1
+ − 1
<?php
+ − 2
+ − 3
/*
+ − 4
* Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between
536
+ − 5
* Version 1.1.4 (Caoineag alpha 4)
+ − 6
* Copyright (C) 2006-2008 Dan Fuhry
1
+ − 7
*
+ − 8
* This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License
+ − 9
* as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
+ − 10
*
+ − 11
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied
+ − 12
* warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for details.
+ − 13
*/
+ − 14
+ − 15
/**
+ − 16
* Class that handles comments. Has HTML/Javascript frontend support.
+ − 17
* @package Enano CMS
+ − 18
* @subpackage Comment manager
+ − 19
* @license GNU General Public License <http://www.gnu.org/licenses/gpl.html>
+ − 20
*/
+ − 21
+ − 22
class Comments
+ − 23
{
+ − 24
#
+ − 25
# VARIABLES
+ − 26
#
+ − 27
+ − 28
/**
+ − 29
* Current list of comments.
+ − 30
* @var array
+ − 31
*/
+ − 32
+ − 33
var $comments = Array();
+ − 34
+ − 35
/**
+ − 36
* Object to track permissions.
+ − 37
* @var object
+ − 38
*/
+ − 39
+ − 40
var $perms;
+ − 41
+ − 42
#
+ − 43
# METHODS
+ − 44
#
+ − 45
+ − 46
/**
+ − 47
* Constructor.
+ − 48
* @param string Page ID of the page to load comments for
+ − 49
* @param string Namespace of the page to load comments for
+ − 50
*/
+ − 51
+ − 52
function __construct($page_id, $namespace)
+ − 53
{
+ − 54
global $db, $session, $paths, $template, $plugins; // Common objects
+ − 55
+ − 56
// Initialize permissions
322
+ − 57
if ( $page_id == $paths->page_id && $namespace == $paths->namespace )
1
+ − 58
$this->perms =& $GLOBALS['session'];
+ − 59
else
+ − 60
$this->perms = $session->fetch_page_acl($page_id, $namespace);
+ − 61
+ − 62
$this->page_id = $db->escape($page_id);
+ − 63
$this->namespace = $db->escape($namespace);
+ − 64
}
+ − 65
+ − 66
/**
+ − 67
* Processes a command in JSON format.
+ − 68
* @param string The JSON-encoded input, probably something sent from the Javascript/AJAX frontend
+ − 69
*/
+ − 70
+ − 71
function process_json($json)
+ − 72
{
+ − 73
global $db, $session, $paths, $template, $plugins; // Common objects
541
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 74
global $lang;
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 75
334
c72b545f1304
More localization work. Resolved major issue with JSON parser not parsing files over ~50KB. Switched JSON parser to the one from the Zend Framework (BSD licensed). Forced to split enano.json into five different files.
Dan
diff
changeset
+ − 76
$data = enano_json_decode($json);
78
4df25dfdde63
Modified Text_Wiki parser to fully support UTF-8 strings; several other UTF-8 fixes, international characters seem to work reasonably well now
Dan
diff
changeset
+ − 77
$data = decode_unicode_array($data);
1
+ − 78
if ( !isset($data['mode']) )
+ − 79
{
86
c162ca39db8f
Finished pagination code (was incomplete in previous revision) and added a few hacks for an upcoming theme
Dan
diff
changeset
+ − 80
$ret = Array('mode'=>'error','error'=>'No mode defined!');
334
c72b545f1304
More localization work. Resolved major issue with JSON parser not parsing files over ~50KB. Switched JSON parser to the one from the Zend Framework (BSD licensed). Forced to split enano.json into five different files.
