ajax.php
author Dan
Sat, 07 Jun 2008 12:40:29 -0400
changeset 558 fd082123f2f4
parent 555 ac4c6a7f01d8
child 592 27377179fe58
permissions -rw-r--r--
Fixed some GD detection bugs with freecap
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
321
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
     1
<?php
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
     2
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
     3
/*
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
     4
 * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between
536
218a627eb53e Rebrand as 1.1.4 (Caoineag alpha 4)
Dan
parents: 481
diff changeset
     5
 * Version 1.1.4 (Caoineag alpha 4)
218a627eb53e Rebrand as 1.1.4 (Caoineag alpha 4)
Dan
parents: 481
diff changeset
     6
 * Copyright (C) 2006-2008 Dan Fuhry
321
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
     7
 *
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
     8
 * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
     9
 * as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    10
 *
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    11
 * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    12
 * warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for details.
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    13
 */
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    14
 
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    15
  define('ENANO_INTERFACE_AJAX', '');
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    16
 
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    17
  // fillusername should be done without the help of the rest of Enano - all we need is the DBAL
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    18
  if ( isset($_GET['_mode']) && $_GET['_mode'] == 'fillusername' )
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    19
  {
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    20
    // setup and load a very basic, specialized instance of the Enano API
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    21
    function microtime_float()
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    22
    {
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    23
      list($usec, $sec) = explode(" ", microtime());
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    24
      return ((float)$usec + (float)$sec);
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    25
    }
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    26
    // Determine directory (special case for development servers)
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    27
    if ( strpos(__FILE__, '/repo/') && file_exists('.enanodev') )
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    28
    {
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    29
      $filename = str_replace('/repo/', '/', __FILE__);
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    30
    }
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    31
    else
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    32
    {
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    33
      $filename = __FILE__;
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    34
    }
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    35
    define('ENANO_ROOT', dirname($filename));
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    36
    require(ENANO_ROOT.'/includes/functions.php');
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    37
    require(ENANO_ROOT.'/includes/dbal.php');
335
67bd3121a12e Replaced TinyMCE 2.x with 3.0 beta 3. Supports everything but IE. Also rewrote the editor interface completely from the ground up.
Dan
parents: 334
diff changeset
    38
    require(ENANO_ROOT.'/includes/json2.php');
321
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    39
    
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    40
    require(ENANO_ROOT . '/config.php');
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    41
    unset($dbuser, $dbpasswd);
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    42
    if ( !isset($dbdriver) )
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    43
      $dbdriver = 'mysql';
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    44
    
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    45
    $db = new $dbdriver();
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    46
    
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    47
    $db->connect();
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    48
    
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    49
    // result is sent using JSON
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    50
    $return = Array(
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    51
        'mode' => 'success',
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    52
        'users_real' => Array()
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    53
      );
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    54
    
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    55
    // should be connected to the DB now
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    56
    $name = (isset($_GET['name'])) ? $db->escape($_GET['name']) : false;
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    57
    if ( !$name )
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    58
    {
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    59
      $return = array(
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    60
        'mode' => 'error',
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    61
        'error' => 'Invalid URI'
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    62
      );
334
c72b545f1304 More localization work. Resolved major issue with JSON parser not parsing files over ~50KB. Switched JSON parser to the one from the Zend Framework (BSD licensed). Forced to split enano.json into five different files.
Dan
parents: 326
diff changeset
    63
      die( enano_json_encode($return) );
321
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    64
    }
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    65
    $allowanon = ( isset($_GET['allowanon']) && $_GET['allowanon'] == '1' ) ? '' : ' AND user_id > 1';
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    66
    $q = $db->sql_query('SELECT username FROM '.table_prefix.'users WHERE ' . ENANO_SQLFUNC_LOWERCASE . '(username) LIKE ' . ENANO_SQLFUNC_LOWERCASE . '(\'%'.$name.'%\')' . $allowanon . ' ORDER BY username ASC;');
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    67
    if ( !$q )
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    68
    {
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    69
      $db->die_json();
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    70
    }
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    71
    $i = 0;
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    72
    while($r = $db->fetchrow())
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    73
    {
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    74
      $return['users_real'][] = $r['username'];
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    75
      $i++;
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    76
    }
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    77
    $db->free_result();
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    78
    
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    79
    // all done! :-)
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    80
    $db->close();
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    81
    
334
c72b545f1304 More localization work. Resolved major issue with JSON parser not parsing files over ~50KB. Switched JSON parser to the one from the Zend Framework (BSD licensed). Forced to split enano.json into five different files.
Dan
parents: 326
diff changeset
    82
    echo enano_json_encode( $return );
321
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    83
    
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    84
    exit;
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    85
  }
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    86
 
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    87
  require('includes/common.php');
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    88
  
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    89
  global $db, $session, $paths, $template, $plugins; // Common objects
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    90
  if(!isset($_GET['_mode'])) die('This script cannot be accessed directly.');
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    91
  
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    92
  $_ob = '';
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    93
  
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    94
  switch($_GET['_mode']) {
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    95
    case "checkusername":
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    96
      echo PageUtils::checkusername($_GET['name']);
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    97
      break;
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
    98
    case "getsource":
413
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
    99
      header('Content-type: text/plain');
324
16d0c9f33466 Merging in a few stray changes from the MySQL branch
Dan
parents: 322 321
diff changeset
   100
      $password = ( isset($_GET['pagepass']) ) ? $_GET['pagepass'] : false;
408
7ecbe721217c Modified editor and rename functions to go through the API when rolling back. This causes rollbacks to be logged.
Dan
parents: 387
diff changeset
   101
      $revid = ( isset($_GET['revid']) ) ? intval($_GET['revid']) : 0;
7ecbe721217c Modified editor and rename functions to go through the API when rolling back. This causes rollbacks to be logged.
Dan
parents: 387
diff changeset
   102
      $page = new PageProcessor($paths->page_id, $paths->namespace, $revid);
324
16d0c9f33466 Merging in a few stray changes from the MySQL branch
Dan
parents: 322 321
diff changeset
   103
      $page->password = $password;
413
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   104
      $have_draft = false;
324
16d0c9f33466 Merging in a few stray changes from the MySQL branch
Dan
parents: 322 321
diff changeset
   105
      if ( $src = $page->fetch_source() )
16d0c9f33466 Merging in a few stray changes from the MySQL branch
Dan
parents: 322 321
diff changeset
   106
      {
335
67bd3121a12e Replaced TinyMCE 2.x with 3.0 beta 3. Supports everything but IE. Also rewrote the editor interface completely from the ground up.
Dan
parents: 334
diff changeset
   107
        $allowed = true;
417
b76ebe229548 Edit summary should now be carried over when a draft is restored
Dan
parents: 416
diff changeset
   108
        $q = $db->sql_query('SELECT author, time_id, page_text, edit_summary FROM ' . table_prefix . 'logs WHERE log_type = \'page\' AND action = \'edit\'
413
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   109
                               AND page_id = \'' . $db->escape($paths->page_id) . '\'
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   110
                               AND namespace = \'' . $db->escape($paths->namespace) . '\'
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   111
                               AND is_draft = 1;');
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   112
        if ( !$q )
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   113
          $db->die_json();
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   114
        
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   115
        if ( $db->numrows() > 0 )
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   116
        {
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   117
          $have_draft = true;
419
b8b4e38825db Unsuccessful attempt at fixing "dismiss"/"close manager" buttons in ACL editor; non-breaking change to template API to allow plugins to add "normal" sidebar widgets in addition to the special "raw" block type, specified as the third parameter to $template->sidebar_widget(). Defaults to false, which is old behavior; new behavior (enabled by passing TRUE as the 3rd param) means that the content of the block is primarily block-level links.
Dan
parents: 417
diff changeset
   118
          $draft_row = $db->fetchrow($q);
413
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   119
        }
324
16d0c9f33466 Merging in a few stray changes from the MySQL branch
Dan
parents: 322 321
diff changeset
   120
      }
325
e17cc42d77cf Fixed: $paths->page_id not set when the page doesn't exist; finally fixed garbled page names for IP addresses
Dan
parents: 324
diff changeset
   121
      else if ( $src !== false )
e17cc42d77cf Fixed: $paths->page_id not set when the page doesn't exist; finally fixed garbled page names for IP addresses
Dan
parents: 324
diff changeset
   122
      {
335
67bd3121a12e Replaced TinyMCE 2.x with 3.0 beta 3. Supports everything but IE. Also rewrote the editor interface completely from the ground up.
Dan
parents: 334
diff changeset
   123
        $allowed = true;
67bd3121a12e Replaced TinyMCE 2.x with 3.0 beta 3. Supports everything but IE. Also rewrote the editor interface completely from the ground up.
Dan
parents: 334
diff changeset
   124
        $src = '';
325
e17cc42d77cf Fixed: $paths->page_id not set when the page doesn't exist; finally fixed garbled page names for IP addresses
Dan
parents: 324
diff changeset
   125
      }
324
16d0c9f33466 Merging in a few stray changes from the MySQL branch
Dan
parents: 322 321
diff changeset
   126
      else
16d0c9f33466 Merging in a few stray changes from the MySQL branch
Dan
parents: 322 321
diff changeset
   127
      {
335
67bd3121a12e Replaced TinyMCE 2.x with 3.0 beta 3. Supports everything but IE. Also rewrote the editor interface completely from the ground up.
Dan
parents: 334
diff changeset
   128
        $allowed = false;
67bd3121a12e Replaced TinyMCE 2.x with 3.0 beta 3. Supports everything but IE. Also rewrote the editor interface completely from the ground up.
Dan
parents: 334
diff changeset
   129
        $src = '';
324
16d0c9f33466 Merging in a few stray changes from the MySQL branch
Dan
parents: 322 321
diff changeset
   130
      }
336
bfa2e9c23f03 Added ability to require CAPTCHA for guests when editing pages (AJAX INTERFACE ONLY)
Dan
parents: 335
diff changeset
   131
      
bfa2e9c23f03 Added ability to require CAPTCHA for guests when editing pages (AJAX INTERFACE ONLY)
Dan
parents: 335
diff changeset
   132
      $auth_edit = ( $session->get_permissions('edit_page') && ( $session->get_permissions('even_when_protected') || !$paths->page_protected ) );
387
92664d2efab8 Rebranded source code as 1.1.1; added TinyMCE ACL rule as per Vadi's request: http://forum.enanocms.org/viewtopic.php?f=7&t=54
Dan
parents: 378
diff changeset
   133
      $auth_wysiwyg = ( $session->get_permissions('edit_wysiwyg') );
336
bfa2e9c23f03 Added ability to require CAPTCHA for guests when editing pages (AJAX INTERFACE ONLY)
Dan
parents: 335
diff changeset
   134
      
