author | Dan |
Wed, 08 Jul 2009 18:50:54 -0400 | |
changeset 1041 | 403a05b74f80 |
parent 1016 | 6d32d80b2192 |
child 1081 | 745200a9cc2a |
permissions | -rw-r--r-- |
1 | 1 |
<?php |
2 |
||
3 |
/* |
|
4 |
* Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between |
|
801
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
parents:
800
diff
changeset
|
5 |
* Version 1.1.6 (Caoineag beta 1) |
536 | 6 |
* Copyright (C) 2006-2008 Dan Fuhry |
1 | 7 |
* |
8 |
* This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License |
|
9 |
* as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. |
|
10 |
* |
|
11 |
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied |
|
12 |
* warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for details. |
|
13 |
*/ |
|
14 |
||
15 |
/** |
|
16 |
* Class that handles comments. Has HTML/Javascript frontend support. |
|
17 |
* @package Enano CMS |
|
18 |
* @subpackage Comment manager |
|
800
9cdfe82c56cd
Major underlying changes to namespace handling. Each namespace is handled by its own class which extends Namespace_Default. Much greater customization/pluggability potential, at the possible expense of some code reusing (though code reusing has been avoided thus far). Also a bit better handling of page passwords [SECURITY].
Dan
parents:
748
diff
changeset
|
19 |
* @license GNU General Public License <http://www.gnu.org/licenses/gpl-2.0.html> |
1 | 20 |
*/ |
21 |
||
22 |
class Comments |
|
23 |
{ |
|
24 |
# |
|
25 |
# VARIABLES |
|
26 |
# |
|
27 |
||
28 |
/** |
|
29 |
* Current list of comments. |
|
30 |
* @var array |
|
31 |
*/ |
|
32 |
||
33 |
var $comments = Array(); |
|
34 |
||
35 |
/** |
|
36 |
* Object to track permissions. |
|
37 |
* @var object |
|
38 |
*/ |
|
39 |
||
40 |
var $perms; |
|
41 |
||
42 |
# |
|
43 |
# METHODS |
|
44 |
# |
|
45 |
||
46 |
/** |
|
47 |
* Constructor. |
|
48 |
* @param string Page ID of the page to load comments for |
|
49 |
* @param string Namespace of the page to load comments for |
|
50 |
*/ |
|
51 |
||
52 |
function __construct($page_id, $namespace) |
|
53 |
{ |
|
54 |
global $db, $session, $paths, $template, $plugins; // Common objects |
|
55 |
||
56 |
// Initialize permissions |
|
322
5f1cd51bf1be
Many changes. Installer with PostgreSQL is broken badly and will be for some time.
Dan
parents:
320
diff
changeset
|
57 |
if ( $page_id == $paths->page_id && $namespace == $paths->namespace ) |
1 | 58 |
$this->perms =& $GLOBALS['session']; |
59 |
else |
|
60 |
$this->perms = $session->fetch_page_acl($page_id, $namespace); |
|
61 |
||
62 |
$this->page_id = $db->escape($page_id); |
|
63 |
$this->namespace = $db->escape($namespace); |
|
64 |
} |
|
65 |
||
66 |
/** |
|
67 |
* Processes a command in JSON format. |
|
1016
6d32d80b2192
Comments: SECURITY: Fixed IP not recorded in non-JSON submit and a few other non-security issues
Dan
parents:
1011
diff
changeset
|
68 |
* @param mixed Either the JSON-encoded input string, probably something sent from the Javascript/AJAX frontend, or an equivalent array |
1 | 69 |
*/ |
70 |
||
71 |
function process_json($json) |
|
72 |
{ |
|
73 |
global $db, $session, $paths, $template, $plugins; // Common objects |
|
541
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
parents:
536
diff
changeset
|
74 |
global $lang; |
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
parents:
536
diff
changeset
|
75 |
|
1016
6d32d80b2192
Comments: SECURITY: Fixed IP not recorded in non-JSON submit and a few other non-security issues
Dan
parents:
1011
diff
changeset
|
76 |
$is_json = !is_array($json); |
6d32d80b2192
Comments: SECURITY: Fixed IP not recorded in non-JSON submit and a few other non-security issues
Dan
parents:
1011
diff
changeset
|
77 |
|
6d32d80b2192
Comments: SECURITY: Fixed IP not recorded in non-JSON submit and a few other non-security issues
Dan
parents:
1011
diff
changeset
|
78 |
if ( $is_json ) |
6d32d80b2192
Comments: SECURITY: Fixed IP not recorded in non-JSON submit and a few other non-security issues
Dan
parents:
1011
diff
changeset
|
79 |
{ |
6d32d80b2192
Comments: SECURITY: Fixed IP not recorded in non-JSON submit and a few other non-security issues
Dan
parents:
1011
diff
changeset
|
80 |
$data = enano_json_decode($json); |
6d32d80b2192
Comments: SECURITY: Fixed IP not recorded in non-JSON submit and a few other non-security issues
Dan
parents:
1011
diff
changeset
|
81 |
$data = decode_unicode_array($data); |
6d32d80b2192
Comments: SECURITY: Fixed IP not recorded in non-JSON submit and a few other non-security issues
Dan
parents:
1011
diff
changeset
|
82 |
} |
6d32d80b2192
Comments: SECURITY: Fixed IP not recorded in non-JSON submit and a few other non-security issues
Dan
parents:
1011
diff
changeset
|
83 |
else |
6d32d80b2192
Comments: SECURITY: Fixed IP not recorded in non-JSON submit and a few other non-security issues
Dan
parents:
1011
diff
changeset
|
84 |
{ |
6d32d80b2192
Comments: SECURITY: Fixed IP not recorded in non-JSON submit and a few other non-security issues
Dan
parents:
1011
diff
changeset
|
85 |
$data =& $json; |
6d32d80b2192
Comments: SECURITY: Fixed IP not recorded in non-JSON submit and a few other non-security issues
Dan
parents:
1011
diff
changeset
|
86 |
} |
1 | 87 |
if ( !isset($data['mode']) ) |
88 |
{ |
|
86
c162ca39db8f
Finished pagination code (was incomplete in previous revision) and added a few hacks for an upcoming theme
Dan
parents:
78
diff
changeset
|
89 |
$ret = Array('mode'=>'error','error'=>'No mode defined!'); |
334
c72b545f1304
More localization work. Resolved major issue with JSON parser not parsing files over ~50KB. Switched JSON parser to the one from the Zend Framework (BSD licensed). Forced to split enano.json into five different files.
