author | Dan |
Tue, 08 Apr 2008 20:08:35 -0400 | |
changeset 522 | fd46b1bf708e |
parent 513 | c15fbf197a54 |
child 536 | 218a627eb53e |
permissions | -rw-r--r-- |
1 | 1 |
<?php |
166
d53cc29308f4
Rebrand as 1.1.1; everything should now be bumped to "unstable" status
Dan
parents:
158
diff
changeset
|
2 |
|
1 | 3 |
/* |
4 |
* Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between |
|
166
d53cc29308f4
Rebrand as 1.1.1; everything should now be bumped to "unstable" status
Dan
parents:
158
diff
changeset
|
5 |
* Version 1.1.1 |
1 | 6 |
* Copyright (C) 2006-2007 Dan Fuhry |
7 |
* pageutils.php - a class that handles raw page manipulations, used mostly by AJAX requests or their old-fashioned form-based counterparts |
|
8 |
* |
|
9 |
* This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License |
|
10 |
* as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. |
|
11 |
* |
|
12 |
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied |
|
13 |
* warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for details. |
|
14 |
*/ |
|
15 |
||
16 |
class PageUtils { |
|
17 |
||
18 |
/** |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
19 |
* Tell if a username is used or not. |
1 | 20 |
* @param $name the name to check for |
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
21 |
* @return string |
1 | 22 |
*/ |
23 |
||
372
5bd429428101
A number of scattered changes. Profiler added and only enabled in debug mode (currently on), but awfully useful for fixing performance in the future. Started work on Admin:LangManager
Dan
parents:
361
diff
changeset
|
24 |
public static function checkusername($name) |
1 | 25 |
{ |
26 |
global $db, $session, $paths, $template, $plugins; // Common objects |
|
270
5bcdee999015
Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
parents:
260
diff
changeset
|
27 |
$name = str_replace('_', ' ', $name); |
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
28 |
$q = $db->sql_query('SELECT username FROM ' . table_prefix.'users WHERE username=\'' . $db->escape(rawurldecode($name)) . '\''); |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
29 |
if ( !$q ) |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
30 |
{ |
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
parents:
335
diff
changeset
|
31 |
die($db->get_error()); |
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
32 |
} |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
33 |
if ( $db->numrows() < 1) |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
34 |
{ |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
35 |
$db->free_result(); return('good'); |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
36 |
} |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
37 |
else |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
38 |
{ |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
39 |
$db->free_result(); return('bad'); |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
40 |
} |
1 | 41 |
} |
42 |
||
43 |
/** |
|
44 |
* Get the wiki formatting source for a page |
|
45 |
* @param $page the full page id (Namespace:Pagename) |
|
46 |
* @return string |
|
47 |
* @todo (DONE) Make it require a password (just for security purposes) |
|
48 |
*/ |
|
49 |
||
372
5bd429428101
A number of scattered changes. Profiler added and only enabled in debug mode (currently on), but awfully useful for fixing performance in the future. Started work on Admin:LangManager
Dan
parents:
361
diff
changeset
|
50 |
public static function getsource($page, $password = false) |
1 | 51 |
{ |
52 |
global $db, $session, $paths, $template, $plugins; // Common objects |
|
53 |
if(!isset($paths->pages[$page])) |
|
54 |
{ |
|
55 |
return ''; |
|
56 |
} |
|
57 |
||
58 |
if(strlen($paths->pages[$page]['password']) == 40) |
|
59 |
{ |
|
60 |
if(!$password || ( $password != $paths->pages[$page]['password'])) |
|
61 |
{ |
|
62 |
return 'invalid_password'; |
|
63 |
} |
|
64 |
} |
|
65 |
||
66 |
if(!$session->get_permissions('view_source')) // Dependencies handle this for us - this also checks for read privileges |
|
67 |
return 'access_denied'; |
|
68 |
$pid = RenderMan::strToPageID($page); |
|
69 |
if($pid[1] == 'Special' || $pid[1] == 'Admin') |
|
70 |
{ |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
71 |
die('This type of page (' . $paths->nslist[$pid[1]] . ') cannot be edited because the page source code is not stored in the database.'); |
1 | 72 |
} |
73 |
||
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
74 |
$e = $db->sql_query('SELECT page_text,char_tag FROM ' . table_prefix.'page_text WHERE page_id=\'' . $pid[0] . '\' AND namespace=\'' . $pid[1] . '\''); |
1 | 75 |
if ( !$e ) |
76 |
{ |
|
77 |
$db->_die('The page text could not be selected.'); |
|
78 |
} |
|
79 |
if( $db->numrows() < 1 ) |
|
80 |
{ |
|
81 |
return ''; //$db->_die('There were no rows in the text table that matched the page text query.'); |
|
82 |
} |
|
83 |
||
84 |
$r = $db->fetchrow(); |
|
85 |
$db->free_result(); |
|
86 |
$message = $r['page_text']; |
|
87 |
||
88 |
return htmlspecialchars($message); |
|
89 |
} |
|
90 |
||
91 |
/** |
|
391
85f91037cd4f
Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
Dan
parents:
372
diff
changeset
|
92 |
* DEPRECATED. Previously returned the full rendered contents of a page. |
1 | 93 |
* @param $page the full page id (Namespace:Pagename) |
94 |
* @param $send_headers true if the theme headers should be sent (still dependent on current page settings), false otherwise |
|
95 |
* @return string |
|
96 |
*/ |
|
97 |
||
372
5bd429428101
A number of scattered changes. Profiler added and only enabled in debug mode (currently on), but awfully useful for fixing performance in the future. Started work on Admin:LangManager
Dan
parents:
361
diff
changeset
|
98 |
public static function getpage($page, $send_headers = false, $hist_id = false) |
1 | 99 |
{ |
100 |
die('PageUtils->getpage is deprecated.'); |
|
101 |
} |
|
102 |
||
103 |
/** |
|
104 |
* Writes page data to the database, after verifying permissions and running the XSS filter |
|
105 |
* @param $page_id the page ID |
|
106 |
* @param $namespace the namespace |
|
107 |
* @param $message the text to save |
|
108 |
* @return string |
|
109 |
*/ |
|
110 |
||
372
5bd429428101
A number of scattered changes. Profiler added and only enabled in debug mode (currently on), but awfully useful for fixing performance in the future. Started work on Admin:LangManager
Dan
parents:
361
diff
changeset
|
111 |
public static function savepage($page_id, $namespace, $message, $summary = 'No edit summary given', $minor = false) |
1 | 112 |
{ |
113 |
global $db, $session, $paths, $template, $plugins; // Common objects |
|
114 |
$uid = sha1(microtime()); |
|
115 |
$pname = $paths->nslist[$namespace] . $page_id; |
|
116 |
||
117 |
if(!$session->get_permissions('edit_page')) |
|
118 |
return 'Access to edit pages is denied.'; |
|
119 |
||
120 |
if(!isset($paths->pages[$pname])) |
|
121 |
{ |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
122 |
$create = PageUtils::createPage($page_id, $namespace); |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
123 |
if ( $create != 'good' ) |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
124 |
return 'The page did not exist, and I was not able to create it. The reported error was: ' . $create; |
21
663fcf528726
Updated all version numbers back to Banshee; a few preliminary steps towards full UTF-8 support in page URLs
Dan
parents:
19
diff
changeset
|
125 |
$paths->page_exists = true; |
1 | 126 |
} |
127 |
||
260
661beb9b0fa3
Rewrote some security code in PageUtils::savepage to accommodate the ACL system better; there was an issue with non-admin users saving pages on which they have edit rights but wiki mode is turned off
Dan
parents:
256
diff
changeset
|
128 |
// Check page protection |
661beb9b0fa3
Rewrote some security code in PageUtils::savepage to accommodate the ACL system better; there was an issue with non-admin users saving pages on which they have edit rights but wiki mode is turned off
Dan
parents:
256
diff
changeset
|
129 |
|
661beb9b0fa3
Rewrote some security code in PageUtils::savepage to accommodate the ACL system better; there was an issue with non-admin users saving pages on which they have edit rights but wiki mode is turned off
Dan
parents:
256
diff
changeset
|
130 |
$is_protected = false; |
661beb9b0fa3
Rewrote some security code in PageUtils::savepage to accommodate the ACL system better; there was an issue with non-admin users saving pages on which they have edit rights but wiki mode is turned off
Dan
parents:
256
diff
changeset
|
131 |
$page_data =& $paths->pages[$pname]; |
661beb9b0fa3
Rewrote some security code in PageUtils::savepage to accommodate the ACL system better; there was an issue with non-admin users saving pages on which they have edit rights but wiki mode is turned off
Dan
parents:
256
diff
changeset
|
132 |
// Is the protection semi? |
661beb9b0fa3
Rewrote some security code in PageUtils::savepage to accommodate the ACL system better; there was an issue with non-admin users saving pages on which they have edit rights but wiki mode is turned off
Dan
parents:
256
diff
changeset
|
133 |
if ( $page_data['protected'] == 2 ) |
661beb9b0fa3
Rewrote some security code in PageUtils::savepage to accommodate the ACL system better; there was an issue with non-admin users saving pages on which they have edit rights but wiki mode is turned off
Dan
parents:
256
diff
changeset
|
134 |
{ |
661beb9b0fa3
Rewrote some security code in PageUtils::savepage to accommodate the ACL system better; there was an issue with non-admin users saving pages on which they have edit rights but wiki mode is turned off
Dan
parents:
256
diff
changeset
|
135 |
$is_protected = true; |
661beb9b0fa3
Rewrote some security code in PageUtils::savepage to accommodate the ACL system better; there was an issue with non-admin users saving pages on which they have edit rights but wiki mode is turned off
Dan
parents:
256
diff
changeset
|
136 |
// Page is semi-protected. Has the user been here for at least 4 days? |
661beb9b0fa3
Rewrote some security code in PageUtils::savepage to accommodate the ACL system better; there was an issue with non-admin users saving pages on which they have edit rights but wiki mode is turned off
Dan
parents:
256
diff
changeset
|
137 |
// 345600 seconds = 4 days |
661beb9b0fa3
Rewrote some security code in PageUtils::savepage to accommodate the ACL system better; there was an issue with non-admin users saving pages on which they have edit rights but wiki mode is turned off
Dan
parents:
256
diff
changeset
|
138 |
if ( $session->user_logged_in && ( $session->reg_time + 345600 ) <= time() ) |
661beb9b0fa3
Rewrote some security code in PageUtils::savepage to accommodate the ACL system better; there was an issue with non-admin users saving pages on which they have edit rights but wiki mode is turned off
Dan
parents:
256
diff
changeset
|
139 |
$is_protected = false; |
661beb9b0fa3
Rewrote some security code in PageUtils::savepage to accommodate the ACL system better; there was an issue with non-admin users saving pages on which they have edit rights but wiki mode is turned off
Dan
parents:
256
diff
changeset
|
140 |
} |
661beb9b0fa3
Rewrote some security code in PageUtils::savepage to accommodate the ACL system better; there was an issue with non-admin users saving pages on which they have edit rights but wiki mode is turned off
Dan
parents:
256
diff
changeset
|
141 |
// Is the protection full? |
661beb9b0fa3
Rewrote some security code in PageUtils::savepage to accommodate the ACL system better; there was an issue with non-admin users saving pages on which they have edit rights but wiki mode is turned off
Dan
parents:
256
diff
changeset
|
142 |
else if ( $page_data['protected'] == 1 ) |
661beb9b0fa3
Rewrote some security code in PageUtils::savepage to accommodate the ACL system better; there was an issue with non-admin users saving pages on which they have edit rights but wiki mode is turned off
Dan
parents:
256
diff
changeset
|
143 |
{ |
661beb9b0fa3
Rewrote some security code in PageUtils::savepage to accommodate the ACL system better; there was an issue with non-admin users saving pages on which they have edit rights but wiki mode is turned off
Dan
parents:
256
diff
changeset
|
144 |
$is_protected = true; |
661beb9b0fa3
Rewrote some security code in PageUtils::savepage to accommodate the ACL system better; there was an issue with non-admin users saving pages on which they have edit rights but wiki mode is turned off
Dan
parents:
256
diff
changeset
|
145 |
} |
661beb9b0fa3
Rewrote some security code in PageUtils::savepage to accommodate the ACL system better; there was an issue with non-admin users saving pages on which they have edit rights but wiki mode is turned off
Dan
parents:
256
diff
changeset
|
146 |
|
661beb9b0fa3
Rewrote some security code in PageUtils::savepage to accommodate the ACL system better; there was an issue with non-admin users saving pages on which they have edit rights but wiki mode is turned off
Dan
parents:
256
diff
changeset
|
147 |
// If it's protected and we DON'T have even_when_protected rights, bail out |
661beb9b0fa3
Rewrote some security code in PageUtils::savepage to accommodate the ACL system better; there was an issue with non-admin users saving pages on which they have edit rights but wiki mode is turned off
Dan
parents:
256
diff
changeset
|
148 |
if ( $is_protected && !$session->get_permissions('even_when_protected') ) |
661beb9b0fa3
Rewrote some security code in PageUtils::savepage to accommodate the ACL system better; there was an issue with non-admin users saving pages on which they have edit rights but wiki mode is turned off
Dan
parents:
256
diff
changeset
|
149 |
{ |
661beb9b0fa3
Rewrote some security code in PageUtils::savepage to accommodate the ACL system better; there was an issue with non-admin users saving pages on which they have edit rights but wiki mode is turned off
Dan
parents:
256
diff
changeset
|
150 |
return 'You don\'t have the necessary permissions to edit this page.'; |
661beb9b0fa3
Rewrote some security code in PageUtils::savepage to accommodate the ACL system better; there was an issue with non-admin users saving pages on which they have edit rights but wiki mode is turned off
Dan
parents:
256
diff
changeset
|
151 |
} |
661beb9b0fa3
Rewrote some security code in PageUtils::savepage to accommodate the ACL system better; there was an issue with non-admin users saving pages on which they have edit rights but wiki mode is turned off
Dan
parents:
256
diff
changeset
|
152 |
|
661beb9b0fa3
Rewrote some security code in PageUtils::savepage to accommodate the ACL system better; there was an issue with non-admin users saving pages on which they have edit rights but wiki mode is turned off
Dan
parents:
256
diff
changeset
|
153 |
// We're skipping the wiki mode check here because by default edit_page pemissions are AUTH_WIKIMODE. |
661beb9b0fa3
Rewrote some security code in PageUtils::savepage to accommodate the ACL system better; there was an issue with non-admin users saving pages on which they have edit rights but wiki mode is turned off
Dan
parents:
256
diff
changeset
|
154 |
// The exception here is the user's own userpage, which is overridden at the time of account creation. |
661beb9b0fa3
Rewrote some security code in PageUtils::savepage to accommodate the ACL system better; there was an issue with non-admin users saving pages on which they have edit rights but wiki mode is turned off
Dan
parents:
256
diff
changeset
|
155 |
// At that point it's set to AUTH_ALLOW, but obviously only for the user's own userpage. |
1 | 156 |
|
21
663fcf528726
Updated all version numbers back to Banshee; a few preliminary steps towards full UTF-8 support in page URLs
Dan
parents:
19
diff
changeset
|
157 |
// Strip potentially harmful tags and PHP from the message, dependent upon permissions settings |
1 | 158 |
$message = RenderMan::preprocess_text($message, false, false); |
159 |
||
21
663fcf528726
Updated all version numbers back to Banshee; a few preliminary steps towards full UTF-8 support in page URLs
Dan
parents:
19
diff
changeset
|
160 |
$msg = $db->escape($message); |
1 | 161 |
|
320
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
parents:
317
diff
changeset
|
162 |
$minor = $minor ? ENANO_SQL_BOOLEAN_TRUE : ENANO_SQL_BOOLEAN_FALSE; |
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
parents:
335
diff
changeset
|
163 |
$q='INSERT INTO ' . table_prefix.'logs(log_type,action,time_id,date_string,page_id,namespace,page_text,char_tag,author,edit_summary,minor_edit) VALUES(\'page\', \'edit\', '.time().', \''.enano_date('d M Y h:i a').'\', \'' . $paths->page_id . '\', \'' . $paths->namespace . '\', ' . ENANO_SQL_MULTISTRING_PRFIX . '\'' . $msg . '\', \'' . $uid . '\', \'' . $session->username . '\', \'' . $db->escape(htmlspecialchars($summary)) . '\', ' . $minor . ');'; |
1 | 164 |
if(!$db->sql_query($q)) $db->_die('The history (log) entry could not be inserted into the logs table.'); |
165 |
||
320
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
parents:
317
diff
changeset
|
166 |
$q = 'UPDATE ' . table_prefix.'page_text SET page_text=' . ENANO_SQL_MULTISTRING_PRFIX . '\'' . $msg . '\',char_tag=\'' . $uid . '\' WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\';'; |
1 | 167 |
$e = $db->sql_query($q); |
168 |
if(!$e) $db->_die('Enano was unable to save the page contents. Your changes have been lost <tt>:\'(</tt>.'); |
|
169 |
||
170 |
$paths->rebuild_page_index($page_id, $namespace); |
|
171 |
||
172 |
return 'good'; |
|
173 |
} |
|
174 |
||
175 |
/** |
|
176 |
* Creates a page, both in memory and in the database. |
|
177 |
* @param string $page_id |
|
178 |
* @param string $namespace |
|
179 |
* @return bool true on success, false on failure |
|
180 |
*/ |
|
181 |
||
372
5bd429428101
A number of scattered changes. Profiler added and only enabled in debug mode (currently on), but awfully useful for fixing performance in the future. Started work on Admin:LangManager
Dan
parents:
361
diff
changeset
|
182 |
public static function createPage($page_id, $namespace, $name = false, $visible = 1) |
1 | 183 |
{ |
184 |
global $db, $session, $paths, $template, $plugins; // Common objects |
|
185 |
if(in_array($namespace, Array('Special', 'Admin'))) |
|
186 |
{ |
|
187 |
// echo '<b>Notice:</b> PageUtils::createPage: You can\'t create a special page in the database<br />'; |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
188 |
return 'You can\'t create a special page in the database'; |
1 | 189 |
} |
190 |
||
191 |
if(!isset($paths->nslist[$namespace])) |
|
192 |
{ |
|
193 |
// echo '<b>Notice:</b> PageUtils::createPage: Couldn\'t look up the namespace<br />'; |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
194 |
return 'Couldn\'t look up the namespace'; |
1 | 195 |
} |
196 |
||
197 |
$pname = $paths->nslist[$namespace] . $page_id; |
|
198 |
if(isset($paths->pages[$pname])) |
|
199 |
{ |
|
200 |
// echo '<b>Notice:</b> PageUtils::createPage: Page already exists<br />'; |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
201 |
return 'Page already exists'; |
1 | 202 |
} |
203 |
||
204 |
if(!$session->get_permissions('create_page')) |
|
205 |
{ |
|
206 |
// echo '<b>Notice:</b> PageUtils::createPage: Not authorized to create pages<br />'; |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
207 |
return 'Not authorized to create pages'; |
1 | 208 |
} |
209 |
||
210 |
if($session->user_level < USER_LEVEL_ADMIN && $namespace == 'System') |
|
211 |
{ |
|
212 |
// echo '<b>Notice:</b> PageUtils::createPage: Not authorized to create system messages<br />'; |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
213 |
return 'Not authorized to create system messages'; |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
214 |
} |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
215 |
|
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
216 |
if ( substr($page_id, 0, 8) == 'Project:' ) |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
217 |
{ |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
218 |
// echo '<b>Notice:</b> PageUtils::createPage: Prefix "Project:" is reserved<br />'; |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
219 |
return 'The prefix "Project:" is reserved for a parser shortcut; if a page was created using this prefix, it would not be possible to link to it.'; |
1 | 220 |
} |
221 |
||
361
35ed07abc99e
PageUtils::createpage(): $name was being sanitized too strictly
Dan
parents:
360
diff
changeset
|
222 |
/* |
35ed07abc99e
PageUtils::createpage(): $name was being sanitized too strictly
Dan
parents:
360
diff
changeset
|
223 |
// Dunno why this was here. Enano can handle more flexible names than this... |
1 | 224 |
$regex = '#^([A-z0-9 _\-\.\/\!\@\(\)]*)$#is'; |
320
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
parents:
317
diff
changeset
|
225 |
if(!preg_match($regex, $name)) |
1 | 226 |
{ |
227 |
//echo '<b>Notice:</b> PageUtils::createPage: Name contains invalid characters<br />'; |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
228 |
return 'Name contains invalid characters'; |
1 | 229 |
} |
361
35ed07abc99e
PageUtils::createpage(): $name was being sanitized too strictly
Dan
parents:
360
diff
changeset
|
230 |
*/ |
35ed07abc99e
PageUtils::createpage(): $name was being sanitized too strictly
Dan
parents:
360
diff
changeset
|
231 |
|
35ed07abc99e
PageUtils::createpage(): $name was being sanitized too strictly
Dan
parents:
360
diff
changeset
|
232 |
$page_id = dirtify_page_id($page_id); |
35ed07abc99e
PageUtils::createpage(): $name was being sanitized too strictly
Dan
parents:
360
diff
changeset
|
233 |
|
35ed07abc99e
PageUtils::createpage(): $name was being sanitized too strictly
Dan
parents:
360
diff
changeset
|
234 |
if ( !$name ) |
35ed07abc99e
PageUtils::createpage(): $name was being sanitized too strictly
Dan
parents:
360
diff
changeset
|
235 |
$name = str_replace('_', ' ', $page_id); |
1 | 236 |
|
21
663fcf528726
Updated all version numbers back to Banshee; a few preliminary steps towards full UTF-8 support in page URLs
Dan
parents:
19
diff
changeset
|
237 |
$page_id = sanitize_page_id( $page_id ); |
663fcf528726
Updated all version numbers back to Banshee; a few preliminary steps towards full UTF-8 support in page URLs
Dan
parents:
19
diff
changeset
|
238 |
|
1 | 239 |
$prot = ( $namespace == 'System' ) ? 1 : 0; |
240 |
||
112
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
241 |
$ips = array( |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
242 |
'ip' => array(), |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
243 |
'u' => array() |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
244 |
); |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
245 |
|
21
663fcf528726
Updated all version numbers back to Banshee; a few preliminary steps towards full UTF-8 support in page URLs
Dan
parents:
19
diff
changeset
|
246 |
$page_data = Array( |
1 | 247 |
'name'=>$name, |
21
663fcf528726
Updated all version numbers back to Banshee; a few preliminary steps towards full UTF-8 support in page URLs
Dan
parents:
19
diff
changeset
|
248 |
'urlname'=>$page_id, |
1 | 249 |
'namespace'=>$namespace, |
112
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
250 |
'special'=>0,'visible'=>1,'comments_on'=>0,'protected'=>$prot,'delvotes'=>0,'delvote_ips'=>serialize($ips),'wiki_mode'=>2, |
21
663fcf528726
Updated all version numbers back to Banshee; a few preliminary steps towards full UTF-8 support in page URLs
Dan
parents:
19
diff
changeset
|
251 |
); |
663fcf528726
Updated all version numbers back to Banshee; a few preliminary steps towards full UTF-8 support in page URLs
Dan
parents:
19
diff
changeset
|
252 |
|
663fcf528726
Updated all version numbers back to Banshee; a few preliminary steps towards full UTF-8 support in page URLs
Dan
parents:
19
diff
changeset
|
253 |
// die('PageUtils::createpage: Creating page with this data:<pre>' . print_r($page_data, true) . '</pre>'); |
1 | 254 |
|
21
663fcf528726
Updated all version numbers back to Banshee; a few preliminary steps towards full UTF-8 support in page URLs
Dan
parents:
19
diff
changeset
|
255 |
$paths->add_page($page_data); |
663fcf528726
Updated all version numbers back to Banshee; a few preliminary steps towards full UTF-8 support in page URLs
Dan
parents:
19
diff
changeset
|
256 |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
257 |
$qa = $db->sql_query('INSERT INTO ' . table_prefix.'pages(name,urlname,namespace,visible,protected,delvote_ips) VALUES(\'' . $db->escape($name) . '\', \'' . $db->escape($page_id) . '\', \'' . $namespace . '\', '. ( $visible ? '1' : '0' ) .', ' . $prot . ', \'' . $db->escape(serialize($ips)) . '\');'); |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
