includes/pageutils.php
author Dan
Fri, 07 Dec 2007 18:47:37 -0500
changeset 314 474f8be55943
parent 304 e2cb5f1432c8
child 326 ab66d6d1f1f4
permissions -rw-r--r--
Localized remainder of on-page tools and parts of PageProcess
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
     1
<?php
166
d53cc29308f4 Rebrand as 1.1.1; everything should now be bumped to "unstable" status
Dan
parents: 158
diff changeset
     2
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
     3
/*
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
     4
 * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between
166
d53cc29308f4 Rebrand as 1.1.1; everything should now be bumped to "unstable" status
Dan
parents: 158
diff changeset
     5
 * Version 1.1.1
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
     6
 * Copyright (C) 2006-2007 Dan Fuhry
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
     7
 * pageutils.php - a class that handles raw page manipulations, used mostly by AJAX requests or their old-fashioned form-based counterparts
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
     8
 *
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
     9
 * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
    10
 * as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
    11
 *
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
    12
 * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
    13
 * warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for details.
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
    14
 */
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
    15
 
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
    16
class PageUtils {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
    17
  
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
    18
  /**
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
    19
   * Tell if a username is used or not.
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
    20
   * @param $name the name to check for
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
    21
   * @return string
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
    22
   */
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
    23
  
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
    24
  function checkusername($name)
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
    25
  {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
    26
    global $db, $session, $paths, $template, $plugins; // Common objects
270
5bcdee999015 Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
Dan
parents: 260
diff changeset
    27
    $name = str_replace('_', ' ', $name);
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
    28
    $q = $db->sql_query('SELECT username FROM ' . table_prefix.'users WHERE username=\'' . $db->escape(rawurldecode($name)) . '\'');
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
    29
    if ( !$q )
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
    30
    {
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
    31
      die(mysql_error());
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
    32
    }
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
    33
    if ( $db->numrows() < 1)
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
    34
    {
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
    35
      $db->free_result(); return('good');
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
    36
    }
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
    37
    else
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
    38
    {
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
    39
      $db->free_result(); return('bad');
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
    40
    }
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
    41
  }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
    42
  
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
    43
  /**
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
    44
   * Get the wiki formatting source for a page
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
    45
   * @param $page the full page id (Namespace:Pagename)
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
    46
   * @return string
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
    47
   * @todo (DONE) Make it require a password (just for security purposes)
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
    48
   */
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
    49
   
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
    50
  function getsource($page, $password = false)
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
    51
  {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
    52
    global $db, $session, $paths, $template, $plugins; // Common objects
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
    53
    if(!isset($paths->pages[$page]))
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
    54
    {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
    55
      return '';
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
    56
    }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
    57
    
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
    58
    if(strlen($paths->pages[$page]['password']) == 40)
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
    59
    {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
    60
      if(!$password || ( $password != $paths->pages[$page]['password']))
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
    61
      {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
    62
        return 'invalid_password';
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
    63
      }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
    64
    }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
    65
    
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
    66
    if(!$session->get_permissions('view_source')) // Dependencies handle this for us - this also checks for read privileges
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
    67
      return 'access_denied';
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
    68
    $pid = RenderMan::strToPageID($page);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
    69
    if($pid[1] == 'Special' || $pid[1] == 'Admin')
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
    70
    {
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
    71
      die('This type of page (' . $paths->nslist[$pid[1]] . ') cannot be edited because the page source code is not stored in the database.');
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
    72
    }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
    73
    
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
    74
    $e = $db->sql_query('SELECT page_text,char_tag FROM ' . table_prefix.'page_text WHERE page_id=\'' . $pid[0] . '\' AND namespace=\'' . $pid[1] . '\'');
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
    75
    if ( !$e )
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
    76
    {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
    77
      $db->_die('The page text could not be selected.');
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
    78
    }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
    79
    if( $db->numrows() < 1 )
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
    80
    {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
    81
      return ''; //$db->_die('There were no rows in the text table that matched the page text query.');
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
    82
    }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
    83
    
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
    84
    $r = $db->fetchrow();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
    85
    $db->free_result();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
    86
    $message = $r['page_text'];
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
    87
    
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
    88
    return htmlspecialchars($message);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
    89
  }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
    90
  
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
    91
  /**
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
    92
   * Basically a frontend to RenderMan::getPage(), with the ability to send valid data for nonexistent pages
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
    93
   * @param $page the full page id (Namespace:Pagename)
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
    94
   * @param $send_headers true if the theme headers should be sent (still dependent on current page settings), false otherwise
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
    95
   * @return string
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
    96
   */
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
    97
  
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
    98
  function getpage($page, $send_headers = false, $hist_id = false)
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
    99
  {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   100
    die('PageUtils->getpage is deprecated.');
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   101
    global $db, $session, $paths, $template, $plugins; // Common objects
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   102
    ob_start();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   103
    $pid = RenderMan::strToPageID($page);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   104
    //die('<pre>'.print_r($pid, true).'</pre>');
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   105
    if(isset($paths->pages[$page]['password']) && strlen($paths->pages[$page]['password']) == 40)
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   106
    {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   107
      password_prompt($page);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   108
    }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   109
    if(isset($paths->pages[$page]))
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   110
    {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   111
      doStats($pid[0], $pid[1]);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   112
    }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   113
    if($paths->custom_page || $pid[1] == 'Special')
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   114
    {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   115
      // If we don't have access to the page, get out and quick!
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   116
      if(!$session->get_permissions('read') && $pid[0] != 'Login' && $pid[0] != 'Register')
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   117
      {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   118
        $template->tpl_strings['PAGE_NAME'] = 'Access denied';
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   119
        
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   120
        if ( $send_headers )
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   121
        {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   122
          $template->header();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   123
        }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   124
        
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   125
        echo '<div class="error-box"><b>Access to this page is denied.</b><br />This may be because you are not logged in or you have not met certain criteria for viewing this page.</div>';
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   126
        
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   127
        if ( $send_headers )
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   128
        {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   129
          $template->footer();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   130
        }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   131
        
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   132
        $r = ob_get_contents();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   133
        ob_end_clean();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   134
        return $r;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   135
      }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   136
      
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   137
      $fname = 'page_' . $pid[1] . '_' . $paths->pages[$page]['urlname_nons'];
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   138
      @call_user_func($fname);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   139
      
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   140
    }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   141
    else if ( $pid[1] == 'Admin' )
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   142
    {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   143
      // If we don't have access to the page, get out and quick!
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   144
      if(!$session->get_permissions('read'))
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   145
      {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   146
        $template->tpl_strings['PAGE_NAME'] = 'Access denied';
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   147
        if ( $send_headers )
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   148
        {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   149
          $template->header();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   150
        }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   151
        echo '<div class="error-box"><b>Access to this page is denied.</b><br />This may be because you are not logged in or you have not met certain criteria for viewing this page.</div>';
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   152
        if ( $send_headers )
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   153
        {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   154
          $template->footer();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   155
        }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   156
        $r = ob_get_contents();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   157
        ob_end_clean();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   158
        return $r;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   159
      }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   160
      
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   161
      $fname = 'page_' . $pid[1] . '_' . $pid[0];
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   162
      if ( !function_exists($fname) )
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   163
      {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   164
        $title = 'Page backend not found';
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   165
        $message = "The administration page you are looking for was properly registered using the page API, but the backend function
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   166
                    (<tt>$fname</tt>) was not found. If this is a plugin page, then this is almost certainly a bug with the plugin.";
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   167
        if ( $send_headers )
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   168
        {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   169
          die_friendly($title, "<p>$message</p>");
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   170
        }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   171
        else
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   172
        {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   173
          echo "<h2>$title</h2>\n<p>$message</p>";
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   174
        }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   175
      }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   176
      @call_user_func($fname);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   177
    }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   178
    else if ( !isset( $paths->pages[$page] ) )
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   179
    {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   180
      ob_start();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   181
      $code = $plugins->setHook('page_not_found');
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   182
      foreach ( $code as $cmd )
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   183
      {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   184
        eval($cmd);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   185
      }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   186
      $text = ob_get_contents();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   187
      if ( $text != '' )
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   188
      {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   189
        ob_end_clean();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   190
        return $text;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   191
      }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   192
      $template->header();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   193
      if($m = $paths->sysmsg('Page_not_found'))
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   194
      {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   195
        eval('?>'.RenderMan::render($m));
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   196
      }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   197
      else
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   198
      {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   199
        header('HTTP/1.1 404 Not Found');
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   200
        echo '<h3>There is no page with this title yet.</h3>
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   201
               <p>You have requested a page that doesn\'t exist yet.';
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   202
        if($session->get_permissions('create_page')) echo ' You can <a href="'.makeUrl($paths->page, 'do=edit', true).'" onclick="ajaxEditor(); return false;">create this page</a>, or return to the <a href="'.makeUrl(getConfig('main_page')).'">homepage</a>.';
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   203
        else echo ' Return to the <a href="'.makeUrl(getConfig('main_page')).'">homepage</a>.</p>';
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   204
        if ( $session->get_permissions('history_rollback') )
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   205
        {
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   206
          $e = $db->sql_query('SELECT * FROM ' . table_prefix.'logs WHERE action=\'delete\' AND page_id=\'' . $paths->cpage['urlname_nons'] . '\' AND namespace=\'' . $pid[1] . '\' ORDER BY time_id DESC;');
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   207
          if ( !$e )
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   208
          {
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   209
            $db->_die('The deletion log could not be selected.');
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   210
          }
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   211
          if ($db->numrows() > 0 )
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   212
          {
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   213
            $r = $db->fetchrow();
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   214
            echo '<p>This page also appears to have some log entries in the database - it seems that it was deleted on ' . $r['date_string'] . '. You can probably <a href="'.makeUrl($paths->page, 'do=rollback&amp;id=' . $r['time_id']) . '" onclick="ajaxRollback(\'' . $r['time_id'] . '\'); return false;">roll back</a> the deletion.</p>';
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   215
          }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   216
          $db->free_result();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   217
        }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   218
        echo '<p>
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   219
                HTTP Error: 404 Not Found
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   220
              </p>';
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   221
      }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   222
      $template->footer();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   223
    }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   224
    else
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   225
    {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   226
      
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   227
      // If we don't have access to the page, get out and quick!
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   228
      if(!$session->get_permissions('read'))
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   229
      {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   230
        $template->tpl_strings['PAGE_NAME'] = 'Access denied';
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   231
        if($send_headers) $template->header();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   232
        echo '<div class="error-box"><b>Access to this page is denied.</b><br />This may be because you are not logged in or you have not met certain criteria for viewing this page.</div>';
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   233
        if($send_headers) $template->footer();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   234
        $r = ob_get_contents();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   235
        ob_end_clean();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   236
        return $r;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   237
      }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   238
      
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   239
      ob_start();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   240
      $code = $plugins->setHook('page_custom_handler');
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   241
      foreach ( $code as $cmd )
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   242
      {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   243
        eval($cmd);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   244
      }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   245
      $text = ob_get_contents();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   246
      if ( $text != '' )
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   247
      {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   248
        ob_end_clean();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   249
        return $text;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   250
      }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   251
      
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   252
      if ( $hist_id )
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   253
      {
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   254
        $e = $db->sql_query('SELECT page_text,date_string,char_tag FROM ' . table_prefix.'logs WHERE page_id=\'' . $paths->pages[$page]['urlname_nons'] . '\' AND namespace=\'' . $pid[1] . '\' AND log_type=\'page\' AND action=\'edit\' AND time_id=' . $db->escape($hist_id) . '');
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   255
        if($db->numrows() < 1)
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   256
        {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   257
          $db->_die('There were no rows in the text table that matched the page text query.');
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   258
        }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   259
        $r = $db->fetchrow();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   260
        $db->free_result();
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   261
        $message = '<div class="info-box" style="margin-left: 0; margin-top: 5px;"><b>Notice:</b><br />The page you are viewing was archived on ' . $r['date_string'] . '.<br /><a href="'.makeUrl($page).'" onclick="ajaxReset(); return false;">View current version</a>  |  <a href="'.makeUrl($page, 'do=rollback&amp;id=' . $hist_id) . '" onclick="ajaxRollback(\'' . $hist_id . '\')">Restore this version</a></div><br />'.RenderMan::render($r['page_text']);
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   262
        
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   263
        if( !$paths->pages[$page]['special'] )
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   264
        {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   265
          if($send_headers)
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   266
          {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   267
            $template->header(); 
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   268
          }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   269
          display_page_headers();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   270
        }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   271
        
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   272
        eval('?>' . $message);
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   273
        
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   274
        if( !$paths->pages[$page]['special'] )
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   275
        {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   276
          display_page_footers();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   277
          if($send_headers)
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   278
          {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   279
            $template->footer();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   280
          }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   281
        }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   282
        
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   283
      } else {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   284
        if(!$paths->pages[$page]['special'])
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   285
        {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   286
          $message = RenderMan::getPage($paths->pages[$page]['urlname_nons'], $pid[1]);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   287
        }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   288
        else
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   289
        {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   290
          $message = RenderMan::getPage($paths->pages[$page]['urlname_nons'], $pid[1], 0, false, false, false, false);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   291
        }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   292
        // This line is used to debug wikiformatted code
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   293
        // die('<pre>'.htmlspecialchars($message).'</pre>');
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   294
        
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   295
        if( !$paths->pages[$page]['special'] )
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   296
        {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   297
          if($send_headers)
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   298
          {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   299
            $template->header(); 
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   300
          }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   301
          display_page_headers();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   302
        }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   303
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   304
        // This is it, this is what all of Enano has been working up to...
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   305
        
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   306
        eval('?>' . $message);
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   307
        
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   308
        if( !$paths->pages[$page]['special'] )
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   309
        {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   310
          display_page_footers();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   311
          if($send_headers)
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   312
          {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   313
            $template->footer();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   314
          }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   315
        }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   316
      }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   317
    }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   318
    $ret = ob_get_contents();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   319
    ob_end_clean();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   320
    return $ret;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   321
  }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   322
  
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   323
  /**
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   324
   * Writes page data to the database, after verifying permissions and running the XSS filter
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   325
   * @param $page_id the page ID
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   326
   * @param $namespace the namespace
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   327
   * @param $message the text to save
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   328
   * @return string
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   329
   */
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   330
   
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   331
  function savepage($page_id, $namespace, $message, $summary = 'No edit summary given', $minor = false)
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   332
  {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   333
    global $db, $session, $paths, $template, $plugins; // Common objects
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   334
    $uid = sha1(microtime());
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   335
    $pname = $paths->nslist[$namespace] . $page_id;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   336
    
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   337
    if(!$session->get_permissions('edit_page'))
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   338
      return 'Access to edit pages is denied.';
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   339
    
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   340
    if(!isset($paths->pages[$pname]))
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   341
    {
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   342
      $create = PageUtils::createPage($page_id, $namespace);
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   343
      if ( $create != 'good' )
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   344
        return 'The page did not exist, and I was not able to create it. The reported error was: ' . $create;
21
663fcf528726 Updated all version numbers back to Banshee; a few preliminary steps towards full UTF-8 support in page URLs
Dan
parents: 19
diff changeset
   345
      $paths->page_exists = true;
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   346
    }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   347
    
260
661beb9b0fa3 Rewrote some security code in PageUtils::savepage to accommodate the ACL system better; there was an issue with non-admin users saving pages on which they have edit rights but wiki mode is turned off
Dan
parents: 256
diff changeset
   348
    // Check page protection
661beb9b0fa3 Rewrote some security code in PageUtils::savepage to accommodate the ACL system better; there was an issue with non-admin users saving pages on which they have edit rights but wiki mode is turned off
Dan
parents: 256
diff changeset
   349
    
661beb9b0fa3 Rewrote some security code in PageUtils::savepage to accommodate the ACL system better; there was an issue with non-admin users saving pages on which they have edit rights but wiki mode is turned off
Dan
parents: 256
diff changeset
   350
    $is_protected = false;
661beb9b0fa3 Rewrote some security code in PageUtils::savepage to accommodate the ACL system better; there was an issue with non-admin users saving pages on which they have edit rights but wiki mode is turned off
Dan
parents: 256
diff changeset
   351
    $page_data =& $paths->pages[$pname];
661beb9b0fa3 Rewrote some security code in PageUtils::savepage to accommodate the ACL system better; there was an issue with non-admin users saving pages on which they have edit rights but wiki mode is turned off
Dan
parents: 256
diff changeset
   352
    // Is the protection semi?
661beb9b0fa3 Rewrote some security code in PageUtils::savepage to accommodate the ACL system better; there was an issue with non-admin users saving pages on which they have edit rights but wiki mode is turned off
Dan
parents: 256
diff changeset
   353
    if ( $page_data['protected'] == 2 )
661beb9b0fa3 Rewrote some security code in PageUtils::savepage to accommodate the ACL system better; there was an issue with non-admin users saving pages on which they have edit rights but wiki mode is turned off
Dan
parents: 256
diff changeset
   354
    {
661beb9b0fa3 Rewrote some security code in PageUtils::savepage to accommodate the ACL system better; there was an issue with non-admin users saving pages on which they have edit rights but wiki mode is turned off
Dan
parents: 256
diff changeset
   355
      $is_protected = true;
661beb9b0fa3 Rewrote some security code in PageUtils::savepage to accommodate the ACL system better; there was an issue with non-admin users saving pages on which they have edit rights but wiki mode is turned off
Dan
parents: 256
diff changeset
   356
      // Page is semi-protected. Has the user been here for at least 4 days?
661beb9b0fa3 Rewrote some security code in PageUtils::savepage to accommodate the ACL system better; there was an issue with non-admin users saving pages on which they have edit rights but wiki mode is turned off
Dan
parents: 256
diff changeset
   357
      // 345600 seconds = 4 days
661beb9b0fa3 Rewrote some security code in PageUtils::savepage to accommodate the ACL system better; there was an issue with non-admin users saving pages on which they have edit rights but wiki mode is turned off
Dan
parents: 256
diff changeset
   358
      if ( $session->user_logged_in && ( $session->reg_time + 345600 ) <= time() )
661beb9b0fa3 Rewrote some security code in PageUtils::savepage to accommodate the ACL system better; there was an issue with non-admin users saving pages on which they have edit rights but wiki mode is turned off
Dan
parents: 256
diff changeset
   359
        $is_protected = false;
661beb9b0fa3 Rewrote some security code in PageUtils::savepage to accommodate the ACL system better; there was an issue with non-admin users saving pages on which they have edit rights but wiki mode is turned off
Dan
parents: 256
diff changeset
   360
    }
661beb9b0fa3 Rewrote some security code in PageUtils::savepage to accommodate the ACL system better; there was an issue with non-admin users saving pages on which they have edit rights but wiki mode is turned off
Dan
parents: 256
diff changeset
   361
    // Is the protection full?
661beb9b0fa3 Rewrote some security code in PageUtils::savepage to accommodate the ACL system better; there was an issue with non-admin users saving pages on which they have edit rights but wiki mode is turned off
Dan
parents: 256
diff changeset
   362
    else if ( $page_data['protected'] == 1 )
661beb9b0fa3 Rewrote some security code in PageUtils::savepage to accommodate the ACL system better; there was an issue with non-admin users saving pages on which they have edit rights but wiki mode is turned off
Dan
parents: 256
diff changeset
   363
    {
661beb9b0fa3 Rewrote some security code in PageUtils::savepage to accommodate the ACL system better; there was an issue with non-admin users saving pages on which they have edit rights but wiki mode is turned off
Dan
parents: 256
diff changeset
   364
      $is_protected = true;
661beb9b0fa3 Rewrote some security code in PageUtils::savepage to accommodate the ACL system better; there was an issue with non-admin users saving pages on which they have edit rights but wiki mode is turned off
Dan
parents: 256
diff changeset
   365
    }
661beb9b0fa3 Rewrote some security code in PageUtils::savepage to accommodate the ACL system better; there was an issue with non-admin users saving pages on which they have edit rights but wiki mode is turned off
Dan
parents: 256
diff changeset
   366
    
661beb9b0fa3 Rewrote some security code in PageUtils::savepage to accommodate the ACL system better; there was an issue with non-admin users saving pages on which they have edit rights but wiki mode is turned off
Dan
parents: 256
diff changeset
   367
    // If it's protected and we DON'T have even_when_protected rights, bail out
661beb9b0fa3 Rewrote some security code in PageUtils::savepage to accommodate the ACL system better; there was an issue with non-admin users saving pages on which they have edit rights but wiki mode is turned off
Dan
parents: 256
diff changeset
   368
    if ( $is_protected && !$session->get_permissions('even_when_protected') )
661beb9b0fa3 Rewrote some security code in PageUtils::savepage to accommodate the ACL system better; there was an issue with non-admin users saving pages on which they have edit rights but wiki mode is turned off
Dan
parents: 256
diff changeset
   369
    {
661beb9b0fa3 Rewrote some security code in PageUtils::savepage to accommodate the ACL system better; there was an issue with non-admin users saving pages on which they have edit rights but wiki mode is turned off
Dan
parents: 256
diff changeset
   370
      return 'You don\'t have the necessary permissions to edit this page.';
661beb9b0fa3 Rewrote some security code in PageUtils::savepage to accommodate the ACL system better; there was an issue with non-admin users saving pages on which they have edit rights but wiki mode is turned off
Dan
parents: 256
diff changeset
   371
    }
661beb9b0fa3 Rewrote some security code in PageUtils::savepage to accommodate the ACL system better; there was an issue with non-admin users saving pages on which they have edit rights but wiki mode is turned off
Dan
parents: 256
diff changeset
   372
    
661beb9b0fa3 Rewrote some security code in PageUtils::savepage to accommodate the ACL system better; there was an issue with non-admin users saving pages on which they have edit rights but wiki mode is turned off
Dan
parents: 256
diff changeset
   373
    // We're skipping the wiki mode check here because by default edit_page pemissions are AUTH_WIKIMODE.
661beb9b0fa3 Rewrote some security code in PageUtils::savepage to accommodate the ACL system better; there was an issue with non-admin users saving pages on which they have edit rights but wiki mode is turned off
Dan
parents: 256
diff changeset
   374
    // The exception here is the user's own userpage, which is overridden at the time of account creation.
661beb9b0fa3 Rewrote some security code in PageUtils::savepage to accommodate the ACL system better; there was an issue with non-admin users saving pages on which they have edit rights but wiki mode is turned off
Dan
parents: 256
diff changeset
   375
    // At that point it's set to AUTH_ALLOW, but obviously only for the user's own userpage.
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   376
    