Dan
parents:
328
diff
changeset
|
90 |
echo enano_json_encode($ret); |
86
c162ca39db8f
Finished pagination code (was incomplete in previous revision) and added a few hacks for an upcoming theme
Dan
parents:
78
diff
changeset
|
91 |
return $ret; |
c162ca39db8f
Finished pagination code (was incomplete in previous revision) and added a few hacks for an upcoming theme
Dan
parents:
78
diff
changeset
|
92 |
} |
832
7152ca0a0ce9
Major redesign of rendering pipeline that separates pages saved with MCE from pages saved with the plaintext editor (full description in long commit message)
Dan
parents:
825
diff
changeset
|
93 |
if ( getConfig('enable_comments', '1') == '0' ) |
86
c162ca39db8f
Finished pagination code (was incomplete in previous revision) and added a few hacks for an upcoming theme
Dan
parents:
78
diff
changeset
|
94 |
{ |
c162ca39db8f
Finished pagination code (was incomplete in previous revision) and added a few hacks for an upcoming theme
Dan
parents:
78
diff
changeset
|
95 |
$ret = Array('mode'=>'error','error'=>'Comments are not enabled on this site.'); |
334
c72b545f1304
More localization work. Resolved major issue with JSON parser not parsing files over ~50KB. Switched JSON parser to the one from the Zend Framework (BSD licensed). Forced to split enano.json into five different files.
Dan
parents:
328
diff
changeset
|
96 |
echo enano_json_encode($ret); |
86
c162ca39db8f
Finished pagination code (was incomplete in previous revision) and added a few hacks for an upcoming theme
Dan
parents:
78
diff
changeset
|
97 |
return $ret; |
1 | 98 |
} |
99 |
$ret = Array(); |
|
100 |
$ret['mode'] = $data['mode']; |
|
101 |
switch ( $data['mode'] ) |
|
102 |
{ |
|
103 |
case 'fetch': |
|
104 |
if ( !$template->theme_loaded ) |
|
105 |
$template->load_theme(); |
|
106 |
if ( !isset($data['have_template']) ) |
|
107 |
{ |
|
108 |
$ret['template'] = file_get_contents(ENANO_ROOT . '/themes/' . $template->theme . '/comment.tpl'); |
|
109 |
} |
|
621
68f8a9cc0a18
Added Gravatar support! And it's really configurable too.
Dan
parents:
541
diff
changeset
|
110 |
$q = $db->sql_query('SELECT c.comment_id,c.name,c.subject,c.comment_data,c.time,c.approved,( c.ip_address IS NOT NULL ) AS have_ip,u.user_level,u.user_id,u.email,u.signature,u.user_has_avatar,u.avatar_type, b.buddy_id IS NOT NULL AS is_buddy, ( b.is_friend IS NOT NULL AND b.is_friend=1 ) AS is_friend FROM '.table_prefix.'comments AS c |
1 | 111 |
LEFT JOIN '.table_prefix.'users AS u |
112 |
ON (u.user_id=c.user_id) |
|
108
1c7f59df9474
Implemented some extra functionality for friends/foes in comments; fixed lack of table_prefix in stats.php line 63
Dan
parents:
86
diff
changeset
|
113 |
LEFT JOIN '.table_prefix.'buddies AS b |
1c7f59df9474
Implemented some extra functionality for friends/foes in comments; fixed lack of table_prefix in stats.php line 63
Dan
parents:
86
diff
changeset
|
114 |
ON ( ( b.user_id=' . $session->user_id.' AND b.buddy_user_id=c.user_id ) OR b.user_id IS NULL) |
541
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
parents:
536
diff
changeset
|
115 |
LEFT JOIN '.table_prefix.'ranks AS r |
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
parents:
536
diff
changeset
|
116 |
ON ( ( u.user_rank = r.rank_id ) ) |
1 | 117 |
WHERE page_id=\'' . $this->page_id . '\' |
108
1c7f59df9474
Implemented some extra functionality for friends/foes in comments; fixed lack of table_prefix in stats.php line 63
Dan
parents:
86
diff
changeset
|
118 |
AND namespace=\'' . $this->namespace . '\' |
621
68f8a9cc0a18
Added Gravatar support! And it's really configurable too.
