diff -r de56132c008d -r bdac73ed481e plugins/admin/UserRanks.php --- a/plugins/admin/UserRanks.php Sun Mar 28 21:49:26 2010 -0400 +++ b/plugins/admin/UserRanks.php Sun Mar 28 23:10:46 2010 -0400 @@ -13,239 +13,239 @@ function page_Admin_UserRanks() { - global $db, $session, $paths, $template, $plugins; // Common objects - global $lang; - if ( $session->auth_level < USER_LEVEL_ADMIN || $session->user_level < USER_LEVEL_ADMIN ) - { - $login_link = makeUrlNS('Special', 'Login/' . $paths->nslist['Special'] . 'Administration', 'level=' . USER_LEVEL_ADMIN, true); - echo '<h3>' . $lang->get('adm_err_not_auth_title') . '</h3>'; - echo '<p>' . $lang->get('adm_err_not_auth_body', array( 'login_link' => $login_link )) . '</p>'; - return; - } - - // This should be a constant somewhere - $protected_ranks = array( - RANK_ID_MEMBER, - RANK_ID_MOD, - RANK_ID_ADMIN, - RANK_ID_GUEST - ); - - if ( $paths->getParam(0) == 'action.json' ) - { - // ajax call, try to decode json request - header('Content-type: application/json'); - - if ( !isset($_POST['r']) ) - { - echo enano_json_encode(array( - 'mode' => 'error', - 'error' => 'Missing JSON request payload' - )); - return true; - } - try - { - $request = enano_json_decode($_POST['r']); - } - catch ( Exception $e ) - { - echo enano_json_encode(array( - 'mode' => 'error', - 'error' => 'Invalid JSON request payload' - )); - return true; - } - - if ( !isset($request['mode']) ) - { - echo enano_json_encode(array( - 'mode' => 'error', - 'error' => 'JSON request payload does not contain required parameter "mode"' - )); - return true; - } - - // we've got it - switch ( $request['mode'] ) - { - case 'get_rank': - // easy enough, get a rank from the DB - $rank_id = intval(@$request['rank_id']); - if ( empty($rank_id) ) - { - echo enano_json_encode(array( - 'mode' => 'error', - 'error' => 'Missing rank ID' - )); - return true; - } - // query and fetch - $q = $db->sql_query('SELECT rank_id, rank_title, rank_style FROM ' . table_prefix . "ranks WHERE rank_id = $rank_id;"); - if ( !$q || $db->numrows() < 1 ) - $db->die_json(); - - $row = $db->fetchrow(); - $db->free_result(); - - // why does mysql do this? - $row['rank_id'] = intval($row['rank_id']); - echo enano_json_encode($row); - break; - case 'save_rank': - // easy enough, get a rank from the DB - $rank_id = intval(@$request['rank_id']); - // note - an empty rank_style field is permitted - if ( empty($rank_id) ) - { - echo enano_json_encode(array( - 'mode' => 'error', - 'error' => 'Missing rank ID' - )); - return true; - } - - if ( empty($request['rank_title']) ) - { - echo enano_json_encode(array( - 'mode' => 'error', - 'error' => $lang->get('acpur_err_missing_rank_title') - )); - return true; - } - - // perform update - $rank_title = $db->escape($request['rank_title']); - $rank_style = $db->escape(@$request['rank_style']); - $q = $db->sql_query('UPDATE ' . table_prefix . "ranks SET rank_title = '$rank_title', rank_style = '$rank_style' WHERE rank_id = $rank_id;"); - - // regenerate the ranks cache - generate_cache_userranks(); - - echo enano_json_encode(array( - 'mode' => 'success' - )); - break; - case 'create_rank': - if ( empty($request['rank_title']) ) - { - echo enano_json_encode(array( - 'mode' => 'error', - 'error' => $lang->get('acpur_err_missing_rank_title') - )); - return true; - } - - $rank_title = $db->escape($request['rank_title']); - $rank_style = $db->escape(@$request['rank_style']); - - // perform insert - $q = $db->sql_query('INSERT INTO ' . table_prefix . "ranks ( rank_title, rank_style ) VALUES\n" - . " ( '$rank_title', '$rank_style' );"); - if ( !