335
67bd3121a12e Replaced TinyMCE 2.x with 3.0 beta 3. Supports everything but IE. Also rewrote the editor interface completely from the ground up.
Dan
parents: 334
diff changeset
   135
      $return = array(
67bd3121a12e Replaced TinyMCE 2.x with 3.0 beta 3. Supports everything but IE. Also rewrote the editor interface completely from the ground up.
Dan
parents: 334
diff changeset
   136
          'mode' => 'editor',
67bd3121a12e Replaced TinyMCE 2.x with 3.0 beta 3. Supports everything but IE. Also rewrote the editor interface completely from the ground up.
Dan
parents: 334
diff changeset
   137
          'src' => $src,
67bd3121a12e Replaced TinyMCE 2.x with 3.0 beta 3. Supports everything but IE. Also rewrote the editor interface completely from the ground up.
Dan
parents: 334
diff changeset
   138
          'auth_view_source' => $allowed,
336
bfa2e9c23f03 Added ability to require CAPTCHA for guests when editing pages (AJAX INTERFACE ONLY)
Dan
parents: 335
diff changeset
   139
          'auth_edit' => $auth_edit,
bfa2e9c23f03 Added ability to require CAPTCHA for guests when editing pages (AJAX INTERFACE ONLY)
Dan
parents: 335
diff changeset
   140
          'time' => time(),
bfa2e9c23f03 Added ability to require CAPTCHA for guests when editing pages (AJAX INTERFACE ONLY)
Dan
parents: 335
diff changeset
   141
          'require_captcha' => false,
408
7ecbe721217c Modified editor and rename functions to go through the API when rolling back. This causes rollbacks to be logged.
Dan
parents: 387
diff changeset
   142
          'allow_wysiwyg' => $auth_wysiwyg,
413
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   143
          'revid' => $revid,
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   144
          'have_draft' => false
335
67bd3121a12e Replaced TinyMCE 2.x with 3.0 beta 3. Supports everything but IE. Also rewrote the editor interface completely from the ground up.
Dan
parents: 334
diff changeset
   145
        );
336
bfa2e9c23f03 Added ability to require CAPTCHA for guests when editing pages (AJAX INTERFACE ONLY)
Dan
parents: 335
diff changeset
   146
      
413
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   147
      if ( $have_draft )
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   148
      {
419
b8b4e38825db Unsuccessful attempt at fixing "dismiss"/"close manager" buttons in ACL editor; non-breaking change to template API to allow plugins to add "normal" sidebar widgets in addition to the special "raw" block type, specified as the third parameter to $template->sidebar_widget(). Defaults to false, which is old behavior; new behavior (enabled by passing TRUE as the 3rd param) means that the content of the block is primarily block-level links.
Dan
parents: 417
diff changeset
   149
        $row =& $draft_row;
413
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   150
        $return['have_draft'] = true;
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   151
        $return['draft_author'] = $row['author'];
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   152
        $return['draft_time'] = enano_date('d M Y h:i a', intval($row['time_id']));
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   153
        if ( isset($_GET['get_draft']) && @$_GET['get_draft'] === '1' )
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   154
        {
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   155
          $return['src'] = $row['page_text'];
417
b76ebe229548 Edit summary should now be carried over when a draft is restored
Dan
parents: 416
diff changeset
   156
          $return['edit_summary'] = $row['edit_summary'];
413
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   157
        }
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   158
      }
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   159
      
468
194a19711346 Fixed the fact that cron just didn't work at all (brain fart that day or something)
Dan
parents: 419
diff changeset
   160
      $return['undo_info'] = array();
194a19711346 Fixed the fact that cron just didn't work at all (brain fart that day or something)
Dan
parents: 419
diff changeset
   161
      
408
7ecbe721217c Modified editor and rename functions to go through the API when rolling back. This causes rollbacks to be logged.
Dan
parents: 387
diff changeset
   162
      if ( $revid > 0 )
7ecbe721217c Modified editor and rename functions to go through the API when rolling back. This causes rollbacks to be logged.
Dan
parents: 387
diff changeset
   163
      {
7ecbe721217c Modified editor and rename functions to go through the API when rolling back. This causes rollbacks to be logged.
Dan
parents: 387
diff changeset
   164
        // Retrieve information about this revision and the current one
7ecbe721217c Modified editor and rename functions to go through the API when rolling back. This causes rollbacks to be logged.
Dan
parents: 387
diff changeset
   165
        $q = $db->sql_query('SELECT l1.author AS currentrev_author, l2.author AS oldrev_author FROM ' . table_prefix . 'logs AS l1
7ecbe721217c Modified editor and rename functions to go through the API when rolling back. This causes rollbacks to be logged.
Dan
parents: 387
diff changeset
   166
  LEFT JOIN ' . table_prefix . 'logs AS l2
468
194a19711346 Fixed the fact that cron just didn't work at all (brain fart that day or something)
Dan
parents: 419
diff changeset
   167
    ON ( l2.log_id = ' . $revid . '
408
7ecbe721217c Modified editor and rename functions to go through the API when rolling back. This causes rollbacks to be logged.
Dan
parents: 387
diff changeset
   168
         AND l2.log_type  = \'page\'
7ecbe721217c Modified editor and rename functions to go through the API when rolling back. This causes rollbacks to be logged.
Dan
parents: 387
diff changeset
   169
         AND l2.action    = \'edit\'
413
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   170
         AND l2.page_id   = \'' . $db->escape($paths->page_id)   . '\'
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   171
         AND l2.namespace = \'' . $db->escape($paths->namespace) . '\'
468
194a19711346 Fixed the fact that cron just didn't work at all (brain fart that day or something)
Dan
parents: 419
diff changeset
   172
         AND l2.is_draft != 1
408
7ecbe721217c Modified editor and rename functions to go through the API when rolling back. This causes rollbacks to be logged.
Dan
parents: 387
diff changeset
   173
        )
7ecbe721217c Modified editor and rename functions to go through the API when rolling back. This causes rollbacks to be logged.
Dan
parents: 387
diff changeset
   174
  WHERE l1.log_type  = \'page\'
7ecbe721217c Modified editor and rename functions to go through the API when rolling back. This causes rollbacks to be logged.
Dan
parents: 387
diff changeset
   175
    AND l1.action    = \'edit\'
413
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   176
    AND l1.page_id   = \'' . $db->escape($paths->page_id)   . '\'
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   177
    AND l1.namespace = \'' . $db->escape($paths->namespace) . '\'
468
194a19711346 Fixed the fact that cron just didn't work at all (brain fart that day or something)
Dan
parents: 419
diff changeset
   178
    AND l1.time_id   > ' . $page->revision_time . '
194a19711346 Fixed the fact that cron just didn't work at all (brain fart that day or something)
Dan
parents: 419
diff changeset
   179
    AND l1.is_draft != 1
408
7ecbe721217c Modified editor and rename functions to go through the API when rolling back. This causes rollbacks to be logged.
Dan
parents: 387
diff changeset
   180
  ORDER BY l1.time_id DESC;');
7ecbe721217c Modified editor and rename functions to go through the API when rolling back. This causes rollbacks to be logged.
Dan
parents: 387
diff changeset
   181
        if ( !$q )
7ecbe721217c Modified editor and rename functions to go through the API when rolling back. This causes rollbacks to be logged.
Dan
parents: 387
diff changeset
   182
          $db->die_json();
7ecbe721217c Modified editor and rename functions to go through the API when rolling back. This causes rollbacks to be logged.
Dan
parents: 387
diff changeset
   183
        
