| author | Dan |
| Thu, 12 Jul 2007 01:04:01 -0400 | |
| changeset 2 | a8a21e1c7afa |
| parent 0 | f9ffdbd96607 |
| permissions | -rw-r--r-- |
| 0 | 1 |
<?php |
2 |
/*********************************************************************** |
|
3 |
||
4 |
Copyright (C) 2002-2005 Rickard Andersson (rickard@punbb.org) |
|
5 |
||
6 |
This file is part of PunBB. |
|
7 |
||
8 |
PunBB is free software; you can redistribute it and/or modify it |
|
9 |
under the terms of the GNU General Public License as published |
|
10 |
by the Free Software Foundation; either version 2 of the License, |
|
11 |
or (at your option) any later version. |
|
12 |
||
13 |
PunBB is distributed in the hope that it will be useful, but |
|
14 |
WITHOUT ANY WARRANTY; without even the implied warranty of |
|
15 |
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
|
16 |
GNU General Public License for more details. |
|
17 |
||
18 |
You should have received a copy of the GNU General Public License |
|
19 |
along with this program; if not, write to the Free Software |
|
20 |
Foundation, Inc., 59 Temple Place, Suite 330, Boston, |
|
21 |
MA 02111-1307 USA |
|
22 |
||
23 |
************************************************************************/ |
|
24 |
||
25 |
||
26 |
if (isset($_GET['action'])) |
|
27 |
define('PUN_QUIET_VISIT', 1);
|
|
28 |
||
|
2
a8a21e1c7afa
Let's just say that the API loads. While a decent part of PunBB works, we've still got a LONG way to go, mainly with form validation and security. At this point, Punano is NOT secure as far as privileges and user levels go.
Dan
parents:
0
diff
changeset
|
29 |
//define('PUN_ROOT', './');
|
|
a8a21e1c7afa
Let's just say that the API loads. While a decent part of PunBB works, we've still got a LONG way to go, mainly with form validation and security. At this point, Punano is NOT secure as far as privileges and user levels go.
Dan
parents:
0
diff
changeset
|
30 |
//require PUN_ROOT.'include/common.php'; |
|
a8a21e1c7afa
Let's just say that the API loads. While a decent part of PunBB works, we've still got a LONG way to go, mainly with form validation and security. At this point, Punano is NOT secure as far as privileges and user levels go.
Dan
parents:
0
diff
changeset
|
31 |
|
|
a8a21e1c7afa
Let's just say that the API loads. While a decent part of PunBB works, we've still got a LONG way to go, mainly with form validation and security. At this point, Punano is NOT secure as far as privileges and user levels go.
Dan
parents:
0
diff
changeset
|
32 |
global $pun_db, $pun_user, $pun_config, $lang_common; |
|
a8a21e1c7afa
Let's just say that the API loads. While a decent part of PunBB works, we've still got a LONG way to go, mainly with form validation and security. At this point, Punano is NOT secure as far as privileges and user levels go.
Dan
parents:
0
diff
changeset
|
33 |
|
| 0 | 34 |
|
35 |
||
36 |
// Load the misc.php language file |
|
37 |
require PUN_ROOT.'lang/'.$pun_user['language'].'/misc.php'; |
|
38 |
||
39 |
$action = isset($_GET['action']) ? $_GET['action'] : null; |
|
40 |
||
41 |
||
42 |
if ($action == 'rules') |
|
43 |
{
|
|
44 |
// Load the register.php language file |
|
45 |
require PUN_ROOT.'lang/'.$pun_user['language'].'/register.php'; |
|
46 |
||
47 |
$page_title = pun_htmlspecialchars($pun_config['o_board_title']).' / '.$lang_register['Forum rules']; |
|
48 |
require PUN_ROOT.'header.php'; |
|
49 |
||
50 |
?> |
|
51 |
<div class="block"> |
|
52 |
<h2><span><?php echo $lang_register['Forum rules'] ?></span></h2> |
|
53 |
<div class="box"> |
|
54 |
<div class="inbox"> |
|
55 |
<p><?php echo $pun_config['o_rules_message'] ?></p> |
|
56 |
</div> |
|
57 |
</div> |
|
58 |
</div> |
|
59 |
<?php |
|
60 |
||
61 |
require PUN_ROOT.'footer.php'; |
|
62 |
} |
|
63 |
||
64 |
||
65 |
else if ($action == 'markread') |
|
66 |
{
|
|
67 |
if ($pun_user['is_guest']) |
|
68 |
message($lang_common['No permission']); |
|
69 |
||
|
2
a8a21e1c7afa
Let's just say that the API loads. While a decent part of PunBB works, we've still got a LONG way to go, mainly with form validation and security. At this point, Punano is NOT secure as far as privileges and user levels go.