21
663fcf528726 Updated all version numbers back to Banshee; a few preliminary steps towards full UTF-8 support in page URLs
Dan
parents: 19
diff changeset
   377
    // Strip potentially harmful tags and PHP from the message, dependent upon permissions settings
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   378
    $message = RenderMan::preprocess_text($message, false, false);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   379
    
21
663fcf528726 Updated all version numbers back to Banshee; a few preliminary steps towards full UTF-8 support in page URLs
Dan
parents: 19
diff changeset
   380
    $msg = $db->escape($message);
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   381
    
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   382
    $minor = $minor ? 'true' : 'false';
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   383
    $q='INSERT INTO ' . table_prefix.'logs(log_type,action,time_id,date_string,page_id,namespace,page_text,char_tag,author,edit_summary,minor_edit) VALUES(\'page\', \'edit\', '.time().', \''.date('d M Y h:i a').'\', \'' . $paths->cpage['urlname_nons'] . '\', \'' . $paths->namespace . '\', \'' . $msg . '\', \'' . $uid . '\', \'' . $session->username . '\', \'' . $db->escape(htmlspecialchars($summary)) . '\', ' . $minor . ');';
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   384
    if(!$db->sql_query($q)) $db->_die('The history (log) entry could not be inserted into the logs table.');
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   385
    
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   386
    $q = 'UPDATE ' . table_prefix.'page_text SET page_text=\'' . $msg . '\',char_tag=\'' . $uid . '\' WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\';';
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   387
    $e = $db->sql_query($q);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   388
    if(!$e) $db->_die('Enano was unable to save the page contents. Your changes have been lost <tt>:\'(</tt>.');
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   389
      
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   390
    $paths->rebuild_page_index($page_id, $namespace);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   391
      
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   392
    return 'good';
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   393
  }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   394
  
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   395
  /**
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   396
   * Creates a page, both in memory and in the database.
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   397
   * @param string $page_id
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   398
   * @param string $namespace
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   399
   * @return bool true on success, false on failure
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   400
   */
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   401
  
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   402
  function createPage($page_id, $namespace, $name = false, $visible = 1)
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   403
  {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   404
    global $db, $session, $paths, $template, $plugins; // Common objects
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   405
    if(in_array($namespace, Array('Special', 'Admin')))
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   406
    {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   407
      // echo '<b>Notice:</b> PageUtils::createPage: You can\'t create a special page in the database<br />';
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   408
      return 'You can\'t create a special page in the database';
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   409
    }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   410
    
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   411
    if(!isset($paths->nslist[$namespace]))
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   412
    {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   413
      // echo '<b>Notice:</b> PageUtils::createPage: Couldn\'t look up the namespace<br />';
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   414
      return 'Couldn\'t look up the namespace';
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   415
    }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   416
    
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   417
    $pname = $paths->nslist[$namespace] . $page_id;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   418
    if(isset($paths->pages[$pname]))
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   419
    {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   420
      // echo '<b>Notice:</b> PageUtils::createPage: Page already exists<br />';
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   421
      return 'Page already exists';
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   422
    }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   423
    
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   424
    if(!$session->get_permissions('create_page'))
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   425
    {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   426
      // echo '<b>Notice:</b> PageUtils::createPage: Not authorized to create pages<br />';
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   427
      return 'Not authorized to create pages';
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   428
    }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   429
    
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   430
    if($session->user_level < USER_LEVEL_ADMIN && $namespace == 'System')
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   431
    {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   432
      // echo '<b>Notice:</b> PageUtils::createPage: Not authorized to create system messages<br />';
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   433
      return 'Not authorized to create system messages';
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   434
    }
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   435
    
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   436
    if ( substr($page_id, 0, 8) == 'Project:' )
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   437
    {
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   438
      // echo '<b>Notice:</b> PageUtils::createPage: Prefix "Project:" is reserved<br />';
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   439
      return 'The prefix "Project:" is reserved for a parser shortcut; if a page was created using this prefix, it would not be possible to link to it.';
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   440
    }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   441
    
21
663fcf528726 Updated all version numbers back to Banshee; a few preliminary steps towards full UTF-8 support in page URLs
Dan
parents: 19
diff changeset
   442
    $page_id = dirtify_page_id($page_id);
663fcf528726 Updated all version numbers back to Banshee; a few preliminary steps towards full UTF-8 support in page URLs
Dan
parents: 19
diff changeset
   443
    
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   444
    if ( !$name )
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   445
      $name = str_replace('_', ' ', $page_id);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   446
    $regex = '#^([A-z0-9 _\-\.\/\!\@\(\)]*)$#is';
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   447
    if(!preg_match($regex, $page))
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   448
    {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   449
      //echo '<b>Notice:</b> PageUtils::createPage: Name contains invalid characters<br />';
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   450
      return 'Name contains invalid characters';
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   451
    }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   452
    
21
663fcf528726 Updated all version numbers back to Banshee; a few preliminary steps towards full UTF-8 support in page URLs
Dan
parents: 19
diff changeset
   453
    $page_id = sanitize_page_id( $page_id );
663fcf528726 Updated all version numbers back to Banshee; a few preliminary steps towards full UTF-8 support in page URLs
Dan
parents: 19
diff changeset
   454
    
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   455
    $prot = ( $namespace == 'System' ) ? 1 : 0;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   456
    
112
008b1c42be72 Rewrote all code related to delvote_ips column to use serialize()
Dan
parents: 103
diff changeset
   457
    $ips = array(
008b1c42be72 Rewrote all code related to delvote_ips column to use serialize()
Dan
parents: 103
diff changeset
   458
      'ip' => array(),
008b1c42be72 Rewrote all code related to delvote_ips column to use serialize()
Dan
parents: 103
diff changeset
   459
      'u' => array()
008b1c42be72 Rewrote all code related to delvote_ips column to use serialize()
Dan
parents: 103
diff changeset
   460
      );
008b1c42be72 Rewrote all code related to delvote_ips column to use serialize()
Dan
parents: 103
diff changeset
   461
    
21
663fcf528726 Updated all version numbers back to Banshee; a few preliminary steps towards full UTF-8 support in page URLs
Dan
parents: 19
diff changeset
   462
    $page_data = Array(
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   463
      'name'=>$name,
21
663fcf528726 Updated all version numbers back to Banshee; a few preliminary steps towards full UTF-8 support in page URLs
Dan
parents: 19
diff changeset
   464
      'urlname'=>$page_id,
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   465
      'namespace'=>$namespace,
112
008b1c42be72 Rewrote all code related to delvote_ips column to use serialize()
Dan
parents: 103
diff changeset
   466
      'special'=>0,'visible'=>1,'comments_on'=>0,'protected'=>$prot,'delvotes'=>0,'delvote_ips'=>serialize($ips),'wiki_mode'=>2,
21
663fcf528726 Updated all version numbers back to Banshee; a few preliminary steps towards full UTF-8 support in page URLs
Dan
parents: 19
diff changeset
   467
    );
663fcf528726 Updated all version numbers back to Banshee; a few preliminary steps towards full UTF-8 support in page URLs
Dan
parents: 19
diff changeset
   468
    
663fcf528726 Updated all version numbers back to Banshee; a few preliminary steps towards full UTF-8 support in page URLs
Dan
parents: 19
diff changeset
   469
    // die('PageUtils::createpage: Creating page with this data:<pre>' . print_r($page_data, true) . '</pre>');
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   470
    
21
663fcf528726 Updated all version numbers back to Banshee; a few preliminary steps towards full UTF-8 support in page URLs
Dan
parents: 19
diff changeset
   471
    $paths->add_page($page_data);
663fcf528726 Updated all version numbers back to Banshee; a few preliminary steps towards full UTF-8 support in page URLs
Dan
parents: 19
diff changeset
   472
    
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   473
    $qa = $db->sql_query('INSERT INTO ' . table_prefix.'pages(name,urlname,namespace,visible,protected,delvote_ips) VALUES(\'' . $db->escape($name) . '\', \'' . $db->escape($page_id) . '\', \'' . $namespace . '\', '. ( $visible ? '1' : '0' ) .', ' . $prot . ', \'' . $db->escape(serialize($ips)) . '\');');
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   474
    $qb = $db->sql_query('INSERT INTO ' . table_prefix.'page_text(page_id,namespace) VALUES(\'' . $db->escape($page_id) . '\', \'' . $namespace . '\');');
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   475
    $qc = $db->sql_query('INSERT INTO ' . table_prefix.'logs(time_id,date_string,log_type,action,author,page_id,namespace) VALUES('.time().', \''.date('d M Y h:i a').'\', \'page\', \'create\', \'' . $session->username . '\', \'' . $db->escape($page_id) . '\', \'' . $namespace . '\');');
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   476
    
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   477
    if($qa && $qb && $qc)
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   478
      return 'good';
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   479
    else
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   480
    {
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   481
      return $db->get_error();
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   482
    }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   483
  }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   484
  
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   485
  /**
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   486
   * Sets the protection level on a page.
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   487
   * @param $page_id string the page ID
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   488
   * @param $namespace string the namespace
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   489
   * @param $level int level of protection - 0 is off, 1 is full, 2 is semi
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   490
   * @param $reason string why the page is being (un)protected
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   491
   * @return string - "good" on success, in all other cases, an error string (on query failure, calls $db->_die() )
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   492
   */
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   493
  function protect($page_id, $namespace, $level, $reason)
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   494
  {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   495
    global $db, $session, $paths, $template, $plugins; // Common objects
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   496
    
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   497
    $pname = $paths->nslist[$namespace] . $page_id;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   498
    $wiki = ( ( $paths->pages[$pname]['wiki_mode'] == 2 && getConfig('wiki_mode') == '1') || $paths->pages[$pname]['wiki_mode'] == 1) ? true : false;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   499
    $prot = ( ( $paths->pages[$pname]['protected'] == 2 && $session->user_logged_in && $session->reg_time + 60*60*24*4 < time() ) || $paths->pages[$pname]['protected'] == 1) ? true : false;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   500
    
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   501
    if ( !$session->get_permissions('protect') )
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   502
    {
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   503
      return('Insufficient access rights');
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   504
    }
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   505
    if ( !$wiki )
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   506
    {
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   507
      return('Page protection only has an effect when Wiki Mode is enabled.');
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   508
    }
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   509
    if ( !preg_match('#^([0-9]+){1}$#', (string)$level) )
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   510
    {
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   511
      return('Invalid $level parameter.');
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   512
    }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   513
    
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   514
    switch($level)
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   515
    {
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   516
      case 0:
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   517
        $q = 'INSERT INTO ' . table_prefix.'logs(time_id,date_string,log_type,action,author,page_id,namespace,edit_summary) VALUES('.time().', \''.date('d M Y h:i a').'\', \'page\', \'unprot\', \'' . $session->username . '\', \'' . $page_id . '\', \'' . $namespace . '\', \'' . $db->escape(htmlspecialchars($reason)) . '\');';
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   518
        break;
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   519
      case 1:
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   520
        $q = 'INSERT INTO ' . table_prefix.'logs(time_id,date_string,log_type,action,author,page_id,namespace,edit_summary) VALUES('.time().', \''.date('d M Y h:i a').'\', \'page\', \'prot\', \'' . $session->username . '\', \'' . $page_id . '\', \'' . $namespace . '\', \'' . $db->escape(htmlspecialchars($reason)) . '\');';
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   521
        break;
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   522
      case 2:
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   523
        $q = 'INSERT INTO ' . table_prefix.'logs(time_id,date_string,log_type,action,author,page_id,namespace,edit_summary) VALUES('.time().', \''.date('d M Y h:i a').'\', \'page\', \'semiprot\', \'' . $session->username . '\', \'' . $page_id . '\', \'' . $namespace . '\', \'' . $db->escape(htmlspecialchars($reason)) . '\');';
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   524
        break;
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   525
      default:
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   526
        return 'PageUtils::protect(): Invalid value for $level';
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   527
        break;
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   528
    }
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   529
    if(!$db->sql_query($q)) $db->_die('The log entry for the page protection could not be inserted.');
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   530
    
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   531
    $q = $db->sql_query('UPDATE ' . table_prefix.'pages SET protected=' . $level . ' WHERE urlname=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\';');
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   532
    if ( !$q )
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   533
    {
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   534
      $db->_die('The pages table was not updated.');
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   535
    }
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   536
    
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   537
    return('good');
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   538
  }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   539
  
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   540
  /**
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   541
   * Generates an HTML table with history information in it.
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   542
   * @param $page_id the page ID
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   543
   * @param $namespace the namespace
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   544
   * @return string
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   545
   */
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   546
  
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   547
  function histlist($page_id, $namespace)
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   548
  {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   549
    global $db, $session, $paths, $template, $plugins; // Common objects
213
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
   550
    global $lang;
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   551
    
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   552
    if(!$session->get_permissions('history_view'))
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   553
      return 'Access denied';
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   554
    
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   555
    ob_start();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   556
    
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   557
    $pname = $paths->nslist[$namespace] . $page_id;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   558
    $wiki = ( ( $paths->pages[$pname]['wiki_mode'] == 2 && getConfig('wiki_mode') == '1') || $paths->pages[$pname]['wiki_mode'] == 1) ? true : false;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   559
    $prot = ( ( $paths->pages[$pname]['protected'] == 2 && $session->user_logged_in && $session->reg_time + 60*60*24*4 < time() ) || $paths->pages[$pname]['protected'] == 1) ? true : false;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   560
    
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   561
    $q = 'SELECT time_id,date_string,page_id,namespace,author,edit_summary,minor_edit FROM ' . table_prefix.'logs WHERE log_type=\'page\' AND action=\'edit\' AND page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' ORDER BY time_id DESC;';
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   562
    if(!$db->sql_query($q)) $db->_die('The history data for the page "' . $paths->cpage['name'] . '" could not be selected.');
213
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
   563
    echo $lang->get('history_page_subtitle') . '
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
   564
          <h3>' . $lang->get('history_heading_edits') . '</h3>';
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   565
    $numrows = $db->numrows();
213
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
   566
    if ( $numrows < 1 )
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
   567
    {
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
   568
      echo $lang->get('history_no_entries');
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
   569
    }
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   570
    else
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   571
    {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   572
      echo '<form action="'.makeUrlNS($namespace, $page_id, 'do=diff').'" onsubmit="ajaxHistDiff(); return false;" method="get">
213
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
   573
            <input type="submit" value="' . $lang->get('history_btn_compare') . '" />
115
261f367623af Fixed the obnoxious issue with forms using GET and index.php?title=Foo URL scheme (this works a whole lot better than MediaWiki now
Dan
parents: 112
diff changeset
   574
            ' . ( urlSeparator == '&' ? '<input type="hidden" name="title" value="' . htmlspecialchars($paths->nslist[$namespace] . $page_id) . '" />' : '' ) . '
261f367623af Fixed the obnoxious issue with forms using GET and index.php?title=Foo URL scheme (this works a whole lot better than MediaWiki now
Dan
parents: 112
diff changeset
   575
            ' . ( $session->sid_super ? '<input type="hidden" name="auth"  value="' . $session->sid_super . '" />' : '') . '
261f367623af Fixed the obnoxious issue with forms using GET and index.php?title=Foo URL scheme (this works a whole lot better than MediaWiki now
Dan
parents: 112
diff changeset
   576
            <input type="hidden" name="do" value="diff" />
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   577
            <br /><span>&nbsp;</span>
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   578
            <div class="tblholder">
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   579
            <table border="0" width="100%" cellspacing="1" cellpadding="4">
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   580
            <tr>
213
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
   581
              <th colspan="2">' . $lang->get('history_col_diff') . '</th>
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
   582
              <th>' . $lang->get('history_col_datetime') . '</th>
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
   583
              <th>' . $lang->get('history_col_user') . '</th>
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
   584
              <th>' . $lang->get('history_col_summary') . '</th>
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
   585
              <th>' . $lang->get('history_col_minor') . '</th>
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
   586
              <th colspan="3">' . $lang->get('history_col_actions') . '</th>
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   587
            </tr>'."\n"."\n";
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   588
      $cls = 'row2';
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   589
      $ticker = 0;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   590
      
213
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
   591
      while ( $r = $db->fetchrow() )
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
   592
      {
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   593
        
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   594
        $ticker++;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   595
        
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   596
        if($cls == 'row2') $cls = 'row1';
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   597
        else $cls = 'row2';
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   598
        
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   599
        echo '<tr>'."\n";
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   600
        
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   601
        // Diff selection
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   602
        if($ticker == 1)
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   603
        {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   604
          $s1 = '';
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   605
          $s2 = 'checked="checked" ';
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   606
        }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   607
        elseif($ticker == 2)
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   608
        {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   609
          $s1 = 'checked="checked" ';
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   610
          $s2 = '';
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   611
        }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   612
        else
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   613
        {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   614
          $s1 = '';
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   615
          $s2 = '';
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   616
        }
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   617
        if($ticker > 1)        echo '<td class="' . $cls . '" style="padding: 0;"><input ' . $s1 . 'name="diff1" type="radio" value="' . $r['time_id'] . '" id="diff1_' . $r['time_id'] . '" class="clsDiff1Radio" onclick="selectDiff1Button(this);" /></td>'."\n"; else echo '<td class="' . $cls . '"></td>';
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   618
        if($ticker < $numrows) echo '<td class="' . $cls . '" style="padding: 0;"><input ' . $s2 . 'name="diff2" type="radio" value="' . $r['time_id'] . '" id="diff2_' . $r['time_id'] . '" class="clsDiff2Radio" onclick="selectDiff2Button(this);" /></td>'."\n"; else echo '<td class="' . $cls . '"></td>';
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   619
        
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   620
        // Date and time
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   621
        echo '<td class="' . $cls . '">' . $r['date_string'] . '</td class="' . $cls . '">'."\n";
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   622
        
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   623
        // User
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   624
        if ( $session->get_permissions('mod_misc') && is_valid_ip($r['author']) )
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   625
        {
213
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
   626
          $rc = ' style="cursor: pointer;" title="' . $lang->get('history_tip_rdns') . '" onclick="ajaxReverseDNS(this, \'' . $r['author'] . '\');"';
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   627
        }
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   628
        else
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   629
        {
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   630
          $rc = '';
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   631
        }
285
7846d45bd250 Changed all urlname/page_id columns to varchar(255) because 63 characters just isn't long enough
Dan
parents: 270
diff changeset
   632
        echo '<td class="' . $cls . '"' . $rc . '><a href="'.makeUrlNS('User', sanitize_page_id($r['author'])).'" ';
7846d45bd250 Changed all urlname/page_id columns to varchar(255) because 63 characters just isn't long enough
Dan
parents: 270
diff changeset
   633
        if ( !isPage($paths->nslist['User'] . sanitize_page_id($r['author'])) )
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   634
        {
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   635
          echo 'class="wikilink-nonexistent"';
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   636
        }
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   637
        echo '>' . $r['author'] . '</a></td class="' . $cls . '">'."\n";
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   638
        
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   639
        // Edit summary
213
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
   640
        if ( $r['edit_summary'] == 'Automatic backup created when logs were purged' )
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
   641
        {
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
   642
          $r['edit_summary'] = $lang->get('history_summary_clearlogs');
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
   643
        }
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   644
        echo '<td class="' . $cls . '">' . $r['edit_summary'] . '</td>'."\n";
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   645
        
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   646
        // Minor edit
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   647
        echo '<td class="' . $cls . '" style="text-align: center;">'. (( $r['minor_edit'] ) ? 'M' : '' ) .'</td>'."\n";
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   648
        
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   649
        // Actions!
213
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
   650
        echo '<td class="' . $cls . '" style="text-align: center;"><a href="'.makeUrlNS($namespace, $page_id, 'oldid=' . $r['time_id']) . '" onclick="ajaxHistView(\'' . $r['time_id'] . '\'); return false;">' . $lang->get('history_action_view') . '</a></td>'."\n";
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
   651
        echo '<td class="' . $cls . '" style="text-align: center;"><a href="'.makeUrl($paths->nslist['Special'].'Contributions/' . $r['author']) . '">' . $lang->get('history_action_contrib') . '</a></td>'."\n";
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
   652
        echo '<td class="' . $cls . '" style="text-align: center;"><a href="'.makeUrlNS($namespace, $page_id, 'do=rollback&amp;id=' . $r['time_id']) . '" onclick="ajaxRollback(\'' . $r['time_id'] . '\'); return false;">' . $lang->get('history_action_restore') . '</a></td>'."\n";
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   653
        
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   654
        echo '</tr>'."\n"."\n";
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   655
        
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   656
      }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   657
      echo '</table>
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   658
            </div>
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   659
            <br />
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   660
            <input type="hidden" name="do" value="diff" />
213
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
   661
            <input type="submit" value="' . $lang->get('history_btn_compare') . '" />
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   662
            </form>
57
b354deeaa4c4 Vastly improved compatibility with older versions of IE, particularly 5.0, through the use of a kill switch that turns off all AJAX functions
Dan
parents: 40
diff changeset
   663
            <script type="text/javascript">if ( !KILL_SWITCH ) { buildDiffList(); }</script>';
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   664
    }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   665
    $db->free_result();
213
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
   666
    echo '<h3>' . $lang->get('history_heading_other') . '</h3>';
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   667
    $q = 'SELECT time_id,action,date_string,page_id,namespace,author,edit_summary,minor_edit FROM ' . table_prefix.'logs WHERE log_type=\'page\' AND action!=\'edit\' AND page_id=\'' . $paths->cpage['urlname_nons'] . '\' AND namespace=\'' . $paths->namespace . '\' ORDER BY time_id DESC;';
213
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
   668
    if ( !$db->sql_query($q) )
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
   669
    {
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
   670
      $db->_die('The history data for the page "' . htmlspecialchars($paths->cpage['name']) . '" could not be selected.');
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
   671
    }
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
   672
    if ( $db->numrows() < 1 )
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
   673
    {
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
   674
      echo $lang->get('history_no_entries');
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
   675
    }
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
   676
    else
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
   677
    {
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   678
      