468
194a19711346 Fixed the fact that cron just didn't work at all (brain fart that day or something)
Dan
parents: 419
diff changeset
   184
        if ( $db->numrows() > 0 )
413
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   185
        {
468
194a19711346 Fixed the fact that cron just didn't work at all (brain fart that day or something)
Dan
parents: 419
diff changeset
   186
          $rev_count = $db->numrows() - 1;
194a19711346 Fixed the fact that cron just didn't work at all (brain fart that day or something)
Dan
parents: 419
diff changeset
   187
          if ( $rev_count == -1 )
194a19711346 Fixed the fact that cron just didn't work at all (brain fart that day or something)
Dan
parents: 419
diff changeset
   188
          {
194a19711346 Fixed the fact that cron just didn't work at all (brain fart that day or something)
Dan
parents: 419
diff changeset
   189
            $return = array(
194a19711346 Fixed the fact that cron just didn't work at all (brain fart that day or something)
Dan
parents: 419
diff changeset
   190
                'mode' => 'error',
194a19711346 Fixed the fact that cron just didn't work at all (brain fart that day or something)
Dan
parents: 419
diff changeset
   191
                'error' => '[Internal] No rows returned by revision info query. SQL:<pre>' . $db->latest_query . '</pre>'
194a19711346 Fixed the fact that cron just didn't work at all (brain fart that day or something)
Dan
parents: 419
diff changeset
   192
              );
194a19711346 Fixed the fact that cron just didn't work at all (brain fart that day or something)
Dan
parents: 419
diff changeset
   193
          }
194a19711346 Fixed the fact that cron just didn't work at all (brain fart that day or something)
Dan
parents: 419
diff changeset
   194
          else
194a19711346 Fixed the fact that cron just didn't work at all (brain fart that day or something)
Dan
parents: 419
diff changeset
   195
          {
194a19711346 Fixed the fact that cron just didn't work at all (brain fart that day or something)
Dan
parents: 419
diff changeset
   196
            $row = $db->fetchrow();
194a19711346 Fixed the fact that cron just didn't work at all (brain fart that day or something)
Dan
parents: 419
diff changeset
   197
            $return['undo_info'] = array(
194a19711346 Fixed the fact that cron just didn't work at all (brain fart that day or something)
Dan
parents: 419
diff changeset
   198
              'old_author'     => $row['oldrev_author'],
194a19711346 Fixed the fact that cron just didn't work at all (brain fart that day or something)
Dan
parents: 419
diff changeset
   199
              'current_author' => $row['currentrev_author'],
194a19711346 Fixed the fact that cron just didn't work at all (brain fart that day or something)
Dan
parents: 419
diff changeset
   200
              'undo_count'     => $rev_count
413
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   201
            );
468
194a19711346 Fixed the fact that cron just didn't work at all (brain fart that day or something)
Dan
parents: 419
diff changeset
   202
          }
413
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   203
        }
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   204
        else
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   205
        {
468
194a19711346 Fixed the fact that cron just didn't work at all (brain fart that day or something)
Dan
parents: 419
diff changeset
   206
          $return['revid'] = $revid = 0;
413
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   207
        }
408
7ecbe721217c Modified editor and rename functions to go through the API when rolling back. This causes rollbacks to be logged.
Dan
parents: 387
diff changeset
   208
      }
7ecbe721217c Modified editor and rename functions to go through the API when rolling back. This causes rollbacks to be logged.
Dan
parents: 387
diff changeset
   209
      
336
bfa2e9c23f03 Added ability to require CAPTCHA for guests when editing pages (AJAX INTERFACE ONLY)
Dan
parents: 335
diff changeset
   210
      if ( $auth_edit && !$session->user_logged_in && getConfig('guest_edit_require_captcha') == '1' )
bfa2e9c23f03 Added ability to require CAPTCHA for guests when editing pages (AJAX INTERFACE ONLY)
Dan
parents: 335
diff changeset
   211
      {
bfa2e9c23f03 Added ability to require CAPTCHA for guests when editing pages (AJAX INTERFACE ONLY)
Dan
parents: 335
diff changeset
   212
        $return['require_captcha'] = true;
bfa2e9c23f03 Added ability to require CAPTCHA for guests when editing pages (AJAX INTERFACE ONLY)
Dan
parents: 335
diff changeset
   213
        $return['captcha_id'] = $session->make_captcha();
bfa2e9c23f03 Added ability to require CAPTCHA for guests when editing pages (AJAX INTERFACE ONLY)
Dan
parents: 335
diff changeset
   214
      }
bfa2e9c23f03 Added ability to require CAPTCHA for guests when editing pages (AJAX INTERFACE ONLY)
Dan
parents: 335
diff changeset
   215
      
413
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   216
      $template->load_theme();
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   217
      $return['toolbar_templates'] = $template->extract_vars('toolbar.tpl');
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   218
      
335
67bd3121a12e Replaced TinyMCE 2.x with 3.0 beta 3. Supports everything but IE. Also rewrote the editor interface completely from the ground up.
Dan
parents: 334
diff changeset
   219
      echo enano_json_encode($return);
321
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   220
      break;
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   221
    case "getpage":
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   222
      // echo PageUtils::getpage($paths->page, false, ( (isset($_GET['oldid'])) ? $_GET['oldid'] : false ));
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   223
      $revision_id = ( (isset($_GET['oldid'])) ? intval($_GET['oldid']) : 0 );
324
16d0c9f33466 Merging in a few stray changes from the MySQL branch
Dan
parents: 322 321
diff changeset
   224
      $page = new PageProcessor( $paths->page_id, $paths->namespace, $revision_id );
321
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   225
      
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   226
      $pagepass = ( isset($_REQUEST['pagepass']) ) ? $_REQUEST['pagepass'] : '';
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   227
      $page->password = $pagepass;
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   228
            
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   229
      $page->send();
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   230
      break;
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   231
    case "savepage":
468
194a19711346 Fixed the fact that cron just didn't work at all (brain fart that day or something)
Dan
parents: 419
diff changeset
   232
      /* **** OBSOLETE **** */
321
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   233
      $summ = ( isset($_POST['summary']) ) ? $_POST['summary'] : '';
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   234
      $minor = isset($_POST['minor']);
324
16d0c9f33466 Merging in a few stray changes from the MySQL branch
Dan
parents: 322 321
diff changeset
   235
      $e = PageUtils::savepage($paths->page_id, $paths->namespace, $_POST['text'], $summ, $minor);
413
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   236
      if ( $e == 'good' )
321
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   237
      {
324
16d0c9f33466 Merging in a few stray changes from the MySQL branch
Dan
parents: 322 321
diff changeset
   238
        $page = new PageProcessor($paths->page_id, $paths->namespace);
321
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   239
        $page->send();
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   240
      }
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   241
      else
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   242
      {
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   243
        echo '<p>Error saving the page: '.$e.'</p>';
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   244
      }
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   245
      break;
335
67bd3121a12e Replaced TinyMCE 2.x with 3.0 beta 3. Supports everything but IE. Also rewrote the editor interface completely from the ground up.
Dan
parents: 334
diff changeset
   246
    case "savepage_json":
67bd3121a12e Replaced TinyMCE 2.x with 3.0 beta 3. Supports everything but IE. Also rewrote the editor interface completely from the ground up.
Dan
parents: 334
diff changeset
   247
      header('Content-type: application/json');
67bd3121a12e Replaced TinyMCE 2.x with 3.0 beta 3. Supports everything but IE. Also rewrote the editor interface completely from the ground up.
Dan
parents: 334
diff changeset
   248
      if ( !isset($_POST['r']) )
550
685e839d934e Added ability to delete the draft revision; [SECURITY] fixed lack of permission check on draft save; renamed messagebox() constructor to MessageBox() (backward compat. maintained)
Dan
parents: 536
diff changeset
   249
        die('Invalid request');
335
67bd3121a12e Replaced TinyMCE 2.x with 3.0 beta 3. Supports everything but IE. Also rewrote the editor interface completely from the ground up.
Dan
parents: 334
diff changeset
   250
      
67bd3121a12e Replaced TinyMCE 2.x with 3.0 beta 3. Supports everything but IE. Also rewrote the editor interface completely from the ground up.
Dan
parents: 334
diff changeset
   251
      $request = enano_json_decode($_POST['r']);
413
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   252
      if ( !isset($request['src']) || !isset($request['summary']) || !isset($request['minor_edit']) || !isset($request['time']) || !isset($request['draft']) )
550
685e839d934e Added ability to delete the draft revision; [SECURITY] fixed lack of permission check on draft save; renamed messagebox() constructor to MessageBox() (backward compat. maintained)
Dan
parents: 536
diff changeset
   253
        die('Invalid request');
335
67bd3121a12e Replaced TinyMCE 2.x with 3.0 beta 3. Supports everything but IE. Also rewrote the editor interface completely from the ground up.
Dan
parents: 334
diff changeset
   254
      
67bd3121a12e Replaced TinyMCE 2.x with 3.0 beta 3. Supports everything but IE. Also rewrote the editor interface completely from the ground up.
Dan
parents: 334
diff changeset
   255
      $time = intval($request['time']);
67bd3121a12e Replaced TinyMCE 2.x with 3.0 beta 3. Supports everything but IE. Also rewrote the editor interface completely from the ground up.
Dan
parents: 334
diff changeset
   256
      
413
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   257
      if ( $request['draft'] )
336
bfa2e9c23f03 Added ability to require CAPTCHA for guests when editing pages (AJAX INTERFACE ONLY)
Dan
parents: 335
diff changeset
   258
      {
413
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   259
        //
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   260
        // The user wants to save a draft version of the page.
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   261
        //
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   262
        