Dan
parents:
0
diff
changeset
|
70 |
$pun_db->query('UPDATE '.$pun_db->prefix.'users SET last_visit='.$pun_user['logged'].' WHERE id='.$pun_user['id']) or error('Unable to update user last visit data', __FILE__, __LINE__, $pun_db->error());
|
| 0 | 71 |
|
|
2
a8a21e1c7afa
Let's just say that the API loads. While a decent part of PunBB works, we've still got a LONG way to go, mainly with form validation and security. At this point, Punano is NOT secure as far as privileges and user levels go.
Dan
parents:
0
diff
changeset
|
72 |
pun_redirect('index.php', $lang_misc['Mark read redirect']);
|
| 0 | 73 |
} |
74 |
||
75 |
||
76 |
else if (isset($_GET['email'])) |
|
77 |
{
|
|
78 |
if ($pun_user['is_guest']) |
|
79 |
message($lang_common['No permission']); |
|
80 |
||
81 |
$recipient_id = intval($_GET['email']); |
|
82 |
if ($recipient_id < 2) |
|
83 |
message($lang_common['Bad request']); |
|
84 |
||
|
2
a8a21e1c7afa
Let's just say that the API loads. While a decent part of PunBB works, we've still got a LONG way to go, mainly with form validation and security. At this point, Punano is NOT secure as far as privileges and user levels go.
Dan
parents:
0
diff
changeset
|
85 |
$result = $pun_db->query('SELECT username, email, email_setting FROM '.$pun_db->prefix.'users WHERE id='.$recipient_id) or error('Unable to fetch user info', __FILE__, __LINE__, $pun_db->error());
|
|
a8a21e1c7afa
Let's just say that the API loads. While a decent part of PunBB works, we've still got a LONG way to go, mainly with form validation and security. At this point, Punano is NOT secure as far as privileges and user levels go.
Dan
parents:
0
diff
changeset
|
86 |
if (!$pun_db->num_rows($result)) |
| 0 | 87 |
message($lang_common['Bad request']); |
88 |
||
|
2
a8a21e1c7afa
Let's just say that the API loads. While a decent part of PunBB works, we've still got a LONG way to go, mainly with form validation and security. At this point, Punano is NOT secure as far as privileges and user levels go.
Dan
parents:
0
diff
changeset
|
89 |
list($recipient, $recipient_email, $email_setting) = $pun_db->fetch_row($result); |
| 0 | 90 |
|
|
2
a8a21e1c7afa
Let's just say that the API loads. While a decent part of PunBB works, we've still got a LONG way to go, mainly with form validation and security. At this point, Punano is NOT secure as far as privileges and user levels go.