213
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
   679
      echo '<div class="tblholder">
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
   680
              <table border="0" width="100%" cellspacing="1" cellpadding="4"><tr>
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
   681
                <th>' . $lang->get('history_col_datetime') . '</th>
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
   682
                <th>' . $lang->get('history_col_user') . '</th>
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
   683
                <th>' . $lang->get('history_col_minor') . '</th>
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
   684
                <th>' . $lang->get('history_col_action_taken') . '</th>
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
   685
                <th>' . $lang->get('history_col_extra') . '</th>
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
   686
                <th colspan="2"></th>
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
   687
              </tr>';
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   688
      $cls = 'row2';
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   689
      while($r = $db->fetchrow()) {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   690
        
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   691
        if($cls == 'row2') $cls = 'row1';
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   692
        else $cls = 'row2';
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   693
        
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   694
        echo '<tr>';
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   695
        
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   696
        // Date and time
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   697
        echo '<td class="' . $cls . '">' . $r['date_string'] . '</td class="' . $cls . '">';
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   698
        
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   699
        // User
285
7846d45bd250 Changed all urlname/page_id columns to varchar(255) because 63 characters just isn't long enough
Dan
parents: 270
diff changeset
   700
        echo '<td class="' . $cls . '"><a href="'.makeUrlNS('User', sanitize_page_id($r['author'])).'" ';
7846d45bd250 Changed all urlname/page_id columns to varchar(255) because 63 characters just isn't long enough
Dan
parents: 270
diff changeset
   701
        if(!isPage($paths->nslist['User'] . sanitize_page_id($r['author']))) echo 'class="wikilink-nonexistent"';
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   702
        echo '>' . $r['author'] . '</a></td class="' . $cls . '">';
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   703
        
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   704
        
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   705
        // Minor edit
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   706
        echo '<td class="' . $cls . '" style="text-align: center;">'. (( $r['minor_edit'] ) ? 'M' : '' ) .'</td>';
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   707
        
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   708
        // Action taken
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   709
        echo '<td class="' . $cls . '">';
81
d7fc25acd3f3 Replaced the menu in the admin theme with something much more visually pleasureable; minor fix in Special:UploadFile; finished patching a couple of XSS problems from Banshee; finished Admin:PageGroups; removed unneeded code in flyin.js; finished tag system (except tag cloud); 1.0.1 release candidate
Dan
parents: 78
diff changeset
   710
        // Some of these are sanitized at insert-time. Others follow the newer Enano policy of stripping HTML at runtime.
213
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
   711
        if    ($r['action']=='prot')     echo $lang->get('history_log_protect') . '</td><td class="' . $cls . '">' . $lang->get('history_extra_reason') . ' ' . $r['edit_summary'];
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
   712
        elseif($r['action']=='unprot')   echo $lang->get('history_log_unprotect') . '</td><td class="' . $cls . '">' . $lang->get('history_extra_reason') . ' ' . $r['edit_summary'];
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
   713
        elseif($r['action']=='semiprot') echo $lang->get('history_log_semiprotect') . '</td><td class="' . $cls . '">' . $lang->get('history_extra_reason') . ' ' . $r['edit_summary'];
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
   714
        elseif($r['action']=='rename')   echo $lang->get('history_log_rename') . '</td><td class="' . $cls . '">' . $lang->get('history_extra_oldtitle') . ' '.htmlspecialchars($r['edit_summary']);
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
   715
        elseif($r['action']=='create')   echo $lang->get('history_log_create') . '</td><td class="' . $cls . '">';
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
   716
        elseif($r['action']=='delete')   echo $lang->get('history_log_delete') . '</td><td class="' . $cls . '">' . $lang->get('history_extra_reason') . ' ' . $r['edit_summary'];
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
   717
        elseif($r['action']=='reupload') echo $lang->get('history_log_uploadnew') . '</td><td class="' . $cls . '">' . $lang->get('history_extra_reason') . ' '.htmlspecialchars($r['edit_summary']);
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   718
        echo '</td>';
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   719
        
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   720
        // Actions!
213
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
   721
        echo '<td class="' . $cls . '" style="text-align: center;"><a href="'.makeUrl($paths->nslist['Special'].'Contributions/' . $r['author']) . '">' . $lang->get('history_action_contrib') . '</a></td>';
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
   722
        echo '<td class="' . $cls . '" style="text-align: center;"><a href="'.makeUrlNS($namespace, $page_id, 'do=rollback&amp;id=' . $r['time_id']) . '" onclick="ajaxRollback(\'' . $r['time_id'] . '\'); return false;">' . $lang->get('history_action_revert') . '</a></td>';
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   723
        
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   724
        echo '</tr>';
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   725
      }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   726
      echo '</table></div>';
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   727
    }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   728
    $db->free_result();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   729
    $ret = ob_get_contents();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   730
    ob_end_clean();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   731
    return $ret;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   732
  }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   733
  
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   734
  /**
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   735
   * Rolls back a logged action
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   736
   * @param $id the time ID, a.k.a. the primary key in the logs table
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   737
   * @return string
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   738
   */
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   739
   
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   740
  function rollback($id)
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   741
  {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   742
    global $db, $session, $paths, $template, $plugins; // Common objects
158
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   743
    if ( !$session->get_permissions('history_rollback') )
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   744
    {
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   745
      return('You are not authorized to perform rollbacks.');
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   746
    }
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   747
    if ( !preg_match('#^([0-9]+)$#', (string)$id) )
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   748
    {
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   749
      return('The value "id" on the query string must be an integer.');
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   750
    }
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   751
    $e = $db->sql_query('SELECT log_type,action,date_string,page_id,namespace,page_text,char_tag,author,edit_summary FROM ' . table_prefix.'logs WHERE time_id=' . $id . ';');
158
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   752
    if ( !$e )
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   753
    {
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   754
      $db->_die('The rollback data could not be selected.');
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   755
    }
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   756
    $rb = $db->fetchrow();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   757
    $db->free_result();
158
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   758
    
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   759
    if ( $rb['log_type'] == 'page' && $rb['action'] != 'delete' )
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   760
    {
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   761
      $pagekey = $paths->nslist[$rb['namespace']] . $rb['page_id'];
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   762
      if ( !isset($paths->pages[$pagekey]) )
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   763
      {
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   764
        return "Page doesn't exist";
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   765
      }
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   766
      $pagedata =& $paths->pages[$pagekey];
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   767
      $protected = false;
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   768
      // Special case: is the page protected? if so, check for even_when_protected permissions
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   769
      if($pagedata['protected'] == 2)
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   770
      {
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   771
        // The page is semi-protected, determine permissions
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   772
        if($session->user_logged_in && $session->reg_time + 60*60*24*4 < time()) 
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   773
        {
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   774
          $protected = false;
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   775
        }
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   776
        else
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   777
        {
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   778
          $protected = true;
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   779
        }
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   780
      }
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   781
      else
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   782
      {
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   783
        $protected = ( $pagedata['protected'] == 1 );
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   784
      }
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   785
      
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   786
      $perms = $session->fetch_page_acl($rb['page_id'], $rb['namespace']);
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   787
      
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   788
      if ( $protected && !$perms->get_permissions('even_when_protected') )
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   789
      {
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   790
        return "Because this page is protected, you need moderator rights to roll back changes.";
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   791
      }
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   792
    }
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   793
    else
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   794
    {
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   795
      $perms =& $session;
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   796
    }
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   797
    
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   798
    switch($rb['log_type'])
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   799
    {
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   800
      case "page":
158
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   801
        switch($rb['action'])
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   802
        {
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   803
          case "edit":
158
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   804
            if ( !$perms->get_permissions('edit_page') )
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   805
              return "You don't have permission to edit pages, so rolling back edits can't be allowed either.";
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   806
            $t = $db->escape($rb['page_text']);
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   807
            $e = $db->sql_query('UPDATE ' . table_prefix.'page_text SET page_text=\'' . $t . '\',char_tag=\'' . $rb['char_tag'] . '\' WHERE page_id=\'' . $rb['page_id'] . '\' AND namespace=\'' . $rb['namespace'] . '\'');
158
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   808
            if ( !$e )
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   809
            {
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   810
              return("An error occurred during the rollback operation.\nMySQL said: ".mysql_error()."\n\nSQL backtrace:\n".$db->sql_backtrace());
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   811
            }
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   812
            else
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   813
            {
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   814
              return 'The page "' . $paths->pages[$paths->nslist[$rb['namespace']].$rb['page_id']]['name'].'" has been rolled back to the state it was in on ' . $rb['date_string'] . '.';
158
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   815
            }
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   816
            break;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   817
          case "rename":
158
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   818
            if ( !$perms->get_permissions('rename') )
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   819
              return "You don't have permission to rename pages, so rolling back renames can't be allowed either.";
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   820
            $t = $db->escape($rb['edit_summary']);
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   821
            $e = $db->sql_query('UPDATE ' . table_prefix.'pages SET name=\'' . $t . '\' WHERE urlname=\'' . $rb['page_id'] . '\' AND namespace=\'' . $rb['namespace'] . '\'');
158
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   822
            if ( !$e )
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   823
            {
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   824
              return "An error occurred during the rollback operation.\nMySQL said: ".mysql_error()."\n\nSQL backtrace:\n".$db->sql_backtrace();
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   825
            }
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   826
            else
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   827
            {
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   828
              return 'The page "' . $paths->pages[$paths->nslist[$rb['namespace']].$rb['page_id']]['name'].'" has been rolled back to the name it had ("' . $rb['edit_summary'] . '") before ' . $rb['date_string'] . '.';
158
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   829
            }
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   830
            break;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   831
          case "prot":
158
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   832
            if ( !$perms->get_permissions('protect') )
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   833
              return "You don't have permission to protect pages, so rolling back protection can't be allowed either.";
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   834
            $e = $db->sql_query('UPDATE ' . table_prefix.'pages SET protected=0 WHERE urlname=\'' . $rb['page_id'] . '\' AND namespace=\'' . $rb['namespace'] . '\'');
158
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   835
            if ( !$e )
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   836
              return "An error occurred during the rollback operation.\nMySQL said: ".mysql_error()."\n\nSQL backtrace:\n".$db->sql_backtrace();
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   837
            else
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   838
              return 'The page "' . $paths->pages[$paths->nslist[$rb['namespace']].$rb['page_id']]['name'].'" has been unprotected according to the log created at ' . $rb['date_string'] . '.';
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   839
            break;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   840
          case "semiprot":
158
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   841
            if ( !$perms->get_permissions('protect') )
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   842
              return "You don't have permission to protect pages, so rolling back protection can't be allowed either.";
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   843
            $e = $db->sql_query('UPDATE ' . table_prefix.'pages SET protected=0 WHERE urlname=\'' . $rb['page_id'] . '\' AND namespace=\'' . $rb['namespace'] . '\'');
158
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   844
            if ( !$e )
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   845
              return "An error occurred during the rollback operation.\nMySQL said: ".mysql_error()."\n\nSQL backtrace:\n".$db->sql_backtrace();
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   846
            else
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   847
              return 'The page "' . $paths->pages[$paths->nslist[$rb['namespace']].$rb['page_id']]['name'].'" has been unprotected according to the log created at ' . $rb['date_string'] . '.';
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   848
            break;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   849
          case "unprot":
158
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   850
            if ( !$perms->get_permissions('protect') )
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   851
              return "You don't have permission to protect pages, so rolling back protection can't be allowed either.";
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   852
            $e = $db->sql_query('UPDATE ' . table_prefix.'pages SET protected=1 WHERE urlname=\'' . $rb['page_id'] . '\' AND namespace=\'' . $rb['namespace'] . '\'');
158
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   853
            if ( !$e )
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   854
              return "An error occurred during the rollback operation.\nMySQL said: ".mysql_error()."\n\nSQL backtrace:\n".$db->sql_backtrace();
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   855
            else
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   856
              return 'The page "' . $paths->pages[$paths->nslist[$rb['namespace']].$rb['page_id']]['name'].'" has been protected according to the log created at ' . $rb['date_string'] . '.';
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   857
            break;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   858
          case "delete":
158
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   859
            if ( !$perms->get_permissions('history_rollback_extra') )
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   860
              return 'Administrative privileges are required for page undeletion.';
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   861
            if ( isset($paths->pages[$paths->cpage['urlname']]) )
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   862
              return 'You cannot raise a dead page that is alive.';
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   863
            $name = str_replace('_', ' ', $rb['page_id']);
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   864
            $e = $db->sql_query('INSERT INTO ' . table_prefix.'pages(name,urlname,namespace) VALUES( \'' . $name . '\', \'' . $rb['page_id'] . '\',\'' . $rb['namespace'] . '\' )');if(!$e) return("An error occurred during the rollback operation.\nMySQL said: ".mysql_error()."\n\nSQL backtrace:\n".$db->sql_backtrace());
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   865
            $e = $db->sql_query('SELECT page_text,char_tag FROM ' . table_prefix.'logs WHERE page_id=\'' . $rb['page_id'] . '\' AND namespace=\'' . $rb['namespace'] . '\' AND log_type=\'page\' AND action=\'edit\' ORDER BY time_id DESC;'); if(!$e) return("An error occurred during the rollback operation.\nMySQL said: ".mysql_error()."\n\nSQL backtrace:\n".$db->sql_backtrace());
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   866
            $r = $db->fetchrow();
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   867
            $e = $db->sql_query('INSERT INTO ' . table_prefix.'page_text(page_id,namespace,page_text,char_tag) VALUES(\'' . $rb['page_id'] . '\',\'' . $rb['namespace'] . '\',\'' . $db->escape($r['page_text']) . '\',\'' . $r['char_tag'] . '\')'); if(!$e) return("An error occurred during the rollback operation.\nMySQL said: ".mysql_error()."\n\nSQL backtrace:\n".$db->sql_backtrace());
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   868
            return 'The page "' . $name . '" has been undeleted according to the log created at ' . $rb['date_string'] . '.';
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   869
            break;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   870
          case "reupload":
234
d5dff8148dfe Renaming config.php and .htaccess to *.new to allow tarbombing an Enano installation with no adverse effects; first attempt, may not work right.
Dan
parents: 194
diff changeset
   871
            if ( !$session->get_permissions('history_rollback_extra') )
158
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   872
            {
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   873
              return 'Administrative privileges are required for file rollbacks.';
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   874
            }
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   875
            $newtime = time();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   876
            $newdate = date('d M Y h:i a');
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   877
            if(!$db->sql_query('UPDATE ' . table_prefix.'logs SET time_id=' . $newtime . ',date_string=\'' . $newdate . '\' WHERE time_id=' . $id))
158
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   878
              return 'Error during query: '.mysql_error();
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   879
            if(!$db->sql_query('UPDATE ' . table_prefix.'files SET time_id=' . $newtime . ' WHERE time_id=' . $id))
158
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   880
              return 'Error during query: '.mysql_error();
ebf00a7d21db SECURITY: tightened up validation for rollbacks
Dan
parents: 142
diff changeset
   881
            return 'The file has been rolled back to the version uploaded on '.date('d M Y h:i a', (int)$id).'.';
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   882
            break;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   883
          default:
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   884
            return('Rollback of the action "' . $rb['action'] . '" is not yet supported.');
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   885
            break;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   886
        }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   887
        break;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   888
      case "security":
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   889
      case "login":
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   890
        return('A ' . $rb['log_type'] . '-related log entry cannot be rolled back.');
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   891
        break;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   892
      default:
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   893
        return('Unknown log entry type: "' . $rb['log_type'] . '"');
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   894
    }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   895
  }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   896
  
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   897
  /**
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   898
   * Posts a comment.
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   899
   * @param $page_id the page ID
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   900
   * @param $namespace the namespace
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   901
   * @param $name the name of the person posting, defaults to current username/IP
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   902
   * @param $subject the subject line of the comment
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   903
   * @param $text the comment text
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   904
   * @return string javascript code
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   905
   */
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   906
   
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   907
  function addcomment($page_id, $namespace, $name, $subject, $text, $captcha_code = false, $captcha_id = false)
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   908
  {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   909
    global $db, $session, $paths, $template, $plugins; // Common objects
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   910
    $_ob = '';
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   911
    if(!$session->get_permissions('post_comments'))
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   912
      return 'Access denied';
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   913
    if(getConfig('comments_need_login') == '2' && !$session->user_logged_in) _die('Access denied to post comments: you need to be logged in first.');
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   914
    if(getConfig('comments_need_login') == '1' && !$session->user_logged_in)
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   915
    {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   916
      if(!$captcha_code || !$captcha_id) _die('BUG: PageUtils::addcomment: no CAPTCHA data passed to method');
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   917
      $result = $session->get_captcha($captcha_id);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   918
      if($captcha_code != $result) _die('The confirmation code you entered was incorrect.');
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   919
    }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   920
    $text = RenderMan::preprocess_text($text);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   921
    $name = $session->user_logged_in ? RenderMan::preprocess_text($session->username) : RenderMan::preprocess_text($name);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   922
    $subj = RenderMan::preprocess_text($subject);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   923
    if(getConfig('approve_comments')=='1') $appr = '0'; else $appr = '1';
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   924
    $q = 'INSERT INTO ' . table_prefix.'comments(page_id,namespace,subject,comment_data,name,user_id,approved,time) VALUES(\'' . $page_id . '\',\'' . $namespace . '\',\'' . $subj . '\',\'' . $text . '\',\'' . $name . '\',' . $session->user_id . ',' . $appr . ','.time().')';
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   925
    $e = $db->sql_query($q);
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   926
    if(!$e) die('alert(unescape(\''.rawurlencode('Error inserting comment data: '.mysql_error().'\n\nQuery:\n' . $q) . '\'))');
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   927
    else $_ob .= '<div class="info-box">Your comment has been posted.</div>';
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   928
    return PageUtils::comments($page_id, $namespace, false, Array(), $_ob);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   929
  }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   930
  
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   931
  /**
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   932
   * Generates partly-compiled HTML/Javascript code to be eval'ed by the user's browser to display comments
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   933
   * @param $page_id the page ID
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   934
   * @param $namespace the namespace
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   935
   * @param $action administrative action to perform, default is false
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   936
   * @param $flags additional info for $action, shouldn't be used except when deleting/approving comments, etc.
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   937
   * @param $_ob text to prepend to output, used by PageUtils::addcomment
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   938
   * @return array
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   939
   * @access private
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   940
   */
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   941
   
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   942
  function comments_raw($page_id, $namespace, $action = false, $flags = Array(), $_ob = '')
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   943
  {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   944
    global $db, $session, $paths, $template, $plugins; // Common objects
213
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
   945
    global $lang;
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   946
    
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   947
    $pname = $paths->nslist[$namespace] . $page_id;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   948
    
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   949
    ob_start();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   950
    
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   951
    if($action && $session->get_permissions('mod_comments')) // Nip hacking attempts in the bud
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   952
    {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   953
      switch($action) {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   954
      case "delete":
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   955
        if(isset($flags['id']))
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   956
        {
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   957
          $q = 'DELETE FROM ' . table_prefix.'comments WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND comment_id='.intval($flags['id']).' LIMIT 1;';
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   958
        } else {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   959
          $n = $db->escape($flags['name']);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   960
          $s = $db->escape($flags['subj']);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   961
          $t = $db->escape($flags['text']);
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   962
          $q = 'DELETE FROM ' . table_prefix.'comments WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND name=\'' . $n . '\' AND subject=\'' . $s . '\' AND comment_data=\'' . $t . '\' LIMIT 1;';
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   963
        }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   964
        $e=$db->sql_query($q);
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   965
        if(!$e) die('alert(unesape(\''.rawurlencode('Error during query: '.mysql_error().'\n\nQuery:\n' . $q) . '\'));');
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   966
        break;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   967
      case "approve":
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   968
        if(isset($flags['id']))
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   969
        {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   970
          $where = 'comment_id='.intval($flags['id']);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   971
        } else {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   972
          $n = $db->escape($flags['name']);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   973
          $s = $db->escape($flags['subj']);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   974
          $t = $db->escape($flags['text']);
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   975
          $where = 'name=\'' . $n . '\' AND subject=\'' . $s . '\' AND comment_data=\'' . $t . '\'';
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   976
        }
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   977
        $q = 'SELECT approved FROM ' . table_prefix.'comments WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND ' . $where . ' LIMIT 1;';
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   978
        $e = $db->sql_query($q);
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   979
        if(!$e) die('alert(unesape(\''.rawurlencode('Error selecting approval status: '.mysql_error().'\n\nQuery:\n' . $q) . '\'));');
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   980
        $r = $db->fetchrow();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   981
        $db->free_result();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   982
        $a = ( $r['approved'] ) ? '0' : '1';
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   983
        $q = 'UPDATE ' . table_prefix.'comments SET approved=' . $a . ' WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND ' . $where . ';';
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   984
        $e=$db->sql_query($q);
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   985
        if(!$e) die('alert(unesape(\''.rawurlencode('Error during query: '.mysql_error().'\n\nQuery:\n' . $q) . '\'));');
213
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
   986
        if($a=='1') $v = $lang->get('comment_btn_mod_unapprove');
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
   987
        else $v = $lang->get('comment_btn_mod_approve');
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
   988
        echo 'document.getElementById("mdgApproveLink'.intval($_GET['id']).'").innerHTML="' . $v . '";';
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   989
        break;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   990
      }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   991
    }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   992
    
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   993
    if(!defined('ENANO_TEMPLATE_LOADED'))
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   994
    {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   995
      $template->load_theme($session->theme, $session->style);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   996
    }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   997
    
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   998
    $tpl = $template->makeParser('comment.tpl');
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
   999
    