550
685e839d934e Added ability to delete the draft revision; [SECURITY] fixed lack of permission check on draft save; renamed messagebox() constructor to MessageBox() (backward compat. maintained)
Dan
parents: 536
diff changeset
   263
        // Validate permissions
685e839d934e Added ability to delete the draft revision; [SECURITY] fixed lack of permission check on draft save; renamed messagebox() constructor to MessageBox() (backward compat. maintained)
Dan
parents: 536
diff changeset
   264
        if ( !$session->get_permissions('edit_page') )
685e839d934e Added ability to delete the draft revision; [SECURITY] fixed lack of permission check on draft save; renamed messagebox() constructor to MessageBox() (backward compat. maintained)
Dan
parents: 536
diff changeset
   265
        {
685e839d934e Added ability to delete the draft revision; [SECURITY] fixed lack of permission check on draft save; renamed messagebox() constructor to MessageBox() (backward compat. maintained)
Dan
parents: 536
diff changeset
   266
          $return = array(
685e839d934e Added ability to delete the draft revision; [SECURITY] fixed lack of permission check on draft save; renamed messagebox() constructor to MessageBox() (backward compat. maintained)
Dan
parents: 536
diff changeset
   267
            'mode' => 'error',
685e839d934e Added ability to delete the draft revision; [SECURITY] fixed lack of permission check on draft save; renamed messagebox() constructor to MessageBox() (backward compat. maintained)
Dan
parents: 536
diff changeset
   268
            'error' => 'access_denied'
335
67bd3121a12e Replaced TinyMCE 2.x with 3.0 beta 3. Supports everything but IE. Also rewrote the editor interface completely from the ground up.
Dan
parents: 334
diff changeset
   269
          );
550
685e839d934e Added ability to delete the draft revision; [SECURITY] fixed lack of permission check on draft save; renamed messagebox() constructor to MessageBox() (backward compat. maintained)
Dan
parents: 536
diff changeset
   270
        }
685e839d934e Added ability to delete the draft revision; [SECURITY] fixed lack of permission check on draft save; renamed messagebox() constructor to MessageBox() (backward compat. maintained)
Dan
parents: 536
diff changeset
   271
        else
685e839d934e Added ability to delete the draft revision; [SECURITY] fixed lack of permission check on draft save; renamed messagebox() constructor to MessageBox() (backward compat. maintained)
Dan
parents: 536
diff changeset
   272
        {
685e839d934e Added ability to delete the draft revision; [SECURITY] fixed lack of permission check on draft save; renamed messagebox() constructor to MessageBox() (backward compat. maintained)
Dan
parents: 536
diff changeset
   273
          // Delete any draft copies if they exist
685e839d934e Added ability to delete the draft revision; [SECURITY] fixed lack of permission check on draft save; renamed messagebox() constructor to MessageBox() (backward compat. maintained)
Dan
parents: 536
diff changeset
   274
          $q = $db->sql_query('DELETE FROM ' . table_prefix . 'logs WHERE log_type = \'page\' AND action = \'edit\'
685e839d934e Added ability to delete the draft revision; [SECURITY] fixed lack of permission check on draft save; renamed messagebox() constructor to MessageBox() (backward compat. maintained)
Dan
parents: 536
diff changeset
   275
                                 AND page_id = \'' . $db->escape($paths->page_id) . '\'
685e839d934e Added ability to delete the draft revision; [SECURITY] fixed lack of permission check on draft save; renamed messagebox() constructor to MessageBox() (backward compat. maintained)
Dan
parents: 536
diff changeset
   276
                                 AND namespace = \'' . $db->escape($paths->namespace) . '\'
685e839d934e Added ability to delete the draft revision; [SECURITY] fixed lack of permission check on draft save; renamed messagebox() constructor to MessageBox() (backward compat. maintained)
Dan
parents: 536
diff changeset
   277
                                 AND is_draft = 1;');
685e839d934e Added ability to delete the draft revision; [SECURITY] fixed lack of permission check on draft save; renamed messagebox() constructor to MessageBox() (backward compat. maintained)
Dan
parents: 536
diff changeset
   278
          if ( !$q )
685e839d934e Added ability to delete the draft revision; [SECURITY] fixed lack of permission check on draft save; renamed messagebox() constructor to MessageBox() (backward compat. maintained)
Dan
parents: 536
diff changeset
   279
            $db->die_json();
685e839d934e Added ability to delete the draft revision; [SECURITY] fixed lack of permission check on draft save; renamed messagebox() constructor to MessageBox() (backward compat. maintained)
Dan
parents: 536
diff changeset
   280
          
685e839d934e Added ability to delete the draft revision; [SECURITY] fixed lack of permission check on draft save; renamed messagebox() constructor to MessageBox() (backward compat. maintained)
Dan
parents: 536
diff changeset
   281
          // are we just supposed to delete the draft?
685e839d934e Added ability to delete the draft revision; [SECURITY] fixed lack of permission check on draft save; renamed messagebox() constructor to MessageBox() (backward compat. maintained)
Dan
parents: 536
diff changeset
   282
          if ( $request['src'] === -1 )
685e839d934e Added ability to delete the draft revision; [SECURITY] fixed lack of permission check on draft save; renamed messagebox() constructor to MessageBox() (backward compat. maintained)
Dan
parents: 536
diff changeset
   283
          {
685e839d934e Added ability to delete the draft revision; [SECURITY] fixed lack of permission check on draft save; renamed messagebox() constructor to MessageBox() (backward compat. maintained)
Dan
parents: 536
diff changeset
   284
            $return = array(
685e839d934e Added ability to delete the draft revision; [SECURITY] fixed lack of permission check on draft save; renamed messagebox() constructor to MessageBox() (backward compat. maintained)
Dan
parents: 536
diff changeset
   285
              'mode' => 'success',
685e839d934e Added ability to delete the draft revision; [SECURITY] fixed lack of permission check on draft save; renamed messagebox() constructor to MessageBox() (backward compat. maintained)
Dan
parents: 536
diff changeset
   286
              'is_draft' => 'delete'
685e839d934e Added ability to delete the draft revision; [SECURITY] fixed lack of permission check on draft save; renamed messagebox() constructor to MessageBox() (backward compat. maintained)
Dan
parents: 536
diff changeset
   287
            );
685e839d934e Added ability to delete the draft revision; [SECURITY] fixed lack of permission check on draft save; renamed messagebox() constructor to MessageBox() (backward compat. maintained)
Dan
parents: 536
diff changeset
   288
          }
685e839d934e Added ability to delete the draft revision; [SECURITY] fixed lack of permission check on draft save; renamed messagebox() constructor to MessageBox() (backward compat. maintained)
Dan
parents: 536
diff changeset
   289
          else
685e839d934e Added ability to delete the draft revision; [SECURITY] fixed lack of permission check on draft save; renamed messagebox() constructor to MessageBox() (backward compat. maintained)
Dan
parents: 536
diff changeset
   290
          {
685e839d934e Added ability to delete the draft revision; [SECURITY] fixed lack of permission check on draft save; renamed messagebox() constructor to MessageBox() (backward compat. maintained)
Dan
parents: 536
diff changeset
   291
            $src = RenderMan::preprocess_text($request['src'], false, false);
685e839d934e Added ability to delete the draft revision; [SECURITY] fixed lack of permission check on draft save; renamed messagebox() constructor to MessageBox() (backward compat. maintained)
Dan
parents: 536
diff changeset
   292
            
685e839d934e Added ability to delete the draft revision; [SECURITY] fixed lack of permission check on draft save; renamed messagebox() constructor to MessageBox() (backward compat. maintained)
Dan
parents: 536
diff changeset
   293
            // Save the draft
685e839d934e Added ability to delete the draft revision; [SECURITY] fixed lack of permission check on draft save; renamed messagebox() constructor to MessageBox() (backward compat. maintained)
Dan
parents: 536
diff changeset
   294
            $q = $db->sql_query('INSERT INTO ' . table_prefix . 'logs ( log_type, action, page_id, namespace, author, edit_summary, page_text, is_draft, time_id )
685e839d934e Added ability to delete the draft revision; [SECURITY] fixed lack of permission check on draft save; renamed messagebox() constructor to MessageBox() (backward compat. maintained)
Dan
parents: 536
diff changeset
   295
                                   VALUES (
685e839d934e Added ability to delete the draft revision; [SECURITY] fixed lack of permission check on draft save; renamed messagebox() constructor to MessageBox() (backward compat. maintained)
Dan
parents: 536
diff changeset
   296
                                     \'page\',
685e839d934e Added ability to delete the draft revision; [SECURITY] fixed lack of permission check on draft save; renamed messagebox() constructor to MessageBox() (backward compat. maintained)
Dan
parents: 536
diff changeset
   297
                                     \'edit\',
685e839d934e Added ability to delete the draft revision; [SECURITY] fixed lack of permission check on draft save; renamed messagebox() constructor to MessageBox() (backward compat. maintained)
Dan
parents: 536
diff changeset
   298
                                     \'' . $db->escape($paths->page_id) . '\',
685e839d934e Added ability to delete the draft revision; [SECURITY] fixed lack of permission check on draft save; renamed messagebox() constructor to MessageBox() (backward compat. maintained)
Dan
parents: 536
diff changeset
   299
                                     \'' . $db->escape($paths->namespace) . '\',
685e839d934e Added ability to delete the draft revision; [SECURITY] fixed lack of permission check on draft save; renamed messagebox() constructor to MessageBox() (backward compat. maintained)
Dan
parents: 536
diff changeset
   300
                                     \'' . $db->escape($session->username) . '\',
685e839d934e Added ability to delete the draft revision; [SECURITY] fixed lack of permission check on draft save; renamed messagebox() constructor to MessageBox() (backward compat. maintained)
Dan
parents: 536
diff changeset
   301
                                     \'' . $db->escape($request['summary']) . '\',
685e839d934e Added ability to delete the draft revision; [SECURITY] fixed lack of permission check on draft save; renamed messagebox() constructor to MessageBox() (backward compat. maintained)
Dan
parents: 536
diff changeset
   302
                                     \'' . $db->escape($src) . '\',
685e839d934e Added ability to delete the draft revision; [SECURITY] fixed lack of permission check on draft save; renamed messagebox() constructor to MessageBox() (backward compat. maintained)
Dan
parents: 536
diff changeset
   303
                                     1,
685e839d934e Added ability to delete the draft revision; [SECURITY] fixed lack of permission check on draft save; renamed messagebox() constructor to MessageBox() (backward compat. maintained)
Dan
parents: 536
diff changeset
   304
                                     ' . time() . '
685e839d934e Added ability to delete the draft revision; [SECURITY] fixed lack of permission check on draft save; renamed messagebox() constructor to MessageBox() (backward compat. maintained)
Dan
parents: 536
diff changeset
   305
                                   );');
685e839d934e Added ability to delete the draft revision; [SECURITY] fixed lack of permission check on draft save; renamed messagebox() constructor to MessageBox() (backward compat. maintained)
Dan
parents: 536
diff changeset
   306
            