Dan
diff
changeset
+ − 81
echo enano_json_encode($ret);
86
c162ca39db8f
Finished pagination code (was incomplete in previous revision) and added a few hacks for an upcoming theme
Dan
diff
changeset
+ − 82
return $ret;
c162ca39db8f
Finished pagination code (was incomplete in previous revision) and added a few hacks for an upcoming theme
Dan
diff
changeset
+ − 83
}
c162ca39db8f
Finished pagination code (was incomplete in previous revision) and added a few hacks for an upcoming theme
Dan
diff
changeset
+ − 84
if ( getConfig('enable_comments') == '0' )
c162ca39db8f
Finished pagination code (was incomplete in previous revision) and added a few hacks for an upcoming theme
Dan
diff
changeset
+ − 85
{
c162ca39db8f
Finished pagination code (was incomplete in previous revision) and added a few hacks for an upcoming theme
Dan
diff
changeset
+ − 86
$ret = Array('mode'=>'error','error'=>'Comments are not enabled on this site.');
334
c72b545f1304
More localization work. Resolved major issue with JSON parser not parsing files over ~50KB. Switched JSON parser to the one from the Zend Framework (BSD licensed). Forced to split enano.json into five different files.
Dan
diff
changeset
+ − 87
echo enano_json_encode($ret);
86
c162ca39db8f
Finished pagination code (was incomplete in previous revision) and added a few hacks for an upcoming theme
Dan
diff
changeset
+ − 88
return $ret;
1
+ − 89
}
+ − 90
$ret = Array();
+ − 91
$ret['mode'] = $data['mode'];
+ − 92
switch ( $data['mode'] )
+ − 93
{
+ − 94
case 'fetch':
+ − 95
if ( !$template->theme_loaded )
+ − 96
$template->load_theme();
+ − 97
if ( !isset($data['have_template']) )
+ − 98
{
+ − 99
$ret['template'] = file_get_contents(ENANO_ROOT . '/themes/' . $template->theme . '/comment.tpl');
+ − 100
}
621
+ − 101
$q = $db->sql_query('SELECT c.comment_id,c.name,c.subject,c.comment_data,c.time,c.approved,( c.ip_address IS NOT NULL ) AS have_ip,u.user_level,u.user_id,u.email,u.signature,u.user_has_avatar,u.avatar_type, b.buddy_id IS NOT NULL AS is_buddy, ( b.is_friend IS NOT NULL AND b.is_friend=1 ) AS is_friend FROM '.table_prefix.'comments AS c
1
+ − 102
LEFT JOIN '.table_prefix.'users AS u
+ − 103
ON (u.user_id=c.user_id)
108
1c7f59df9474
Implemented some extra functionality for friends/foes in comments; fixed lack of table_prefix in stats.php line 63
Dan
diff
changeset
+ − 104
LEFT JOIN '.table_prefix.'buddies AS b
1c7f59df9474
Implemented some extra functionality for friends/foes in comments; fixed lack of table_prefix in stats.php line 63
Dan
diff
changeset
+ − 105
ON ( ( b.user_id=' . $session->user_id.' AND b.buddy_user_id=c.user_id ) OR b.user_id IS NULL)
541
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 106
LEFT JOIN '.table_prefix.'ranks AS r
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 107
ON ( ( u.user_rank = r.rank_id ) )
1
+ − 108
WHERE page_id=\'' . $this->page_id . '\'
108
1c7f59df9474
Implemented some extra functionality for friends/foes in comments; fixed lack of table_prefix in stats.php line 63
Dan
diff
changeset
+ − 109
AND namespace=\'' . $this->namespace . '\'
621
+ − 110
GROUP BY c.comment_id,c.name,c.subject,c.comment_data,c.time,c.approved,c.ip_address,u.user_level,u.user_id,u.email,u.signature,u.user_has_avatar,u.avatar_type,b.buddy_id,b.is_friend
108
1c7f59df9474
Implemented some extra functionality for friends/foes in comments; fixed lack of table_prefix in stats.php line 63
Dan
diff
changeset
+ − 111
ORDER BY c.time ASC;');
1
+ − 112
$count_appr = 0;
+ − 113
$count_total = 0;
+ − 114
$count_unappr = 0;
+ − 115
$ret['comments'] = Array();
+ − 116
