diff -r 4e7762863437 -r a050ff3d4509 plugins/nuggie/usercp.php --- a/plugins/nuggie/usercp.php Thu Jan 31 21:35:46 2008 -0500 +++ b/plugins/nuggie/usercp.php Fri Feb 01 21:54:00 2008 -0500 @@ -262,7 +262,210 @@ break; case 'Posts': - echo 'module Posts'; + if ( $paths->getParam(2) == 'AjaxHandler' ) + { + ob_end_clean(); + + if ( !isset($_POST['act']) ) + die(); + + switch($_POST['act']) + { + case 'delete': + header('Content-type: application/json'); + + if ( !isset($_POST['post_id']) ) + die(); + + if ( strval(intval($_POST['post_id'])) !== $_POST['post_id'] ) + die(); + + // make sure it's ok + $post_id =& $_POST['post_id']; + $post_id = intval($post_id); + $q = $db->sql_query('SELECT post_author FROM ' . table_prefix . 'blog_posts WHERE post_id = ' . $post_id . ';'); + if ( !$q ) + $db->die_json(); + if ( $db->numrows() < 1 ) + die('That post doesn\'t exist.'); + + list($author) = $db->fetchrow_num(); + $author = intval($author); + if ( $author !== $session->user_id && !$session->get_permissions('nuggie_edit_other') ) + die('No permissions'); + + // try to delete the post... + $q = $db->sql_query('DELETE FROM ' . table_prefix . 'blog_posts WHERE post_id = ' . $post_id . ';'); + if ( !$q ) + $db->die_json(); + + echo '1'; + + break; + case 'publish': + if ( !isset($_POST['post_id']) ) + die(); + + if ( strval(intval($_POST['post_id'])) !== $_POST['post_id'] ) + die(); + + if ( !in_array(@$_POST['state'], array('0', '1')) ) + die(); + + $state = intval($_POST['state']); + $post_id =& $_POST['post_id']; + $post_id = intval($post_id); + + // validate permissions + $q = $db->sql_query('SELECT post_author FROM ' . table_prefix . 'blog_posts WHERE post_id = ' . $post_id . ';'); + if ( !$q ) + $db->die_json(); + if ( $db->numrows() < 1 ) + die('That post doesn\'t exist.'); + + list($author) = $db->fetchrow_num(); + $author = intval($author); + if ( $author !== $session->user_id && !$session->get_permissions('nuggie_edit_other') ) + die('No permissions'); + + // try to delete the post... + $q = $db->sql_query('UPDATE ' . table_prefix . 'blog_posts SET post_published = ' . $state . ' WHERE post_id = ' . $post_id . ';'); + if ( !$q ) + $db->die_json(); + + echo "good;$state"; + + break; + } + + $db->close(); + exit(); + } + + if ( isset($_POST['action']) ) + { + $action =& $_POST['action']; + // Parse parameters + if ( strpos($action, ';') ) + { + // Parameter section + $parms = substr($action, strpos($action, ';') + 1); + + // Action name section + $action = substr($action, 0, strpos($action, ';')); + + // Match all parameters + preg_match_all('/([a-z0-9_]+)=(.+?)(;|$)/', $parms, $matches); + $parms = array(); + + // For each full parameter, assign $parms an associative value + foreach ( $matches[0] as $i => $_ ) + { + $parm = $matches[2][$i]; + + // Is this parameter in the form of an integer? + // (designed to ease validation later) + if ( preg_match('/^[0-9]+$/', $parm) ) + // Yes, run intval(), this enabling is_int()-ish checks + $parm = intval($parm); + + $parms[$matches[1][$i]] = $parm; + } + } + switch ( $action ) + { + case 'edit': + if ( !is_int(@$parms['id']) ) + break; + // This is hackish. Really, REALLY hackish. + $_SERVER['PATH_INFO'] = '.../' . $paths->nslist['Special'] . 'Preferences/Blog/Write/' . $parms['id']; + nuggie_user_cp('Blog'); + return true; + break; + case 'delete': + + if ( !is_int(@$parms['id']) ) + break; + + // make sure it's ok + $post_id = $parms['id']; + $post_id = intval($post_id); + $q = $db->sql_query('SELECT post_author FROM ' . table_prefix . 'blog_posts WHERE post_id = ' . $post_id . ';'); + if ( !$q ) + $db->_die(); + if ( $db->numrows() < 1 ) + die('That post doesn\'t exist.'); + + list($author) = $db->fetchrow_num(); + $author = intval($author); + if ( $author !== $session->user_id && !$session->get_permissions('nuggie_edit_other') ) + die('No permissions'); + + // try to delete the post... + $q = $db->sql_query('DELETE FROM ' . table_prefix . 'blog_posts WHERE post_id = ' . $post_id . ';'); + if ( !$q ) + $db->_die(); + + echo '
Post deleted.
'; + + break; + } + } + + // include some javascript for management + echo ''; + + // the form + // +------------------+------------+------+-----+---------+----------------+ + // | Field | Type | Null | Key | Default | Extra | + // +------------------+------------+------+-----+---------+----------------+ + // | post_id | int(15) | NO | PRI | NULL | auto_increment | + // | post_title | text | NO | | | | + // | post_title_clean | text | NO | | | | + // | post_author | int(12) | NO | | 1 | | + // | post_text | longtext | NO | | | | + // | post_timestamp | int(32) | NO | | 0 | | + // | post_published | tinyint(1) | NO | | 0 | | + // +------------------+------------+------+-----+---------+----------------+ + + echo '
'; + + $q = $db->sql_query('SELECT post_id, post_title, post_title_clean, post_timestamp, post_published FROM ' . table_prefix . 'blog_posts WHERE post_author = ' . $session->user_id . ' ORDER BY post_timestamp DESC;'); + if ( !$q ) + $db->_die(); + + echo '
+ '; + + echo ' + + + + + + '; + + while ( $row = $db->fetchrow() ) + { + echo ''; + + $uri = makeUrlNS('Blog', $session->username . date('/Y/n/j/', $row['post_timestamp']) . $row['post_title_clean'], false, true); + + echo ''; + echo ''; + $cls = ( $row['post_published'] == 1 ) ? 'row3_green' : 'row3_red'; + echo ''; + echo ''; + echo ''; + + echo ''; + } + + echo '
#Post titlePublishedTime
' . $row['post_id'] . '' . "" . htmlspecialchars($row['post_title']) . '' . ( ( $row['post_published'] == 1 ) ? 'Yes' : 'No' ) . '' . ( function_exists('enano_date') ? enano_date('Y-m-d', $row['post_timestamp']) : date('Y-m-d h:i', $row['post_timestamp']) ) . '
+
'; + + echo '
'; + break; case 'Write':