$q ) - $db->die_json(); - - $rank_id = $db->insert_id(); - if ( !$rank_id ) - { - echo enano_json_encode(array( - 'mode' => 'error', - 'error' => 'Refetch of rank ID failed' - )); - return true; - } - - // regenerate the ranks cache - generate_cache_userranks(); - - echo enano_json_encode(array( - 'mode' => 'success', - 'rank_id' => $rank_id - )); - break; - case 'delete_rank': - // nuke a rank - $rank_id = intval(@$request['rank_id']); - if ( empty($rank_id) ) - { - echo enano_json_encode(array( - 'mode' => 'error', - 'error' => 'Missing rank ID' - )); - return true; - } - - // is this rank protected (e.g. a system rank)? - if ( in_array($rank_id, $protected_ranks) ) - { - echo enano_json_encode(array( - 'mode' => 'error', - 'error' => $lang->get('acpur_err_cant_delete_system_rank') - )); - return true; - } - - // unset any user and groups that might be using it - $q = $db->sql_query('UPDATE ' . table_prefix . "users SET user_rank = NULL WHERE user_rank = $rank_id;"); - if ( !$q ) - $db->die_json(); - $q = $db->sql_query('UPDATE ' . table_prefix . "groups SET group_rank = NULL WHERE group_rank = $rank_id;"); - if ( !$q ) - $db->die_json(); - - // now remove the rank itself - $q = $db->sql_query('DELETE FROM ' . table_prefix . "ranks WHERE rank_id = $rank_id;"); - if ( !$q ) - $db->_die(); - - // regenerate the ranks cache - generate_cache_userranks(); - - echo enano_json_encode(array( - 'mode' => 'success' - )); - break; - default: - echo enano_json_encode(array( - 'mode' => 'error', - 'error' => 'Unknown requested operation' - )); - return true; - } - return true; - } - - // draw initial interface - // yes, four paragraphs of introduction. Suck it up. - echo '<h3>' . $lang->get('acpur_heading_main') . '</h3>'; - echo '<p>' . $lang->get('acpur_intro_para1') . '</p>'; - echo '<p>' . $lang->get('acpur_intro_para2') . '</p>'; - echo '<p>' . $lang->get('acpur_intro_para3') . '</p>'; - echo '<p>' . $lang->get('acpur_intro_para4') . '</p>'; - - // fetch ranks - $q = $db->sql_query('SELECT rank_id, rank_title, rank_style FROM ' . table_prefix . "ranks ORDER BY rank_title ASC;"); - if ( !$q ) - $db->_die(); - - echo '<div class="rankadmin-left" id="admin_ranks_container_left">'; - while ( $row = $db->fetchrow() ) - { - // format rank according to what its users look like - // rank titles can be stored as language strings, so have the language manager fetch this - // normally it refetches (which takes time) if a string isn't found, but it won't try to fetch - // a string that isn't in the category_stringid format - $rank_title = $lang->get($row['rank_title']); - // FIXME: make sure htmlspecialchars() is escaping quotes and backslashes - echo '<a href="#rank_edit:' . $row['rank_id'] . '" onclick="ajaxInitRankEdit(' . $row['rank_id'] . '); return false;" class="rankadmin-editlink" style="' . htmlspecialchars($row['rank_style']) . '" id="rankadmin_editlink_' . $row['rank_id'] . '">' . htmlspecialchars($rank_title) . '</a> '; - } - echo '<a href="#rank_create" onclick="ajaxInitRankCreate(); return false;" class="rankadmin-editlink rankadmin-createlink" id="rankadmin_createlink">' . $lang->get('acpur_btn_create_init') . '</a> '; - echo '</div>'; - - echo '<div class="rankadmin-right" id="admin_ranks_container_right">'; - echo $lang->get('acpur_msg_select_rank'); - echo '</div>'; - echo '<span class="menuclear"></span>'; + global $db, $session, $paths, $template, $plugins; // Common objects + global $lang; + if ( $session->auth_level < USER_LEVEL_ADMIN || $session->user_level < USER_LEVEL_ADMIN ) + { + $login_link = makeUrlNS('Special', 'Login/' . $paths->nslist['Special'] . 