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1000
    $e = $db->sql_query('SELECT * FROM ' . table_prefix.'comments WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND approved=0;');
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1001
    if(!$e) $db->_die('The comment text data could not be selected.');
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1002
    $num_unapp = $db->numrows();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1003
    $db->free_result();
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1004
    $e = $db->sql_query('SELECT * FROM ' . table_prefix.'comments WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND approved=1;');
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1005
    if(!$e) $db->_die('The comment text data could not be selected.');
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1006
    $num_app = $db->numrows();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1007
    $db->free_result();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1008
    $lq = $db->sql_query('SELECT c.comment_id,c.subject,c.name,c.comment_data,c.approved,c.time,c.user_id,u.user_level,u.signature
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1009
                  FROM ' . table_prefix.'comments AS c
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1010
                  LEFT JOIN ' . table_prefix.'users AS u
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1011
                    ON c.user_id=u.user_id
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1012
                  WHERE page_id=\'' . $page_id . '\'
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1013
                  AND namespace=\'' . $namespace . '\' ORDER BY c.time ASC;');
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1014
    if(!$lq) _die('The comment text data could not be selected. '.mysql_error());
213
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
  1015
    $_ob .= '<h3>' . $lang->get('comment_heading') . '</h3>';
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
  1016
    
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1017
    $n = ( $session->get_permissions('mod_comments')) ? $db->numrows() : $num_app;
213
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
  1018
    
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
  1019
    $subst = array(
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
  1020
        'num_comments' => $n,
226
0e6478521004 Fixed the one FIXME in PageUtils regarding static HTML comment system's greeting line; fixed parsing of external links in template->tplWikiFormat
Dan
parents: 219
diff changeset
  1021
        'page_type' => $template->namespace_string
213
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
  1022
      );
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
  1023
    
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
  1024
    $_ob .= '<p>';
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
  1025
    $_ob .= ( $n == 0 ) ? $lang->get('comment_msg_count_zero', $subst) : ( $n == 1 ? $lang->get('comment_msg_count_one', $subst) : $lang->get('comment_msg_count_plural', $subst) );
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
  1026
    
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
  1027
    if ( $session->get_permissions('mod_comments') && $num_unapp > 0 )
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1028
    {
213
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
  1029
      $_ob .= ' <span style="color: #D84308">' . $lang->get('comment_msg_count_unapp_mod', array( 'num_unapp' => $num_unapp )) . '</span>';
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
  1030
    }
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
  1031
    else if ( !$session->get_permissions('mod_comments') && $num_unapp > 0 )
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
  1032
    {
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
  1033
      $ls = ( $num_unapp == 1 ) ? 'comment_msg_count_unapp_one' : 'comment_msg_count_unapp_plural';
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
  1034
      $_ob .= ' <span>' . $lang->get($ls, array( 'num_unapp' => $num_unapp )) . '</span>';
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
  1035
    }
78
4df25dfdde63 Modified Text_Wiki parser to fully support UTF-8 strings; several other UTF-8 fixes, international characters seem to work reasonably well now
Dan
parents: 73
diff changeset
  1036
    $_ob .= '</p>';
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1037
    $list = 'list = { ';
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1038
    // _die(htmlspecialchars($ttext));
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1039
    $i = -1;
213
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
  1040
    while ( $row = $db->fetchrow($lq) )
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1041
    {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1042
      $i++;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1043
      $strings = Array();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1044
      $bool = Array();
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1045
      if ( $session->get_permissions('mod_comments') || $row['approved'] )
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1046
      {
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1047
        $list .= $i . ' : { \'comment\' : unescape(\''.rawurlencode($row['comment_data']).'\'), \'name\' : unescape(\''.rawurlencode($row['name']).'\'), \'subject\' : unescape(\''.rawurlencode($row['subject']).'\'), }, ';
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1048
        
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1049
        // Comment ID (used in the Javascript apps)
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1050
        $strings['ID'] = (string)$i;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1051
        
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1052
        // Determine the name, and whether to link to the user page or not
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1053
        $name = '';
304
e2cb5f1432c8 Merging in the newly stable Coblynau
Dan
parents: 271 285
diff changeset
  1054
        if($row['user_id'] > 1) $name .= '<a href="'.makeUrlNS('User', sanitize_page_id(' ', '_', $row['name'])).'">';
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1055
        $name .= $row['name'];
213
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
  1056
        if($row['user_id'] > 1) $name .= '</a>';
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1057
        $strings['NAME'] = $name; unset($name);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1058
        
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1059
        // Subject
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1060
        $s = $row['subject'];
213
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
  1061
        if(!$row['approved']) $s .= ' <span style="color: #D84308">' . $lang->get('comment_msg_note_unapp') . '</span>';
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1062
        $strings['SUBJECT'] = $s;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1063
        
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1064
        // Date and time
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1065
        $strings['DATETIME'] = date('F d, Y h:i a', $row['time']);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1066
        
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1067
        // User level
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1068
        switch($row['user_level'])
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1069
        {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1070
          default:
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1071
          case USER_LEVEL_GUEST:
213
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
  1072
            $l = $lang->get('user_type_guest');
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1073
            break;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1074
          case USER_LEVEL_MEMBER:
213
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
  1075
          case USER_LEVEL_CHPREF:
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
  1076
            $l = $lang->get('user_type_member');
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1077
            break;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1078
          case USER_LEVEL_MOD:
213
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
  1079
            $l = $lang->get('user_type_mod');
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1080
            break;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1081
          case USER_LEVEL_ADMIN:
213
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
  1082
            $l = $lang->get('user_type_admin');
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1083
            break;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1084
        }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1085
        $strings['USER_LEVEL'] = $l; unset($l);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1086
        
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1087
        // The actual comment data
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1088
        $strings['DATA'] = RenderMan::render($row['comment_data']);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1089
        
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1090
        if($session->get_permissions('edit_comments'))
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1091
        {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1092
          // Edit link
213
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
  1093
          $strings['EDIT_LINK'] = '<a href="'.makeUrlNS($namespace, $page_id, 'do=comments&amp;sub=editcomment&amp;id=' . $row['comment_id']) . '" id="editbtn_' . $i . '">' . $lang->get('comment_btn_edit') . '</a>';
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1094
        
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1095
          // Delete link
213
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
  1096
          $strings['DELETE_LINK'] = '<a href="'.makeUrlNS($namespace, $page_id, 'do=comments&amp;sub=deletecomment&amp;id=' . $row['comment_id']) . '">' . $lang->get('comment_btn_delete') . '</a>';
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1097
        }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1098
        else
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1099
        {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1100
          // Edit link
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1101
          $strings['EDIT_LINK'] = '';
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1102
        
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1103
          // Delete link
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1104
          $strings['DELETE_LINK'] = '';
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1105
        }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1106
        
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1107
        // Send PM link
213
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
  1108
        $strings['SEND_PM_LINK'] = ( $session->user_logged_in && $row['user_id'] > 1 ) ? '<a href="'.makeUrlNS('Special', 'PrivateMessages/Compose/To/' . $row['name']) . '">' . $lang->get('comment_btn_send_privmsg') . '</a><br />' : '';
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1109
        
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1110
        // Add Buddy link
213
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
  1111
        $strings['ADD_BUDDY_LINK'] = ( $session->user_logged_in && $row['user_id'] > 1 ) ? '<a href="'.makeUrlNS('Special', 'PrivateMessages/FriendList/Add/' . $row['name']) . '">' . $lang->get('comment_btn_add_buddy') . '</a>' : '';
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1112
        
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1113
        // Mod links
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1114
        $applink = '';
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1115
        $applink .= '<a href="'.makeUrlNS($namespace, $page_id, 'do=comments&amp;sub=admin&amp;action=approve&amp;id=' . $row['comment_id']) . '" id="mdgApproveLink' . $i . '">';
213
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
  1116
        if($row['approved']) $applink .= $lang->get('comment_btn_mod_unapprove');
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
  1117
        else $applink .= $lang->get('comment_btn_mod_approve');
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1118
        $applink .= '</a>';
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1119
        $strings['MOD_APPROVE_LINK'] = $applink; unset($applink);
213
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
  1120
        $strings['MOD_DELETE_LINK'] = '<a href="'.makeUrlNS($namespace, $page_id, 'do=comments&amp;sub=admin&amp;action=delete&amp;id=' . $row['comment_id']) . '">' . $lang->get('comment_btn_mod_delete') . '</a>';
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1121
        
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1122
        // Signature
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1123
        $strings['SIGNATURE'] = '';
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1124
        if($row['signature'] != '') $strings['SIGNATURE'] = RenderMan::render($row['signature']);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1125
        
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1126
        $bool['auth_mod'] = ($session->get_permissions('mod_comments')) ? true : false;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1127
        $bool['can_edit'] = ( ( $session->user_logged_in && $row['name'] == $session->username && $session->get_permissions('edit_comments') ) || $session->get_permissions('mod_comments') ) ? true : false;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1128
        $bool['signature'] = ( $strings['SIGNATURE'] == '' ) ? false : true;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1129
        
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1130
        // Done processing and compiling, now let's cook it into HTML
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1131
        $tpl->assign_vars($strings);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1132
        $tpl->assign_bool($bool);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1133
        $_ob .= $tpl->run();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1134
      }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1135
    }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1136
    if(getConfig('comments_need_login') != '2' || $session->user_logged_in)
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1137
    {
213
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
  1138
      if($session->get_permissions('post_comments'))
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1139
      {
213
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
  1140
        $_ob .= '<h3>' . $lang->get('comment_postform_title') . '</h3>';
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
  1141
        $_ob .= $lang->get('comment_postform_blurb');
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
  1142
        if(getConfig('approve_comments')=='1') $_ob .= ' ' . $lang->get('comment_postform_blurb_unapp');
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
  1143
        if(getConfig('comments_need_login') == '1' && !$session->user_logged_in)
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
  1144
        {
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
  1145
          $_ob .= ' ' . $lang->get('comment_postform_blurb_captcha');
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
  1146
        }
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1147
        $sn = $session->user_logged_in ? $session->username . '<input name="name" id="mdgScreenName" type="hidden" value="' . $session->username . '" />' : '<input name="name" id="mdgScreenName" type="text" size="35" />';
213
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
  1148
        $_ob .= '  <a href="#" id="mdgCommentFormLink" style="display: none;" onclick="document.getElementById(\'mdgCommentForm\').style.display=\'block\';this.style.display=\'none\';return false;">' . $lang->get('comment_postform_blurb_link') . '</a>
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1149
        <div id="mdgCommentForm">
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1150
        <form action="'.makeUrlNS($namespace, $page_id, 'do=comments&amp;sub=postcomment').'" method="post" style="margin-left: 1em">
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1151
        <table border="0">
213
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
  1152
        <tr><td>' . $lang->get('comment_postform_field_name') . '</td><td>' . $sn . '</td></tr>
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
  1153
        <tr><td>' . $lang->get('comment_postform_field_subject') . '</td><td><input name="subj" id="mdgSubject" type="text" size="35" /></td></tr>';
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1154
        if(getConfig('comments_need_login') == '1' && !$session->user_logged_in)
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1155
        {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1156
          $session->kill_captcha();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1157
          $captcha = $session->make_captcha();
213
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
  1158
          $_ob .= '<tr><td>' . $lang->get('comment_postform_field_captcha_title') . '<br /><small>' . $lang->get('comment_postform_field_captcha_blurb') . '</small></td><td><img src="'.makeUrlNS('Special', 'Captcha/' . $captcha) . '" alt="Visual confirmation" style="cursor: pointer;" onclick="this.src = \''.makeUrlNS("Special", "Captcha/".$captcha).'/\'+Math.floor(Math.random() * 100000);" /><input name="captcha_id" id="mdgCaptchaID" type="hidden" value="' . $captcha . '" /><br />' . $lang->get('comment_postform_field_captcha_label') . ' <input name="captcha_input" id="mdgCaptchaInput" type="text" size="10" /><br /><small><script type="text/javascript">document.write("' . $lang->get('comment_postform_field_captcha_cantread_js') . '");</script><noscript>' . $lang->get('comment_postform_field_captcha_cantread_nojs') . '</noscript></small></td></tr>';
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1159
        }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1160
        $_ob .= '
213
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
  1161
        <tr><td valign="top">' . $lang->get('comment_postform_field_comment') . '</td><td><textarea name="text" id="mdgCommentArea" rows="10" cols="40"></textarea></td></tr>
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
  1162
        <tr><td colspan="2" style="text-align: center;"><input type="submit" value="' . $lang->get('comment_postform_btn_submit') . '" /></td></tr>
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1163
        </table>
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1164
        </form>
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1165
        </div>';
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1166
      }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1167
    } else {
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1168
      $_ob .= '<h3>Got something to say?</h3><p>You need to be logged in to post comments. <a href="'.makeUrlNS('Special', 'Login/' . $pname . '%2523comments').'">Log in</a></p>';
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1169
    }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1170
    $list .= '};';
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1171
    echo 'document.getElementById(\'ajaxEditContainer\').innerHTML = unescape(\''. rawurlencode($_ob) .'\');
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1172
    ' . $list;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1173
    echo 'Fat.fade_all(); document.getElementById(\'mdgCommentForm\').style.display = \'none\'; document.getElementById(\'mdgCommentFormLink\').style.display="inline";';
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1174
    
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1175
    $ret = ob_get_contents();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1176
    ob_end_clean();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1177
    return Array($ret, $_ob);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1178
    
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1179
  }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1180
  
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1181
  /**
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1182
   * Generates ready-to-execute Javascript code to be eval'ed by the user's browser to display comments
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1183
   * @param $page_id the page ID
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1184
   * @param $namespace the namespace
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1185
   * @param $action administrative action to perform, default is false
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1186
   * @param $flags additional info for $action, shouldn't be used except when deleting/approving comments, etc.
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1187
   * @param $_ob text to prepend to output, used by PageUtils::addcomment
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1188
   * @return string
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1189
   */
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1190
   
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1191
  function comments($page_id, $namespace, $action = false, $id = -1, $_ob = '')
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1192
  {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1193
    global $db, $session, $paths, $template, $plugins; // Common objects
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1194
    $r = PageUtils::comments_raw($page_id, $namespace, $action, $id, $_ob);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1195
    return $r[0];
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1196
  }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1197
  
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1198
  /**
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1199
   * Generates HTML code for comments - used in browser compatibility mode
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1200
   * @param $page_id the page ID
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1201
   * @param $namespace the namespace
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1202
   * @param $action administrative action to perform, default is false
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1203
   * @param $flags additional info for $action, shouldn't be used except when deleting/approving comments, etc.
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1204
   * @param $_ob text to prepend to output, used by PageUtils::addcomment
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1205
   * @return string
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1206
   */
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1207
  
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1208
  function comments_html($page_id, $namespace, $action = false, $id = -1, $_ob = '')
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1209
  {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1210
    global $db, $session, $paths, $template, $plugins; // Common objects
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1211
    $r = PageUtils::comments_raw($page_id, $namespace, $action, $id, $_ob);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1212
    return $r[1];
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1213
  }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1214
  
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1215
  /**
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1216
   * Updates comment data.
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1217
   * @param $page_id the page ID
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1218
   * @param $namespace the namespace
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1219
   * @param $subject new subject
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1220
   * @param $text new text
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1221
   * @param $old_subject the old subject, unprocessed and identical to the value in the DB
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1222
   * @param $old_text the old text, unprocessed and identical to the value in the DB
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1223
   * @param $id the javascript list ID, used internally by the client-side app
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1224
   * @return string
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1225
   */
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1226
  
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1227
  function savecomment($page_id, $namespace, $subject, $text, $old_subject, $old_text, $id = -1)
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1228
  {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1229
    global $db, $session, $paths, $template, $plugins; // Common objects
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1230
    if(!$session->get_permissions('edit_comments'))
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1231
      return 'result="BAD";error="Access denied"';
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1232
    // Avoid SQL injection
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1233
    $old_text    = $db->escape($old_text);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1234
    $old_subject = $db->escape($old_subject);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1235
    // Safety check - username/login
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1236
    if(!$session->get_permissions('mod_comments')) // allow mods to edit comments
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1237
    {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1238
      if(!$session->user_logged_in) _die('AJAX comment save safety check failed because you are not logged in. Sometimes this can happen because you are using a browser that does not send cookies as part of AJAX requests.<br /><br />Please log in and try again.');
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1239
      $q = 'SELECT c.name FROM ' . table_prefix.'comments c, ' . table_prefix.'users u WHERE comment_data=\'' . $old_text . '\' AND subject=\'' . $old_subject . '\' AND page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND u.user_id=c.user_id;';
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1240
      $s = $db->sql_query($q);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1241
      if(!$s) _die('SQL error during safety check: '.mysql_error().'<br /><br />Attempted SQL:<br /><pre>'.htmlspecialchars($q).'</pre>');
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1242
      $r = $db->fetchrow($s);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1243
      $db->free_result();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1244
      if($db->numrows() < 1 || $r['name'] != $session->username) _die('Safety check failed, probably due to a hacking attempt.');
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1245
    }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1246
    $s = RenderMan::preprocess_text($subject);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1247
    $t = RenderMan::preprocess_text($text);
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1248
    $sql  = 'UPDATE ' . table_prefix.'comments SET subject=\'' . $s . '\',comment_data=\'' . $t . '\' WHERE comment_data=\'' . $old_text . '\' AND subject=\'' . $old_subject . '\' AND page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\'';
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1249
    $result = $db->sql_query($sql);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1250
    if($result)
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1251
    {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1252
      return 'result="GOOD";
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1253
                      list[' . $id . '][\'subject\'] = unescape(\''.str_replace('%5Cn', '%0A', rawurlencode(str_replace('{{EnAnO:Newline}}', '\\n', stripslashes(str_replace('\\n', '{{EnAnO:Newline}}', $s))))).'\');
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1254
                      list[' . $id . '][\'comment\'] = unescape(\''.str_replace('%5Cn', '%0A', rawurlencode(str_replace('{{EnAnO:Newline}}', '\\n', stripslashes(str_replace('\\n', '{{EnAnO:Newline}}', $t))))).'\'); id = ' . $id . ';
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1255
      s = unescape(\''.rawurlencode($s).'\');
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1256
      t = unescape(\''.str_replace('%5Cn', '<br \\/>', rawurlencode(RenderMan::render(str_replace('{{EnAnO:Newline}}', "\n", stripslashes(str_replace('\\n', '{{EnAnO:Newline}}', $t)))))).'\');';
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1257
    }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1258
    else
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1259
    {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1260
      return 'result="BAD"; error=unescape("'.rawurlencode('Enano encountered a problem whilst saving the comment.
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1261
      Performed SQL:
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1262
      ' . $sql . '
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1263
    
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1264
      Error returned by MySQL: '.mysql_error()).'");';
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1265
    }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1266
  }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1267
  
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1268
  /**
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1269
   * Updates comment data using the comment_id column instead of the old, messy way
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1270
   * @param $page_id the page ID
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1271
   * @param $namespace the namespace
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1272
   * @param $subject new subject
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1273
   * @param $text new text
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1274
   * @param $id the comment ID (primary key in enano_comments table)
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1275
   * @return string
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1276
   */
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1277
  
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1278
  function savecomment_neater($page_id, $namespace, $subject, $text, $id)
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1279
  {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1280
    global $db, $session, $paths, $template, $plugins; // Common objects
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1281
    if(!is_int($id)) die('PageUtils::savecomment: $id is not an integer, aborting for safety');
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1282
    if(!$session->get_permissions('edit_comments'))
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1283
      return 'Access denied';
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1284
    // Safety check - username/login
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1285
    if(!$session->get_permissions('mod_comments')) // allow mods to edit comments
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1286
    {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1287
      if(!$session->user_logged_in) _die('AJAX comment save safety check failed because you are not logged in. Sometimes this can happen because you are using a browser that does not send cookies as part of AJAX requests.<br /><br />Please log in and try again.');
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1288
      $q = 'SELECT c.name FROM ' . table_prefix.'comments c, ' . table_prefix.'users u WHERE comment_id=' . $id . ' AND page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND u.user_id=c.user_id;';
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1289
      $s = $db->sql_query($q);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1290
      if(!$s) _die('SQL error during safety check: '.mysql_error().'<br /><br />Attempted SQL:<br /><pre>'.htmlspecialchars($q).'</pre>');
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1291
      $r = $db->fetchrow($s);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1292
      if($db->numrows() < 1 || $r['name'] != $session->username) _die('Safety check failed, probably due to a hacking attempt.');
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1293
      $db->free_result();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1294
    }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1295
    $s = RenderMan::preprocess_text($subject);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1296
    $t = RenderMan::preprocess_text($text);
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1297
    $sql  = 'UPDATE ' . table_prefix.'comments SET subject=\'' . $s . '\',comment_data=\'' . $t . '\' WHERE comment_id=' . $id . ' AND page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\'';
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1298
    $result = $db->sql_query($sql);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1299
    if($result)
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1300
    return 'good';
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1301
    else return 'Enano encountered a problem whilst saving the comment.
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1302
    Performed SQL:
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1303
    ' . $sql . '
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1304
    
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1305
    Error returned by MySQL: '.mysql_error();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1306
  }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1307
  
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1308
  /**
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1309
   * Deletes a comment.
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1310
   * @param $page_id the page ID
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1311
   * @param $namespace the namespace
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1312
   * @param $name the name the user posted under
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1313
   * @param $subj the subject of the comment to be deleted
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1314
   * @param $text the text of the comment to be deleted
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1315
   * @param $id the javascript list ID, used internally by the client-side app
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1316
   * @return string
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1317
   */
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1318
  
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1319
  function deletecomment($page_id, $namespace, $name, $subj, $text, $id)
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1320
  {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1321
    global $db, $session, $paths, $template, $plugins; // Common objects
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1322
    
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1323
    if(!$session->get_permissions('edit_comments'))
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1324
      return 'alert("Access to delete/edit comments is denied");';
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1325
    
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1326
    if(!preg_match('#^([0-9]+)$#', (string)$id)) die('$_GET[id] is improperly formed.');
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1327
    $n = $db->escape($name);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1328
    $s = $db->escape($subj);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1329
    $t = $db->escape($text);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1330
    