Dan
parents:
0
diff
changeset
|
91 |
if ($email_setting == 2 && $pun_user['g_id'] < PUN_MOD) |
| 0 | 92 |
message($lang_misc['Form e-mail disabled']); |
93 |
||
94 |
||
95 |
if (isset($_POST['form_sent'])) |
|
96 |
{
|
|
97 |
// Clean up message and subject from POST |
|
98 |
$subject = pun_trim($_POST['req_subject']); |
|
99 |
$message = pun_trim($_POST['req_message']); |
|
100 |
||
101 |
if ($subject == '') |
|
102 |
message($lang_misc['No e-mail subject']); |
|
103 |
else if ($message == '') |
|
104 |
message($lang_misc['No e-mail message']); |
|
105 |
else if (strlen($message) > 65535) |
|
106 |
message($lang_misc['Too long e-mail message']); |
|
107 |
||
108 |
// Load the "form e-mail" template |
|
109 |
$mail_tpl = trim(file_get_contents(PUN_ROOT.'lang/'.$pun_user['language'].'/mail_templates/form_email.tpl')); |
|
110 |
||
111 |
// The first row contains the subject |
|
112 |
$first_crlf = strpos($mail_tpl, "\n"); |
|
113 |
$mail_subject = trim(substr($mail_tpl, 8, $first_crlf-8)); |
|
114 |
$mail_message = trim(substr($mail_tpl, $first_crlf)); |
|
115 |
||
116 |
$mail_subject = str_replace('<mail_subject>', $subject, $mail_subject);
|
|
117 |
$mail_message = str_replace('<sender>', $pun_user['username'], $mail_message);
|
|
118 |
$mail_message = str_replace('<board_title>', $pun_config['o_board_title'], $mail_message);
|
|
119 |
$mail_message = str_replace('<mail_message>', $message, $mail_message);
|
|
120 |
$mail_message = str_replace('<board_mailer>', $pun_config['o_board_title'].' '.$lang_common['Mailer'], $mail_message);
|
|
121 |
||
122 |
require_once PUN_ROOT.'include/email.php'; |
|
123 |
||
124 |
pun_mail($recipient_email, $mail_subject, $mail_message, '"'.str_replace('"', '', $pun_user['username']).'" <'.$pun_user['email'].'>');
|
|
125 |
||
|
2
a8a21e1c7afa
Let's just say that the API loads. While a decent part of PunBB works, we've still got a LONG way to go, mainly with form validation and security. At this point, Punano is NOT secure as far as privileges and user levels go.
Dan
parents:
0
diff
changeset
|
126 |
pun_redirect(htmlspecialchars($_POST['redirect_url']), $lang_misc['E-mail sent redirect']); |
| 0 | 127 |
} |
128 |
||
129 |
||
130 |
// Try to determine if the data in HTTP_REFERER is valid (if not, we redirect to the users profile after the e-mail is sent) |
|
131 |
$redirect_url = (isset($_SERVER['HTTP_REFERER']) && preg_match('#^'.preg_quote($pun_config['o_base_url']).'/(.*?)\.php#i', $_SERVER['HTTP_REFERER'])) ? htmlspecialchars($_SERVER['HTTP_REFERER']) : 'index.php';
|
|
132 |
||
133 |
$page_title = pun_htmlspecialchars($pun_config['o_board_title']).' / '.$lang_misc['Send e-mail to'].' '.pun_htmlspecialchars($recipient); |
|
134 |
$required_fields = array('req_subject' => $lang_misc['E-mail subject'], 'req_message' => $lang_misc['E-mail message']);
|
|
135 |
$focus_element = array('email', 'req_subject');
|
|
136 |
require PUN_ROOT.'header.php'; |
|
137 |
||
138 |
?> |
|
139 |
<div class="blockform"> |
|
140 |
<h2><span><?php echo $lang_misc['Send e-mail to'] ?> <?php echo pun_htmlspecialchars($recipient) ?></span></h2> |
|
141 |
<div class="box"> |
|
142 |
<form id="email" method="post" action="misc.php?email=<?php echo $recipient_id ?>" onsubmit="this.submit.disabled=true;if(process_form(this)){return true;}else{this.submit.disabled=false;return false;}">
|
|
143 |
<div class="inform"> |
|
144 |
<fieldset> |
|
145 |
<legend><?php echo $lang_misc['Write e-mail'] ?></legend> |
|
146 |
<div class="infldset txtarea"> |
|
147 |
<input type="hidden" name="form_sent" value="1" /> |
|
148 |
<input type="hidden" name="redirect_url" value="<?php echo $redirect_url ?>" /> |
|
149 |
<label><strong><?php echo $lang_misc['E-mail subject'] ?></strong><br /> |
|
150 |
<input class="longinput" type="text" name="req_subject" size="75" maxlength="70" tabindex="1" /><br /></label> |
|
151 |
<label><strong><?php echo $lang_misc['E-mail message'] ?></strong><br /> |