685e839d934e Added ability to delete the draft revision; [SECURITY] fixed lack of permission check on draft save; renamed messagebox() constructor to MessageBox() (backward compat. maintained)
Dan
parents: 536
diff changeset
   307
            // Done!
685e839d934e Added ability to delete the draft revision; [SECURITY] fixed lack of permission check on draft save; renamed messagebox() constructor to MessageBox() (backward compat. maintained)
Dan
parents: 536
diff changeset
   308
            $return = array(
685e839d934e Added ability to delete the draft revision; [SECURITY] fixed lack of permission check on draft save; renamed messagebox() constructor to MessageBox() (backward compat. maintained)
Dan
parents: 536
diff changeset
   309
                'mode' => 'success',
685e839d934e Added ability to delete the draft revision; [SECURITY] fixed lack of permission check on draft save; renamed messagebox() constructor to MessageBox() (backward compat. maintained)
Dan
parents: 536
diff changeset
   310
                'is_draft' => true
685e839d934e Added ability to delete the draft revision; [SECURITY] fixed lack of permission check on draft save; renamed messagebox() constructor to MessageBox() (backward compat. maintained)
Dan
parents: 536
diff changeset
   311
              );
685e839d934e Added ability to delete the draft revision; [SECURITY] fixed lack of permission check on draft save; renamed messagebox() constructor to MessageBox() (backward compat. maintained)
Dan
parents: 536
diff changeset
   312
          }
685e839d934e Added ability to delete the draft revision; [SECURITY] fixed lack of permission check on draft save; renamed messagebox() constructor to MessageBox() (backward compat. maintained)
Dan
parents: 536
diff changeset
   313
        }
335
67bd3121a12e Replaced TinyMCE 2.x with 3.0 beta 3. Supports everything but IE. Also rewrote the editor interface completely from the ground up.
Dan
parents: 334
diff changeset
   314
      }
67bd3121a12e Replaced TinyMCE 2.x with 3.0 beta 3. Supports everything but IE. Also rewrote the editor interface completely from the ground up.
Dan
parents: 334
diff changeset
   315
      else
67bd3121a12e Replaced TinyMCE 2.x with 3.0 beta 3. Supports everything but IE. Also rewrote the editor interface completely from the ground up.
Dan
parents: 334
diff changeset
   316
      {
413
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   317
        // Verify that no edits have been made since the editor was requested
416
53fcdf309a82 [Minor] Fixed obsolete trigger upon attempt at page save after draft autosave
Dan
parents: 413
diff changeset
   318
        $q = $db->sql_query('SELECT time_id, author FROM ' . table_prefix . "logs WHERE log_type = 'page' AND action = 'edit' AND page_id = '{$paths->page_id}' AND namespace = '{$paths->namespace}' AND is_draft != 1 ORDER BY time_id DESC LIMIT 1;");
413
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   319
        if ( !$q )
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   320
          $db->die_json();
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   321
        
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   322
        $row = $db->fetchrow();
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   323
        $db->free_result();
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   324
        
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   325
        if ( $row['time_id'] > $time )
335
67bd3121a12e Replaced TinyMCE 2.x with 3.0 beta 3. Supports everything but IE. Also rewrote the editor interface completely from the ground up.
Dan
parents: 334
diff changeset
   326
        {
413
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   327
          $return = array(
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   328
            'mode' => 'obsolete',
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   329
            'author' => $row['author'],
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   330
            'date_string' => enano_date('d M Y h:i a', $row['time_id']),
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   331
            'time' => $row['time_id'] // time() ???
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   332
            );
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   333
          echo enano_json_encode($return);
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   334
          break;
335
67bd3121a12e Replaced TinyMCE 2.x with 3.0 beta 3. Supports everything but IE. Also rewrote the editor interface completely from the ground up.
Dan
parents: 334
diff changeset
   335
        }
413
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   336
        
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   337
        // Verify captcha, if needed
555
ac4c6a7f01d8 Added user preference for disabling visual effects in Javascript applets; added re-import button to installed plugins
Dan
parents: 550
diff changeset
   338
        if ( false && !$session->user_logged_in && getConfig('guest_edit_require_captcha') == '1' )
336
bfa2e9c23f03 Added ability to require CAPTCHA for guests when editing pages (AJAX INTERFACE ONLY)
Dan
parents: 335
diff changeset
   339
        {
413
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   340
          if ( !isset($request['captcha_id']) || !isset($request['captcha_code']) )
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   341
          {
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   342
            die('Invalid request, need captcha metadata');
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   343
          }
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   344
          $code_correct = strtolower($session->get_captcha($request['captcha_id']));
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   345
          $code_input = strtolower($request['captcha_code']);
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   346
          if ( $code_correct !== $code_input )
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   347
          {
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   348
            $return = array(
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   349
              'mode' => 'errors',
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   350
              'errors' => array($lang->get('editor_err_captcha_wrong')),
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   351
              'new_captcha' => $session->make_captcha()
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   352
            );
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   353
            echo enano_json_encode($return);
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   354
            break;
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   355
          }
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   356
        }
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   357
        
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   358
        // Verification complete. Start the PageProcessor and let it do the dirty work for us.
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   359
        $page = new PageProcessor($paths->page_id, $paths->namespace);
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   360
        if ( $page->update_page($request['src'], $request['summary'], ( $request['minor_edit'] == 1 )) )
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   361
        {
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   362
          $return = array(
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   363
              'mode' => 'success',
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   364
              'is_draft' => false
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   365
            );
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   366
        }
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   367
        else
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   368
        {
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   369
          $errors = array();
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   370
          while ( $err = $page->pop_error() )
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   371
          {
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   372
            $errors[] = $err;
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   373
          }
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   374
          $return = array(
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   375
            'mode' => 'errors',
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   376
            'errors' => array_values($errors)
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   377
            );
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   378
          if ( !$session->user_logged_in && getConfig('guest_edit_require_captcha') == '1' )
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   379
          {
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   380
            $return['new_captcha'] = $session->make_captcha();
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   381
          }
6607cd646d6d Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents: 408
diff changeset
   382
        }
468
194a19711346 Fixed the fact that cron just didn't work at all (brain fart that day or something)
Dan
parents: 419
diff changeset
   383
      }
194a19711346 Fixed the fact that cron just didn't work at all (brain fart that day or something)
Dan
parents: 419
diff changeset
   384
      
194a19711346 Fixed the fact that cron just didn't work at all (brain fart that day or something)
Dan
parents: 419
diff changeset
   385
      // If this is based on a draft version, delete the draft - we no longer need it.
472
bc4b58034f4d Implemented password reset (albeit hackishly) into the new login API; added dummy window.console object to hopefully reduce errors when Firebug isn't around; fixed the longstanding ACL dismiss/close button bug; fixed a couple undefined variables in mailer; fixed PHP error on attempted opening of /dev/(u)random in rijndael.php; clarified documentation for PageProcessor::update_page(); fixed some logic problems in theme ACL code; disabled CAPTCHA debug
Dan
parents: 468
diff changeset
   386
      if ( @$request['used_draft'] && !$request['draft'] )
468
194a19711346 Fixed the fact that cron just didn't work at all (brain fart that day or something)
Dan
parents: 419
diff changeset
   387
      {
194a19711346 Fixed the fact that cron just didn't work at all (brain fart that day or something)
Dan
parents: 419
diff changeset
   388
        $q = $db->sql_query('DELETE FROM ' . table_prefix . 'logs WHERE log_type = \'page\' AND action = \'edit\'
194a19711346 Fixed the fact that cron just didn't work at all (brain fart that day or something)
Dan
parents: 419
diff changeset
   389
                               AND page_id = \'' . $db->escape($paths->page_id) . '\'
194a19711346 Fixed the fact that cron just didn't work at all (brain fart that day or something)
Dan
parents: 419
diff changeset
   390
                               AND namespace = \'' . $db->escape($paths->namespace) . '\'
194a19711346 Fixed the fact that cron just didn't work at all (brain fart that day or something)
Dan
parents: 419
diff changeset
   391
                               AND is_draft = 1;');
335
67bd3121a12e Replaced TinyMCE 2.x with 3.0 beta 3. Supports everything but IE. Also rewrote the editor interface completely from the ground up.
Dan
parents: 334
diff changeset
   392
      }
67bd3121a12e Replaced TinyMCE 2.x with 3.0 beta 3. Supports everything but IE. Also rewrote the editor interface completely from the ground up.
Dan
parents: 334
diff changeset
   393
      
67bd3121a12e Replaced TinyMCE 2.x with 3.0 beta 3. Supports everything but IE. Also rewrote the editor interface completely from the ground up.
Dan
parents: 334
diff changeset
   394
      echo enano_json_encode($return);
67bd3121a12e Replaced TinyMCE 2.x with 3.0 beta 3. Supports everything but IE. Also rewrote the editor interface completely from the ground up.
Dan
parents: 334
diff changeset
   395
      
67bd3121a12e Replaced TinyMCE 2.x with 3.0 beta 3. Supports everything but IE. Also rewrote the editor interface completely from the ground up.
Dan
parents: 334
diff changeset
   396
      break;
67bd3121a12e Replaced TinyMCE 2.x with 3.0 beta 3. Supports everything but IE. Also rewrote the editor interface completely from the ground up.
Dan
parents: 334
diff changeset
   397
    case "diff_cur":
67bd3121a12e Replaced TinyMCE 2.x with 3.0 beta 3. Supports everything but IE. Also rewrote the editor interface completely from the ground up.
Dan
parents: 334
diff changeset
   398
      