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1331
    // Safety check - username/login
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1332
    if(!$session->get_permissions('mod_comments')) // allows mods to delete comments
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1333
    {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1334
      if(!$session->user_logged_in) _die('AJAX comment save safety check failed because you are not logged in. Sometimes this can happen because you are using a browser that does not send cookies as part of AJAX requests.<br /><br />Please log in and try again.');
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1335
      $q = 'SELECT c.name FROM ' . table_prefix.'comments c, ' . table_prefix.'users u WHERE comment_data=\'' . $t . '\' AND subject=\'' . $s . '\' AND page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND u.user_id=c.user_id;';
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1336
      $s = $db->sql_query($q);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1337
      if(!$s) _die('SQL error during safety check: '.mysql_error().'<br /><br />Attempted SQL:<br /><pre>'.htmlspecialchars($q).'</pre>');
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1338
      $r = $db->fetchrow($s);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1339
      if($db->numrows() < 1 || $r['name'] != $session->username) _die('Safety check failed, probably due to a hacking attempt.');
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1340
      $db->free_result();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1341
    }
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1342
    $q = 'DELETE FROM ' . table_prefix.'comments WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND name=\'' . $n . '\' AND subject=\'' . $s . '\' AND comment_data=\'' . $t . '\' LIMIT 1;';
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1343
    $e=$db->sql_query($q);
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1344
    if(!$e) return('alert(unesape(\''.rawurlencode('Error during query: '.mysql_error().'\n\nQuery:\n' . $q) . '\'));');
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1345
    return('good');
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1346
  }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1347
  
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1348
  /**
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1349
   * Deletes a comment in a cleaner fashion.
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1350
   * @param $page_id the page ID
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1351
   * @param $namespace the namespace
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1352
   * @param $id the comment ID (primary key)
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1353
   * @return string
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1354
   */
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1355
  
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1356
  function deletecomment_neater($page_id, $namespace, $id)
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1357
  {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1358
    global $db, $session, $paths, $template, $plugins; // Common objects
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1359
    
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1360
    if(!preg_match('#^([0-9]+)$#', (string)$id)) die('$_GET[id] is improperly formed.');
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1361
    
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1362
    if(!$session->get_permissions('edit_comments'))
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1363
      return 'alert("Access to delete/edit comments is denied");';
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1364
    
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1365
    // Safety check - username/login
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1366
    if(!$session->get_permissions('mod_comments')) // allows mods to delete comments
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1367
    {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1368
      if(!$session->user_logged_in) _die('AJAX comment save safety check failed because you are not logged in. Sometimes this can happen because you are using a browser that does not send cookies as part of AJAX requests.<br /><br />Please log in and try again.');
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1369
      $q = 'SELECT c.name FROM ' . table_prefix.'comments c, ' . table_prefix.'users u WHERE comment_id=' . $id . ' AND page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND u.user_id=c.user_id;';
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1370
      $s = $db->sql_query($q);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1371
      if(!$s) _die('SQL error during safety check: '.mysql_error().'<br /><br />Attempted SQL:<br /><pre>'.htmlspecialchars($q).'</pre>');
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1372
      $r = $db->fetchrow($s);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1373
      if($db->numrows() < 1 || $r['name'] != $session->username) _die('Safety check failed, probably due to a hacking attempt.');
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1374
      $db->free_result();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1375
    }
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1376
    $q = 'DELETE FROM ' . table_prefix.'comments WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND comment_id=' . $id . ' LIMIT 1;';
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1377
    $e=$db->sql_query($q);
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1378
    if(!$e) return('alert(unesape(\''.rawurlencode('Error during query: '.mysql_error().'\n\nQuery:\n' . $q) . '\'));');
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1379
    return('good');
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1380
  }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1381
  
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1382
  /**
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1383
   * Renames a page.
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1384
   * @param $page_id the page ID
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1385
   * @param $namespace the namespace
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1386
   * @param $name the new name for the page
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1387
   * @return string error string or success message
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1388
   */
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1389
   
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1390
  function rename($page_id, $namespace, $name)
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1391
  {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1392
    global $db, $session, $paths, $template, $plugins; // Common objects
214
a6ed8b6cdbe1 All on-page AJAX applets should be localized now
Dan
parents: 213
diff changeset
  1393
    global $lang;
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1394
    
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1395
    $pname = $paths->nslist[$namespace] . $page_id;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1396
    
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1397
    $prot = ( ( $paths->pages[$pname]['protected'] == 2 && $session->user_logged_in && $session->reg_time + 60*60*24*4 < time() ) || $paths->pages[$pname]['protected'] == 1) ? true : false;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1398
    $wiki = ( ( $paths->pages[$pname]['wiki_mode'] == 2 && getConfig('wiki_mode') == '1') || $paths->pages[$pname]['wiki_mode'] == 1) ? true : false;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1399
    
15
ad5986a53197 Fixed complicated SQL injection vulnerability in URL handler, updated license info for Tigra Tree Menu, and killed one XSS vulnerability
Dan
parents: 1
diff changeset
  1400
    if( empty($name)) 
ad5986a53197 Fixed complicated SQL injection vulnerability in URL handler, updated license info for Tigra Tree Menu, and killed one XSS vulnerability
Dan
parents: 1
diff changeset
  1401
    {
214
a6ed8b6cdbe1 All on-page AJAX applets should be localized now
Dan
parents: 213
diff changeset
  1402
      return($lang->get('ajax_rename_too_short'));
15
ad5986a53197 Fixed complicated SQL injection vulnerability in URL handler, updated license info for Tigra Tree Menu, and killed one XSS vulnerability
Dan
parents: 1
diff changeset
  1403
    }
ad5986a53197 Fixed complicated SQL injection vulnerability in URL handler, updated license info for Tigra Tree Menu, and killed one XSS vulnerability
Dan
parents: 1
diff changeset
  1404
    if( ( $session->get_permissions('rename') && ( ( $prot && $session->get_permissions('even_when_protected') ) || !$prot ) ) && ( $paths->namespace != 'Special' && $paths->namespace != 'Admin' ))
ad5986a53197 Fixed complicated SQL injection vulnerability in URL handler, updated license info for Tigra Tree Menu, and killed one XSS vulnerability
Dan
parents: 1
diff changeset
  1405
    {
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1406
      $e = $db->sql_query('INSERT INTO ' . table_prefix.'logs(time_id,date_string,log_type,action,page_id,namespace,author,edit_summary) VALUES('.time().', \''.date('d M Y h:i a').'\', \'page\', \'rename\', \'' . $db->escape($paths->cpage['urlname_nons']) . '\', \'' . $paths->namespace . '\', \'' . $db->escape($session->username) . '\', \'' . $db->escape($paths->cpage['name']) . '\')');
15
ad5986a53197 Fixed complicated SQL injection vulnerability in URL handler, updated license info for Tigra Tree Menu, and killed one XSS vulnerability
Dan
parents: 1
diff changeset
  1407
      if ( !$e )
ad5986a53197 Fixed complicated SQL injection vulnerability in URL handler, updated license info for Tigra Tree Menu, and killed one XSS vulnerability
Dan
parents: 1
diff changeset
  1408
      {
ad5986a53197 Fixed complicated SQL injection vulnerability in URL handler, updated license info for Tigra Tree Menu, and killed one XSS vulnerability
Dan
parents: 1
diff changeset
  1409
        $db->_die('The page title could not be updated.');
ad5986a53197 Fixed complicated SQL injection vulnerability in URL handler, updated license info for Tigra Tree Menu, and killed one XSS vulnerability
Dan
parents: 1
diff changeset
  1410
      }
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1411
      $e = $db->sql_query('UPDATE ' . table_prefix.'pages SET name=\'' . $db->escape($name) . '\' WHERE urlname=\'' . $db->escape($page_id) . '\' AND namespace=\'' . $db->escape($namespace) . '\';');
15
ad5986a53197 Fixed complicated SQL injection vulnerability in URL handler, updated license info for Tigra Tree Menu, and killed one XSS vulnerability
Dan
parents: 1
diff changeset
  1412
      if ( !$e )
ad5986a53197 Fixed complicated SQL injection vulnerability in URL handler, updated license info for Tigra Tree Menu, and killed one XSS vulnerability
Dan
parents: 1
diff changeset
  1413
      {
ad5986a53197 Fixed complicated SQL injection vulnerability in URL handler, updated license info for Tigra Tree Menu, and killed one XSS vulnerability
Dan
parents: 1
diff changeset
  1414
        $db->_die('The page title could not be updated.');
ad5986a53197 Fixed complicated SQL injection vulnerability in URL handler, updated license info for Tigra Tree Menu, and killed one XSS vulnerability
Dan
parents: 1
diff changeset
  1415
      }
ad5986a53197 Fixed complicated SQL injection vulnerability in URL handler, updated license info for Tigra Tree Menu, and killed one XSS vulnerability
Dan
parents: 1
diff changeset
  1416
      else
ad5986a53197 Fixed complicated SQL injection vulnerability in URL handler, updated license info for Tigra Tree Menu, and killed one XSS vulnerability
Dan
parents: 1
diff changeset
  1417
      {
214
a6ed8b6cdbe1 All on-page AJAX applets should be localized now
Dan
parents: 213
diff changeset
  1418
        $subst = array(
a6ed8b6cdbe1 All on-page AJAX applets should be localized now
Dan
parents: 213
diff changeset
  1419
          'page_name_old' => $paths->pages[$pname]['name'],
a6ed8b6cdbe1 All on-page AJAX applets should be localized now
Dan
parents: 213
diff changeset
  1420
          'page_name_new' => $name
a6ed8b6cdbe1 All on-page AJAX applets should be localized now
Dan
parents: 213
diff changeset
  1421
          );
a6ed8b6cdbe1 All on-page AJAX applets should be localized now
Dan
parents: 213
diff changeset
  1422
        return $lang->get('ajax_rename_success', $subst);
15
ad5986a53197 Fixed complicated SQL injection vulnerability in URL handler, updated license info for Tigra Tree Menu, and killed one XSS vulnerability
Dan
parents: 1
diff changeset
  1423
      }
ad5986a53197 Fixed complicated SQL injection vulnerability in URL handler, updated license info for Tigra Tree Menu, and killed one XSS vulnerability
Dan
parents: 1
diff changeset
  1424
    }
ad5986a53197 Fixed complicated SQL injection vulnerability in URL handler, updated license info for Tigra Tree Menu, and killed one XSS vulnerability
Dan
parents: 1
diff changeset
  1425
    else
ad5986a53197 Fixed complicated SQL injection vulnerability in URL handler, updated license info for Tigra Tree Menu, and killed one XSS vulnerability
Dan
parents: 1
diff changeset
  1426
    {
214
a6ed8b6cdbe1 All on-page AJAX applets should be localized now
Dan
parents: 213
diff changeset
  1427
      return($lang->get('etc_access_denied'));
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1428
    }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1429
  }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1430
  
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1431
  /**
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1432
   * Flushes (clears) the action logs for a given page
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1433
   * @param $page_id the page ID
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1434
   * @param $namespace the namespace
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1435
   * @return string error/success string
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1436
   */
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1437
   
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1438
  function flushlogs($page_id, $namespace)
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1439
  {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1440
    global $db, $session, $paths, $template, $plugins; // Common objects
214
a6ed8b6cdbe1 All on-page AJAX applets should be localized now
Dan
parents: 213
diff changeset
  1441
    global $lang;
240
f0149a27df5f Localized default sidebar; installer should work now including the lang import; l10n in installer to follow
Dan
parents: 238
diff changeset
  1442
    if ( !is_object($lang) && defined('IN_ENANO_INSTALL') )
f0149a27df5f Localized default sidebar; installer should work now including the lang import; l10n in installer to follow
Dan
parents: 238
diff changeset
  1443
    {
f0149a27df5f Localized default sidebar; installer should work now including the lang import; l10n in installer to follow
Dan
parents: 238
diff changeset
  1444
      // This is a special exception for the Enano installer, which doesn't init languages yet.
f0149a27df5f Localized default sidebar; installer should work now including the lang import; l10n in installer to follow
Dan
parents: 238
diff changeset
  1445
      $lang = new Language('eng');
f0149a27df5f Localized default sidebar; installer should work now including the lang import; l10n in installer to follow
Dan
parents: 238
diff changeset
  1446
    }
214
a6ed8b6cdbe1 All on-page AJAX applets should be localized now
Dan
parents: 213
diff changeset
  1447
    if(!$session->get_permissions('clear_logs'))
a6ed8b6cdbe1 All on-page AJAX applets should be localized now
Dan
parents: 213
diff changeset
  1448
    {
a6ed8b6cdbe1 All on-page AJAX applets should be localized now
Dan
parents: 213
diff changeset
  1449
      return $lang->get('etc_access_denied');
a6ed8b6cdbe1 All on-page AJAX applets should be localized now
Dan
parents: 213
diff changeset
  1450
    }
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1451
    $e = $db->sql_query('DELETE FROM ' . table_prefix.'logs WHERE page_id=\'' . $db->escape($page_id) . '\' AND namespace=\'' . $db->escape($namespace) . '\';');
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1452
    if(!$e) $db->_die('The log entries could not be deleted.');
32
4d87aad3c4c0 Finished everything on the TODO list (yay!); several CSS cleanups; tons more changes in this commit - see the patch for details
Dan
parents: 29
diff changeset
  1453
    
4d87aad3c4c0 Finished everything on the TODO list (yay!); several CSS cleanups; tons more changes in this commit - see the patch for details
Dan
parents: 29
diff changeset
  1454
    // If the page exists, make a backup of it in case it gets spammed/vandalized
4d87aad3c4c0 Finished everything on the TODO list (yay!); several CSS cleanups; tons more changes in this commit - see the patch for details
Dan
parents: 29
diff changeset
  1455
    // If not, the admin's probably deleting a trash page
4d87aad3c4c0 Finished everything on the TODO list (yay!); several CSS cleanups; tons more changes in this commit - see the patch for details
Dan
parents: 29
diff changeset
  1456
    if ( isset($paths->pages[ $paths->nslist[$namespace] . $page_id ]) )
4d87aad3c4c0 Finished everything on the TODO list (yay!); several CSS cleanups; tons more changes in this commit - see the patch for details
Dan
parents: 29
diff changeset
  1457
    {
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1458
      $e = $db->sql_query('SELECT page_text,char_tag FROM ' . table_prefix.'page_text WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\';');
32
4d87aad3c4c0 Finished everything on the TODO list (yay!); several CSS cleanups; tons more changes in this commit - see the patch for details
Dan
parents: 29
diff changeset
  1459
      if(!$e) $db->_die('The current page text could not be selected; as a result, creating the backup of the page failed. Please make a backup copy of the page by clicking Edit this page and then clicking Save Changes.');
4d87aad3c4c0 Finished everything on the TODO list (yay!); several CSS cleanups; tons more changes in this commit - see the patch for details
Dan
parents: 29
diff changeset
  1460
      $row = $db->fetchrow();
4d87aad3c4c0 Finished everything on the TODO list (yay!); several CSS cleanups; tons more changes in this commit - see the patch for details
Dan
parents: 29
diff changeset
  1461
      $db->free_result();
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1462
      $q='INSERT INTO ' . table_prefix.'logs(log_type,action,time_id,date_string,page_id,namespace,page_text,char_tag,author,edit_summary,minor_edit) VALUES(\'page\', \'edit\', '.time().', \''.date('d M Y h:i a').'\', \'' . $page_id . '\', \'' . $namespace . '\', \'' . $db->escape($row['page_text']) . '\', \'' . $row['char_tag'] . '\', \'' . $session->username . '\', \''."Automatic backup created when logs were purged".'\', '.'false'.');';
32
4d87aad3c4c0 Finished everything on the TODO list (yay!); several CSS cleanups; tons more changes in this commit - see the patch for details
Dan
parents: 29
diff changeset
  1463
      if(!$db->sql_query($q)) $db->_die('The history (log) entry could not be inserted into the logs table.');
4d87aad3c4c0 Finished everything on the TODO list (yay!); several CSS cleanups; tons more changes in this commit - see the patch for details
Dan
parents: 29
diff changeset
  1464
    }
214
a6ed8b6cdbe1 All on-page AJAX applets should be localized now
Dan
parents: 213
diff changeset
  1465
    return $lang->get('ajax_clearlogs_success');
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1466
  }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1467
  
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1468
  /**
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1469
   * Deletes a page.
28
dd2edcdc6c03 Deleting pages now requires a reason
Dan
parents: 21
diff changeset
  1470
   * @param string $page_id the condemned page ID
dd2edcdc6c03 Deleting pages now requires a reason
Dan
parents: 21
diff changeset
  1471
   * @param string $namespace the condemned namespace
dd2edcdc6c03 Deleting pages now requires a reason
Dan
parents: 21
diff changeset
  1472
   * @param string The reason for deleting the page in question
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1473
   * @return string
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1474
   */
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1475
   
28
dd2edcdc6c03 Deleting pages now requires a reason
Dan
parents: 21
diff changeset
  1476
  function deletepage($page_id, $namespace, $reason)
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1477
  {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1478
    global $db, $session, $paths, $template, $plugins; // Common objects
214
a6ed8b6cdbe1 All on-page AJAX applets should be localized now
Dan
parents: 213
diff changeset
  1479
    global $lang;
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1480
    $perms = $session->fetch_page_acl($page_id, $namespace);
28
dd2edcdc6c03 Deleting pages now requires a reason
Dan
parents: 21
diff changeset
  1481
    $x = trim($reason);
dd2edcdc6c03 Deleting pages now requires a reason
Dan
parents: 21
diff changeset
  1482
    if ( empty($x) )
dd2edcdc6c03 Deleting pages now requires a reason
Dan
parents: 21
diff changeset
  1483
    {
214
a6ed8b6cdbe1 All on-page AJAX applets should be localized now
Dan
parents: 213
diff changeset
  1484
      return $lang->get('ajax_delete_need_reason');
28
dd2edcdc6c03 Deleting pages now requires a reason
Dan
parents: 21
diff changeset
  1485
    }
dd2edcdc6c03 Deleting pages now requires a reason
Dan
parents: 21
diff changeset
  1486
    if(!$perms->get_permissions('delete_page')) return('Administrative privileges are required to delete pages, you loser.');
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1487
    $e = $db->sql_query('INSERT INTO ' . table_prefix.'logs(time_id,date_string,log_type,action,page_id,namespace,author,edit_summary) VALUES('.time().', \''.date('d M Y h:i a').'\', \'page\', \'delete\', \'' . $page_id . '\', \'' . $namespace . '\', \'' . $session->username . '\', \'' . $db->escape(htmlspecialchars($reason)) . '\')');
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1488
    if(!$e) $db->_die('The page log entry could not be inserted.');
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1489
    $e = $db->sql_query('DELETE FROM ' . table_prefix.'categories WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\'');
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1490
    if(!$e) $db->_die('The page categorization entries could not be deleted.');
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1491
    $e = $db->sql_query('DELETE FROM ' . table_prefix.'comments WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\'');
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1492
    if(!$e) $db->_die('The page comments could not be deleted.');
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1493
    $e = $db->sql_query('DELETE FROM ' . table_prefix.'page_text WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\'');
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1494
    if(!$e) $db->_die('The page text entry could not be deleted.');
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1495
    $e = $db->sql_query('DELETE FROM ' . table_prefix.'pages WHERE urlname=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\'');
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1496
    if(!$e) $db->_die('The page entry could not be deleted.');
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1497
    $e = $db->sql_query('DELETE FROM ' . table_prefix.'files WHERE page_id=\'' . $page_id . '\'');
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1498
    if(!$e) $db->_die('The file entry could not be deleted.');
214
a6ed8b6cdbe1 All on-page AJAX applets should be localized now
Dan
parents: 213
diff changeset
  1499
    return $lang->get('ajax_delete_success');
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1500
  }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1501
  
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1502
  /**
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1503
   * Increments the deletion votes for a page by 1, and adds the current username/IP to the list of users that have voted for the page to prevent dual-voting
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1504
   * @param $page_id the page ID
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1505
   * @param $namespace the namespace
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1506
   * @return string
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1507
   */
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1508
   
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1509
  function delvote($page_id, $namespace)
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1510
  {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1511
    global $db, $session, $paths, $template, $plugins; // Common objects
214
a6ed8b6cdbe1 All on-page AJAX applets should be localized now
Dan
parents: 213
diff changeset
  1512
    global $lang;
112
008b1c42be72 Rewrote all code related to delvote_ips column to use serialize()
Dan
parents: 103
diff changeset
  1513
    if ( !$session->get_permissions('vote_delete') )
008b1c42be72 Rewrote all code related to delvote_ips column to use serialize()
Dan
parents: 103
diff changeset
  1514
    {
214
a6ed8b6cdbe1 All on-page AJAX applets should be localized now
Dan
parents: 213
diff changeset
  1515
      return $lang->get('etc_access_denied');
112
008b1c42be72 Rewrote all code related to delvote_ips column to use serialize()
Dan
parents: 103
diff changeset
  1516
    }
008b1c42be72 Rewrote all code related to delvote_ips column to use serialize()
Dan
parents: 103
diff changeset
  1517
    
008b1c42be72 Rewrote all code related to delvote_ips column to use serialize()
Dan
parents: 103
diff changeset
  1518
    if ( $namespace == 'Admin' || $namespace == 'Special' || $namespace == 'System' )
008b1c42be72 Rewrote all code related to delvote_ips column to use serialize()
Dan
parents: 103
diff changeset
  1519
    {
008b1c42be72 Rewrote all code related to delvote_ips column to use serialize()
Dan
parents: 103
diff changeset
  1520
      return 'Special pages and system messages can\'t be voted for deletion.';
008b1c42be72 Rewrote all code related to delvote_ips column to use serialize()
Dan
parents: 103
diff changeset
  1521
    }
008b1c42be72 Rewrote all code related to delvote_ips column to use serialize()
Dan
parents: 103
diff changeset
  1522
    
008b1c42be72 Rewrote all code related to delvote_ips column to use serialize()
Dan
parents: 103
diff changeset
  1523
    $pname = $paths->nslist[$namespace] . sanitize_page_id($page_id);
008b1c42be72 Rewrote all code related to delvote_ips column to use serialize()
Dan
parents: 103
diff changeset
  1524
    