258 |
$qb = $db->sql_query('INSERT INTO ' . table_prefix.'page_text(page_id,namespace) VALUES(\'' . $db->escape($page_id) . '\', \'' . $namespace . '\');'); |
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
parents:
335
diff
changeset
|
259 |
$qc = $db->sql_query('INSERT INTO ' . table_prefix.'logs(time_id,date_string,log_type,action,author,page_id,namespace) VALUES('.time().', \''.enano_date('d M Y h:i a').'\', \'page\', \'create\', \'' . $session->username . '\', \'' . $db->escape($page_id) . '\', \'' . $namespace . '\');'); |
1 | 260 |
|
261 |
if($qa && $qb && $qc) |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
262 |
return 'good'; |
1 | 263 |
else |
264 |
{ |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
265 |
return $db->get_error(); |
1 | 266 |
} |
267 |
} |
|
268 |
||
269 |
/** |
|
270 |
* Sets the protection level on a page. |
|
271 |
* @param $page_id string the page ID |
|
272 |
* @param $namespace string the namespace |
|
273 |
* @param $level int level of protection - 0 is off, 1 is full, 2 is semi |
|
274 |
* @param $reason string why the page is being (un)protected |
|
275 |
* @return string - "good" on success, in all other cases, an error string (on query failure, calls $db->_die() ) |
|
276 |
*/ |
|
372
5bd429428101
A number of scattered changes. Profiler added and only enabled in debug mode (currently on), but awfully useful for fixing performance in the future. Started work on Admin:LangManager
Dan
parents:
361
diff
changeset
|
277 |
public static function protect($page_id, $namespace, $level, $reason) |
1 | 278 |
{ |
279 |
global $db, $session, $paths, $template, $plugins; // Common objects |
|
280 |
||
281 |
$pname = $paths->nslist[$namespace] . $page_id; |
|
282 |
$wiki = ( ( $paths->pages[$pname]['wiki_mode'] == 2 && getConfig('wiki_mode') == '1') || $paths->pages[$pname]['wiki_mode'] == 1) ? true : false; |
|
283 |
$prot = ( ( $paths->pages[$pname]['protected'] == 2 && $session->user_logged_in && $session->reg_time + 60*60*24*4 < time() ) || $paths->pages[$pname]['protected'] == 1) ? true : false; |
|
284 |
||
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
285 |
if ( !$session->get_permissions('protect') ) |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
286 |
{ |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
287 |
return('Insufficient access rights'); |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
288 |
} |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
289 |
if ( !$wiki ) |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
290 |
{ |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
291 |
return('Page protection only has an effect when Wiki Mode is enabled.'); |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
292 |
} |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
293 |
if ( !preg_match('#^([0-9]+){1}$#', (string)$level) ) |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
294 |
{ |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
295 |
return('Invalid $level parameter.'); |
1 | 296 |
} |
297 |
||
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
298 |
switch($level) |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
299 |
{ |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
300 |
case 0: |
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
parents:
335
diff
changeset
|
301 |
$q = 'INSERT INTO ' . table_prefix.'logs(time_id,date_string,log_type,action,author,page_id,namespace,edit_summary) VALUES('.time().', \''.enano_date('d M Y h:i a').'\', \'page\', \'unprot\', \'' . $session->username . '\', \'' . $page_id . '\', \'' . $namespace . '\', \'' . $db->escape(htmlspecialchars($reason)) . '\');'; |
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
302 |
break; |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
303 |
case 1: |
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
parents:
335
diff
changeset
|
304 |
$q = 'INSERT INTO ' . table_prefix.'logs(time_id,date_string,log_type,action,author,page_id,namespace,edit_summary) VALUES('.time().', \''.enano_date('d M Y h:i a').'\', \'page\', \'prot\', \'' . $session->username . '\', \'' . $page_id . '\', \'' . $namespace . '\', \'' . $db->escape(htmlspecialchars($reason)) . '\');'; |
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
305 |
break; |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
306 |
case 2: |
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
parents:
335
diff
changeset
|
307 |
$q = 'INSERT INTO ' . table_prefix.'logs(time_id,date_string,log_type,action,author,page_id,namespace,edit_summary) VALUES('.time().', \''.enano_date('d M Y h:i a').'\', \'page\', \'semiprot\', \'' . $session->username . '\', \'' . $page_id . '\', \'' . $namespace . '\', \'' . $db->escape(htmlspecialchars($reason)) . '\');'; |
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
308 |
break; |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
309 |
default: |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
310 |
return 'PageUtils::protect(): Invalid value for $level'; |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
311 |
break; |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
312 |
} |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
313 |
if(!$db->sql_query($q)) $db->_die('The log entry for the page protection could not be inserted.'); |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
314 |
|
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
315 |
$q = $db->sql_query('UPDATE ' . table_prefix.'pages SET protected=' . $level . ' WHERE urlname=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\';'); |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
316 |
if ( !$q ) |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
317 |
{ |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
318 |
$db->_die('The pages table was not updated.'); |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
319 |
} |
1 | 320 |
|
321 |
return('good'); |
|
322 |
} |
|
323 |
||
324 |
/** |
|
325 |
* Generates an HTML table with history information in it. |
|
326 |
* @param $page_id the page ID |
|
327 |
* @param $namespace the namespace |
|
328 |
* @return string |
|
329 |
*/ |
|
330 |
||
372
5bd429428101
A number of scattered changes. Profiler added and only enabled in debug mode (currently on), but awfully useful for fixing performance in the future. Started work on Admin:LangManager
Dan
parents:
361
diff
changeset
|
331 |
public static function histlist($page_id, $namespace) |
1 | 332 |
{ |
333 |
global $db, $session, $paths, $template, $plugins; // Common objects |
|
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
334 |
global $lang; |
1 | 335 |
|
336 |
if(!$session->get_permissions('history_view')) |
|
337 |
return 'Access denied'; |
|
338 |
||
339 |
ob_start(); |
|
340 |
||
341 |
$pname = $paths->nslist[$namespace] . $page_id; |
|
342 |
$wiki = ( ( $paths->pages[$pname]['wiki_mode'] == 2 && getConfig('wiki_mode') == '1') || $paths->pages[$pname]['wiki_mode'] == 1) ? true : false; |
|
343 |
$prot = ( ( $paths->pages[$pname]['protected'] == 2 && $session->user_logged_in && $session->reg_time + 60*60*24*4 < time() ) || $paths->pages[$pname]['protected'] == 1) ? true : false; |
|
344 |
||
468
194a19711346
Fixed the fact that cron just didn't work at all (brain fart that day or something)
Dan
parents:
458
diff
changeset
|
345 |
$q = 'SELECT log_id,time_id,date_string,page_id,namespace,author,edit_summary,minor_edit FROM ' . table_prefix.'logs WHERE log_type=\'page\' AND action=\'edit\' AND page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND is_draft != 1 ORDER BY time_id DESC;'; |
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
346 |
if(!$db->sql_query($q)) $db->_die('The history data for the page "' . $paths->cpage['name'] . '" could not be selected.'); |
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
347 |
echo $lang->get('history_page_subtitle') . ' |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
348 |
<h3>' . $lang->get('history_heading_edits') . '</h3>'; |
1 | 349 |
$numrows = $db->numrows(); |
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
350 |
if ( $numrows < 1 ) |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
351 |
{ |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
352 |
echo $lang->get('history_no_entries'); |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
353 |
} |
1 | 354 |
else |
355 |
{ |
|
356 |
echo '<form action="'.makeUrlNS($namespace, $page_id, 'do=diff').'" onsubmit="ajaxHistDiff(); return false;" method="get"> |
|
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
357 |
<input type="submit" value="' . $lang->get('history_btn_compare') . '" /> |
115
261f367623af
Fixed the obnoxious issue with forms using GET and index.php?title=Foo URL scheme (this works a whole lot better than MediaWiki now
Dan
parents:
112
diff
changeset
|
358 |
' . ( urlSeparator == '&' ? '<input type="hidden" name="title" value="' . htmlspecialchars($paths->nslist[$namespace] . $page_id) . '" />' : '' ) . ' |
261f367623af
Fixed the obnoxious issue with forms using GET and index.php?title=Foo URL scheme (this works a whole lot better than MediaWiki now
Dan
parents:
112
diff
changeset
|
359 |
' . ( $session->sid_super ? '<input type="hidden" name="auth" value="' . $session->sid_super . '" />' : '') . ' |
261f367623af
Fixed the obnoxious issue with forms using GET and index.php?title=Foo URL scheme (this works a whole lot better than MediaWiki now
Dan
parents:
112
diff
changeset
|
360 |
<input type="hidden" name="do" value="diff" /> |
1 | 361 |
<br /><span> </span> |
362 |
<div class="tblholder"> |
|
363 |
<table border="0" width="100%" cellspacing="1" cellpadding="4"> |
|
364 |
<tr> |
|
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
365 |
<th colspan="2">' . $lang->get('history_col_diff') . '</th> |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
366 |
<th>' . $lang->get('history_col_datetime') . '</th> |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
367 |
<th>' . $lang->get('history_col_user') . '</th> |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
368 |
<th>' . $lang->get('history_col_summary') . '</th> |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
369 |
<th>' . $lang->get('history_col_minor') . '</th> |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
370 |
<th colspan="3">' . $lang->get('history_col_actions') . '</th> |
1 | 371 |
</tr>'."\n"."\n"; |
372 |
$cls = 'row2'; |
|
373 |
$ticker = 0; |
|
374 |
||
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
375 |
while ( $r = $db->fetchrow() ) |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
376 |
{ |
1 | 377 |
|
378 |
$ticker++; |
|
379 |
||
380 |
if($cls == 'row2') $cls = 'row1'; |
|
381 |
else $cls = 'row2'; |
|
382 |
||
383 |
echo '<tr>'."\n"; |
|
384 |
||
385 |
// Diff selection |
|
386 |
if($ticker == 1) |
|
387 |
{ |
|
388 |
$s1 = ''; |
|
389 |
$s2 = 'checked="checked" '; |
|
390 |
} |
|
391 |
elseif($ticker == 2) |
|
392 |
{ |
|
393 |
$s1 = 'checked="checked" '; |
|
394 |
$s2 = ''; |
|
395 |
} |
|
396 |
else |
|
397 |
{ |
|
398 |
$s1 = ''; |
|
399 |
$s2 = ''; |
|
400 |
} |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
401 |
if($ticker > 1) echo '<td class="' . $cls . '" style="padding: 0;"><input ' . $s1 . 'name="diff1" type="radio" value="' . $r['time_id'] . '" id="diff1_' . $r['time_id'] . '" class="clsDiff1Radio" onclick="selectDiff1Button(this);" /></td>'."\n"; else echo '<td class="' . $cls . '"></td>'; |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
402 |
if($ticker < $numrows) echo '<td class="' . $cls . '" style="padding: 0;"><input ' . $s2 . 'name="diff2" type="radio" value="' . $r['time_id'] . '" id="diff2_' . $r['time_id'] . '" class="clsDiff2Radio" onclick="selectDiff2Button(this);" /></td>'."\n"; else echo '<td class="' . $cls . '"></td>'; |
1 | 403 |
|
404 |
// Date and time |
|
401
6ae6e387a0e3
Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
Dan
parents:
391
diff
changeset
|
405 |
echo '<td class="' . $cls . '" style="white-space: nowrap;">' . enano_date('d M Y h:i a', intval($r['time_id'])) . '</td class="' . $cls . '">'."\n"; |
1 | 406 |
|
407 |
// User |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
408 |
if ( $session->get_permissions('mod_misc') && is_valid_ip($r['author']) ) |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
409 |
{ |
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
410 |
$rc = ' style="cursor: pointer;" title="' . $lang->get('history_tip_rdns') . '" onclick="ajaxReverseDNS(this, \'' . $r['author'] . '\');"'; |
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
411 |
} |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
412 |
else |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
413 |
{ |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
414 |
$rc = ''; |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
415 |
} |
285
7846d45bd250
Changed all urlname/page_id columns to varchar(255) because 63 characters just isn't long enough
Dan
parents:
270
diff
changeset
|
416 |
echo '<td class="' . $cls . '"' . $rc . '><a href="'.makeUrlNS('User', sanitize_page_id($r['author'])).'" '; |
7846d45bd250
Changed all urlname/page_id columns to varchar(255) because 63 characters just isn't long enough
Dan
parents:
270
diff
changeset
|
417 |
if ( !isPage($paths->nslist['User'] . sanitize_page_id($r['author'])) ) |
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
418 |
{ |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
419 |
echo 'class="wikilink-nonexistent"'; |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
420 |
} |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
421 |
echo '>' . $r['author'] . '</a></td class="' . $cls . '">'."\n"; |
1 | 422 |
|
423 |
// Edit summary |
|
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
424 |
if ( $r['edit_summary'] == 'Automatic backup created when logs were purged' ) |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
425 |
{ |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
426 |
$r['edit_summary'] = $lang->get('history_summary_clearlogs'); |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
427 |
} |
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
428 |
echo '<td class="' . $cls . '">' . $r['edit_summary'] . '</td>'."\n"; |
1 | 429 |
|
430 |
// Minor edit |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
431 |
echo '<td class="' . $cls . '" style="text-align: center;">'. (( $r['minor_edit'] ) ? 'M' : '' ) .'</td>'."\n"; |
1 | 432 |
|
433 |
// Actions! |
|
468
194a19711346
Fixed the fact that cron just didn't work at all (brain fart that day or something)
Dan
parents:
458
diff
changeset
|
434 |
echo '<td class="' . $cls . '" style="text-align: center;"><a rel="nofollow" href="'.makeUrlNS($namespace, $page_id, 'oldid=' . $r['log_id']) . '" onclick="ajaxHistView(\'' . $r['log_id'] . '\'); return false;">' . $lang->get('history_action_view') . '</a></td>'."\n"; |
413
6607cd646d6d
Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents:
408
diff
changeset
|
435 |
echo '<td class="' . $cls . '" style="text-align: center;"><a rel="nofollow" href="'.makeUrl($paths->nslist['Special'].'Contributions/' . $r['author']) . '">' . $lang->get('history_action_contrib') . '</a></td>'."\n"; |
468
194a19711346
Fixed the fact that cron just didn't work at all (brain fart that day or something)
Dan
parents:
458
diff
changeset
|
436 |
echo '<td class="' . $cls . '" style="text-align: center;"><a rel="nofollow" href="'.makeUrlNS($namespace, $page_id, 'do=edit&revid=' . $r['log_id']) . '" onclick="ajaxEditor(\'' . $r['log_id'] . '\'); return false;">' . $lang->get('history_action_restore') . '</a></td>'."\n"; |
1 | 437 |
|
438 |
echo '</tr>'."\n"."\n"; |
|
439 |
||
440 |
} |
|
441 |
echo '</table> |
|
442 |
</div> |
|
443 |
<br /> |
|
444 |
<input type="hidden" name="do" value="diff" /> |
|
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
445 |
<input type="submit" value="' . $lang->get('history_btn_compare') . '" /> |
1 | 446 |
</form> |
57
b354deeaa4c4
Vastly improved compatibility with older versions of IE, particularly 5.0, through the use of a kill switch that turns off all AJAX functions
Dan
parents:
40
diff
changeset
|
447 |
<script type="text/javascript">if ( !KILL_SWITCH ) { buildDiffList(); }</script>'; |
1 | 448 |
} |
449 |
$db->free_result(); |
|
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
450 |
echo '<h3>' . $lang->get('history_heading_other') . '</h3>'; |
468
194a19711346
Fixed the fact that cron just didn't work at all (brain fart that day or something)
Dan
parents:
458
diff
changeset
|
451 |
$q = 'SELECT log_id,time_id,action,date_string,page_id,namespace,author,edit_summary,minor_edit FROM ' . table_prefix.'logs WHERE log_type=\'page\' AND action!=\'edit\' AND page_id=\'' . $paths->page_id . '\' AND namespace=\'' . $paths->namespace . '\' ORDER BY time_id DESC;'; |
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
452 |
if ( !$db->sql_query($q) ) |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
453 |
{ |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
454 |
$db->_die('The history data for the page "' . htmlspecialchars($paths->cpage['name']) . '" could not be selected.'); |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
455 |
} |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
456 |
if ( $db->numrows() < 1 ) |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
457 |
{ |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
458 |
echo $lang->get('history_no_entries'); |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
459 |
} |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
460 |
else |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
461 |
{ |
1 | 462 |
|
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
463 |
echo '<div class="tblholder"> |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
464 |
<table border="0" width="100%" cellspacing="1" cellpadding="4"><tr> |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
465 |
<th>' . $lang->get('history_col_datetime') . '</th> |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
466 |
<th>' . $lang->get('history_col_user') . '</th> |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
467 |
<th>' . $lang->get('history_col_minor') . '</th> |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
468 |
<th>' . $lang->get('history_col_action_taken') . '</th> |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
469 |
<th>' . $lang->get('history_col_extra') . '</th> |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
470 |
<th colspan="2"></th> |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
471 |
</tr>'; |
1 | 472 |
$cls = 'row2'; |
473 |
while($r = $db->fetchrow()) { |
|
474 |
||
475 |
if($cls == 'row2') $cls = 'row1'; |
|
476 |
else $cls = 'row2'; |
|
477 |
||
478 |
echo '<tr>'; |
|
479 |
||
480 |
// Date and time |
|
351 | 481 |
echo '<td class="' . $cls . '">' . enano_date('d M Y h:i a', intval($r['time_id'])) . '</td class="' . $cls . '">'; |
1 | 482 |
|
483 |
// User |
|
285
7846d45bd250
Changed all urlname/page_id columns to varchar(255) because 63 characters just isn't long enough
Dan
parents:
270
diff
changeset
|
484 |
echo '<td class="' . $cls . '"><a href="'.makeUrlNS('User', sanitize_page_id($r['author'])).'" '; |
7846d45bd250
Changed all urlname/page_id columns to varchar(255) because 63 characters just isn't long enough
Dan
parents:
270
diff
changeset
|
485 |
if(!isPage($paths->nslist['User'] . sanitize_page_id($r['author']))) echo 'class="wikilink-nonexistent"'; |
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
486 |
echo '>' . $r['author'] . '</a></td class="' . $cls . '">'; |
1 | 487 |
|
488 |
||
489 |
// Minor edit |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
490 |
echo '<td class="' . $cls . '" style="text-align: center;">'. (( $r['minor_edit'] ) ? 'M' : '' ) .'</td>'; |
1 | 491 |
|
492 |
// Action taken |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
493 |
echo '<td class="' . $cls . '">'; |
81
d7fc25acd3f3
Replaced the menu in the admin theme with something much more visually pleasureable; minor fix in Special:UploadFile; finished patching a couple of XSS problems from Banshee; finished Admin:PageGroups; removed unneeded code in flyin.js; finished tag system (except tag cloud); 1.0.1 release candidate
Dan
parents:
78
diff
changeset
|
494 |
// Some of these are sanitized at insert-time. Others follow the newer Enano policy of stripping HTML at runtime. |
468
194a19711346
Fixed the fact that cron just didn't work at all (brain fart that day or something)
Dan
parents:
458
diff
changeset
|
495 |
if ($r['action']=='prot') echo $lang->get('history_log_protect') . '</td><td class="' . $cls . '">' . $lang->get('history_extra_reason') . ' ' . ( $r['edit_summary'] === '__REVERSION__' ? $lang->get('history_extra_protection_reversion') : htmlspecialchars($r['edit_summary']) ); |
194a19711346
Fixed the fact that cron just didn't work at all (brain fart that day or something)
Dan
parents:
458
diff
changeset
|
496 |
elseif($r['action']=='unprot') echo $lang->get('history_log_unprotect') . '</td><td class="' . $cls . '">' . $lang->get('history_extra_reason') . ' ' . ( $r['edit_summary'] === '__REVERSION__' ? $lang->get('history_extra_protection_reversion') : htmlspecialchars($r['edit_summary']) ); |
194a19711346
Fixed the fact that cron just didn't work at all (brain fart that day or something)
Dan
parents:
458
diff
changeset
|
497 |
elseif($r['action']=='semiprot') echo $lang->get('history_log_semiprotect') . '</td><td class="' . $cls . '">' . $lang->get('history_extra_reason') . ' ' . ( $r['edit_summary'] === '__REVERSION__' ? $lang->get('history_extra_protection_reversion') : htmlspecialchars($r['edit_summary']) ); |
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
498 |
elseif($r['action']=='rename') echo $lang->get('history_log_rename') . '</td><td class="' . $cls . '">' . $lang->get('history_extra_oldtitle') . ' '.htmlspecialchars($r['edit_summary']); |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
499 |
elseif($r['action']=='create') echo $lang->get('history_log_create') . '</td><td class="' . $cls . '">'; |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
500 |
elseif($r['action']=='delete') echo $lang->get('history_log_delete') . '</td><td class="' . $cls . '">' . $lang->get('history_extra_reason') . ' ' . $r['edit_summary']; |
481
07bf15b066bc
Hopefully completed rewrite and localization of rollback backend and interface
Dan
parents:
468
diff
changeset
|
501 |
elseif($r['action']=='reupload') echo $lang->get('history_log_uploadnew') . '</td><td class="' . $cls . '">' . $lang->get('history_extra_reason') . ' ' . ( $r['edit_summary'] === '__ROLLBACK__' ? $lang->get('history_extra_upload_reversion') : htmlspecialchars($r['edit_summary']) ); |
1 | 502 |
echo '</td>'; |
503 |
||
504 |
// Actions! |
|
413
6607cd646d6d
Added autosave functionality and resurrected the old toolbar code that was added about a year ago but never uesd.
Dan
parents:
408
diff
changeset
|
505 |
echo '<td class="' . $cls . '" style="text-align: center;"><a rel="nofollow" href="'.makeUrl($paths->nslist['Special'].'Contributions/' . $r['author']) . '">' . $lang->get('history_action_contrib') . '</a></td>'; |
468
194a19711346
Fixed the fact that cron just didn't work at all (brain fart that day or something)
Dan
parents:
458
diff
changeset
|
506 |
echo '<td class="' . $cls . '" style="text-align: center;"><a rel="nofollow" href="'.makeUrlNS($namespace, $page_id, 'do=rollback&id=' . $r['log_id']) . '" onclick="ajaxRollback(\'' . $r['log_id'] . '\'); return false;">' . $lang->get('history_action_revert') . '</a></td>'; |
1 | 507 |
|
508 |
echo '</tr>'; |
|
509 |
} |
|
510 |
echo '</table></div>'; |
|
511 |
} |
|
512 |
$db->free_result(); |
|
513 |
$ret = ob_get_contents(); |
|
514 |
ob_end_clean(); |
|
515 |
return $ret; |
|
516 |
} |
|
517 |
||
518 |
/** |
|
519 |
* Rolls back a logged action |
|
520 |
* @param $id the time ID, a.k.a. the primary key in the logs table |
|
521 |
* @return string |
|
522 |
*/ |
|
523 |
||
372
5bd429428101
A number of scattered changes. Profiler added and only enabled in debug mode (currently on), but awfully useful for fixing performance in the future. Started work on Admin:LangManager
Dan
parents:
361
diff
changeset
|
524 |
public static function rollback($id) |
1 | 525 |
{ |
526 |
global $db, $session, $paths, $template, $plugins; // Common objects |
|
408
7ecbe721217c
Modified editor and rename functions to go through the API when rolling back. This causes rollbacks to be logged.