Dan
parents:
541
diff
changeset
|
119 |
GROUP BY c.comment_id,c.name,c.subject,c.comment_data,c.time,c.approved,c.ip_address,u.user_level,u.user_id,u.email,u.signature,u.user_has_avatar,u.avatar_type,b.buddy_id,b.is_friend |
108
1c7f59df9474
Implemented some extra functionality for friends/foes in comments; fixed lack of table_prefix in stats.php line 63
Dan
parents:
86
diff
changeset
|
120 |
ORDER BY c.time ASC;'); |
1 | 121 |
$count_appr = 0; |
122 |
$count_total = 0; |
|
123 |
$count_unappr = 0; |
|
124 |
$ret['comments'] = Array(); |
|
125 |
if (!$q) |
|
126 |
$db->die_json(); |
|
1011
96119a79cf81
Comments: fixed failure to supply $q to fetchrow() in JSON fetcher
Dan
parents:
972
diff
changeset
|
127 |
if ( $row = $db->fetchrow($q) ) |
1 | 128 |
{ |
129 |
do { |
|
130 |
||
131 |
// Increment counters |
|
132 |
$count_total++; |
|
133 |
( $row['approved'] == 1 ) ? $count_appr++ : $count_unappr++; |
|
134 |
||
825
9d5c04c1414f
Added (very basic) spam filtering plugin support. Plugins can mark a message as spam by hooking into the spam check API, which is documented in functions.php. No spam checking functionality is built-in.
Dan
parents:
801
diff
changeset
|
135 |
if ( !$this->perms->get_permissions('mod_comments') && $row['approved'] != COMMENT_APPROVED ) |
1 | 136 |
continue; |
137 |
||
541
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
parents:
536
diff
changeset
|
138 |
// Localize the rank |
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
parents:
536
diff
changeset
|
139 |
$row = array_merge($row, $session->get_user_rank(intval($row['user_id']))); |
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
parents:
536
diff
changeset
|
140 |
|
1 | 141 |
// Send the source |
142 |
$row['comment_source'] = $row['comment_data']; |
|
143 |
||
144 |
// Format text |
|
145 |
$row['comment_data'] = RenderMan::render($row['comment_data']); |
|
146 |
||
108
1c7f59df9474
Implemented some extra functionality for friends/foes in comments; fixed lack of table_prefix in stats.php line 63
Dan
parents:
86
diff
changeset
|
147 |
if ( $row['is_buddy'] == 1 && $row['is_friend'] == 0 ) |
1c7f59df9474
Implemented some extra functionality for friends/foes in comments; fixed lack of table_prefix in stats.php line 63
Dan
parents:
86
diff
changeset
|
148 |
{ |
1c7f59df9474
Implemented some extra functionality for friends/foes in comments; fixed lack of table_prefix in stats.php line 63
Dan
parents:
86
diff
changeset
|
149 |
$seed = md5(sha1(mt_rand() . microtime())); |
1c7f59df9474
Implemented some extra functionality for friends/foes in comments; fixed lack of table_prefix in stats.php line 63
Dan
parents:
86
diff
changeset
|
150 |
$wrapper = ' |
1c7f59df9474
Implemented some extra functionality for friends/foes in comments; fixed lack of table_prefix in stats.php line 63
Dan
parents:
86
diff
changeset
|
151 |
<div id="posthide_'.$seed.'" style="display: none;"> |
1c7f59df9474
Implemented some extra functionality for friends/foes in comments; fixed lack of table_prefix in stats.php line 63
Dan
parents:
86
diff
changeset
|
152 |
' . $row['comment_data'] . ' |
1c7f59df9474
Implemented some extra functionality for friends/foes in comments; fixed lack of table_prefix in stats.php line 63
Dan
parents:
86
diff
changeset
|
153 |
</div> |
825
9d5c04c1414f
Added (very basic) spam filtering plugin support. Plugins can mark a message as spam by hooking into the spam check API, which is documented in functions.php. No spam checking functionality is built-in.
