diff -r de56132c008d -r bdac73ed481e plugins/admin/UserRanks.php
--- a/plugins/admin/UserRanks.php Sun Mar 28 21:49:26 2010 -0400
+++ b/plugins/admin/UserRanks.php Sun Mar 28 23:10:46 2010 -0400
@@ -13,239 +13,239 @@
 function page_Admin_UserRanks()
 {
- global $db, $session, $paths, $template, $plugins; // Common objects
- global $lang;
- if ( $session->auth_level < USER_LEVEL_ADMIN || $session->user_level < USER_LEVEL_ADMIN )
- {
- $login_link = makeUrlNS('Special', 'Login/' . $paths->nslist['Special'] . 'Administration', 'level=' . USER_LEVEL_ADMIN, true);
- echo '

' . $lang->get('adm_err_not_auth_title') . '

';
- echo '

' . $lang->get('adm_err_not_auth_body', array( 'login_link' => $login_link )) . '

';
- return;
- }
-
- // This should be a constant somewhere
- $protected_ranks = array(
- RANK_ID_MEMBER,
- RANK_ID_MOD,
- RANK_ID_ADMIN,
- RANK_ID_GUEST
- );
-
- if ( $paths->getParam(0) == 'action.json' )
- {
- // ajax call, try to decode json request
- header('Content-type: application/json');
-
- if ( !isset($_POST['r']) )
- {
- echo enano_json_encode(array(
- 'mode' => 'error',
- 'error' => 'Missing JSON request payload'
- ));
- return true;
- }
- try
- {
- $request = enano_json_decode($_POST['r']);
- }
- catch ( Exception $e )
- {
- echo enano_json_encode(array(
- 'mode' => 'error',
- 'error' => 'Invalid JSON request payload'
- ));
- return true;
- }
-
- if ( !isset($request['mode']) )
- {
- echo enano_json_encode(array(
- 'mode' => 'error',
- 'error' => 'JSON request payload does not contain required parameter "mode"'
- ));
- return true;
- }
-
- // we've got it
- switch ( $request['mode'] )
- {
- case 'get_rank':
- // easy enough, get a rank from the DB
- $rank_id = intval(@$request['rank_id']);
- if ( empty($rank_id) )
- {
- echo enano_json_encode(array(
- 'mode' => 'error',
- 'error' => 'Missing rank ID'
- ));
- return true;
- }
- // query and fetch
- $q = $db->sql_query('SELECT rank_id, rank_title, rank_style FROM ' . table_prefix . "ranks WHERE rank_id = $rank_id;");
- if ( !$q || $db->numrows() < 1 )
- $db->die_json();
-
- $row = $db->fetchrow();
- $db->free_result();
-
- // why does mysql do this?
- $row['rank_id'] = intval($row['rank_id']);
- echo enano_json_encode($row);
- break;
- case 'save_rank':
- // easy enough, get a rank from the DB
- $rank_id = intval(@$request['rank_id']);
- // note - an empty rank_style field is permitted
- if ( empty($rank_id) )
- {
- echo enano_json_encode(array(
- 'mode' => 'error',
- 'error' => 'Missing rank ID'
- ));
- return true;
- }
-
- if ( empty($request['rank_title']) )
- {
- echo enano_json_encode(array(
- 'mode' => 'error',
- 'error' => $lang->get('acpur_err_missing_rank_title')
- ));
- return true;
- }
-
- // perform update
- $rank_title = $db->escape($request['rank_title']);
- $rank_style = $db->escape(@$request['rank_style']);
- $q = $db->sql_query('UPDATE ' . table_prefix . "ranks SET rank_title = '$rank_title', rank_style = '$rank_style' WHERE rank_id = $rank_id;");
-
- // regenerate the ranks cache
- generate_cache_userranks();
-
- echo enano_json_encode(array(
- 'mode' => 'success'
- ));
- break;
- case 'create_rank':
- if ( empty($request['rank_title']) )
- {
- echo enano_json_encode(array(
- 'mode' => 'error',
- 'error' => $lang->get('acpur_err_missing_rank_title')
- ));
- return true;
- }
-
- $rank_title = $db->escape($request['rank_title']);
- $rank_style = $db->escape(@$request['rank_style']);
-
- // perform insert
- $q = $db->sql_query('INSERT INTO ' . table_prefix . "ranks ( rank_title, rank_style ) VALUES\n"
- .
" ( '$rank_title', '$rank_style' );");
- if ( !$q )
- $db->die_json();
-
- $rank_id = $db->insert_id();
- if ( !$rank_id )
- {
- echo enano_json_encode(array(
- 'mode' => 'error',
- 'error' => 'Refetch of rank ID failed'
- ));
- return true;
- }
-
- // regenerate the ranks cache
- generate_cache_userranks();
-
- echo enano_json_encode(array(
- 'mode' => 'success',
- 'rank_id' => $rank_id
- ));
- break;
- case 'delete_rank':
- // nuke a rank
- $rank_id = intval(@$request['rank_id']);
- if ( empty($rank_id) )
- {
- echo enano_json_encode(array(
- 'mode' => 'error',
- 'error' => 'Missing rank ID'
- ));
- return true;
- }
-
- // is this rank protected (e.g. a system rank)?
- if ( in_array($rank_id, $protected_ranks) )
- {
- echo enano_json_encode(array(
- 'mode' => 'error',
- 'error' => $lang->get('acpur_err_cant_delete_system_rank')
- ));
- return true;
- }
-
- // unset any user and groups that might be using it
- $q = $db->sql_query('UPDATE ' . table_prefix . "users SET user_rank = NULL WHERE user_rank = $rank_id;");
- if ( !$q )
- $db->die_json();
- $q = $db->sql_query('UPDATE ' . table_prefix . "groups SET group_rank = NULL WHERE group_rank = $rank_id;");
- if ( !$q )
- $db->die_json();
-
- // now remove the rank itself
- $q = $db->sql_query('DELETE FROM ' . table_prefix . "ranks WHERE rank_id = $rank_id;");
- if ( !$q )
- $db->_die();
-
- // regenerate the ranks cache
- generate_cache_userranks();
-
- echo enano_json_encode(array(
- 'mode' => 'success'
- ));
- break;
- default:
- echo enano_json_encode(array(
- 'mode' => 'error',
- 'error' => 'Unknown requested operation'
- ));
- return true;
- }
- return true;
- }
-
- // draw initial interface
- // yes, four paragraphs of introduction. Suck it up.
- echo '

