ajax.php
changeset 80 cb7dde69c301
parent 76 608dee512bf0
child 81 d7fc25acd3f3
--- a/ajax.php	Mon Jul 30 10:46:17 2007 -0400
+++ b/ajax.php	Wed Aug 01 13:39:27 2007 -0400
@@ -224,7 +224,7 @@
       $json = new Services_JSON(SERVICES_JSON_LOOSE_TYPE);
       
       $ret = array('tags' => array(), 'user_level' => $session->user_level, 'can_add' => $session->get_permissions('tag_create'));
-      $q = $db->sql_query('SELECT t.tag_id, t.tag_name, pg.pg_target IS NULL AS used_in_acl, t.user FROM '.table_prefix.'tags AS t
+      $q = $db->sql_query('SELECT t.tag_id, t.tag_name, pg.pg_target IS NOT NULL AS used_in_acl, t.user FROM '.table_prefix.'tags AS t
         LEFT JOIN '.table_prefix.'page_groups AS pg
           ON ( ( pg.pg_type = ' . PAGE_GRP_TAGGED . ' AND pg.pg_target=t.tag_name ) OR ( pg.pg_type IS NULL AND pg.pg_target IS NULL ) )
         WHERE t.page_id=\'' . $db->escape($paths->cpage['urlname_nons']) . '\' AND t.namespace=\'' . $db->escape($paths->namespace) . '\';');
@@ -233,21 +233,141 @@
       
       while ( $row = $db->fetchrow() )
       {
-        $can_del = ( 
-          ( $session->get_permissions('tag_delete_own') && $row['user'] == $session->user_id && $session->user_logged_in ) || // User created the tag and can remove own tags
-          ( $session->get_permissions('tag_delete_other') && $row['used_in_acl'] != 1 ) || // User can remove tags and the tag isn't used in an ACL (page group)
-          ( $row['used_in_acl'] == 1 && $session->get_permissions('tag_delete_own') && $session->get_permissions('tag_delete_other') && ( $session->get_permissions('edit_acl') || $session->user_level >= USER_LEVEL_ADMIN ) )
-          );
+        $can_del = true;
+        
+        $perm = ( $row['user'] != $session->user_id ) ?
+                'tag_delete_other' :
+                'tag_delete_own';
+        
+        if ( $row['user'] == 1 && !$session->user_logged_in )
+          // anonymous user trying to delete tag (hardcode blacklisted)
+          $can_del = false;
+          
+        if ( !$session->get_permissions($perm) )
+          $can_del = false;
+        
+        if ( $row['used_in_acl'] == 1 && !$session->get_permissions('edit_acl') && $session->user_level < USER_LEVEL_ADMIN )
+          $can_del = false;
+        
         $ret['tags'][] = array(
           'id' => $row['tag_id'],
           'name' => $row['tag_name'],
-          'can_del' => $can_del
+          'can_del' => $can_del,
+          'acl' => ( $row['used_in_acl'] == 1 )
         );
       }
       
       echo $json->encode($ret);
       