Dan
parents:
801
diff
changeset
|
154 |
<p><span style="opacity: 0.4; filter: alpha(opacity=40);">' . $lang->get('comment_msg_foe_comment_hidden') . '</span> <span style="text-align: right;"><a href="#showpost" onclick="document.getElementById(\'posthide_'.$seed.'\').style.display=\'block\'; this.parentNode.parentNode.parentNode.removeChild(this.parentNode.parentNode); return false;">' . $lang->get('comment_btn_display_foe_comment') . '</a></span></p> |
108
1c7f59df9474
Implemented some extra functionality for friends/foes in comments; fixed lack of table_prefix in stats.php line 63
Dan
parents:
86
diff
changeset
|
155 |
'; |
1c7f59df9474
Implemented some extra functionality for friends/foes in comments; fixed lack of table_prefix in stats.php line 63
Dan
parents:
86
diff
changeset
|
156 |
$row['comment_data'] = $wrapper; |
1c7f59df9474
Implemented some extra functionality for friends/foes in comments; fixed lack of table_prefix in stats.php line 63
Dan
parents:
86
diff
changeset
|
157 |
} |
1c7f59df9474
Implemented some extra functionality for friends/foes in comments; fixed lack of table_prefix in stats.php line 63
Dan
parents:
86
diff
changeset
|
158 |
|
1 | 159 |
// Format date |
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
parents:
334
diff
changeset
|
160 |
$row['time'] = enano_date('F d, Y h:i a', $row['time']); |
1 | 161 |
|
162 |
// Format signature |
|
163 |
$row['signature'] = ( !empty($row['signature']) ) ? RenderMan::render($row['signature']) : ''; |
|
164 |
||
359 | 165 |
// Do we have the IP? |
166 |
$row['have_ip'] = ( $row['have_ip'] == 1 ); |
|
167 |
||
541
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
parents:
536
diff
changeset
|
168 |
// Avatar URL |
621
68f8a9cc0a18
Added Gravatar support! And it's really configurable too.
Dan
parents:
541
diff
changeset
|
169 |
$row['avatar_path'] = make_avatar_url($row['user_id'], $row['avatar_type'], $row['email']); |
541
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
parents:
536
diff
changeset
|
170 |
|
1 | 171 |
// Add the comment to the list |
172 |
$ret['comments'][] = $row; |
|
173 |
||
1011
96119a79cf81
Comments: fixed failure to supply $q to fetchrow() in JSON fetcher
Dan
parents:
972
diff
changeset
|
174 |
} while ( $row = $db->fetchrow($q) ); |
1 | 175 |
} |
176 |
$db->free_result(); |
|
177 |
$ret['count_appr'] = $count_appr; |
|
178 |
$ret['count_total'] = $count_total; |
|
179 |
$ret['count_unappr'] = $count_unappr; |
|
180 |
$ret['auth_mod_comments'] = $this->perms->get_permissions('mod_comments'); |
|
181 |
$ret['auth_post_comments'] = $this->perms->get_permissions('post_comments'); |
|
182 |
$ret['auth_edit_comments'] = $this->perms->get_permissions('edit_comments'); |
|
748
e39454295bbb
Added makeSwitchable Dynano method for textareas; enabled support for makeSwitchable in comment runtime
Dan
parents:
685
diff
changeset
|
183 |
$ret['auth_edit_wysiwyg'] = $this->perms->get_permissions('edit_wysiwyg'); |
1 | 184 |
$ret['user_id'] = $session->user_id; |
185 |
$ret['username'] = $session->username; |
|
186 |
$ret['logged_in'] = $session->user_logged_in; |
|
187 |
||
188 |
$ret['user_level'] = Array(); |
|
189 |
$ret['user_level']['guest'] = USER_LEVEL_GUEST; |
|
190 |
$ret['user_level']['member'] = USER_LEVEL_MEMBER; |
|
191 |
$ret['user_level']['mod'] = USER_LEVEL_MOD; |
|
192 |
$ret['user_level']['admin'] = USER_LEVEL_ADMIN; |
|
193 |
||
832
7152ca0a0ce9
Major redesign of rendering pipeline that separates pages saved with MCE from pages saved with the plaintext editor (full description in long commit message)
Dan
parents:
825
diff
changeset
|
194 |
$ret['approval_needed'] = ( getConfig('approve_comments', '0') == '1' ); |
1 | 195 |
$ret['guest_posting'] = getConfig('comments_need_login'); |
196 |
||
197 |
if ( $ret['guest_posting'] == '1' && !$session->user_logged_in ) |
|
198 |
{ |
|
199 |
$session->kill_captcha(); |
|
200 |
$ret['captcha'] = $session->make_captcha(); |
|
201 |
} |
|
202 |
break; |
|
203 |
case 'edit': |
|
204 |
$cid = (string)$data['id']; |
|
825
9d5c04c1414f
Added (very basic) spam filtering plugin support. Plugins can mark a message as spam by hooking into the spam check API, which is documented in functions.php. No spam checking functionality is built-in.