008b1c42be72 Rewrote all code related to delvote_ips column to use serialize()
Dan
parents: 103
diff changeset
  1525
    if ( !isset($paths->pages[$pname]) )
008b1c42be72 Rewrote all code related to delvote_ips column to use serialize()
Dan
parents: 103
diff changeset
  1526
    {
008b1c42be72 Rewrote all code related to delvote_ips column to use serialize()
Dan
parents: 103
diff changeset
  1527
      return 'The page does not exist.';
008b1c42be72 Rewrote all code related to delvote_ips column to use serialize()
Dan
parents: 103
diff changeset
  1528
    }
008b1c42be72 Rewrote all code related to delvote_ips column to use serialize()
Dan
parents: 103
diff changeset
  1529
    
008b1c42be72 Rewrote all code related to delvote_ips column to use serialize()
Dan
parents: 103
diff changeset
  1530
    $cv  =& $paths->pages[$pname]['delvotes'];
008b1c42be72 Rewrote all code related to delvote_ips column to use serialize()
Dan
parents: 103
diff changeset
  1531
    $ips =  $paths->pages[$pname]['delvote_ips'];
008b1c42be72 Rewrote all code related to delvote_ips column to use serialize()
Dan
parents: 103
diff changeset
  1532
    
008b1c42be72 Rewrote all code related to delvote_ips column to use serialize()
Dan
parents: 103
diff changeset
  1533
    if ( empty($ips) )
008b1c42be72 Rewrote all code related to delvote_ips column to use serialize()
Dan
parents: 103
diff changeset
  1534
    {
008b1c42be72 Rewrote all code related to delvote_ips column to use serialize()
Dan
parents: 103
diff changeset
  1535
      $ips = array(
008b1c42be72 Rewrote all code related to delvote_ips column to use serialize()
Dan
parents: 103
diff changeset
  1536
        'ip' => array(),
008b1c42be72 Rewrote all code related to delvote_ips column to use serialize()
Dan
parents: 103
diff changeset
  1537
        'u' => array()
008b1c42be72 Rewrote all code related to delvote_ips column to use serialize()
Dan
parents: 103
diff changeset
  1538
        );
008b1c42be72 Rewrote all code related to delvote_ips column to use serialize()
Dan
parents: 103
diff changeset
  1539
    }
008b1c42be72 Rewrote all code related to delvote_ips column to use serialize()
Dan
parents: 103
diff changeset
  1540
    else
008b1c42be72 Rewrote all code related to delvote_ips column to use serialize()
Dan
parents: 103
diff changeset
  1541
    {
008b1c42be72 Rewrote all code related to delvote_ips column to use serialize()
Dan
parents: 103
diff changeset
  1542
      $ips = @unserialize($ips);
008b1c42be72 Rewrote all code related to delvote_ips column to use serialize()
Dan
parents: 103
diff changeset
  1543
      if ( !$ips )
008b1c42be72 Rewrote all code related to delvote_ips column to use serialize()
Dan
parents: 103
diff changeset
  1544
      {
008b1c42be72 Rewrote all code related to delvote_ips column to use serialize()
Dan
parents: 103
diff changeset
  1545
        $ips = array(
008b1c42be72 Rewrote all code related to delvote_ips column to use serialize()
Dan
parents: 103
diff changeset
  1546
        'ip' => array(),
008b1c42be72 Rewrote all code related to delvote_ips column to use serialize()
Dan
parents: 103
diff changeset
  1547
        'u' => array()
008b1c42be72 Rewrote all code related to delvote_ips column to use serialize()
Dan
parents: 103
diff changeset
  1548
        );
008b1c42be72 Rewrote all code related to delvote_ips column to use serialize()
Dan
parents: 103
diff changeset
  1549
      }
008b1c42be72 Rewrote all code related to delvote_ips column to use serialize()
Dan
parents: 103
diff changeset
  1550
    }
008b1c42be72 Rewrote all code related to delvote_ips column to use serialize()
Dan
parents: 103
diff changeset
  1551
    
008b1c42be72 Rewrote all code related to delvote_ips column to use serialize()
Dan
parents: 103
diff changeset
  1552
    if ( in_array($session->username, $ips['u']) || in_array($_SERVER['REMOTE_ADDR'], $ips['ip']) )
008b1c42be72 Rewrote all code related to delvote_ips column to use serialize()
Dan
parents: 103
diff changeset
  1553
    {
214
a6ed8b6cdbe1 All on-page AJAX applets should be localized now
Dan
parents: 213
diff changeset
  1554
      return $lang->get('ajax_delvote_already_voted');
112
008b1c42be72 Rewrote all code related to delvote_ips column to use serialize()
Dan
parents: 103
diff changeset
  1555
    }
008b1c42be72 Rewrote all code related to delvote_ips column to use serialize()
Dan
parents: 103
diff changeset
  1556
    
008b1c42be72 Rewrote all code related to delvote_ips column to use serialize()
Dan
parents: 103
diff changeset
  1557
    $ips['u'][] = $session->username;
008b1c42be72 Rewrote all code related to delvote_ips column to use serialize()
Dan
parents: 103
diff changeset
  1558
    $ips['ip'][] = $_SERVER['REMOTE_ADDR'];
008b1c42be72 Rewrote all code related to delvote_ips column to use serialize()
Dan
parents: 103
diff changeset
  1559
    $ips = $db->escape( serialize($ips) );
008b1c42be72 Rewrote all code related to delvote_ips column to use serialize()
Dan
parents: 103
diff changeset
  1560
    
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1561
    $cv++;
112
008b1c42be72 Rewrote all code related to delvote_ips column to use serialize()
Dan
parents: 103
diff changeset
  1562
    
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1563
    $q = 'UPDATE ' . table_prefix.'pages SET delvotes=' . $cv . ',delvote_ips=\'' . $ips . '\' WHERE urlname=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\'';
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1564
    $w = $db->sql_query($q);
112
008b1c42be72 Rewrote all code related to delvote_ips column to use serialize()
Dan
parents: 103
diff changeset
  1565
    
214
a6ed8b6cdbe1 All on-page AJAX applets should be localized now
Dan
parents: 213
diff changeset
  1566
    return $lang->get('ajax_delvote_success');
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1567
  }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1568
  
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1569
  /**
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1570
   * Resets the number of votes against a page to 0.
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1571
   * @param $page_id the page ID
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1572
   * @param $namespace the namespace
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1573
   * @return string
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1574
   */
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1575
  
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1576
  function resetdelvotes($page_id, $namespace)
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1577
  {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1578
    global $db, $session, $paths, $template, $plugins; // Common objects
214
a6ed8b6cdbe1 All on-page AJAX applets should be localized now
Dan
parents: 213
diff changeset
  1579
    global $lang;
a6ed8b6cdbe1 All on-page AJAX applets should be localized now
Dan
parents: 213
diff changeset
  1580
    if(!$session->get_permissions('vote_reset'))
a6ed8b6cdbe1 All on-page AJAX applets should be localized now
Dan
parents: 213
diff changeset
  1581
    {
a6ed8b6cdbe1 All on-page AJAX applets should be localized now
Dan
parents: 213
diff changeset
  1582
      return $lang->get('etc_access_denied');
a6ed8b6cdbe1 All on-page AJAX applets should be localized now
Dan
parents: 213
diff changeset
  1583
    }
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1584
    $q = 'UPDATE ' . table_prefix.'pages SET delvotes=0,delvote_ips=\'' . $db->escape(serialize(array('ip'=>array(),'u'=>array()))) . '\' WHERE urlname=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\'';
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1585
    $e = $db->sql_query($q);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1586
    if(!$e) $db->_die('The number of delete votes was not reset.');
214
a6ed8b6cdbe1 All on-page AJAX applets should be localized now
Dan
parents: 213
diff changeset
  1587
    else
a6ed8b6cdbe1 All on-page AJAX applets should be localized now
Dan
parents: 213
diff changeset
  1588
    {
a6ed8b6cdbe1 All on-page AJAX applets should be localized now
Dan
parents: 213
diff changeset
  1589
      return $lang->get('ajax_delvote_reset_success');
a6ed8b6cdbe1 All on-page AJAX applets should be localized now
Dan
parents: 213
diff changeset
  1590
    }
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1591
  }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1592
  
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1593
  /**
29
e5484a9e0818 Rewrote change theme dialog; a few minor stability fixes here and there; fixed IE + St Patty background image
Dan
parents: 28
diff changeset
  1594
   * Gets a list of styles for a given theme name. As of Banshee, this returns JSON.
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1595
   * @param $id the name of the directory for the theme
29
e5484a9e0818 Rewrote change theme dialog; a few minor stability fixes here and there; fixed IE + St Patty background image
Dan
parents: 28
diff changeset
  1596
   * @return string JSON string with an array containing a list of themes
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1597
   */
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1598
   
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1599
  function getstyles()
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1600
  {
29
e5484a9e0818 Rewrote change theme dialog; a few minor stability fixes here and there; fixed IE + St Patty background image
Dan
parents: 28
diff changeset
  1601
    $json = new Services_JSON(SERVICES_JSON_LOOSE_TYPE);
e5484a9e0818 Rewrote change theme dialog; a few minor stability fixes here and there; fixed IE + St Patty background image
Dan
parents: 28
diff changeset
  1602
    
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1603
    if ( !preg_match('/^([a-z0-9_-]+)$/', $_GET['id']) )
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1604
      return $json->encode(false);
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1605
    
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1606
    $dir = './themes/' . $_GET['id'] . '/css/';
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1607
    $list = Array();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1608
    // Open a known directory, and proceed to read its contents
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1609
    if (is_dir($dir)) {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1610
      if ($dh = opendir($dir)) {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1611
        while (($file = readdir($dh)) !== false) {
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1612
          if ( preg_match('#^(.*?)\.css$#is', $file) && $file != '_printable.css' ) // _printable.css should be included with every theme
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1613
          {                                                                         // it should be a copy of the original style, but
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1614
                                                                                    // mostly black and white
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1615
                                                                                    // Note to self: document this
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1616
            $list[] = substr($file, 0, strlen($file)-4);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1617
          }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1618
        }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1619
        closedir($dh);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1620
      }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1621
    }
29
e5484a9e0818 Rewrote change theme dialog; a few minor stability fixes here and there; fixed IE + St Patty background image
Dan
parents: 28
diff changeset
  1622
    else
e5484a9e0818 Rewrote change theme dialog; a few minor stability fixes here and there; fixed IE + St Patty background image
Dan
parents: 28
diff changeset
  1623
    {
39
c83ff194977a Changed animation on flying message boxes; bugfix for "Array" response in theme changer; added diff CSS to enano-shared; allowed spaces in username during install
Dan
parents: 32
diff changeset
  1624
      return($json->encode(Array('mode' => 'error', 'error' => $dir.' is not a dir')));
29
e5484a9e0818 Rewrote change theme dialog; a few minor stability fixes here and there; fixed IE + St Patty background image
Dan
parents: 28
diff changeset
  1625
    }
e5484a9e0818 Rewrote change theme dialog; a few minor stability fixes here and there; fixed IE + St Patty background image
Dan
parents: 28
diff changeset
  1626
    
e5484a9e0818 Rewrote change theme dialog; a few minor stability fixes here and there; fixed IE + St Patty background image
Dan
parents: 28
diff changeset
  1627
    return $json->encode($list);
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1628
  }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1629
  
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1630
  /**
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1631
   * Assembles a Javascript app with category information
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1632
   * @param $page_id the page ID
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1633
   * @param $namespace the namespace
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1634
   * @return string Javascript code
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1635
   */
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1636
   
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1637
  function catedit($page_id, $namespace)
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1638
  {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1639
    $d = PageUtils::catedit_raw($page_id, $namespace);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1640
    return $d[0] . ' /* BEGIN CONTENT */ document.getElementById("ajaxEditContainer").innerHTML = unescape(\''.rawurlencode($d[1]).'\');';
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1641
  }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1642
  
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1643
  /**
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1644
   * Does the actual HTML/javascript generation for cat editing, but returns an array
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1645
   * @access private
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1646
   */
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1647
   
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1648
  function catedit_raw($page_id, $namespace)
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1649
  {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1650
    global $db, $session, $paths, $template, $plugins; // Common objects
214
a6ed8b6cdbe1 All on-page AJAX applets should be localized now
Dan
parents: 213
diff changeset
  1651
    global $lang;
a6ed8b6cdbe1 All on-page AJAX applets should be localized now
Dan
parents: 213
diff changeset
  1652
    
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1653
    ob_start();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1654
    $_ob = '';
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1655
    $e = $db->sql_query('SELECT category_id FROM ' . table_prefix.'categories WHERE page_id=\'' . $paths->cpage['urlname_nons'] . '\' AND namespace=\'' . $paths->namespace . '\'');
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1656
    if(!$e) jsdie('Error selecting category information for current page: '.mysql_error());
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1657
    $cat_current = Array();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1658
    while($r = $db->fetchrow())
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1659
    {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1660
      $cat_current[] = $r;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1661
    }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1662
    $db->free_result();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1663
    $cat_all = Array();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1664
    for($i=0;$i<sizeof($paths->pages)/2;$i++)
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1665
    {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1666
      if($paths->pages[$i]['namespace']=='Category') $cat_all[] = $paths->pages[$i];
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1667
    }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1668
    
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1669
    // Make $cat_all an associative array, like $paths->pages
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1670
    $sz = sizeof($cat_all);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1671
    for($i=0;$i<$sz;$i++)
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1672
    {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1673
      $cat_all[$cat_all[$i]['urlname_nons']] = $cat_all[$i];
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1674
    }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1675
    // Now, the "zipper" function - join the list of categories with the list of cats that this page is a part of
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1676
    $cat_info = $cat_all;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1677
    for($i=0;$i<sizeof($cat_current);$i++)
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1678
    {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1679
      $un = $cat_current[$i]['category_id'];
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1680
      $cat_info[$un]['member'] = true;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1681
    }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1682
    // Now copy the information we just set into the numerically named keys
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1683
    for($i=0;$i<sizeof($cat_info)/2;$i++)
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1684
    {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1685
      $un = $cat_info[$i]['urlname_nons'];
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1686
      $cat_info[$i] = $cat_info[$un];
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1687
    }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1688
    
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1689
    echo 'catlist = new Array();'; // Initialize the client-side category list
214
a6ed8b6cdbe1 All on-page AJAX applets should be localized now
Dan
parents: 213
diff changeset
  1690
    $_ob .= '<h3>' . $lang->get('catedit_title') . '</h3>
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1691
             <form name="mdgCatForm" action="'.makeUrlNS($namespace, $page_id, 'do=catedit').'" method="post">';
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1692
    if ( sizeof($cat_info) < 1 )
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1693
    {
214
a6ed8b6cdbe1 All on-page AJAX applets should be localized now
Dan
parents: 213
diff changeset
  1694
      $_ob .= '<p>' . $lang->get('catedit_no_categories') . '</p>';
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1695
    }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1696
    for ( $i = 0; $i < sizeof($cat_info) / 2; $i++ )
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1697
    {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1698
      // Protection code added 1/3/07
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1699
      // Updated 3/4/07
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1700
      $is_prot = false;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1701
      $perms = $session->fetch_page_acl($cat_info[$i]['urlname_nons'], 'Category');
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1702
      if ( !$session->get_permissions('edit_cat') || !$perms->get_permissions('edit_cat') ||
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1703
         ( $cat_info[$i]['really_protected'] && !$perms->get_permissions('even_when_protected') ) )
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1704
         $is_prot = true;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1705
      $prot = ( $is_prot ) ? ' disabled="disabled" ' : '';
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1706
      $prottext = ( $is_prot ) ? ' <img alt="(protected)" width="16" height="16" src="'.scriptPath.'/images/lock16.png" />' : '';
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1707
      echo 'catlist[' . $i . '] = \'' . $cat_info[$i]['urlname_nons'] . '\';';
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1708
      $_ob .= '<span class="catCheck"><input ' . $prot . ' name="' . $cat_info[$i]['urlname_nons'] . '" id="mdgCat_' . $cat_info[$i]['urlname_nons'] . '" type="checkbox"';
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1709
      if(isset($cat_info[$i]['member'])) $_ob .= ' checked="checked"';
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1710
      $_ob .= '/>  <label for="mdgCat_' . $cat_info[$i]['urlname_nons'] . '">' . $cat_info[$i]['name'].$prottext.'</label></span><br />';
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1711
    }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1712
    
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1713
    $disabled = ( sizeof($cat_info) < 1 ) ? 'disabled="disabled"' : '';
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1714
      
214
a6ed8b6cdbe1 All on-page AJAX applets should be localized now
Dan
parents: 213
diff changeset
  1715
    $_ob .= '<div style="border-top: 1px solid #CCC; padding-top: 5px; margin-top: 10px;"><input name="__enanoSaveButton" ' . $disabled . ' style="font-weight: bold;" type="submit" onclick="ajaxCatSave(); return false;" value="' . $lang->get('etc_save_changes') . '" /> <input name="__enanoCatCancel" type="submit" onclick="ajaxReset(); return false;" value="' . $lang->get('etc_cancel') . '" /></div></form>';
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1716
    
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1717
    $cont = ob_get_contents();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1718
    ob_end_clean();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1719
    return Array($cont, $_ob);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1720
  }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1721
  
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1722
  /**
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1723
   * Saves category information
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1724
   * WARNING: If $which_cats is empty, all the category information for the selected page will be nuked!
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1725
   * @param $page_id string the page ID
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1726
   * @param $namespace string the namespace
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1727
   * @param $which_cats array associative array of categories to put the page in
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1728
   * @return string "GOOD" on success, error string on failure
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1729
   */
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1730
  
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1731
  function catsave($page_id, $namespace, $which_cats)
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1732
  {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1733
    global $db, $session, $paths, $template, $plugins; // Common objects
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1734
    if(!$session->get_permissions('edit_cat')) return('Insufficient privileges to change category information');
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1735
    
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1736
    $page_perms = $session->fetch_page_acl($page_id, $namespace);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1737
    $page_data =& $paths->pages[$paths->nslist[$namespace].$page_id];
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1738
    
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1739
    $cat_all = Array();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1740
    for($i=0;$i<sizeof($paths->pages)/2;$i++)
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1741
    {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1742
      if($paths->pages[$i]['namespace']=='Category') $cat_all[] = $paths->pages[$i];
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1743
    }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1744
    
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1745
    // Make $cat_all an associative array, like $paths->pages
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1746
    $sz = sizeof($cat_all);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1747
    for($i=0;$i<$sz;$i++)
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1748
    {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1749
      $cat_all[$cat_all[$i]['urlname_nons']] = $cat_all[$i];
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1750
    }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1751
    
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1752
    $rowlist = Array();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1753
    
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1754
    for($i=0;$i<sizeof($cat_all)/2;$i++)
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1755
    {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1756
      $auth = true;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1757
      $perms = $session->fetch_page_acl($cat_all[$i]['urlname_nons'], 'Category');
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1758
      if ( !$session->get_permissions('edit_cat') || !$perms->get_permissions('edit_cat') ||
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1759
         ( $cat_all[$i]['really_protected'] && !$perms->get_permissions('even_when_protected') ) ||
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1760
         ( !$page_perms->get_permissions('even_when_protected') && $page_data['protected'] == '1' ) )
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1761
         $auth = false;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1762
      if(!$auth)
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1763
      {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1764
        // Find out if the page is currently in the category
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1765
        $q = $db->sql_query('SELECT * FROM ' . table_prefix.'categories WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\';');
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1766
        if(!$q)
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1767
          return 'MySQL error: ' . $db->get_error();
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1768
        if($db->numrows() > 0)
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1769
        {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1770
          $auth = true;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1771
          $which_cats[$cat_all[$i]['urlname_nons']] = true; // Force the category to stay in its current state
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1772
        }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1773
        $db->free_result();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1774
      }
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1775
      if(isset($which_cats[$cat_all[$i]['urlname_nons']]) && $which_cats[$cat_all[$i]['urlname_nons']] == true /* for clarity ;-) */ && $auth ) $rowlist[] = '(\'' . $page_id . '\', \'' . $namespace . '\', \'' . $cat_all[$i]['urlname_nons'] . '\')';
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1776
    }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1777
    if(sizeof($rowlist) > 0)
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1778
    {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1779
      $val = implode(',', $rowlist);
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1780
      $q = 'INSERT INTO ' . table_prefix.'categories(page_id,namespace,category_id) VALUES' . $val . ';';
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1781
      $e = $db->sql_query('DELETE FROM ' . table_prefix.'categories WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\';');
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1782
      if(!$e) $db->_die('The old category data could not be deleted.');
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1783
      $e = $db->sql_query($q);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1784
      if(!$e) $db->_die('The new category data could not be inserted.');
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1785
      return('GOOD');
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1786
    }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1787
    else
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1788
    {
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1789
      $e = $db->sql_query('DELETE FROM ' . table_prefix.'categories WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\';');
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1790
      if(!$e) $db->_die('The old category data could not be deleted.');
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1791
      return('GOOD');
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1792
    }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1793
  }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1794
  
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1795
  /**
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1796
   * Sets the wiki mode level for a page.
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1797
   * @param $page_id string the page ID
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1798
   * @param $namespace string the namespace
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1799
   * @param $level int 0 for off, 1 for on, 2 for use global setting
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1800
   * @return string "GOOD" on success, error string on failure
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1801
   */
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1802
  
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1803
  function setwikimode($page_id, $namespace, $level)
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1804
  {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1805
    global $db, $session, $paths, $template, $plugins; // Common objects
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1806
    if(!$session->get_permissions('set_wiki_mode')) return('Insufficient access rights');
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1807
    if ( !isset($level) || ( isset($level) && !preg_match('#^([0-2]){1}$#', (string)$level) ) )
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1808
    {
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1809
      return('Invalid mode string');
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1810
    }
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1811
    $q = $db->sql_query('UPDATE ' . table_prefix.'pages SET wiki_mode=' . $level . ' WHERE urlname=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\';');
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1812
    if ( !$q )
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1813
    {
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1814
      return('Error during update query: '.mysql_error()."\n\nSQL Backtrace:\n".$db->sql_backtrace());
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1815
    }
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1816
    return('GOOD');
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1817
  }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1818
  