|
152 |
<textarea name="req_message" rows="10" cols="75" tabindex="2"></textarea><br /></label> |
|
153 |
<p><?php echo $lang_misc['E-mail disclosure note'] ?></p> |
|
154 |
</div> |
|
155 |
</fieldset> |
|
156 |
</div> |
|
157 |
<p><input type="submit" name="submit" value="<?php echo $lang_common['Submit'] ?>" tabindex="3" accesskey="s" /><a href="javascript:history.go(-1)"><?php echo $lang_common['Go back'] ?></a></p> |
|
158 |
</form> |
|
159 |
</div> |
|
160 |
</div> |
|
161 |
<?php |
|
162 |
||
163 |
require PUN_ROOT.'footer.php'; |
|
164 |
} |
|
165 |
||
166 |
||
167 |
else if (isset($_GET['report'])) |
|
168 |
{
|
|
169 |
if ($pun_user['is_guest']) |
|
170 |
message($lang_common['No permission']); |
|
171 |
||
172 |
$post_id = intval($_GET['report']); |
|
173 |
if ($post_id < 1) |
|
174 |
message($lang_common['Bad request']); |
|
175 |
||
176 |
if (isset($_POST['form_sent'])) |
|
177 |
{
|
|
178 |
// Clean up reason from POST |
|
179 |
$reason = pun_linebreaks(pun_trim($_POST['req_reason'])); |
|
180 |
if ($reason == '') |
|
181 |
message($lang_misc['No reason']); |
|
182 |
||
183 |
// Get the topic ID |
|
|
2
a8a21e1c7afa
Let's just say that the API loads. While a decent part of PunBB works, we've still got a LONG way to go, mainly with form validation and security. At this point, Punano is NOT secure as far as privileges and user levels go.
Dan
parents:
0
diff
changeset
|
184 |
$result = $pun_db->query('SELECT topic_id FROM '.$pun_db->prefix.'posts WHERE id='.$post_id) or error('Unable to fetch post info', __FILE__, __LINE__, $pun_db->error());
|
|
a8a21e1c7afa
Let's just say that the API loads. While a decent part of PunBB works, we've still got a LONG way to go, mainly with form validation and security. At this point, Punano is NOT secure as far as privileges and user levels go.
Dan
parents:
0
diff
changeset
|
185 |
if (!$pun_db->num_rows($result)) |
| 0 | 186 |
message($lang_common['Bad request']); |
187 |
||
|
2
a8a21e1c7afa
Let's just say that the API loads. While a decent part of PunBB works, we've still got a LONG way to go, mainly with form validation and security. At this point, Punano is NOT secure as far as privileges and user levels go.
Dan
parents:
0
diff
changeset
|
188 |
$topic_id = $pun_db->result($result); |
| 0 | 189 |
|
190 |
// Get the subject and forum ID |
|
|
2
a8a21e1c7afa
Let's just say that the API loads. While a decent part of PunBB works, we've still got a LONG way to go, mainly with form validation and security. At this point, Punano is NOT secure as far as privileges and user levels go.
Dan
parents:
0
diff
changeset
|
191 |
$result = $pun_db->query('SELECT subject, forum_id FROM '.$pun_db->prefix.'topics WHERE id='.$topic_id) or error('Unable to fetch topic info', __FILE__, __LINE__, $pun_db->error());
|
|
a8a21e1c7afa
Let's just say that the API loads. While a decent part of PunBB works, we've still got a LONG way to go, mainly with form validation and security. At this point, Punano is NOT secure as far as privileges and user levels go.
Dan
parents:
0
diff
changeset
|
192 |
if (!$pun_db->num_rows($result)) |
| 0 | 193 |
message($lang_common['Bad request']); |
194 |
||
|
2
a8a21e1c7afa
Let's just say that the API loads. While a decent part of PunBB works, we've still got a LONG way to go, mainly with form validation and security. At this point, Punano is NOT secure as far as privileges and user levels go.
Dan
parents:
0
diff
changeset
|
195 |
list($subject, $forum_id) = $pun_db->fetch_row($result); |
| 0 | 196 |
|
197 |
// Should we use the internal report handling? |
|
198 |
if ($pun_config['o_report_method'] == 0 || $pun_config['o_report_method'] == 2) |
|
|
2
a8a21e1c7afa
Let's just say that the API loads. While a decent part of PunBB works, we've still got a LONG way to go, mainly with form validation and security. At this point, Punano is NOT secure as far as privileges and user levels go.