'Administration', 'level=' . USER_LEVEL_ADMIN, true); + echo '<h3>' . $lang->get('adm_err_not_auth_title') . '</h3>'; + echo '<p>' . $lang->get('adm_err_not_auth_body', array( 'login_link' => $login_link )) . '</p>'; + return; + } + + // This should be a constant somewhere + $protected_ranks = array( + RANK_ID_MEMBER, + RANK_ID_MOD, + RANK_ID_ADMIN, + RANK_ID_GUEST + ); + + if ( $paths->getParam(0) == 'action.json' ) + { + // ajax call, try to decode json request + header('Content-type: application/json'); + + if ( !isset($_POST['r']) ) + { + echo enano_json_encode(array( + 'mode' => 'error', + 'error' => 'Missing JSON request payload' + )); + return true; + } + try + { + $request = enano_json_decode($_POST['r']); + } + catch ( Exception $e ) + { + echo enano_json_encode(array( + 'mode' => 'error', + 'error' => 'Invalid JSON request payload' + )); + return true; + } + + if ( !isset($request['mode']) ) + { + echo enano_json_encode(array( + 'mode' => 'error', + 'error' => 'JSON request payload does not contain required parameter "mode"' + )); + return true; + } + + // we've got it + switch ( $request['mode'] ) + { + case 'get_rank': + // easy enough, get a rank from the DB + $rank_id = intval(@$request['rank_id']); + if ( empty($rank_id) ) + { + echo enano_json_encode(array( + 'mode' => 'error', + 'error' => 'Missing rank ID' + )); + return true; + } + // query and fetch + $q = $db->sql_query('SELECT rank_id, rank_title, rank_style FROM ' . table_prefix . "ranks WHERE rank_id = $rank_id;"); + if ( !$q || $db->numrows() < 1 ) + $db->die_json(); + + $row = $db->fetchrow(); + $db->free_result(); + + // why does mysql do this? + $row['rank_id'] = intval($row['rank_id']); + echo enano_json_encode($row); + break; + case 'save_rank': + // easy enough, get a rank from the DB + $rank_id = intval(@$request['rank_id']); + // note - an empty rank_style field is permitted + if ( empty($rank_id) ) + { + echo enano_json_encode(array( + 'mode' => 'error', + 'error' => 'Missing rank ID' + )); + return true; + } + + if ( empty($request['rank_title']) ) + { + echo enano_json_encode(array( + 'mode' => 'error', + 'error' => $lang->get('acpur_err_missing_rank_title') + )); + return true; + } + + // perform update + $rank_title = $db->escape($request['rank_title']); + $rank_style = $db->escape(@$request['rank_style']); + $q = $db->sql_query('UPDATE ' . table_prefix . "ranks SET rank_title = '$rank_title', rank_style = '$rank_style' WHERE rank_id = $rank_id;"); + + // regenerate the ranks cache + generate_cache_userranks(); + + echo enano_json_encode(array( + 'mode' => 'success' + )); + break; + case 'create_rank': + if ( empty($request['rank_title']) ) + { + echo enano_json_encode(array( + 'mode' => 'error', + 'error' => $lang->get('acpur_err_missing_rank_title') + )); + return true; + } + + $rank_title = $db->escape($request['rank_title']); + $rank_style = $db->escape(@$request['rank_style']); + + // perform insert + $q = $db->sql_query('INSERT INTO ' . table_prefix . "ranks ( rank_title, rank_style ) VALUES\n" + . " ( '$rank_title', '$rank_style' );"); + if ( !