' . $lang->get('acpur_heading_main') . '

';
- echo '

' . $lang->get('acpur_intro_para1') . '

';
- echo '

' . $lang->get('acpur_intro_para2') . '

';
- echo '

' . $lang->get('acpur_intro_para3') . '

';
- echo '

' . $lang->get('acpur_intro_para4') . '

';
-
- // fetch ranks
- $q = $db->sql_query('SELECT rank_id, rank_title, rank_style FROM ' . table_prefix . "ranks ORDER BY rank_title ASC;");
- if ( !$q )
- $db->_die();
-
- echo '
';
- while ( $row = $db->fetchrow() )
- {
- // format rank according to what its users look like
- // rank titles can be stored as language strings, so have the language manager fetch this
- // normally it refetches (which takes time) if a string isn't found, but it won't try to fetch
- // a string that isn't in the category_stringid format
- $rank_title = $lang->get($row['rank_title']);
- // FIXME: make sure htmlspecialchars() is escaping quotes and backslashes
- echo '' . htmlspecialchars($rank_title) . ' ';
- }
- echo '' . $lang->get('acpur_btn_create_init') . ' ';
- echo '
';
-
- echo '
';
- echo $lang->get('acpur_msg_select_rank');
- echo '
';
- echo '';
+ global $db, $session, $paths, $template, $plugins; // Common objects
+ global $lang;
+ if ( $session->auth_level < USER_LEVEL_ADMIN || $session->user_level < USER_LEVEL_ADMIN )
+ {
+ $login_link = makeUrlNS('Special', 'Login/' . $paths->nslist['Special'] . 'Administration', 'level=' . USER_LEVEL_ADMIN, true);
+ echo '