67bd3121a12e Replaced TinyMCE 2.x with 3.0 beta 3. Supports everything but IE. Also rewrote the editor interface completely from the ground up.
Dan
parents: 334
diff changeset
   399
      // Lie about our content type to fool ad scripts
67bd3121a12e Replaced TinyMCE 2.x with 3.0 beta 3. Supports everything but IE. Also rewrote the editor interface completely from the ground up.
Dan
parents: 334
diff changeset
   400
      header('Content-type: application/xhtml+xml');
67bd3121a12e Replaced TinyMCE 2.x with 3.0 beta 3. Supports everything but IE. Also rewrote the editor interface completely from the ground up.
Dan
parents: 334
diff changeset
   401
      
67bd3121a12e Replaced TinyMCE 2.x with 3.0 beta 3. Supports everything but IE. Also rewrote the editor interface completely from the ground up.
Dan
parents: 334
diff changeset
   402
      if ( !isset($_POST['text']) )
67bd3121a12e Replaced TinyMCE 2.x with 3.0 beta 3. Supports everything but IE. Also rewrote the editor interface completely from the ground up.
Dan
parents: 334
diff changeset
   403
        die('Invalid request');
67bd3121a12e Replaced TinyMCE 2.x with 3.0 beta 3. Supports everything but IE. Also rewrote the editor interface completely from the ground up.
Dan
parents: 334
diff changeset
   404
      
67bd3121a12e Replaced TinyMCE 2.x with 3.0 beta 3. Supports everything but IE. Also rewrote the editor interface completely from the ground up.
Dan
parents: 334
diff changeset
   405
      $page = new PageProcessor($paths->page_id, $paths->namespace);
67bd3121a12e Replaced TinyMCE 2.x with 3.0 beta 3. Supports everything but IE. Also rewrote the editor interface completely from the ground up.
Dan
parents: 334
diff changeset
   406
      if ( !($src = $page->fetch_source()) )
67bd3121a12e Replaced TinyMCE 2.x with 3.0 beta 3. Supports everything but IE. Also rewrote the editor interface completely from the ground up.
Dan
parents: 334
diff changeset
   407
      {
67bd3121a12e Replaced TinyMCE 2.x with 3.0 beta 3. Supports everything but IE. Also rewrote the editor interface completely from the ground up.
Dan
parents: 334
diff changeset
   408
        die('Access denied');
67bd3121a12e Replaced TinyMCE 2.x with 3.0 beta 3. Supports everything but IE. Also rewrote the editor interface completely from the ground up.
Dan
parents: 334
diff changeset
   409
      }
67bd3121a12e Replaced TinyMCE 2.x with 3.0 beta 3. Supports everything but IE. Also rewrote the editor interface completely from the ground up.
Dan
parents: 334
diff changeset
   410
      
67bd3121a12e Replaced TinyMCE 2.x with 3.0 beta 3. Supports everything but IE. Also rewrote the editor interface completely from the ground up.
Dan
parents: 334
diff changeset
   411
      $diff = RenderMan::diff($src, $_POST['text']);
67bd3121a12e Replaced TinyMCE 2.x with 3.0 beta 3. Supports everything but IE. Also rewrote the editor interface completely from the ground up.
Dan
parents: 334
diff changeset
   412
      if ( $diff == '<table class="diff"></table>' )
67bd3121a12e Replaced TinyMCE 2.x with 3.0 beta 3. Supports everything but IE. Also rewrote the editor interface completely from the ground up.
Dan
parents: 334
diff changeset
   413
      {
67bd3121a12e Replaced TinyMCE 2.x with 3.0 beta 3. Supports everything but IE. Also rewrote the editor interface completely from the ground up.
Dan
parents: 334
diff changeset
   414
        $diff = '<p>' . $lang->get('editor_msg_diff_empty') . '</p>';
67bd3121a12e Replaced TinyMCE 2.x with 3.0 beta 3. Supports everything but IE. Also rewrote the editor interface completely from the ground up.
Dan
parents: 334
diff changeset
   415
      }
67bd3121a12e Replaced TinyMCE 2.x with 3.0 beta 3. Supports everything but IE. Also rewrote the editor interface completely from the ground up.
Dan
parents: 334
diff changeset
   416
      
67bd3121a12e Replaced TinyMCE 2.x with 3.0 beta 3. Supports everything but IE. Also rewrote the editor interface completely from the ground up.
Dan
parents: 334
diff changeset
   417
      echo '<div class="info-box">' . $lang->get('editor_msg_diff') . '</div>';
67bd3121a12e Replaced TinyMCE 2.x with 3.0 beta 3. Supports everything but IE. Also rewrote the editor interface completely from the ground up.
Dan
parents: 334
diff changeset
   418
      echo $diff;
67bd3121a12e Replaced TinyMCE 2.x with 3.0 beta 3. Supports everything but IE. Also rewrote the editor interface completely from the ground up.
Dan
parents: 334
diff changeset
   419
      
67bd3121a12e Replaced TinyMCE 2.x with 3.0 beta 3. Supports everything but IE. Also rewrote the editor interface completely from the ground up.
Dan
parents: 334
diff changeset
   420
      break;
321
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   421
    case "protect":
468
194a19711346 Fixed the fact that cron just didn't work at all (brain fart that day or something)
Dan
parents: 419
diff changeset
   422
      // echo PageUtils::protect($paths->page_id, $paths->namespace, (int)$_POST['level'], $_POST['reason']);
481
07bf15b066bc Hopefully completed rewrite and localization of rollback backend and interface
Dan
parents: 472
diff changeset
   423
      
07bf15b066bc Hopefully completed rewrite and localization of rollback backend and interface
Dan
parents: 472
diff changeset
   424
      if ( @$_POST['reason'] === '__ROLLBACK__' )
07bf15b066bc Hopefully completed rewrite and localization of rollback backend and interface
Dan
parents: 472
diff changeset
   425
      {
07bf15b066bc Hopefully completed rewrite and localization of rollback backend and interface
Dan
parents: 472
diff changeset
   426
        // __ROLLBACK__ is a keyword for log entries.
07bf15b066bc Hopefully completed rewrite and localization of rollback backend and interface
Dan
parents: 472
diff changeset
   427
        die('"__ROLLBACK__" ain\'t gonna do it, buddy. Try to _not_ use reserved keywords next time, ok?');
07bf15b066bc Hopefully completed rewrite and localization of rollback backend and interface
Dan
parents: 472
diff changeset
   428
      }
07bf15b066bc Hopefully completed rewrite and localization of rollback backend and interface
Dan
parents: 472
diff changeset
   429
      
468
194a19711346 Fixed the fact that cron just didn't work at all (brain fart that day or something)
Dan
parents: 419
diff changeset
   430
      $page = new PageProcessor($paths->page_id, $paths->namespace);
194a19711346 Fixed the fact that cron just didn't work at all (brain fart that day or something)
Dan
parents: 419
diff changeset
   431
      header('Content-type: application/json');
194a19711346 Fixed the fact that cron just didn't work at all (brain fart that day or something)
Dan
parents: 419
diff changeset
   432
      
194a19711346 Fixed the fact that cron just didn't work at all (brain fart that day or something)
Dan
parents: 419
diff changeset
   433
      $result = $page->protect_page(intval($_POST['level']), $_POST['reason']);
194a19711346 Fixed the fact that cron just didn't work at all (brain fart that day or something)
Dan
parents: 419
diff changeset
   434
      echo enano_json_encode($result);
321
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   435
      break;
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   436
    case "histlist":
324
16d0c9f33466 Merging in a few stray changes from the MySQL branch
Dan
parents: 322 321
diff changeset
   437
      echo PageUtils::histlist($paths->page_id, $paths->namespace);
321
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   438
      break;
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   439
    case "rollback":
468
194a19711346 Fixed the fact that cron just didn't work at all (brain fart that day or something)
Dan
parents: 419
diff changeset
   440
      $id = intval(@$_GET['id']);
194a19711346 Fixed the fact that cron just didn't work at all (brain fart that day or something)
Dan
parents: 419
diff changeset
   441
      $page = new PageProcessor($paths->page_id, $paths->namespace);
194a19711346 Fixed the fact that cron just didn't work at all (brain fart that day or something)
Dan
parents: 419
diff changeset
   442
      header('Content-type: application/json');
194a19711346 Fixed the fact that cron just didn't work at all (brain fart that day or something)
Dan
parents: 419
diff changeset
   443
      
194a19711346 Fixed the fact that cron just didn't work at all (brain fart that day or something)
Dan
parents: 419
diff changeset
   444
      $result = $page->rollback_log_entry($id);
194a19711346 Fixed the fact that cron just didn't work at all (brain fart that day or something)
Dan
parents: 419
diff changeset
   445
      echo enano_json_encode($result);
321
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   446
      break;
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   447
    case "comments":
324
16d0c9f33466 Merging in a few stray changes from the MySQL branch
Dan
parents: 322 321
diff changeset
   448
      $comments = new Comments($paths->page_id, $paths->namespace);
321
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   449
      if ( isset($_POST['data']) )
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   450
      {
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   451
        $comments->process_json($_POST['data']);
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   452
      }
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   453
      else
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   454
      {
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   455
        die('{ "mode" : "error", "error" : "No input" }');
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   456
      }
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   457
      break;
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   458
    case "rename":
468
194a19711346 Fixed the fact that cron just didn't work at all (brain fart that day or something)
Dan
parents: 419
diff changeset
   459
      $page = new PageProcessor($paths->page_id, $paths->namespace);
194a19711346 Fixed the fact that cron just didn't work at all (brain fart that day or something)
Dan
parents: 419
diff changeset
   460
      header('Content-type: application/json');
194a19711346 Fixed the fact that cron just didn't work at all (brain fart that day or something)
Dan
parents: 419
diff changeset
   461
      