if (!$q)
+ − 117
$db->die_json();
+ − 118
if ( $row = $db->fetchrow() )
+ − 119
{
+ − 120
do {
+ − 121
+ − 122
// Increment counters
+ − 123
$count_total++;
+ − 124
( $row['approved'] == 1 ) ? $count_appr++ : $count_unappr++;
+ − 125
+ − 126
if ( !$this->perms->get_permissions('mod_comments') && $row['approved'] == 0 )
+ − 127
continue;
+ − 128
541
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 129
// Localize the rank
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 130
$row = array_merge($row, $session->get_user_rank(intval($row['user_id'])));
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 131
1
+ − 132
// Send the source
+ − 133
$row['comment_source'] = $row['comment_data'];
+ − 134
+ − 135
// Format text
+ − 136
$row['comment_data'] = RenderMan::render($row['comment_data']);
+ − 137
108
1c7f59df9474
Implemented some extra functionality for friends/foes in comments; fixed lack of table_prefix in stats.php line 63
Dan
diff
changeset
+ − 138
if ( $row['is_buddy'] == 1 && $row['is_friend'] == 0 )
1c7f59df9474
Implemented some extra functionality for friends/foes in comments; fixed lack of table_prefix in stats.php line 63
Dan
diff
changeset
+ − 139
{
1c7f59df9474
Implemented some extra functionality for friends/foes in comments; fixed lack of table_prefix in stats.php line 63
Dan
diff
changeset
+ − 140
$seed = md5(sha1(mt_rand() . microtime()));
1c7f59df9474
Implemented some extra functionality for friends/foes in comments; fixed lack of table_prefix in stats.php line 63
Dan
diff
changeset
+ − 141
$wrapper = '
1c7f59df9474
Implemented some extra functionality for friends/foes in comments; fixed lack of table_prefix in stats.php line 63
Dan
diff
changeset
+ − 142
<div id="posthide_'.$seed.'" style="display: none;">
1c7f59df9474
Implemented some extra functionality for friends/foes in comments; fixed lack of table_prefix in stats.php line 63
Dan
diff
changeset
+ − 143
' . $row['comment_data'] . '
1c7f59df9474
Implemented some extra functionality for friends/foes in comments; fixed lack of table_prefix in stats.php line 63
Dan
diff
changeset
+ − 144
</div>
1c7f59df9474
Implemented some extra functionality for friends/foes in comments; fixed lack of table_prefix in stats.php line 63
Dan
diff
changeset
+ − 145
<p><span style="opacity: 0.4; filter: alpha(opacity=40);">Post from foe hidden.</span> <span style="text-align: right;"><a href="#showpost" onclick="document.getElementById(\'posthide_'.$seed.'\').style.display=\'block\'; this.parentNode.parentNode.parentNode.removeChild(this.parentNode.parentNode); return false;">Display post</a></span></p>
1c7f59df9474
Implemented some extra functionality for friends/foes in comments; fixed lack of table_prefix in stats.php line 63
Dan
diff
changeset
+ − 146
';
1c7f59df9474
Implemented some extra functionality for friends/foes in comments; fixed lack of table_prefix in stats.php line 63
Dan
diff
changeset
+ − 147
$row['comment_data'] = $wrapper;
1c7f59df9474
Implemented some extra functionality for friends/foes in comments; fixed lack of table_prefix in stats.php line 63
Dan
diff
changeset
+ − 148
}
1c7f59df9474
Implemented some extra functionality for friends/foes in comments; fixed lack of table_prefix in stats.php line 63
Dan
diff
changeset
+ − 149
1
+ − 150
// Format date
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 151
$row['time'] = enano_date('F d, Y h:i a', $row['time']);
1
+ − 152
+ − 153
// Format signature
+ − 154
$row['signature'] = ( !empty($row['signature']) ) ? RenderMan::render($row['signature']) : '';
+ − 155
359
+ − 156
// Do we have the IP?