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1819
  /**
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1820
   * Sets the access password for a page.
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1821
   * @param $page_id string the page ID
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1822
   * @param $namespace string the namespace
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1823
   * @param $pass string the SHA1 hash of the password - if the password doesn't match the regex ^([0-9a-f]*){40,40}$ it will be sha1'ed
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1824
   * @return string
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1825
   */
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1826
  
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1827
  function setpass($page_id, $namespace, $pass)
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1828
  {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1829
    global $db, $session, $paths, $template, $plugins; // Common objects
214
a6ed8b6cdbe1 All on-page AJAX applets should be localized now
Dan
parents: 213
diff changeset
  1830
    global $lang;
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1831
    // Determine permissions
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1832
    if($paths->pages[$paths->nslist[$namespace].$page_id]['password'] != '')
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1833
      $a = $session->get_permissions('password_reset');
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1834
    else
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1835
      $a = $session->get_permissions('password_set');
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1836
    if(!$a)
214
a6ed8b6cdbe1 All on-page AJAX applets should be localized now
Dan
parents: 213
diff changeset
  1837
      return $lang->get('etc_access_denied');
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1838
    if(!isset($pass)) return('Password was not set on URL');
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1839
    $p = $pass;
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1840
    if ( !preg_match('#([0-9a-f]){40,40}#', $p) )
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1841
    {
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1842
      $p = sha1($p);
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1843
    }
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1844
    if ( $p == 'da39a3ee5e6b4b0d3255bfef95601890afd80709' )
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1845
      // sha1('') = da39a3ee5e6b4b0d3255bfef95601890afd80709
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1846
      $p = '';
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1847
    $e = $db->sql_query('UPDATE ' . table_prefix.'pages SET password=\'' . $p . '\' WHERE urlname=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\';');
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1848
    if ( !$e )
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1849
    {
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1850
      die('PageUtils::setpass(): Error during update query: '.mysql_error()."\n\nSQL Backtrace:\n".$db->sql_backtrace());
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1851
    }
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1852
    // Is the new password blank?
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1853
    if ( $p == '' )
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1854
    {
214
a6ed8b6cdbe1 All on-page AJAX applets should be localized now
Dan
parents: 213
diff changeset
  1855
      return $lang->get('ajax_password_disable_success');
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1856
    }
214
a6ed8b6cdbe1 All on-page AJAX applets should be localized now
Dan
parents: 213
diff changeset
  1857
    else
a6ed8b6cdbe1 All on-page AJAX applets should be localized now
Dan
parents: 213
diff changeset
  1858
    {
a6ed8b6cdbe1 All on-page AJAX applets should be localized now
Dan
parents: 213
diff changeset
  1859
      return $lang->get('ajax_password_success');
a6ed8b6cdbe1 All on-page AJAX applets should be localized now
Dan
parents: 213
diff changeset
  1860
    }
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1861
  }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1862
  
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1863
  /**
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1864
   * Generates some preview HTML
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1865
   * @param $text string the wikitext to use
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1866
   * @return string
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1867
   */
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1868
   
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1869
  function genPreview($text)
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1870
  {
214
a6ed8b6cdbe1 All on-page AJAX applets should be localized now
Dan
parents: 213
diff changeset
  1871
    global $lang;
a6ed8b6cdbe1 All on-page AJAX applets should be localized now
Dan
parents: 213
diff changeset
  1872
    $ret = '<div class="info-box">' . $lang->get('editor_preview_blurb') . '</div><div style="background-color: #F8F8F8; padding: 10px; border: 1px dashed #406080; max-height: 250px; overflow: auto; margin: 1em 0 1em 1em;">';
102
d807dcd7aed7 [comments] fixed edit button (source wasn't getting filled)
Dan
parents: 81
diff changeset
  1873
    $text = RenderMan::render(RenderMan::preprocess_text($text, false, false));
d807dcd7aed7 [comments] fixed edit button (source wasn't getting filled)
Dan
parents: 81
diff changeset
  1874
    ob_start();
d807dcd7aed7 [comments] fixed edit button (source wasn't getting filled)
Dan
parents: 81
diff changeset
  1875
    eval('?>' . $text);
d807dcd7aed7 [comments] fixed edit button (source wasn't getting filled)
Dan
parents: 81
diff changeset
  1876
    $text = ob_get_contents();
d807dcd7aed7 [comments] fixed edit button (source wasn't getting filled)
Dan
parents: 81
diff changeset
  1877
    ob_end_clean();
d807dcd7aed7 [comments] fixed edit button (source wasn't getting filled)
Dan
parents: 81
diff changeset
  1878
    $ret .= $text;
d807dcd7aed7 [comments] fixed edit button (source wasn't getting filled)
Dan
parents: 81
diff changeset
  1879
    $ret .= '</div>';
d807dcd7aed7 [comments] fixed edit button (source wasn't getting filled)
Dan
parents: 81
diff changeset
  1880
    return $ret;
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1881
  }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1882
  
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1883
  /**
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1884
   * Makes a scrollable box
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1885
   * @param string $text the inner HTML
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1886
   * @param int $height Optional - the maximum height. Defaults to 250.
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1887
   * @return string
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1888
   */
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1889
   
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1890
  function scrollBox($text, $height = 250)
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1891
  {
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1892
    return '<div style="background-color: #F8F8F8; padding: 10px; border: 1px dashed #406080; max-height: '.(string)intval($height).'px; overflow: auto; margin: 1em 0 1em 1em;">' . $text . '</div>';
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1893
  }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1894
  
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1895
  /**
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1896
   * Generates a diff summary between two page revisions.
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1897
   * @param $page_id the page ID
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1898
   * @param $namespace the namespace
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1899
   * @param $id1 the time ID of the first revision
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1900
   * @param $id2 the time ID of the second revision
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1901
   * @return string XHTML-formatted diff
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1902
   */
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1903
   
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1904
  function pagediff($page_id, $namespace, $id1, $id2)
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1905
  {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1906
    global $db, $session, $paths, $template, $plugins; // Common objects
213
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
  1907
    global $lang;
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1908
    if(!$session->get_permissions('history_view'))
214
a6ed8b6cdbe1 All on-page AJAX applets should be localized now
Dan
parents: 213
diff changeset
  1909
      return $lang->get('etc_access_denied');
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1910
    if(!preg_match('#^([0-9]+)$#', (string)$id1) ||
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1911
       !preg_match('#^([0-9]+)$#', (string)$id2  )) return 'SQL injection attempt';
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1912
    // OK we made it through security
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1913
    // Safest way to make sure we don't end up with the revisions in wrong columns is to make 2 queries
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1914
    if(!$q1 = $db->sql_query('SELECT page_text,char_tag,author,edit_summary FROM ' . table_prefix.'logs WHERE time_id=' . $id1 . ' AND log_type=\'page\' AND action=\'edit\' AND page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\';')) return 'MySQL error: '.mysql_error();
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1915
    if(!$q2 = $db->sql_query('SELECT page_text,char_tag,author,edit_summary FROM ' . table_prefix.'logs WHERE time_id=' . $id2 . ' AND log_type=\'page\' AND action=\'edit\' AND page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\';')) return 'MySQL error: '.mysql_error();
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1916
    $row1 = $db->fetchrow($q1);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1917
    $db->free_result($q1);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1918
    $row2 = $db->fetchrow($q2);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1919
    $db->free_result($q2);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1920
    if(sizeof($row1) < 1 || sizeof($row2) < 2) return 'Couldn\'t find any rows that matched the query. The time ID probably doesn\'t exist in the logs table.';
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1921
    $text1 = $row1['page_text'];
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1922
    $text2 = $row2['page_text'];
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1923
    $time1 = date('F d, Y h:i a', $id1);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1924
    $time2 = date('F d, Y h:i a', $id2);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1925
    $_ob = "
213
1316404e4ea8 Localized history page and static HTML comment interface
Dan
parents: 204
diff changeset
  1926
    <p>" . $lang->get('history_lbl_comparingrevisions') . " {$time1} &rarr; {$time2}</p>
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1927
    ";
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1928
    // Free some memory
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1929
    unset($row1, $row2, $q1, $q2);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1930
    
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1931
    $_ob .= RenderMan::diff($text1, $text2);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1932
    return $_ob;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1933
  }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1934
  
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1935
  /**
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1936
   * Gets ACL information about the selected page for target type X and target ID Y.
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1937
   * @param array $parms What to select. This is an array purely for JSON compatibility. It should be an associative array with keys target_type and target_id.
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1938
   * @return array
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1939
   */
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1940
   
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1941
  function acl_editor($parms = Array())
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1942
  {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1943
    global $db, $session, $paths, $template, $plugins; // Common objects
218
e878bcf0227e Javascripted ACL editor interface localized
Dan
parents: 214
diff changeset
  1944
    global $lang;
e878bcf0227e Javascripted ACL editor interface localized
Dan
parents: 214
diff changeset
  1945
    
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1946
    if(!$session->get_permissions('edit_acl') && $session->user_level < USER_LEVEL_ADMIN)
40
723bb7acf914 Fixed a lot of bugs with Safari and Konqueror; improved Opera compatibility
Dan
parents: 39
diff changeset
  1947
    {
723bb7acf914 Fixed a lot of bugs with Safari and Konqueror; improved Opera compatibility
Dan
parents: 39
diff changeset
  1948
      return Array(
723bb7acf914 Fixed a lot of bugs with Safari and Konqueror; improved Opera compatibility
Dan
parents: 39
diff changeset
  1949
        'mode' => 'error',
218
e878bcf0227e Javascripted ACL editor interface localized
Dan
parents: 214
diff changeset
  1950
        'error' => $lang->get('acl_err_access_denied')
40
723bb7acf914 Fixed a lot of bugs with Safari and Konqueror; improved Opera compatibility
Dan
parents: 39
diff changeset
  1951
        );
723bb7acf914 Fixed a lot of bugs with Safari and Konqueror; improved Opera compatibility
Dan
parents: 39
diff changeset
  1952
    }
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1953
    $parms['page_id'] = ( isset($parms['page_id']) ) ? $parms['page_id'] : false;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1954
    $parms['namespace'] = ( isset($parms['namespace']) ) ? $parms['namespace'] : false;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1955
    $page_id =& $parms['page_id'];
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1956
    $namespace =& $parms['namespace'];
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1957
    $page_where_clause      = ( empty($page_id) || empty($namespace) ) ? 'AND a.page_id IS NULL AND a.namespace IS NULL' : 'AND a.page_id=\'' . $db->escape($page_id) . '\' AND a.namespace=\'' . $db->escape($namespace) . '\'';
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1958
    $page_where_clause_lite = ( empty($page_id) || empty($namespace) ) ? 'AND page_id IS NULL AND namespace IS NULL' : 'AND page_id=\'' . $db->escape($page_id) . '\' AND namespace=\'' . $db->escape($namespace) . '\'';
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1959
    //die(print_r($page_id,true));
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1960
    $template->load_theme();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1961
    // $perms_obj = $session->fetch_page_acl($page_id, $namespace);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1962
    $perms_obj =& $session;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1963
    $return = Array();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1964
    if ( !file_exists(ENANO_ROOT . '/themes/' . $session->theme . '/acledit.tpl') )
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1965
    {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1966
      return Array(
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1967
        'mode' => 'error',
218
e878bcf0227e Javascripted ACL editor interface localized
Dan
parents: 214
diff changeset
  1968
        'error' => $lang->get('acl_err_missing_template'),
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1969
      );
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1970
    }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1971
    $return['template'] = $template->extract_vars('acledit.tpl');
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1972
    $return['page_id'] = $page_id;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1973
    $return['namespace'] = $namespace;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1974
    if(isset($parms['mode']))
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1975
    {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1976
      switch($parms['mode'])
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1977
      {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1978
        case 'listgroups':
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1979
          $return['groups'] = Array();
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1980
          $q = $db->sql_query('SELECT group_id,group_name FROM ' . table_prefix.'groups ORDER BY group_name ASC;');
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1981
          while($row = $db->fetchrow())
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1982
          {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1983
            $return['groups'][] = Array(
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1984
              'id' => $row['group_id'],
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1985
              'name' => $row['group_name'],
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1986
              );
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1987
          }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  1988
          $db->free_result();
73
0a74676a2f2f Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
parents: 57
diff changeset
  1989
          $return['page_groups'] = Array();
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  1990
          $q = $db->sql_query('SELECT pg_id,pg_name FROM ' . table_prefix.'page_groups ORDER BY pg_name ASC;');
73
0a74676a2f2f Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
parents: 57
diff changeset
  1991
          if ( !$q )
0a74676a2f2f Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
parents: 57
diff changeset
  1992
            return Array(
0a74676a2f2f Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
parents: 57
diff changeset
  1993
              'mode' => 'error',
0a74676a2f2f Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
parents: 57
diff changeset
  1994
              'error' => $db->get_error()
0a74676a2f2f Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
parents: 57
diff changeset
  1995
              );
0a74676a2f2f Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
parents: 57
diff changeset
  1996
          while ( $row = $db->fetchrow() )
0a74676a2f2f Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
parents: 57
diff changeset
  1997
          {
0a74676a2f2f Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
parents: 57
diff changeset
  1998
            $return['page_groups'][] = Array(
0a74676a2f2f Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
parents: 57
diff changeset
  1999
                'id' => $row['pg_id'],
0a74676a2f2f Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
parents: 57
diff changeset
  2000
                'name' => $row['pg_name']
0a74676a2f2f Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
parents: 57
diff changeset
  2001
              );
0a74676a2f2f Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
parents: 57
diff changeset
  2002
          }
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2003
          break;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2004
        case 'seltarget':
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2005
          $return['mode'] = 'seltarget';
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2006
          $return['acl_types'] = $perms_obj->acl_types;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2007
          $return['acl_deps'] = $perms_obj->acl_deps;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2008
          $return['acl_descs'] = $perms_obj->acl_descs;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2009
          $return['target_type'] = $parms['target_type'];
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2010
          $return['target_id'] = $parms['target_id'];
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2011
          switch($parms['target_type'])
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2012
          {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2013
            case ACL_TYPE_USER:
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  2014
              $q = $db->sql_query('SELECT a.rules,u.user_id FROM ' . table_prefix.'users AS u
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  2015
                  LEFT JOIN ' . table_prefix.'acl AS a
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2016
                    ON a.target_id=u.user_id
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2017
                  WHERE a.target_type='.ACL_TYPE_USER.'
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  2018
                    AND u.username=\'' . $db->escape($parms['target_id']) . '\'
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  2019
                    ' . $page_where_clause . ';');
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2020
              if(!$q)
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2021
                return(Array('mode'=>'error','error'=>mysql_error()));
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2022
              if($db->numrows() < 1)
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2023
              {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2024
                $return['type'] = 'new';
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  2025
                $q = $db->sql_query('SELECT user_id FROM ' . table_prefix.'users WHERE username=\'' . $db->escape($parms['target_id']) . '\';');
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2026
                if(!$q)
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2027
                  return(Array('mode'=>'error','error'=>mysql_error()));
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2028
                if($db->numrows() < 1)
218
e878bcf0227e Javascripted ACL editor interface localized
Dan
parents: 214
diff changeset
  2029
                  return Array('mode'=>'error','error'=>$lang->get('acl_err_user_not_found'));
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2030
                $row = $db->fetchrow();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2031
                $return['target_name'] = $return['target_id'];
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2032
                $return['target_id'] = intval($row['user_id']);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2033
                $return['current_perms'] = $session->acl_types;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2034
              }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2035
              else
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2036
              {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2037
                $return['type'] = 'edit';
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2038
                $row = $db->fetchrow();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2039
                $return['target_name'] = $return['target_id'];
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2040
                $return['target_id'] = intval($row['user_id']);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2041
                $return['current_perms'] = $session->acl_merge($perms_obj->acl_types, $session->string_to_perm($row['rules']));
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2042
              }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2043
              $db->free_result();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2044
              // Eliminate types that don't apply to this namespace
73
0a74676a2f2f Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
parents: 57
diff changeset
  2045
              if ( $namespace && $namespace != '__PageGroup' )
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2046
              {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2047
                foreach ( $return['current_perms'] AS $i => $perm )
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2048
                {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2049
                  if ( ( $page_id != null && $namespace != null ) && ( !in_array ( $namespace, $session->acl_scope[$i] ) && !in_array('All', $session->acl_scope[$i]) ) )
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2050
                  {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2051
                    // echo "// SCOPE CONTROL: eliminating: $i\n";
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2052
                    unset($return['current_perms'][$i]);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2053
                    unset($return['acl_types'][$i]);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2054
                    unset($return['acl_descs'][$i]);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2055
                    unset($return['acl_deps'][$i]);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2056
                  }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2057
                }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2058
              }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2059
              break;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2060
            case ACL_TYPE_GROUP:
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  2061
              $q = $db->sql_query('SELECT a.rules,g.group_name,g.group_id FROM ' . table_prefix.'groups AS g
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  2062
                  LEFT JOIN ' . table_prefix.'acl AS a
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2063
                    ON a.target_id=g.group_id
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2064
                  WHERE a.target_type='.ACL_TYPE_GROUP.'
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2065
                    AND g.group_id=\''.intval($parms['target_id']).'\'
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  2066
                    ' . $page_where_clause . ';');
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2067
              if(!$q)
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2068
                return(Array('mode'=>'error','error'=>mysql_error()));
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2069
              if($db->numrows() < 1)
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2070
              {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2071
                $return['type'] = 'new';
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  2072
                $q = $db->sql_query('SELECT group_id,group_name FROM ' . table_prefix.'groups WHERE group_id=\''.intval($parms['target_id']).'\';');
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2073
                if(!$q)
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2074
                  return(Array('mode'=>'error','error'=>mysql_error()));
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2075
                if($db->numrows() < 1)
218
e878bcf0227e Javascripted ACL editor interface localized
Dan
parents: 214
diff changeset
  2076
                  return Array('mode'=>'error','error'=>$lang->get('acl_err_bad_group_id'));
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2077
                $row = $db->fetchrow();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2078
                $return['target_name'] = $row['group_name'];
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2079
                $return['target_id'] = intval($row['group_id']);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2080
                $return['current_perms'] = $session->acl_types;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2081
              }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2082
              else
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2083
              {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2084
                $return['type'] = 'edit';
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2085
                $row = $db->fetchrow();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2086
                $return['target_name'] = $row['group_name'];
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2087
                $return['target_id'] = intval($row['group_id']);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2088
                $return['current_perms'] = $session->acl_merge($session->acl_types, $session->string_to_perm($row['rules']));
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2089
              }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2090
              $db->free_result();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2091
              // Eliminate types that don't apply to this namespace
73
0a74676a2f2f Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
parents: 57
diff changeset
  2092
              if ( $namespace && $namespace != '__PageGroup' )
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2093
              {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2094
                foreach ( $return['current_perms'] AS $i => $perm )
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2095
                {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2096
                  if ( ( $page_id != false && $namespace != false ) && ( !in_array ( $namespace, $session->acl_scope[$i] ) && !in_array('All', $session->acl_scope[$i]) ) )
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2097
                  {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2098
                    // echo "// SCOPE CONTROL: eliminating: $i\n"; //; ".print_r($namespace,true).":".print_r($page_id,true)."\n";
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2099
                    unset($return['current_perms'][$i]);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2100
                    unset($return['acl_types'][$i]);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2101
                    unset($return['acl_descs'][$i]);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2102
                    unset($return['acl_deps'][$i]);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2103
                  }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2104
                }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2105
              }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2106
              //return Array('mode'=>'debug','text'=>print_r($return, true));
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2107
              break;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2108
            default:
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2109
              return Array('mode'=>'error','error','Invalid ACL type ID');
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2110
              break;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2111
          }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2112
          return $return;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2113
          break;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2114
        case 'save_new':
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2115
        case 'save_edit':
19
5d003b6c9e89 Added demo mode functionality to various parts of Enano (unlocked only with a plugin) and fixed groups table
Dan
parents: 16
diff changeset
  2116
          if ( defined('ENANO_DEMO_MODE') )
5d003b6c9e89 Added demo mode functionality to various parts of Enano (unlocked only with a plugin) and fixed groups table
Dan
parents: 16
diff changeset
  2117
          {
218
e878bcf0227e Javascripted ACL editor interface localized
Dan
parents: 214
diff changeset
  2118
            return Array('mode'=>'error','error'=>$lang->get('acl_err_demo'));
19
5d003b6c9e89 Added demo mode functionality to various parts of Enano (unlocked only with a plugin) and fixed groups table
Dan
parents: 16
diff changeset
  2119
          }
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  2120
          $q = $db->sql_query('DELETE FROM ' . table_prefix.'acl WHERE target_type='.intval($parms['target_type']).' AND target_id='.intval($parms['target_id']).'
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  2121
            ' . $page_where_clause_lite . ';');
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2122
          if(!$q)
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2123
            return Array('mode'=>'error','error'=>mysql_error());
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2124
          $rules = $session->perm_to_string($parms['perms']);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2125
          if ( sizeof ( $rules ) < 1 )
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2126
          {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2127
            return array(
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2128
                'mode' => 'error', 
218
e878bcf0227e Javascripted ACL editor interface localized
Dan
parents: 214
diff changeset
  2129
                'error' => $lang->get('acl_err_zero_list')
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2130
              );
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2131
          }
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  2132
          $q = ($page_id && $namespace) ? 'INSERT INTO ' . table_prefix.'acl ( target_type, target_id, page_id, namespace, rules )
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  2133
                                             VALUES( '.intval($parms['target_type']).', '.intval($parms['target_id']).', \'' . $db->escape($page_id) . '\', \'' . $db->escape($namespace) . '\', \'' . $db->escape($rules) . '\' )' :
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  2134
                                          'INSERT INTO ' . table_prefix.'acl ( target_type, target_id, rules )
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  2135
                                             VALUES( '.intval($parms['target_type']).', '.intval($parms['target_id']).', \'' . $db->escape($rules) . '\' )';
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2136
          if(!$db->sql_query($q)) return Array('mode'=>'error','error'=>mysql_error());
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2137
          return Array(
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2138
              'mode' => 'success',
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2139
              'target_type' => $parms['target_type'],
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2140
              'target_id' => $parms['target_id'],
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2141
              'target_name' => $parms['target_name'],
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2142
              'page_id' => $page_id,
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2143
              'namespace' => $namespace,
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2144
            );
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2145
          break;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2146
        case 'delete':
19
5d003b6c9e89 Added demo mode functionality to various parts of Enano (unlocked only with a plugin) and fixed groups table
Dan
parents: 16
diff changeset
  2147
          if ( defined('ENANO_DEMO_MODE') )
5d003b6c9e89 Added demo mode functionality to various parts of Enano (unlocked only with a plugin) and fixed groups table
Dan
parents: 16
diff changeset
  2148
          {
218
e878bcf0227e Javascripted ACL editor interface localized
Dan
parents: 214
diff changeset
  2149
            return Array('mode'=>'error','error'=>$lang->get('acl_err_demo'));
19
5d003b6c9e89 Added demo mode functionality to various parts of Enano (unlocked only with a plugin) and fixed groups table
Dan
parents: 16
diff changeset
  2150
          }
194
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  2151
          $q = $db->sql_query('DELETE FROM ' . table_prefix.'acl WHERE target_type='.intval($parms['target_type']).' AND target_id='.intval($parms['target_id']).'
bf0fdec102e9 SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents: 158
diff changeset
  2152
            ' . $page_where_clause_lite . ';');
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2153
          if(!$q)
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2154
            return Array('mode'=>'error','error'=>mysql_error());
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2155
          return Array(
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2156
              'mode' => 'delete',
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2157
              'target_type' => $parms['target_type'],
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2158
              'target_id' => $parms['target_id'],
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2159
              'target_name' => $parms['target_name'],
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2160
              'page_id' => $page_id,
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2161
              'namespace' => $namespace,
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2162
            );
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2163
          break;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2164
        default:
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2165
          return Array('mode'=>'error','error'=>'Hacking attempt');
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2166
          break;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2167
      }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2168
    }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2169
    return $return;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2170
  }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2171
  