Dan
parents:
402
diff
changeset
|
527 |
global $lang; |
7ecbe721217c
Modified editor and rename functions to go through the API when rolling back. This causes rollbacks to be logged.
Dan
parents:
402
diff
changeset
|
528 |
|
481
07bf15b066bc
Hopefully completed rewrite and localization of rollback backend and interface
Dan
parents:
468
diff
changeset
|
529 |
// placeholder |
07bf15b066bc
Hopefully completed rewrite and localization of rollback backend and interface
Dan
parents:
468
diff
changeset
|
530 |
return 'PageUtils->rollback() is deprecated - use PageProcessor instead.'; |
1 | 531 |
} |
532 |
||
533 |
/** |
|
534 |
* Posts a comment. |
|
535 |
* @param $page_id the page ID |
|
536 |
* @param $namespace the namespace |
|
537 |
* @param $name the name of the person posting, defaults to current username/IP |
|
538 |
* @param $subject the subject line of the comment |
|
539 |
* @param $text the comment text |
|
540 |
* @return string javascript code |
|
541 |
*/ |
|
542 |
||
372
5bd429428101
A number of scattered changes. Profiler added and only enabled in debug mode (currently on), but awfully useful for fixing performance in the future. Started work on Admin:LangManager
Dan
parents:
361
diff
changeset
|
543 |
public static function addcomment($page_id, $namespace, $name, $subject, $text, $captcha_code = false, $captcha_id = false) |
1 | 544 |
{ |
545 |
global $db, $session, $paths, $template, $plugins; // Common objects |
|
546 |
$_ob = ''; |
|
547 |
if(!$session->get_permissions('post_comments')) |
|
548 |
return 'Access denied'; |
|
549 |
if(getConfig('comments_need_login') == '2' && !$session->user_logged_in) _die('Access denied to post comments: you need to be logged in first.'); |
|
550 |
if(getConfig('comments_need_login') == '1' && !$session->user_logged_in) |
|
551 |
{ |
|
552 |
if(!$captcha_code || !$captcha_id) _die('BUG: PageUtils::addcomment: no CAPTCHA data passed to method'); |
|
553 |
$result = $session->get_captcha($captcha_id); |
|
456
e133d321fce4
Made all captcha fields case-insensitive (thanks pkeating)
Dan
parents:
322
diff
changeset
|
554 |
if(strtolower($captcha_code) != strtolower($result)) _die('The confirmation code you entered was incorrect.'); |
1 | 555 |
} |
556 |
$text = RenderMan::preprocess_text($text); |
|
557 |
$name = $session->user_logged_in ? RenderMan::preprocess_text($session->username) : RenderMan::preprocess_text($name); |
|
558 |
$subj = RenderMan::preprocess_text($subject); |
|
559 |
if(getConfig('approve_comments')=='1') $appr = '0'; else $appr = '1'; |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
560 |
$q = 'INSERT INTO ' . table_prefix.'comments(page_id,namespace,subject,comment_data,name,user_id,approved,time) VALUES(\'' . $page_id . '\',\'' . $namespace . '\',\'' . $subj . '\',\'' . $text . '\',\'' . $name . '\',' . $session->user_id . ',' . $appr . ','.time().')'; |
1 | 561 |
$e = $db->sql_query($q); |
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
parents:
335
diff
changeset
|
562 |
if(!$e) die('alert(unescape(\''.rawurlencode('Error inserting comment data: '.$db->get_error().'\n\nQuery:\n' . $q) . '\'))'); |
1 | 563 |
else $_ob .= '<div class="info-box">Your comment has been posted.</div>'; |
564 |
return PageUtils::comments($page_id, $namespace, false, Array(), $_ob); |
|
565 |
} |
|
566 |
||
567 |
/** |
|
568 |
* Generates partly-compiled HTML/Javascript code to be eval'ed by the user's browser to display comments |
|
569 |
* @param $page_id the page ID |
|
570 |
* @param $namespace the namespace |
|
571 |
* @param $action administrative action to perform, default is false |
|
572 |
* @param $flags additional info for $action, shouldn't be used except when deleting/approving comments, etc. |
|
573 |
* @param $_ob text to prepend to output, used by PageUtils::addcomment |
|
574 |
* @return array |
|
575 |
* @access private |
|
576 |
*/ |
|
577 |
||
372
5bd429428101
A number of scattered changes. Profiler added and only enabled in debug mode (currently on), but awfully useful for fixing performance in the future. Started work on Admin:LangManager
Dan
parents:
361
diff
changeset
|
578 |
public static function comments_raw($page_id, $namespace, $action = false, $flags = Array(), $_ob = '') |
1 | 579 |
{ |
580 |
global $db, $session, $paths, $template, $plugins; // Common objects |
|
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
581 |
global $lang; |
1 | 582 |
|
583 |
$pname = $paths->nslist[$namespace] . $page_id; |
|
584 |
||
585 |
ob_start(); |
|
586 |
||
587 |
if($action && $session->get_permissions('mod_comments')) // Nip hacking attempts in the bud |
|
588 |
{ |
|
589 |
switch($action) { |
|
590 |
case "delete": |
|
591 |
if(isset($flags['id'])) |
|
592 |
{ |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
593 |
$q = 'DELETE FROM ' . table_prefix.'comments WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND comment_id='.intval($flags['id']).' LIMIT 1;'; |
1 | 594 |
} else { |
595 |
$n = $db->escape($flags['name']); |
|
596 |
$s = $db->escape($flags['subj']); |
|
597 |
$t = $db->escape($flags['text']); |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
598 |
$q = 'DELETE FROM ' . table_prefix.'comments WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND name=\'' . $n . '\' AND subject=\'' . $s . '\' AND comment_data=\'' . $t . '\' LIMIT 1;'; |
1 | 599 |
} |
600 |
$e=$db->sql_query($q); |
|
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
parents:
335
diff
changeset
|
601 |
if(!$e) die('alert(unesape(\''.rawurlencode('Error during query: '.$db->get_error().'\n\nQuery:\n' . $q) . '\'));'); |
1 | 602 |
break; |
603 |
case "approve": |
|
604 |
if(isset($flags['id'])) |
|
605 |
{ |
|
606 |
$where = 'comment_id='.intval($flags['id']); |
|
607 |
} else { |
|
608 |
$n = $db->escape($flags['name']); |
|
609 |
$s = $db->escape($flags['subj']); |
|
610 |
$t = $db->escape($flags['text']); |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
611 |
$where = 'name=\'' . $n . '\' AND subject=\'' . $s . '\' AND comment_data=\'' . $t . '\''; |
1 | 612 |
} |
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
613 |
$q = 'SELECT approved FROM ' . table_prefix.'comments WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND ' . $where . ' LIMIT 1;'; |
1 | 614 |
$e = $db->sql_query($q); |
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
parents:
335
diff
changeset
|
615 |
if(!$e) die('alert(unesape(\''.rawurlencode('Error selecting approval status: '.$db->get_error().'\n\nQuery:\n' . $q) . '\'));'); |
1 | 616 |
$r = $db->fetchrow(); |
617 |
$db->free_result(); |
|
618 |
$a = ( $r['approved'] ) ? '0' : '1'; |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
619 |
$q = 'UPDATE ' . table_prefix.'comments SET approved=' . $a . ' WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND ' . $where . ';'; |
1 | 620 |
$e=$db->sql_query($q); |
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
parents:
335
diff
changeset
|
621 |
if(!$e) die('alert(unesape(\''.rawurlencode('Error during query: '.$db->get_error().'\n\nQuery:\n' . $q) . '\'));'); |
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
622 |
if($a=='1') $v = $lang->get('comment_btn_mod_unapprove'); |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
623 |
else $v = $lang->get('comment_btn_mod_approve'); |
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
624 |
echo 'document.getElementById("mdgApproveLink'.intval($_GET['id']).'").innerHTML="' . $v . '";'; |
1 | 625 |
break; |
626 |
} |
|
627 |
} |
|
628 |
||
629 |
if(!defined('ENANO_TEMPLATE_LOADED')) |
|
630 |
{ |
|
631 |
$template->load_theme($session->theme, $session->style); |
|
632 |
} |
|
633 |
||
634 |
$tpl = $template->makeParser('comment.tpl'); |
|
635 |
||
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
636 |
$e = $db->sql_query('SELECT * FROM ' . table_prefix.'comments WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND approved=0;'); |
1 | 637 |
if(!$e) $db->_die('The comment text data could not be selected.'); |
638 |
$num_unapp = $db->numrows(); |
|
639 |
$db->free_result(); |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
640 |
$e = $db->sql_query('SELECT * FROM ' . table_prefix.'comments WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND approved=1;'); |
1 | 641 |
if(!$e) $db->_die('The comment text data could not be selected.'); |
642 |
$num_app = $db->numrows(); |
|
643 |
$db->free_result(); |
|
360
fad9bb5c094b
Implemented (well stubbed) IP logging in non-AJAX comment interface
Dan
parents:
351
diff
changeset
|
644 |
$lq = $db->sql_query('SELECT c.comment_id,c.subject,c.name,c.comment_data,c.approved,c.time,c.user_id,c.ip_address,u.user_level,u.signature,u.user_has_avatar,u.avatar_type |
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
645 |
FROM ' . table_prefix.'comments AS c |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
646 |
LEFT JOIN ' . table_prefix.'users AS u |
1 | 647 |
ON c.user_id=u.user_id |
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
648 |
WHERE page_id=\'' . $page_id . '\' |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
649 |
AND namespace=\'' . $namespace . '\' ORDER BY c.time ASC;'); |
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
parents:
335
diff
changeset
|
650 |
if(!$lq) _die('The comment text data could not be selected. '.$db->get_error()); |
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
651 |
$_ob .= '<h3>' . $lang->get('comment_heading') . '</h3>'; |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
652 |
|
1 | 653 |
$n = ( $session->get_permissions('mod_comments')) ? $db->numrows() : $num_app; |
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
654 |
|
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
655 |
$subst = array( |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
656 |
'num_comments' => $n, |
226
0e6478521004
Fixed the one FIXME in PageUtils regarding static HTML comment system's greeting line; fixed parsing of external links in template->tplWikiFormat
Dan
parents:
219
diff
changeset
|
657 |
'page_type' => $template->namespace_string |
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
658 |
); |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
659 |
|
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
660 |
$_ob .= '<p>'; |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
661 |
$_ob .= ( $n == 0 ) ? $lang->get('comment_msg_count_zero', $subst) : ( $n == 1 ? $lang->get('comment_msg_count_one', $subst) : $lang->get('comment_msg_count_plural', $subst) ); |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
662 |
|
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
663 |
if ( $session->get_permissions('mod_comments') && $num_unapp > 0 ) |
1 | 664 |
{ |
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
665 |
$_ob .= ' <span style="color: #D84308">' . $lang->get('comment_msg_count_unapp_mod', array( 'num_unapp' => $num_unapp )) . '</span>'; |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
666 |
} |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
667 |
else if ( !$session->get_permissions('mod_comments') && $num_unapp > 0 ) |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
668 |
{ |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
669 |
$ls = ( $num_unapp == 1 ) ? 'comment_msg_count_unapp_one' : 'comment_msg_count_unapp_plural'; |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
670 |
$_ob .= ' <span>' . $lang->get($ls, array( 'num_unapp' => $num_unapp )) . '</span>'; |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
671 |
} |
78
4df25dfdde63
Modified Text_Wiki parser to fully support UTF-8 strings; several other UTF-8 fixes, international characters seem to work reasonably well now
Dan
parents:
73
diff
changeset
|
672 |
$_ob .= '</p>'; |
1 | 673 |
$list = 'list = { '; |
674 |
// _die(htmlspecialchars($ttext)); |
|
675 |
$i = -1; |
|
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
676 |
while ( $row = $db->fetchrow($lq) ) |
1 | 677 |
{ |
678 |
$i++; |
|
679 |
$strings = Array(); |
|
680 |
$bool = Array(); |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
681 |
if ( $session->get_permissions('mod_comments') || $row['approved'] ) |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
682 |
{ |
1 | 683 |
$list .= $i . ' : { \'comment\' : unescape(\''.rawurlencode($row['comment_data']).'\'), \'name\' : unescape(\''.rawurlencode($row['name']).'\'), \'subject\' : unescape(\''.rawurlencode($row['subject']).'\'), }, '; |
684 |
||
685 |
// Comment ID (used in the Javascript apps) |
|
686 |
$strings['ID'] = (string)$i; |
|
687 |
||
688 |
// Determine the name, and whether to link to the user page or not |
|
689 |
$name = ''; |
|
304 | 690 |
if($row['user_id'] > 1) $name .= '<a href="'.makeUrlNS('User', sanitize_page_id(' ', '_', $row['name'])).'">'; |
1 | 691 |
$name .= $row['name']; |
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
692 |
if($row['user_id'] > 1) $name .= '</a>'; |
1 | 693 |
$strings['NAME'] = $name; unset($name); |
694 |
||
695 |
// Subject |
|
696 |
$s = $row['subject']; |
|
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
697 |
if(!$row['approved']) $s .= ' <span style="color: #D84308">' . $lang->get('comment_msg_note_unapp') . '</span>'; |
1 | 698 |
$strings['SUBJECT'] = $s; |
699 |
||
700 |
// Date and time |
|
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
parents:
335
diff
changeset
|
701 |
$strings['DATETIME'] = enano_date('F d, Y h:i a', $row['time']); |
1 | 702 |
|
703 |
// User level |
|
704 |
switch($row['user_level']) |
|
705 |
{ |
|
706 |
default: |
|
707 |
case USER_LEVEL_GUEST: |
|
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
708 |
$l = $lang->get('user_type_guest'); |
1 | 709 |
break; |
710 |
case USER_LEVEL_MEMBER: |
|
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
711 |
case USER_LEVEL_CHPREF: |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
712 |
$l = $lang->get('user_type_member'); |
1 | 713 |
break; |
714 |
case USER_LEVEL_MOD: |
|
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
715 |
$l = $lang->get('user_type_mod'); |
1 | 716 |
break; |
717 |
case USER_LEVEL_ADMIN: |
|
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
718 |
$l = $lang->get('user_type_admin'); |
1 | 719 |
break; |
720 |
} |
|
721 |
$strings['USER_LEVEL'] = $l; unset($l); |
|
722 |
||
723 |
// The actual comment data |
|
724 |
$strings['DATA'] = RenderMan::render($row['comment_data']); |
|
725 |
||
726 |
if($session->get_permissions('edit_comments')) |
|
727 |
{ |
|
728 |
// Edit link |
|
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
729 |
$strings['EDIT_LINK'] = '<a href="'.makeUrlNS($namespace, $page_id, 'do=comments&sub=editcomment&id=' . $row['comment_id']) . '" id="editbtn_' . $i . '">' . $lang->get('comment_btn_edit') . '</a>'; |
1 | 730 |
|
731 |
// Delete link |
|
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
732 |
$strings['DELETE_LINK'] = '<a href="'.makeUrlNS($namespace, $page_id, 'do=comments&sub=deletecomment&id=' . $row['comment_id']) . '">' . $lang->get('comment_btn_delete') . '</a>'; |
1 | 733 |
} |
734 |
else |
|
735 |
{ |
|
736 |
// Edit link |
|
737 |
$strings['EDIT_LINK'] = ''; |
|
738 |
||
739 |
// Delete link |
|
740 |
$strings['DELETE_LINK'] = ''; |
|
741 |
} |
|
742 |
||
743 |
// Send PM link |
|
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
744 |
$strings['SEND_PM_LINK'] = ( $session->user_logged_in && $row['user_id'] > 1 ) ? '<a href="'.makeUrlNS('Special', 'PrivateMessages/Compose/To/' . $row['name']) . '">' . $lang->get('comment_btn_send_privmsg') . '</a><br />' : ''; |
1 | 745 |
|
746 |
// Add Buddy link |
|
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
747 |
$strings['ADD_BUDDY_LINK'] = ( $session->user_logged_in && $row['user_id'] > 1 ) ? '<a href="'.makeUrlNS('Special', 'PrivateMessages/FriendList/Add/' . $row['name']) . '">' . $lang->get('comment_btn_add_buddy') . '</a>' : ''; |
1 | 748 |
|
749 |
// Mod links |
|
750 |
$applink = ''; |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
751 |
$applink .= '<a href="'.makeUrlNS($namespace, $page_id, 'do=comments&sub=admin&action=approve&id=' . $row['comment_id']) . '" id="mdgApproveLink' . $i . '">'; |
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
752 |
if($row['approved']) $applink .= $lang->get('comment_btn_mod_unapprove'); |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
753 |
else $applink .= $lang->get('comment_btn_mod_approve'); |
1 | 754 |
$applink .= '</a>'; |
755 |
$strings['MOD_APPROVE_LINK'] = $applink; unset($applink); |
|
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
756 |
$strings['MOD_DELETE_LINK'] = '<a href="'.makeUrlNS($namespace, $page_id, 'do=comments&sub=admin&action=delete&id=' . $row['comment_id']) . '">' . $lang->get('comment_btn_mod_delete') . '</a>'; |
360
fad9bb5c094b
Implemented (well stubbed) IP logging in non-AJAX comment interface
Dan
parents:
351
diff
changeset
|
757 |
$strings['MOD_IP_LINK'] = '<span style="opacity: 0.5; filter: alpha(opacity=50);">' . ( ( empty($row['ip_address']) ) ? $lang->get('comment_btn_mod_ip_missing') : $lang->get('comment_btn_mod_ip_notimplemented') ) . '</span>'; |
1 | 758 |
|
759 |
// Signature |
|
760 |
$strings['SIGNATURE'] = ''; |
|
761 |
if($row['signature'] != '') $strings['SIGNATURE'] = RenderMan::render($row['signature']); |
|
762 |
||
328
dc838fd61a06
Added initial avatar support. Currently rather feature complete except for admin controls for avatar.
Dan
parents:
326
diff
changeset
|
763 |
// Avatar |
dc838fd61a06
Added initial avatar support. Currently rather feature complete except for admin controls for avatar.
Dan
parents:
326
diff
changeset
|
764 |
if ( $row['user_has_avatar'] == 1 ) |
dc838fd61a06
Added initial avatar support. Currently rather feature complete except for admin controls for avatar.
Dan
parents:
326
diff
changeset
|
765 |
{ |
dc838fd61a06
Added initial avatar support. Currently rather feature complete except for admin controls for avatar.
Dan
parents:
326
diff
changeset
|
766 |
$bool['user_has_avatar'] = true; |
dc838fd61a06
Added initial avatar support. Currently rather feature complete except for admin controls for avatar.
Dan
parents:
326
diff
changeset
|
767 |
$strings['AVATAR_ALT'] = $lang->get('usercp_avatar_image_alt', array('username' => $row['name'])); |
dc838fd61a06
Added initial avatar support. Currently rather feature complete except for admin controls for avatar.
Dan
parents:
326
diff
changeset
|
768 |
$strings['AVATAR_URL'] = make_avatar_url(intval($row['user_id']), $row['avatar_type']); |
dc838fd61a06
Added initial avatar support. Currently rather feature complete except for admin controls for avatar.
Dan
parents:
326
diff
changeset
|
769 |
$strings['USERPAGE_LINK'] = makeUrlNS('User', $row['name']); |
dc838fd61a06
Added initial avatar support. Currently rather feature complete except for admin controls for avatar.
Dan
parents:
326
diff
changeset
|
770 |
} |
dc838fd61a06
Added initial avatar support. Currently rather feature complete except for admin controls for avatar.