+ − 157
$row['have_ip'] = ( $row['have_ip'] == 1 );
+ − 158
541
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 159
// Avatar URL
621
+ − 160
$row['avatar_path'] = make_avatar_url($row['user_id'], $row['avatar_type'], $row['email']);
541
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 161
1
+ − 162
// Add the comment to the list
+ − 163
$ret['comments'][] = $row;
+ − 164
+ − 165
} while ( $row = $db->fetchrow() );
+ − 166
}
+ − 167
$db->free_result();
+ − 168
$ret['count_appr'] = $count_appr;
+ − 169
$ret['count_total'] = $count_total;
+ − 170
$ret['count_unappr'] = $count_unappr;
+ − 171
$ret['auth_mod_comments'] = $this->perms->get_permissions('mod_comments');
+ − 172
$ret['auth_post_comments'] = $this->perms->get_permissions('post_comments');
+ − 173
$ret['auth_edit_comments'] = $this->perms->get_permissions('edit_comments');
+ − 174
$ret['user_id'] = $session->user_id;
+ − 175
$ret['username'] = $session->username;
+ − 176
$ret['logged_in'] = $session->user_logged_in;
+ − 177
+ − 178
$ret['user_level'] = Array();
+ − 179
$ret['user_level']['guest'] = USER_LEVEL_GUEST;
+ − 180
$ret['user_level']['member'] = USER_LEVEL_MEMBER;
+ − 181
$ret['user_level']['mod'] = USER_LEVEL_MOD;
+ − 182
$ret['user_level']['admin'] = USER_LEVEL_ADMIN;
+ − 183
+ − 184
$ret['approval_needed'] = ( getConfig('approve_comments') == '1' );
+ − 185
$ret['guest_posting'] = getConfig('comments_need_login');
+ − 186
+ − 187
if ( $ret['guest_posting'] == '1' && !$session->user_logged_in )
+ − 188
{
+ − 189
$session->kill_captcha();
+ − 190
$ret['captcha'] = $session->make_captcha();
+ − 191
}
+ − 192
break;
+ − 193
case 'edit':
+ − 194
$cid = (string)$data['id'];
+ − 195
if ( !preg_match('#^([0-9]+)$#i', $cid) || intval($cid) < 1 )
+ − 196
{
+ − 197
echo '{"mode":"error","error":"HACKING ATTEMPT"}';
+ − 198
return false;
+ − 199
}
+ − 200
$cid = intval($cid);
+ − 201
$q = $db->sql_query('SELECT c.user_id,c.approved FROM '.table_prefix.'comments c LEFT JOIN '.table_prefix.'users u ON (u.user_id=c.user_id) WHERE comment_id='.$cid.';');
+ − 202
if(!$q)
+ − 203
$db->die_json();
+ − 204
$row = $db->fetchrow();
+ − 205
$uid = intval($row['user_id']);
+ − 206
$can_edit = ( ( $uid == $session->user_id && $uid != 1 && $this->perms->get_permissions('edit_comments') ) || ( $this->perms->get_permissions('mod_comments') ) );
+ − 207
if(!$can_edit)
+ − 208
{
+ − 209
echo '{"mode":"error","error":"HACKING ATTEMPT"}';
+ − 210
return false;
+ − 211
}
+ − 212
$data['data'] = str_replace("\r", '', $data['data']); // Windows compatibility
+ − 213
$text = RenderMan::preprocess_text($data['data'], true, false);
+ − 214
$text2 = $db->escape($text);
+ − 215
$subj = $db->escape(htmlspecialchars($data['subj']));
+ − 216
$q = $db->sql_query('UPDATE '.table_prefix.'comments SET subject=\'' . $subj . '\',comment_data=\'' . $text2 . '\' WHERE comment_id=' . $cid . ';');
+ − 217
if(!$q)
+ − 218
$db->die_json();
