222 break; |
222 break; |
223 case 'get_tags': |
223 case 'get_tags': |
224 $json = new Services_JSON(SERVICES_JSON_LOOSE_TYPE); |
224 $json = new Services_JSON(SERVICES_JSON_LOOSE_TYPE); |
225 |
225 |
226 $ret = array('tags' => array(), 'user_level' => $session->user_level, 'can_add' => $session->get_permissions('tag_create')); |
226 $ret = array('tags' => array(), 'user_level' => $session->user_level, 'can_add' => $session->get_permissions('tag_create')); |
227 $q = $db->sql_query('SELECT t.tag_id, t.tag_name, pg.pg_target IS NULL AS used_in_acl, t.user FROM '.table_prefix.'tags AS t |
227 $q = $db->sql_query('SELECT t.tag_id, t.tag_name, pg.pg_target IS NOT NULL AS used_in_acl, t.user FROM '.table_prefix.'tags AS t |
228 LEFT JOIN '.table_prefix.'page_groups AS pg |
228 LEFT JOIN '.table_prefix.'page_groups AS pg |
229 ON ( ( pg.pg_type = ' . PAGE_GRP_TAGGED . ' AND pg.pg_target=t.tag_name ) OR ( pg.pg_type IS NULL AND pg.pg_target IS NULL ) ) |
229 ON ( ( pg.pg_type = ' . PAGE_GRP_TAGGED . ' AND pg.pg_target=t.tag_name ) OR ( pg.pg_type IS NULL AND pg.pg_target IS NULL ) ) |
230 WHERE t.page_id=\'' . $db->escape($paths->cpage['urlname_nons']) . '\' AND t.namespace=\'' . $db->escape($paths->namespace) . '\';'); |
230 WHERE t.page_id=\'' . $db->escape($paths->cpage['urlname_nons']) . '\' AND t.namespace=\'' . $db->escape($paths->namespace) . '\';'); |
231 if ( !$q ) |
231 if ( !$q ) |
232 $db->_die(); |
232 $db->_die(); |
233 |
233 |
234 while ( $row = $db->fetchrow() ) |
234 while ( $row = $db->fetchrow() ) |
235 { |
235 { |
236 $can_del = ( |
236 $can_del = true; |
237 ( $session->get_permissions('tag_delete_own') && $row['user'] == $session->user_id && $session->user_logged_in ) || // User created the tag and can remove own tags |
237 |
238 ( $session->get_permissions('tag_delete_other') && $row['used_in_acl'] != 1 ) || // User can remove tags and the tag isn't used in an ACL (page group) |
238 $perm = ( $row['user'] != $session->user_id ) ? |
239 ( $row['used_in_acl'] == 1 && $session->get_permissions('tag_delete_own') && $session->get_permissions('tag_delete_other') && ( $session->get_permissions('edit_acl') || $session->user_level >= USER_LEVEL_ADMIN ) ) |
239 'tag_delete_other' : |
240 ); |
240 'tag_delete_own'; |
|
241 |
|
242 if ( $row['user'] == 1 && !$session->user_logged_in ) |
|
243 // anonymous user trying to delete tag (hardcode blacklisted) |
|
244 $can_del = false; |
|
245 |
|
246 if ( !$session->get_permissions($perm) ) |
|
247 $can_del = false; |
|
248 |
|
249 if ( $row['used_in_acl'] == 1 && !$session->get_permissions('edit_acl') && $session->user_level < USER_LEVEL_ADMIN ) |
|
250 $can_del = false; |
|
251 |
241 $ret['tags'][] = array( |
252 $ret['tags'][] = array( |
242 'id' => $row['tag_id'], |
253 'id' => $row['tag_id'], |
243 'name' => $row['tag_name'], |
254 'name' => $row['tag_name'], |
244 'can_del' => $can_del |
255 'can_del' => $can_del, |
|
256 'acl' => ( $row['used_in_acl'] == 1 ) |
245 ); |
257 ); |
246 } |
258 } |
247 |
259 |
248 echo $json->encode($ret); |
260 echo $json->encode($ret); |
|
261 |
|
262 break; |
|
263 case 'addtag': |
|
264 $json = new Services_JSON(SERVICES_JSON_LOOSE_TYPE); |
|
265 $resp = array( |
|
266 'success' => false, |
|
267 'error' => 'No error', |
|
268 'can_del' => ( $session->get_permissions('tag_delete_own') && $session->user_logged_in ), |
|
269 'in_acl' => false |
|
270 ); |
|
271 |
|
272 // first of course, are we allowed to tag pages? |
|
273 if ( !$session->get_permissions('tag_create') ) |
|
274 { |
|
275 $resp['error'] = 'You are not permitted to tag pages.'; |
|
276 die($json->encode($resp)); |
|
277 } |
|
278 |
|
279 // sanitize the tag name |
|
280 $tag = sanitize_tag($_POST['tag']); |
|
281 $tag = $db->escape($tag); |
|
282 |
|
283 if ( strlen($tag) < 2 ) |