Dan
parents:
326
diff
changeset
|
771 |
|
1 | 772 |
$bool['auth_mod'] = ($session->get_permissions('mod_comments')) ? true : false; |
773 |
$bool['can_edit'] = ( ( $session->user_logged_in && $row['name'] == $session->username && $session->get_permissions('edit_comments') ) || $session->get_permissions('mod_comments') ) ? true : false; |
|
774 |
$bool['signature'] = ( $strings['SIGNATURE'] == '' ) ? false : true; |
|
775 |
||
776 |
// Done processing and compiling, now let's cook it into HTML |
|
777 |
$tpl->assign_vars($strings); |
|
778 |
$tpl->assign_bool($bool); |
|
779 |
$_ob .= $tpl->run(); |
|
780 |
} |
|
781 |
} |
|
782 |
if(getConfig('comments_need_login') != '2' || $session->user_logged_in) |
|
783 |
{ |
|
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
784 |
if($session->get_permissions('post_comments')) |
1 | 785 |
{ |
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
786 |
$_ob .= '<h3>' . $lang->get('comment_postform_title') . '</h3>'; |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
787 |
$_ob .= $lang->get('comment_postform_blurb'); |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
788 |
if(getConfig('approve_comments')=='1') $_ob .= ' ' . $lang->get('comment_postform_blurb_unapp'); |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
789 |
if(getConfig('comments_need_login') == '1' && !$session->user_logged_in) |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
790 |
{ |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
791 |
$_ob .= ' ' . $lang->get('comment_postform_blurb_captcha'); |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
792 |
} |
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
793 |
$sn = $session->user_logged_in ? $session->username . '<input name="name" id="mdgScreenName" type="hidden" value="' . $session->username . '" />' : '<input name="name" id="mdgScreenName" type="text" size="35" />'; |
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
794 |
$_ob .= ' <a href="#" id="mdgCommentFormLink" style="display: none;" onclick="document.getElementById(\'mdgCommentForm\').style.display=\'block\';this.style.display=\'none\';return false;">' . $lang->get('comment_postform_blurb_link') . '</a> |
1 | 795 |
<div id="mdgCommentForm"> |
796 |
<form action="'.makeUrlNS($namespace, $page_id, 'do=comments&sub=postcomment').'" method="post" style="margin-left: 1em"> |
|
797 |
<table border="0"> |
|
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
798 |
<tr><td>' . $lang->get('comment_postform_field_name') . '</td><td>' . $sn . '</td></tr> |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
799 |
<tr><td>' . $lang->get('comment_postform_field_subject') . '</td><td><input name="subj" id="mdgSubject" type="text" size="35" /></td></tr>'; |
1 | 800 |
if(getConfig('comments_need_login') == '1' && !$session->user_logged_in) |
801 |
{ |
|
802 |
$session->kill_captcha(); |
|
803 |
$captcha = $session->make_captcha(); |
|
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
804 |
$_ob .= '<tr><td>' . $lang->get('comment_postform_field_captcha_title') . '<br /><small>' . $lang->get('comment_postform_field_captcha_blurb') . '</small></td><td><img src="'.makeUrlNS('Special', 'Captcha/' . $captcha) . '" alt="Visual confirmation" style="cursor: pointer;" onclick="this.src = \''.makeUrlNS("Special", "Captcha/".$captcha).'/\'+Math.floor(Math.random() * 100000);" /><input name="captcha_id" id="mdgCaptchaID" type="hidden" value="' . $captcha . '" /><br />' . $lang->get('comment_postform_field_captcha_label') . ' <input name="captcha_input" id="mdgCaptchaInput" type="text" size="10" /><br /><small><script type="text/javascript">document.write("' . $lang->get('comment_postform_field_captcha_cantread_js') . '");</script><noscript>' . $lang->get('comment_postform_field_captcha_cantread_nojs') . '</noscript></small></td></tr>'; |
1 | 805 |
} |
806 |
$_ob .= ' |
|
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
807 |
<tr><td valign="top">' . $lang->get('comment_postform_field_comment') . '</td><td><textarea name="text" id="mdgCommentArea" rows="10" cols="40"></textarea></td></tr> |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
808 |
<tr><td colspan="2" style="text-align: center;"><input type="submit" value="' . $lang->get('comment_postform_btn_submit') . '" /></td></tr> |
1 | 809 |
</table> |
810 |
</form> |
|
811 |
</div>'; |
|
812 |
} |
|
813 |
} else { |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
814 |
$_ob .= '<h3>Got something to say?</h3><p>You need to be logged in to post comments. <a href="'.makeUrlNS('Special', 'Login/' . $pname . '%2523comments').'">Log in</a></p>'; |
1 | 815 |
} |
816 |
$list .= '};'; |
|
817 |
echo 'document.getElementById(\'ajaxEditContainer\').innerHTML = unescape(\''. rawurlencode($_ob) .'\'); |
|
818 |
' . $list; |
|
819 |
echo 'Fat.fade_all(); document.getElementById(\'mdgCommentForm\').style.display = \'none\'; document.getElementById(\'mdgCommentFormLink\').style.display="inline";'; |
|
820 |
||
821 |
$ret = ob_get_contents(); |
|
822 |
ob_end_clean(); |
|
823 |
return Array($ret, $_ob); |
|
824 |
||
825 |
} |
|
826 |
||
827 |
/** |
|
828 |
* Generates ready-to-execute Javascript code to be eval'ed by the user's browser to display comments |
|
829 |
* @param $page_id the page ID |
|
830 |
* @param $namespace the namespace |
|
831 |
* @param $action administrative action to perform, default is false |
|
832 |
* @param $flags additional info for $action, shouldn't be used except when deleting/approving comments, etc. |
|
833 |
* @param $_ob text to prepend to output, used by PageUtils::addcomment |
|
834 |
* @return string |
|
835 |
*/ |
|
836 |
||
372
5bd429428101
A number of scattered changes. Profiler added and only enabled in debug mode (currently on), but awfully useful for fixing performance in the future. Started work on Admin:LangManager
Dan
parents:
361
diff
changeset
|
837 |
public static function comments($page_id, $namespace, $action = false, $id = -1, $_ob = '') |
1 | 838 |
{ |
839 |
global $db, $session, $paths, $template, $plugins; // Common objects |
|
840 |
$r = PageUtils::comments_raw($page_id, $namespace, $action, $id, $_ob); |
|
841 |
return $r[0]; |
|
842 |
} |
|
843 |
||
844 |
/** |
|
845 |
* Generates HTML code for comments - used in browser compatibility mode |
|
846 |
* @param $page_id the page ID |
|
847 |
* @param $namespace the namespace |
|
848 |
* @param $action administrative action to perform, default is false |
|
849 |
* @param $flags additional info for $action, shouldn't be used except when deleting/approving comments, etc. |
|
850 |
* @param $_ob text to prepend to output, used by PageUtils::addcomment |
|
851 |
* @return string |
|
852 |
*/ |
|
853 |
||
372
5bd429428101
A number of scattered changes. Profiler added and only enabled in debug mode (currently on), but awfully useful for fixing performance in the future. Started work on Admin:LangManager
Dan
parents:
361
diff
changeset
|
854 |
public static function comments_html($page_id, $namespace, $action = false, $id = -1, $_ob = '') |
1 | 855 |
{ |
856 |
global $db, $session, $paths, $template, $plugins; // Common objects |
|
857 |
$r = PageUtils::comments_raw($page_id, $namespace, $action, $id, $_ob); |
|
858 |
return $r[1]; |
|
859 |
} |
|
860 |
||
861 |
/** |
|
862 |
* Updates comment data. |
|
863 |
* @param $page_id the page ID |
|
864 |
* @param $namespace the namespace |
|
865 |
* @param $subject new subject |
|
866 |
* @param $text new text |
|
867 |
* @param $old_subject the old subject, unprocessed and identical to the value in the DB |
|
868 |
* @param $old_text the old text, unprocessed and identical to the value in the DB |
|
869 |
* @param $id the javascript list ID, used internally by the client-side app |
|
870 |
* @return string |
|
871 |
*/ |
|
872 |
||
372
5bd429428101
A number of scattered changes. Profiler added and only enabled in debug mode (currently on), but awfully useful for fixing performance in the future. Started work on Admin:LangManager
Dan
parents:
361
diff
changeset
|
873 |
public static function savecomment($page_id, $namespace, $subject, $text, $old_subject, $old_text, $id = -1) |
1 | 874 |
{ |
875 |
global $db, $session, $paths, $template, $plugins; // Common objects |
|
876 |
if(!$session->get_permissions('edit_comments')) |
|
877 |
return 'result="BAD";error="Access denied"'; |
|
878 |
// Avoid SQL injection |
|
879 |
$old_text = $db->escape($old_text); |
|
880 |
$old_subject = $db->escape($old_subject); |
|
881 |
// Safety check - username/login |
|
882 |
if(!$session->get_permissions('mod_comments')) // allow mods to edit comments |
|
883 |
{ |
|
884 |
if(!$session->user_logged_in) _die('AJAX comment save safety check failed because you are not logged in. Sometimes this can happen because you are using a browser that does not send cookies as part of AJAX requests.<br /><br />Please log in and try again.'); |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
885 |
$q = 'SELECT c.name FROM ' . table_prefix.'comments c, ' . table_prefix.'users u WHERE comment_data=\'' . $old_text . '\' AND subject=\'' . $old_subject . '\' AND page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND u.user_id=c.user_id;'; |
1 | 886 |
$s = $db->sql_query($q); |
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
parents:
335
diff
changeset
|
887 |
if(!$s) _die('SQL error during safety check: '.$db->get_error().'<br /><br />Attempted SQL:<br /><pre>'.htmlspecialchars($q).'</pre>'); |
1 | 888 |
$r = $db->fetchrow($s); |
889 |
$db->free_result(); |
|
890 |
if($db->numrows() < 1 || $r['name'] != $session->username) _die('Safety check failed, probably due to a hacking attempt.'); |
|
891 |
} |
|
892 |
$s = RenderMan::preprocess_text($subject); |
|
893 |
$t = RenderMan::preprocess_text($text); |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
894 |
$sql = 'UPDATE ' . table_prefix.'comments SET subject=\'' . $s . '\',comment_data=\'' . $t . '\' WHERE comment_data=\'' . $old_text . '\' AND subject=\'' . $old_subject . '\' AND page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\''; |
1 | 895 |
$result = $db->sql_query($sql); |
896 |
if($result) |
|
897 |
{ |
|
898 |
return 'result="GOOD"; |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
899 |
list[' . $id . '][\'subject\'] = unescape(\''.str_replace('%5Cn', '%0A', rawurlencode(str_replace('{{EnAnO:Newline}}', '\\n', stripslashes(str_replace('\\n', '{{EnAnO:Newline}}', $s))))).'\'); |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
900 |
list[' . $id . '][\'comment\'] = unescape(\''.str_replace('%5Cn', '%0A', rawurlencode(str_replace('{{EnAnO:Newline}}', '\\n', stripslashes(str_replace('\\n', '{{EnAnO:Newline}}', $t))))).'\'); id = ' . $id . '; |
1 | 901 |
s = unescape(\''.rawurlencode($s).'\'); |
902 |
t = unescape(\''.str_replace('%5Cn', '<br \\/>', rawurlencode(RenderMan::render(str_replace('{{EnAnO:Newline}}', "\n", stripslashes(str_replace('\\n', '{{EnAnO:Newline}}', $t)))))).'\');'; |
|
903 |
} |
|
904 |
else |
|
905 |
{ |
|
906 |
return 'result="BAD"; error=unescape("'.rawurlencode('Enano encountered a problem whilst saving the comment. |
|
907 |
Performed SQL: |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
908 |
' . $sql . ' |
1 | 909 |
|
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
parents:
335
diff
changeset
|
910 |
Error returned by MySQL: '.$db->get_error()).'");'; |
1 | 911 |
} |
912 |
} |
|
913 |
||
914 |
/** |
|
915 |
* Updates comment data using the comment_id column instead of the old, messy way |
|
916 |
* @param $page_id the page ID |
|
917 |
* @param $namespace the namespace |
|
918 |
* @param $subject new subject |
|
919 |
* @param $text new text |
|
920 |
* @param $id the comment ID (primary key in enano_comments table) |
|
921 |
* @return string |
|
922 |
*/ |
|
923 |
||
372
5bd429428101
A number of scattered changes. Profiler added and only enabled in debug mode (currently on), but awfully useful for fixing performance in the future. Started work on Admin:LangManager
Dan
parents:
361
diff
changeset
|
924 |
public static function savecomment_neater($page_id, $namespace, $subject, $text, $id) |
1 | 925 |
{ |
926 |
global $db, $session, $paths, $template, $plugins; // Common objects |
|
927 |
if(!is_int($id)) die('PageUtils::savecomment: $id is not an integer, aborting for safety'); |
|
928 |
if(!$session->get_permissions('edit_comments')) |
|
929 |
return 'Access denied'; |
|
930 |
// Safety check - username/login |
|
931 |
if(!$session->get_permissions('mod_comments')) // allow mods to edit comments |
|
932 |
{ |
|
933 |
if(!$session->user_logged_in) _die('AJAX comment save safety check failed because you are not logged in. Sometimes this can happen because you are using a browser that does not send cookies as part of AJAX requests.<br /><br />Please log in and try again.'); |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
934 |
$q = 'SELECT c.name FROM ' . table_prefix.'comments c, ' . table_prefix.'users u WHERE comment_id=' . $id . ' AND page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND u.user_id=c.user_id;'; |
1 | 935 |
$s = $db->sql_query($q); |
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
parents:
335
diff
changeset
|
936 |
if(!$s) _die('SQL error during safety check: '.$db->get_error().'<br /><br />Attempted SQL:<br /><pre>'.htmlspecialchars($q).'</pre>'); |
1 | 937 |
$r = $db->fetchrow($s); |
938 |
if($db->numrows() < 1 || $r['name'] != $session->username) _die('Safety check failed, probably due to a hacking attempt.'); |
|
939 |
$db->free_result(); |
|
940 |
} |
|
941 |
$s = RenderMan::preprocess_text($subject); |
|
942 |
$t = RenderMan::preprocess_text($text); |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
943 |
$sql = 'UPDATE ' . table_prefix.'comments SET subject=\'' . $s . '\',comment_data=\'' . $t . '\' WHERE comment_id=' . $id . ' AND page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\''; |
1 | 944 |
$result = $db->sql_query($sql); |
945 |
if($result) |
|
946 |
return 'good'; |
|
947 |
else return 'Enano encountered a problem whilst saving the comment. |
|
948 |
Performed SQL: |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
949 |
' . $sql . ' |
1 | 950 |
|
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
parents:
335
diff
changeset
|
951 |
Error returned by MySQL: '.$db->get_error(); |
1 | 952 |
} |
953 |
||
954 |
/** |
|
955 |
* Deletes a comment. |
|
956 |
* @param $page_id the page ID |
|
957 |
* @param $namespace the namespace |
|
958 |
* @param $name the name the user posted under |
|
959 |
* @param $subj the subject of the comment to be deleted |
|
960 |
* @param $text the text of the comment to be deleted |
|
961 |
* @param $id the javascript list ID, used internally by the client-side app |
|
962 |
* @return string |
|
963 |
*/ |
|
964 |
||
372
5bd429428101
A number of scattered changes. Profiler added and only enabled in debug mode (currently on), but awfully useful for fixing performance in the future. Started work on Admin:LangManager
Dan
parents:
361
diff
changeset
|
965 |
public static function deletecomment($page_id, $namespace, $name, $subj, $text, $id) |
1 | 966 |
{ |
967 |
global $db, $session, $paths, $template, $plugins; // Common objects |
|
968 |
||
969 |
if(!$session->get_permissions('edit_comments')) |
|
970 |
return 'alert("Access to delete/edit comments is denied");'; |
|
971 |
||
972 |
if(!preg_match('#^([0-9]+)$#', (string)$id)) die('$_GET[id] is improperly formed.'); |
|
973 |
$n = $db->escape($name); |
|
974 |
$s = $db->escape($subj); |
|
975 |
$t = $db->escape($text); |
|
976 |
||
977 |
// Safety check - username/login |
|
978 |
if(!$session->get_permissions('mod_comments')) // allows mods to delete comments |
|
979 |
{ |
|
980 |
if(!$session->user_logged_in) _die('AJAX comment save safety check failed because you are not logged in. Sometimes this can happen because you are using a browser that does not send cookies as part of AJAX requests.<br /><br />Please log in and try again.'); |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
981 |
$q = 'SELECT c.name FROM ' . table_prefix.'comments c, ' . table_prefix.'users u WHERE comment_data=\'' . $t . '\' AND subject=\'' . $s . '\' AND page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND u.user_id=c.user_id;'; |
1 | 982 |
$s = $db->sql_query($q); |
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
parents:
335
diff
changeset
|
983 |
if(!$s) _die('SQL error during safety check: '.$db->get_error().'<br /><br />Attempted SQL:<br /><pre>'.htmlspecialchars($q).'</pre>'); |
1 | 984 |
$r = $db->fetchrow($s); |
985 |
if($db->numrows() < 1 || $r['name'] != $session->username) _die('Safety check failed, probably due to a hacking attempt.'); |
|
986 |
$db->free_result(); |
|
987 |
} |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
988 |
$q = 'DELETE FROM ' . table_prefix.'comments WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND name=\'' . $n . '\' AND subject=\'' . $s . '\' AND comment_data=\'' . $t . '\' LIMIT 1;'; |
1 | 989 |
$e=$db->sql_query($q); |
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
parents:
335
diff
changeset
|
990 |
if(!$e) return('alert(unesape(\''.rawurlencode('Error during query: '.$db->get_error().'\n\nQuery:\n' . $q) . '\'));'); |
1 | 991 |
return('good'); |
992 |
} |
|
993 |
||
994 |
/** |
|
995 |
* Deletes a comment in a cleaner fashion. |
|
996 |
* @param $page_id the page ID |
|
997 |
* @param $namespace the namespace |
|
998 |
* @param $id the comment ID (primary key) |
|
999 |
* @return string |
|
1000 |
*/ |
|
1001 |
||
372
5bd429428101
A number of scattered changes. Profiler added and only enabled in debug mode (currently on), but awfully useful for fixing performance in the future. Started work on Admin:LangManager
Dan
parents:
361
diff
changeset
|
1002 |
public static function deletecomment_neater($page_id, $namespace, $id) |
1 | 1003 |
{ |
1004 |
global $db, $session, $paths, $template, $plugins; // Common objects |
|
1005 |
||
1006 |
if(!preg_match('#^([0-9]+)$#', (string)$id)) die('$_GET[id] is improperly formed.'); |
|
1007 |
||
1008 |
if(!$session->get_permissions('edit_comments')) |
|
1009 |
return 'alert("Access to delete/edit comments is denied");'; |
|
1010 |
||
1011 |
// Safety check - username/login |
|
1012 |
if(!$session->get_permissions('mod_comments')) // allows mods to delete comments |
|
1013 |
{ |
|
1014 |
if(!$session->user_logged_in) _die('AJAX comment save safety check failed because you are not logged in. Sometimes this can happen because you are using a browser that does not send cookies as part of AJAX requests.<br /><br />Please log in and try again.'); |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1015 |
$q = 'SELECT c.name FROM ' . table_prefix.'comments c, ' . table_prefix.'users u WHERE comment_id=' . $id . ' AND page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND u.user_id=c.user_id;'; |
1 | 1016 |
$s = $db->sql_query($q); |
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
parents:
335
diff
changeset
|
1017 |
if(!$s) _die('SQL error during safety check: '.$db->get_error().'<br /><br />Attempted SQL:<br /><pre>'.htmlspecialchars($q).'</pre>'); |
1 | 1018 |
$r = $db->fetchrow($s); |
1019 |
if($db->numrows() < 1 || $r['name'] != $session->username) _die('Safety check failed, probably due to a hacking attempt.'); |
|
1020 |
$db->free_result(); |
|
1021 |
} |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1022 |
$q = 'DELETE FROM ' . table_prefix.'comments WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND comment_id=' . $id . ' LIMIT 1;'; |
1 | 1023 |
$e=$db->sql_query($q); |
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
parents:
335
diff
changeset
|
1024 |
if(!$e) return('alert(unesape(\''.rawurlencode('Error during query: '.$db->get_error().'\n\nQuery:\n' . $q) . '\'));'); |
1 | 1025 |
return('good'); |
1026 |
} |
|
1027 |
||
1028 |
/** |
|
1029 |
* Renames a page. |
|
1030 |
* @param $page_id the page ID |
|
1031 |
* @param $namespace the namespace |
|
1032 |
* @param $name the new name for the page |
|
1033 |
* @return string error string or success message |
|
1034 |
*/ |
|
1035 |
||
372
5bd429428101
A number of scattered changes. Profiler added and only enabled in debug mode (currently on), but awfully useful for fixing performance in the future. Started work on Admin:LangManager
Dan
parents:
361
diff
changeset
|
1036 |
public static function rename($page_id, $namespace, $name) |
1 | 1037 |
{ |
1038 |
global $db, $session, $paths, $template, $plugins; // Common objects |
|
214 | 1039 |
global $lang; |
1 | 1040 |
|
1041 |
$pname = $paths->nslist[$namespace] . $page_id; |
|
1042 |
||
1043 |
$prot = ( ( $paths->pages[$pname]['protected'] == 2 && $session->user_logged_in && $session->reg_time + 60*60*24*4 < time() ) || $paths->pages[$pname]['protected'] == 1) ? true : false; |
|
1044 |
$wiki = ( ( $paths->pages[$pname]['wiki_mode'] == 2 && getConfig('wiki_mode') == '1') || $paths->pages[$pname]['wiki_mode'] == 1) ? true : false; |
|
1045 |
||
15
ad5986a53197
Fixed complicated SQL injection vulnerability in URL handler, updated license info for Tigra Tree Menu, and killed one XSS vulnerability
Dan
parents:
1
diff
changeset
|
1046 |
if( empty($name)) |
ad5986a53197
Fixed complicated SQL injection vulnerability in URL handler, updated license info for Tigra Tree Menu, and killed one XSS vulnerability
Dan
parents:
1
diff
changeset
|
1047 |
{ |
214 | 1048 |
return($lang->get('ajax_rename_too_short')); |
15
ad5986a53197
Fixed complicated SQL injection vulnerability in URL handler, updated license info for Tigra Tree Menu, and killed one XSS vulnerability
Dan
parents:
1
diff
changeset
|
1049 |
} |
ad5986a53197
Fixed complicated SQL injection vulnerability in URL handler, updated license info for Tigra Tree Menu, and killed one XSS vulnerability
Dan
parents:
1
diff
changeset
|
1050 |
if( ( $session->get_permissions('rename') && ( ( $prot && $session->get_permissions('even_when_protected') ) || !$prot ) ) && ( $paths->namespace != 'Special' && $paths->namespace != 'Admin' )) |
ad5986a53197
Fixed complicated SQL injection vulnerability in URL handler, updated license info for Tigra Tree Menu, and killed one XSS vulnerability
Dan
parents:
1
diff
changeset
|
1051 |
{ |
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
parents:
335
diff
changeset
|
1052 |
$e = $db->sql_query('INSERT INTO ' . table_prefix.'logs(time_id,date_string,log_type,action,page_id,namespace,author,edit_summary) VALUES('.time().', \''.enano_date('d M Y h:i a').'\', \'page\', \'rename\', \'' . $db->escape($paths->page_id) . '\', \'' . $paths->namespace . '\', \'' . $db->escape($session->username) . '\', \'' . $db->escape($paths->cpage['name']) . '\')'); |
15
ad5986a53197
Fixed complicated SQL injection vulnerability in URL handler, updated license info for Tigra Tree Menu, and killed one XSS vulnerability
Dan
parents:
1
diff
changeset
|
1053 |
if ( !$e ) |
ad5986a53197
Fixed complicated SQL injection vulnerability in URL handler, updated license info for Tigra Tree Menu, and killed one XSS vulnerability
