="document.getElementById(\'mdgCommentForm\').style.display=\'block\';this.style.display=\'none\';return false;">' . $lang->get('comment_postform_blurb_link') . '</a>
<div id="mdgCommentForm">
<form action="'.makeUrlNS($namespace, $page_id, 'do=comments&sub=postcomment').'" method="post" style="margin-left: 1em">
<table border="0">
<tr><td>' . $lang->get('comment_postform_field_name') . '</td><td>' . $sn . '</td></tr>
<tr><td>' . $lang->get('comment_postform_field_subject') . '</td><td><input name="subj" id="mdgSubject" type="text" size="35" /></td></tr>';
            // CAPTCHA row for anonymous posters when comments_need_login = '1'; a fresh
            // challenge replaces any previous one for this session
            if(getConfig('comments_need_login') == '1' && !$session->user_logged_in)
            {
                $session->kill_captcha();
                $captcha = $session->make_captcha();
                $_ob .= '<tr><td>' . $lang->get('comment_postform_field_captcha_title') . '<br /><small>' . $lang->get('comment_postform_field_captcha_blurb') . '</small></td><td><img src="'.makeUrlNS('Special', 'Captcha/' . $captcha) . '" alt="Visual confirmation" style="cursor: pointer;" onclick="this.src = \''.makeUrlNS("Special", "Captcha/".$captcha).'/\'+Math.floor(Math.random() * 100000);" /><input name="captcha_id" id="mdgCaptchaID" type="hidden" value="' . $captcha . '" /><br />' . $lang->get('comment_postform_field_captcha_label') . ' <input name="captcha_input" id="mdgCaptchaInput" type="text" size="10" /><br /><small><script type="text/javascript">document.write("' . $lang->get('comment_postform_field_captcha_cantread_js') . '");</script><noscript>' . $lang->get('comment_postform_field_captcha_cantread_nojs') . '</noscript></small></td></tr>';
            }
            $_ob .= '
<tr><td valign="top">' . $lang->get('comment_postform_field_comment') . '</td><td><textarea name="text" id="mdgCommentArea" rows="10" cols="40"></textarea></td></tr>
<tr><td colspan="2" style="text-align: center;"><input type="submit" value="' . $lang->get('comment_postform_btn_submit') . '" /></td></tr>
</table>
</form>
</div>';
        }
    } else {
        // NOTE(review): '%2523' looks like a double-encoded '#' meant to survive the login
        // redirect; this prompt is the one string in the method not routed through $lang - confirm intent.
        $_ob .= '<h3>Got something to say?</h3><p>You need to be logged in to post comments. <a href="'.makeUrlNS('Special', 'Login/' . $pname . '%2523comments').'">Log in</a></p>';
    }
    $list .= '};';
    // Javascript side: inject the HTML, publish the list object, then (presumably via the
    // client's Fat library) fade and collapse the form behind its toggle link
    echo 'document.getElementById(\'ajaxEditContainer\').innerHTML = unescape(\''. rawurlencode($_ob) .'\');
' . $list;
    echo 'Fat.fade_all(); document.getElementById(\'mdgCommentForm\').style.display = \'none\'; document.getElementById(\'mdgCommentFormLink\').style.display="inline";';

    $ret = ob_get_contents();
    ob_end_clean();
    return Array($ret, $_ob);

}
/**
 * Generates ready-to-execute Javascript code to be eval'ed by the user's browser to display comments.
 *
 * Thin wrapper around comments_raw(): returns only the Javascript half
 * (element 0) of its result.
 *
 * @param $page_id the page ID
 * @param $namespace the namespace
 * @param $action administrative action to perform, default is false
 * @param $id forwarded unchanged as comments_raw()'s $flags argument (addcomment() passes an array here)
 * @param $_ob text to prepend to output, used by PageUtils::addcomment
 * @return string
 */
public static function comments($page_id, $namespace, $action = false, $id = -1, $_ob = '')
{
    global $db, $session, $paths, $template, $plugins; // Common objects
    // comments_raw() returns array(javascript, html); only the first element is wanted here
    list($javascript) = PageUtils::comments_raw($page_id, $namespace, $action, $id, $_ob);
    return $javascript;
}
/**
 * Generates HTML code for comments - used in browser compatibility mode.
 *
 * Thin wrapper around comments_raw(): returns only the HTML half
 * (element 1) of its result, discarding the Javascript.
 *
 * @param $page_id the page ID
 * @param $namespace the namespace
 * @param $action administrative action to perform, default is false
 * @param $id forwarded unchanged as comments_raw()'s $flags argument
 * @param $_ob text to prepend to output, used by PageUtils::addcomment
 * @return string
 */
public static function comments_html($page_id, $namespace, $action = false, $id = -1, $_ob = '')
{
    global $db, $session, $paths, $template, $plugins; // Common objects
    // comments_raw() returns array(javascript, html); skip the Javascript element
    list(, $html) = PageUtils::comments_raw($page_id, $namespace, $action, $id, $_ob);
    return $html;
}
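/**
 * Updates comment data, locating the target comment by its old subject and text.
 *
 * This is the legacy content-matching variant (see savecomment_neater for the
 * comment_id based one): the UPDATE carries no comment_id and no LIMIT, so every
 * comment on the page with an identical subject and body is rewritten.
 * Non-moderators may only edit a comment whose stored name equals their session
 * username; moderators skip that check.
 *
 * @param $page_id the page ID
 * @param $namespace the namespace
 * @param $subject new subject
 * @param $text new text
 * @param $old_subject the old subject, unprocessed and identical to the value in the DB
 * @param $old_text the old text, unprocessed and identical to the value in the DB
 * @param $id the javascript list ID, used internally by the client-side app; coerced to an integer
 * @return string javascript statements: result="GOOD" plus the updated list entries, or result="BAD" with an error
 */
public static function savecomment($page_id, $namespace, $subject, $text, $old_subject, $old_text, $id = -1)
{
    global $db, $session, $paths, $template, $plugins; // Common objects
    if(!$session->get_permissions('edit_comments'))
        return 'result="BAD";error="Access denied"';
    // $id is echoed verbatim into executable Javascript below. It is a list index,
    // so coerce it to an integer before it can carry anything else (same policy as
    // the intval() calls elsewhere in this class).
    $id = intval($id);
    // Avoid SQL injection
    $old_text = $db->escape($old_text);
    $old_subject = $db->escape($old_subject);
    // Safety check - username/login
    if(!$session->get_permissions('mod_comments')) // allow mods to edit comments
    {
        if(!$session->user_logged_in) _die('AJAX comment save safety check failed because you are not logged in. Sometimes this can happen because you are using a browser that does not send cookies as part of AJAX requests.<br /><br />Please log in and try again.');
        // NOTE(review): $page_id and $namespace are interpolated without $db->escape(),
        // consistent with the rest of this class; presumably validated upstream - confirm.
        $q = 'SELECT c.name FROM ' . table_prefix.'comments c, ' . table_prefix.'users u WHERE comment_data=\'' . $old_text . '\' AND subject=\'' . $old_subject . '\' AND page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND u.user_id=c.user_id;';
        $s = $db->sql_query($q);
        if(!$s) _die('SQL error during safety check: '.$db->get_error().'<br /><br />Attempted SQL:<br /><pre>'.htmlspecialchars($q).'</pre>');
        $r = $db->fetchrow($s);
        // Inspect the result set before releasing it (previously numrows() ran after
        // free_result(); savecomment_neater already uses this order). The row must exist
        // and belong to the current user; strict comparison so numeric-looking names are
        // not compared as numbers.
        if($db->numrows() < 1 || $r['name'] !== $session->username) _die('Safety check failed, probably due to a hacking attempt.');
        $db->free_result();
    }
    // New values get the same preprocessing as at insert time
    $s = RenderMan::preprocess_text($subject);
    $t = RenderMan::preprocess_text($text);
    $sql = 'UPDATE ' . table_prefix.'comments SET subject=\'' . $s . '\',comment_data=\'' . $t . '\' WHERE comment_data=\'' . $old_text . '\' AND subject=\'' . $old_subject . '\' AND page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\'';
    $result = $db->sql_query($sql);
    if($result)
    {
        // The {{EnAnO:Newline}} shuffle shields literal "\n" sequences from stripslashes()
        // so the client receives real newlines (%0A) in the raw list entries and <br /> tags
        // in the rendered preview (t).
        return 'result="GOOD";
list[' . $id . '][\'subject\'] = unescape(\''.str_replace('%5Cn', '%0A', rawurlencode(str_replace('{{EnAnO:Newline}}', '\\n', stripslashes(str_replace('\\n', '{{EnAnO:Newline}}', $s))))).'\');
list[' . $id . '][\'comment\'] = unescape(\''.str_replace('%5Cn', '%0A', rawurlencode(str_replace('{{EnAnO:Newline}}', '\\n', stripslashes(str_replace('\\n', '{{EnAnO:Newline}}', $t))))).'\'); id = ' . $id . ';
s = unescape(\''.rawurlencode($s).'\');
t = unescape(\''.str_replace('%5Cn', '<br \\/>', rawurlencode(RenderMan::render(str_replace('{{EnAnO:Newline}}', "\n", stripslashes(str_replace('\\n', '{{EnAnO:Newline}}', $t)))))).'\');';
    }
    else
    {
        // NOTE(review): the failure message returns the executed SQL and the MySQL error to the client.
        return 'result="BAD"; error=unescape("'.rawurlencode('Enano encountered a problem whilst saving the comment.
Performed SQL:
' . $sql . '

Error returned by MySQL: '.$db->get_error()).'");';
    }
}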
/**
* Updates comment data using the comment_id column instead of the old, messy way
* @param $page_id the page ID
* @param $namespace the namespace
* @param $subject new subject
* @param $text new text
* @param $id the comment ID (primary key in enano_comments table)
* @return string
*/
public static function savecomment_neater($page_id, $namespace, $subject, $text, $id)
1
+ − 942
{
+ − 943
global $db, $session, $paths, $template, $plugins; // Common objects
+ − 944
if(!is_int($id)) die('PageUtils::savecomment: $id is not an integer, aborting for safety');
+ − 945
if(!$session->get_permissions('edit_comments'))
+ − 946
return 'Access denied';
+ − 947
// Safety check - username/login
+ − 948
if(!$session->get_permissions('mod_comments')) // allow mods to edit comments
+ − 949
{
+ − 950
if(!$session->user_logged_in) _die('AJAX comment save safety check failed because you are not logged in. Sometimes this can happen because you are using a browser that does not send cookies as part of AJAX requests.<br /><br />Please log in and try again.');
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 951
$q = 'SELECT c.name FROM ' . table_prefix.'comments c, ' . table_prefix.'users u WHERE comment_id=' . $id . ' AND page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND u.user_id=c.user_id;';
1
+ − 952
$s = $db->sql_query($q);
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 953
if(!$s) _die('SQL error during safety check: '.$db->get_error().'<br /><br />Attempted SQL:<br /><pre>'.htmlspecialchars($q).'</pre>');
1
+ − 954
$r = $db->fetchrow($s);
+ − 955
if($db->numrows() < 1 || $r['name'] != $session->username) _die('Safety check failed, probably due to a hacking attempt.');
+ − 956
$db->free_result();
+ − 957
}
+ − 958
$s = RenderMan::preprocess_text($subject);
+ − 959
$t = RenderMan::preprocess_text($text);
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 960
$sql = 'UPDATE ' . table_prefix.'comments SET subject=\'' . $s . '\',comment_data=\'' . $t . '\' WHERE comment_id=' . $id . ' AND page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\'';
1
+ − 961
$result = $db->sql_query($sql);
+ − 962
if($result)
+ − 963
return 'good';
+ − 964
else return 'Enano encountered a problem whilst saving the comment.
+ − 965
Performed SQL:
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 966
' . $sql . '
1
+ − 967
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 968
Error returned by MySQL: '.$db->get_error();
1
+ − 969
}
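/**
 * Deletes a comment, matching it by poster name, subject and text (the old way).
 * Non-moderators may only delete comments posted under their own username.
 * @param $page_id the page ID
 * @param $namespace the namespace
 * @param $name the name the user posted under
 * @param $subj the subject of the comment to be deleted
 * @param $text the text of the comment to be deleted
 * @param $id the javascript list ID, used internally by the client-side app
 * @return string 'good' on success, otherwise a javascript snippet reporting the error
 */

public static function deletecomment($page_id, $namespace, $name, $subj, $text, $id)
{
  global $db, $session, $paths, $template, $plugins; // Common objects

  if(!$session->get_permissions('edit_comments'))
    return 'alert("Access to delete/edit comments is denied");';

  // $id is only a client-side list index, but it still has to be numeric
  if(!preg_match('#^([0-9]+)$#', (string)$id)) die('$_GET[id] is improperly formed.');
  $n = $db->escape($name);
  $s = $db->escape($subj);
  $t = $db->escape($text);
  // page_id and namespace are quoted into SQL as well; escape them like rename()/flushlogs() do
  $p = $db->escape($page_id);
  $ns = $db->escape($namespace);

  // Safety check - username/login
  if(!$session->get_permissions('mod_comments')) // allows mods to delete comments
  {
    if(!$session->user_logged_in) _die('AJAX comment save safety check failed because you are not logged in. Sometimes this can happen because you are using a browser that does not send cookies as part of AJAX requests.<br /><br />Please log in and try again.');
    // Match on the same (name, subject, text) the DELETE below will use, so the row
    // whose name is compared with the session is the row that actually gets deleted
    $q = 'SELECT c.name FROM ' . table_prefix.'comments c, ' . table_prefix.'users u WHERE comment_data=\'' . $t . '\' AND subject=\'' . $s . '\' AND c.name=\'' . $n . '\' AND page_id=\'' . $p . '\' AND namespace=\'' . $ns . '\' AND u.user_id=c.user_id;';
    // Keep the result in its own variable: $s (the escaped subject) is needed again below
    $res = $db->sql_query($q);
    if(!$res) _die('SQL error during safety check: '.$db->get_error().'<br /><br />Attempted SQL:<br /><pre>'.htmlspecialchars($q).'</pre>');
    $r = $db->fetchrow($res);
    if($db->numrows() < 1 || $r['name'] != $session->username) _die('Safety check failed, probably due to a hacking attempt.');
    $db->free_result();
  }
  $q = 'DELETE FROM ' . table_prefix.'comments WHERE page_id=\'' . $p . '\' AND namespace=\'' . $ns . '\' AND name=\'' . $n . '\' AND subject=\'' . $s . '\' AND comment_data=\'' . $t . '\' LIMIT 1;';
  $e=$db->sql_query($q);
  // "unescape" was misspelled "unesape", so the error alert itself failed client-side
  if(!$e) return('alert(unescape(\''.rawurlencode('Error during query: '.$db->get_error().'\n\nQuery:\n' . $q) . '\'));');
  return('good');
}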
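/**
 * Deletes a comment in a cleaner fashion, by its primary key.
 * Non-moderators may only delete comments posted under their own username.
 * @param $page_id the page ID
 * @param $namespace the namespace
 * @param $id the comment ID (primary key); must be all digits
 * @return string 'good' on success, otherwise a javascript snippet reporting the error
 */

public static function deletecomment_neater($page_id, $namespace, $id)
{
  global $db, $session, $paths, $template, $plugins; // Common objects

  // $id is interpolated into SQL unquoted, so it must be all digits
  if(!preg_match('#^([0-9]+)$#', (string)$id)) die('$_GET[id] is improperly formed.');

  if(!$session->get_permissions('edit_comments'))
    return 'alert("Access to delete/edit comments is denied");';

  // page_id and namespace are quoted into SQL below; escape them like rename()/flushlogs() do
  $p = $db->escape($page_id);
  $ns = $db->escape($namespace);

  // Safety check - username/login
  if(!$session->get_permissions('mod_comments')) // allows mods to delete comments
  {
    if(!$session->user_logged_in) _die('AJAX comment save safety check failed because you are not logged in. Sometimes this can happen because you are using a browser that does not send cookies as part of AJAX requests.<br /><br />Please log in and try again.');
    // The comment must exist on this page and carry the current user's name
    $q = 'SELECT c.name FROM ' . table_prefix.'comments c, ' . table_prefix.'users u WHERE comment_id=' . $id . ' AND page_id=\'' . $p . '\' AND namespace=\'' . $ns . '\' AND u.user_id=c.user_id;';
    $res = $db->sql_query($q);
    if(!$res) _die('SQL error during safety check: '.$db->get_error().'<br /><br />Attempted SQL:<br /><pre>'.htmlspecialchars($q).'</pre>');
    $r = $db->fetchrow($res);
    if($db->numrows() < 1 || $r['name'] != $session->username) _die('Safety check failed, probably due to a hacking attempt.');
    $db->free_result();
  }
  $q = 'DELETE FROM ' . table_prefix.'comments WHERE page_id=\'' . $p . '\' AND namespace=\'' . $ns . '\' AND comment_id=' . $id . ' LIMIT 1;';
  $e=$db->sql_query($q);
  // "unescape" was misspelled "unesape", so the error alert itself failed client-side
  if(!$e) return('alert(unescape(\''.rawurlencode('Error during query: '.$db->get_error().'\n\nQuery:\n' . $q) . '\'));');
  return('good');
}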
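/**
 * Renames a page (changes its display name; the URL name is untouched).
 * @param $page_id the page ID of the page to rename
 * @param $namespace the namespace of the page to rename
 * @param $name the new name for the page
 * @return string error string or success message
 */

public static function rename($page_id, $namespace, $name)
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  global $lang;

  $pname = $paths->nslist[$namespace] . $page_id;
  // Metadata of the page being renamed. Guarded with isset() so a request for a
  // page that is not in the page table does not raise notices.
  $page_data = isset($paths->pages[$pname]) ? $paths->pages[$pname] : array();
  $protection = isset($page_data['protected']) ? $page_data['protected'] : 0;
  $old_name = isset($page_data['name']) ? $page_data['name'] : '';

  // protected == 1: full protection. protected == 2: semi-protection, which this
  // expression applies to logged-in accounts older than four days.
  // NOTE(review): that reads inverted for "semi-protection" (it normally targets
  // new accounts); kept as-is -- confirm against the session/ACL code.
  $prot = ( ( $protection == 2 && $session->user_logged_in && $session->reg_time + 60*60*24*4 < time() ) || $protection == 1 ) ? true : false;

  // A name consisting only of whitespace is as unusable as an empty one
  if ( $name === null || trim((string)$name) === '' )
  {
    return($lang->get('ajax_rename_too_short'));
  }
  // Rename needs the 'rename' permission, plus 'even_when_protected' for protected
  // pages, and the *target* namespace must not be a system (Special/Admin) one.
  // NOTE(review): the permission lookup uses the global session ACL rather than
  // $session->fetch_page_acl($page_id, $namespace) as deletepage() does, so it is
  // only accurate when $paths already points at the target page -- confirm.
  if( ( $session->get_permissions('rename') && ( ( $prot && $session->get_permissions('even_when_protected') ) || !$prot ) ) && ( $namespace != 'Special' && $namespace != 'Admin' ))
  {
    // Log the rename against the page actually being renamed, recording its old name
    $e = $db->sql_query('INSERT INTO ' . table_prefix.'logs(time_id,date_string,log_type,action,page_id,namespace,author,edit_summary) VALUES('.time().', \''.enano_date('d M Y h:i a').'\', \'page\', \'rename\', \'' . $db->escape($page_id) . '\', \'' . $db->escape($namespace) . '\', \'' . $db->escape($session->username) . '\', \'' . $db->escape($old_name) . '\')');
    if ( !$e )
    {
      $db->_die('The page title could not be updated.');
    }
    $e = $db->sql_query('UPDATE ' . table_prefix.'pages SET name=\'' . $db->escape($name) . '\' WHERE urlname=\'' . $db->escape($page_id) . '\' AND namespace=\'' . $db->escape($namespace) . '\';');
    if ( !$e )
    {
      $db->_die('The page title could not be updated.');
    }
    else
    {
      $subst = array(
        'page_name_old' => $old_name,
        'page_name_new' => $name
      );
      return $lang->get('ajax_rename_success', $subst);
    }
  }
  else
  {
    return($lang->get('etc_access_denied'));
  }
}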
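/**
 * Flushes (clears) the action logs for a given page. If the page exists, a fresh
 * backup revision of its current text is written into the logs afterwards so the
 * page can still be reverted if it is vandalized.
 * @param $page_id the page ID
 * @param $namespace the namespace
 * @return string error/success string
 */

public static function flushlogs($page_id, $namespace)
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  global $lang;
  if ( !is_object($lang) && defined('IN_ENANO_INSTALL') )
  {
    // This is a special exception for the Enano installer, which doesn't init languages yet.
    $lang = new Language('eng');
  }
  // The installer may clear logs without a session; everybody else needs clear_logs
  if(!$session->get_permissions('clear_logs') && !defined('IN_ENANO_INSTALL'))
  {
    return $lang->get('etc_access_denied');
  }
  // Clearing logs is destructive, so a live re-authentication (sid_super) is required.
  // NOTE(review): unlike the permission check above this is not exempted for
  // IN_ENANO_INSTALL; confirm the installer either sets sid_super or never gets here.
  if ( !$session->sid_super )
  {
    return $lang->get('etc_access_denied_need_reauth');
  }
  // page_id and namespace are quoted into every query below; escape them once
  $page_id_db = $db->escape($page_id);
  $namespace_db = $db->escape($namespace);
  $e = $db->sql_query('DELETE FROM ' . table_prefix.'logs WHERE page_id=\'' . $page_id_db . '\' AND namespace=\'' . $namespace_db . '\';');
  if(!$e) $db->_die('The log entries could not be deleted.');

  // If the page exists, make a backup of it in case it gets spammed/vandalized
  // If not, the admin's probably deleting a trash page
  if ( isset($paths->pages[ $paths->nslist[$namespace] . $page_id ]) )
  {
    $e = $db->sql_query('SELECT page_text,char_tag FROM ' . table_prefix.'page_text WHERE page_id=\'' . $page_id_db . '\' AND namespace=\'' . $namespace_db . '\';');
    if(!$e) $db->_die('The current page text could not be selected; as a result, creating the backup of the page failed. Please make a backup copy of the page by clicking Edit this page and then clicking Save Changes.');
    $row = $db->fetchrow();
    $db->free_result();
    // The page is listed but has no text row: there is nothing to back up, and
    // indexing into a false result would insert an empty revision, so skip it
    if ( $row )
    {
      // MySQL accepts a boolean literal for minor_edit; the other layers want an integer
      $minor_edit = ( ENANO_DBLAYER == 'MYSQL' ) ? 'false' : '0';
      $q='INSERT INTO ' . table_prefix.'logs(log_type,action,time_id,date_string,page_id,namespace,page_text,char_tag,author,edit_summary,minor_edit) VALUES(\'page\', \'edit\', '.time().', \''.enano_date('d M Y h:i a').'\', \'' . $page_id_db . '\', \'' . $namespace_db . '\', \'' . $db->escape($row['page_text']) . '\', \'' . $db->escape($row['char_tag']) . '\', \'' . $db->escape($session->username) . '\', \''."Automatic backup created when logs were purged".'\', '.$minor_edit.');';
      if(!$db->sql_query($q)) $db->_die('The history (log) entry could not be inserted into the logs table.');
    }
  }
  return $lang->get('ajax_clearlogs_success');
}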
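/**
 * Deletes a page together with its text, categorization entries, comments and
 * (for File: pages) its file record, after writing a 'delete' entry to the logs.
 * @param string $page_id the condemned page ID
 * @param string $namespace the condemned namespace
 * @param string $reason The reason for deleting the page in question (required)
 * @return string error/success string
 */

public static function deletepage($page_id, $namespace, $reason)
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  global $lang;
  global $cache;
  // The ACL is evaluated against the page being deleted, not the page being viewed
  $perms = $session->fetch_page_acl($page_id, $namespace);
  $x = trim($reason);
  if ( $x === '' )
  {
    return $lang->get('ajax_delete_need_reason');
  }
  if(!$perms->get_permissions('delete_page')) return('Administrative privileges are required to delete pages, you loser.');

  // Deletion is destructive, so a live re-authentication (sid_super) is required
  if ( !$session->sid_super )
  {
    return $lang->get('etc_access_denied_need_reauth');
  }

  // Every query below quotes these into SQL; escape them once, as rename() does
  $page_id_db = $db->escape($page_id);
  $namespace_db = $db->escape($namespace);
  $author_db = $db->escape($session->username);

  $e = $db->sql_query('INSERT INTO ' . table_prefix.'logs(time_id,date_string,log_type,action,page_id,namespace,author,edit_summary) VALUES('.time().', \''.enano_date('d M Y h:i a').'\', \'page\', \'delete\', \'' . $page_id_db . '\', \'' . $namespace_db . '\', \'' . $author_db . '\', \'' . $db->escape(htmlspecialchars($reason)) . '\')');
  if(!$e) $db->_die('The page log entry could not be inserted.');
  $e = $db->sql_query('DELETE FROM ' . table_prefix.'categories WHERE page_id=\'' . $page_id_db . '\' AND namespace=\'' . $namespace_db . '\'');
  if(!$e) $db->_die('The page categorization entries could not be deleted.');
  $e = $db->sql_query('DELETE FROM ' . table_prefix.'comments WHERE page_id=\'' . $page_id_db . '\' AND namespace=\'' . $namespace_db . '\'');
  if(!$e) $db->_die('The page comments could not be deleted.');
  $e = $db->sql_query('DELETE FROM ' . table_prefix.'page_text WHERE page_id=\'' . $page_id_db . '\' AND namespace=\'' . $namespace_db . '\'');
  if(!$e) $db->_die('The page text entry could not be deleted.');
  $e = $db->sql_query('DELETE FROM ' . table_prefix.'pages WHERE urlname=\'' . $page_id_db . '\' AND namespace=\'' . $namespace_db . '\'');
  if(!$e) $db->_die('The page entry could not be deleted.');
  if ( $namespace == 'File' )
  {
    // Only the database record is removed here; the uploaded file stays on disk.
    // NOTE(review): delete_page_files() covers the on-disk side -- confirm whether
    // it is deliberately not called (e.g. to keep undeletion possible).
    $e = $db->sql_query('DELETE FROM ' . table_prefix.'files WHERE page_id=\'' . $page_id_db . '\'');
    if(!$e) $db->_die('The file entry could not be deleted.');
  }
  // Page metadata is cached; drop it so the deleted page disappears immediately
  $cache->purge('page_meta');
  return $lang->get('ajax_delete_success');
}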
/**
* Deletes files associated with a File page.
* @param string Page ID
*/
public static function delete_page_files($page_id)
{
global $db, $session, $paths, $template, $plugins; // Common objects
$q = $db->sql_query('SELECT file_id, filename, file_key, time_id, file_extension FROM ' . table_prefix . "files WHERE page_id = '{$db->escape($page_id)}';");
if ( !$q )
$db->_die();
while ( $row = $db->fetchrow() )
{
// wipe original file
c75754f5b1da
When changing namespace of a File: page, associated files are now deleted. Also fixed some issues with image scaling.
Dan
diff
changeset
+ − 1197
foreach ( array(
c75754f5b1da
When changing namespace of a File: page, associated files are now deleted. Also fixed some issues with image scaling.
Dan
diff
changeset
+ − 1198
ENANO_ROOT . "/files/{$row['file_key']}_{$row['time_id']}{$row['file_extension']}",
c75754f5b1da
When changing namespace of a File: page, associated files are now deleted. Also fixed some issues with image scaling.
Dan
diff
changeset
+ − 1199
ENANO_ROOT . "/files/{$row['file_key']}{$row['file_extension']}"
c75754f5b1da
When changing namespace of a File: page, associated files are now deleted. Also fixed some issues with image scaling.
Dan
diff
changeset
+ − 1200
) as $orig_file )
c75754f5b1da
When changing namespace of a File: page, associated files are now deleted. Also fixed some issues with image scaling.
Dan
diff
changeset
+ − 1201
{
c75754f5b1da
When changing namespace of a File: page, associated files are now deleted. Also fixed some issues with image scaling.
Dan
diff
changeset
+ − 1202
if ( file_exists($orig_file) )
c75754f5b1da
When changing namespace of a File: page, associated files are now deleted. Also fixed some issues with image scaling.
Dan
diff
changeset
+ − 1203
@unlink($orig_file);
c75754f5b1da
When changing namespace of a File: page, associated files are now deleted. Also fixed some issues with image scaling.
Dan
diff
changeset
+ − 1204
}
c75754f5b1da
When changing namespace of a File: page, associated files are now deleted. Also fixed some issues with image scaling.
Dan
diff
changeset
+ − 1205
c75754f5b1da
When changing namespace of a File: page, associated files are now deleted. Also fixed some issues with image scaling.
Dan
diff
changeset
+ − 1206
// wipe cached files
c75754f5b1da
When changing namespace of a File: page, associated files are now deleted. Also fixed some issues with image scaling.
Dan
diff
changeset
+ − 1207
if ( $dr = @opendir(ENANO_ROOT . '/cache/') )
c75754f5b1da
When changing namespace of a File: page, associated files are now deleted. Also fixed some issues with image scaling.
Dan
diff
changeset
+ − 1208
{
c75754f5b1da
When changing namespace of a File: page, associated files are now deleted. Also fixed some issues with image scaling.
Dan
diff
changeset
+ − 1209
// lol404.jpg-1217958283-200x320.jpg
c75754f5b1da
When changing namespace of a File: page, associated files are now deleted. Also fixed some issues with image scaling.
Dan
diff
changeset
+ − 1210
while ( $dh = @readdir($dr) )
c75754f5b1da
When changing namespace of a File: page, associated files are now deleted. Also fixed some issues with image scaling.
Dan
diff
changeset
+ − 1211
{
c75754f5b1da
When changing namespace of a File: page, associated files are now deleted. Also fixed some issues with image scaling.
Dan
diff
changeset
+ − 1212
$regexp = ':^' . preg_quote("{$row['filename']}-{$row['time_id']}-") . '[0-9]+x[0-9]+\.' . ltrim($row['file_extension'], '.') . '$:';
c75754f5b1da
When changing namespace of a File: page, associated files are now deleted. Also fixed some issues with image scaling.
Dan
diff
changeset
+ − 1213
if ( preg_match($regexp, $dh) )
c75754f5b1da
When changing namespace of a File: page, associated files are now deleted. Also fixed some issues with image scaling.
Dan
diff
changeset
+ − 1214
{
c75754f5b1da
When changing namespace of a File: page, associated files are now deleted. Also fixed some issues with image scaling.
Dan
diff
changeset
+ − 1215
@unlink(ENANO_ROOT . "/cache/$dh");
c75754f5b1da
When changing namespace of a File: page, associated files are now deleted. Also fixed some issues with image scaling.
Dan
diff
changeset
+ − 1216
}
c75754f5b1da
When changing namespace of a File: page, associated files are now deleted. Also fixed some issues with image scaling.
Dan
diff
changeset
+ − 1217
}
c75754f5b1da
When changing namespace of a File: page, associated files are now deleted. Also fixed some issues with image scaling.
Dan
diff
changeset
+ − 1218
@closedir($dr);
c75754f5b1da
When changing namespace of a File: page, associated files are now deleted. Also fixed some issues with image scaling.
Dan
diff
changeset
+ − 1219
}
c75754f5b1da
When changing namespace of a File: page, associated files are now deleted. Also fixed some issues with image scaling.
Dan
diff
changeset
+ − 1220
}
c75754f5b1da
When changing namespace of a File: page, associated files are now deleted. Also fixed some issues with image scaling.
Dan
diff
changeset
+ − 1221
c75754f5b1da
When changing namespace of a File: page, associated files are now deleted. Also fixed some issues with image scaling.
Dan
diff
changeset
+ − 1222
$q = $db->sql_query('DELETE FROM ' . table_prefix . "files WHERE page_id = '{$db->escape($page_id)}';");
c75754f5b1da
When changing namespace of a File: page, associated files are now deleted. Also fixed some issues with image scaling.
Dan
diff
changeset
+ − 1223
if ( !$q )
c75754f5b1da
When changing namespace of a File: page, associated files are now deleted. Also fixed some issues with image scaling.
Dan
diff
changeset
+ − 1224
$db->die();
c75754f5b1da
When changing namespace of a File: page, associated files are now deleted. Also fixed some issues with image scaling.
Dan
diff
changeset
+ − 1225
c75754f5b1da
When changing namespace of a File: page, associated files are now deleted. Also fixed some issues with image scaling.
Dan
diff
changeset
+ − 1226
return true;
c75754f5b1da
When changing namespace of a File: page, associated files are now deleted. Also fixed some issues with image scaling.
Dan
diff
changeset
+ − 1227
}
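/**
 * Increments the deletion votes for a page by 1, and adds the current username/IP to the list
 * of users that have voted for the page to prevent dual-voting.
 * @param $page_id the page ID (sanitized here before use; callers may pass it raw)
 * @param $namespace the namespace; must be a key of $paths->nslist
 * @return string localized status message (access denied / already voted / success) or a
 *                plain-English error for special pages and unknown pages
 */
public static function delvote($page_id, $namespace)
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  global $lang;
  global $cache;

  if ( !$session->get_permissions('vote_delete') )
  {
    return $lang->get('etc_access_denied');
  }

  if ( $namespace == 'Admin' || $namespace == 'Special' || $namespace == 'System' )
  {
    return 'Special pages and system messages can\'t be voted for deletion.';
  }

  // An unknown namespace would otherwise resolve to an empty prefix (and a PHP notice)
  // and could match an Article page by accident; treat it as "no such page".
  if ( !isset($paths->nslist[$namespace]) )
  {
    return 'The page does not exist.';
  }

  // Use the sanitized ID for the lookup AND the update below, so the row we change is the
  // same one isPage() just confirmed exists.
  $page_id = sanitize_page_id($page_id);
  $pname = $paths->nslist[$namespace] . $page_id;

  if ( !isPage($pname) )
  {
    return 'The page does not exist.';
  }

  $cv =& $paths->pages[$pname]['delvotes'];
  $stored = $paths->pages[$pname]['delvote_ips'];

  // delvote_ips is a PHP-serialized array of the form array('ip' => [...], 'u' => [...]),
  // written only by this function (see the UPDATE below).
  // NOTE(review): unserialize() on DB contents is only acceptable while this column has no
  // other writer; a JSON encoding would remove the object-injection surface entirely.
  $votes = empty($stored) ? false : @unserialize($stored);
  if ( !is_array($votes) || !isset($votes['ip']) || !isset($votes['u']) )
  {
    $votes = array(
      'ip' => array(),
      'u' => array()
    );
  }

  $user = $session->username;
  $addr = $_SERVER['REMOTE_ADDR'];
  // strict comparison: both lists hold strings appended below
  if ( in_array($user, $votes['u'], true) || in_array($addr, $votes['ip'], true) )
  {
    return $lang->get('ajax_delvote_already_voted');
  }

  $votes['u'][] = $user;
  $votes['ip'][] = $addr;
  $cv++;

  // $page_id / $namespace originate from the request: escape both rather than trusting the caller
  $q = 'UPDATE ' . table_prefix . 'pages SET delvotes=' . intval($cv) . ',delvote_ips=\'' . $db->escape(serialize($votes)) . '\''
     . ' WHERE urlname=\'' . $db->escape($page_id) . '\' AND namespace=\'' . $db->escape($namespace) . '\'';
  $w = $db->sql_query($q);
  if ( !$w )
    $db->_die();

  // all done, flush page cache to mark it up (page_meta still holds the old vote count)
  $cache->purge('page_meta');

  return $lang->get('ajax_delvote_success');
}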
/**
 * Resets the number of votes against a page to 0, after recording the previous vote
 * record (count and voter list) in the logs table.
 * @param $page_id the page ID
 * @param $namespace the namespace
 * @return string localized status message: access denied, page not found, or success
 */
public static function resetdelvotes($page_id, $namespace)
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  global $lang;
  global $cache;

  if ( !$session->get_permissions('vote_reset') )
  {
    return $lang->get('etc_access_denied');
  }

  // Both identifiers reach every query below, so escape them once up front
  $page_id = $db->escape($page_id);
  $namespace = $db->escape($namespace);
  $pages_table = table_prefix . 'pages';

  // Fetch the current vote record so it can be preserved in the audit log
  $sql = "SELECT delvotes, delvote_ips FROM $pages_table WHERE urlname = '$page_id' AND namespace = '$namespace'";
  $result = $db->sql_query($sql);
  if ( !$result )
    $db->_die();
  if ( $db->numrows() < 1 )
    return $lang->get('page_err_page_not_exist');

  list($old_votes, $old_voters) = $db->fetchrow_num();
  $db->free_result();

  // Audit trail: who reset the votes, and what exactly was wiped
  $old_voters = $db->escape($old_voters);
  $actor = $db->escape($session->username);
  $now = time();
  $sql = 'INSERT INTO ' . table_prefix . "logs (time_id, log_type, action, edit_summary, page_text, author, page_id, namespace) VALUES\n"
       . " ( $now, 'page', 'votereset', '$old_votes', '$old_voters', '$actor', '$page_id', '$namespace' )";
  if ( !$db->sql_query($sql) )
    $db->_die();

  // Zero the counter and replace the voter list with an empty (serialized) record
  $blank_record = $db->escape(serialize(array('ip' => array(), 'u' => array())));
  $sql = "UPDATE $pages_table SET delvotes=0,delvote_ips='$blank_record' WHERE urlname='$page_id' AND namespace='$namespace'";
  if ( !$db->sql_query($sql) )
  {
    $db->_die('The number of delete votes was not reset.');
  }
  else
  {
    // vote counts live in the page_meta cache; purge so the reset is visible immediately
    $cache->purge('page_meta');
    return $lang->get('ajax_delvote_reset_success');
  }
}
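/**
 * Gets a list of styles for a given theme name. As of Banshee, this returns JSON.
 * The theme directory name is read from $_GET['id'] - the method takes no parameters -
 * and must match ^[a-z0-9_-]+$; that whitelist is the only thing keeping the value safe
 * to splice into a filesystem path.
 * @return string JSON: an array of style names (file names minus ".css") on success,
 *                false if the id is missing or malformed, or {mode:'error', error:...}
 *                if the theme's css directory does not exist
 */
public static function getstyles()
{
  // $_GET['id'] is untrusted. The 'D' modifier stops '$' from accepting a trailing newline
  // ("foo\n" would otherwise pass and end up in the path); the is_string check keeps an
  // array-valued parameter from reaching preg_match.
  if ( !isset($_GET['id']) || !is_string($_GET['id']) || !preg_match('/^([a-z0-9_-]+)$/D', $_GET['id']) )
    return enano_json_encode(false);

  $dir = './themes/' . $_GET['id'] . '/css/';
  if ( !is_dir($dir) )
  {
    return(enano_json_encode(Array('mode' => 'error', 'error' => $dir.' is not a dir')));
  }

  $list = Array();
  // Open a known directory, and proceed to read its contents
  if ( $dh = opendir($dir) )
  {
    while ( ($file = readdir($dh)) !== false )
    {
      // _printable.css should be included with every theme: it should be a copy of the
      // original style, but mostly black and white, so it is never offered as a choice
      if ( preg_match('#^(.*?)\.css$#is', $file) && $file != '_printable.css' )
      {
        $list[] = substr($file, 0, strlen($file) - 4); // strip ".css"
      }
    }
    closedir($dh);
  }

  return enano_json_encode($list);
}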
/**
 * Assembles a Javascript app with category information: the script part produced by
 * catedit_raw() followed by a statement that injects the HTML form into #ajaxEditContainer.
 * @param $page_id the page ID
 * @param $namespace the namespace
 * @return string Javascript code
 */
public static function catedit($page_id, $namespace)
{
  list($script, $markup) = PageUtils::catedit_raw($page_id, $namespace);
  // rawurlencode() output only contains [A-Za-z0-9_.~%-], so it can sit inside the
  // single-quoted JS literal without further escaping; the browser unescape()s it.
  $encoded = rawurlencode($markup);
  return $script . ' /* BEGIN CONTENT */ document.getElementById("ajaxEditContainer").innerHTML = unescape(\'' . $encoded . '\');';
}
/**
 * Does the actual HTML/javascript generation for cat editing, but returns an array.
 * Element 0 is Javascript that fills the client-side `catlist` array (captured from the
 * output buffer); element 1 is the HTML form with one checkbox per category.
 * NOTE(review): the membership query below uses $paths->page_id / $paths->namespace (the
 * page being viewed) while the form action uses the $page_id / $namespace arguments;
 * presumably they are always the same - confirm with the callers.
 * @param $page_id the page ID used for the form action
 * @param $namespace the namespace used for the form action
 * @return array array($javascript, $html)
 * @access private
 */
public static function catedit_raw($page_id, $namespace)
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  global $lang;

  ob_start();
  $_ob = '';
  // Categories the current page is already a member of
  $e = $db->sql_query('SELECT category_id FROM ' . table_prefix.'categories WHERE page_id=\'' . $paths->page_id . '\' AND namespace=\'' . $paths->namespace . '\'');
  if(!$e) jsdie('Error selecting category information for current page: '.$db->get_error());
  $cat_current = Array();
  while($r = $db->fetchrow())
  {
    $cat_current[] = $r;
  }
  $db->free_result();
  // Every page in the Category namespace, as a plain list
  $cat_all = Array();
  foreach ( $paths->pages as $i => $_ )
  {
    if($paths->pages[$i]['namespace']=='Category') $cat_all[] = $paths->pages[$i];
  }

  // Make $cat_all an associative array, like $paths->pages
  // (each category is now present twice: under its numeric index and under its urlname_nons;
  // the sizeof(...)/2 loops below depend on that exact 2:1 layout)
  $sz = sizeof($cat_all);
  for($i=0;$i<$sz;$i++)
  {
    $cat_all[$cat_all[$i]['urlname_nons']] = $cat_all[$i];
  }
  // Now, the "zipper" function - join the list of categories with the list of cats that this page is a part of
  $cat_info = $cat_all;
  for($i=0;$i<sizeof($cat_current);$i++)
  {
    $un = $cat_current[$i]['category_id'];
    // NOTE(review): if a stored category_id no longer has a Category page this creates a
    // fresh entry and breaks the sizeof/2 assumption - verify category deletion cleans up rows
    $cat_info[$un]['member'] = true;
  }
  // Now copy the information we just set into the numerically named keys
  for($i=0;$i<sizeof($cat_info)/2;$i++)
  {
    $un = $cat_info[$i]['urlname_nons'];
    $cat_info[$i] = $cat_info[$un];
  }

  echo 'catlist = new Array();'; // Initialize the client-side category list
  $_ob .= '<h3>' . $lang->get('catedit_title') . '</h3>
<form name="mdgCatForm" action="'.makeUrlNS($namespace, $page_id, 'do=catedit').'" method="post">';
  if ( sizeof($cat_info) < 1 )
  {
    $_ob .= '<p>' . $lang->get('catedit_no_categories') . '</p>';
  }
  for ( $i = 0; $i < sizeof($cat_info) / 2; $i++ )
  {
    // Protection code added 1/3/07
    // Updated 3/4/07
    // A checkbox is rendered disabled when the user may not edit this category, or when the
    // category is protected and the user lacks even_when_protected on it.
    $is_prot = false;
    $perms = $session->fetch_page_acl($cat_info[$i]['urlname_nons'], 'Category');
    if ( !$session->get_permissions('edit_cat') || !$perms->get_permissions('edit_cat') ||
      ( $cat_info[$i]['really_protected'] && !$perms->get_permissions('even_when_protected') ) )
      $is_prot = true;
    $prot = ( $is_prot ) ? ' disabled="disabled" ' : '';
    $prottext = ( $is_prot ) ? ' <img alt="(protected)" width="16" height="16" src="'.scriptPath.'/images/lock16.png" />' : '';
    // NOTE(review): urlname_nons goes into a JS string literal and HTML attributes, and
    // name into element text, without escaping here; this relies on those values having
    // been sanitized when the category page was created - confirm before trusting it.
    echo 'catlist[' . $i . '] = \'' . $cat_info[$i]['urlname_nons'] . '\';';
    $_ob .= '<span class="catCheck"><input ' . $prot . ' name="' . $cat_info[$i]['urlname_nons'] . '" id="mdgCat_' . $cat_info[$i]['urlname_nons'] . '" type="checkbox"';
    if(isset($cat_info[$i]['member'])) $_ob .= ' checked="checked"';
    $_ob .= '/> <label for="mdgCat_' . $cat_info[$i]['urlname_nons'] . '">' . $cat_info[$i]['name'].$prottext.'</label></span><br />';
  }

  // Nothing to save when there are no categories at all
  $disabled = ( sizeof($cat_info) < 1 ) ? 'disabled="disabled"' : '';

  $_ob .= '<div style="border-top: 1px solid #CCC; padding-top: 5px; margin-top: 10px;"><input name="__enanoSaveButton" ' . $disabled . ' style="font-weight: bold;" type="submit" onclick="ajaxCatSave(); return false;" value="' . $lang->get('etc_save_changes') . '" /> <input name="__enanoCatCancel" type="submit" onclick="ajaxReset(); return false;" value="' . $lang->get('etc_cancel') . '" /></div></form>';

  // Everything echo'd above is the Javascript half; $_ob is the HTML half
  $cont = ob_get_contents();
  ob_end_clean();
  return Array($cont, $_ob);
}
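/**
 * Saves category information.
 * WARNING: If $which_cats is empty, all the category information for the selected page will be nuked
 * (except memberships in categories the caller is not allowed to edit, which are preserved as-is)!
 * @param $page_id string the page ID
 * @param $namespace string the namespace
 * @param $which_cats array associative array (category urlname => truthy) of categories to put the page in
 * @return string "GOOD" on success, error string on failure
 */
public static function catsave($page_id, $namespace, $which_cats)
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  if(!$session->get_permissions('edit_cat')) return('Insufficient privileges to change category information');

  // $page_id / $namespace arrive from the request; every query below uses the escaped copies.
  $page_id_db = $db->escape($page_id);
  $namespace_db = $db->escape($namespace);
  if ( !is_array($which_cats) )
    $which_cats = array();

  $page_perms = $session->fetch_page_acl($page_id, $namespace);
  $ns_prefix = isset($paths->nslist[$namespace]) ? $paths->nslist[$namespace] : '';
  $page_key = $ns_prefix . $page_id;
  $page_protected = ( isset($paths->pages[$page_key]) && $paths->pages[$page_key]['protected'] == '1' );

  // Every page in the Category namespace
  $cat_all = array();
  foreach ( $paths->pages as $key => $_ )
  {
    if ( $paths->pages[$key]['namespace'] == 'Category' )
      $cat_all[] = $paths->pages[$key];
  }

  // Current memberships, fetched once and keyed by category_id. The old code re-ran this
  // query per category AND forgot the category_id condition, so a page that was in any
  // category was treated as being in every category the user could not edit.
  $q = $db->sql_query('SELECT category_id FROM ' . table_prefix . "categories WHERE page_id='$page_id_db' AND namespace='$namespace_db';");
  if ( !$q )
    return 'MySQL error: ' . $db->get_error();
  $current = array();
  while ( $row = $db->fetchrow() )
  {
    $current[$row['category_id']] = true;
  }
  $db->free_result();

  $rowlist = array();
  foreach ( $cat_all as $cat )
  {
    $cat_id = $cat['urlname_nons'];
    $perms = $session->fetch_page_acl($cat_id, 'Category');
    // The user may change this membership only if they can edit the category, are not
    // blocked by category protection, and are not blocked by protection on the page itself.
    $auth = $perms->get_permissions('edit_cat')
         && !( !empty($cat['really_protected']) && !$perms->get_permissions('even_when_protected') )
         && !( $page_protected && !$page_perms->get_permissions('even_when_protected') );

    if ( $auth )
    {
      $wanted = !empty($which_cats[$cat_id]);
    }
    else
    {
      // Not allowed to touch this category: force it to stay in its current state
      $wanted = isset($current[$cat_id]);
    }

    if ( $wanted )
      $rowlist[] = '(\'' . $page_id_db . '\', \'' . $namespace_db . '\', \'' . $db->escape($cat_id) . '\')';
  }

  // NOTE(review): delete + insert is not wrapped in a transaction, so a failed insert leaves
  // the page with no categories at all.
  $e = $db->sql_query('DELETE FROM ' . table_prefix . "categories WHERE page_id='$page_id_db' AND namespace='$namespace_db';");
  if(!$e) $db->_die('The old category data could not be deleted.');

  if ( count($rowlist) > 0 )
  {
    $q = 'INSERT INTO ' . table_prefix . 'categories(page_id,namespace,category_id) VALUES' . implode(',', $rowlist) . ';';
    $e = $db->sql_query($q);
    if(!$e) $db->_die('The new category data could not be inserted.');
  }
  return('GOOD');
}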
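/**
 * Sets the wiki mode level for a page.
 * @param $page_id string the page ID
 * @param $namespace string the namespace
 * @param $level int 0 for off, 1 for on, 2 for use global setting
 * @return string "GOOD" on success, error string on failure
 */
public static function setwikimode($page_id, $namespace, $level)
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  global $cache;

  if(!$session->get_permissions('set_wiki_mode')) return('Insufficient access rights');

  // $level comes from the request. The 'D' modifier keeps '$' from accepting a trailing
  // newline ("1\n" used to pass), and the int cast is what actually reaches the query.
  if ( !isset($level) || !preg_match('#^([0-2]){1}$#D', (string)$level) )
  {
    return('Invalid mode string');
  }
  $level = (int)$level;

  // $page_id / $namespace are request-supplied too, so escape them here rather than trusting the caller
  $q = $db->sql_query('UPDATE ' . table_prefix . 'pages SET wiki_mode=' . $level
                    . ' WHERE urlname=\'' . $db->escape($page_id) . '\' AND namespace=\'' . $db->escape($namespace) . '\';');
  if ( !$q )
  {
    // NOTE(review): this hands the SQL error and backtrace to the (AJAX) caller; consider
    // logging server-side and returning a generic message.
    return('Error during update query: '.$db->get_error()."\n\nSQL Backtrace:\n".$db->sql_backtrace());
  }

  // wiki_mode is part of the cached page metadata; purge so the change is visible at once
  $cache->purge('page_meta');
  return('GOOD');
}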
/**
+ − 1588
* Sets the access password for a page.
+ − 1589
* @param $page_id string the page ID
+ − 1590
* @param $namespace string the namespace
+ − 1591
* @param $pass string the SHA1 hash of the password - if the password doesn't match the regex ^([0-9a-f]*){40,40}$ it will be sha1'ed
+ − 1592
* @return string
+ − 1593
*/
+ − 1594
372
5bd429428101
A number of scattered changes. Profiler added and only enabled in debug mode (currently on), but awfully useful for fixing performance in the future. Started work on Admin:LangManager
Dan
diff
changeset
+ − 1595
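public static function setpass($page_id, $namespace, $pass)
{
    global $db, $session, $paths, $template, $plugins; // Common objects
    global $lang, $cache;

    // Determine permissions: resetting an existing password is a separate
    // right from setting one on a page that has none yet.
    if ( $paths->pages[$paths->nslist[$namespace] . $page_id]['password'] != '' )
        $a = $session->get_permissions('password_reset');
    else
        $a = $session->get_permissions('password_set');
    if ( !$a )
        return $lang->get('etc_access_denied');
    if ( !isset($pass) )
        return('Password was not set on URL');

    // Accept a value verbatim only when the WHOLE string is a 40-char lowercase
    // hex digest. The pattern is anchored on purpose: an unanchored match would
    // let any text that merely contains 40 hex characters through unhashed and
    // straight into the SQL literal below.
    $p = $pass;
    if ( !preg_match('#^[0-9a-f]{40}$#', $p) )
    {
        $p = sha1($p);
    }
    // sha1('') = da39a3ee5e6b4b0d3255bfef95601890afd80709: an empty password
    // clears protection instead of storing the digest of the empty string.
    if ( $p === 'da39a3ee5e6b4b0d3255bfef95601890afd80709' )
        $p = '';

    // $p is now '' or a hex digest, but page_id/namespace are caller-supplied:
    // escape them the same way the ACL editor in this file does.
    $e = $db->sql_query('UPDATE ' . table_prefix . 'pages SET password=\'' . $p . '\' WHERE urlname=\'' . $db->escape($page_id) . '\' AND namespace=\'' . $db->escape($namespace) . '\';');
    if ( !$e )
    {
        // Report like the sibling wiki-mode setter does instead of die()ing mid-request.
        return('PageUtils::setpass(): Error during update query: ' . $db->get_error() . "\n\nSQL Backtrace:\n" . $db->sql_backtrace());
    }
    $cache->purge('page_meta');

    // Is the new password blank?
    if ( $p === '' )
    {
        return $lang->get('ajax_password_disable_success');
    }
    return $lang->get('ajax_password_success');
}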
/**
* Generates some preview HTML
* @param $text string the wikitext to use
* @return string
*/
public static function genPreview($text)
{
    global $lang;

    // Header blurb followed by the opening tag of the scrollable preview box.
    $blurb = '<div class="info-box">' . $lang->get('editor_preview_blurb') . '</div>';
    $box_open = '<div style="background-color: #F8F8F8; padding: 10px; border: 1px dashed #406080; max-height: 250px; overflow: auto; margin: 10px 0;">';

    // Run the wikitext through the same preprocess/render pipeline as a saved page.
    $rendered = RenderMan::render(RenderMan::preprocess_text($text, false, false));

    // NOTE(review): the rendered markup is executed with eval(), presumably
    // because the renderer emits PHP for template hooks. Whether editor-supplied
    // text can reach eval() un-neutralised is decided inside RenderMan — confirm.
    ob_start();
    eval('?>' . $rendered);
    $body = ob_get_clean();

    return $blurb . $box_open . $body . '</div>';
}
/**
* Makes a scrollable box
* @param string $text the inner HTML
* @param int $height Optional - the maximum height. Defaults to 250.
* @return string
*/
public static function scrollBox($text, $height = 250)
{
    // $text is documented as inner HTML and is emitted untouched; the height is
    // forced to an integer so it cannot break out of the style attribute.
    $px = intval($height);
    $style = 'background-color: #F8F8F8; padding: 10px; border: 1px dashed #406080; max-height: ' . $px . 'px; overflow: auto; margin: 1em 0 1em 1em;';
    return '<div style="' . $style . '">' . $text . '</div>';
}
/**
* Generates a diff summary between two page revisions.
* @param $page_id the page ID
* @param $namespace the namespace
* @param $id1 the log ID of the first revision (if no log row matches, the value is retried as a time ID)
* @param $id2 the log ID of the second revision (if no log row matches, the value is retried as a time ID)
* @return string XHTML-formatted diff
*/
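public static function pagediff($page_id, $namespace, $id1, $id2)
{
    global $db, $session, $paths, $template, $plugins; // Common objects
    global $lang;

    if ( !$session->get_permissions('history_view') )
        return $lang->get('etc_access_denied');

    // The revision IDs are spliced into SQL as bare integers, so they must be digits only.
    if ( !preg_match('#^([0-9]+)$#', (string)$id1) ||
         !preg_match('#^([0-9]+)$#', (string)$id2 ) )
        return 'SQL injection attempt';
    // OK we made it through security.
    // page_id/namespace go into quoted literals: escape them like the ACL editor in this file does.
    $page_id_esc = $db->escape($page_id);
    $namespace_esc = $db->escape($namespace);

    // Safest way to make sure we don't end up with the revisions in wrong columns is to make 2 queries.
    // Callers may hand us either a log_id or a time_id: look up by log_id first, then fall back to time_id.
    $row1 = false;
    $row2 = false;
    foreach ( array('log_id', 'time_id') as $id_col )
    {
        $select = 'SELECT time_id,page_text,char_tag,author,edit_summary FROM ' . table_prefix . 'logs WHERE ' . $id_col . ' = ';
        $where_tail = ' AND log_type=\'page\' AND action=\'edit\' AND page_id=\'' . $page_id_esc . '\' AND namespace=\'' . $namespace_esc . '\';';

        if ( !$q1 = $db->sql_query($select . $id1 . $where_tail) )
            return 'MySQL error: ' . $db->get_error();
        $row1 = $db->fetchrow($q1);
        $db->free_result($q1);

        if ( !$q2 = $db->sql_query($select . $id2 . $where_tail) )
            return 'MySQL error: ' . $db->get_error();
        $row2 = $db->fetchrow($q2);
        $db->free_result($q2);

        // Both rows found: no need to retry with the other column. (The previous
        // sizeof()-based test counted a false "no row" result as 1 and so never
        // noticed a missing first row.)
        if ( $row1 && $row2 )
            break;
    }
    if ( !$row1 || !$row2 )
        return 'Couldn\'t find any rows that matched the query. The time ID probably doesn\'t exist in the logs table.';

    $text1 = $row1['page_text'];
    $text2 = $row2['page_text'];
    $time1 = enano_date('F d, Y h:i a', $row1['time_id']);
    $time2 = enano_date('F d, Y h:i a', $row2['time_id']);
    $_ob = "
<p>" . $lang->get('history_lbl_comparingrevisions') . " {$time1} → {$time2}</p>
";
    // Free some memory
    unset($row1, $row2, $q1, $q2);

    // RenderMan::diff produces the XHTML diff body from the two raw page texts.
    $_ob .= RenderMan::diff($text1, $text2);
    return $_ob;
}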
/**
* Gets ACL information about the selected page for target type X and target ID Y.
* @param array $parms What to select. This is an array purely for JSON compatibility. It should be an associative array with keys target_type and target_id.
* @return array
*/
public static function acl_editor($parms = Array())
{
global $db, $session, $paths, $template, $plugins; // Common objects
global $lang;
if(!$session->get_permissions('edit_acl') && ( $session->user_level < USER_LEVEL_ADMIN || !defined('ACL_ALWAYS_ALLOW_ADMIN_EDIT_ACL')) )
{
return Array(
'mode' => 'error',
'error' => $lang->get('acl_err_access_denied')
);
}
if ( !$session->sid_super )
{
return Array(
'mode' => 'error',
'error' => $lang->get('etc_access_denied_need_reauth')
);
}
$parms['page_id'] = ( isset($parms['page_id']) ) ? $parms['page_id'] : false;
$parms['namespace'] = ( isset($parms['namespace']) ) ? $parms['namespace'] : false;
$page_id =& $parms['page_id'];
$namespace =& $parms['namespace'];
$page_where_clause = ( empty($page_id) || empty($namespace) ) ? 'AND a.page_id IS NULL AND a.namespace IS NULL' : 'AND a.page_id=\'' . $db->escape($page_id) . '\' AND a.namespace=\'' . $db->escape($namespace) . '\'';
$page_where_clause_lite = ( empty($page_id) || empty($namespace) ) ? 'AND page_id IS NULL AND namespace IS NULL' : 'AND page_id=\'' . $db->escape($page_id) . '\' AND namespace=\'' . $db->escape($namespace) . '\'';
//die(print_r($page_id,true));
$template->load_theme();
// $perms_obj = $session->fetch_page_acl($page_id, $namespace);
$perms_obj =& $session;
$return = Array();
if ( !file_exists(ENANO_ROOT . '/themes/' . $session->theme . '/acledit.tpl') )
{
return Array(
'mode' => 'error',
'error' => $lang->get('acl_err_missing_template'),
);
}
$return['template'] = $template->extract_vars('acledit.tpl');
$return['page_id'] = $page_id;
$return['namespace'] = $namespace;
if(isset($parms['mode']))
{
switch($parms['mode'])
{
case 'listgroups':
$return['groups'] = Array();
$q = $db->sql_query('SELECT group_id,group_name FROM ' . table_prefix.'groups ORDER BY group_name ASC;');
while($row = $db->fetchrow())
{
$return['groups'][] = Array(
'id' => $row['group_id'],
'name' => $row['group_name'],
);
}
$db->free_result();
$return['page_groups'] = Array();
$q = $db->sql_query('SELECT pg_id,pg_name FROM ' . table_prefix.'page_groups ORDER BY pg_name ASC;');
if ( !$q )
return Array(
'mode' => 'error',
'error' => $db->get_error()
);
while ( $row = $db->fetchrow() )
{
$return['page_groups'][] = Array(
'id' => $row['pg_id'],
'name' => $row['pg_name']
);
}
break;
case 'seltarget_id':
if ( !is_int($parms['target_id']) )
{
return Array(
'mode' => 'error',
'error' => 'Expected parameter target_id type int'
);
}
$q = $db->sql_query('SELECT target_id, target_type, page_id, namespace, rules FROM ' . table_prefix . "acl WHERE rule_id = {$parms['target_id']};");
if ( !$q )
return Array(
'mode' => 'error',
'error' => $db->get_error()
);
if ( $db->numrows() < 1 )
return Array(
'mode' => 'error',
'error' => "No rule with ID {$parms['target_id']} found"
);
$parms = $db->fetchrow();
$db->free_result();
// regenerate page selection
$parms['page_id'] = ( isset($parms['page_id']) ) ? $parms['page_id'] : false;
$parms['namespace'] = ( isset($parms['namespace']) ) ? $parms['namespace'] : false;
$parms['mode'] = 'seltarget_id';
$page_id =& $parms['page_id'];
$namespace =& $parms['namespace'];
$page_where_clause = ( empty($page_id) || empty($namespace) ) ? 'AND a.page_id IS NULL AND a.namespace IS NULL' : 'AND a.page_id=\'' . $db->escape($page_id) . '\' AND a.namespace=\'' . $db->escape($namespace) . '\'';
$page_where_clause_lite = ( empty($page_id) || empty($namespace) ) ? 'AND page_id IS NULL AND namespace IS NULL' : 'AND page_id=\'' . $db->escape($page_id) . '\' AND namespace=\'' . $db->escape($namespace) . '\'';
$return['page_id'] = $parms['page_id'];
$return['namespace'] = $parms['namespace'];
// From here, let the seltarget handler take over
case 'seltarget':
$return['mode'] = 'seltarget';
$return['acl_types'] = $perms_obj->acl_types;
$return['acl_deps'] = $perms_obj->acl_deps;
$return['acl_descs'] = $perms_obj->acl_descs;
$return['target_type'] = $parms['target_type'];
$return['target_id'] = $parms['target_id'];
switch($parms['target_type'])
{
case ACL_TYPE_USER:
$user_col = ( $parms['mode'] == 'seltarget_id' ) ? 'user_id' : 'username';
$q = $db->sql_query('SELECT a.rules,u.user_id,u.username FROM ' . table_prefix.'users AS u
LEFT JOIN ' . table_prefix.'acl AS a
ON a.target_id=u.user_id
WHERE a.target_type='.ACL_TYPE_USER.'
AND u.' . $user_col . ' = \'' . $db->escape($parms['target_id']) . '\'
' . $page_where_clause . ';');
if(!$q)
return(Array('mode'=>'error','error'=>$db->get_error()));
if($db->numrows() < 1)
{
$return['type'] = 'new';
$q = $db->sql_query('SELECT user_id,username FROM ' . table_prefix.'users WHERE username=\'' . $db->escape($parms['target_id']) . '\';');
if(!$q)
return(Array('mode'=>'error','error'=>$db->get_error()));
if($db->numrows() < 1)
return Array('mode'=>'error','error'=>$lang->get('acl_err_user_not_found'),'debug' => $db->sql_backtrace());
$row = $db->fetchrow();
$return['target_name'] = $row['username'];
$return['target_id'] = intval($row['user_id']);
$return['current_perms'] = array();
}
else
{
$return['type'] = 'edit';
$row = $db->fetchrow();
$return['target_name'] = $row['username'];
$return['target_id'] = intval($row['user_id']);
$return['current_perms'] = $session->string_to_perm($row['rules']);
}
$db->free_result();
// Eliminate types that don't apply to this namespace
if ( $namespace && $namespace != '__PageGroup' )
{
+ − 1871
foreach ( $return['current_perms'] AS $i => $perm )
+ − 1872
{
+ − 1873
if ( ( $page_id != null && $namespace != null ) && ( !in_array ( $namespace, $session->acl_scope[$i] ) && !in_array('All', $session->acl_scope[$i]) ) )
+ − 1874
{
+ − 1875
// echo "// SCOPE CONTROL: eliminating: $i\n";
+ − 1876
unset($return['current_perms'][$i]);
+ − 1877
unset($return['acl_types'][$i]);
+ − 1878
unset($return['acl_descs'][$i]);
+ − 1879
unset($return['acl_deps'][$i]);
+ − 1880
}
+ − 1881
}
+ − 1882
}
+ − 1883
break;
+ − 1884
case ACL_TYPE_GROUP:
$q = $db->sql_query('SELECT a.rules,g.group_name,g.group_id FROM ' . table_prefix.'groups AS g
LEFT JOIN ' . table_prefix.'acl AS a
ON a.target_id=g.group_id
+ − 1888
WHERE a.target_type='.ACL_TYPE_GROUP.'
+ − 1889
AND g.group_id=\''.intval($parms['target_id']).'\'
' . $page_where_clause . ';');
if(!$q)
return(Array('mode'=>'error','error'=>$db->get_error()));
if($db->numrows() < 1)
+ − 1894
{
+ − 1895
$return['type'] = 'new';
$q = $db->sql_query('SELECT group_id,group_name FROM ' . table_prefix.'groups WHERE group_id=\''.intval($parms['target_id']).'\';');
if(!$q)
return(Array('mode'=>'error','error'=>$db->get_error()));
if($db->numrows() < 1)
return Array('mode'=>'error','error'=>$lang->get('acl_err_bad_group_id'));
$row = $db->fetchrow();
+ − 1902
$return['target_name'] = $row['group_name'];
+ − 1903
$return['target_id'] = intval($row['group_id']);
$return['current_perms'] = array();
}
+ − 1906
else
+ − 1907
{
+ − 1908
$return['type'] = 'edit';
+ − 1909
$row = $db->fetchrow();
+ − 1910
$return['target_name'] = $row['group_name'];
+ − 1911
$return['target_id'] = intval($row['group_id']);
$return['current_perms'] = $session->string_to_perm($row['rules']);
}
+ − 1914
$db->free_result();
+ − 1915
// Eliminate types that don't apply to this namespace
if ( $namespace && $namespace != '__PageGroup' )
{
+ − 1918
foreach ( $return['current_perms'] AS $i => $perm )
+ − 1919
{
+ − 1920
if ( ( $page_id != false && $namespace != false ) && ( !in_array ( $namespace, $session->acl_scope[$i] ) && !in_array('All', $session->acl_scope[$i]) ) )
+ − 1921
{
+ − 1922
// echo "// SCOPE CONTROL: eliminating: $i\n"; //; ".print_r($namespace,true).":".print_r($page_id,true)."\n";
+ − 1923
unset($return['current_perms'][$i]);
+ − 1924
unset($return['acl_types'][$i]);
+ − 1925
unset($return['acl_descs'][$i]);
+ − 1926
unset($return['acl_deps'][$i]);
+ − 1927
}
+ − 1928
}
+ − 1929
}
+ − 1930
//return Array('mode'=>'debug','text'=>print_r($return, true));
+ − 1931
break;
+ − 1932
default:
+ − 1933
return Array('mode'=>'error','error','Invalid ACL type ID');
+ − 1934
break;
+ − 1935
}
+ − 1936
return $return;
+ − 1937
break;
+ − 1938
case 'save_new':
+ − 1939
case 'save_edit':
if ( defined('ENANO_DEMO_MODE') )
{
return Array('mode'=>'error','error'=>$lang->get('acl_err_demo'));
}
$q = $db->sql_query('DELETE FROM ' . table_prefix.'acl WHERE target_type='.intval($parms['target_type']).' AND target_id='.intval($parms['target_id']).'
' . $page_where_clause_lite . ';');
if(!$q)
return Array('mode'=>'error','error'=>$db->get_error());
if ( sizeof ( $parms['perms'] ) < 1 )
{
// As of 1.1.x, this returns success because the rule length is zero if the user selected "inherit" in all columns
return Array(
'mode' => 'success',
'target_type' => $parms['target_type'],
'target_id' => $parms['target_id'],
'target_name' => $parms['target_name'],
'page_id' => $page_id,
'namespace' => $namespace,
);
}
$rules = $session->perm_to_string($parms['perms']);
$q = ($page_id && $namespace) ? 'INSERT INTO ' . table_prefix.'acl ( target_type, target_id, page_id, namespace, rules )
VALUES( '.intval($parms['target_type']).', '.intval($parms['target_id']).', \'' . $db->escape($page_id) . '\', \'' . $db->escape($namespace) . '\', \'' . $db->escape($rules) . '\' )' :
'INSERT INTO ' . table_prefix.'acl ( target_type, target_id, rules )
VALUES( '.intval($parms['target_type']).', '.intval($parms['target_id']).', \'' . $db->escape($rules) . '\' )';
if(!$db->sql_query($q)) return Array('mode'=>'error','error'=>$db->get_error());
return Array(
+ − 1967
'mode' => 'success',
+ − 1968
'target_type' => $parms['target_type'],
+ − 1969
'target_id' => $parms['target_id'],
+ − 1970
'target_name' => $parms['target_name'],
+ − 1971
'page_id' => $page_id,
+ − 1972
'namespace' => $namespace,
+ − 1973
);
+ − 1974
break;
+ − 1975
case 'delete':
if ( defined('ENANO_DEMO_MODE') )
{
return Array('mode'=>'error','error'=>$lang->get('acl_err_demo'));
}
$sql = 'DELETE FROM ' . table_prefix.'acl WHERE target_type='.intval($parms['target_type']).' AND target_id='.intval($parms['target_id']).'
+ − 1981
' . $page_where_clause_lite . ';';
+ − 1982
$q = $db->sql_query($sql);
if(!$q)
return Array('mode'=>'error','error'=>$db->get_error());
return Array(
+ − 1986
'mode' => 'delete',
+ − 1987
'target_type' => $parms['target_type'],
+ − 1988
'target_id' => $parms['target_id'],
+ − 1989
'target_name' => $parms['target_name'],
+ − 1990
'page_id' => $page_id,
+ − 1991
'namespace' => $namespace,
+ − 1992
);
+ − 1993
break;
case 'list_existing':
$return = array(
+ − 1997
'mode' => 'list_existing',
+ − 1998
'key' => acl_list_draw_key(),
+ − 1999
'rules' => array()
+ − 2000
);
$q = $db->sql_query("SELECT a.rule_id, u.username, g.group_name, a.target_type, a.target_id, a.page_id, a.namespace, a.rules, p.pg_name\n"
+ − 2003
. " FROM " . table_prefix . "acl AS a\n"
+ − 2004
. " LEFT JOIN " . table_prefix . "users AS u\n"
+ − 2005
. " ON ( (a.target_type = " . ACL_TYPE_USER . " AND a.target_id = u.user_id) OR (u.user_id IS NULL) )\n"
+ − 2006
. " LEFT JOIN " . table_prefix . "groups AS g\n"
+ − 2007
. " ON ( (a.target_type = " . ACL_TYPE_GROUP . " AND a.target_id = g.group_id) OR (g.group_id IS NULL) )\n"
+ − 2008
. " LEFT JOIN " . table_prefix . "page_groups as p\n"
+ − 2009
. " ON ( (a.namespace = '__PageGroup' AND a.page_id = p.pg_id) OR (p.pg_id IS NULL) )\n"
. " WHERE ( a.target_type = " . ACL_TYPE_USER . " OR a.target_type = " . ACL_TYPE_GROUP . " )\n"
. " GROUP BY a.rule_id\n"
+ − 2012
. " ORDER BY a.target_type ASC, a.rule_id ASC;"
+ − 2013
);
if ( !$q )
+ − 2016
$db->_die();
while ( $row = $db->fetchrow($q) )
+ − 2019
{
+ − 2020
if ( $row['target_type'] == ACL_TYPE_USER && empty($row['username']) )
+ − 2021
{
+ − 2022
// This is only done if we have an ACL affecting a user that doesn't exist.
+ − 2023
// Nice little bit of maintenance to have.
+ − 2024
if ( !$db->sql_query("DELETE FROM " . table_prefix . "acl WHERE rule_id = {$row['rule_id']};") )
+ − 2025
$db->_die();
+ − 2026
continue;
+ − 2027
}
+ − 2028
$score = get_acl_rule_score($row['rules']);
+ − 2029
$deep_limit = ACL_SCALE_MINIMAL_SHADE;
+ − 2030
// Determine background color of cell by score
+ − 2031
if ( $score > 5 )
+ − 2032
{
+ − 2033
// high score, show in green
+ − 2034
$color = 2.5 * $score;
+ − 2035
if ( $color > 255 )
+ − 2036
$color = 255;
+ − 2037
$color = round($color);
+ − 2038
// blend with the colordepth limit
+ − 2039
$color = $deep_limit + ( ( 0xFF - $deep_limit ) - ( ( $color / 0xFF ) * ( 0xFF - $deep_limit ) ) );
+ − 2040
$color = dechex($color);
+ − 2041
$color = "{$color}ff{$color}";
+ − 2042
}
+ − 2043
else if ( $score < -5 )
+ − 2044
{
+ − 2045
// low score, show in red
+ − 2046
$color = 0 - $score;
+ − 2047
$color = 2.5 * $color;
+ − 2048
if ( $color > 255 )
+ − 2049
$color = 255;
+ − 2050
$color = round($color);
+ − 2051
// blend with the colordepth limit
+ − 2052
$color = $deep_limit + ( ( 0xFF - $deep_limit ) - ( ( $color / 0xFF ) * ( 0xFF - $deep_limit ) ) );
+ − 2053
$color = dechex($color);
+ − 2054
$color = "ff{$color}{$color}";
+ − 2055
}
+ − 2056
else
+ − 2057
{
+ − 2058
$color = 'efefef';
+ − 2059
}
// Rate rule textually based on its score
+ − 2062
if ( $score >= 70 )
+ − 2063
$desc = $lang->get('acl_msg_scale_allow');
+ − 2064
else if ( $score >= 50 )
+ − 2065
$desc = $lang->get('acl_msg_scale_mostly_allow');
+ − 2066
else if ( $score >= 25 )
+ − 2067
$desc = $lang->get('acl_msg_scale_some_allow');
+ − 2068
else if ( $score >= -25 )
+ − 2069
$desc = $lang->get('acl_msg_scale_mixed');
+ − 2070
else if ( $score <= -70 )
+ − 2071
$desc = $lang->get('acl_msg_scale_deny');
+ − 2072
else if ( $score <= -50 )
+ − 2073
$desc = $lang->get('acl_msg_scale_mostly_deny');
+ − 2074
else if ( $score <= -25 )
+ − 2075
$desc = $lang->get('acl_msg_scale_some_deny');
// group and user target info
+ − 2078
$info = '';
+ − 2079
if ( $row['target_type'] == ACL_TYPE_USER )
+ − 2080
$info = $lang->get('acl_msg_list_user', array( 'username' => $row['username'] )); // "(User: {$row['username']})";
+ − 2081
else if ( $row['target_type'] == ACL_TYPE_GROUP )
+ − 2082
$info = $lang->get('acl_msg_list_group', array( 'group' => $row['group_name'] ));
// affected pages info
+ − 2085
if ( $row['page_id'] && $row['namespace'] && $row['namespace'] != '__PageGroup' )
+ − 2086
$info .= $lang->get('acl_msg_list_on_page', array( 'page_name' => "{$row['namespace']}:{$row['page_id']}" ));
+ − 2087
else if ( $row['page_id'] && $row['namespace'] && $row['namespace'] == '__PageGroup' )
+ − 2088
$info .= $lang->get('acl_msg_list_on_page_group', array( 'page_group' => $row['pg_name'] ));
+ − 2089
else
+ − 2090
$info .= $lang->get('acl_msg_list_entire_site');
$score_string = $lang->get('acl_msg_list_score', array
+ − 2093
(
+ − 2094
'score' => $score,
+ − 2095
'desc' => $desc,
+ − 2096
'info' => $info
+ − 2097
));
+ − 2098
$return['rules'][] = array(
+ − 2099
'score_string' => $score_string,
+ − 2100
'rule_id' => $row['rule_id'],
+ − 2101
'color' => $color
+ − 2102
);
+ − 2103
}
break;
case 'list_presets':
+ − 2107
$presets = array();
+ − 2108
$q = $db->sql_query('SELECT page_id AS preset_name, rule_id, rules FROM ' . table_prefix . "acl WHERE target_type = " . ACL_TYPE_PRESET . ";");
+ − 2109
if ( !$q )
+ − 2110
$db->die_json();
while ( $row = $db->fetchrow() )
+ − 2113
{
+ − 2114
$row['rules'] = $session->string_to_perm($row['rules']);
+ − 2115
$presets[] = $row;
+ − 2116
}
return array(
+ − 2119
'mode' => 'list_existing',
+ − 2120
'presets' => $presets
+ − 2121
);
+ − 2122
break;
+ − 2123
case 'save_preset':
+ − 2124
if ( empty($parms['preset_name']) )
+ − 2125
{
+ − 2126
return array(
+ − 2127
'mode' => 'error',
+ − 2128
'error' => $lang->get('acl_err_preset_name_empty')
+ − 2129
);
+ − 2130
}
+ − 2131
$preset_name = $db->escape($parms['preset_name']);
+ − 2132
$q = $db->sql_query('DELETE FROM ' . table_prefix . "acl WHERE target_type = " . ACL_TYPE_PRESET . " AND page_id = '$preset_name';");
+ − 2133
if ( !$q )
+ − 2134
$db->die_json();
$perms = $session->perm_to_string($parms['perms']);
+ − 2137
if ( !$perms )
+ − 2138
{
+ − 2139
return array(
+ − 2140
'mode' => 'error',
+ − 2141
'error' => $lang->get('acl_err_preset_is_blank')
+ − 2142
);
+ − 2143
}
$perms = $db->escape($perms);
+ − 2146
$q = $db->sql_query('INSERT INTO ' . table_prefix . "acl(page_id, target_type, rules) VALUES\n"
+ − 2147
. " ( '$preset_name', " . ACL_TYPE_PRESET . ", '$perms' );");
+ − 2148
if ( !$q )
+ − 2149
$db->die_json();
return array(
+ − 2152
'mode' => 'success'
+ − 2153
);
+ − 2154
break;
case 'trace':
+ − 2156
list($targetpid, $targetns) = RenderMan::strToPageID($parms['page']);
try
+ − 2158
{
+ − 2159
$perms = $session->fetch_page_acl_user($parms['user'], $targetpid, $targetns);
+ − 2160
$perm_table = array(
+ − 2161
AUTH_ALLOW => 'acl_lbl_field_allow',
+ − 2162
AUTH_WIKIMODE => 'acl_lbl_field_wikimode',
+ − 2163
AUTH_DISALLOW => 'acl_lbl_field_disallow',
+ − 2164
AUTH_DENY => 'acl_lbl_field_deny'
+ − 2165
);
$return = array(
+ − 2168
'mode' => 'trace',
+ − 2169
'perms' => array()
);
foreach ( $perms->perm_resolve_table as $perm_type => $lookup_data )
+ − 2173
{
+ − 2174
if ( !$session->check_acl_scope($perm_type, $targetns) )
+ − 2175
continue;
$src_l10n = $lang->get($session->acl_inherit_lang_table[$lookup_data['src']], $lookup_data);
+ − 2178
$divclass = preg_replace('/^acl_inherit_/', '', $session->acl_inherit_lang_table[$lookup_data['src']]);
+ − 2179
$perm_string = $lang->get($perm_table[$perms->perms[$perm_type]]);
+ − 2180
$perm_name = $lang->get($session->acl_descs[$perm_type]);
$return['perms'][$perm_type] = array(
+ − 2183
'divclass' => "acl_inherit acl_$divclass",
+ − 2184
'perm_type' => $perm_type,
+ − 2185
'perm_name' => $perm_name,
+ − 2186
'perm_value' => $perm_string,
+ − 2187
'perm_src' => $src_l10n,
'rule_id' => intval($lookup_data['rule_id']),
+ − 2189
'bad_deps' => $perms->acl_check_deps($perm_type, true)
);
+ − 2191
}
// group rules if possible
+ − 2194
$return['groups'] = array();
+ − 2195
foreach ( $return['perms'] as $rule )
+ − 2196
{
+ − 2197
if ( !isset($return['groups'][$rule['rule_id']]) )
+ − 2198
{
+ − 2199
$return['groups'][$rule['rule_id']] = array();
+ − 2200
}
+ − 2201
$return['groups'][$rule['rule_id']][] = $rule['perm_type'];
+ − 2202
}
}
catch ( Exception $e )
{
$return = array(
+ − 2207
'mode' => 'error',
+ − 2208
'error' => $e->getMessage()
+ − 2209
);
}
break;
default:
+ − 2214
return Array('mode'=>'error','error'=>'Hacking attempt');
+ − 2215
break;
+ − 2216
}
+ − 2217
}
+ − 2218
return $return;
+ − 2219
}
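/**
 * Same as PageUtils::acl_editor(), but the parms are a JSON string instead of an array. This also returns a JSON string.
 *
 * The JSON string is client-supplied and therefore untrusted. A document that fails to parse, or that parses to
 * something other than an array, is replaced by an empty parameter set so that acl_editor() always receives an
 * array and can apply its own field validation (it is the layer that rejects unknown modes and bad IDs).
 *
 * @param string $parms Same as PageUtils::acl_editor/$parms, but should be a valid JSON string.
 * @return string JSON encoding of the array returned by PageUtils::acl_editor()
 */
public static function acl_json($parms = '{ }')
{
  try
  {
    $parms = enano_json_decode($parms);
  }
  catch ( Zend_Json_Exception $e )
  {
    // Unparseable input: fall back to "no parameters" rather than aborting the request.
    $parms = array();
  }
  // Syntactically valid JSON can still be a bare scalar or null; acl_editor() indexes $parms
  // as an array, so normalise those to the same fallback as a parse failure.
  if ( !is_array($parms) )
  {
    $parms = array();
  }
  return enano_json_encode(PageUtils::acl_editor($parms));
}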
/**
+ − 2244
* A non-Javascript frontend for the ACL API.
+ − 2245
* @param array The request data, if any, this should be in the format required by PageUtils::acl_editor()
+ − 2246
*/
public static function aclmanager($parms)
{
+ − 2250
global $db, $session, $paths, $template, $plugins; // Common objects
global $lang;
ob_start();
+ − 2253
// Convenience
+ − 2254
$formstart = '<form
+ − 2255
action="' . makeUrl($paths->page, 'do=aclmanager', true) . '"
+ − 2256
method="post" enctype="multipart/form-data"
+ − 2257
onsubmit="if(!submitAuthorized) return false;"
+ − 2258
>';
+ − 2259
$formend = '</form>';
+ − 2260
$parms = PageUtils::acl_preprocess($parms);
+ − 2261
$response = PageUtils::acl_editor($parms);
+ − 2262
$response = PageUtils::acl_postprocess($response);
//die('<pre>' . htmlspecialchars(print_r($response, true)) . '</pre>');
switch($response['mode'])
+ − 2267
{
+ − 2268
case 'debug':
+ − 2269
echo '<pre>' . htmlspecialchars($response['text']) . '</pre>';
+ − 2270
break;
+ − 2271
case 'stage1':
echo '<h3>' . $lang->get('acl_lbl_welcome_title') . '</h3>
+ − 2273
<p>' . $lang->get('acl_lbl_welcome_body') . '</p>';
echo $formstart;
echo '<p><label><input type="radio" name="data[target_type]" value="' . ACL_TYPE_GROUP . '" checked="checked" /> ' . $lang->get('acl_radio_usergroup') . '</label></p>
<p><select name="data[target_id_grp]">';
+ − 2277
foreach ( $response['groups'] as $group )
+ − 2278
{
+ − 2279
echo '<option value="' . $group['id'] . '">' . $group['name'] . '</option>';
+ − 2280
}
// page group selector
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
diff
changeset
+ − 2283
$groupsel = '';
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
diff
changeset
+ − 2284
if ( count($response['page_groups']) > 0 )
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
diff
changeset
+ − 2285
{
219
+ − 2286
$groupsel = '<p><label><input type="radio" name="data[scope]" value="page_group" /> ' . $lang->get('acl_radio_scope_pagegroup') . '</label></p>
103
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
diff
changeset
+ − 2287
<p><select name="data[pg_id]">';
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
diff
changeset
+ − 2288
foreach ( $response['page_groups'] as $grp )
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
diff
changeset
+ − 2289
{
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
diff
changeset
+ − 2290
$groupsel .= '<option value="' . $grp['id'] . '">' . htmlspecialchars($grp['name']) . '</option>';
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
diff
changeset
+ − 2291
}
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
diff
changeset
+ − 2292
$groupsel .= '</select></p>';
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
diff
changeset
+ − 2293
}
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
diff
changeset
+ − 2294
1
+ − 2295
echo '</select></p>
219
+ − 2296
<p><label><input type="radio" name="data[target_type]" value="' . ACL_TYPE_USER . '" /> ' . $lang->get('acl_radio_user') . '</label></p>
1
+ − 2297
<p>' . $template->username_field('data[target_id_user]') . '</p>
219
+ − 2298
<p>' . $lang->get('acl_lbl_scope') . '</p>
+ − 2299
<p><label><input name="data[scope]" value="only_this" type="radio" checked="checked" /> ' . $lang->get('acl_radio_scope_thispage') . '</p>
103
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
diff
changeset
+ − 2300
' . $groupsel . '
219
+ − 2301
<p><label><input name="data[scope]" value="entire_site" type="radio" /> ' . $lang->get('acl_radio_scope_wholesite') . '</p>
1
+ − 2302
<div style="margin: 0 auto 0 0; text-align: right;">
+ − 2303
<input name="data[mode]" value="seltarget" type="hidden" />
322
+ − 2304
<input type="hidden" name="data[page_id]" value="' . $paths->page_id . '" />
1
+ − 2305
<input type="hidden" name="data[namespace]" value="' . $paths->namespace . '" />
219
+ − 2306
<input type="submit" value="' . htmlspecialchars($lang->get('etc_wizard_next')) . '" />
1
+ − 2307
</div>';
+ − 2308
echo $formend;
+ − 2309
break;
+ − 2310
case 'success':
+ − 2311
echo '<div class="info-box">
219
+ − 2312
<b>' . $lang->get('acl_lbl_save_success_title') . '</b><br />
+ − 2313
' . $lang->get('acl_lbl_save_success_body', array( 'target_name' => $response['target_name'] )) . '<br />
1
+ − 2314
' . $formstart . '
+ − 2315
<input type="hidden" name="data[mode]" value="seltarget" />
+ − 2316
<input type="hidden" name="data[target_type]" value="' . $response['target_type'] . '" />
+ − 2317
<input type="hidden" name="data[target_id_user]" value="' . ( ( intval($response['target_type']) == ACL_TYPE_USER ) ? $response['target_name'] : $response['target_id'] ) .'" />
+ − 2318
<input type="hidden" name="data[target_id_grp]" value="' . ( ( intval($response['target_type']) == ACL_TYPE_USER ) ? $response['target_name'] : $response['target_id'] ) .'" />
+ − 2319
<input type="hidden" name="data[scope]" value="' . ( ( $response['page_id'] ) ? 'only_this' : 'entire_site' ) . '" />
+ − 2320
<input type="hidden" name="data[page_id]" value="' . ( ( $response['page_id'] ) ? $response['page_id'] : 'false' ) . '" />
+ − 2321
<input type="hidden" name="data[namespace]" value="' . ( ( $response['namespace'] ) ? $response['namespace'] : 'false' ) . '" />
219
+ − 2322
<input type="submit" value="' . $lang->get('acl_btn_returnto_editor') . '" /> <input type="submit" name="data[act_go_stage1]" value="' . $lang->get('acl_btn_returnto_userscope') . '" />
1
+ − 2323
' . $formend . '
+ − 2324
</div>';
+ − 2325
break;
+ − 2326
case 'delete':
+ − 2327
echo '<div class="info-box">
219
+ − 2328
<b>' . $lang->get('acl_lbl_delete_success_title') . '</b><br />
+ − 2329
' . $lang->get('acl_lbl_delete_success_body', array('target_name' => $response['target_name'])) . '<br />
1
+ − 2330
' . $formstart . '
+ − 2331
<input type="hidden" name="data[mode]" value="seltarget" />
+ − 2332
<input type="hidden" name="data[target_type]" value="' . $response['target_type'] . '" />
+ − 2333
<input type="hidden" name="data[target_id_user]" value="' . ( ( intval($response['target_type']) == ACL_TYPE_USER ) ? $response['target_name'] : $response['target_id'] ) .'" />
+ − 2334
<input type="hidden" name="data[target_id_grp]" value="' . ( ( intval($response['target_type']) == ACL_TYPE_USER ) ? $response['target_name'] : $response['target_id'] ) .'" />
+ − 2335
<input type="hidden" name="data[scope]" value="' . ( ( $response['page_id'] ) ? 'only_this' : 'entire_site' ) . '" />
+ − 2336
<input type="hidden" name="data[page_id]" value="' . ( ( $response['page_id'] ) ? $response['page_id'] : 'false' ) . '" />
+ − 2337
<input type="hidden" name="data[namespace]" value="' . ( ( $response['namespace'] ) ? $response['namespace'] : 'false' ) . '" />
219
+ − 2338
<input type="submit" value="' . $lang->get('acl_btn_returnto_editor') . '" /> <input type="submit" name="data[act_go_stage1]" value="' . $lang->get('acl_btn_returnto_userscope') . '" />
1
+ − 2339
' . $formend . '
+ − 2340
</div>';
+ − 2341
break;
+ − 2342
case 'seltarget':
+ − 2343
if ( $response['type'] == 'edit' )
+ − 2344
{
219
+ − 2345
echo '<h3>' . $lang->get('acl_lbl_editwin_title_edit') . '</h3>';
1
+ − 2346
}
+ − 2347
else
+ − 2348
{
219
+ − 2349
echo '<h3>' . $lang->get('acl_lbl_editwin_title_create') . '</h3>';
1
+ − 2350
}
219
+ − 2351
$type = ( $response['target_type'] == ACL_TYPE_GROUP ) ? $lang->get('acl_target_type_group') : $lang->get('acl_target_type_user');
+ − 2352
$scope = ( $response['page_id'] ) ? ( $response['namespace'] == '__PageGroup' ? $lang->get('acl_scope_type_pagegroup') : $lang->get('acl_scope_type_thispage') ) : $lang->get('acl_scope_type_wholesite');
+ − 2353
$subs = array(
+ − 2354
'target_type' => $type,
+ − 2355
'target' => $response['target_name'],
+ − 2356
'scope_type' => $scope
+ − 2357
);
+ − 2358
echo $lang->get('acl_lbl_editwin_body', $subs);
1
+ − 2359
echo $formstart;
+ − 2360
$parser = $template->makeParserText( $response['template']['acl_field_begin'] );
+ − 2361
echo $parser->run();
+ − 2362
$parser = $template->makeParserText( $response['template']['acl_field_item'] );
+ − 2363
$cls = 'row2';
+ − 2364
foreach ( $response['acl_types'] as $acl_type => $value )
+ − 2365
{
+ − 2366
$vars = Array(
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 2367
'FIELD_INHERIT_CHECKED' => '',
1
+ − 2368
'FIELD_DENY_CHECKED' => '',
+ − 2369
'FIELD_DISALLOW_CHECKED' => '',
+ − 2370
'FIELD_WIKIMODE_CHECKED' => '',
+ − 2371
'FIELD_ALLOW_CHECKED' => '',
+ − 2372
);
+ − 2373
$cls = ( $cls == 'row1' ) ? 'row2' : 'row1';
+ − 2374
$vars['ROW_CLASS'] = $cls;
+ − 2375
+ − 2376
switch ( $response['current_perms'][$acl_type] )
+ − 2377
{
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 2378
case 'i':
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 2379
default:
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 2380
$vars['FIELD_INHERIT_CHECKED'] = 'checked="checked"';
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 2381
break;
1
+ − 2382
case AUTH_ALLOW:
+ − 2383
$vars['FIELD_ALLOW_CHECKED'] = 'checked="checked"';
+ − 2384
break;
+ − 2385
case AUTH_WIKIMODE:
+ − 2386
$vars['FIELD_WIKIMODE_CHECKED'] = 'checked="checked"';
+ − 2387
break;
+ − 2388
case AUTH_DISALLOW:
+ − 2389
$vars['FIELD_DISALLOW_CHECKED'] = 'checked="checked"';
+ − 2390
break;
+ − 2391
case AUTH_DENY:
+ − 2392
$vars['FIELD_DENY_CHECKED'] = 'checked="checked"';
+ − 2393
break;
+ − 2394
}
+ − 2395
$vars['FIELD_NAME'] = 'data[perms][' . $acl_type . ']';
219
+ − 2396
if ( preg_match('/^([a-z0-9_]+)$/', $response['acl_descs'][$acl_type]) )
+ − 2397
{
+ − 2398
$vars['FIELD_DESC'] = $lang->get($response['acl_descs'][$acl_type]);
+ − 2399
}
+ − 2400
else
+ − 2401
{
+ − 2402
$vars['FIELD_DESC'] = $response['acl_descs'][$acl_type];
+ − 2403
}
1
+ − 2404
$parser->assign_vars($vars);
+ − 2405
echo $parser->run();
+ − 2406
}
+ − 2407
$parser = $template->makeParserText( $response['template']['acl_field_end'] );
+ − 2408
echo $parser->run();
+ − 2409
echo '<div style="margin: 10px auto 0 0; text-align: right;">
+ − 2410
<input name="data[mode]" value="save_' . $response['type'] . '" type="hidden" />
+ − 2411
<input type="hidden" name="data[page_id]" value="' . (( $response['page_id'] ) ? $response['page_id'] : 'false') . '" />
+ − 2412
<input type="hidden" name="data[namespace]" value="' . (( $response['namespace'] ) ? $response['namespace'] : 'false') . '" />
+ − 2413
<input type="hidden" name="data[target_type]" value="' . $response['target_type'] . '" />
+ − 2414
<input type="hidden" name="data[target_id]" value="' . $response['target_id'] . '" />
+ − 2415
<input type="hidden" name="data[target_name]" value="' . $response['target_name'] . '" />
219
+ − 2416
' . ( ( $response['type'] == 'edit' ) ? '<input type="submit" value="' . $lang->get('etc_save_changes') . '" /> <input type="submit" name="data[act_delete_rule]" value="' . $lang->get('acl_btn_deleterule') . '" style="color: #AA0000;" onclick="return confirm(\'' . addslashes($lang->get('acl_msg_deleterule_confirm')) . '\');" />' : '<input type="submit" value="' . $lang->get('acl_btn_createrule') . '" />' ) . '
1
+ − 2417
</div>';
+ − 2418
echo $formend;
+ − 2419
break;
+ − 2420
case 'error':
+ − 2421
ob_end_clean();
+ − 2422
die_friendly('Error occurred', '<p>Error returned by permissions API:</p><pre>' . htmlspecialchars($response['error']) . '</pre>');
+ − 2423
break;
+ − 2424
}
+ − 2425
$ret = ob_get_contents();
+ − 2426
ob_end_clean();
+ − 2427
echo
+ − 2428
$template->getHeader() .
+ − 2429
$ret .
+ − 2430
$template->getFooter();
+ − 2431
}
/**
 * Preprocessor to turn the form-submitted data from the ACL editor into something the backend can handle
 * @param array $parms The posted data (the data[] array from the non-JS ACL editor form)
 * @return array
 * @access private
 */
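public static function acl_preprocess($parms)
{
  // Nothing to normalise if the form did not say what it wants.
  if ( !isset($parms['mode']) )
  {
    return $parms;
  }

  switch ( $parms['mode'] )
  {
    case 'seltarget':
      // Who's affected? target_type is posted as a number; the id is taken from whichever
      // widget matches that type (the form posts both, the other one is ignored).
      $parms['target_type'] = isset($parms['target_type']) ? intval($parms['target_type']) : 0;
      if ( $parms['target_type'] == ACL_TYPE_GROUP )
      {
        $parms['target_id'] = isset($parms['target_id_grp']) ? $parms['target_id_grp'] : null;
      }
      else
      {
        $parms['target_id'] = isset($parms['target_id_user']) ? $parms['target_id_user'] : null;
      }
      // Intentional fall-through: target selection needs the same scope handling as a save.

    case 'save_edit':
    case 'save_new':
      // The "delete this rule" submit button overrides the posted mode.
      if ( isset($parms['act_delete_rule']) )
      {
        $parms['mode'] = 'delete';
      }

      // Scope (just this page, a page group, or the entire site?). The save forms do not
      // post 'scope' at all, so every key is read defensively instead of assumed present.
      $scope = isset($parms['scope']) ? $parms['scope'] : '';
      $page_id = isset($parms['page_id']) ? $parms['page_id'] : '';
      $namespace = isset($parms['namespace']) ? $parms['namespace'] : '';

      if ( $scope == 'entire_site' || ( $page_id == 'false' && $namespace == 'false' ) )
      {
        // Site-wide rule: no page binding at all.
        $parms['page_id'] = false;
        $parms['namespace'] = false;
      }
      else if ( $scope == 'page_group' )
      {
        // Page-group rules are addressed as a pseudo-page in the __PageGroup namespace.
        // NOTE(review): pg_id is passed through untouched; acl_editor() (not visible
        // here) must treat it as untrusted request input when it builds queries.
        $parms['page_id'] = isset($parms['pg_id']) ? $parms['pg_id'] : null;
        $parms['namespace'] = '__PageGroup';
      }
      break;
  }

  // The "back to user/scope selection" button restarts the wizard regardless of mode.
  if ( isset($parms['act_go_stage1']) )
  {
    $parms = array(
      'mode' => 'listgroups'
    );
  }

  return $parms;
}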
/**
 * Normalise the backend's reply so aclmanager() always sees a 'mode' key.
 * A reply with no mode but a 'groups' list is the initial group listing
 * (stage1); any other reply without a mode is replaced by an error reply.
 * @param array The response returned by PageUtils::acl_editor()
 * @return array
 * @access private
 */
public static function acl_postprocess($response)
{
  if ( isset($response['mode']) )
  {
    // The backend already said what it is; pass it through untouched.
    return $response;
  }
  if ( isset($response['groups']) )
  {
    $response['mode'] = 'stage1';
    return $response;
  }
  return array(
    'mode' => 'error',
    'error' => 'Invalid action passed by API backend.',
  );
}
}
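/**
 * Generates a graphical key showing how the ACL rule list works: a row of
 * coloured boxes fading from red (deny, -100) through a neutral grey box (0)
 * to green (allow, +100), i.e. the range produced by get_acl_rule_score().
 * ACL_SCALE_MINIMAL_SHADE is the darkest shade used at either end.
 * @return string HTML fragment
 */

function acl_list_draw_key()
{
  $out = '<div style="width: 460px; margin: 0 auto; text-align: center; margin-bottom: 10px;">';
  $out .= '<div style="float: left;">← Deny</div>';
  $out .= '<div style="float: right;">Allow →</div>';
  $out .= 'Neutral';
  $out .= '<div style="clear: both;"></div>';

  // 11 boxes on each side of the center. ceil() returns a float, so cast to keep
  // the loop counter integral; a step of 0 (shade == 0xFF) would never terminate.
  $inc = (int) ceil( ( 0xFF - ACL_SCALE_MINIMAL_SHADE ) / 11 );
  if ( $inc < 1 )
  {
    $inc = 1;
  }

  // Red side: red channel pinned at ff, green/blue climb from the minimal shade towards white.
  for ( $i = ACL_SCALE_MINIMAL_SHADE; $i <= 0xFF; $i += $inc )
  {
    // %02x zero-pads shades below 0x10 so the colour stays a well-formed 6-digit hex value.
    $octet = sprintf('%02x', $i);
    $out .= '<div style="background-color: #ff' . $octet . $octet . '; float: left; width: 20px;"> </div>';
  }

  // Neutral box in the middle.
  $out .= '<div style="background-color: #efefef; float: left; width: 20px;"> </div>';

  // Green side: mirror image, fading from white back down to the minimal shade.
  for ( $i = 0xFF; $i >= ACL_SCALE_MINIMAL_SHADE; $i -= $inc )
  {
    $octet = sprintf('%02x', $i);
    $out .= '<div style="background-color: #' . $octet . 'ff' . $octet . '; float: left; width: 20px;"> </div>';
  }

  $out .= '<div style="clear: both;"></div>';
  $out .= '<div style="float: left;">-100</div>';
  $out .= '<div style="float: right;">+100</div>';
  $out .= '0';
  $out .= '</div>';
  return $out;
}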
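/**
 * Gets the numerical score for the serialized form of an ACL rule.
 *
 * Each permission in the rule contributes +2 (AUTH_ALLOW), +1 (AUTH_WIKIMODE),
 * -1 (AUTH_DISALLOW), -2 (AUTH_DENY) or 0 (anything else, e.g. inherit). The sum
 * is then expressed as a percentage of the best possible score so that rules
 * covering only a few permissions are not dwarfed by broad ones.
 *
 * @param string|array $perms Serialized rule (decoded with $session->string_to_perm())
 *                            or an already-decoded array of per-permission AUTH_* values
 * @return int|float|bool Rounded score in -100..100; 0 for an empty rule; false if
 *                        $perms is neither a string nor an array, or decoding did not
 *                        yield an array
 */

function get_acl_rule_score($perms)
{
  global $db, $session, $paths, $template, $plugins; // Common objects

  if ( is_string($perms) )
  {
    $perms = $session->string_to_perm($perms);
  }
  // Rejects a non-string/non-array argument, and also a string whose decoding
  // returned something other than an array (previously that reached count()).
  if ( !is_array($perms) )
  {
    return false;
  }

  $score = 0;
  foreach ( $perms as $item )
  {
    switch ( $item )
    {
      case AUTH_ALLOW:
        $score += 2;
        break;
      case AUTH_WIKIMODE:
        $score += 1;
        break;
      case AUTH_DISALLOW:
        $score -= 1;
        break;
      case AUTH_DENY:
        $score -= 2;
        break;
      default:
        // inherit / unrecognised value: neutral
        break;
    }
  }

  // this is different from the beta; calculate highest score and
  // get percentage to be fairer to smaller/less broad rules
  $divisor = count($perms) * 2;
  if ( $divisor == 0 )
  {
    // Empty rule: nothing to score, and avoids dividing by zero.
    return 0;
  }
  return round(100 * ( $score / $divisor ));
}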
?>