Dan
parents:
0
diff
changeset
|
199 |
$pun_db->query('INSERT INTO '.$pun_db->prefix.'reports (post_id, topic_id, forum_id, reported_by, created, message) VALUES('.$post_id.', '.$topic_id.', '.$forum_id.', '.$pun_user['id'].', '.time().', \''.$pun_db->escape($reason).'\')' ) or error('Unable to create report', __FILE__, __LINE__, $pun_db->error());
|
| 0 | 200 |
|
201 |
// Should we e-mail the report? |
|
202 |
if ($pun_config['o_report_method'] == 1 || $pun_config['o_report_method'] == 2) |
|
203 |
{
|
|
204 |
// We send it to the complete mailing-list in one swoop |
|
205 |
if ($pun_config['o_mailing_list'] != '') |
|
206 |
{
|
|
207 |
$mail_subject = 'Report('.$forum_id.') - \''.$subject.'\'';
|
|
208 |
$mail_message = 'User \''.$pun_user['username'].'\' has reported the following message:'."\n".$pun_config['o_base_url'].'/viewtopic.php?pid='.$post_id.'#p'.$post_id."\n\n".'Reason:'."\n".$reason; |
|
209 |
||
210 |
require PUN_ROOT.'include/email.php'; |
|
211 |
||
212 |
pun_mail($pun_config['o_mailing_list'], $mail_subject, $mail_message); |
|
213 |
} |
|
214 |
} |
|
215 |
||
|
2
a8a21e1c7afa
Let's just say that the API loads. While a decent part of PunBB works, we've still got a LONG way to go, mainly with form validation and security. At this point, Punano is NOT secure as far as privileges and user levels go.
Dan
parents:
0
diff
changeset
|
216 |
pun_redirect('viewtopic.php?pid='.$post_id.'#p'.$post_id, $lang_misc['Report redirect']);
|
| 0 | 217 |
} |
218 |
||
219 |
||
220 |
$page_title = pun_htmlspecialchars($pun_config['o_board_title']).' / '.$lang_misc['Report post']; |
|
221 |
$required_fields = array('req_reason' => $lang_misc['Reason']);
|
|
222 |
$focus_element = array('report', 'req_reason');
|
|
223 |
require PUN_ROOT.'header.php'; |
|
224 |
||
225 |
?> |
|
226 |
<div class="blockform"> |
|
227 |
<h2><span><?php echo $lang_misc['Report post'] ?></span></h2> |
|
228 |
<div class="box"> |
|
229 |
<form id="report" method="post" action="misc.php?report=<?php echo $post_id ?>" onsubmit="this.submit.disabled=true;if(process_form(this)){return true;}else{this.submit.disabled=false;return false;}">
|
|
230 |
<div class="inform"> |
|
231 |
<fieldset> |
|
232 |
<legend><?php echo $lang_misc['Reason desc'] ?></legend> |
|
233 |
<div class="infldset txtarea"> |
|
234 |
<input type="hidden" name="form_sent" value="1" /> |
|
235 |
<label><strong><?php echo $lang_misc['Reason'] ?></strong><br /><textarea name="req_reason" rows="5" cols="60"></textarea><br /></label> |
|
236 |
</div> |
|
237 |
</fieldset> |
|
238 |
</div> |
|
239 |
<p><input type="submit" name="submit" value="<?php echo $lang_common['Submit'] ?>" accesskey="s" /><a href="javascript:history.go(-1)"><?php echo $lang_common['Go back'] ?></a></p> |
|
240 |
</form> |
|
241 |
</div> |
|
242 |
</div> |
|
243 |
<?php |
|
244 |
||
245 |
require PUN_ROOT.'footer.php'; |
|
246 |
} |
|
247 |
||
248 |
||
249 |
else if (isset($_GET['subscribe'])) |
|
250 |
{
|
|
251 |
if ($pun_user['is_guest'] || $pun_config['o_subscriptions'] != '1') |
|
252 |
message($lang_common['No permission']); |
|
253 |
||
254 |
$topic_id = intval($_GET['subscribe']); |
|
255 |
if ($topic_id < 1) |
|
256 |
message($lang_common['Bad request']); |
|
257 |
||
|
2
a8a21e1c7afa
Let's just say that the API loads. While a decent part of PunBB works, we've still got a LONG way to go, mainly with form validation and security. At this point, Punano is NOT secure as far as privileges and user levels go.