Dan
parents:
1
diff
changeset
|
1054 |
{ |
ad5986a53197
Fixed complicated SQL injection vulnerability in URL handler, updated license info for Tigra Tree Menu, and killed one XSS vulnerability
Dan
parents:
1
diff
changeset
|
1055 |
$db->_die('The page title could not be updated.'); |
ad5986a53197
Fixed complicated SQL injection vulnerability in URL handler, updated license info for Tigra Tree Menu, and killed one XSS vulnerability
Dan
parents:
1
diff
changeset
|
1056 |
} |
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1057 |
$e = $db->sql_query('UPDATE ' . table_prefix.'pages SET name=\'' . $db->escape($name) . '\' WHERE urlname=\'' . $db->escape($page_id) . '\' AND namespace=\'' . $db->escape($namespace) . '\';'); |
15
ad5986a53197
Fixed complicated SQL injection vulnerability in URL handler, updated license info for Tigra Tree Menu, and killed one XSS vulnerability
Dan
parents:
1
diff
changeset
|
1058 |
if ( !$e ) |
ad5986a53197
Fixed complicated SQL injection vulnerability in URL handler, updated license info for Tigra Tree Menu, and killed one XSS vulnerability
Dan
parents:
1
diff
changeset
|
1059 |
{ |
ad5986a53197
Fixed complicated SQL injection vulnerability in URL handler, updated license info for Tigra Tree Menu, and killed one XSS vulnerability
Dan
parents:
1
diff
changeset
|
1060 |
$db->_die('The page title could not be updated.'); |
ad5986a53197
Fixed complicated SQL injection vulnerability in URL handler, updated license info for Tigra Tree Menu, and killed one XSS vulnerability
Dan
parents:
1
diff
changeset
|
1061 |
} |
ad5986a53197
Fixed complicated SQL injection vulnerability in URL handler, updated license info for Tigra Tree Menu, and killed one XSS vulnerability
Dan
parents:
1
diff
changeset
|
1062 |
else |
ad5986a53197
Fixed complicated SQL injection vulnerability in URL handler, updated license info for Tigra Tree Menu, and killed one XSS vulnerability
Dan
parents:
1
diff
changeset
|
1063 |
{ |
214 | 1064 |
$subst = array( |
1065 |
'page_name_old' => $paths->pages[$pname]['name'], |
|
1066 |
'page_name_new' => $name |
|
1067 |
); |
|
1068 |
return $lang->get('ajax_rename_success', $subst); |
|
15
ad5986a53197
Fixed complicated SQL injection vulnerability in URL handler, updated license info for Tigra Tree Menu, and killed one XSS vulnerability
Dan
parents:
1
diff
changeset
|
1069 |
} |
ad5986a53197
Fixed complicated SQL injection vulnerability in URL handler, updated license info for Tigra Tree Menu, and killed one XSS vulnerability
Dan
parents:
1
diff
changeset
|
1070 |
} |
ad5986a53197
Fixed complicated SQL injection vulnerability in URL handler, updated license info for Tigra Tree Menu, and killed one XSS vulnerability
Dan
parents:
1
diff
changeset
|
1071 |
else |
ad5986a53197
Fixed complicated SQL injection vulnerability in URL handler, updated license info for Tigra Tree Menu, and killed one XSS vulnerability
Dan
parents:
1
diff
changeset
|
1072 |
{ |
214 | 1073 |
return($lang->get('etc_access_denied')); |
1 | 1074 |
} |
1075 |
} |
|
1076 |
||
1077 |
/** |
|
1078 |
* Flushes (clears) the action logs for a given page |
|
1079 |
* @param $page_id the page ID |
|
1080 |
* @param $namespace the namespace |
|
1081 |
* @return string error/success string |
|
1082 |
*/ |
|
1083 |
||
372
5bd429428101
A number of scattered changes. Profiler added and only enabled in debug mode (currently on), but awfully useful for fixing performance in the future. Started work on Admin:LangManager
Dan
parents:
361
diff
changeset
|
1084 |
public static function flushlogs($page_id, $namespace) |
1 | 1085 |
{ |
1086 |
global $db, $session, $paths, $template, $plugins; // Common objects |
|
214 | 1087 |
global $lang; |
240
f0149a27df5f
Localized default sidebar; installer should work now including the lang import; l10n in installer to follow
Dan
parents:
238
diff
changeset
|
1088 |
if ( !is_object($lang) && defined('IN_ENANO_INSTALL') ) |
f0149a27df5f
Localized default sidebar; installer should work now including the lang import; l10n in installer to follow
Dan
parents:
238
diff
changeset
|
1089 |
{ |
f0149a27df5f
Localized default sidebar; installer should work now including the lang import; l10n in installer to follow
Dan
parents:
238
diff
changeset
|
1090 |
// This is a special exception for the Enano installer, which doesn't init languages yet. |
f0149a27df5f
Localized default sidebar; installer should work now including the lang import; l10n in installer to follow
Dan
parents:
238
diff
changeset
|
1091 |
$lang = new Language('eng'); |
f0149a27df5f
Localized default sidebar; installer should work now including the lang import; l10n in installer to follow
Dan
parents:
238
diff
changeset
|
1092 |
} |
351 | 1093 |
if(!$session->get_permissions('clear_logs') && !defined('IN_ENANO_INSTALL')) |
214 | 1094 |
{ |
1095 |
return $lang->get('etc_access_denied'); |
|
1096 |
} |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1097 |
$e = $db->sql_query('DELETE FROM ' . table_prefix.'logs WHERE page_id=\'' . $db->escape($page_id) . '\' AND namespace=\'' . $db->escape($namespace) . '\';'); |
1 | 1098 |
if(!$e) $db->_die('The log entries could not be deleted.'); |
32
4d87aad3c4c0
Finished everything on the TODO list (yay!); several CSS cleanups; tons more changes in this commit - see the patch for details
Dan
parents:
29
diff
changeset
|
1099 |
|
4d87aad3c4c0
Finished everything on the TODO list (yay!); several CSS cleanups; tons more changes in this commit - see the patch for details
Dan
parents:
29
diff
changeset
|
1100 |
// If the page exists, make a backup of it in case it gets spammed/vandalized |
4d87aad3c4c0
Finished everything on the TODO list (yay!); several CSS cleanups; tons more changes in this commit - see the patch for details
Dan
parents:
29
diff
changeset
|
1101 |
// If not, the admin's probably deleting a trash page |
4d87aad3c4c0
Finished everything on the TODO list (yay!); several CSS cleanups; tons more changes in this commit - see the patch for details
Dan
parents:
29
diff
changeset
|
1102 |
if ( isset($paths->pages[ $paths->nslist[$namespace] . $page_id ]) ) |
4d87aad3c4c0
Finished everything on the TODO list (yay!); several CSS cleanups; tons more changes in this commit - see the patch for details
Dan
parents:
29
diff
changeset
|
1103 |
{ |
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1104 |
$e = $db->sql_query('SELECT page_text,char_tag FROM ' . table_prefix.'page_text WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\';'); |
32
4d87aad3c4c0
Finished everything on the TODO list (yay!); several CSS cleanups; tons more changes in this commit - see the patch for details
Dan
parents:
29
diff
changeset
|
1105 |
if(!$e) $db->_die('The current page text could not be selected; as a result, creating the backup of the page failed. Please make a backup copy of the page by clicking Edit this page and then clicking Save Changes.'); |
4d87aad3c4c0
Finished everything on the TODO list (yay!); several CSS cleanups; tons more changes in this commit - see the patch for details
Dan
parents:
29
diff
changeset
|
1106 |
$row = $db->fetchrow(); |
4d87aad3c4c0
Finished everything on the TODO list (yay!); several CSS cleanups; tons more changes in this commit - see the patch for details
Dan
parents:
29
diff
changeset
|
1107 |
$db->free_result(); |
320
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
parents:
317
diff
changeset
|
1108 |
$minor_edit = ( ENANO_DBLAYER == 'MYSQL' ) ? 'false' : '0'; |
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
parents:
335
diff
changeset
|
1109 |
$q='INSERT INTO ' . table_prefix.'logs(log_type,action,time_id,date_string,page_id,namespace,page_text,char_tag,author,edit_summary,minor_edit) VALUES(\'page\', \'edit\', '.time().', \''.enano_date('d M Y h:i a').'\', \'' . $page_id . '\', \'' . $namespace . '\', \'' . $db->escape($row['page_text']) . '\', \'' . $row['char_tag'] . '\', \'' . $session->username . '\', \''."Automatic backup created when logs were purged".'\', '.$minor_edit.');'; |
32
4d87aad3c4c0
Finished everything on the TODO list (yay!); several CSS cleanups; tons more changes in this commit - see the patch for details
Dan
parents:
29
diff
changeset
|
1110 |
if(!$db->sql_query($q)) $db->_die('The history (log) entry could not be inserted into the logs table.'); |
4d87aad3c4c0
Finished everything on the TODO list (yay!); several CSS cleanups; tons more changes in this commit - see the patch for details
Dan
parents:
29
diff
changeset
|
1111 |
} |
214 | 1112 |
return $lang->get('ajax_clearlogs_success'); |
1 | 1113 |
} |
1114 |
||
1115 |
/** |
|
1116 |
* Deletes a page. |
|
28 | 1117 |
* @param string $page_id the condemned page ID |
1118 |
* @param string $namespace the condemned namespace |
|
1119 |
* @param string The reason for deleting the page in question |
|
1 | 1120 |
* @return string |
1121 |
*/ |
|
1122 |
||
372
5bd429428101
A number of scattered changes. Profiler added and only enabled in debug mode (currently on), but awfully useful for fixing performance in the future. Started work on Admin:LangManager
Dan
parents:
361
diff
changeset
|
1123 |
public static function deletepage($page_id, $namespace, $reason) |
1 | 1124 |
{ |
1125 |
global $db, $session, $paths, $template, $plugins; // Common objects |
|
214 | 1126 |
global $lang; |
1 | 1127 |
$perms = $session->fetch_page_acl($page_id, $namespace); |
28 | 1128 |
$x = trim($reason); |
1129 |
if ( empty($x) ) |
|
1130 |
{ |
|
214 | 1131 |
return $lang->get('ajax_delete_need_reason'); |
28 | 1132 |
} |
1133 |
if(!$perms->get_permissions('delete_page')) return('Administrative privileges are required to delete pages, you loser.'); |
|
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
parents:
335
diff
changeset
|
1134 |
$e = $db->sql_query('INSERT INTO ' . table_prefix.'logs(time_id,date_string,log_type,action,page_id,namespace,author,edit_summary) VALUES('.time().', \''.enano_date('d M Y h:i a').'\', \'page\', \'delete\', \'' . $page_id . '\', \'' . $namespace . '\', \'' . $session->username . '\', \'' . $db->escape(htmlspecialchars($reason)) . '\')'); |
1 | 1135 |
if(!$e) $db->_die('The page log entry could not be inserted.'); |
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1136 |
$e = $db->sql_query('DELETE FROM ' . table_prefix.'categories WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\''); |
1 | 1137 |
if(!$e) $db->_die('The page categorization entries could not be deleted.'); |
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1138 |
$e = $db->sql_query('DELETE FROM ' . table_prefix.'comments WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\''); |
1 | 1139 |
if(!$e) $db->_die('The page comments could not be deleted.'); |
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1140 |
$e = $db->sql_query('DELETE FROM ' . table_prefix.'page_text WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\''); |
1 | 1141 |
if(!$e) $db->_die('The page text entry could not be deleted.'); |
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1142 |
$e = $db->sql_query('DELETE FROM ' . table_prefix.'pages WHERE urlname=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\''); |
1 | 1143 |
if(!$e) $db->_die('The page entry could not be deleted.'); |
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1144 |
$e = $db->sql_query('DELETE FROM ' . table_prefix.'files WHERE page_id=\'' . $page_id . '\''); |
1 | 1145 |
if(!$e) $db->_die('The file entry could not be deleted.'); |
214 | 1146 |
return $lang->get('ajax_delete_success'); |
1 | 1147 |
} |
1148 |
||
1149 |
/** |
|
1150 |
* Increments the deletion votes for a page by 1, and adds the current username/IP to the list of users that have voted for the page to prevent dual-voting |
|
1151 |
* @param $page_id the page ID |
|
1152 |
* @param $namespace the namespace |
|
1153 |
* @return string |
|
1154 |
*/ |
|
1155 |
||
372
5bd429428101
A number of scattered changes. Profiler added and only enabled in debug mode (currently on), but awfully useful for fixing performance in the future. Started work on Admin:LangManager
Dan
parents:
361
diff
changeset
|
1156 |
public static function delvote($page_id, $namespace) |
1 | 1157 |
{ |
1158 |
global $db, $session, $paths, $template, $plugins; // Common objects |
|
214 | 1159 |
global $lang; |
112
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1160 |
if ( !$session->get_permissions('vote_delete') ) |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1161 |
{ |
214 | 1162 |
return $lang->get('etc_access_denied'); |
112
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1163 |
} |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1164 |
|
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1165 |
if ( $namespace == 'Admin' || $namespace == 'Special' || $namespace == 'System' ) |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1166 |
{ |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1167 |
return 'Special pages and system messages can\'t be voted for deletion.'; |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1168 |
} |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1169 |
|
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1170 |
$pname = $paths->nslist[$namespace] . sanitize_page_id($page_id); |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1171 |
|
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1172 |
if ( !isset($paths->pages[$pname]) ) |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1173 |
{ |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1174 |
return 'The page does not exist.'; |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1175 |
} |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1176 |
|
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1177 |
$cv =& $paths->pages[$pname]['delvotes']; |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1178 |
$ips = $paths->pages[$pname]['delvote_ips']; |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1179 |
|
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1180 |
if ( empty($ips) ) |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1181 |
{ |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1182 |
$ips = array( |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1183 |
'ip' => array(), |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1184 |
'u' => array() |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1185 |
); |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1186 |
} |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1187 |
else |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1188 |
{ |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1189 |
$ips = @unserialize($ips); |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1190 |
if ( !$ips ) |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1191 |
{ |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1192 |
$ips = array( |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1193 |
'ip' => array(), |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1194 |
'u' => array() |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1195 |
); |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1196 |
} |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1197 |
} |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1198 |
|
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1199 |
if ( in_array($session->username, $ips['u']) || in_array($_SERVER['REMOTE_ADDR'], $ips['ip']) ) |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1200 |
{ |
214 | 1201 |
return $lang->get('ajax_delvote_already_voted'); |
112
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1202 |
} |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1203 |
|
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1204 |
$ips['u'][] = $session->username; |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1205 |
$ips['ip'][] = $_SERVER['REMOTE_ADDR']; |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1206 |
$ips = $db->escape( serialize($ips) ); |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1207 |
|
1 | 1208 |
$cv++; |
112
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1209 |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1210 |
$q = 'UPDATE ' . table_prefix.'pages SET delvotes=' . $cv . ',delvote_ips=\'' . $ips . '\' WHERE urlname=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\''; |
1 | 1211 |
$w = $db->sql_query($q); |
112
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1212 |
|
214 | 1213 |
return $lang->get('ajax_delvote_success'); |
1 | 1214 |
} |
1215 |
||
1216 |
/** |
|
1217 |
* Resets the number of votes against a page to 0. |
|
1218 |
* @param $page_id the page ID |
|
1219 |
* @param $namespace the namespace |
|
1220 |
* @return string |
|
1221 |
*/ |
|
1222 |
||
372
5bd429428101
A number of scattered changes. Profiler added and only enabled in debug mode (currently on), but awfully useful for fixing performance in the future. Started work on Admin:LangManager
Dan
parents:
361
diff
changeset
|
1223 |
public static function resetdelvotes($page_id, $namespace) |
1 | 1224 |
{ |
1225 |
global $db, $session, $paths, $template, $plugins; // Common objects |
|
214 | 1226 |
global $lang; |
1227 |
if(!$session->get_permissions('vote_reset')) |
|
1228 |
{ |
|
1229 |
return $lang->get('etc_access_denied'); |
|
1230 |
} |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1231 |
$q = 'UPDATE ' . table_prefix.'pages SET delvotes=0,delvote_ips=\'' . $db->escape(serialize(array('ip'=>array(),'u'=>array()))) . '\' WHERE urlname=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\''; |
1 | 1232 |
$e = $db->sql_query($q); |
1233 |
if(!$e) $db->_die('The number of delete votes was not reset.'); |
|
214 | 1234 |
else |
1235 |
{ |
|
1236 |
return $lang->get('ajax_delvote_reset_success'); |
|
1237 |
} |
|
1 | 1238 |
} |
1239 |
||
1240 |
/** |
|
29
e5484a9e0818
Rewrote change theme dialog; a few minor stability fixes here and there; fixed IE + St Patty background image
Dan
parents:
28
diff
changeset
|
1241 |
* Gets a list of styles for a given theme name. As of Banshee, this returns JSON. |
1 | 1242 |
* @param $id the name of the directory for the theme |
29
e5484a9e0818
Rewrote change theme dialog; a few minor stability fixes here and there; fixed IE + St Patty background image
Dan
parents:
28
diff
changeset
|
1243 |
* @return string JSON string with an array containing a list of themes |
1 | 1244 |
*/ |
1245 |
||
372
5bd429428101
A number of scattered changes. Profiler added and only enabled in debug mode (currently on), but awfully useful for fixing performance in the future. Started work on Admin:LangManager
Dan
parents:
361
diff
changeset
|
1246 |
public static function getstyles() |
1 | 1247 |
{ |
29
e5484a9e0818
Rewrote change theme dialog; a few minor stability fixes here and there; fixed IE + St Patty background image
Dan
parents:
28
diff
changeset
|
1248 |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1249 |
if ( !preg_match('/^([a-z0-9_-]+)$/', $_GET['id']) ) |
334
c72b545f1304
More localization work. Resolved major issue with JSON parser not parsing files over ~50KB. Switched JSON parser to the one from the Zend Framework (BSD licensed). Forced to split enano.json into five different files.
Dan
parents:
328
diff
changeset
|
1250 |
return enano_json_encode(false); |
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1251 |
|
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1252 |
$dir = './themes/' . $_GET['id'] . '/css/'; |
1 | 1253 |
$list = Array(); |
1254 |
// Open a known directory, and proceed to read its contents |
|
1255 |
if (is_dir($dir)) { |
|
1256 |
if ($dh = opendir($dir)) { |
|
1257 |
while (($file = readdir($dh)) !== false) { |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1258 |
if ( preg_match('#^(.*?)\.css$#is', $file) && $file != '_printable.css' ) // _printable.css should be included with every theme |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1259 |
{ // it should be a copy of the original style, but |
1 | 1260 |
// mostly black and white |
1261 |
// Note to self: document this |
|
1262 |
$list[] = substr($file, 0, strlen($file)-4); |
|
1263 |
} |
|
1264 |
} |
|
1265 |
closedir($dh); |
|
1266 |
} |
|
1267 |
} |
|
29
e5484a9e0818
Rewrote change theme dialog; a few minor stability fixes here and there; fixed IE + St Patty background image
Dan
parents:
28
diff
changeset
|
1268 |
else |
e5484a9e0818
Rewrote change theme dialog; a few minor stability fixes here and there; fixed IE + St Patty background image
Dan
parents:
28
diff
changeset
|
1269 |
{ |
334
c72b545f1304
More localization work. Resolved major issue with JSON parser not parsing files over ~50KB. Switched JSON parser to the one from the Zend Framework (BSD licensed). Forced to split enano.json into five different files.
Dan
parents:
328
diff
changeset
|
1270 |
return(enano_json_encode(Array('mode' => 'error', 'error' => $dir.' is not a dir'))); |
29
e5484a9e0818
Rewrote change theme dialog; a few minor stability fixes here and there; fixed IE + St Patty background image
Dan
parents:
28
diff
changeset
|
1271 |
} |
e5484a9e0818
Rewrote change theme dialog; a few minor stability fixes here and there; fixed IE + St Patty background image
Dan
parents:
28
diff
changeset
|
1272 |
|
334
c72b545f1304
More localization work. Resolved major issue with JSON parser not parsing files over ~50KB. Switched JSON parser to the one from the Zend Framework (BSD licensed). Forced to split enano.json into five different files.
Dan
parents:
328
diff
changeset
|
1273 |
return enano_json_encode($list); |
1 | 1274 |
} |
1275 |
||
1276 |
/** |
|
1277 |
* Assembles a Javascript app with category information |
|
1278 |
* @param $page_id the page ID |
|
1279 |
* @param $namespace the namespace |
|
1280 |
* @return string Javascript code |
|
1281 |
*/ |
|
1282 |
||
372
5bd429428101
A number of scattered changes. Profiler added and only enabled in debug mode (currently on), but awfully useful for fixing performance in the future. Started work on Admin:LangManager
Dan
parents:
361
diff
changeset
|
1283 |
public static function catedit($page_id, $namespace) |
1 | 1284 |
{ |
1285 |
$d = PageUtils::catedit_raw($page_id, $namespace); |
|
1286 |
return $d[0] . ' /* BEGIN CONTENT */ document.getElementById("ajaxEditContainer").innerHTML = unescape(\''.rawurlencode($d[1]).'\');'; |
|
1287 |
} |
|
1288 |
||
1289 |
/** |
|
1290 |
* Does the actual HTML/javascript generation for cat editing, but returns an array |
|
1291 |
* @access private |
|
1292 |
*/ |
|
1293 |
||
372
5bd429428101
A number of scattered changes. Profiler added and only enabled in debug mode (currently on), but awfully useful for fixing performance in the future. Started work on Admin:LangManager
Dan
parents:
361
diff
changeset
|
1294 |
public static function catedit_raw($page_id, $namespace) |
1 | 1295 |
{ |
1296 |
global $db, $session, $paths, $template, $plugins; // Common objects |
|
214 | 1297 |
global $lang; |
1298 |
||
1 | 1299 |
ob_start(); |
1300 |
$_ob = ''; |
|
322
5f1cd51bf1be
Many changes. Installer with PostgreSQL is broken badly and will be for some time.