$q ) + $db->die_json(); + + $rank_id = $db->insert_id(); + if ( !$rank_id ) + { + echo enano_json_encode(array( + 'mode' => 'error', + 'error' => 'Refetch of rank ID failed' + )); + return true; + } + + // regenerate the ranks cache + generate_cache_userranks(); + + echo enano_json_encode(array( + 'mode' => 'success', + 'rank_id' => $rank_id + )); + break; + case 'delete_rank': + // nuke a rank + $rank_id = intval(@$request['rank_id']); + if ( empty($rank_id) ) + { + echo enano_json_encode(array( + 'mode' => 'error', + 'error' => 'Missing rank ID' + )); + return true; + } + + // is this rank protected (e.g. a system rank)? + if ( in_array($rank_id, $protected_ranks) ) + { + echo enano_json_encode(array( + 'mode' => 'error', + 'error' => $lang->get('acpur_err_cant_delete_system_rank') + )); + return true; + } + + // unset any user and groups that might be using it + $q = $db->sql_query('UPDATE ' . table_prefix . "users SET user_rank = NULL WHERE user_rank = $rank_id;"); + if ( !$q ) + $db->die_json(); + $q = $db->sql_query('UPDATE ' . table_prefix . "groups SET group_rank = NULL WHERE group_rank = $rank_id;"); + if ( !$q ) + $db->die_json(); + + // now remove the rank itself + $q = $db->sql_query('DELETE FROM ' . table_prefix . "ranks WHERE rank_id = $rank_id;"); + if ( !$q ) + $db->_die(); + + // regenerate the ranks cache + generate_cache_userranks(); + + echo enano_json_encode(array( + 'mode' => 'success' + )); + break; + default: + echo enano_json_encode(array( + 'mode' => 'error', + 'error' => 'Unknown requested operation' + )); + return true; + } + return true; + } + + // draw initial interface + // yes, four paragraphs of introduction. Suck it up. + echo '<h3>' . $lang->get('acpur_heading_main') . '</h3>'; + echo '<p>' . $lang->get('acpur_intro_para1') . '</p>'; + echo '<p>' . $lang->get('acpur_intro_para2') . '</p>'; + echo '<p>' . $lang->get('acpur_intro_para3') . '</p>'; + echo '<p>' . $lang->get('acpur_intro_para4') . '</p>'; + + // fetch ranks + $q = $db->sql_query('SELECT rank_id, rank_title, rank_style FROM ' . table_prefix . "ranks ORDER BY rank_title ASC;"); + if ( !$q ) + $db->_die(); + + echo '<div class="rankadmin-left" id="admin_ranks_container_left">'; + while ( $row = $db->fetchrow() ) + { + // format rank according to what its users look like + // rank titles can be stored as language strings, so have the language manager fetch this + // normally it refetches (which takes time) if a string isn't found, but it won't try to fetch + // a string that isn't in the category_stringid format + $rank_title = $lang->get($row['rank_title']); + // FIXME: make sure htmlspecialchars() is escaping quotes and backslashes + echo '<a href="#rank_edit:' . $row['rank_id'] . '" onclick="ajaxInitRankEdit(' . $row['rank_id'] . '); return false;" class="rankadmin-editlink" style="' . htmlspecialchars($row['rank_style']) . '" id="rankadmin_editlink_' . $row['rank_id'] . '">' . htmlspecialchars($rank_title) . '</a> '; + } + echo '<a href="#rank_create" onclick="ajaxInitRankCreate(); return false;" class="rankadmin-editlink rankadmin-createlink" id="rankadmin_createlink">' . $lang->get('acpur_btn_create_init') . '</a> '; + echo '</div>'; + + echo '<div class="rankadmin-right" id="admin_ranks_container_right">'; + echo $lang->get('acpur_msg_select_rank'); + echo '</div>'; + echo '<span class="menuclear"></span>'; } ?>