Dan
parents:
801
diff
changeset
|
205 |
if ( !ctype_digit($cid) || intval($cid) < 1 ) |
1 | 206 |
{ |
207 |
echo '{"mode":"error","error":"HACKING ATTEMPT"}'; |
|
208 |
return false; |
|
209 |
} |
|
210 |
$cid = intval($cid); |
|
211 |
$q = $db->sql_query('SELECT c.user_id,c.approved FROM '.table_prefix.'comments c LEFT JOIN '.table_prefix.'users u ON (u.user_id=c.user_id) WHERE comment_id='.$cid.';'); |
|
212 |
if(!$q) |
|
213 |
$db->die_json(); |
|
214 |
$row = $db->fetchrow(); |
|
215 |
$uid = intval($row['user_id']); |
|
216 |
$can_edit = ( ( $uid == $session->user_id && $uid != 1 && $this->perms->get_permissions('edit_comments') ) || ( $this->perms->get_permissions('mod_comments') ) ); |
|
217 |
if(!$can_edit) |
|
218 |
{ |
|
219 |
echo '{"mode":"error","error":"HACKING ATTEMPT"}'; |
|
220 |
return false; |
|
221 |
} |
|
222 |
$data['data'] = str_replace("\r", '', $data['data']); // Windows compatibility |
|
223 |
$text = RenderMan::preprocess_text($data['data'], true, false); |
|
224 |
$text2 = $db->escape($text); |
|
225 |
$subj = $db->escape(htmlspecialchars($data['subj'])); |
|
226 |
$q = $db->sql_query('UPDATE '.table_prefix.'comments SET subject=\'' . $subj . '\',comment_data=\'' . $text2 . '\' WHERE comment_id=' . $cid . ';'); |
|
227 |
if(!$q) |
|
228 |
$db->die_json(); |
|
229 |
$ret = Array( |
|
230 |
'mode' => 'redraw', |
|
231 |
'id' => $data['local_id'], |
|
232 |
'subj' => htmlspecialchars($data['subj']), |
|
233 |
'text' => RenderMan::render($text), |
|
234 |
'src' => $text, |
|
235 |
'approved' => $row['approved'] |
|
236 |
); |
|
237 |
break; |
|
238 |
case 'delete': |
|
239 |
$cid = (string)$data['id']; |
|
825
9d5c04c1414f
Added (very basic) spam filtering plugin support. Plugins can mark a message as spam by hooking into the spam check API, which is documented in functions.php. No spam checking functionality is built-in.
Dan
parents:
801
diff
changeset
|
240 |
if ( !ctype_digit($cid) || intval($cid) < 1 ) |
1 | 241 |
{ |
242 |
echo '{"mode":"error","error":"HACKING ATTEMPT"}'; |
|
243 |
return false; |
|
244 |
} |
|
245 |
$cid = intval($cid); |
|
246 |
$q = $db->sql_query('SELECT c.user_id FROM '.table_prefix.'comments c LEFT JOIN '.table_prefix.'users u ON (u.user_id=c.user_id) WHERE comment_id='.$cid.';'); |
|
247 |
if(!$q) |
|
248 |
$db->die_json(); |
|
249 |
$row = $db->fetchrow(); |
|
250 |
$uid = intval($row['user_id']); |
|
251 |
$can_edit = ( ( $uid == $session->user_id && $uid != 1 && $this->perms->get_permissions('edit_comments') ) || ( $this->perms->get_permissions('mod_comments') ) ); |
|
252 |
if(!$can_edit) |
|
253 |
{ |
|
254 |
echo '{"mode":"error","error":"HACKING ATTEMPT"}'; |
|
255 |
return false; |
|
256 |
} |
|
257 |
$q = $db->sql_query('DELETE FROM '.table_prefix.'comments WHERE comment_id='.$cid.';'); |
|
258 |
if(!$q) |
|
259 |
$db->die_json(); |
|
260 |
$ret = Array( |
|
261 |
'mode' => 'annihilate', |
|
262 |
'id' => $data['local_id'] |
|
263 |
); |
|
264 |
break; |
|
265 |
case 'submit': |
|
266 |
||
267 |
// Now for a huge round of security checks... |
|
268 |
||
269 |
$errors = Array(); |
|
270 |
||
271 |
// Authorization |
|
272 |
// Like the rest of the ACL system, this call is a one-stop check for ALL ACL entries. |
|
273 |
if ( !$this->perms->get_permissions('post_comments') ) |
|
74
68469a95658d
Various bugfixes and cleanups, too much to remember... see the diffs for what got changed :-)
Dan
parents:
73
diff
changeset
|
274 |
$errors[] = 'The site security policy prevents your user account from posting comments;'; |
1 | 275 |
|
276 |
// Guest authorization |
|
277 |
if ( getConfig('comments_need_login') == '2' && !$session->user_logged_in ) |
|
825
9d5c04c1414f
Added (very basic) spam filtering plugin support. Plugins can mark a message as spam by hooking into the spam check API, which is documented in functions.php. No spam checking functionality is built-in.
Dan
parents:
801
diff
changeset
|
278 |
$errors[] = $lang->get('comment_err_need_login'); |
1 | 279 |
|
280 |
// CAPTCHA code |
|
281 |
if ( getConfig('comments_need_login') == '1' && !$session->user_logged_in ) |
|
282 |
{ |
|
283 |
$real_code = $session->get_captcha($data['captcha_id']); |
|
825
9d5c04c1414f
Added (very basic) spam filtering plugin support. Plugins can mark a message as spam by hooking into the spam check API, which is documented in functions.php. No spam checking functionality is built-in.