|
284 { |
|
285 $resp['error'] = 'Tags must consist of at least 2 alphanumeric characters.'; |
|
286 die($json->encode($resp)); |
|
287 } |
|
288 |
|
289 // check if tag is already on page |
|
290 $q = $db->sql_query('SELECT 1 FROM '.table_prefix.'tags WHERE page_id=\'' . $db->escape($paths->cpage['urlname_nons']) . '\' AND namespace=\'' . $db->escape($paths->namespace) . '\' AND tag_name=\'' . $tag . '\';'); |
|
291 if ( !$q ) |
|
292 $db->_die(); |
|
293 if ( $db->numrows() > 0 ) |
|
294 { |
|
295 $resp['error'] = 'This page already has this tag.'; |
|
296 die($json->encode($resp)); |
|
297 } |
|
298 $db->free_result(); |
|
299 |
|
300 // tricky: make sure this tag isn't being used in some page group, and thus adding it could affect page access |
|
301 $can_edit_acl = ( $session->get_permissions('edit_acl') || $session->user_level >= USER_LEVEL_ADMIN ); |
|
302 $q = $db->sql_query('SELECT 1 FROM '.table_prefix.'page_groups WHERE pg_type=' . PAGE_GRP_TAGGED . ' AND pg_target=\'' . $tag . '\';'); |
|
303 if ( !$q ) |
|
304 $db->_die(); |
|
305 if ( $db->numrows() > 0 && !$can_edit_acl ) |
|
306 { |
|
307 $resp['error'] = 'This tag is used in an ACL page group, and thus can\'t be added to a page by people without administrator privileges.'; |
|
308 die($json->encode($resp)); |
|
309 } |
|
310 $resp['in_acl'] = ( $db->numrows() > 0 ); |
|
311 $db->free_result(); |
|
312 |
|
313 // we're good |
|
314 $q = $db->sql_query('INSERT INTO '.table_prefix.'tags(tag_name,page_id,namespace,user) VALUES(\'' . $tag . '\', \'' . $db->escape($paths->cpage['urlname_nons']) . '\', \'' . $db->escape($paths->namespace) . '\', ' . $session->user_id . ');'); |
|
315 if ( !$q ) |
|
316 $db->_die(); |
|
317 |
|
318 $resp['success'] = true; |
|
319 $resp['tag'] = $tag; |
|
320 $resp['tag_id'] = $db->insert_id(); |
|
321 |
|
322 echo $json->encode($resp); |
|
323 break; |
|
324 case 'deltag': |
|
325 |
|
326 $tag_id = intval($_POST['tag_id']); |
|
327 if ( empty($tag_id) ) |
|
328 die('Invalid tag ID'); |
|
329 |
|
330 $q = $db->sql_query('SELECT t.tag_id, t.user, t.page_id, t.namespace, pg.pg_target IS NOT NULL AS used_in_acl FROM '.table_prefix.'tags AS t |
|
331 LEFT JOIN '.table_prefix.'page_groups AS pg |
|
332 ON ( pg.pg_id IS NULL OR ( pg.pg_target = t.tag_name AND pg.pg_type = ' . PAGE_GRP_TAGGED . ' ) ) |
|
333 WHERE t.tag_id=' . $tag_id . ';'); |
|
334 |
|
335 if ( !$q ) |
|
336 $db->_die(); |
|
337 |
|
338 if ( $db->numrows() < 1 ) |
|
339 die('Could not find a tag with that ID'); |
|
340 |
|
341 $row = $db->fetchrow(); |
|
342 $db->free_result(); |
|
343 |
|
344 if ( $row['page_id'] == $paths->cpage['urlname_nons'] && $row['namespace'] == $paths->namespace ) |
|
345 $perms =& $session; |
|
346 else |
|
347 $perms = $session->fetch_page_acl($row['page_id'], $row['namespace']); |
|
348 |
|
349 $perm = ( $row['user'] != $session->user_id ) ? |
|
350 'tag_delete_other' : |
|
351 'tag_delete_own'; |
|
352 |
|
353 if ( $row['user'] == 1 && !$session->user_logged_in ) |
|
354 // anonymous user trying to delete tag (hardcode blacklisted) |
|
355 die('You are not authorized to delete this tag.'); |
|
356 |
|
357 if ( !$perms->get_permissions($perm) ) |
|
358 die('You are not authorized to delete this tag.'); |
|
359 |
|
360 if ( $row['used_in_acl'] == 1 && !$perms->get_permissions('edit_acl') && $session->user_level < USER_LEVEL_ADMIN ) |
|
361 die('You are not authorized to delete this tag.'); |
|
362 |
|
363 // We're good |
|
364 $q = $db->sql_query('DELETE FROM '.table_prefix.'tags WHERE tag_id = ' . $tag_id . ';'); |
|
365 if ( !$q ) |
|
366 $db->_die(); |
|
367 |
|
368 echo 'success'; |
249 |
369 |
250 break; |
370 break; |
251 default: |
371 default: |
252 die('Hacking attempt'); |
372 die('Hacking attempt'); |
253 break; |
373 break; |