Dan
parents:
320
diff
changeset
|
1301 |
$e = $db->sql_query('SELECT category_id FROM ' . table_prefix.'categories WHERE page_id=\'' . $paths->page_id . '\' AND namespace=\'' . $paths->namespace . '\''); |
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
parents:
335
diff
changeset
|
1302 |
if(!$e) jsdie('Error selecting category information for current page: '.$db->get_error()); |
1 | 1303 |
$cat_current = Array(); |
1304 |
while($r = $db->fetchrow()) |
|
1305 |
{ |
|
1306 |
$cat_current[] = $r; |
|
1307 |
} |
|
1308 |
$db->free_result(); |
|
1309 |
$cat_all = Array(); |
|
1310 |
for($i=0;$i<sizeof($paths->pages)/2;$i++) |
|
1311 |
{ |
|
1312 |
if($paths->pages[$i]['namespace']=='Category') $cat_all[] = $paths->pages[$i]; |
|
1313 |
} |
|
1314 |
||
1315 |
// Make $cat_all an associative array, like $paths->pages |
|
1316 |
$sz = sizeof($cat_all); |
|
1317 |
for($i=0;$i<$sz;$i++) |
|
1318 |
{ |
|
1319 |
$cat_all[$cat_all[$i]['urlname_nons']] = $cat_all[$i]; |
|
1320 |
} |
|
1321 |
// Now, the "zipper" function - join the list of categories with the list of cats that this page is a part of |
|
1322 |
$cat_info = $cat_all; |
|
1323 |
for($i=0;$i<sizeof($cat_current);$i++) |
|
1324 |
{ |
|
1325 |
$un = $cat_current[$i]['category_id']; |
|
1326 |
$cat_info[$un]['member'] = true; |
|
1327 |
} |
|
1328 |
// Now copy the information we just set into the numerically named keys |
|
1329 |
for($i=0;$i<sizeof($cat_info)/2;$i++) |
|
1330 |
{ |
|
1331 |
$un = $cat_info[$i]['urlname_nons']; |
|
1332 |
$cat_info[$i] = $cat_info[$un]; |
|
1333 |
} |
|
1334 |
||
1335 |
echo 'catlist = new Array();'; // Initialize the client-side category list |
|
214 | 1336 |
$_ob .= '<h3>' . $lang->get('catedit_title') . '</h3> |
1 | 1337 |
<form name="mdgCatForm" action="'.makeUrlNS($namespace, $page_id, 'do=catedit').'" method="post">'; |
1338 |
if ( sizeof($cat_info) < 1 ) |
|
1339 |
{ |
|
214 | 1340 |
$_ob .= '<p>' . $lang->get('catedit_no_categories') . '</p>'; |
1 | 1341 |
} |
1342 |
for ( $i = 0; $i < sizeof($cat_info) / 2; $i++ ) |
|
1343 |
{ |
|
1344 |
// Protection code added 1/3/07 |
|
1345 |
// Updated 3/4/07 |
|
1346 |
$is_prot = false; |
|
1347 |
$perms = $session->fetch_page_acl($cat_info[$i]['urlname_nons'], 'Category'); |
|
1348 |
if ( !$session->get_permissions('edit_cat') || !$perms->get_permissions('edit_cat') || |
|
1349 |
( $cat_info[$i]['really_protected'] && !$perms->get_permissions('even_when_protected') ) ) |
|
1350 |
$is_prot = true; |
|
1351 |
$prot = ( $is_prot ) ? ' disabled="disabled" ' : ''; |
|
1352 |
$prottext = ( $is_prot ) ? ' <img alt="(protected)" width="16" height="16" src="'.scriptPath.'/images/lock16.png" />' : ''; |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1353 |
echo 'catlist[' . $i . '] = \'' . $cat_info[$i]['urlname_nons'] . '\';'; |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1354 |
$_ob .= '<span class="catCheck"><input ' . $prot . ' name="' . $cat_info[$i]['urlname_nons'] . '" id="mdgCat_' . $cat_info[$i]['urlname_nons'] . '" type="checkbox"'; |
1 | 1355 |
if(isset($cat_info[$i]['member'])) $_ob .= ' checked="checked"'; |
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1356 |
$_ob .= '/> <label for="mdgCat_' . $cat_info[$i]['urlname_nons'] . '">' . $cat_info[$i]['name'].$prottext.'</label></span><br />'; |
1 | 1357 |
} |
1358 |
||
1359 |
$disabled = ( sizeof($cat_info) < 1 ) ? 'disabled="disabled"' : ''; |
|
1360 |
||
214 | 1361 |
$_ob .= '<div style="border-top: 1px solid #CCC; padding-top: 5px; margin-top: 10px;"><input name="__enanoSaveButton" ' . $disabled . ' style="font-weight: bold;" type="submit" onclick="ajaxCatSave(); return false;" value="' . $lang->get('etc_save_changes') . '" /> <input name="__enanoCatCancel" type="submit" onclick="ajaxReset(); return false;" value="' . $lang->get('etc_cancel') . '" /></div></form>'; |
1 | 1362 |
|
1363 |
$cont = ob_get_contents(); |
|
1364 |
ob_end_clean(); |
|
1365 |
return Array($cont, $_ob); |
|
1366 |
} |
|
1367 |
||
1368 |
/** |
|
1369 |
* Saves category information |
|
1370 |
* WARNING: If $which_cats is empty, all the category information for the selected page will be nuked! |
|
1371 |
* @param $page_id string the page ID |
|
1372 |
* @param $namespace string the namespace |
|
1373 |
* @param $which_cats array associative array of categories to put the page in |
|
1374 |
* @return string "GOOD" on success, error string on failure |
|
1375 |
*/ |
|
1376 |
||
372
5bd429428101
A number of scattered changes. Profiler added and only enabled in debug mode (currently on), but awfully useful for fixing performance in the future. Started work on Admin:LangManager
Dan
parents:
361
diff
changeset
|
1377 |
public static function catsave($page_id, $namespace, $which_cats) |
1 | 1378 |
{ |
1379 |
global $db, $session, $paths, $template, $plugins; // Common objects |
|
1380 |
if(!$session->get_permissions('edit_cat')) return('Insufficient privileges to change category information'); |
|
1381 |
||
1382 |
$page_perms = $session->fetch_page_acl($page_id, $namespace); |
|
1383 |
$page_data =& $paths->pages[$paths->nslist[$namespace].$page_id]; |
|
1384 |
||
1385 |
$cat_all = Array(); |
|
1386 |
for($i=0;$i<sizeof($paths->pages)/2;$i++) |
|
1387 |
{ |
|
1388 |
if($paths->pages[$i]['namespace']=='Category') $cat_all[] = $paths->pages[$i]; |
|
1389 |
} |
|
1390 |
||
1391 |
// Make $cat_all an associative array, like $paths->pages |
|
1392 |
$sz = sizeof($cat_all); |
|
1393 |
for($i=0;$i<$sz;$i++) |
|
1394 |
{ |
|
1395 |
$cat_all[$cat_all[$i]['urlname_nons']] = $cat_all[$i]; |
|
1396 |
} |
|
1397 |
||
1398 |
$rowlist = Array(); |
|
1399 |
||
1400 |
for($i=0;$i<sizeof($cat_all)/2;$i++) |
|
1401 |
{ |
|
1402 |
$auth = true; |
|
1403 |
$perms = $session->fetch_page_acl($cat_all[$i]['urlname_nons'], 'Category'); |
|
1404 |
if ( !$session->get_permissions('edit_cat') || !$perms->get_permissions('edit_cat') || |
|
1405 |
( $cat_all[$i]['really_protected'] && !$perms->get_permissions('even_when_protected') ) || |
|
1406 |
( !$page_perms->get_permissions('even_when_protected') && $page_data['protected'] == '1' ) ) |
|
1407 |
$auth = false; |
|
1408 |
if(!$auth) |
|
1409 |
{ |
|
1410 |
// Find out if the page is currently in the category |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1411 |
$q = $db->sql_query('SELECT * FROM ' . table_prefix.'categories WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\';'); |
1 | 1412 |
if(!$q) |
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1413 |
return 'MySQL error: ' . $db->get_error(); |
1 | 1414 |
if($db->numrows() > 0) |
1415 |
{ |
|
1416 |
$auth = true; |
|
1417 |
$which_cats[$cat_all[$i]['urlname_nons']] = true; // Force the category to stay in its current state |
|
1418 |
} |
|
1419 |
$db->free_result(); |
|
1420 |
} |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1421 |
if(isset($which_cats[$cat_all[$i]['urlname_nons']]) && $which_cats[$cat_all[$i]['urlname_nons']] == true /* for clarity ;-) */ && $auth ) $rowlist[] = '(\'' . $page_id . '\', \'' . $namespace . '\', \'' . $cat_all[$i]['urlname_nons'] . '\')'; |
1 | 1422 |
} |
1423 |
if(sizeof($rowlist) > 0) |
|
1424 |
{ |
|
1425 |
$val = implode(',', $rowlist); |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1426 |
$q = 'INSERT INTO ' . table_prefix.'categories(page_id,namespace,category_id) VALUES' . $val . ';'; |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1427 |
$e = $db->sql_query('DELETE FROM ' . table_prefix.'categories WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\';'); |
1 | 1428 |
if(!$e) $db->_die('The old category data could not be deleted.'); |
1429 |
$e = $db->sql_query($q); |
|
1430 |
if(!$e) $db->_die('The new category data could not be inserted.'); |
|
1431 |
return('GOOD'); |
|
1432 |
} |
|
1433 |
else |
|
1434 |
{ |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1435 |
$e = $db->sql_query('DELETE FROM ' . table_prefix.'categories WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\';'); |
1 | 1436 |
if(!$e) $db->_die('The old category data could not be deleted.'); |
1437 |
return('GOOD'); |
|
1438 |
} |
|
1439 |
} |
|
1440 |
||
1441 |
/** |
|
1442 |
* Sets the wiki mode level for a page. |
|
1443 |
* @param $page_id string the page ID |
|
1444 |
* @param $namespace string the namespace |
|
1445 |
* @param $level int 0 for off, 1 for on, 2 for use global setting |
|
1446 |
* @return string "GOOD" on success, error string on failure |
|
1447 |
*/ |
|
1448 |
||
372
5bd429428101
A number of scattered changes. Profiler added and only enabled in debug mode (currently on), but awfully useful for fixing performance in the future. Started work on Admin:LangManager
Dan
parents:
361
diff
changeset
|
1449 |
public static function setwikimode($page_id, $namespace, $level) |
1 | 1450 |
{ |
1451 |
global $db, $session, $paths, $template, $plugins; // Common objects |
|
1452 |
if(!$session->get_permissions('set_wiki_mode')) return('Insufficient access rights'); |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1453 |
if ( !isset($level) || ( isset($level) && !preg_match('#^([0-2]){1}$#', (string)$level) ) ) |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1454 |
{ |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1455 |
return('Invalid mode string'); |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1456 |
} |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1457 |
$q = $db->sql_query('UPDATE ' . table_prefix.'pages SET wiki_mode=' . $level . ' WHERE urlname=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\';'); |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1458 |
if ( !$q ) |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1459 |
{ |
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
parents:
335
diff
changeset
|
1460 |
return('Error during update query: '.$db->get_error()."\n\nSQL Backtrace:\n".$db->sql_backtrace()); |
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1461 |
} |
1 | 1462 |
return('GOOD'); |
1463 |
} |
|
1464 |
||
1465 |
/** |
|
1466 |
* Sets the access password for a page. |
|
1467 |
* @param $page_id string the page ID |
|
1468 |
* @param $namespace string the namespace |
|
1469 |
* @param $pass string the SHA1 hash of the password - if the password doesn't match the regex ^([0-9a-f]*){40,40}$ it will be sha1'ed |
|
1470 |
* @return string |
|
1471 |
*/ |
|
1472 |
||
372
5bd429428101
A number of scattered changes. Profiler added and only enabled in debug mode (currently on), but awfully useful for fixing performance in the future. Started work on Admin:LangManager
Dan
parents:
361
diff
changeset
|
1473 |
public static function setpass($page_id, $namespace, $pass) |
1 | 1474 |
{ |
1475 |
global $db, $session, $paths, $template, $plugins; // Common objects |
|
214 | 1476 |
global $lang; |
1 | 1477 |
// Determine permissions |
1478 |
if($paths->pages[$paths->nslist[$namespace].$page_id]['password'] != '') |
|
1479 |
$a = $session->get_permissions('password_reset'); |
|
1480 |
else |
|
1481 |
$a = $session->get_permissions('password_set'); |
|
1482 |
if(!$a) |
|
214 | 1483 |
return $lang->get('etc_access_denied'); |
1 | 1484 |
if(!isset($pass)) return('Password was not set on URL'); |
1485 |
$p = $pass; |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1486 |
if ( !preg_match('#([0-9a-f]){40,40}#', $p) ) |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1487 |
{ |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1488 |
$p = sha1($p); |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1489 |
} |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1490 |
if ( $p == 'da39a3ee5e6b4b0d3255bfef95601890afd80709' ) |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1491 |
// sha1('') = da39a3ee5e6b4b0d3255bfef95601890afd80709 |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1492 |
$p = ''; |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1493 |
$e = $db->sql_query('UPDATE ' . table_prefix.'pages SET password=\'' . $p . '\' WHERE urlname=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\';'); |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1494 |
if ( !$e ) |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1495 |
{ |
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
parents:
335
diff
changeset
|
1496 |
die('PageUtils::setpass(): Error during update query: '.$db->get_error()."\n\nSQL Backtrace:\n".$db->sql_backtrace()); |
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1497 |
} |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1498 |
// Is the new password blank? |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1499 |
if ( $p == '' ) |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1500 |
{ |
214 | 1501 |
return $lang->get('ajax_password_disable_success'); |
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1502 |
} |
214 | 1503 |
else |
1504 |
{ |
|
1505 |
return $lang->get('ajax_password_success'); |
|
1506 |
} |
|
1 | 1507 |
} |
1508 |
||
1509 |
/** |
|
1510 |
* Generates some preview HTML |
|
1511 |
* @param $text string the wikitext to use |
|
1512 |
* @return string |
|
1513 |
*/ |
|
1514 |
||
372
5bd429428101
A number of scattered changes. Profiler added and only enabled in debug mode (currently on), but awfully useful for fixing performance in the future. Started work on Admin:LangManager
Dan
parents:
361
diff
changeset
|
1515 |
public static function genPreview($text) |
1 | 1516 |
{ |
214 | 1517 |
global $lang; |
335
67bd3121a12e
Replaced TinyMCE 2.x with 3.0 beta 3. Supports everything but IE. Also rewrote the editor interface completely from the ground up.
Dan
parents:
334
diff
changeset
|
1518 |
$ret = '<div class="info-box">' . $lang->get('editor_preview_blurb') . '</div><div style="background-color: #F8F8F8; padding: 10px; border: 1px dashed #406080; max-height: 250px; overflow: auto; margin: 10px 0;">'; |
102
d807dcd7aed7
[comments] fixed edit button (source wasn't getting filled)
Dan
parents:
81
diff
changeset
|
1519 |
$text = RenderMan::render(RenderMan::preprocess_text($text, false, false)); |
d807dcd7aed7
[comments] fixed edit button (source wasn't getting filled)
Dan
parents:
81
diff
changeset
|
1520 |
ob_start(); |
d807dcd7aed7
[comments] fixed edit button (source wasn't getting filled)
Dan
parents:
81
diff
changeset
|
1521 |
eval('?>' . $text); |
d807dcd7aed7
[comments] fixed edit button (source wasn't getting filled)
Dan
parents:
81
diff
changeset
|
1522 |
$text = ob_get_contents(); |
d807dcd7aed7
[comments] fixed edit button (source wasn't getting filled)
Dan
parents:
81
diff
changeset
|
1523 |
ob_end_clean(); |
d807dcd7aed7
[comments] fixed edit button (source wasn't getting filled)
Dan
parents:
81
diff
changeset
|
1524 |
$ret .= $text; |
d807dcd7aed7
[comments] fixed edit button (source wasn't getting filled)
Dan
parents:
81
diff
changeset
|
1525 |
$ret .= '</div>'; |
d807dcd7aed7
[comments] fixed edit button (source wasn't getting filled)
Dan
parents:
81
diff
changeset
|
1526 |
return $ret; |
1 | 1527 |
} |
1528 |
||
1529 |
/** |
|
1530 |
* Makes a scrollable box |
|
1531 |
* @param string $text the inner HTML |
|
1532 |
* @param int $height Optional - the maximum height. Defaults to 250. |
|
1533 |
* @return string |
|
1534 |
*/ |
|
1535 |
||
372
5bd429428101
A number of scattered changes. Profiler added and only enabled in debug mode (currently on), but awfully useful for fixing performance in the future. Started work on Admin:LangManager
Dan
parents:
361
diff
changeset
|
1536 |
public static function scrollBox($text, $height = 250) |
1 | 1537 |
{ |
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1538 |
return '<div style="background-color: #F8F8F8; padding: 10px; border: 1px dashed #406080; max-height: '.(string)intval($height).'px; overflow: auto; margin: 1em 0 1em 1em;">' . $text . '</div>'; |
1 | 1539 |
} |
1540 |
||
1541 |
/** |
|
1542 |
* Generates a diff summary between two page revisions. |
|
1543 |
* @param $page_id the page ID |
|
1544 |
* @param $namespace the namespace |
|
1545 |
* @param $id1 the time ID of the first revision |
|
1546 |
* @param $id2 the time ID of the second revision |
|
1547 |
* @return string XHTML-formatted diff |
|
1548 |
*/ |
|
1549 |
||
372
5bd429428101
A number of scattered changes. Profiler added and only enabled in debug mode (currently on), but awfully useful for fixing performance in the future. Started work on Admin:LangManager
Dan
parents:
361
diff
changeset
|
1550 |
public static function pagediff($page_id, $namespace, $id1, $id2) |
1 | 1551 |
{ |
1552 |
global $db, $session, $paths, $template, $plugins; // Common objects |
|
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1553 |
global $lang; |
1 | 1554 |
if(!$session->get_permissions('history_view')) |
214 | 1555 |
return $lang->get('etc_access_denied'); |
1 | 1556 |
if(!preg_match('#^([0-9]+)$#', (string)$id1) || |
1557 |
!preg_match('#^([0-9]+)$#', (string)$id2 )) return 'SQL injection attempt'; |
|
1558 |
// OK we made it through security |
|
1559 |
// Safest way to make sure we don't end up with the revisions in wrong columns is to make 2 queries |
|
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
parents:
335
diff
changeset
|
1560 |
if(!$q1 = $db->sql_query('SELECT page_text,char_tag,author,edit_summary FROM ' . table_prefix.'logs WHERE time_id=' . $id1 . ' AND log_type=\'page\' AND action=\'edit\' AND page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\';')) return 'MySQL error: '.$db->get_error(); |
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
parents:
335
diff
changeset
|
1561 |
if(!$q2 = $db->sql_query('SELECT page_text,char_tag,author,edit_summary FROM ' . table_prefix.'logs WHERE time_id=' . $id2 . ' AND log_type=\'page\' AND action=\'edit\' AND page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\';')) return 'MySQL error: '.$db->get_error(); |
1 | 1562 |
$row1 = $db->fetchrow($q1); |
1563 |
$db->free_result($q1); |
|
1564 |
$row2 = $db->fetchrow($q2); |
|
1565 |
$db->free_result($q2); |
|
1566 |
if(sizeof($row1) < 1 || sizeof($row2) < 2) return 'Couldn\'t find any rows that matched the query. The time ID probably doesn\'t exist in the logs table.'; |
|
1567 |
$text1 = $row1['page_text']; |
|
1568 |
$text2 = $row2['page_text']; |
|
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
parents:
335
diff
changeset
|
1569 |
$time1 = enano_date('F d, Y h:i a', $id1); |
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
parents:
335
diff
changeset
|
1570 |
$time2 = enano_date('F d, Y h:i a', $id2); |
1 | 1571 |
$_ob = " |
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1572 |
<p>" . $lang->get('history_lbl_comparingrevisions') . " {$time1} → {$time2}</p> |
1 | 1573 |
"; |
1574 |
// Free some memory |
|
1575 |
unset($row1, $row2, $q1, $q2); |
|
1576 |
||
1577 |
$_ob .= RenderMan::diff($text1, $text2); |
|
1578 |
return $_ob; |
|
1579 |
} |
|
1580 |
||
1581 |
/** |
|
1582 |
* Gets ACL information about the selected page for target type X and target ID Y. |
|
1583 |
* @param array $parms What to select. This is an array purely for JSON compatibility. It should be an associative array with keys target_type and target_id. |
|
1584 |
* @return array |
|
1585 |
*/ |
|
1586 |
||
372
5bd429428101
A number of scattered changes. Profiler added and only enabled in debug mode (currently on), but awfully useful for fixing performance in the future. Started work on Admin:LangManager
Dan
parents:
361
diff
changeset
|
1587 |
public static function acl_editor($parms = Array()) |
1 | 1588 |
{ |
1589 |
global $db, $session, $paths, $template, $plugins; // Common objects |
|
218 | 1590 |
global $lang; |
1591 |
||
511
f88c8c79d784
Made some improvements to ACL system including: warning on setting Deny for Everyone on the entire site, added ACL_ALWAYS_ALLOW_ADMIN_EDIT_ACL, and changed behavior as noted in the docs so that Deny for Everyone is no longer able to be overridden
Dan
parents:
481
diff
changeset
|
1592 |
if(!$session->get_permissions('edit_acl') && ( $session->user_level < USER_LEVEL_ADMIN || !defined('ACL_ALWAYS_ALLOW_ADMIN_EDIT_ACL')) ) |
40
723bb7acf914
Fixed a lot of bugs with Safari and Konqueror; improved Opera compatibility
Dan
parents:
39
diff
changeset
|
1593 |
{ |
723bb7acf914
Fixed a lot of bugs with Safari and Konqueror; improved Opera compatibility
Dan
parents:
39
diff
changeset
|
1594 |
return Array( |
723bb7acf914
Fixed a lot of bugs with Safari and Konqueror; improved Opera compatibility
Dan
parents:
39
diff
changeset
|
1595 |
'mode' => 'error', |
218 | 1596 |
'error' => $lang->get('acl_err_access_denied') |
40
723bb7acf914
Fixed a lot of bugs with Safari and Konqueror; improved Opera compatibility
Dan
parents:
39
diff
changeset
|
1597 |
); |
723bb7acf914
Fixed a lot of bugs with Safari and Konqueror; improved Opera compatibility
Dan
parents:
39
diff
changeset
|
1598 |
} |
1 | 1599 |
$parms['page_id'] = ( isset($parms['page_id']) ) ? $parms['page_id'] : false; |
1600 |
$parms['namespace'] = ( isset($parms['namespace']) ) ? $parms['namespace'] : false; |
|
1601 |
$page_id =& $parms['page_id']; |
|
1602 |
$namespace =& $parms['namespace']; |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1603 |
$page_where_clause = ( empty($page_id) || empty($namespace) ) ? 'AND a.page_id IS NULL AND a.namespace IS NULL' : 'AND a.page_id=\'' . $db->escape($page_id) . '\' AND a.namespace=\'' . $db->escape($namespace) . '\''; |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1604 |
$page_where_clause_lite = ( empty($page_id) || empty($namespace) ) ? 'AND page_id IS NULL AND namespace IS NULL' : 'AND page_id=\'' . $db->escape($page_id) . '\' AND namespace=\'' . $db->escape($namespace) . '\''; |
1 | 1605 |
//die(print_r($page_id,true)); |
1606 |
$template->load_theme(); |
|
1607 |
// $perms_obj = $session->fetch_page_acl($page_id, $namespace); |
|
1608 |
$perms_obj =& $session; |
|
1609 |
$return = Array(); |
|
1610 |
if ( !file_exists(ENANO_ROOT . '/themes/' . $session->theme . '/acledit.tpl') ) |
|
1611 |
{ |
|
1612 |
return Array( |
|
1613 |
'mode' => 'error', |
|
218 | 1614 |
'error' => $lang->get('acl_err_missing_template'), |
1 | 1615 |
); |
1616 |
} |
|
1617 |
$return['template'] = $template->extract_vars('acledit.tpl'); |
|
1618 |
$return['page_id'] = $page_id; |
|
1619 |
$return['namespace'] = $namespace; |
|
1620 |
if(isset($parms['mode'])) |
|
1621 |
{ |
|
1622 |
switch($parms['mode']) |
|
1623 |
{ |
|
1624 |
case 'listgroups': |
|
1625 |
$return['groups'] = Array(); |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1626 |
$q = $db->sql_query('SELECT group_id,group_name FROM ' . table_prefix.'groups ORDER BY group_name ASC;'); |
1 | 1627 |
while($row = $db->fetchrow()) |
1628 |
{ |
|
1629 |
$return['groups'][] = Array( |
|
1630 |
'id' => $row['group_id'], |
|
1631 |
'name' => $row['group_name'], |
|
1632 |
); |
|
1633 |
} |
|
1634 |
$db->free_result(); |
|
73
0a74676a2f2f
Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
parents:
57
diff
changeset
|
1635 |
$return['page_groups'] = Array(); |
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1636 |
$q = $db->sql_query('SELECT pg_id,pg_name FROM ' . table_prefix.'page_groups ORDER BY pg_name ASC;'); |
73
0a74676a2f2f
Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
parents:
57
diff
changeset
|
1637 |
if ( !$q ) |
0a74676a2f2f
Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
parents:
57
diff
changeset
|
1638 |
return Array( |
0a74676a2f2f
Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
parents:
57
diff
changeset
|
1639 |
'mode' => 'error', |
0a74676a2f2f
Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
parents:
57
diff
changeset
|
1640 |
'error' => $db->get_error() |
0a74676a2f2f
Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
parents:
57
diff
changeset
|
1641 |
); |
0a74676a2f2f
Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
parents:
57
diff
changeset
|
1642 |
while ( $row = $db->fetchrow() ) |
0a74676a2f2f
Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
parents:
57
diff
changeset
|
1643 |
{ |
0a74676a2f2f
Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
parents:
57
diff
changeset
|
1644 |
$return['page_groups'][] = Array( |
0a74676a2f2f
Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
parents:
57
diff
changeset
|
1645 |
'id' => $row['pg_id'], |
0a74676a2f2f
Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
parents:
57
diff
changeset
|
1646 |
'name' => $row['pg_name'] |
0a74676a2f2f
Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
parents:
57
diff
changeset
|
1647 |
); |
0a74676a2f2f
Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
parents:
57
diff
changeset
|
1648 |
} |
1 | 1649 |
break; |
512
13532b0a223f
ACL: Added API call to edit rule based only on numeric rule ID; to be used later with lister for existing rules and effective permissions viewer
Dan
parents:
511
diff
changeset
|
1650 |
case 'seltarget_id': |
13532b0a223f