Dan
parents:
801
diff
changeset
|
284 |
if ( strtolower($real_code) !== strtolower($data['captcha_code']) ) |
9d5c04c1414f
Added (very basic) spam filtering plugin support. Plugins can mark a message as spam by hooking into the spam check API, which is documented in functions.php. No spam checking functionality is built-in.
Dan
parents:
801
diff
changeset
|
285 |
$errors[] = $lang->get('comment_err_captcha_wrong'); |
263
d57af0b0302e
Major improvements in the security of the CAPTCHA system (no SQL injection or anything like that); fixed denied form submission due to _af_acting on form object wrongly switched to true
Dan
parents:
166
diff
changeset
|
286 |
$session->kill_captcha(); |
1 | 287 |
} |
288 |
||
825
9d5c04c1414f
Added (very basic) spam filtering plugin support. Plugins can mark a message as spam by hooking into the spam check API, which is documented in functions.php. No spam checking functionality is built-in.
Dan
parents:
801
diff
changeset
|
289 |
// Spam check |
9d5c04c1414f
Added (very basic) spam filtering plugin support. Plugins can mark a message as spam by hooking into the spam check API, which is documented in functions.php. No spam checking functionality is built-in.
Dan
parents:
801
diff
changeset
|
290 |
$spam_policy = getConfig('comment_spam_policy', 'moderate'); |
9d5c04c1414f
Added (very basic) spam filtering plugin support. Plugins can mark a message as spam by hooking into the spam check API, which is documented in functions.php. No spam checking functionality is built-in.
Dan
parents:
801
diff
changeset
|
291 |
$sc_name = ( $session->user_logged_in ) ? $session->username : $data['name']; |
9d5c04c1414f
Added (very basic) spam filtering plugin support. Plugins can mark a message as spam by hooking into the spam check API, which is documented in functions.php. No spam checking functionality is built-in.
Dan
parents:
801
diff
changeset
|
292 |
$sc_mail = ( $session->user_logged_in ) ? $session->email : false; |
972
437f2505d340
Band-Aided user_homepage undefined index error in comments.
Dan
parents:
832
diff
changeset
|
293 |
$sc_url = ( $session->user_logged_in ) ? @$session->user_extra['user_homepage'] : false; |
825
9d5c04c1414f
Added (very basic) spam filtering plugin support. Plugins can mark a message as spam by hooking into the spam check API, which is documented in functions.php. No spam checking functionality is built-in.
Dan
parents:
801
diff
changeset
|
294 |
$spamcheck = $spam_policy === 'accept' ? true : spamalyze($data['text'], $sc_name, $sc_mail, $sc_url); |
9d5c04c1414f
Added (very basic) spam filtering plugin support. Plugins can mark a message as spam by hooking into the spam check API, which is documented in functions.php. No spam checking functionality is built-in.
Dan
parents:
801
diff
changeset
|
295 |
if ( !$spamcheck && $spam_policy === 'reject' ) |
9d5c04c1414f
Added (very basic) spam filtering plugin support. Plugins can mark a message as spam by hooking into the spam check API, which is documented in functions.php. No spam checking functionality is built-in.
Dan
parents:
801
diff
changeset
|
296 |
{ |
9d5c04c1414f
Added (very basic) spam filtering plugin support. Plugins can mark a message as spam by hooking into the spam check API, which is documented in functions.php. No spam checking functionality is built-in.
Dan
parents:
801
diff
changeset
|
297 |
$errors[] = $lang->get('comment_err_spamcheck_failed_rejected'); |
9d5c04c1414f
Added (very basic) spam filtering plugin support. Plugins can mark a message as spam by hooking into the spam check API, which is documented in functions.php. No spam checking functionality is built-in.
Dan
parents:
801
diff
changeset
|
298 |
} |
9d5c04c1414f
Added (very basic) spam filtering plugin support. Plugins can mark a message as spam by hooking into the spam check API, which is documented in functions.php. No spam checking functionality is built-in.
Dan
parents:
801
diff
changeset
|
299 |
|
1 | 300 |
if ( count($errors) > 0 ) |
301 |
{ |
|
302 |
$ret = Array( |
|
303 |
'mode' => 'error', |
|
304 |
'error' => implode("\n", $errors) |
|
305 |
); |
|
306 |
} |
|
307 |
else |
|
308 |
{ |
|
309 |
// We're authorized! |
|
310 |
||
311 |
// Preprocess |
|
312 |
$name = ( $session->user_logged_in ) ? htmlspecialchars($session->username) : htmlspecialchars($data['name']); |
|
313 |
$subj = htmlspecialchars($data['subj']); |
|
314 |
$text = RenderMan::preprocess_text($data['text'], true, false); |
|
315 |
$src = $text; |
|
316 |
$sql_text = $db->escape($text); |
|
317 |
$text = RenderMan::render($text); |
|
832
7152ca0a0ce9
Major redesign of rendering pipeline that separates pages saved with MCE from pages saved with the plaintext editor (full description in long commit message)
Dan
parents:
825
diff
changeset
|
318 |
$appr = ( getConfig('approve_comments', '0') == '1' ) ? COMMENT_UNAPPROVED : COMMENT_APPROVED; |
825
9d5c04c1414f
Added (very basic) spam filtering plugin support. Plugins can mark a message as spam by hooking into the spam check API, which is documented in functions.php. No spam checking functionality is built-in.