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2172
  /**
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2173
   * Same as PageUtils::acl_editor(), but the parms are a JSON string instead of an array. This also returns a JSON string.
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2174
   * @param string $parms Same as PageUtils::acl_editor/$parms, but should be a valid JSON string.
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2175
   * @return string
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2176
   */
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2177
   
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2178
  function acl_json($parms = '{ }')
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2179
  {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2180
    global $db, $session, $paths, $template, $plugins; // Common objects
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2181
    $json = new Services_JSON(SERVICES_JSON_LOOSE_TYPE);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2182
    $parms = $json->decode($parms);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2183
    $ret = PageUtils::acl_editor($parms);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2184
    $ret = $json->encode($ret);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2185
    return $ret;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2186
  }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2187
  
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2188
  /**
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2189
   * A non-Javascript frontend for the ACL API.
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2190
   * @param array The request data, if any, this should be in the format required by PageUtils::acl_editor()
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2191
   */
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2192
   
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2193
  function aclmanager($parms)
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2194
  {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2195
    global $db, $session, $paths, $template, $plugins; // Common objects
219
b1530b6a06d2 Failsafe ACL editor interface localized
Dan
parents: 218
diff changeset
  2196
    global $lang;
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2197
    ob_start();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2198
    // Convenience
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2199
    $formstart = '<form 
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2200
                    action="' . makeUrl($paths->page, 'do=aclmanager', true) . '"
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2201
                    method="post" enctype="multipart/form-data"
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2202
                    onsubmit="if(!submitAuthorized) return false;"
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2203
                    >';
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2204
    $formend   = '</form>';
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2205
    $parms    = PageUtils::acl_preprocess($parms);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2206
    $response = PageUtils::acl_editor($parms);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2207
    $response = PageUtils::acl_postprocess($response);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2208
    
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2209
    //die('<pre>' . htmlspecialchars(print_r($response, true)) . '</pre>');
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2210
    
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2211
    switch($response['mode'])
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2212
    {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2213
      case 'debug':
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2214
        echo '<pre>' . htmlspecialchars($response['text']) . '</pre>';
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2215
        break;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2216
      case 'stage1':
219
b1530b6a06d2 Failsafe ACL editor interface localized
Dan
parents: 218
diff changeset
  2217
        echo '<h3>' . $lang->get('acl_lbl_welcome_title') . '</h3>
b1530b6a06d2 Failsafe ACL editor interface localized
Dan
parents: 218
diff changeset
  2218
              <p>' . $lang->get('acl_lbl_welcome_body') . '</p>';
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2219
        echo $formstart;
219
b1530b6a06d2 Failsafe ACL editor interface localized
Dan
parents: 218
diff changeset
  2220
        echo '<p><label><input type="radio" name="data[target_type]" value="' . ACL_TYPE_GROUP . '" checked="checked" /> ' . $lang->get('acl_radio_usergroup') . '</label></p>
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2221
              <p><select name="data[target_id_grp]">';
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2222
        foreach ( $response['groups'] as $group )
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2223
        {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2224
          echo '<option value="' . $group['id'] . '">' . $group['name'] . '</option>';
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2225
        }
219
b1530b6a06d2 Failsafe ACL editor interface localized
Dan
parents: 218
diff changeset
  2226
        
103
a8891e108c95 Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
parents: 102
diff changeset
  2227
        // page group selector
a8891e108c95 Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
parents: 102
diff changeset
  2228
        $groupsel = '';
a8891e108c95 Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
parents: 102
diff changeset
  2229
        if ( count($response['page_groups']) > 0 )
a8891e108c95 Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
parents: 102
diff changeset
  2230
        {
219
b1530b6a06d2 Failsafe ACL editor interface localized
Dan
parents: 218
diff changeset
  2231
          $groupsel = '<p><label><input type="radio" name="data[scope]" value="page_group" /> ' . $lang->get('acl_radio_scope_pagegroup') . '</label></p>
103
a8891e108c95 Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
parents: 102
diff changeset
  2232
                       <p><select name="data[pg_id]">';
a8891e108c95 Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
parents: 102
diff changeset
  2233
          foreach ( $response['page_groups'] as $grp )
a8891e108c95 Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
parents: 102
diff changeset
  2234
          {
a8891e108c95 Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
parents: 102
diff changeset
  2235
            $groupsel .= '<option value="' . $grp['id'] . '">' . htmlspecialchars($grp['name']) . '</option>';
a8891e108c95 Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
parents: 102
diff changeset
  2236
          }
a8891e108c95 Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
parents: 102
diff changeset
  2237
          $groupsel .= '</select></p>';
a8891e108c95 Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
parents: 102
diff changeset
  2238
        }
a8891e108c95 Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
parents: 102
diff changeset
  2239
        
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2240
        echo '</select></p>
219
b1530b6a06d2 Failsafe ACL editor interface localized
Dan
parents: 218
diff changeset
  2241
              <p><label><input type="radio" name="data[target_type]" value="' . ACL_TYPE_USER . '" /> ' . $lang->get('acl_radio_user') . '</label></p>
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2242
              <p>' . $template->username_field('data[target_id_user]') . '</p>
219
b1530b6a06d2 Failsafe ACL editor interface localized
Dan
parents: 218
diff changeset
  2243
              <p>' . $lang->get('acl_lbl_scope') . '</p>
b1530b6a06d2 Failsafe ACL editor interface localized
Dan
parents: 218
diff changeset
  2244
              <p><label><input name="data[scope]" value="only_this" type="radio" checked="checked" /> ' . $lang->get('acl_radio_scope_thispage') . '</p>
103
a8891e108c95 Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
parents: 102
diff changeset
  2245
              ' . $groupsel . '
219
b1530b6a06d2 Failsafe ACL editor interface localized
Dan
parents: 218
diff changeset
  2246
              <p><label><input name="data[scope]" value="entire_site" type="radio" /> ' . $lang->get('acl_radio_scope_wholesite') . '</p>
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2247
              <div style="margin: 0 auto 0 0; text-align: right;">
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2248
                <input name="data[mode]" value="seltarget" type="hidden" />
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2249
                <input type="hidden" name="data[page_id]" value="' . $paths->cpage['urlname_nons'] . '" />
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2250
                <input type="hidden" name="data[namespace]" value="' . $paths->namespace . '" />
219
b1530b6a06d2 Failsafe ACL editor interface localized
Dan
parents: 218
diff changeset
  2251
                <input type="submit" value="' . htmlspecialchars($lang->get('etc_wizard_next')) . '" />
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2252
              </div>';
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2253
        echo $formend;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2254
        break;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2255
      case 'success':
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2256
        echo '<div class="info-box">
219
b1530b6a06d2 Failsafe ACL editor interface localized
Dan
parents: 218
diff changeset
  2257
                <b>' . $lang->get('acl_lbl_save_success_title') . '</b><br />
b1530b6a06d2 Failsafe ACL editor interface localized
Dan
parents: 218
diff changeset
  2258
                ' . $lang->get('acl_lbl_save_success_body', array( 'target_name' => $response['target_name'] )) . '<br />
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2259
                ' . $formstart . '
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2260
                <input type="hidden" name="data[mode]" value="seltarget" />
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2261
                <input type="hidden" name="data[target_type]" value="' . $response['target_type'] . '" />
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2262
                <input type="hidden" name="data[target_id_user]" value="' . ( ( intval($response['target_type']) == ACL_TYPE_USER ) ? $response['target_name'] : $response['target_id'] ) .'" />
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2263
                <input type="hidden" name="data[target_id_grp]"  value="' . ( ( intval($response['target_type']) == ACL_TYPE_USER ) ? $response['target_name'] : $response['target_id'] ) .'" />
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2264
                <input type="hidden" name="data[scope]" value="' . ( ( $response['page_id'] ) ? 'only_this' : 'entire_site' ) . '" />
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2265
                <input type="hidden" name="data[page_id]" value="' . ( ( $response['page_id'] ) ? $response['page_id'] : 'false' ) . '" />
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2266
                <input type="hidden" name="data[namespace]" value="' . ( ( $response['namespace'] ) ? $response['namespace'] : 'false' ) . '" />
219
b1530b6a06d2 Failsafe ACL editor interface localized
Dan
parents: 218
diff changeset
  2267
                <input type="submit" value="' . $lang->get('acl_btn_returnto_editor') . '" /> <input type="submit" name="data[act_go_stage1]" value="' . $lang->get('acl_btn_returnto_userscope') . '" />
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2268
                ' . $formend . '
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2269
              </div>';
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2270
        break;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2271
      case 'delete':
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2272
        echo '<div class="info-box">
219
b1530b6a06d2 Failsafe ACL editor interface localized
Dan
parents: 218
diff changeset
  2273
                <b>' . $lang->get('acl_lbl_delete_success_title') . '</b><br />
b1530b6a06d2 Failsafe ACL editor interface localized
Dan
parents: 218
diff changeset
  2274
                ' . $lang->get('acl_lbl_delete_success_body', array('target_name' => $response['target_name'])) . '<br />
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2275
                ' . $formstart . '
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2276
                <input type="hidden" name="data[mode]" value="seltarget" />
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2277
                <input type="hidden" name="data[target_type]" value="' . $response['target_type'] . '" />
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2278
                <input type="hidden" name="data[target_id_user]" value="' . ( ( intval($response['target_type']) == ACL_TYPE_USER ) ? $response['target_name'] : $response['target_id'] ) .'" />
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2279
                <input type="hidden" name="data[target_id_grp]"  value="' . ( ( intval($response['target_type']) == ACL_TYPE_USER ) ? $response['target_name'] : $response['target_id'] ) .'" />
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2280
                <input type="hidden" name="data[scope]" value="' . ( ( $response['page_id'] ) ? 'only_this' : 'entire_site' ) . '" />
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2281
                <input type="hidden" name="data[page_id]" value="' . ( ( $response['page_id'] ) ? $response['page_id'] : 'false' ) . '" />
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2282
                <input type="hidden" name="data[namespace]" value="' . ( ( $response['namespace'] ) ? $response['namespace'] : 'false' ) . '" />
219
b1530b6a06d2 Failsafe ACL editor interface localized
Dan
parents: 218
diff changeset
  2283
                <input type="submit" value="' . $lang->get('acl_btn_returnto_editor') . '" /> <input type="submit" name="data[act_go_stage1]" value="' . $lang->get('acl_btn_returnto_userscope') . '" />
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2284
                ' . $formend . '
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2285
              </div>';
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2286
        break;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2287
      case 'seltarget':
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2288
        if ( $response['type'] == 'edit' )
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2289
        {
219
b1530b6a06d2 Failsafe ACL editor interface localized
Dan
parents: 218
diff changeset
  2290
          echo '<h3>' . $lang->get('acl_lbl_editwin_title_edit') . '</h3>';
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2291
        }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2292
        else
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2293
        {
219
b1530b6a06d2 Failsafe ACL editor interface localized
Dan
parents: 218
diff changeset
  2294
          echo '<h3>' . $lang->get('acl_lbl_editwin_title_create') . '</h3>';
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2295
        }
219
b1530b6a06d2 Failsafe ACL editor interface localized
Dan
parents: 218
diff changeset
  2296
        $type  = ( $response['target_type'] == ACL_TYPE_GROUP ) ? $lang->get('acl_target_type_group') : $lang->get('acl_target_type_user');
b1530b6a06d2 Failsafe ACL editor interface localized
Dan
parents: 218
diff changeset
  2297
        $scope = ( $response['page_id'] ) ? ( $response['namespace'] == '__PageGroup' ? $lang->get('acl_scope_type_pagegroup') : $lang->get('acl_scope_type_thispage') ) : $lang->get('acl_scope_type_wholesite');
b1530b6a06d2 Failsafe ACL editor interface localized
Dan
parents: 218
diff changeset
  2298
        $subs = array(
b1530b6a06d2 Failsafe ACL editor interface localized
Dan
parents: 218
diff changeset
  2299
            'target_type' => $type,
b1530b6a06d2 Failsafe ACL editor interface localized
Dan
parents: 218
diff changeset
  2300
            'target' => $response['target_name'],
b1530b6a06d2 Failsafe ACL editor interface localized
Dan
parents: 218
diff changeset
  2301
            'scope_type' => $scope
b1530b6a06d2 Failsafe ACL editor interface localized
Dan
parents: 218
diff changeset
  2302
          );
b1530b6a06d2 Failsafe ACL editor interface localized
Dan
parents: 218
diff changeset
  2303
        echo $lang->get('acl_lbl_editwin_body', $subs);
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2304
        echo $formstart;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2305
        $parser = $template->makeParserText( $response['template']['acl_field_begin'] );
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2306
        echo $parser->run();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2307
        $parser = $template->makeParserText( $response['template']['acl_field_item'] );
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2308
        $cls = 'row2';
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2309
        foreach ( $response['acl_types'] as $acl_type => $value )
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2310
        {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2311
          $vars = Array(
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2312
              'FIELD_DENY_CHECKED' => '',
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2313
              'FIELD_DISALLOW_CHECKED' => '',
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2314
              'FIELD_WIKIMODE_CHECKED' => '',
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2315
              'FIELD_ALLOW_CHECKED' => '',
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2316
            );
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2317
          $cls = ( $cls == 'row1' ) ? 'row2' : 'row1';
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2318
          $vars['ROW_CLASS'] = $cls;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2319
          
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2320
          switch ( $response['current_perms'][$acl_type] )
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2321
          {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2322
            case AUTH_ALLOW:
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2323
              $vars['FIELD_ALLOW_CHECKED'] = 'checked="checked"';
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2324
              break;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2325
            case AUTH_WIKIMODE:
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2326
              $vars['FIELD_WIKIMODE_CHECKED'] = 'checked="checked"';
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2327
              break;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2328
            case AUTH_DISALLOW:
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2329
            default:
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2330
              $vars['FIELD_DISALLOW_CHECKED'] = 'checked="checked"';
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2331
              break;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2332
             case AUTH_DENY:
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2333
              $vars['FIELD_DENY_CHECKED'] = 'checked="checked"';
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2334
              break;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2335
          }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2336
          $vars['FIELD_NAME'] = 'data[perms][' . $acl_type . ']';
219
b1530b6a06d2 Failsafe ACL editor interface localized
Dan
parents: 218
diff changeset
  2337
          if ( preg_match('/^([a-z0-9_]+)$/', $response['acl_descs'][$acl_type]) )
b1530b6a06d2 Failsafe ACL editor interface localized
Dan
parents: 218
diff changeset
  2338
          {
b1530b6a06d2 Failsafe ACL editor interface localized
Dan
parents: 218
diff changeset
  2339
            $vars['FIELD_DESC'] = $lang->get($response['acl_descs'][$acl_type]);
b1530b6a06d2 Failsafe ACL editor interface localized
Dan
parents: 218
diff changeset
  2340
          }
b1530b6a06d2 Failsafe ACL editor interface localized
Dan
parents: 218
diff changeset
  2341
          else
b1530b6a06d2 Failsafe ACL editor interface localized
Dan
parents: 218
diff changeset
  2342
          {
b1530b6a06d2 Failsafe ACL editor interface localized
Dan
parents: 218
diff changeset
  2343
            $vars['FIELD_DESC'] = $response['acl_descs'][$acl_type];
b1530b6a06d2 Failsafe ACL editor interface localized
Dan
parents: 218
diff changeset
  2344
          }
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2345
          $parser->assign_vars($vars);
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2346
          echo $parser->run();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2347
        }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2348
        $parser = $template->makeParserText( $response['template']['acl_field_end'] );
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2349
        echo $parser->run();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2350
        echo '<div style="margin: 10px auto 0 0; text-align: right;">
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2351
                <input name="data[mode]" value="save_' . $response['type'] . '" type="hidden" />
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2352
                <input type="hidden" name="data[page_id]" value="'   . (( $response['page_id']   ) ? $response['page_id']   : 'false') . '" />
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2353
                <input type="hidden" name="data[namespace]" value="' . (( $response['namespace'] ) ? $response['namespace'] : 'false') . '" />
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2354
                <input type="hidden" name="data[target_type]" value="' . $response['target_type'] . '" />
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2355
                <input type="hidden" name="data[target_id]" value="' . $response['target_id'] . '" />
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2356
                <input type="hidden" name="data[target_name]" value="' . $response['target_name'] . '" />
219
b1530b6a06d2 Failsafe ACL editor interface localized
Dan
parents: 218
diff changeset
  2357
                ' . ( ( $response['type'] == 'edit' ) ? '<input type="submit" value="' . $lang->get('etc_save_changes') . '" />&nbsp;&nbsp;<input type="submit" name="data[act_delete_rule]" value="' . $lang->get('acl_btn_deleterule') . '" style="color: #AA0000;" onclick="return confirm(\'' . addslashes($lang->get('acl_msg_deleterule_confirm')) . '\');" />' : '<input type="submit" value="' . $lang->get('acl_btn_createrule') . '" />' ) . '
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2358
              </div>';
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2359
        echo $formend;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2360
        break;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2361
      case 'error':
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2362
        ob_end_clean();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2363
        die_friendly('Error occurred', '<p>Error returned by permissions API:</p><pre>' . htmlspecialchars($response['error']) . '</pre>');
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2364
        break;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2365
    }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2366
    $ret = ob_get_contents();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2367
    ob_end_clean();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2368
    echo
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2369
      $template->getHeader() .
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2370
      $ret .
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2371
      $template->getFooter();
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2372
  }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2373
  
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2374
  /**
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2375
   * Preprocessor to turn the form-submitted data from the ACL editor into something the backend can handle
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2376
   * @param array The posted data
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2377
   * @return array
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2378
   * @access private
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2379
   */
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2380
   
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2381
  function acl_preprocess($parms)
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2382
  {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2383
    if ( !isset($parms['mode']) )
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2384
      // Nothing to do
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2385
      return $parms;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2386
    switch ( $parms['mode'] )
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2387
    {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2388
      case 'seltarget':
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2389
        
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2390
        // Who's affected?
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2391
        $parms['target_type'] = intval( $parms['target_type'] );
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2392
        $parms['target_id'] = ( $parms['target_type'] == ACL_TYPE_GROUP ) ? $parms['target_id_grp'] : $parms['target_id_user'];
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2393
        
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2394
      case 'save_edit':
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2395
      case 'save_new':
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2396
        if ( isset($parms['act_delete_rule']) )
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2397
        {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2398
          $parms['mode'] = 'delete';
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2399
        }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2400
        
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2401
        // Scope (just this page or entire site?)
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2402
        if ( $parms['scope'] == 'entire_site' || ( $parms['page_id'] == 'false' && $parms['namespace'] == 'false' ) )
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2403
        {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2404
          $parms['page_id']   = false;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2405
          $parms['namespace'] = false;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2406
        }
103
a8891e108c95 Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
parents: 102
diff changeset
  2407
        else if ( $parms['scope'] == 'page_group' )
a8891e108c95 Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
parents: 102
diff changeset
  2408
        {
a8891e108c95 Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
parents: 102
diff changeset
  2409
          $parms['page_id'] = $parms['pg_id'];
a8891e108c95 Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
parents: 102
diff changeset
  2410
          $parms['namespace'] = '__PageGroup';
a8891e108c95 Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
parents: 102
diff changeset
  2411
        }
1
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2412
        
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2413
        break;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2414
    }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2415
    
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2416
    if ( isset($parms['act_go_stage1']) )
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2417
    {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2418
      $parms = array(
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2419
          'mode' => 'listgroups'
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2420
        );
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2421
    }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2422
    
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2423
    return $parms;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2424
  }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2425
  
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2426
  function acl_postprocess($response)
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2427
  {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2428
    if(!isset($response['mode']))
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2429
    {
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2430
      if ( isset($response['groups']) )
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2431
        $response['mode'] = 'stage1';
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2432
      else
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2433
        $response = Array(
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2434
            'mode' => 'error',
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2435
            'error' => 'Invalid action passed by API backend.',
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2436
          );
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2437
    }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2438
    return $response;
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2439
  }
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2440
   
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2441
}
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2442
fe660c52c48f Adding /includes
dan@scribus.fuhry.local.fuhry.local
parents:
diff changeset
  2443
?>