+ − 219
$ret = Array(
+ − 220
'mode' => 'redraw',
+ − 221
'id' => $data['local_id'],
+ − 222
'subj' => htmlspecialchars($data['subj']),
+ − 223
'text' => RenderMan::render($text),
+ − 224
'src' => $text,
+ − 225
'approved' => $row['approved']
+ − 226
);
+ − 227
break;
+ − 228
case 'delete':
+ − 229
$cid = (string)$data['id'];
+ − 230
if ( !preg_match('#^([0-9]+)$#i', $cid) || intval($cid) < 1 )
+ − 231
{
+ − 232
echo '{"mode":"error","error":"HACKING ATTEMPT"}';
+ − 233
return false;
+ − 234
}
+ − 235
$cid = intval($cid);
+ − 236
$q = $db->sql_query('SELECT c.user_id FROM '.table_prefix.'comments c LEFT JOIN '.table_prefix.'users u ON (u.user_id=c.user_id) WHERE comment_id='.$cid.';');
+ − 237
if(!$q)
+ − 238
$db->die_json();
+ − 239
$row = $db->fetchrow();
+ − 240
$uid = intval($row['user_id']);
+ − 241
$can_edit = ( ( $uid == $session->user_id && $uid != 1 && $this->perms->get_permissions('edit_comments') ) || ( $this->perms->get_permissions('mod_comments') ) );
+ − 242
if(!$can_edit)
+ − 243
{
+ − 244
echo '{"mode":"error","error":"HACKING ATTEMPT"}';
+ − 245
return false;
+ − 246
}
+ − 247
$q = $db->sql_query('DELETE FROM '.table_prefix.'comments WHERE comment_id='.$cid.';');
+ − 248
if(!$q)
+ − 249
$db->die_json();
+ − 250
$ret = Array(
+ − 251
'mode' => 'annihilate',
+ − 252
'id' => $data['local_id']
+ − 253
);
+ − 254
break;
+ − 255
case 'submit':
+ − 256
+ − 257
// Now for a huge round of security checks...
+ − 258
+ − 259
$errors = Array();
+ − 260
+ − 261
// Authorization
+ − 262
// Like the rest of the ACL system, this call is a one-stop check for ALL ACL entries.
+ − 263
if ( !$this->perms->get_permissions('post_comments') )
74
68469a95658d
Various bugfixes and cleanups, too much to remember... see the diffs for what got changed :-)
Dan
diff
changeset
+ − 264
$errors[] = 'The site security policy prevents your user account from posting comments;';
1
+ − 265
+ − 266
// Guest authorization
+ − 267
if ( getConfig('comments_need_login') == '2' && !$session->user_logged_in )
+ − 268
$errors[] = 'You need to log in before posting comments.';
+ − 269
+ − 270
// CAPTCHA code
+ − 271
if ( getConfig('comments_need_login') == '1' && !$session->user_logged_in )
+ − 272
{
+ − 273
$real_code = $session->get_captcha($data['captcha_id']);
456
+ − 274
if ( strtolower($real_code) != strtolower($data['captcha_code']) )
1
+ − 275
$errors[] = 'The confirmation code you entered was incorrect.';
263
d57af0b0302e
Major improvements in the security of the CAPTCHA system (no SQL injection or anything like that); fixed denied form submission due to _af_acting on form object wrongly switched to true
Dan
diff
changeset
+ − 276
$session->kill_captcha();
1
+ − 277
}
+ − 278
+ − 279
if ( count($errors) > 0 )
+ − 280
{
+ − 281
$ret = Array(
+ − 282
'mode' => 'error',
+ − 283
'error' => implode("\n", $errors)
+ − 284
);
+ − 285
}
+ − 286
else
+ − 287
{
+ − 288
// We're authorized!