Dan
parents:
801
diff
changeset
|
319 |
if ( $appr === COMMENT_APPROVED && $spam_policy === 'moderate' && !$spamcheck ) |
9d5c04c1414f
Added (very basic) spam filtering plugin support. Plugins can mark a message as spam by hooking into the spam check API, which is documented in functions.php. No spam checking functionality is built-in.
Dan
parents:
801
diff
changeset
|
320 |
$appr = COMMENT_SPAM; |
1 | 321 |
$time = time(); |
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
parents:
334
diff
changeset
|
322 |
$date = enano_date('F d, Y h:i a', $time); |
359 | 323 |
$ip = $_SERVER['REMOTE_ADDR']; |
324 |
if ( !is_valid_ip($ip) ) |
|
325 |
die('Hacking attempt'); |
|
1 | 326 |
|
327 |
// Send it to the database |
|
359 | 328 |
$q = $db->sql_query('INSERT INTO '.table_prefix.'comments(page_id,namespace,name,subject,comment_data,approved, time, user_id, ip_address) VALUES' . "\n " . |
329 |
"('$this->page_id', '$this->namespace', '$name', '$subj', '$sql_text', $appr, $time, {$session->user_id}, '$ip');"); |
|
1 | 330 |
if(!$q) |
331 |
$db->die_json(); |
|
332 |
||
333 |
// Re-fetch |
|
621
68f8a9cc0a18
Added Gravatar support! And it's really configurable too.
Dan
parents:
541
diff
changeset
|
334 |
$q = $db->sql_query('SELECT c.comment_id,c.name,c.subject,c.comment_data,c.time,c.approved,u.user_level,u.user_id,u.email,u.signature,u.user_has_avatar,u.avatar_type FROM '.table_prefix.'comments AS c |
1 | 335 |
LEFT JOIN '.table_prefix.'users AS u |
336 |
ON (u.user_id=c.user_id) |
|
337 |
WHERE page_id=\'' . $this->page_id . '\' |
|
338 |
AND namespace=\'' . $this->namespace . '\' |
|
339 |
AND time='.$time.' ORDER BY comment_id DESC LIMIT 1;'); |
|
340 |
if(!$q) |
|
341 |
$db->die_json(); |
|
342 |
||
343 |
$row = $db->fetchrow(); |
|
344 |
$db->free_result(); |
|
345 |
$row['time'] = $date; |
|
346 |
$row['comment_data'] = $text; |
|
347 |
$row['comment_source'] = $src; |
|
348 |
$ret = Array( |
|
349 |
'mode' => 'materialize' |
|
350 |
); |
|
351 |
$ret = enano_safe_array_merge($ret, $row); |
|
352 |
||
353 |
$ret['auth_mod_comments'] = $this->perms->get_permissions('mod_comments'); |
|
354 |
$ret['auth_post_comments'] = $this->perms->get_permissions('post_comments'); |
|
355 |
$ret['auth_edit_comments'] = $this->perms->get_permissions('edit_comments'); |
|
356 |
$ret['user_id'] = $session->user_id; |
|
541
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
parents:
536
diff
changeset
|
357 |
$ret['rank_data'] = $session->get_user_rank($session->user_id); |
1 | 358 |
$ret['username'] = $session->username; |
359 |
$ret['logged_in'] = $session->user_logged_in; |
|
360 |
$ret['signature'] = RenderMan::render($row['signature']); |
|
361 |
||
362 |
$ret['user_level_list'] = Array(); |
|
363 |
$ret['user_level_list']['guest'] = USER_LEVEL_GUEST; |
|
364 |
$ret['user_level_list']['member'] = USER_LEVEL_MEMBER; |
|
365 |
$ret['user_level_list']['mod'] = USER_LEVEL_MOD; |
|
366 |
$ret['user_level_list']['admin'] = USER_LEVEL_ADMIN; |
|
621
68f8a9cc0a18
Added Gravatar support! And it's really configurable too.
Dan
parents:
541
diff
changeset
|
367 |
$ret['avatar_path'] = make_avatar_url($row['user_id'], $row['avatar_type'], $row['email']); |
1 | 368 |
} |
369 |
||
370 |
break; |
|
371 |
case 'approve': |
|
372 |
if ( !$this->perms->get_permissions('mod_comments') ) |
|
373 |
{ |
|
374 |
$ret = Array( |
|
375 |
'mode' => 'error', |
|
376 |
'error' => 'You are not authorized to moderate comments.' |
|
377 |
); |
|
334
c72b545f1304
More localization work. Resolved major issue with JSON parser not parsing files over ~50KB. Switched JSON parser to the one from the Zend Framework (BSD licensed). Forced to split enano.json into five different files.