       break;
+    case 'addtag':
+      $json = new Services_JSON(SERVICES_JSON_LOOSE_TYPE);
+      $resp = array(
+          'success' => false,
+          'error' => 'No error',
+          'can_del' => ( $session->get_permissions('tag_delete_own') && $session->user_logged_in ),
+          'in_acl' => false
+        );
+      
+      // first of course, are we allowed to tag pages?
+      if ( !$session->get_permissions('tag_create') )
+      {
+        $resp['error'] = 'You are not permitted to tag pages.';
+        die($json->encode($resp));
+      }
+      
+      // sanitize the tag name
+      $tag = sanitize_tag($_POST['tag']);
+      $tag = $db->escape($tag);
+      
+      if ( strlen($tag) < 2 )
+      {
+        $resp['error'] = 'Tags must consist of at least 2 alphanumeric characters.';
+        die($json->encode($resp));
+      }
+      
+      // check if tag is already on page
+      $q = $db->sql_query('SELECT 1 FROM '.table_prefix.'tags WHERE page_id=\'' . $db->escape($paths->cpage['urlname_nons']) . '\' AND namespace=\'' . $db->escape($paths->namespace) . '\' AND tag_name=\'' . $tag . '\';');
+      if ( !$q )
+        $db->_die();
+      if ( $db->numrows() > 0 )
+      {
+        $resp['error'] = 'This page already has this tag.';
+        die($json->encode($resp));
+      }
+      $db->free_result();
+      
+      // tricky: make sure this tag isn't being used in some page group, and thus adding it could affect page access
+      $can_edit_acl = ( $session->get_permissions('edit_acl') || $session->user_level >= USER_LEVEL_ADMIN );
+      $q = $db->sql_query('SELECT 1 FROM '.table_prefix.'page_groups WHERE pg_type=' . PAGE_GRP_TAGGED . ' AND pg_target=\'' . $tag . '\';');
+      if ( !$q )
+        $db->_die();
+      if ( $db->numrows() > 0 && !$can_edit_acl )
+      {
+        $resp['error'] = 'This tag is used in an ACL page group, and thus can\'t be added to a page by people without administrator privileges.';
+        die($json->encode($resp));
+      }
+      $resp['in_acl'] = ( $db->numrows() > 0 );
+      $db->free_result();
+      
+      // we're good
+      $q = $db->sql_query('INSERT INTO '.table_prefix.'tags(tag_name,page_id,namespace,user) VALUES(\'' . $tag . '\', \'' . $db->escape($paths->cpage['urlname_nons']) . '\', \'' . $db->escape($paths->namespace) . '\', ' . $session->user_id . ');');
+      if ( !$q )
+        $db->_die();
+      
+      $resp['success'] = true;
+      $resp['tag'] = $tag;
+      $resp['tag_id'] = $db->insert_id();
+      
+      echo $json->encode($resp);
+      break;
+    case 'deltag':
+      
+      $tag_id = intval($_POST['tag_id']);
+      if ( empty($tag_id) )
+        die('Invalid tag ID');
+      
+      $q = $db->sql_query('SELECT t.tag_id, t.user, t.page_id, t.namespace, pg.pg_target IS NOT NULL AS used_in_acl FROM '.table_prefix.'tags AS t
+  LEFT JOIN '.table_prefix.'page_groups AS pg
+    ON ( pg.pg_id IS NULL OR ( pg.pg_target = t.tag_name AND pg.pg_type = ' . PAGE_GRP_TAGGED . ' ) )
+  WHERE t.tag_id=' . $tag_id . ';');
+      
+      if ( !$q )
+        $db->_die();
+      
+      if ( $db->numrows() < 1 )
+        die('Could not find a tag with that ID');
+      
+      $row = $db->fetchrow();
+      $db->free_result();
+      
+      if ( $row['page_id'] == $paths->cpage['urlname_nons'] && $row['namespace'] == $paths->namespace )
+        $perms =& $session;
+      else
+        $perms = $session->fetch_page_acl($row['page_id'], $row['namespace']);
+        
+      $perm = ( $row['user'] != $session->user_id ) ?
+                'tag_delete_other' :
+                'tag_delete_own';
+      
+      if ( $row['user'] == 1 && !$session->user_logged_in )
+        // anonymous user trying to delete tag (hardcode blacklisted)
+        die('You are not authorized to delete this tag.');
+        
+      if ( !$perms->get_permissions($perm) )
+        die('You are not authorized to delete this tag.');
+      
+      if ( $row['used_in_acl'] == 1 && !$perms->get_permissions('edit_acl') && $session->user_level < USER_LEVEL_ADMIN )
+        die('You are not authorized to delete this tag.');
+      
+      // We're good
+      $q = $db->sql_query('DELETE FROM '.table_prefix.'tags WHERE tag_id = ' . $tag_id . ';');
+      if ( !$q )
+        $db->_die();
+      
+      echo 'success';
+      
+      break;
     default:
       die('Hacking attempt');
       break;