194a19711346 Fixed the fact that cron just didn't work at all (brain fart that day or something)
Dan
parents: 419
diff changeset
   462
      $result = $page->rename_page($_POST['newtitle']);
194a19711346 Fixed the fact that cron just didn't work at all (brain fart that day or something)
Dan
parents: 419
diff changeset
   463
      echo enano_json_encode($result);
321
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   464
      break;
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   465
    case "flushlogs":
324
16d0c9f33466 Merging in a few stray changes from the MySQL branch
Dan
parents: 322 321
diff changeset
   466
      echo PageUtils::flushlogs($paths->page_id, $paths->namespace);
321
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   467
      break;
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   468
    case "deletepage":
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   469
      $reason = ( isset($_POST['reason']) ) ? $_POST['reason'] : false;
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   470
      if ( empty($reason) )
378
c1c7fa6b329f Got Enano to load even if there are no plugins; added caching for decrypted session keys to significantly improve performance (in theory at least)
Dan
parents: 345
diff changeset
   471
        die($lang->get('page_err_need_reason'));
324
16d0c9f33466 Merging in a few stray changes from the MySQL branch
Dan
parents: 322 321
diff changeset
   472
      echo PageUtils::deletepage($paths->page_id, $paths->namespace, $reason);
321
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   473
      break;
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   474
    case "delvote":
324
16d0c9f33466 Merging in a few stray changes from the MySQL branch
Dan
parents: 322 321
diff changeset
   475
      echo PageUtils::delvote($paths->page_id, $paths->namespace);
321
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   476
      break;
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   477
    case "resetdelvotes":
324
16d0c9f33466 Merging in a few stray changes from the MySQL branch
Dan
parents: 322 321
diff changeset
   478
      echo PageUtils::resetdelvotes($paths->page_id, $paths->namespace);
321
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   479
      break;
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   480
    case "getstyles":
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   481
      echo PageUtils::getstyles($_GET['id']);
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   482
      break;
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   483
    case "catedit":
324
16d0c9f33466 Merging in a few stray changes from the MySQL branch
Dan
parents: 322 321
diff changeset
   484
      echo PageUtils::catedit($paths->page_id, $paths->namespace);
321
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   485
      break;
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   486
    case "catsave":
324
16d0c9f33466 Merging in a few stray changes from the MySQL branch
Dan
parents: 322 321
diff changeset
   487
      echo PageUtils::catsave($paths->page_id, $paths->namespace, $_POST);
321
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   488
      break;
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   489
    case "setwikimode":
324
16d0c9f33466 Merging in a few stray changes from the MySQL branch
Dan
parents: 322 321
diff changeset
   490
      echo PageUtils::setwikimode($paths->page_id, $paths->namespace, (int)$_GET['mode']);
321
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   491
      break;
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   492
    case "setpass":
324
16d0c9f33466 Merging in a few stray changes from the MySQL branch
Dan
parents: 322 321
diff changeset
   493
      echo PageUtils::setpass($paths->page_id, $paths->namespace, $_POST['password']);
321
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   494
      break;
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   495
    case "fillusername":
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   496
      break;
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   497
    case "fillpagename":
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   498
      $name = (isset($_GET['name'])) ? $_GET['name'] : false;
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   499
      if(!$name) die('userlist = new Array(); namelist = new Array(); errorstring=\'Invalid URI\'');
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   500
      $nd = RenderMan::strToPageID($name);
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   501
      $c = 0;
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   502
      $u = Array();
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   503
      $n = Array();
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   504
      
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   505
      $name = sanitize_page_id($name);
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   506
      $name = str_replace('_', ' ', $name);
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   507
      
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   508
      for($i=0;$i<sizeof($paths->pages)/2;$i++)
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   509
      {
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   510
        if( ( 
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   511
            preg_match('#'.preg_quote($name).'(.*)#i', $paths->pages[$i]['name']) ||
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   512
            preg_match('#'.preg_quote($name).'(.*)#i', $paths->pages[$i]['urlname']) ||
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   513
            preg_match('#'.preg_quote($name).'(.*)#i', $paths->pages[$i]['urlname_nons']) ||
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   514
            preg_match('#'.preg_quote(str_replace(' ', '_', $name)).'(.*)#i', $paths->pages[$i]['name']) ||
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   515
            preg_match('#'.preg_quote(str_replace(' ', '_', $name)).'(.*)#i', $paths->pages[$i]['urlname']) ||
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   516
            preg_match('#'.preg_quote(str_replace(' ', '_', $name)).'(.*)#i', $paths->pages[$i]['urlname_nons'])
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   517
            ) &&
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   518
           ( ( $nd[1] != 'Article' && $paths->pages[$i]['namespace'] == $nd[1] ) || $nd[1] == 'Article' )
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   519
            && $paths->pages[$i]['visible']
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   520
           )
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   521
        {
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   522
          $c++;
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   523
          $u[] = $paths->pages[$i]['name'];
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   524
          $n[] = $paths->pages[$i]['urlname'];
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   525
        }
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   526
      }
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   527
      if($c > 0)
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   528
      {
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   529
        echo 'userlist = new Array(); namelist = new Array(); errorstring = false; '."\n";
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   530
        for($i=0;$i<sizeof($u);$i++) // Can't use foreach because we need the value of $i and we need to use both $u and $n
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   531
        {
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   532
          echo "userlist[$i] = '".addslashes($n[$i])."';\n";
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   533
          echo "namelist[$i] = '".addslashes(htmlspecialchars($u[$i]))."';\n";
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   534
        }
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   535
      } else {
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   536
        die('userlist = new Array(); namelist = new Array(); errorstring=\'No page matches found.\'');
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   537
      }
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   538
      break;
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   539
    case "preview":
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   540
      echo PageUtils::genPreview($_POST['text']);
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   541
      break;
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   542
    case "pagediff":
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   543
      $id1 = ( isset($_GET['diff1']) ) ? (int)$_GET['diff1'] : false;
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   544
      $id2 = ( isset($_GET['diff2']) ) ? (int)$_GET['diff2'] : false;
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   545
      if(!$id1 || !$id2) { echo '<p>Invalid request.</p>'; $template->footer(); break; }
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   546
      if(!preg_match('#^([0-9]+)$#', (string)$_GET['diff1']) ||
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   547
         !preg_match('#^([0-9]+)$#', (string)$_GET['diff2']  )) { echo '<p>SQL injection attempt</p>'; $template->footer(); break; }
324
16d0c9f33466 Merging in a few stray changes from the MySQL branch
Dan
parents: 322 321
diff changeset
   548
      echo PageUtils::pagediff($paths->page_id, $paths->namespace, $id1, $id2);
321
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   549
      break;
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   550
    case "jsres":
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   551
      die('// ERROR: this section is deprecated and has moved to includes/clientside/static/enano-lib-basic.js.');
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   552
      break;
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   553
    case "rdns":
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   554
      if(!$session->get_permissions('mod_misc')) die('Go somewhere else for your reverse DNS info!');
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   555
      $ip = $_GET['ip'];
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   556
      $rdns = gethostbyaddr($ip);
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   557
      if($rdns == $ip) echo 'Unable to get reverse DNS information. Perhaps the DNS server is down or the PTR record no longer exists.';
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   558
      else echo $rdns;
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   559
      break;
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   560
    case 'acljson':
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   561
      $parms = ( isset($_POST['acl_params']) ) ? rawurldecode($_POST['acl_params']) : false;
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   562
      echo PageUtils::acl_json($parms);
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   563
      break;
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   564
    case "change_theme":
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   565
      if ( !isset($_POST['theme_id']) || !isset($_POST['style_id']) )
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   566
      {
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   567
        die('Invalid input');
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   568
      }
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   569
      if ( !preg_match('/^([a-z0-9_-]+)$/i', $_POST['theme_id']) || !preg_match('/^([a-z0-9_-]+)$/i', $_POST['style_id']) )
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   570
      {
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   571
        die('Invalid input');
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   572
      }
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   573
      if ( !file_exists(ENANO_ROOT . '/themes/' . $_POST['theme_id'] . '/css/' . $_POST['style_id'] . '.css') )
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   574
      {
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   575
        die('Can\'t find theme file: ' . ENANO_ROOT . '/themes/' . $_POST['theme_id'] . '/css/' . $_POST['style_id'] . '.css');
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   576
      }
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   577
      if ( !$session->user_logged_in )
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   578
      {
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   579
        die('You must be logged in to change your theme');
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   580
      }
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   581
      // Just in case something slipped through...
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   582
      $theme_id = $db->escape($_POST['theme_id']);
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   583
      $style_id = $db->escape($_POST['style_id']);
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   584
      $e = $db->sql_query('UPDATE ' . table_prefix . "users SET theme='$theme_id', style='$style_id' WHERE user_id=$session->user_id;");
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   585
      if ( !$e )
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   586
        die( $db->get_error() );
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   587
      die('GOOD');
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   588
      break;
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   589
    case 'get_tags':
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   590
      