ACL: Added API call to edit rule based only on numeric rule ID; to be used later with lister for existing rules and effective permissions viewer
Dan
parents:
511
diff
changeset
|
1651 |
if ( !is_int($parms['target_id']) ) |
13532b0a223f
ACL: Added API call to edit rule based only on numeric rule ID; to be used later with lister for existing rules and effective permissions viewer
Dan
parents:
511
diff
changeset
|
1652 |
{ |
13532b0a223f
ACL: Added API call to edit rule based only on numeric rule ID; to be used later with lister for existing rules and effective permissions viewer
Dan
parents:
511
diff
changeset
|
1653 |
return Array( |
13532b0a223f
ACL: Added API call to edit rule based only on numeric rule ID; to be used later with lister for existing rules and effective permissions viewer
Dan
parents:
511
diff
changeset
|
1654 |
'mode' => 'error', |
13532b0a223f
ACL: Added API call to edit rule based only on numeric rule ID; to be used later with lister for existing rules and effective permissions viewer
Dan
parents:
511
diff
changeset
|
1655 |
'error' => 'Expected parameter target_id type int' |
13532b0a223f
ACL: Added API call to edit rule based only on numeric rule ID; to be used later with lister for existing rules and effective permissions viewer
Dan
parents:
511
diff
changeset
|
1656 |
); |
13532b0a223f
ACL: Added API call to edit rule based only on numeric rule ID; to be used later with lister for existing rules and effective permissions viewer
Dan
parents:
511
diff
changeset
|
1657 |
} |
13532b0a223f
ACL: Added API call to edit rule based only on numeric rule ID; to be used later with lister for existing rules and effective permissions viewer
Dan
parents:
511
diff
changeset
|
1658 |
$q = $db->sql_query('SELECT target_id, target_type, page_id, namespace, rules FROM ' . table_prefix . "acl WHERE rule_id = {$parms['target_id']};"); |
13532b0a223f
ACL: Added API call to edit rule based only on numeric rule ID; to be used later with lister for existing rules and effective permissions viewer
Dan
parents:
511
diff
changeset
|
1659 |
if ( !$q ) |
13532b0a223f
ACL: Added API call to edit rule based only on numeric rule ID; to be used later with lister for existing rules and effective permissions viewer
Dan
parents:
511
diff
changeset
|
1660 |
return Array( |
13532b0a223f
ACL: Added API call to edit rule based only on numeric rule ID; to be used later with lister for existing rules and effective permissions viewer
Dan
parents:
511
diff
changeset
|
1661 |
'mode' => 'error', |
13532b0a223f
ACL: Added API call to edit rule based only on numeric rule ID; to be used later with lister for existing rules and effective permissions viewer
Dan
parents:
511
diff
changeset
|
1662 |
'error' => $db->get_error() |
13532b0a223f
ACL: Added API call to edit rule based only on numeric rule ID; to be used later with lister for existing rules and effective permissions viewer
Dan
parents:
511
diff
changeset
|
1663 |
); |
13532b0a223f
ACL: Added API call to edit rule based only on numeric rule ID; to be used later with lister for existing rules and effective permissions viewer
Dan
parents:
511
diff
changeset
|
1664 |
if ( $db->numrows() < 1 ) |
13532b0a223f
ACL: Added API call to edit rule based only on numeric rule ID; to be used later with lister for existing rules and effective permissions viewer
Dan
parents:
511
diff
changeset
|
1665 |
return Array( |
13532b0a223f
ACL: Added API call to edit rule based only on numeric rule ID; to be used later with lister for existing rules and effective permissions viewer
Dan
parents:
511
diff
changeset
|
1666 |
'mode' => 'error', |
13532b0a223f
ACL: Added API call to edit rule based only on numeric rule ID; to be used later with lister for existing rules and effective permissions viewer
Dan
parents:
511
diff
changeset
|
1667 |
'error' => "No rule with ID {$parms['target_id']} found" |
13532b0a223f
ACL: Added API call to edit rule based only on numeric rule ID; to be used later with lister for existing rules and effective permissions viewer
Dan
parents:
511
diff
changeset
|
1668 |
); |
13532b0a223f
ACL: Added API call to edit rule based only on numeric rule ID; to be used later with lister for existing rules and effective permissions viewer
Dan
parents:
511
diff
changeset
|
1669 |
$parms = $db->fetchrow(); |
13532b0a223f
ACL: Added API call to edit rule based only on numeric rule ID; to be used later with lister for existing rules and effective permissions viewer
Dan
parents:
511
diff
changeset
|
1670 |
$db->free_result(); |
13532b0a223f
ACL: Added API call to edit rule based only on numeric rule ID; to be used later with lister for existing rules and effective permissions viewer
Dan
parents:
511
diff
changeset
|
1671 |
|
13532b0a223f
ACL: Added API call to edit rule based only on numeric rule ID; to be used later with lister for existing rules and effective permissions viewer
Dan
parents:
511
diff
changeset
|
1672 |
// regenerate page selection |
13532b0a223f
ACL: Added API call to edit rule based only on numeric rule ID; to be used later with lister for existing rules and effective permissions viewer
Dan
parents:
511
diff
changeset
|
1673 |
$parms['page_id'] = ( isset($parms['page_id']) ) ? $parms['page_id'] : false; |
13532b0a223f
ACL: Added API call to edit rule based only on numeric rule ID; to be used later with lister for existing rules and effective permissions viewer
Dan
parents:
511
diff
changeset
|
1674 |
$parms['namespace'] = ( isset($parms['namespace']) ) ? $parms['namespace'] : false; |
513 | 1675 |
$parms['mode'] = 'seltarget_id'; |
512
13532b0a223f
ACL: Added API call to edit rule based only on numeric rule ID; to be used later with lister for existing rules and effective permissions viewer
Dan
parents:
511
diff
changeset
|
1676 |
$page_id =& $parms['page_id']; |
13532b0a223f
ACL: Added API call to edit rule based only on numeric rule ID; to be used later with lister for existing rules and effective permissions viewer
Dan
parents:
511
diff
changeset
|
1677 |
$namespace =& $parms['namespace']; |
13532b0a223f
ACL: Added API call to edit rule based only on numeric rule ID; to be used later with lister for existing rules and effective permissions viewer
Dan
parents:
511
diff
changeset
|
1678 |
$page_where_clause = ( empty($page_id) || empty($namespace) ) ? 'AND a.page_id IS NULL AND a.namespace IS NULL' : 'AND a.page_id=\'' . $db->escape($page_id) . '\' AND a.namespace=\'' . $db->escape($namespace) . '\''; |
13532b0a223f
ACL: Added API call to edit rule based only on numeric rule ID; to be used later with lister for existing rules and effective permissions viewer
Dan
parents:
511
diff
changeset
|
1679 |
$page_where_clause_lite = ( empty($page_id) || empty($namespace) ) ? 'AND page_id IS NULL AND namespace IS NULL' : 'AND page_id=\'' . $db->escape($page_id) . '\' AND namespace=\'' . $db->escape($namespace) . '\''; |
13532b0a223f
ACL: Added API call to edit rule based only on numeric rule ID; to be used later with lister for existing rules and effective permissions viewer
Dan
parents:
511
diff
changeset
|
1680 |
|
513 | 1681 |
$return['page_id'] = $parms['page_id']; |
1682 |
$return['namespace'] = $parms['namespace']; |
|
1683 |
||
512
13532b0a223f
ACL: Added API call to edit rule based only on numeric rule ID; to be used later with lister for existing rules and effective permissions viewer
Dan
parents:
511
diff
changeset
|
1684 |
// From here, let the seltarget handler take over |
1 | 1685 |
case 'seltarget': |
1686 |
$return['mode'] = 'seltarget'; |
|
1687 |
$return['acl_types'] = $perms_obj->acl_types; |
|
1688 |
$return['acl_deps'] = $perms_obj->acl_deps; |
|
1689 |
$return['acl_descs'] = $perms_obj->acl_descs; |
|
1690 |
$return['target_type'] = $parms['target_type']; |
|
1691 |
$return['target_id'] = $parms['target_id']; |
|
1692 |
switch($parms['target_type']) |
|
1693 |
{ |
|
1694 |
case ACL_TYPE_USER: |
|
513 | 1695 |
$user_col = ( $parms['mode'] == 'seltarget_id' ) ? 'user_id' : 'username'; |
1696 |
$q = $db->sql_query('SELECT a.rules,u.user_id,u.username FROM ' . table_prefix.'users AS u |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1697 |
LEFT JOIN ' . table_prefix.'acl AS a |
1 | 1698 |
ON a.target_id=u.user_id |
1699 |
WHERE a.target_type='.ACL_TYPE_USER.' |
|
513 | 1700 |
AND u.' . $user_col . ' = \'' . $db->escape($parms['target_id']) . '\' |
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1701 |
' . $page_where_clause . ';'); |
1 | 1702 |
if(!$q) |
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
parents:
335
diff
changeset
|
1703 |
return(Array('mode'=>'error','error'=>$db->get_error())); |
1 | 1704 |
if($db->numrows() < 1) |
1705 |
{ |
|
1706 |
$return['type'] = 'new'; |
|
513 | 1707 |
$q = $db->sql_query('SELECT user_id,username FROM ' . table_prefix.'users WHERE username=\'' . $db->escape($parms['target_id']) . '\';'); |
1 | 1708 |
if(!$q) |
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
parents:
335
diff
changeset
|
1709 |
return(Array('mode'=>'error','error'=>$db->get_error())); |
1 | 1710 |
if($db->numrows() < 1) |
513 | 1711 |
return Array('mode'=>'error','error'=>$lang->get('acl_err_user_not_found'),'debug' => $db->sql_backtrace()); |
1 | 1712 |
$row = $db->fetchrow(); |
513 | 1713 |
$return['target_name'] = $row['username']; |
1 | 1714 |
$return['target_id'] = intval($row['user_id']); |
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
parents:
335
diff
changeset
|
1715 |
$return['current_perms'] = array(); |
1 | 1716 |
} |
1717 |
else |
|
1718 |
{ |
|
1719 |
$return['type'] = 'edit'; |
|
1720 |
$row = $db->fetchrow(); |
|
513 | 1721 |
$return['target_name'] = $row['username']; |
1 | 1722 |
$return['target_id'] = intval($row['user_id']); |
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
parents:
335
diff
changeset
|
1723 |
$return['current_perms'] = $session->string_to_perm($row['rules']); |
1 | 1724 |
} |
1725 |
$db->free_result(); |
|
1726 |
// Eliminate types that don't apply to this namespace |
|
73
0a74676a2f2f
Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
parents:
57
diff
changeset
|
1727 |
if ( $namespace && $namespace != '__PageGroup' ) |
1 | 1728 |
{ |
1729 |
foreach ( $return['current_perms'] AS $i => $perm ) |
|
1730 |
{ |
|
1731 |
if ( ( $page_id != null && $namespace != null ) && ( !in_array ( $namespace, $session->acl_scope[$i] ) && !in_array('All', $session->acl_scope[$i]) ) ) |
|
1732 |
{ |
|
1733 |
// echo "// SCOPE CONTROL: eliminating: $i\n"; |
|
1734 |
unset($return['current_perms'][$i]); |
|
1735 |
unset($return['acl_types'][$i]); |
|
1736 |
unset($return['acl_descs'][$i]); |
|
1737 |
unset($return['acl_deps'][$i]); |
|
1738 |
} |
|
1739 |
} |
|
1740 |
} |
|
1741 |
break; |
|
1742 |
case ACL_TYPE_GROUP: |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1743 |
$q = $db->sql_query('SELECT a.rules,g.group_name,g.group_id FROM ' . table_prefix.'groups AS g |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1744 |
LEFT JOIN ' . table_prefix.'acl AS a |
1 | 1745 |
ON a.target_id=g.group_id |
1746 |
WHERE a.target_type='.ACL_TYPE_GROUP.' |
|
1747 |
AND g.group_id=\''.intval($parms['target_id']).'\' |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1748 |
' . $page_where_clause . ';'); |
1 | 1749 |
if(!$q) |
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
parents:
335
diff
changeset
|
1750 |
return(Array('mode'=>'error','error'=>$db->get_error())); |
1 | 1751 |
if($db->numrows() < 1) |
1752 |
{ |
|
1753 |
$return['type'] = 'new'; |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1754 |
$q = $db->sql_query('SELECT group_id,group_name FROM ' . table_prefix.'groups WHERE group_id=\''.intval($parms['target_id']).'\';'); |
1 | 1755 |
if(!$q) |
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
parents:
335
diff
changeset
|
1756 |
return(Array('mode'=>'error','error'=>$db->get_error())); |
1 | 1757 |
if($db->numrows() < 1) |
218 | 1758 |
return Array('mode'=>'error','error'=>$lang->get('acl_err_bad_group_id')); |
1 | 1759 |
$row = $db->fetchrow(); |
1760 |
$return['target_name'] = $row['group_name']; |
|
1761 |
$return['target_id'] = intval($row['group_id']); |
|
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
parents:
335
diff
changeset
|
1762 |
$return['current_perms'] = array(); |
1 | 1763 |
} |
1764 |
else |
|
1765 |
{ |
|
1766 |
$return['type'] = 'edit'; |
|
1767 |
$row = $db->fetchrow(); |
|
1768 |
$return['target_name'] = $row['group_name']; |
|
1769 |
$return['target_id'] = intval($row['group_id']); |
|
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
parents:
335
diff
changeset
|
1770 |
$return['current_perms'] = $session->string_to_perm($row['rules']); |
1 | 1771 |
} |
1772 |
$db->free_result(); |
|
1773 |
// Eliminate types that don't apply to this namespace |
|
73
0a74676a2f2f
Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
parents:
57
diff
changeset
|
1774 |
if ( $namespace && $namespace != '__PageGroup' ) |
1 | 1775 |
{ |
1776 |
foreach ( $return['current_perms'] AS $i => $perm ) |
|
1777 |
{ |
|
1778 |
if ( ( $page_id != false && $namespace != false ) && ( !in_array ( $namespace, $session->acl_scope[$i] ) && !in_array('All', $session->acl_scope[$i]) ) ) |
|
1779 |
{ |
|
1780 |
// echo "// SCOPE CONTROL: eliminating: $i\n"; //; ".print_r($namespace,true).":".print_r($page_id,true)."\n"; |
|
1781 |
unset($return['current_perms'][$i]); |
|
1782 |
unset($return['acl_types'][$i]); |
|
1783 |
unset($return['acl_descs'][$i]); |
|
1784 |
unset($return['acl_deps'][$i]); |
|
1785 |
} |
|
1786 |
} |
|
1787 |
} |
|
1788 |
//return Array('mode'=>'debug','text'=>print_r($return, true)); |
|
1789 |
break; |
|
1790 |
default: |
|
1791 |
return Array('mode'=>'error','error','Invalid ACL type ID'); |
|
1792 |
break; |
|
1793 |
} |
|
1794 |
return $return; |
|
1795 |
break; |
|
1796 |
case 'save_new': |
|
1797 |
case 'save_edit': |
|
19
5d003b6c9e89
Added demo mode functionality to various parts of Enano (unlocked only with a plugin) and fixed groups table
Dan
parents:
16
diff
changeset
|
1798 |
if ( defined('ENANO_DEMO_MODE') ) |
5d003b6c9e89
Added demo mode functionality to various parts of Enano (unlocked only with a plugin) and fixed groups table
Dan
parents:
16
diff
changeset
|
1799 |
{ |
218 | 1800 |
return Array('mode'=>'error','error'=>$lang->get('acl_err_demo')); |
19
5d003b6c9e89
Added demo mode functionality to various parts of Enano (unlocked only with a plugin) and fixed groups table
Dan
parents:
16
diff
changeset
|
1801 |
} |
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1802 |
$q = $db->sql_query('DELETE FROM ' . table_prefix.'acl WHERE target_type='.intval($parms['target_type']).' AND target_id='.intval($parms['target_id']).' |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1803 |
' . $page_where_clause_lite . ';'); |
1 | 1804 |
if(!$q) |
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
parents:
335
diff
changeset
|
1805 |
return Array('mode'=>'error','error'=>$db->get_error()); |
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
parents:
335
diff
changeset
|
1806 |
if ( sizeof ( $parms['perms'] ) < 1 ) |
1 | 1807 |
{ |
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
parents:
335
diff
changeset
|
1808 |
// As of 1.1.x, this returns success because the rule length is zero if the user selected "inherit" in all columns |
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
parents:
335
diff
changeset
|
1809 |
return Array( |
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
parents:
335
diff
changeset
|
1810 |
'mode' => 'success', |
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
parents:
335
diff
changeset
|
1811 |
'target_type' => $parms['target_type'], |
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
parents:
335
diff
changeset
|
1812 |
'target_id' => $parms['target_id'], |
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
parents:
335
diff
changeset
|
1813 |
'target_name' => $parms['target_name'], |
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
parents:
335
diff
changeset
|
1814 |
'page_id' => $page_id, |
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
parents:
335
diff
changeset
|
1815 |
'namespace' => $namespace, |
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
parents:
335
diff
changeset
|
1816 |
); |
1 | 1817 |
} |
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
parents:
335
diff
changeset
|
1818 |
$rules = $session->perm_to_string($parms['perms']); |
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1819 |
$q = ($page_id && $namespace) ? 'INSERT INTO ' . table_prefix.'acl ( target_type, target_id, page_id, namespace, rules ) |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1820 |
VALUES( '.intval($parms['target_type']).', '.intval($parms['target_id']).', \'' . $db->escape($page_id) . '\', \'' . $db->escape($namespace) . '\', \'' . $db->escape($rules) . '\' )' : |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1821 |
'INSERT INTO ' . table_prefix.'acl ( target_type, target_id, rules ) |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1822 |
VALUES( '.intval($parms['target_type']).', '.intval($parms['target_id']).', \'' . $db->escape($rules) . '\' )'; |
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
parents:
335
diff
changeset
|
1823 |
if(!$db->sql_query($q)) return Array('mode'=>'error','error'=>$db->get_error()); |
1 | 1824 |
return Array( |
1825 |
'mode' => 'success', |
|
1826 |
'target_type' => $parms['target_type'], |
|
1827 |
'target_id' => $parms['target_id'], |
|
1828 |
'target_name' => $parms['target_name'], |
|
1829 |
'page_id' => $page_id, |
|
1830 |
'namespace' => $namespace, |
|
1831 |
); |
|
1832 |
break; |
|
1833 |
case 'delete': |
|
19
5d003b6c9e89
Added demo mode functionality to various parts of Enano (unlocked only with a plugin) and fixed groups table
Dan
parents:
16
diff
changeset
|
1834 |
if ( defined('ENANO_DEMO_MODE') ) |
5d003b6c9e89
Added demo mode functionality to various parts of Enano (unlocked only with a plugin) and fixed groups table
Dan
parents:
16
diff
changeset
|
1835 |
{ |
218 | 1836 |
return Array('mode'=>'error','error'=>$lang->get('acl_err_demo')); |
19
5d003b6c9e89
Added demo mode functionality to various parts of Enano (unlocked only with a plugin) and fixed groups table
Dan
parents:
16
diff
changeset
|
1837 |
} |
513 | 1838 |
$sql = 'DELETE FROM ' . table_prefix.'acl WHERE target_type='.intval($parms['target_type']).' AND target_id='.intval($parms['target_id']).' |
1839 |
' . $page_where_clause_lite . ';'; |
|
1840 |
$q = $db->sql_query($sql); |
|
1 | 1841 |
if(!$q) |
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
parents:
335
diff
changeset
|
1842 |
return Array('mode'=>'error','error'=>$db->get_error()); |
1 | 1843 |
return Array( |
1844 |
'mode' => 'delete', |
|
1845 |
'target_type' => $parms['target_type'], |
|
1846 |
'target_id' => $parms['target_id'], |
|
1847 |
'target_name' => $parms['target_name'], |
|
1848 |
'page_id' => $page_id, |
|
1849 |
'namespace' => $namespace, |
|
1850 |
); |
|
1851 |
break; |
|
513 | 1852 |
case 'list_existing': |
1853 |
||
1854 |
$return = array( |
|
1855 |
'mode' => 'list_existing', |
|
1856 |
'key' => acl_list_draw_key(), |
|
1857 |
'rules' => array() |
|
1858 |
); |
|
1859 |
||
1860 |
$q = $db->sql_query("SELECT a.rule_id, u.username, g.group_name, a.target_type, a.target_id, a.page_id, a.namespace, a.rules, p.pg_name\n" |
|
1861 |
. " FROM " . table_prefix . "acl AS a\n" |
|
1862 |
. " LEFT JOIN " . table_prefix . "users AS u\n" |
|
1863 |
. " ON ( (a.target_type = " . ACL_TYPE_USER . " AND a.target_id = u.user_id) OR (u.user_id IS NULL) )\n" |
|
1864 |
. " LEFT JOIN " . table_prefix . "groups AS g\n" |
|
1865 |
. " ON ( (a.target_type = " . ACL_TYPE_GROUP . " AND a.target_id = g.group_id) OR (g.group_id IS NULL) )\n" |
|
1866 |
. " LEFT JOIN " . table_prefix . "page_groups as p\n" |
|
1867 |
. " ON ( (a.namespace = '__PageGroup' AND a.page_id = p.pg_id) OR (p.pg_id IS NULL) )\n" |
|
1868 |
. " GROUP BY a.rule_id\n" |
|
1869 |
. " ORDER BY a.target_type ASC, a.rule_id ASC;" |
|
1870 |
); |
|
1871 |
||
1872 |
if ( !$q ) |
|
1873 |
$db->_die(); |
|
1874 |
||
1875 |
while ( $row = $db->fetchrow($q) ) |
|
1876 |
{ |
|
1877 |
if ( $row['target_type'] == ACL_TYPE_USER && empty($row['username']) ) |
|
1878 |
{ |
|
1879 |
// This is only done if we have an ACL affecting a user that doesn't exist. |
|
1880 |
// Nice little bit of maintenance to have. |
|
1881 |
if ( !$db->sql_query("DELETE FROM " . table_prefix . "acl WHERE rule_id = {$row['rule_id']};") ) |
|
1882 |
$db->_die(); |
|
1883 |
continue; |
|
1884 |
} |
|
1885 |
$score = get_acl_rule_score($row['rules']); |
|
1886 |
$deep_limit = ACL_SCALE_MINIMAL_SHADE; |
|
1887 |
// Determine background color of cell by score |
|
1888 |
if ( $score > 5 ) |
|
1889 |
{ |
|
1890 |
// high score, show in green |
|
1891 |
$color = 2.5 * $score; |
|
1892 |
if ( $color > 255 ) |
|
1893 |
$color = 255; |
|
1894 |
$color = round($color); |
|
1895 |
// blend with the colordepth limit |
|
1896 |
$color = $deep_limit + ( ( 0xFF - $deep_limit ) - ( ( $color / 0xFF ) * ( 0xFF - $deep_limit ) ) ); |
|
1897 |
$color = dechex($color); |
|
1898 |
$color = "{$color}ff{$color}"; |
|
1899 |
} |
|
1900 |
else if ( $score < -5 ) |
|
1901 |
{ |
|
1902 |
// low score, show in red |
|
1903 |
$color = 0 - $score; |
|
1904 |
$color = 2.5 * $color; |
|
1905 |
if ( $color > 255 ) |
|
1906 |
$color = 255; |
|
1907 |
$color = round($color); |
|
1908 |
// blend with the colordepth limit |
|
1909 |
$color = $deep_limit + ( ( 0xFF - $deep_limit ) - ( ( $color / 0xFF ) * ( 0xFF - $deep_limit ) ) ); |
|
1910 |
$color = dechex($color); |
|
1911 |
$color = "ff{$color}{$color}"; |
|
1912 |
} |
|
1913 |
else |
|
1914 |
{ |
|
1915 |
$color = 'efefef'; |
|
1916 |
} |
|
1917 |
||
1918 |
// Rate rule textually based on its score |
|
1919 |
if ( $score >= 70 ) |
|
1920 |
$desc = $lang->get('acl_msg_scale_allow'); |
|
1921 |
else if ( $score >= 50 ) |
|
1922 |
$desc = $lang->get('acl_msg_scale_mostly_allow'); |
|
1923 |
else if ( $score >= 25 ) |
|
1924 |
$desc = $lang->get('acl_msg_scale_some_allow'); |
|
1925 |
else if ( $score >= -25 ) |
|
1926 |
$desc = $lang->get('acl_msg_scale_mixed'); |
|
1927 |
else if ( $score <= -70 ) |
|
1928 |
$desc = $lang->get('acl_msg_scale_deny'); |
|
1929 |
else if ( $score <= -50 ) |
|
1930 |
$desc = $lang->get('acl_msg_scale_mostly_deny'); |
|
1931 |
else if ( $score <= -25 ) |
|
1932 |
$desc = $lang->get('acl_msg_scale_some_deny'); |
|
1933 |
||
1934 |
// group and user target info |
|
1935 |
$info = ''; |
|
1936 |
if ( $row['target_type'] == ACL_TYPE_USER ) |
|
1937 |
$info = $lang->get('acl_msg_list_user', array( 'username' => $row['username'] )); // "(User: {$row['username']})"; |
|
1938 |
else if ( $row['target_type'] == ACL_TYPE_GROUP ) |
|
1939 |
$info = $lang->get('acl_msg_list_group', array( 'group' => $row['group_name'] )); |
|
1940 |
||
1941 |
// affected pages info |
|
1942 |
if ( $row['page_id'] && $row['namespace'] && $row['namespace'] != '__PageGroup' ) |
|
1943 |
$info .= $lang->get('acl_msg_list_on_page', array( 'page_name' => "{$row['namespace']}:{$row['page_id']}" )); |
|
1944 |
else if ( $row['page_id'] && $row['namespace'] && $row['namespace'] == '__PageGroup' ) |
|
1945 |
$info .= $lang->get('acl_msg_list_on_page_group', array( 'page_group' => $row['pg_name'] )); |
|
1946 |
else |
|
1947 |
$info .= $lang->get('acl_msg_list_entire_site'); |
|
1948 |
||
1949 |
$score_string = $lang->get('acl_msg_list_score', array |
|
1950 |
( |
|
1951 |
'score' => $score, |
|
1952 |
'desc' => $desc, |
|
1953 |
'info' => $info |
|
1954 |
)); |
|
1955 |
$return['rules'][] = array( |
|
1956 |
'score_string' => $score_string, |
|
1957 |
'rule_id' => $row['rule_id'], |
|
1958 |
'color' => $color |
|
1959 |
); |
|
1960 |
} |
|
1961 |
||
1962 |
break; |
|
1 | 1963 |
default: |
1964 |
return Array('mode'=>'error','error'=>'Hacking attempt'); |
|
1965 |
break; |
|
1966 |
} |
|
1967 |
} |
|
1968 |
return $return; |
|
1969 |
} |
|
1970 |
||
1971 |
/** |
|
1972 |
* Same as PageUtils::acl_editor(), but the parms are a JSON string instead of an array. This also returns a JSON string. |
|
1973 |
* @param string $parms Same as PageUtils::acl_editor/$parms, but should be a valid JSON string. |
|
1974 |
* @return string |
|
1975 |
*/ |
|
1976 |
||
372
5bd429428101
A number of scattered changes. Profiler added and only enabled in debug mode (currently on), but awfully useful for fixing performance in the future. Started work on Admin:LangManager
Dan
parents:
361
diff
changeset
|
1977 |
public static function acl_json($parms = '{ }') |
1 | 1978 |
{ |
1979 |
global $db, $session, $paths, $template, $plugins; // Common objects |
|
334
c72b545f1304
More localization work. Resolved major issue with JSON parser not parsing files over ~50KB. Switched JSON parser to the one from the Zend Framework (BSD licensed). Forced to split enano.json into five different files.
