plugins/admin/UserRanks.php
author Dan Fuhry <dan@enanocms.org>
Fri, 20 Aug 2010 01:36:44 -0400
changeset 1292 0e2e476e90e8
parent 1227 bdac73ed481e
permissions -rw-r--r--
Fixed some ACL scope warnings

<?php

/*
 * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between
 * Copyright (C) 2006-2009 Dan Fuhry
 *
 * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied
 * warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for details.
 */

function page_Admin_UserRanks()
{
	global $db, $session, $paths, $template, $plugins; // Common objects
	global $lang;
	if ( $session->auth_level < USER_LEVEL_ADMIN || $session->user_level < USER_LEVEL_ADMIN )
	{
		$login_link = makeUrlNS('Special', 'Login/' . $paths->nslist['Special'] . 'Administration', 'level=' . USER_LEVEL_ADMIN, true);
		echo '<h3>' . $lang->get('adm_err_not_auth_title') . '</h3>';
		echo '<p>' . $lang->get('adm_err_not_auth_body', array( 'login_link' => $login_link )) . '</p>';
		return;
	}
	
	// This should be a constant somewhere
	$protected_ranks = array(
			RANK_ID_MEMBER,
			RANK_ID_MOD,
			RANK_ID_ADMIN,
			RANK_ID_GUEST
		);
	
	if ( $paths->getParam(0) == 'action.json' )
	{
		// ajax call, try to decode json request
		header('Content-type: application/json');
		
		if ( !isset($_POST['r']) )
		{
			echo enano_json_encode(array(
					'mode' => 'error',
					'error' => 'Missing JSON request payload'
				));
			return true;
		}
		try
		{
			$request = enano_json_decode($_POST['r']);
		}
		catch ( Exception $e )
		{
			echo enano_json_encode(array(
					'mode' => 'error',
					'error' => 'Invalid JSON request payload'
				));
			return true;
		}
		
		if ( !isset($request['mode']) )
		{
			echo enano_json_encode(array(
					'mode' => 'error',
					'error' => 'JSON request payload does not contain required parameter "mode"'
				));
			return true;
		}
		
		// we've got it
		switch ( $request['mode'] )
		{
			case 'get_rank':
				// easy enough, get a rank from the DB
				$rank_id = intval(@$request['rank_id']);
				if ( empty($rank_id) )
				{
					echo enano_json_encode(array(
							'mode' => 'error',
							'error' => 'Missing rank ID'
						));
					return true;
				}
				// query and fetch
				$q = $db->sql_query('SELECT rank_id, rank_title, rank_style FROM ' . table_prefix . "ranks WHERE rank_id = $rank_id;");
				if ( !$q || $db->numrows() < 1 )
					$db->die_json();
				
				$row = $db->fetchrow();
				$db->free_result();
				
				// why does mysql do this?
				$row['rank_id'] = intval($row['rank_id']);
				echo enano_json_encode($row);
				break;
			case 'save_rank':
				// easy enough, get a rank from the DB
				$rank_id = intval(@$request['rank_id']);
				// note - an empty rank_style field is permitted
				if ( empty($rank_id) )
				{
					echo enano_json_encode(array(
							'mode' => 'error',
							'error' => 'Missing rank ID'
						));
					return true;
				}
				
				if ( empty($request['rank_title']) )
				{
					echo enano_json_encode(array(
							'mode' => 'error',
							'error' => $lang->get('acpur_err_missing_rank_title')
						));
					return true;
				}
				
				// perform update
				$rank_title = $db->escape($request['rank_title']);
				$rank_style = $db->escape(@$request['rank_style']);
				$q = $db->sql_query('UPDATE ' . table_prefix . "ranks SET rank_title = '$rank_title', rank_style = '$rank_style' WHERE rank_id = $rank_id;");
				
				// regenerate the ranks cache
				generate_cache_userranks();
				
				echo enano_json_encode(array(
						'mode' => 'success'
					));
				break;
			case 'create_rank':
				if ( empty($request['rank_title']) )
				{
					echo enano_json_encode(array(
							'mode' => 'error',
							'error' => $lang->get('acpur_err_missing_rank_title')
						));
					return true;
				}
				
				$rank_title = $db->escape($request['rank_title']);
				$rank_style = $db->escape(@$request['rank_style']);
				