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   591
      $ret = array('tags' => array(), 'user_level' => $session->user_level, 'can_add' => $session->get_permissions('tag_create'));
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   592
      $q = $db->sql_query('SELECT t.tag_id, t.tag_name, pg.pg_target IS NOT NULL AS used_in_acl, t.user_id FROM '.table_prefix.'tags AS t
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   593
        LEFT JOIN '.table_prefix.'page_groups AS pg
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   594
          ON ( ( pg.pg_type = ' . PAGE_GRP_TAGGED . ' AND pg.pg_target=t.tag_name ) OR ( pg.pg_type IS NULL AND pg.pg_target IS NULL ) )
324
16d0c9f33466 Merging in a few stray changes from the MySQL branch
Dan
parents: 322 321
diff changeset
   595
        WHERE t.page_id=\'' . $db->escape($paths->page_id) . '\' AND t.namespace=\'' . $db->escape($paths->namespace) . '\';');
321
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   596
      if ( !$q )
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   597
        $db->_die();
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   598
      
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   599
      while ( $row = $db->fetchrow() )
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   600
      {
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   601
        $can_del = true;
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   602
        
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   603
        $perm = ( $row['user_id'] != $session->user_id ) ?
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   604
                'tag_delete_other' :
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   605
                'tag_delete_own';
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   606
        
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   607
        if ( $row['user_id'] == 1 && !$session->user_logged_in )
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   608
          // anonymous user trying to delete tag (hardcode blacklisted)
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   609
          $can_del = false;
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   610
          
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   611
        if ( !$session->get_permissions($perm) )
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   612
          $can_del = false;
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   613
        
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   614
        if ( $row['used_in_acl'] == 1 && !$session->get_permissions('edit_acl') && $session->user_level < USER_LEVEL_ADMIN )
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   615
          $can_del = false;
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   616
        
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   617
        $ret['tags'][] = array(
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   618
          'id' => $row['tag_id'],
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   619
          'name' => $row['tag_name'],
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   620
          'can_del' => $can_del,
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   621
          'acl' => ( $row['used_in_acl'] == 1 )
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   622
        );
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   623
      }
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   624
      
334
c72b545f1304 More localization work. Resolved major issue with JSON parser not parsing files over ~50KB. Switched JSON parser to the one from the Zend Framework (BSD licensed). Forced to split enano.json into five different files.
Dan
parents: 326
diff changeset
   625
      echo enano_json_encode($ret);
321
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   626
      
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   627
      break;
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   628
    case 'addtag':
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   629
      $resp = array(
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   630
          'success' => false,
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   631
          'error' => 'No error',
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   632
          'can_del' => ( $session->get_permissions('tag_delete_own') && $session->user_logged_in ),
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   633
          'in_acl' => false
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   634
        );
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   635
      
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   636
      // first of course, are we allowed to tag pages?
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   637
      if ( !$session->get_permissions('tag_create') )
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   638
      {
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   639
        $resp['error'] = 'You are not permitted to tag pages.';
334
c72b545f1304 More localization work. Resolved major issue with JSON parser not parsing files over ~50KB. Switched JSON parser to the one from the Zend Framework (BSD licensed). Forced to split enano.json into five different files.
Dan
parents: 326
diff changeset
   640
        die(enano_json_encode($resp));
321
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   641
      }
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   642
      
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   643
      // sanitize the tag name
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   644
      $tag = sanitize_tag($_POST['tag']);
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   645
      $tag = $db->escape($tag);
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   646
      
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   647
      if ( strlen($tag) < 2 )
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   648
      {
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   649
        $resp['error'] = 'Tags must consist of at least 2 alphanumeric characters.';
334
c72b545f1304 More localization work. Resolved major issue with JSON parser not parsing files over ~50KB. Switched JSON parser to the one from the Zend Framework (BSD licensed). Forced to split enano.json into five different files.
Dan
parents: 326
diff changeset
   650
        die(enano_json_encode($resp));
321
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   651
      }
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   652
      
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   653
      // check if tag is already on page
324
16d0c9f33466 Merging in a few stray changes from the MySQL branch
Dan
parents: 322 321
diff changeset
   654
      $q = $db->sql_query('SELECT 1 FROM '.table_prefix.'tags WHERE page_id=\'' . $db->escape($paths->page_id) . '\' AND namespace=\'' . $db->escape($paths->namespace) . '\' AND tag_name=\'' . $tag . '\';');
321
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   655
      if ( !$q )
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   656
        $db->_die();
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   657
      if ( $db->numrows() > 0 )
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   658
      {
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   659
        $resp['error'] = 'This page already has this tag.';
334
c72b545f1304 More localization work. Resolved major issue with JSON parser not parsing files over ~50KB. Switched JSON parser to the one from the Zend Framework (BSD licensed). Forced to split enano.json into five different files.
Dan
parents: 326
diff changeset
   660
        die(enano_json_encode($resp));
321
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   661
      }
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   662
      $db->free_result();
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   663
      
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   664
      // tricky: make sure this tag isn't being used in some page group, and thus adding it could affect page access
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   665
      $can_edit_acl = ( $session->get_permissions('edit_acl') || $session->user_level >= USER_LEVEL_ADMIN );
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   666
      $q = $db->sql_query('SELECT 1 FROM '.table_prefix.'page_groups WHERE pg_type=' . PAGE_GRP_TAGGED . ' AND pg_target=\'' . $tag . '\';');
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   667
      if ( !$q )
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   668
        $db->_die();
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   669
      if ( $db->numrows() > 0 && !$can_edit_acl )
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   670
      {
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   671
        $resp['error'] = 'This tag is used in an ACL page group, and thus can\'t be added to a page by people without administrator privileges.';
334
c72b545f1304 More localization work. Resolved major issue with JSON parser not parsing files over ~50KB. Switched JSON parser to the one from the Zend Framework (BSD licensed). Forced to split enano.json into five different files.
Dan
parents: 326
diff changeset
   672
        die(enano_json_encode($resp));
321
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   673
      }
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   674
      $resp['in_acl'] = ( $db->numrows() > 0 );
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   675
      $db->free_result();
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   676
      
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   677
      // we're good
324
16d0c9f33466 Merging in a few stray changes from the MySQL branch
Dan
parents: 322 321
diff changeset
   678
      $q = $db->sql_query('INSERT INTO '.table_prefix.'tags(tag_name,page_id,namespace,user_id) VALUES(\'' . $tag . '\', \'' . $db->escape($paths->page_id) . '\', \'' . $db->escape($paths->namespace) . '\', ' . $session->user_id . ');');
321
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   679
      if ( !$q )
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   680
        $db->_die();
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   681
      
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   682
      $resp['success'] = true;
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   683
      $resp['tag'] = $tag;
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   684
      $resp['tag_id'] = $db->insert_id();
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   685
      
334
c72b545f1304 More localization work. Resolved major issue with JSON parser not parsing files over ~50KB. Switched JSON parser to the one from the Zend Framework (BSD licensed). Forced to split enano.json into five different files.
Dan
parents: 326
diff changeset
   686
      echo enano_json_encode($resp);
321
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   687
      break;
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   688
    case 'deltag':
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   689
      
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   690
      $tag_id = intval($_POST['tag_id']);
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   691
      if ( empty($tag_id) )
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   692
        die('Invalid tag ID');
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   693
      
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   694
      $q = $db->sql_query('SELECT t.tag_id, t.user_id, t.page_id, t.namespace, pg.pg_target IS NOT NULL AS used_in_acl FROM '.table_prefix.'tags AS t
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   695
  LEFT JOIN '.table_prefix.'page_groups AS pg
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   696
    ON ( pg.pg_id IS NULL OR ( pg.pg_target = t.tag_name AND pg.pg_type = ' . PAGE_GRP_TAGGED . ' ) )
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   697
  WHERE t.tag_id=' . $tag_id . ';');
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   698
      
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   699
      if ( !$q )
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   700
        $db->_die();
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   701
      
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   702
      if ( $db->numrows() < 1 )
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   703
        die('Could not find a tag with that ID');
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   704
      
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   705
      $row = $db->fetchrow();
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   706
      $db->free_result();
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   707
      
324
16d0c9f33466 Merging in a few stray changes from the MySQL branch
Dan
parents: 322 321
diff changeset
   708
      if ( $row['page_id'] == $paths->page_id && $row['namespace'] == $paths->namespace )
321
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   709
        $perms =& $session;
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   710
      else
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   711
        $perms = $session->fetch_page_acl($row['page_id'], $row['namespace']);
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   712
        
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   713
      $perm = ( $row['user_id'] != $session->user_id ) ?
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   714
                'tag_delete_other' :
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   715
                'tag_delete_own';
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   716
      
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   717
      if ( $row['user_id'] == 1 && !$session->user_logged_in )
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   718
        // anonymous user trying to delete tag (hardcode blacklisted)
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   719
        die('You are not authorized to delete this tag.');
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   720
        
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   721
      if ( !$perms->get_permissions($perm) )
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   722
        die('You are not authorized to delete this tag.');
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   723
      
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   724
      if ( $row['used_in_acl'] == 1 && !$perms->get_permissions('edit_acl') && $session->user_level < USER_LEVEL_ADMIN )
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   725
        die('You are not authorized to delete this tag.');
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   726
      
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   727
      // We're good
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   728
      $q = $db->sql_query('DELETE FROM '.table_prefix.'tags WHERE tag_id = ' . $tag_id . ';');
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   729
      if ( !$q )
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   730
        $db->_die();
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   731
      
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   732
      echo 'success';
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   733
      
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   734
      break;
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   735
    case 'ping':
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   736
      echo 'pong';
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   737
      break;
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   738
    default:
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   739
      die('Hacking attempt');
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   740
      break;
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   741
  }
c0d855cfaf0e Set Content-type on AJAX login key request to application/json to hopefully block ad injection
Dan
parents: 320
diff changeset
   742
  
0
902822492a68 Initial population
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   743
?>