Dan
parents:
328
diff
changeset
|
1980 |
$parms = enano_json_decode($parms); |
1 | 1981 |
$ret = PageUtils::acl_editor($parms); |
334
c72b545f1304
More localization work. Resolved major issue with JSON parser not parsing files over ~50KB. Switched JSON parser to the one from the Zend Framework (BSD licensed). Forced to split enano.json into five different files.
Dan
parents:
328
diff
changeset
|
1982 |
$ret = enano_json_encode($ret); |
1 | 1983 |
return $ret; |
1984 |
} |
|
1985 |
||
1986 |
/** |
|
1987 |
* A non-Javascript frontend for the ACL API. |
|
1988 |
* @param array The request data, if any, this should be in the format required by PageUtils::acl_editor() |
|
1989 |
*/ |
|
1990 |
||
372
5bd429428101
A number of scattered changes. Profiler added and only enabled in debug mode (currently on), but awfully useful for fixing performance in the future. Started work on Admin:LangManager
Dan
parents:
361
diff
changeset
|
1991 |
public static function aclmanager($parms) |
1 | 1992 |
{ |
1993 |
global $db, $session, $paths, $template, $plugins; // Common objects |
|
219 | 1994 |
global $lang; |
1 | 1995 |
ob_start(); |
1996 |
// Convenience |
|
1997 |
$formstart = '<form |
|
1998 |
action="' . makeUrl($paths->page, 'do=aclmanager', true) . '" |
|
1999 |
method="post" enctype="multipart/form-data" |
|
2000 |
onsubmit="if(!submitAuthorized) return false;" |
|
2001 |
>'; |
|
2002 |
$formend = '</form>'; |
|
2003 |
$parms = PageUtils::acl_preprocess($parms); |
|
2004 |
$response = PageUtils::acl_editor($parms); |
|
2005 |
$response = PageUtils::acl_postprocess($response); |
|
2006 |
||
2007 |
//die('<pre>' . htmlspecialchars(print_r($response, true)) . '</pre>'); |
|
2008 |
||
2009 |
switch($response['mode']) |
|
2010 |
{ |
|
2011 |
case 'debug': |
|
2012 |
echo '<pre>' . htmlspecialchars($response['text']) . '</pre>'; |
|
2013 |
break; |
|
2014 |
case 'stage1': |
|
219 | 2015 |
echo '<h3>' . $lang->get('acl_lbl_welcome_title') . '</h3> |
2016 |
<p>' . $lang->get('acl_lbl_welcome_body') . '</p>'; |
|
1 | 2017 |
echo $formstart; |
219 | 2018 |
echo '<p><label><input type="radio" name="data[target_type]" value="' . ACL_TYPE_GROUP . '" checked="checked" /> ' . $lang->get('acl_radio_usergroup') . '</label></p> |
1 | 2019 |
<p><select name="data[target_id_grp]">'; |
2020 |
foreach ( $response['groups'] as $group ) |
|
2021 |
{ |
|
2022 |
echo '<option value="' . $group['id'] . '">' . $group['name'] . '</option>'; |
|
2023 |
} |
|
219 | 2024 |
|
103
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
parents:
102
diff
changeset
|
2025 |
// page group selector |
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
parents:
102
diff
changeset
|
2026 |
$groupsel = ''; |
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
parents:
102
diff
changeset
|
2027 |
if ( count($response['page_groups']) > 0 ) |
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
parents:
102
diff
changeset
|
2028 |
{ |
219 | 2029 |
$groupsel = '<p><label><input type="radio" name="data[scope]" value="page_group" /> ' . $lang->get('acl_radio_scope_pagegroup') . '</label></p> |
103
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
parents:
102
diff
changeset
|
2030 |
<p><select name="data[pg_id]">'; |
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
parents:
102
diff
changeset
|
2031 |
foreach ( $response['page_groups'] as $grp ) |
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
parents:
102
diff
changeset
|
2032 |
{ |
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
parents:
102
diff
changeset
|
2033 |
$groupsel .= '<option value="' . $grp['id'] . '">' . htmlspecialchars($grp['name']) . '</option>'; |
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
parents:
102
diff
changeset
|
2034 |
} |
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
parents:
102
diff
changeset
|
2035 |
$groupsel .= '</select></p>'; |
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
parents:
102
diff
changeset
|
2036 |
} |
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
parents:
102
diff
changeset
|
2037 |
|
1 | 2038 |
echo '</select></p> |
219 | 2039 |
<p><label><input type="radio" name="data[target_type]" value="' . ACL_TYPE_USER . '" /> ' . $lang->get('acl_radio_user') . '</label></p> |
1 | 2040 |
<p>' . $template->username_field('data[target_id_user]') . '</p> |
219 | 2041 |
<p>' . $lang->get('acl_lbl_scope') . '</p> |
2042 |
<p><label><input name="data[scope]" value="only_this" type="radio" checked="checked" /> ' . $lang->get('acl_radio_scope_thispage') . '</p> |
|
103
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
parents:
102
diff
changeset
|
2043 |
' . $groupsel . ' |
219 | 2044 |
<p><label><input name="data[scope]" value="entire_site" type="radio" /> ' . $lang->get('acl_radio_scope_wholesite') . '</p> |
1 | 2045 |
<div style="margin: 0 auto 0 0; text-align: right;"> |
2046 |
<input name="data[mode]" value="seltarget" type="hidden" /> |
|
322
5f1cd51bf1be
Many changes. Installer with PostgreSQL is broken badly and will be for some time.
Dan
parents:
320
diff
changeset
|
2047 |
<input type="hidden" name="data[page_id]" value="' . $paths->page_id . '" /> |
1 | 2048 |
<input type="hidden" name="data[namespace]" value="' . $paths->namespace . '" /> |
219 | 2049 |
<input type="submit" value="' . htmlspecialchars($lang->get('etc_wizard_next')) . '" /> |
1 | 2050 |
</div>'; |
2051 |
echo $formend; |
|
2052 |
break; |
|
2053 |
case 'success': |
|
2054 |
echo '<div class="info-box"> |
|
219 | 2055 |
<b>' . $lang->get('acl_lbl_save_success_title') . '</b><br /> |
2056 |
' . $lang->get('acl_lbl_save_success_body', array( 'target_name' => $response['target_name'] )) . '<br /> |
|
1 | 2057 |
' . $formstart . ' |
2058 |
<input type="hidden" name="data[mode]" value="seltarget" /> |
|
2059 |
<input type="hidden" name="data[target_type]" value="' . $response['target_type'] . '" /> |
|
2060 |
<input type="hidden" name="data[target_id_user]" value="' . ( ( intval($response['target_type']) == ACL_TYPE_USER ) ? $response['target_name'] : $response['target_id'] ) .'" /> |
|
2061 |
<input type="hidden" name="data[target_id_grp]" value="' . ( ( intval($response['target_type']) == ACL_TYPE_USER ) ? $response['target_name'] : $response['target_id'] ) .'" /> |
|
2062 |
<input type="hidden" name="data[scope]" value="' . ( ( $response['page_id'] ) ? 'only_this' : 'entire_site' ) . '" /> |
|
2063 |
<input type="hidden" name="data[page_id]" value="' . ( ( $response['page_id'] ) ? $response['page_id'] : 'false' ) . '" /> |
|
2064 |
<input type="hidden" name="data[namespace]" value="' . ( ( $response['namespace'] ) ? $response['namespace'] : 'false' ) . '" /> |
|
219 | 2065 |
<input type="submit" value="' . $lang->get('acl_btn_returnto_editor') . '" /> <input type="submit" name="data[act_go_stage1]" value="' . $lang->get('acl_btn_returnto_userscope') . '" /> |
1 | 2066 |
' . $formend . ' |
2067 |
</div>'; |
|
2068 |
break; |
|
2069 |
case 'delete': |
|
2070 |
echo '<div class="info-box"> |
|
219 | 2071 |
<b>' . $lang->get('acl_lbl_delete_success_title') . '</b><br /> |
2072 |
' . $lang->get('acl_lbl_delete_success_body', array('target_name' => $response['target_name'])) . '<br /> |
|
1 | 2073 |
' . $formstart . ' |
2074 |
<input type="hidden" name="data[mode]" value="seltarget" /> |
|
2075 |
<input type="hidden" name="data[target_type]" value="' . $response['target_type'] . '" /> |
|
2076 |
<input type="hidden" name="data[target_id_user]" value="' . ( ( intval($response['target_type']) == ACL_TYPE_USER ) ? $response['target_name'] : $response['target_id'] ) .'" /> |
|
2077 |
<input type="hidden" name="data[target_id_grp]" value="' . ( ( intval($response['target_type']) == ACL_TYPE_USER ) ? $response['target_name'] : $response['target_id'] ) .'" /> |
|
2078 |
<input type="hidden" name="data[scope]" value="' . ( ( $response['page_id'] ) ? 'only_this' : 'entire_site' ) . '" /> |
|
2079 |
<input type="hidden" name="data[page_id]" value="' . ( ( $response['page_id'] ) ? $response['page_id'] : 'false' ) . '" /> |
|
2080 |
<input type="hidden" name="data[namespace]" value="' . ( ( $response['namespace'] ) ? $response['namespace'] : 'false' ) . '" /> |
|
219 | 2081 |
<input type="submit" value="' . $lang->get('acl_btn_returnto_editor') . '" /> <input type="submit" name="data[act_go_stage1]" value="' . $lang->get('acl_btn_returnto_userscope') . '" /> |
1 | 2082 |
' . $formend . ' |
2083 |
</div>'; |
|
2084 |
break; |
|
2085 |
case 'seltarget': |
|
2086 |
if ( $response['type'] == 'edit' ) |
|
2087 |
{ |
|
219 | 2088 |
echo '<h3>' . $lang->get('acl_lbl_editwin_title_edit') . '</h3>'; |
1 | 2089 |
} |
2090 |
else |
|
2091 |
{ |
|
219 | 2092 |
echo '<h3>' . $lang->get('acl_lbl_editwin_title_create') . '</h3>'; |
1 | 2093 |
} |
219 | 2094 |
$type = ( $response['target_type'] == ACL_TYPE_GROUP ) ? $lang->get('acl_target_type_group') : $lang->get('acl_target_type_user'); |
2095 |
$scope = ( $response['page_id'] ) ? ( $response['namespace'] == '__PageGroup' ? $lang->get('acl_scope_type_pagegroup') : $lang->get('acl_scope_type_thispage') ) : $lang->get('acl_scope_type_wholesite'); |
|
2096 |
$subs = array( |
|
2097 |
'target_type' => $type, |
|
2098 |
'target' => $response['target_name'], |
|
2099 |
'scope_type' => $scope |
|
2100 |
); |
|
2101 |
echo $lang->get('acl_lbl_editwin_body', $subs); |
|
1 | 2102 |
echo $formstart; |
2103 |
$parser = $template->makeParserText( $response['template']['acl_field_begin'] ); |
|
2104 |
echo $parser->run(); |
|
2105 |
$parser = $template->makeParserText( $response['template']['acl_field_item'] ); |
|
2106 |
$cls = 'row2'; |
|
2107 |
foreach ( $response['acl_types'] as $acl_type => $value ) |
|
2108 |
{ |
|
2109 |
$vars = Array( |
|
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
parents:
335
diff
changeset
|
2110 |
'FIELD_INHERIT_CHECKED' => '', |
1 | 2111 |
'FIELD_DENY_CHECKED' => '', |
2112 |
'FIELD_DISALLOW_CHECKED' => '', |
|
2113 |
'FIELD_WIKIMODE_CHECKED' => '', |
|
2114 |
'FIELD_ALLOW_CHECKED' => '', |
|
2115 |
); |
|
2116 |
$cls = ( $cls == 'row1' ) ? 'row2' : 'row1'; |
|
2117 |
$vars['ROW_CLASS'] = $cls; |
|
2118 |
||
2119 |
switch ( $response['current_perms'][$acl_type] ) |
|
2120 |
{ |
|
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
parents:
335
diff
changeset
|
2121 |
case 'i': |
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
parents:
335
diff
changeset
|
2122 |
default: |
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
parents:
335
diff
changeset
|
2123 |
$vars['FIELD_INHERIT_CHECKED'] = 'checked="checked"'; |
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
parents:
335
diff
changeset
|
2124 |
break; |
1 | 2125 |
case AUTH_ALLOW: |
2126 |
$vars['FIELD_ALLOW_CHECKED'] = 'checked="checked"'; |
|
2127 |
break; |
|
2128 |
case AUTH_WIKIMODE: |
|
2129 |
$vars['FIELD_WIKIMODE_CHECKED'] = 'checked="checked"'; |
|
2130 |
break; |
|
2131 |
case AUTH_DISALLOW: |
|
2132 |
$vars['FIELD_DISALLOW_CHECKED'] = 'checked="checked"'; |
|
2133 |
break; |
|
2134 |
case AUTH_DENY: |
|
2135 |
$vars['FIELD_DENY_CHECKED'] = 'checked="checked"'; |
|
2136 |
break; |
|
2137 |
} |
|
2138 |
$vars['FIELD_NAME'] = 'data[perms][' . $acl_type . ']'; |
|
219 | 2139 |
if ( preg_match('/^([a-z0-9_]+)$/', $response['acl_descs'][$acl_type]) ) |
2140 |
{ |
|
2141 |
$vars['FIELD_DESC'] = $lang->get($response['acl_descs'][$acl_type]); |
|
2142 |
} |
|
2143 |
else |
|
2144 |
{ |
|
2145 |
$vars['FIELD_DESC'] = $response['acl_descs'][$acl_type]; |
|
2146 |
} |
|
1 | 2147 |
$parser->assign_vars($vars); |
2148 |
echo $parser->run(); |
|
2149 |
} |
|
2150 |
$parser = $template->makeParserText( $response['template']['acl_field_end'] ); |
|
2151 |
echo $parser->run(); |
|
2152 |
echo '<div style="margin: 10px auto 0 0; text-align: right;"> |
|
2153 |
<input name="data[mode]" value="save_' . $response['type'] . '" type="hidden" /> |
|
2154 |
<input type="hidden" name="data[page_id]" value="' . (( $response['page_id'] ) ? $response['page_id'] : 'false') . '" /> |
|
2155 |
<input type="hidden" name="data[namespace]" value="' . (( $response['namespace'] ) ? $response['namespace'] : 'false') . '" /> |
|
2156 |
<input type="hidden" name="data[target_type]" value="' . $response['target_type'] . '" /> |
|
2157 |
<input type="hidden" name="data[target_id]" value="' . $response['target_id'] . '" /> |
|
2158 |
<input type="hidden" name="data[target_name]" value="' . $response['target_name'] . '" /> |
|
219 | 2159 |
' . ( ( $response['type'] == 'edit' ) ? '<input type="submit" value="' . $lang->get('etc_save_changes') . '" /> <input type="submit" name="data[act_delete_rule]" value="' . $lang->get('acl_btn_deleterule') . '" style="color: #AA0000;" onclick="return confirm(\'' . addslashes($lang->get('acl_msg_deleterule_confirm')) . '\');" />' : '<input type="submit" value="' . $lang->get('acl_btn_createrule') . '" />' ) . ' |
1 | 2160 |
</div>'; |
2161 |
echo $formend; |
|
2162 |
break; |
|
2163 |
case 'error': |
|
2164 |
ob_end_clean(); |
|
2165 |
die_friendly('Error occurred', '<p>Error returned by permissions API:</p><pre>' . htmlspecialchars($response['error']) . '</pre>'); |
|
2166 |
break; |
|
2167 |
} |
|
2168 |
$ret = ob_get_contents(); |
|
2169 |
ob_end_clean(); |
|
2170 |
echo |
|
2171 |
$template->getHeader() . |
|
2172 |
$ret . |
|
2173 |
$template->getFooter(); |
|
2174 |
} |
|
2175 |
||
2176 |
/** |
|
2177 |
* Preprocessor to turn the form-submitted data from the ACL editor into something the backend can handle |
|
2178 |
* @param array The posted data |
|
2179 |
* @return array |
|
2180 |
* @access private |
|
2181 |
*/ |
|
2182 |
||
372
5bd429428101
A number of scattered changes. Profiler added and only enabled in debug mode (currently on), but awfully useful for fixing performance in the future. Started work on Admin:LangManager
Dan
parents:
361
diff
changeset
|
2183 |
public static function acl_preprocess($parms) |
1 | 2184 |
{ |
2185 |
if ( !isset($parms['mode']) ) |
|
2186 |
// Nothing to do |
|
2187 |
return $parms; |
|
2188 |
switch ( $parms['mode'] ) |
|
2189 |
{ |
|
2190 |
case 'seltarget': |
|
2191 |
||
2192 |
// Who's affected? |
|
2193 |
$parms['target_type'] = intval( $parms['target_type'] ); |
|
2194 |
$parms['target_id'] = ( $parms['target_type'] == ACL_TYPE_GROUP ) ? $parms['target_id_grp'] : $parms['target_id_user']; |
|
2195 |
||
2196 |
case 'save_edit': |
|
2197 |
case 'save_new': |
|
2198 |
if ( isset($parms['act_delete_rule']) ) |
|
2199 |
{ |
|
2200 |
$parms['mode'] = 'delete'; |
|
2201 |
} |
|
2202 |
||
2203 |
// Scope (just this page or entire site?) |
|
2204 |
if ( $parms['scope'] == 'entire_site' || ( $parms['page_id'] == 'false' && $parms['namespace'] == 'false' ) ) |
|
2205 |
{ |
|
2206 |
$parms['page_id'] = false; |
|
2207 |
$parms['namespace'] = false; |
|
2208 |
} |
|
103
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
parents:
102
diff
changeset
|
2209 |
else if ( $parms['scope'] == 'page_group' ) |
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
parents:
102
diff
changeset
|
2210 |
{ |
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
parents:
102
diff
changeset
|
2211 |
$parms['page_id'] = $parms['pg_id']; |
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
parents:
102
diff
changeset
|
2212 |
$parms['namespace'] = '__PageGroup'; |
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
parents:
102
diff
changeset
|
2213 |
} |
1 | 2214 |
|
2215 |
break; |
|
2216 |
} |
|
2217 |
||
2218 |
if ( isset($parms['act_go_stage1']) ) |
|
2219 |
{ |
|
2220 |
$parms = array( |
|
2221 |
'mode' => 'listgroups' |
|
2222 |
); |
|
2223 |
} |
|
2224 |
||
2225 |
return $parms; |
|
2226 |
} |
|
2227 |
||
372
5bd429428101
A number of scattered changes. Profiler added and only enabled in debug mode (currently on), but awfully useful for fixing performance in the future. Started work on Admin:LangManager
Dan
parents:
361
diff
changeset
|
2228 |
public static function acl_postprocess($response) |
1 | 2229 |
{ |
2230 |
if(!isset($response['mode'])) |
|
2231 |
{ |
|
2232 |
if ( isset($response['groups']) ) |
|
2233 |
$response['mode'] = 'stage1'; |
|
2234 |
else |
|
2235 |
$response = Array( |
|
2236 |
'mode' => 'error', |
|
2237 |
'error' => 'Invalid action passed by API backend.', |
|
2238 |
); |
|
2239 |
} |
|
2240 |
return $response; |
|
2241 |
} |
|
2242 |
||
2243 |
} |
|
2244 |
||
513 | 2245 |
/** |
2246 |
* Generates a graphical key showing how the ACL rule list works. |
|
2247 |
* @return string |
|
2248 |
*/ |
|
2249 |
||
2250 |
function acl_list_draw_key() |
|
2251 |
{ |
|
2252 |
$out = '<div style="width: 460px; margin: 0 auto; text-align: center; margin-bottom: 10px;">'; |
|
2253 |
$out .= '<div style="float: left;">← Deny</div>'; |
|
2254 |
$out .= '<div style="float: right;">Allow →</div>'; |
|
2255 |
$out .= 'Neutral'; |
|
2256 |
$out .= '<div style="clear: both;"></div>'; |
|
2257 |
// 11 boxes on each side of the center |
|
2258 |
$inc = ceil ( ( 0xFF - ACL_SCALE_MINIMAL_SHADE ) / 11 ); |
|
2259 |
for ( $i = ACL_SCALE_MINIMAL_SHADE; $i <= 0xFF; $i+= $inc ) |
|
2260 |
{ |
|
2261 |
$octet = dechex($i); |
|
2262 |
$color = "ff$octet$octet"; |
|
2263 |
$out .= '<div style="background-color: #' . $color . '; float: left; width: 20px;"> </div>'; |
|
2264 |
} |
|
2265 |
$out .= '<div style="background-color: #efefef; float: left; width: 20px;"> </div>'; |
|
2266 |
for ( $i = 0xFF; $i >= ACL_SCALE_MINIMAL_SHADE; $i-= $inc ) |
|
2267 |
{ |
|
2268 |
$octet = dechex($i); |
|
2269 |
$color = "{$octet}ff{$octet}"; |
|
2270 |
$out .= '<div style="background-color: #' . $color . '; float: left; width: 20px;"> </div>'; |
|
2271 |
} |
|
2272 |
$out .= '<div style="clear: both;"></div>'; |
|
2273 |
$out .= '<div style="float: left;">-100</div>'; |
|
2274 |
$out .= '<div style="float: right;">+100</div>'; |
|
2275 |
$out .= '0'; |
|
2276 |
$out .= '</div>'; |
|
2277 |
return $out; |
|
2278 |
} |
|
2279 |
||
2280 |
/** |
|
2281 |
* Gets the numerical score for the serialized form of an ACL rule |
|
2282 |
*/ |
|
2283 |
||
2284 |
function get_acl_rule_score($perms) |
|
2285 |
{ |
|
2286 |
global $db, $session, $paths, $template, $plugins; // Common objects |
|
2287 |
if ( is_string($perms) ) |
|
2288 |
$perms = $session->string_to_perm($perms); |
|
2289 |
else if ( !is_array($perms) ) |
|
2290 |
return false; |
|
2291 |
$score = 0; |
|
2292 |
foreach ( $perms as $item ) |
|
2293 |
{ |
|
2294 |
switch ( $item ) |
|
2295 |
{ |
|
2296 |
case AUTH_ALLOW : |
|
2297 |
$inc = 2; |
|
2298 |
break; |
|
2299 |
case AUTH_WIKIMODE: |
|
2300 |
$inc = 1; |
|
2301 |
break; |
|
2302 |
case AUTH_DISALLOW: |
|
2303 |
$inc = -1; |
|
2304 |
break; |
|
2305 |
case AUTH_DENY: |
|
2306 |
$inc = -2; |
|
2307 |
break; |
|
2308 |
default: |
|
2309 |
$inc = 0; |
|
2310 |
break; |
|
2311 |
} |
|
2312 |
$score += $inc; |
|
2313 |
} |
|
2314 |
// this is different from the beta; calculate highest score and |
|
2315 |
// get percentage to be fairer to smaller/less broad rules |
|
2316 |
$divisor = count($perms) * 2; |
|
2317 |
if ( $divisor == 0 ) |
|
2318 |
{ |
|
2319 |
return 0; |
|
2320 |
} |
|
2321 |
$score = 100 * ( $score / $divisor ); |
|
2322 |
return round($score); |
|
2323 |
} |
|
2324 |
||
1 | 2325 |
?> |