Dan
parents:
328
diff
changeset
|
378 |
echo enano_json_encode($ret); |
1 | 379 |
return $ret; |
380 |
} |
|
381 |
||
382 |
$cid = (string)$data['id']; |
|
825
9d5c04c1414f
Added (very basic) spam filtering plugin support. Plugins can mark a message as spam by hooking into the spam check API, which is documented in functions.php. No spam checking functionality is built-in.
Dan
parents:
801
diff
changeset
|
383 |
if ( !ctype_digit($cid) || intval($cid) < 1 ) |
1 | 384 |
{ |
385 |
echo '{"mode":"error","error":"HACKING ATTEMPT"}'; |
|
386 |
return false; |
|
387 |
} |
|
388 |
$cid = intval($cid); |
|
389 |
$q = $db->sql_query('SELECT subject,approved FROM '.table_prefix.'comments WHERE comment_id='.$cid.';'); |
|
390 |
if(!$q || $db->numrows() < 1) |
|
391 |
$db->die_json(); |
|
392 |
$row = $db->fetchrow(); |
|
393 |
$db->free_result(); |
|
394 |
$appr = ( $row['approved'] == '1' ) ? '0' : '1'; |
|
395 |
$q = $db->sql_query('UPDATE '.table_prefix."comments SET approved=$appr WHERE comment_id=$cid;"); |
|
396 |
if (!$q) |
|
397 |
$db->die_json(); |
|
398 |
||
399 |
$ret = Array( |
|
400 |
'mode' => 'redraw', |
|
401 |
'approved' => $appr, |
|
402 |
'subj' => $row['subject'], |
|
29
e5484a9e0818
Rewrote change theme dialog; a few minor stability fixes here and there; fixed IE + St Patty background image
Dan
parents:
21
diff
changeset
|
403 |
'id' => $data['local_id'], |
e5484a9e0818
Rewrote change theme dialog; a few minor stability fixes here and there; fixed IE + St Patty background image
Dan
parents:
21
diff
changeset
|
404 |
'approve_updated' => 'yes' |
1 | 405 |
); |
406 |
||
407 |
break; |
|
359 | 408 |
case 'view_ip': |
409 |
if ( !$session->get_permissions('mod_comments') ) |
|
410 |
{ |
|
411 |
return array( |
|
412 |
'mode' => 'error', |
|
413 |
'error' => 'Unauthorized' |
|
414 |
); |
|
415 |
} |
|
416 |
// fetch comment info |
|
417 |
if ( !is_int($data['id']) ) |
|
418 |
{ |
|
419 |
return array( |
|
420 |
'mode' => 'error', |
|
421 |
'error' => 'Unauthorized' |
|
422 |
); |
|
423 |
} |
|
424 |
$id =& $data['id']; |
|
425 |
$q = $db->sql_query('SELECT ip_address, name FROM ' . table_prefix . 'comments WHERE comment_id = ' . $id . ';'); |
|
426 |
if ( !$q || $db->numrows() < 1 ) |
|
427 |
{ |
|
428 |
$db->die_json(); |
|
429 |
} |
|
430 |
list($ip_addr, $name) = $db->fetchrow_num($q); |
|
431 |
$db->free_result(); |
|
432 |
$name = $db->escape($name); |
|
433 |
$username = $db->escape($session->username); |
|
434 |
// log this action |
|
435 |
$q = $db->sql_query('INSERT INTO ' . table_prefix . "logs(time_id, log_type, action, page_text, author, edit_summary) VALUES\n " |
|
436 |
. "( " . time() . ", 'security', 'view_comment_ip', '$name', '$username', '{$_SERVER['REMOTE_ADDR']}' );"); |
|
437 |
if ( !$q ) |
|
438 |
$db->die_json(); |
|
439 |
||
440 |
// send packet |
|
441 |
$ret = array( |
|
442 |
'mode' => 'redraw', |
|
443 |
'ip_addr' => $ip_addr, |
|
444 |
'local_id' => $data['local_id'] |
|
445 |
); |
|
446 |
break; |
|
1 | 447 |
default: |
448 |
$ret = Array( |
|
449 |
'mode' => 'error', |
|
450 |
'error' => $data['mode'] . ' is not a valid request mode' |
|
451 |
); |
|
452 |
break; |
|
453 |
} |
|
1016
6d32d80b2192
Comments: SECURITY: Fixed IP not recorded in non-JSON submit and a few other non-security issues
Dan
parents:
1011
diff
changeset
|
454 |
if ( $is_json ) |
6d32d80b2192
Comments: SECURITY: Fixed IP not recorded in non-JSON submit and a few other non-security issues
Dan
parents:
1011
diff
changeset
|
455 |
echo enano_json_encode($ret); |
6d32d80b2192
Comments: SECURITY: Fixed IP not recorded in non-JSON submit and a few other non-security issues
Dan
parents:
1011
diff
changeset
|
456 |
|
1 | 457 |
return $ret; |
458 |
} |
|
459 |
||
460 |
} // class Comments |
|
461 |