' . $lang->get('adm_err_not_auth_title') . '

';
+ echo '

' . $lang->get('adm_err_not_auth_body', array( 'login_link' => $login_link )) . '

';
+ return;
+ }
+
+ // This should be a constant somewhere
+ $protected_ranks = array(
+ RANK_ID_MEMBER,
+ RANK_ID_MOD,
+ RANK_ID_ADMIN,
+ RANK_ID_GUEST
+ );
+
+ if ( $paths->getParam(0) == 'action.json' )
+ {
+ // ajax call, try to decode json request
+ header('Content-type: application/json');
+
+ if ( !isset($_POST['r']) )
+ {
+ echo enano_json_encode(array(
+ 'mode' => 'error',
+ 'error' => 'Missing JSON request payload'
+ ));
+ return true;
+ }
+ try
+ {
+ $request = enano_json_decode($_POST['r']);
+ }
+ catch ( Exception $e )
+ {
+ echo enano_json_encode(array(
+ 'mode' => 'error',
+ 'error' => 'Invalid JSON request payload'
+ ));
+ return true;
+ }
+
+ if ( !isset($request['mode']) )
+ {
+ echo enano_json_encode(array(
+ 'mode' => 'error',
+ 'error' => 'JSON request payload does not contain required parameter "mode"'
+ ));
+ return true;
+ }
+
+ // we've got it
+ switch ( $request['mode'] )
+ {
+ case 'get_rank':
+ // easy enough, get a rank from the DB
+ $rank_id = intval(@$request['rank_id']);
+ if ( empty($rank_id) )
+ {
+ echo enano_json_encode(array(
+ 'mode' => 'error',
+ 'error' => 'Missing rank ID'
+ ));
+ return true;
+ }
+ // query and fetch
+ $q = $db->sql_query('SELECT rank_id, rank_title, rank_style FROM ' . table_prefix . "ranks WHERE rank_id = $rank_id;");
+ if ( !$q || $db->numrows() < 1 )
+ $db->die_json();
+
+ $row = $db->fetchrow();
+ $db->free_result();
+
+ // why does mysql do this?
+ $row['rank_id'] = intval($row['rank_id']);
+ echo enano_json_encode($row);
+ break;
+ case 'save_rank':
+ // easy enough, get a rank from the DB
+ $rank_id = intval(@$request['rank_id']);
+ // note - an empty rank_style field is permitted
+ if ( empty($rank_id) )
+ {
+ echo enano_json_encode(array(
+ 'mode' => 'error',
+ 'error' => 'Missing rank ID'
+ ));
+ return true;
+ }
+
+ if ( empty($request['rank_title']) )
+ {
+ echo enano_json_encode(array(
+ 'mode' => 'error',
+ 'error' => $lang->get('acpur_err_missing_rank_title')
+ ));
+ return true;
+ }
+
+ // perform update
+ $rank_title = $db->escape($request['rank_title']);
+ $rank_style = $db->escape(@$request['rank_style']);
+ $q = $db->sql_query('UPDATE ' . table_prefix . "ranks SET rank_title = '$rank_title', rank_style = '$rank_style' WHERE rank_id = $rank_id;");
+
+ // regenerate the ranks cache
+ generate_cache_userranks();
+
+ echo enano_json_encode(array(
+ 'mode' => 'success'
+ ));
+ break;
+ case 'create_rank':
+ if ( empty($request['rank_title']) )
+ {
+ echo enano_json_encode(array(
+ 'mode' => 'error',
+ 'error' => $lang->get('acpur_err_missing_rank_title')
+ ));
+ return true;
+ }
+
+ $rank_title = $db->escape($request['rank_title']);
+ $rank_style = $db->escape(@$request['rank_style']);
+
+ // perform insert
+ $q = $db->sql_query('INSERT INTO ' . table_prefix . "ranks ( rank_title, rank_style ) VALUES\n"
+ .
" ( '$rank_title', '$rank_style' );");
+ if ( !$q )
+ $db->die_json();
+
+ $rank_id = $db->insert_id();
+ if ( !$rank_id )
+ {
+ echo enano_json_encode(array(
+ 'mode' => 'error',
+ 'error' => 'Refetch of rank ID failed'
+ ));
+ return true;
+ }
+
+ // regenerate the ranks cache
+ generate_cache_userranks();
+
+ echo enano_json_encode(array(
+ 'mode' => 'success',
+ 'rank_id' => $rank_id
+ ));
+ break;
+ case 'delete_rank':
+ // nuke a rank
+ $rank_id = intval(@$request['rank_id']);
+ if ( empty($rank_id) )
+ {
+ echo enano_json_encode(array(
+ 'mode' => 'error',
+ 'error' => 'Missing rank ID'
+ ));
+ return true;
+ }
+
+ // is this rank protected (e.g. a system rank)?
+ if ( in_array($rank_id, $protected_ranks) )
+ {
+ echo enano_json_encode(array(
+ 'mode' => 'error',
+ 'error' => $lang->get('acpur_err_cant_delete_system_rank')
+ ));
+ return true;
+ }
+
+ // unset any user and groups that might be using it
+ $q = $db->sql_query('UPDATE ' . table_prefix . "users SET user_rank = NULL WHERE user_rank = $rank_id;");
+ if ( !$q )
+ $db->die_json();
+ $q = $db->sql_query('UPDATE ' . table_prefix . "groups SET group_rank = NULL WHERE group_rank = $rank_id;");
+ if ( !$q )
+ $db->die_json();
+
+ // now remove the rank itself
+ $q = $db->sql_query('DELETE FROM ' . table_prefix . "ranks WHERE rank_id = $rank_id;");
+ if ( !$q )
+ $db->_die();
+
+ // regenerate the ranks cache
+ generate_cache_userranks();
+
+ echo enano_json_encode(array(
+ 'mode' => 'success'
+ ));
+ break;
+ default:
+ echo enano_json_encode(array(
+ 'mode' => 'error',
+ 'error' => 'Unknown requested operation'
+ ));
+ return true;
+ }
+ return true;
+ }
+
+ // draw initial interface
+ // yes, four paragraphs of introduction. Suck it up.
+ echo '

