punbb/viewtopic.php
author Dan
Thu, 12 Jul 2007 01:04:01 -0400
changeset 2 a8a21e1c7afa
parent 0 f9ffdbd96607
permissions -rw-r--r--
Let's just say that the API loads. While a decent part of PunBB works, we've still got a LONG way to go, mainly with form validation and security. At this point, Punano is NOT secure as far as privileges and user levels go.

<?php
/***********************************************************************

  Copyright (C) 2002-2005  Rickard Andersson (rickard@punbb.org)

  This file is part of PunBB.

  PunBB is free software; you can redistribute it and/or modify it
  under the terms of the GNU General Public License as published
  by the Free Software Foundation; either version 2 of the License,
  or (at your option) any later version.

  PunBB is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.

  You should have received a copy of the GNU General Public License
  along with this program; if not, write to the Free Software
  Foundation, Inc., 59 Temple Place, Suite 330, Boston,
  MA  02111-1307  USA

************************************************************************/


//define('PUN_ROOT', './');
//require PUN_ROOT.'include/common.php';

global $pun_db, $pun_user, $pun_config, $lang_common;

// Board-wide read gate: a group with g_read_board == '0' gets the "No view"
// message instead of the topic.
// NOTE(review): the code below relies on message() ending the request; that is
// not visible in this file - confirm.
if ($pun_user['g_read_board'] == '0')
{
	message($lang_common['No view']);
}

// Request parameters. Both IDs are forced to integers because they are
// concatenated into SQL strings further down; 'action' is only ever compared
// with fixed strings.
$action = null;
if (isset($_GET['action']))
	$action = $_GET['action'];

$id = 0;
if (isset($_GET['id']))
	$id = intval($_GET['id']);

$pid = 0;
if (isset($_GET['pid']))
	$pid = intval($_GET['pid']);

// At least one positive ID is needed to locate a topic.
if (!($id >= 1 || $pid >= 1))
	message($lang_common['Bad request']);

// Load the viewtopic.php language file
// NOTE(review): the include path is built from $pun_user['language']. Nothing in
// this file constrains that value, so this is only safe if it is restricted to
// installed language pack names wherever it is stored - confirm.
require PUN_ROOT.'lang/'.$pun_user['language'].'/topic.php';


// A post ID takes precedence: resolve it to its topic and work out which page
// of that topic holds the post, so the normal rendering below lands on it.
if ($pid)
{
	// $pid went through intval() above, so only digits reach the SQL string.
	$result = $pun_db->query('SELECT topic_id FROM '.$pun_db->prefix.'posts WHERE id='.$pid) or error('Unable to fetch post info', __FILE__, __LINE__, $pun_db->error());
	if (!$pun_db->num_rows($result))
	{
		message($lang_common['Bad request']);
	}

	// From here on $id is the topic_id column value returned by the database.
	$id = $pun_db->result($result);

	// Walk the topic's posts in display order until the requested one is found
	// (the page it sits on depends on $pun_user['disp_posts']).
	$result = $pun_db->query('SELECT id FROM '.$pun_db->prefix.'posts WHERE topic_id='.$id.' ORDER BY posted') or error('Unable to fetch post info', __FILE__, __LINE__, $pun_db->error());
	$num_posts = $pun_db->num_rows($result);

	$i = 0;
	while ($i < $num_posts)
	{
		$cur_id = $pun_db->result($result, $i);
		if ($cur_id == $pid)
			break;

		++$i;
	}
	$i = $i + 1;	// row index is zero-based, post position is one-based

	// Hand the page number to the paging code below through $_GET['p'].
	$_GET['p'] = ceil($i / $pun_user['disp_posts']);
}

// action=new: redirect a logged-in user to the first post made since the last visit
elseif ($action == 'new' && !$pun_user['is_guest'])
{
	// NOTE(review): $pun_user['last_visit'] is concatenated unquoted; it comes from
	// the user record rather than the request and is presumably an integer
	// timestamp - confirm.
	$result = $pun_db->query('SELECT MIN(id) FROM '.$pun_db->prefix.'posts WHERE topic_id='.$id.' AND posted>'.$pun_user['last_visit']) or error('Unable to fetch post info', __FILE__, __LINE__, $pun_db->error());
	$first_new_post_id = $pun_db->result($result);

	// With no newer post, fall through to the action=last redirect instead.
	header($first_new_post_id
		? 'Location: viewtopic.php?pid='.$first_new_post_id.'#p'.$first_new_post_id
		: 'Location: viewtopic.php?id='.$id.'&action=last');

	exit;
}

// action=last: redirect to the newest post of the topic
elseif ($action == 'last')
{
	$result = $pun_db->query('SELECT MAX(id) FROM '.$pun_db->prefix.'posts WHERE topic_id='.$id) or error('Unable to fetch post info', __FILE__, __LINE__, $pun_db->error());
	$last_post_id = $pun_db->result($result);

	// Without a post ID there is nothing to redirect to; execution continues
	// with the topic lookup below.
	if ($last_post_id)
	{
		header('Location: viewtopic.php?pid='.$last_post_id.'#p'.$last_post_id);
		exit;
	}
}


// Fetch some info about the topic
// The two queries differ only in the subscriptions join: logged-in users get
// s.user_id back as is_subscribed, guests get a constant 0 in that position
// (without an alias; is_subscribed is only read for non-guests further down).
// The WHERE clause is the per-forum read check for this page: the topic is
// returned only when the viewer's group has no forum_perms row for the forum
// (read_forum IS NULL) or that row allows reading. Rows with moved_to set are
// excluded.
// $id comes from intval() or from the posts.topic_id column at this point.
// NOTE(review): $pun_user['id'] and $pun_user['g_id'] are concatenated unquoted;
// presumably integers loaded from the user record - confirm they can never hold
// request-controlled text.
if (!$pun_user['is_guest'])
	$result = $pun_db->query('SELECT t.subject, t.closed, t.num_replies, t.sticky, f.id AS forum_id, f.forum_name, f.moderators, fp.post_replies, s.user_id AS is_subscribed FROM '.$pun_db->prefix.'topics AS t INNER JOIN '.$pun_db->prefix.'forums AS f ON f.id=t.forum_id LEFT JOIN '.$pun_db->prefix.'subscriptions AS s ON (t.id=s.topic_id AND s.user_id='.$pun_user['id'].') LEFT JOIN '.$pun_db->prefix.'forum_perms AS fp ON (fp.forum_id=f.id AND fp.group_id='.$pun_user['g_id'].') WHERE (fp.read_forum IS NULL OR fp.read_forum=1) AND t.id='.$id.' AND t.moved_to IS NULL') or error('Unable to fetch topic info', __FILE__, __LINE__, $pun_db->error());
else
	$result = $pun_db->query('SELECT t.subject, t.closed, t.num_replies, t.sticky, f.id AS forum_id, f.forum_name, f.moderators, fp.post_replies, 0 FROM '.$pun_db->prefix.'topics AS t INNER JOIN '.$pun_db->prefix.'forums AS f ON f.id=t.forum_id LEFT JOIN '.$pun_db->prefix.'forum_perms AS fp ON (fp.forum_id=f.id AND fp.group_id='.$pun_user['g_id'].') WHERE (fp.read_forum IS NULL OR fp.read_forum=1) AND t.id='.$id.' AND t.moved_to IS NULL') or error('Unable to fetch topic info', __FILE__, __LINE__, $pun_db->error());

// No row means the topic does not exist, is a moved-topic stub, or is not
// readable by this group; all three cases get the same "Bad request" message.
if (!$pun_db->num_rows($result))
	message($lang_common['Bad request']);

$cur_topic = $pun_db->fetch_assoc($result);

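// Sort out who the moderators are and if we are currently a moderator (or an admin)
// f.moderators holds a PHP-serialized array; the lookup below treats its keys
// as usernames.
// NOTE(review): unserialize() on a stored value is only safe while that column
// can be written by trusted code alone - confirm against whatever updates
// forums.moderators.
$mods_array = ($cur_topic['moderators'] != '') ? unserialize($cur_topic['moderators']) : array();

// unserialize() returns false for a corrupt value; fall back to "no moderators"
// so array_key_exists() below never receives a non-array.
if (!is_array($mods_array))
	$mods_array = array();

// Admins always qualify; members of the moderator group only when they are
// listed as a moderator of this topic's forum.
$is_admmod = ($pun_user['g_id'] == PUN_ADMIN || ($pun_user['g_id'] == PUN_MOD && array_key_exists($pun_user['username'], $mods_array)));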

// Can we or can we not post replies?
// Builds the "Post reply" link shown above and below the posts. This decides
// only what is displayed.
// NOTE(review): the reply permission itself has to be enforced by post.php,
// which is not visible here.
if ($cur_topic['closed'] != '0')
{
	// Closed topic: everyone sees the notice, moderators/admins keep a reply link.
	$post_link = $lang_topic['Topic closed'];

	if ($is_admmod)
		$post_link .= ' / <a href="post.php?tid='.$id.'">'.$lang_topic['Post reply'].'</a>';
}
else
{
	// Open topic: a forum-specific post_replies value wins; when it is empty the
	// group default (g_post_replies) applies. Moderators/admins always get the link.
	$post_link = (($cur_topic['post_replies'] == '' && $pun_user['g_post_replies'] == '1') || $cur_topic['post_replies'] == '1' || $is_admmod)
		? '<a href="post.php?tid='.$id.'">'.$lang_topic['Post reply'].'</a>'
		: '&nbsp;';
}


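// Determine the post offset (based on $_GET['p'])
$num_pages = ceil(($cur_topic['num_replies'] + 1) / $pun_user['disp_posts']);

// $_GET['p'] is request input (or the page computed above for ?pid=...).
// Force it to an integer before any arithmetic: $start_from is concatenated
// into the LIMIT clause of the post query, and a value such as "1.5" would
// otherwise yield a fractional offset there. Anything outside 1..$num_pages
// falls back to the first page.
$p = isset($_GET['p']) ? intval($_GET['p']) : 1;
if ($p <= 1 || $p > $num_pages)
	$p = 1;

$start_from = $pun_user['disp_posts'] * ($p - 1);

// Generate paging links
$paging_links = $lang_common['Pages'].': '.pun_paginate($num_pages, $p, 'viewtopic.php?id='.$id);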


// Apply the word filter to the subject when censoring is switched on.
if ($pun_config['o_censoring'] == '1')
{
	$cur_topic['subject'] = censor_words($cur_topic['subject']);
}


// The quick post form is offered only when the feature is enabled, the viewer
// is logged in, replying is allowed by the forum setting (or, when that is
// empty, by the group default), and the topic is open or the viewer is a
// moderator/admin.
$quickpost = false;
if ($pun_config['o_quickpost'] == '1' && !$pun_user['is_guest'])
{
	if ($cur_topic['post_replies'] == '1' || ($cur_topic['post_replies'] == '' && $pun_user['g_post_replies'] == '1'))
	{
		if ($cur_topic['closed'] == '0' || $is_admmod)
		{
			$quickpost = true;
			$required_fields = array('req_message' => $lang_common['Message']);
		}
	}
}

// Subscribe/unsubscribe link for logged-in users when subscriptions are
// enabled; everyone else just gets the clearing div.
// NOTE(review): both links change state through a plain GET to misc.php that
// carries only the topic id; whether misc.php verifies the request origin is
// not visible here - confirm.
if ($pun_user['is_guest'] || $pun_config['o_subscriptions'] != '1')
{
	$subscraction = '<div class="clearer"></div>'."\n";
}
elseif ($cur_topic['is_subscribed'])
{
	// I apologize for the variable naming here. It's a mix of subscription and action I guess :-)
	$subscraction = '<p class="subscribelink clearb">'.$lang_topic['Is subscribed'].' - <a href="misc.php?unsubscribe='.$id.'">'.$lang_topic['Unsubscribe'].'</a></p>'."\n";
}
else
{
	$subscraction = '<p class="subscribelink clearb"><a href="misc.php?subscribe='.$id.'">'.$lang_topic['Subscribe'].'</a></p>'."\n";
}

// The subject is database text, so the combined title is HTML-escaped here.
$page_title = pun_htmlspecialchars($pun_config['o_board_title'].' / '.$cur_topic['subject']);
define('PUN_ALLOW_INDEX', 1);
require PUN_ROOT.'header.php';

// Top navigation bar: paging links, reply link and the Index > forum > topic
// breadcrumb. $paging_links and $post_link are HTML fragments assembled earlier
// in this file and are echoed as-is; forum_name and subject are escaped at
// output. forum_id is echoed unescaped - presumably an integer column, confirm.
?>
<div class="linkst">
	<div class="inbox">
		<p class="pagelink conl"><?php echo $paging_links ?></p>
		<p class="postlink conr"><?php echo $post_link ?></p>
		<ul><li><a href="index.php"><?php echo $lang_common['Index'] ?></a></li><li>&nbsp;&raquo;&nbsp;<a href="viewforum.php?id=<?php echo $cur_topic['forum_id'] ?>"><?php echo pun_htmlspecialchars($cur_topic['forum_name']) ?></a></li><li>&nbsp;&raquo;&nbsp;<?php echo pun_htmlspecialchars($cur_topic['subject']) ?></li></ul>
		<div class="clearer"></div>
	</div>
</div>

<?php


// Presumably provides parse_message() and parse_signature(), which the post
// loop calls - confirm.
require PUN_ROOT.'include/parser.php';

$bg_switch = true;	// Used for switching background color in posts
$post_count = 0;	// Keep track of post numbers

// Retrieve the posts (and their respective poster/online status)
// One page of posts for topic $id, ordered by post id. Besides the message the
// row carries sensitive columns (eu.email, p.poster_ip, p.poster_email,
// u.admin_note); whether each is shown is decided per post in the loop.
// The e-mail address is read from table_prefix.'users' (a constant, not
// $pun_db->prefix), joined on eu.user_id=u.id. All three poster joins are INNER
// JOINs, so a post whose poster has no matching users/groups row is not returned.
// LIMIT is built from $start_from and $pun_user['disp_posts'].
// NOTE(review): disp_posts is presumably an integer user/board setting - confirm
// it cannot hold free text.
// NOTE(review): the meaning of the second query() argument (true) is not
// visible in this file.
$result = $pun_db->query('SELECT eu.email, u.title, u.url, u.location, u.use_avatar, u.signature, u.email_setting, u.num_posts, u.registered, u.admin_note, p.id, p.poster AS username, p.poster_id, p.poster_ip, p.poster_email, p.message, p.hide_smilies, p.posted, p.edited, p.edited_by, g.g_id, g.g_user_title, o.user_id AS is_online FROM '.$pun_db->prefix.'posts AS p INNER JOIN '.$pun_db->prefix.'users AS u ON u.id=p.poster_id INNER JOIN '.table_prefix.'users AS eu ON eu.user_id=u.id INNER JOIN '.$pun_db->prefix.'groups AS g ON g.g_id=u.group_id LEFT JOIN '.$pun_db->prefix.'online AS o ON (o.user_id=u.id AND o.user_id!=1 AND o.idle=0) WHERE p.topic_id='.$id.' ORDER BY p.id LIMIT '.$start_from.','.$pun_user['disp_posts'], true) or error('Unable to fetch post info', __FILE__, __LINE__, $pun_db->error());
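// Render one block per post: poster details on the left, message, signature
// and action links on the right.
//
// Output handling: username, location, URL, admin note, edited_by and subject
// are HTML-escaped where they are used. E-mail addresses and the poster IP are
// escaped as well, since they end up inside attribute values and link text.
// NOTE(review): $user_title, the parsed message and the parsed signature are
// echoed as returned by get_title(), parse_message() and parse_signature();
// those helpers are presumably responsible for escaping - confirm.
//
// NOTE(review): four checks below use $pun_user['g_id'] >= USER_LEVEL_MEMBER to
// decide who sees post counts, e-mail addresses, poster IPs and admin notes. If
// that constant denotes ordinary members, every logged-in user passes. The
// moderator/admin decision elsewhere in this file compares g_id with
// PUN_ADMIN/PUN_MOD ($is_admmod) - confirm which level is intended here.
while ($cur_post = $pun_db->fetch_assoc($result))
{
	$post_count++;
	$user_avatar = '';
	$user_info = array();
	$user_contacts = array();
	$post_actions = array();
	$is_online = '';
	$signature = '';

	// If the poster is a registered user.
	if ($cur_post['poster_id'] > 1)
	{
		$username = '<a href="profile.php?id='.$cur_post['poster_id'].'">'.pun_htmlspecialchars($cur_post['username']).'</a>';
		$user_title = get_title($cur_post);

		if ($pun_config['o_censoring'] == '1')
			$user_title = censor_words($user_title);

		// Format the online indicator
		$is_online = ($cur_post['is_online'] == $cur_post['poster_id']) ? '<strong>'.$lang_topic['Online'].'</strong>' : $lang_topic['Offline'];

		if ($pun_config['o_avatars'] == '1' && $cur_post['use_avatar'] == '1' && $pun_user['show_avatars'] != '0')
		{
			// The avatar file name is derived from the numeric poster ID only; the
			// first of .gif/.jpg/.png that getimagesize() can read is used, and
			// $img_size[3] is the width/height attribute string it returns.
			if ($img_size = @getimagesize($pun_config['o_avatars_dir'].'/'.$cur_post['poster_id'].'.gif'))
				$user_avatar = '<img src="'.$pun_config['o_avatars_dir'].'/'.$cur_post['poster_id'].'.gif" '.$img_size[3].' alt="" />';
			else if ($img_size = @getimagesize($pun_config['o_avatars_dir'].'/'.$cur_post['poster_id'].'.jpg'))
				$user_avatar = '<img src="'.$pun_config['o_avatars_dir'].'/'.$cur_post['poster_id'].'.jpg" '.$img_size[3].' alt="" />';
			else if ($img_size = @getimagesize($pun_config['o_avatars_dir'].'/'.$cur_post['poster_id'].'.png'))
				$user_avatar = '<img src="'.$pun_config['o_avatars_dir'].'/'.$cur_post['poster_id'].'.png" '.$img_size[3].' alt="" />';
		}
		else
			$user_avatar = '';

		// We only show location, register date, post count and the contact links if "Show user info" is enabled
		if ($pun_config['o_show_user_info'] == '1')
		{
			if ($cur_post['location'] != '')
			{
				if ($pun_config['o_censoring'] == '1')
					$cur_post['location'] = censor_words($cur_post['location']);

				$user_info[] = '<dd>'.$lang_topic['From'].': '.pun_htmlspecialchars($cur_post['location']);
			}

			$user_info[] = '<dd>'.$lang_common['Registered'].': '.date($pun_config['o_date_format'], $cur_post['registered']);

			// NOTE(review): privilege level, see the note above the loop.
			if ($pun_config['o_show_post_count'] == '1' || $pun_user['g_id'] >= USER_LEVEL_MEMBER)
				$user_info[] = '<dd>'.$lang_common['Posts'].': '.$cur_post['num_posts'];

			// Now let's deal with the contact links (E-mail and URL)
			// NOTE(review): the second half of this condition exposes the raw address
			// to everyone at or above USER_LEVEL_MEMBER regardless of the poster's
			// email_setting - confirm this is intended.
			if (($cur_post['email_setting'] == '0' && !$pun_user['is_guest']) || $pun_user['g_id'] >= USER_LEVEL_MEMBER)
				$user_contacts[] = '<a href="mailto:'.pun_htmlspecialchars($cur_post['email']).'">'.$lang_common['E-mail'].'</a>';
			else if ($cur_post['email_setting'] == '1' && !$pun_user['is_guest'])
				$user_contacts[] = '<a href="misc.php?email='.$cur_post['poster_id'].'">'.$lang_common['E-mail'].'</a>';

			// NOTE(review): the URL is HTML-escaped, but its scheme is not checked
			// here; presumably it is validated when the profile is saved - confirm.
			if ($cur_post['url'] != '')
				$user_contacts[] = '<a href="'.pun_htmlspecialchars($cur_post['url']).'">'.$lang_topic['Website'].'</a>';
		}

		// NOTE(review): privilege level, see the note above the loop. This gate
		// controls the poster's IP address and the admin note.
		if ($pun_user['g_id'] >= USER_LEVEL_MEMBER)
		{
			$user_info[] = '<dd>IP: <a href="moderate.php?get_host='.$cur_post['id'].'">'.pun_htmlspecialchars($cur_post['poster_ip']).'</a>';

			if ($cur_post['admin_note'] != '')
				$user_info[] = '<dd>'.$lang_topic['Note'].': <strong>'.pun_htmlspecialchars($cur_post['admin_note']).'</strong>';
		}
	}
	// If the poster is a guest (or a user that has been deleted)
	else
	{
		$username = pun_htmlspecialchars($cur_post['username']);
		$user_title = get_title($cur_post);

		// NOTE(review): privilege level, see the note above the loop.
		if ($pun_user['g_id'] >= USER_LEVEL_MEMBER)
			$user_info[] = '<dd>IP: <a href="moderate.php?get_host='.$cur_post['id'].'">'.pun_htmlspecialchars($cur_post['poster_ip']).'</a>';

		// poster_email was typed in by the guest, so it is escaped before it is
		// placed in the mailto: attribute.
		if ($pun_config['o_show_user_info'] == '1' && $cur_post['poster_email'] != '' && !$pun_user['is_guest'])
			$user_contacts[] = '<a href="mailto:'.pun_htmlspecialchars($cur_post['poster_email']).'">'.$lang_common['E-mail'].'</a>';
	}

	// Generation post action array (quote, edit, delete etc.)
	// These are links only; the target scripts (misc.php, delete.php, edit.php,
	// post.php) are not visible here and have to enforce the permissions themselves.
	if (!$is_admmod)
	{
		if (!$pun_user['is_guest'])
			$post_actions[] = '<li class="postreport"><a href="misc.php?report='.$cur_post['id'].'">'.$lang_topic['Report'].'</a>';

		if ($cur_topic['closed'] == '0')
		{
			if ($cur_post['poster_id'] == $pun_user['id'])
			{
				// Position 1 is the topic's first post, so deleting it is governed by
				// g_delete_topics; any later post by g_delete_posts.
				if ((($start_from + $post_count) == 1 && $pun_user['g_delete_topics'] == '1') || (($start_from + $post_count) > 1 && $pun_user['g_delete_posts'] == '1'))
					$post_actions[] = '<li class="postdelete"><a href="delete.php?id='.$cur_post['id'].'">'.$lang_topic['Delete'].'</a>';
				if ($pun_user['g_edit_posts'] == '1')
					$post_actions[] = '<li class="postedit"><a href="edit.php?id='.$cur_post['id'].'">'.$lang_topic['Edit'].'</a>';
			}

			if (($cur_topic['post_replies'] == '' && $pun_user['g_post_replies'] == '1') || $cur_topic['post_replies'] == '1')
				$post_actions[] = '<li class="postquote"><a href="post.php?tid='.$id.'&amp;qid='.$cur_post['id'].'">'.$lang_topic['Quote'].'</a>';
		}
	}
	else
		$post_actions[] = '<li class="postreport"><a href="misc.php?report='.$cur_post['id'].'">'.$lang_topic['Report'].'</a>'.$lang_topic['Link separator'].'</li><li class="postdelete"><a href="delete.php?id='.$cur_post['id'].'">'.$lang_topic['Delete'].'</a>'.$lang_topic['Link separator'].'</li><li class="postedit"><a href="edit.php?id='.$cur_post['id'].'">'.$lang_topic['Edit'].'</a>'.$lang_topic['Link separator'].'</li><li class="postquote"><a href="post.php?tid='.$id.'&amp;qid='.$cur_post['id'].'">'.$lang_topic['Quote'].'</a>';


	// Switch the background color for every message.
	$bg_switch = !$bg_switch;
	$vtbg = ($bg_switch) ? ' roweven' : ' rowodd';


	// Perform the main parsing of the message (BBCode, smilies, censor words etc)
	$cur_post['message'] = parse_message($cur_post['message'], $cur_post['hide_smilies']);

	// Do signature parsing/caching
	// Each poster's signature is parsed once per page and reused from
	// $signature_cache for that poster's further posts.
	if ($cur_post['signature'] != '' && $pun_user['show_sig'] != '0')
	{
		if (isset($signature_cache[$cur_post['poster_id']]))
			$signature = $signature_cache[$cur_post['poster_id']];
		else
		{
			$signature = parse_signature($cur_post['signature']);
			$signature_cache[$cur_post['poster_id']] = $signature;
		}
	}

?>
<div id="p<?php echo $cur_post['id'] ?>" class="blockpost<?php echo $vtbg ?><?php if (($post_count + $start_from) == 1) echo ' firstpost'; ?>">
	<h2><span><span class="conr">#<?php echo ($start_from + $post_count) ?>&nbsp;</span><a href="viewtopic.php?pid=<?php echo $cur_post['id'].'#p'.$cur_post['id'] ?>"><?php echo format_time($cur_post['posted']) ?></a></span></h2>
	<div class="box">
		<div class="inbox">
			<div class="postleft">
				<dl>
					<dt><strong><?php echo $username ?></strong></dt>
					<dd class="usertitle"><strong><?php echo $user_title ?></strong></dd>
					<dd class="postavatar"><?php echo $user_avatar ?></dd>
<?php if (count($user_info)) echo "\t\t\t\t\t".implode('</dd>'."\n\t\t\t\t\t", $user_info).'</dd>'."\n"; ?>
<?php if (count($user_contacts)) echo "\t\t\t\t\t".'<dd class="usercontacts">'.implode('&nbsp;&nbsp;', $user_contacts).'</dd>'."\n"; ?>
				</dl>
			</div>
			<div class="postright">
				<h3><?php if (($post_count + $start_from) > 1) echo ' Re: '; ?><?php echo pun_htmlspecialchars($cur_topic['subject']) ?></h3>
				<div class="postmsg">
					<?php echo $cur_post['message']."\n" ?>
<?php if ($cur_post['edited'] != '') echo "\t\t\t\t\t".'<p class="postedit"><em>'.$lang_topic['Last edit'].' '.pun_htmlspecialchars($cur_post['edited_by']).' ('.format_time($cur_post['edited']).')</em></p>'."\n"; ?>
				</div>
<?php if ($signature != '') echo "\t\t\t\t".'<div class="postsignature"><hr />'.$signature.'</div>'."\n"; ?>
			</div>
			<div class="clearer"></div>
			<div class="postfootleft"><?php if ($cur_post['poster_id'] > 1) echo '<p>'.$is_online.'</p>'; ?></div>
			<div class="postfootright"><?php echo (count($post_actions)) ? '<ul>'.implode($lang_topic['Link separator'].'</li>', $post_actions).'</li></ul></div>'."\n" : '<div>&nbsp;</div></div>'."\n" ?>
		</div>
	</div>
</div>

<?php

}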

// Bottom navigation bar: the same reply link, paging links and breadcrumb as at
// the top of the page, followed by the subscription link. $post_link,
// $paging_links and $subscraction are HTML fragments assembled earlier in this
// file and are echoed as-is; forum_name and subject are escaped at output.
?>
<div class="postlinksb">
	<div class="inbox">
		<p class="postlink conr"><?php echo $post_link ?></p>
		<p class="pagelink conl"><?php echo $paging_links ?></p>
		<ul><li><a href="index.php"><?php echo $lang_common['Index'] ?></a></li><li>&nbsp;&raquo;&nbsp;<a href="viewforum.php?id=<?php echo $cur_topic['forum_id'] ?>"><?php echo pun_htmlspecialchars($cur_topic['forum_name']) ?></a></li><li>&nbsp;&raquo;&nbsp;<?php echo pun_htmlspecialchars($cur_topic['subject']) ?></li></ul>
		<?php echo $subscraction ?>
	</div>
</div>

<?php

// Display quick post if enabled
// The form posts the message to post.php?tid=<topic id>. Its only hidden fields
// are form_sent and form_user (the HTML-escaped username).
// NOTE(review): the form carries no anti-CSRF token; unless post.php verifies
// the request origin some other way, replies could be submitted on behalf of a
// logged-in user from another site - confirm.
// $quickpost is only set for non-guests earlier in this file, so the 'Guest'
// alternative for form_user looks unreachable.
if ($quickpost)
{

?>
<div class="blockform">
	<h2><span><?php echo $lang_topic['Quick post'] ?></span></h2>
	<div class="box">
		<form method="post" action="post.php?tid=<?php echo $id ?>" onsubmit="this.submit.disabled=true;if(process_form(this)){return true;}else{this.submit.disabled=false;return false;}">
			<div class="inform">
				<fieldset>
					<legend><?php echo $lang_common['Write message legend'] ?></legend>
					<div class="infldset txtarea">
						<input type="hidden" name="form_sent" value="1" />
						<input type="hidden" name="form_user" value="<?php echo (!$pun_user['is_guest']) ? pun_htmlspecialchars($pun_user['username']) : 'Guest'; ?>" />
						<label><textarea name="req_message" rows="7" cols="75" tabindex="1"></textarea></label>
						<ul class="bblinks">
							<li><a href="help.php#bbcode" onclick="window.open(this.href); return false;"><?php echo $lang_common['BBCode'] ?></a>: <?php echo ($pun_config['p_message_bbcode'] == '1') ? $lang_common['on'] : $lang_common['off']; ?></li>
							<li><a href="help.php#img" onclick="window.open(this.href); return false;"><?php echo $lang_common['img tag'] ?></a>: <?php echo ($pun_config['p_message_img_tag'] == '1') ? $lang_common['on'] : $lang_common['off']; ?></li>
							<li><a href="help.php#smilies" onclick="window.open(this.href); return false;"><?php echo $lang_common['Smilies'] ?></a>: <?php echo ($pun_config['o_smilies'] == '1') ? $lang_common['on'] : $lang_common['off']; ?></li>
						</ul>
					</div>
				</fieldset>
			</div>
			<p><input type="submit" name="submit" tabindex="2" value="<?php echo $lang_common['Submit'] ?>" accesskey="s" /></p>
		</form>
	</div>
</div>
<?php

}

// Increment "num_views" for topic
// NOTE(review): $db_type is not among the names listed in the global statement
// at the top of this file; if this script runs inside a function scope it is
// undefined here and LOW_PRIORITY is never added - confirm.
$low_prio = '';
if ($db_type == 'mysql')
	$low_prio = 'LOW_PRIORITY ';

// The counter is bumped on every rendered view of the topic.
$pun_db->query('UPDATE '.$low_prio.$pun_db->prefix.'topics SET num_views=num_views+1 WHERE id='.$id) or error('Unable to update topic', __FILE__, __LINE__, $pun_db->error());

// Values set for the footer template, which is included last.
$footer_style = 'viewtopic';
$forum_id = $cur_topic['forum_id'];
require PUN_ROOT.'footer.php';