Dan
parents:
0
diff
changeset
|
258 |
$result = $pun_db->query('SELECT 1 FROM '.$pun_db->prefix.'subscriptions WHERE user_id='.$pun_user['id'].' AND topic_id='.$topic_id) or error('Unable to fetch subscription info', __FILE__, __LINE__, $pun_db->error());
|
|
a8a21e1c7afa
Let's just say that the API loads. While a decent part of PunBB works, we've still got a LONG way to go, mainly with form validation and security. At this point, Punano is NOT secure as far as privileges and user levels go.
Dan
parents:
0
diff
changeset
|
259 |
if ($pun_db->num_rows($result)) |
| 0 | 260 |
message($lang_misc['Already subscribed']); |
261 |
||
|
2
a8a21e1c7afa
Let's just say that the API loads. While a decent part of PunBB works, we've still got a LONG way to go, mainly with form validation and security. At this point, Punano is NOT secure as far as privileges and user levels go.
Dan
parents:
0
diff
changeset
|
262 |
$pun_db->query('INSERT INTO '.$pun_db->prefix.'subscriptions (user_id, topic_id) VALUES('.$pun_user['id'].' ,'.$topic_id.')') or error('Unable to add subscription', __FILE__, __LINE__, $pun_db->error());
|
| 0 | 263 |
|
|
2
a8a21e1c7afa
Let's just say that the API loads. While a decent part of PunBB works, we've still got a LONG way to go, mainly with form validation and security. At this point, Punano is NOT secure as far as privileges and user levels go.
Dan
parents:
0
diff
changeset
|
264 |
pun_redirect('viewtopic.php?id='.$topic_id, $lang_misc['Subscribe redirect']);
|
| 0 | 265 |
} |
266 |
||
267 |
||
268 |
else if (isset($_GET['unsubscribe'])) |
|
269 |
{
|
|
270 |
if ($pun_user['is_guest'] || $pun_config['o_subscriptions'] != '1') |
|
271 |
message($lang_common['No permission']); |
|
272 |
||
273 |
$topic_id = intval($_GET['unsubscribe']); |
|
274 |
if ($topic_id < 1) |
|
275 |
message($lang_common['Bad request']); |
|
276 |
||
|
2
a8a21e1c7afa
Let's just say that the API loads. While a decent part of PunBB works, we've still got a LONG way to go, mainly with form validation and security. At this point, Punano is NOT secure as far as privileges and user levels go.
Dan
parents:
0
diff
changeset
|
277 |
$result = $pun_db->query('SELECT 1 FROM '.$pun_db->prefix.'subscriptions WHERE user_id='.$pun_user['id'].' AND topic_id='.$topic_id) or error('Unable to fetch subscription info', __FILE__, __LINE__, $pun_db->error());
|
|
a8a21e1c7afa
Let's just say that the API loads. While a decent part of PunBB works, we've still got a LONG way to go, mainly with form validation and security. At this point, Punano is NOT secure as far as privileges and user levels go.
Dan
parents:
0
diff
changeset
|
278 |
if (!$pun_db->num_rows($result)) |
| 0 | 279 |
message($lang_misc['Not subscribed']); |
280 |
||
|
2
a8a21e1c7afa
Let's just say that the API loads. While a decent part of PunBB works, we've still got a LONG way to go, mainly with form validation and security. At this point, Punano is NOT secure as far as privileges and user levels go.
Dan
parents:
0
diff
changeset
|
281 |
$pun_db->query('DELETE FROM '.$pun_db->prefix.'subscriptions WHERE user_id='.$pun_user['id'].' AND topic_id='.$topic_id) or error('Unable to remove subscription', __FILE__, __LINE__, $pun_db->error());
|
| 0 | 282 |
|
|
2
a8a21e1c7afa
Let's just say that the API loads. While a decent part of PunBB works, we've still got a LONG way to go, mainly with form validation and security. At this point, Punano is NOT secure as far as privileges and user levels go.
Dan
parents:
0
diff
changeset
|
283 |
pun_redirect('viewtopic.php?id='.$topic_id, $lang_misc['Unsubscribe redirect']);
|
| 0 | 284 |
} |
285 |
||
286 |
||
287 |
else |
|
288 |
message($lang_common['Bad request']); |