+ − 289
+ − 290
// Preprocess
+ − 291
$name = ( $session->user_logged_in ) ? htmlspecialchars($session->username) : htmlspecialchars($data['name']);
+ − 292
$subj = htmlspecialchars($data['subj']);
+ − 293
$text = RenderMan::preprocess_text($data['text'], true, false);
+ − 294
$src = $text;
+ − 295
$sql_text = $db->escape($text);
+ − 296
$text = RenderMan::render($text);
+ − 297
$appr = ( getConfig('approve_comments') == '1' ) ? '0' : '1';
+ − 298
$time = time();
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 299
$date = enano_date('F d, Y h:i a', $time);
359
+ − 300
$ip = $_SERVER['REMOTE_ADDR'];
+ − 301
if ( !is_valid_ip($ip) )
+ − 302
die('Hacking attempt');
1
+ − 303
+ − 304
// Send it to the database
359
+ − 305
$q = $db->sql_query('INSERT INTO '.table_prefix.'comments(page_id,namespace,name,subject,comment_data,approved, time, user_id, ip_address) VALUES' . "\n " .
+ − 306
"('$this->page_id', '$this->namespace', '$name', '$subj', '$sql_text', $appr, $time, {$session->user_id}, '$ip');");
1
+ − 307
if(!$q)
+ − 308
$db->die_json();
+ − 309
+ − 310
// Re-fetch
621
+ − 311
$q = $db->sql_query('SELECT c.comment_id,c.name,c.subject,c.comment_data,c.time,c.approved,u.user_level,u.user_id,u.email,u.signature,u.user_has_avatar,u.avatar_type FROM '.table_prefix.'comments AS c
1
+ − 312
LEFT JOIN '.table_prefix.'users AS u
+ − 313
ON (u.user_id=c.user_id)
+ − 314
WHERE page_id=\'' . $this->page_id . '\'
+ − 315
AND namespace=\'' . $this->namespace . '\'
+ − 316
AND time='.$time.' ORDER BY comment_id DESC LIMIT 1;');
+ − 317
if(!$q)
+ − 318
$db->die_json();
+ − 319
+ − 320
$row = $db->fetchrow();
+ − 321
$db->free_result();
+ − 322
$row['time'] = $date;
+ − 323
$row['comment_data'] = $text;
+ − 324
$row['comment_source'] = $src;
+ − 325
$ret = Array(
+ − 326
'mode' => 'materialize'
+ − 327
);
+ − 328
$ret = enano_safe_array_merge($ret, $row);
+ − 329
+ − 330
$ret['auth_mod_comments'] = $this->perms->get_permissions('mod_comments');
+ − 331
$ret['auth_post_comments'] = $this->perms->get_permissions('post_comments');
+ − 332
$ret['auth_edit_comments'] = $this->perms->get_permissions('edit_comments');
+ − 333
$ret['user_id'] = $session->user_id;
541
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 334
$ret['rank_data'] = $session->get_user_rank($session->user_id);
1
+ − 335
$ret['username'] = $session->username;
+ − 336
$ret['logged_in'] = $session->user_logged_in;
+ − 337
$ret['signature'] = RenderMan::render($row['signature']);
+ − 338
+ − 339
$ret['user_level_list'] = Array();
+ − 340
$ret['user_level_list']['guest'] = USER_LEVEL_GUEST;
+ − 341
$ret['user_level_list']['member'] = USER_LEVEL_MEMBER;
+ − 342
$ret['user_level_list']['mod'] = USER_LEVEL_MOD;
+ − 343
$ret['user_level_list']['admin'] = USER_LEVEL_ADMIN;
621
+ − 344
$ret['avatar_path'] = make_avatar_url($row['user_id'], $row['avatar_type'], $row['email']);
1
+ − 345
}
+ − 346
+ − 347
break;
+ − 348
case 'approve':
+ − 349
if ( !$this->perms->get_permissions('mod_comments') )
+ − 350
{
+ − 351
$ret = Array(
+ − 352
'mode' => 'error',
+ − 353
'error' => 'You are not authorized to moderate comments.'
+ − 354
);
334
c72b545f1304
More localization work. Resolved major issue with JSON parser not parsing files over ~50KB. Switched JSON parser to the one from the Zend Framework (BSD licensed). Forced to split enano.json into five different files.