' . $lang->get('acpur_heading_main') . '

';
+ echo '

' . $lang->get('acpur_intro_para1') . '

';
+ echo '

' . $lang->get('acpur_intro_para2') . '

';
+ echo '

' . $lang->get('acpur_intro_para3') . '

';
+ echo '

' . $lang->get('acpur_intro_para4') . '

';
+
+ // fetch ranks
+ $q = $db->sql_query('SELECT rank_id, rank_title, rank_style FROM ' . table_prefix . "ranks ORDER BY rank_title ASC;");
+ if ( !$q )
+ $db->_die();
+
+ echo '
';
+ while ( $row = $db->fetchrow() )
+ {
+ // format rank according to what its users look like
+ // rank titles can be stored as language strings, so have the language manager fetch this
+ // normally it refetches (which takes time) if a string isn't found, but it won't try to fetch
+ // a string that isn't in the category_stringid format
+ $rank_title = $lang->get($row['rank_title']);
+ // FIXME: make sure htmlspecialchars() is escaping quotes and backslashes
+ echo '' . htmlspecialchars($rank_title) . ' ';
+ }
+ echo '' . $lang->get('acpur_btn_create_init') . ' ';
+ echo '
';
+
+ echo '
';
+ echo $lang->get('acpur_msg_select_rank');
+ echo '
';
+ echo '';
 }
 ?>