				// perform insert
				$q = $db->sql_query('INSERT INTO ' . table_prefix . "ranks ( rank_title, rank_style ) VALUES\n"
													. "  ( '$rank_title', '$rank_style' );");
				if ( !$q )
					$db->die_json();
				
				$rank_id = $db->insert_id();
				if ( !$rank_id )
				{
					echo enano_json_encode(array(
							'mode' => 'error',
							'error' => 'Refetch of rank ID failed'
						));
					return true;
				}
				
				// regenerate the ranks cache
				generate_cache_userranks();
				
				echo enano_json_encode(array(
						'mode' => 'success',
						'rank_id' => $rank_id
					));
				break;
			case 'delete_rank':
				// nuke a rank
				$rank_id = intval(@$request['rank_id']);
				if ( empty($rank_id) )
				{
					echo enano_json_encode(array(
							'mode' => 'error',
							'error' => 'Missing rank ID'
						));
					return true;
				}
				
				// is this rank protected (e.g. a system rank)?
				if ( in_array($rank_id, $protected_ranks) )
				{
					echo enano_json_encode(array(
							'mode' => 'error',
							'error' => $lang->get('acpur_err_cant_delete_system_rank')
						));
					return true;
				}
				
				// unset any user and groups that might be using it
				$q = $db->sql_query('UPDATE ' . table_prefix . "users SET user_rank = NULL WHERE user_rank = $rank_id;");
				if ( !$q )
					$db->die_json();
				$q = $db->sql_query('UPDATE ' . table_prefix . "groups SET group_rank = NULL WHERE group_rank = $rank_id;");
				if ( !$q )
					$db->die_json();
				
				// now remove the rank itself
				$q = $db->sql_query('DELETE FROM ' . table_prefix . "ranks WHERE rank_id = $rank_id;");
				if ( !$q )
					$db->_die();
				
				// regenerate the ranks cache
				generate_cache_userranks();
				
				echo enano_json_encode(array(
						'mode' => 'success'
					));
				break;
			default:
				echo enano_json_encode(array(
					'mode' => 'error',
					'error' => 'Unknown requested operation'
				));
			return true;
		}
		return true;
	}
	
	// draw initial interface
	// yes, four paragraphs of introduction. Suck it up.
	echo '<h3>' . $lang->get('acpur_heading_main') . '</h3>';
	echo '<p>' . $lang->get('acpur_intro_para1') . '</p>';
	echo '<p>' . $lang->get('acpur_intro_para2') . '</p>';
	echo '<p>' . $lang->get('acpur_intro_para3') . '</p>';
	echo '<p>' . $lang->get('acpur_intro_para4') . '</p>';
	
	// fetch ranks
	$q = $db->sql_query('SELECT rank_id, rank_title, rank_style FROM ' . table_prefix . "ranks ORDER BY rank_title ASC;");
	if ( !$q )
		$db->_die();
	
	echo '<div class="rankadmin-left" id="admin_ranks_container_left">';
	while ( $row = $db->fetchrow() )
	{
		// format rank according to what its users look like
		// rank titles can be stored as language strings, so have the language manager fetch this
		// normally it refetches (which takes time) if a string isn't found, but it won't try to fetch
		// a string that isn't in the category_stringid format
		$rank_title = $lang->get($row['rank_title']);
		// FIXME: make sure htmlspecialchars() is escaping quotes and backslashes
		echo '<a href="#rank_edit:' . $row['rank_id'] . '" onclick="ajaxInitRankEdit(' . $row['rank_id'] . '); return false;" class="rankadmin-editlink" style="' . htmlspecialchars($row['rank_style']) . '" id="rankadmin_editlink_' . $row['rank_id'] . '">' . htmlspecialchars($rank_title) . '</a> ';
	}
	echo '<a href="#rank_create" onclick="ajaxInitRankCreate(); return false;" class="rankadmin-editlink rankadmin-createlink" id="rankadmin_createlink">' . $lang->get('acpur_btn_create_init') . '</a> ';
	echo '</div>';
	
	echo '<div class="rankadmin-right" id="admin_ranks_container_right">';
	echo $lang->get('acpur_msg_select_rank');
	echo '</div>';
	echo '<span class="menuclear"></span>';
}

?>