Dan
diff
changeset
+ − 355
echo enano_json_encode($ret);
1
+ − 356
return $ret;
+ − 357
}
+ − 358
+ − 359
$cid = (string)$data['id'];
+ − 360
if ( !preg_match('#^([0-9]+)$#i', $cid) || intval($cid) < 1 )
+ − 361
{
+ − 362
echo '{"mode":"error","error":"HACKING ATTEMPT"}';
+ − 363
return false;
+ − 364
}
+ − 365
$cid = intval($cid);
+ − 366
$q = $db->sql_query('SELECT subject,approved FROM '.table_prefix.'comments WHERE comment_id='.$cid.';');
+ − 367
if(!$q || $db->numrows() < 1)
+ − 368
$db->die_json();
+ − 369
$row = $db->fetchrow();
+ − 370
$db->free_result();
+ − 371
$appr = ( $row['approved'] == '1' ) ? '0' : '1';
+ − 372
$q = $db->sql_query('UPDATE '.table_prefix."comments SET approved=$appr WHERE comment_id=$cid;");
+ − 373
if (!$q)
+ − 374
$db->die_json();
+ − 375
+ − 376
$ret = Array(
+ − 377
'mode' => 'redraw',
+ − 378
'approved' => $appr,
+ − 379
'subj' => $row['subject'],
29
e5484a9e0818
Rewrote change theme dialog; a few minor stability fixes here and there; fixed IE + St Patty background image
Dan
diff
changeset
+ − 380
'id' => $data['local_id'],
e5484a9e0818
Rewrote change theme dialog; a few minor stability fixes here and there; fixed IE + St Patty background image
Dan
diff
changeset
+ − 381
'approve_updated' => 'yes'
1
+ − 382
);
+ − 383
+ − 384
break;
359
+ − 385
case 'view_ip':
+ − 386
if ( !$session->get_permissions('mod_comments') )
+ − 387
{
+ − 388
return array(
+ − 389
'mode' => 'error',
+ − 390
'error' => 'Unauthorized'
+ − 391
);
+ − 392
}
+ − 393
// fetch comment info
+ − 394
if ( !is_int($data['id']) )
+ − 395
{
+ − 396
return array(
+ − 397
'mode' => 'error',
+ − 398
'error' => 'Unauthorized'
+ − 399
);
+ − 400
}
+ − 401
$id =& $data['id'];
+ − 402
$q = $db->sql_query('SELECT ip_address, name FROM ' . table_prefix . 'comments WHERE comment_id = ' . $id . ';');
+ − 403
if ( !$q || $db->numrows() < 1 )
+ − 404
{
+ − 405
$db->die_json();
+ − 406
}
+ − 407
list($ip_addr, $name) = $db->fetchrow_num($q);
+ − 408
$db->free_result();
+ − 409
$name = $db->escape($name);
+ − 410
$username = $db->escape($session->username);
+ − 411
// log this action
+ − 412
$q = $db->sql_query('INSERT INTO ' . table_prefix . "logs(time_id, log_type, action, page_text, author, edit_summary) VALUES\n "
+ − 413
. "( " . time() . ", 'security', 'view_comment_ip', '$name', '$username', '{$_SERVER['REMOTE_ADDR']}' );");
+ − 414
if ( !$q )
+ − 415
$db->die_json();
+ − 416
+ − 417
// send packet
+ − 418
$ret = array(
+ − 419
'mode' => 'redraw',
+ − 420
'ip_addr' => $ip_addr,
+ − 421
'local_id' => $data['local_id']
+ − 422
);
+ − 423
break;
1
+ − 424
default:
+ − 425
$ret = Array(
+ − 426
'mode' => 'error',
+ − 427
'error' => $data['mode'] . ' is not a valid request mode'
+ − 428
);
+ − 429
break;
+ − 430
}
334
c72b545f1304
More localization work. Resolved major issue with JSON parser not parsing files over ~50KB. Switched JSON parser to the one from the Zend Framework (BSD licensed). Forced to split enano.json into five different files.
Dan
diff
changeset
+ − 431
echo enano_json_encode($ret);
1
+ − 432
return $ret;
+ − 433
}
+ − 434
+ − 435
} // class Comments
+ − 436