<?php
/*
* Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between
* Version 1.1.1
* Copyright (C) 2006-2007 Dan Fuhry
* pageutils.php - a class that handles raw page manipulations, used mostly by AJAX requests or their old-fashioned form-based counterparts
*
* This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied
* warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for details.
*/
class PageUtils {
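/**
 * Tell whether a username is already taken.
 *
 * The name may arrive in page-URL form: underscores are turned into spaces
 * and the result is percent-decoded before the lookup. The lookup is an
 * exact string match against users.username; whether that match is
 * case-sensitive depends on the table collation, which is not visible here.
 *
 * @param string $name the name to check for (may be in URL form)
 * @return string 'good' if no user has this name, 'bad' if it is taken
 */
function checkusername($name)
{
  global $db, $session, $paths, $template, $plugins; // Common objects

  // URL form -> display form, then undo percent-encoding. Escaping happens
  // after decoding so an encoded quote cannot slip past $db->escape().
  $name = rawurldecode(str_replace('_', ' ', $name));

  $q = $db->sql_query('SELECT username FROM ' . table_prefix . 'users WHERE username=\'' . $db->escape($name) . '\'');
  if ( !$q )
  {
    // Route the failure through the DB layer's handler like every other
    // query in this file, instead of echoing the raw driver error text
    // to the client.
    $db->_die('The username lookup query could not be run.');
  }

  $taken = ( $db->numrows() > 0 );
  $db->free_result();

  return $taken ? 'bad' : 'good';
}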
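/**
 * Get the wiki formatting source for a page.
 *
 * Checks, in order: the page must exist in $paths->pages; if it carries a
 * password (stored as a 40-character hash) the supplied $password must
 * match it exactly; the caller must hold the view_source permission
 * (which also implies read). Special and Admin pages have no stored
 * source and abort the request.
 *
 * @param string $page the full page id (Namespace:Pagename)
 * @param string|bool $password the page password hash to check, or false for none
 * @return string the HTML-escaped page source; '' if the page or its text
 *   row does not exist; 'invalid_password' or 'access_denied' otherwise
 */
function getsource($page, $password = false)
{
  global $db, $session, $paths, $template, $plugins; // Common objects

  if ( !isset($paths->pages[$page]) )
  {
    return '';
  }

  $page_data = $paths->pages[$page];

  // A stored 40-character hash means the page is password-protected;
  // anything else (including no entry at all) means it is not.
  if ( isset($page_data['password']) && strlen($page_data['password']) == 40 )
  {
    // Compare as strings with ===. A loose != compares two numeric-looking
    // strings numerically, so a stored hash of the form 0e<digits> would be
    // "equal" to any other zero-valued string. hash_equals() would also
    // remove the timing side channel, but needs PHP >= 5.6.
    if ( !is_string($password) || $password !== $page_data['password'] )
    {
      return 'invalid_password';
    }
  }

  // Dependencies handle this for us - this also checks for read privileges
  if ( !$session->get_permissions('view_source') )
  {
    return 'access_denied';
  }

  $pid = RenderMan::strToPageID($page);
  if ( $pid[1] == 'Special' || $pid[1] == 'Admin' )
  {
    die('This type of page (' . $paths->nslist[$pid[1]] . ') cannot be edited because the page source code is not stored in the database.');
  }

  // Both values derive from the requested page name; escape them like the
  // other string-built queries in this file rather than relying on the
  // name having been sanitised upstream.
  $e = $db->sql_query('SELECT page_text,char_tag FROM ' . table_prefix . 'page_text WHERE page_id=\'' . $db->escape($pid[0]) . '\' AND namespace=\'' . $db->escape($pid[1]) . '\'');
  if ( !$e )
  {
    $db->_die('The page text could not be selected.');
  }
  if ( $db->numrows() < 1 )
  {
    // No text row for a page that is in the index: treat as empty source.
    $db->free_result();
    return '';
  }

  $r = $db->fetchrow();
  $db->free_result();

  return htmlspecialchars($r['page_text']);
}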
/**
 * Basically a frontend to RenderMan::getPage(), with the ability to send valid data for nonexistent pages
 *
 * NOTE(review): the body opens with an unconditional die(), so everything
 * after it is unreachable. The comments below describe what that dead code
 * would do and what would need fixing before it could be revived.
 *
 * @param $page the full page id (Namespace:Pagename)
 * @param $send_headers true if the theme headers should be sent (still dependent on current page settings), false otherwise
 * @param $hist_id false for the current revision, otherwise the time_id of a logged edit to display instead
 * @return string the buffered output (rendered page, access-denied box, or 404 text)
 */

function getpage($page, $send_headers = false, $hist_id = false)
{
  die('PageUtils->getpage is deprecated.');
  global $db, $session, $paths, $template, $plugins; // Common objects
  // Everything rendered below is captured into the return value, not echoed.
  ob_start();
  $pid = RenderMan::strToPageID($page);
  //die('<pre>'.print_r($pid, true).'</pre>');
  // A 40-character stored password marks the page as password-protected.
  if(isset($paths->pages[$page]['password']) && strlen($paths->pages[$page]['password']) == 40)
  {
    password_prompt($page);
  }
  if(isset($paths->pages[$page]))
  {
    doStats($pid[0], $pid[1]);
  }
  if($paths->custom_page || $pid[1] == 'Special')
  {
    // If we don't have access to the page, get out and quick!
    // Login and Register stay reachable without the read permission.
    if(!$session->get_permissions('read') && $pid[0] != 'Login' && $pid[0] != 'Register')
    {
      $template->tpl_strings['PAGE_NAME'] = 'Access denied';

      if ( $send_headers )
      {
        $template->header();
      }

      echo '<div class="error-box"><b>Access to this page is denied.</b><br />This may be because you are not logged in or you have not met certain criteria for viewing this page.</div>';

      if ( $send_headers )
      {
        $template->footer();
      }

      $r = ob_get_contents();
      ob_end_clean();
      return $r;
    }
    // The page backend is a global function named after namespace and page.
    // NOTE(review): unlike the Admin branch below there is no
    // function_exists() check here, and the @ hides the failure when the
    // backend is missing, so a misregistered page silently renders empty.
    $fname = 'page_' . $pid[1] . '_' . $paths->pages[$page]['urlname_nons'];
    @call_user_func($fname);

  }
  else if ( $pid[1] == 'Admin' )
  {
    // If we don't have access to the page, get out and quick!
    if(!$session->get_permissions('read'))
    {
      $template->tpl_strings['PAGE_NAME'] = 'Access denied';
      if ( $send_headers )
      {
        $template->header();
      }
      echo '<div class="error-box"><b>Access to this page is denied.</b><br />This may be because you are not logged in or you have not met certain criteria for viewing this page.</div>';
      if ( $send_headers )
      {
        $template->footer();
      }
      $r = ob_get_contents();
      ob_end_clean();
      return $r;
    }
    $fname = 'page_' . $pid[1] . '_' . $pid[0];
    if ( !function_exists($fname) )
    {
      $title = 'Page backend not found';
      $message = "The administration page you are looking for was properly registered using the page API, but the backend function
(<tt>$fname</tt>) was not found. If this is a plugin page, then this is almost certainly a bug with the plugin.";
      // With headers requested die_friendly() ends the request; without
      // them the error is echoed and the (silenced) call below still runs.
      if ( $send_headers )
      {
        die_friendly($title, "<p>$message</p>");
      }
      else
      {
        echo "<h2>$title</h2>\n<p>$message</p>";
      }
    }
    @call_user_func($fname);
  }
  else if ( !isset( $paths->pages[$page] ) )
  {
    // Page does not exist: give plugins the first chance, then fall back to
    // the Page_not_found system message, then to the built-in 404 body.
    ob_start();
    // Hook bodies are PHP source evaluated in this scope (the plugin
    // convention used throughout Enano).
    $code = $plugins->setHook('page_not_found');
    foreach ( $code as $cmd )
    {
      eval($cmd);
    }
    $text = ob_get_contents();
    if ( $text != '' )
    {
      ob_end_clean();
      return $text;
    }
    $template->header();
    if($m = $paths->sysmsg('Page_not_found'))
    {
      // Rendered system message is executed as PHP (template convention).
      eval('?>'.RenderMan::render($m));
    }
    else
    {
      header('HTTP/1.1 404 Not Found');
      echo '<h3>There is no page with this title yet.</h3>
<p>You have requested a page that doesn\'t exist yet.';
      if($session->get_permissions('create_page')) echo ' You can <a href="'.makeUrl($paths->page, 'do=edit', true).'" onclick="ajaxEditor(); return false;">create this page</a>, or return to the <a href="'.makeUrl(getConfig('main_page')).'">homepage</a>.';
      else echo ' Return to the <a href="'.makeUrl(getConfig('main_page')).'">homepage</a>.</p>';
      if ( $session->get_permissions('history_rollback') )
      {
        // NOTE(review): $paths->page_id and $pid[1] are concatenated into
        // the query without $db->escape(); whether $paths already sanitises
        // them is not visible here, so escaping would be the safe default.
        $e = $db->sql_query('SELECT * FROM ' . table_prefix.'logs WHERE action=\'delete\' AND page_id=\'' . $paths->page_id . '\' AND namespace=\'' . $pid[1] . '\' ORDER BY time_id DESC;');
        if ( !$e )
        {
          $db->_die('The deletion log could not be selected.');
        }
        if ($db->numrows() > 0 )
        {
          $r = $db->fetchrow();
          // time_id is cast for the date but placed raw into the URL and the
          // onclick attribute; it comes from the logs table, presumably numeric.
          echo '<p>This page also appears to have some log entries in the database - it seems that it was deleted on ' . enano_date('d M Y h:i a', intval($r['time_id'])) . '. You can probably <a href="'.makeUrl($paths->page, 'do=rollback&id=' . $r['time_id']) . '" onclick="ajaxRollback(\'' . $r['time_id'] . '\'); return false;">roll back</a> the deletion.</p>';
        }
        $db->free_result();
      }
      echo '<p>
HTTP Error: 404 Not Found
</p>';
    }
    $template->footer();
  }
  else
  {

    // If we don't have access to the page, get out and quick!
    if(!$session->get_permissions('read'))
    {
      $template->tpl_strings['PAGE_NAME'] = 'Access denied';
      if($send_headers) $template->header();
      echo '<div class="error-box"><b>Access to this page is denied.</b><br />This may be because you are not logged in or you have not met certain criteria for viewing this page.</div>';
      if($send_headers) $template->footer();
      $r = ob_get_contents();
      ob_end_clean();
      return $r;
    }

    // Plugins may take over rendering entirely; any output from the hook
    // is returned as-is.
    ob_start();
    $code = $plugins->setHook('page_custom_handler');
    foreach ( $code as $cmd )
    {
      eval($cmd);
    }
    $text = ob_get_contents();
    if ( $text != '' )
    {
      ob_end_clean();
      return $text;
    }
    if ( $hist_id )
    {
      // NOTE(review): $hist_id is interpolated after $db->escape() but
      // without surrounding quotes; escape() only neutralises quote
      // characters, so a non-numeric value would reach the query as raw
      // SQL. intval($hist_id) on entry is the usual guard and would also
      // cover the URL/onclick uses below. The query result is also not
      // checked for failure before numrows(), unlike the other queries in
      // this file.
      $e = $db->sql_query('SELECT page_text,date_string,char_tag FROM ' . table_prefix.'logs WHERE page_id=\'' . $paths->pages[$page]['urlname_nons'] . '\' AND namespace=\'' . $pid[1] . '\' AND log_type=\'page\' AND action=\'edit\' AND time_id=' . $db->escape($hist_id) . '');
      if($db->numrows() < 1)
      {
        $db->_die('There were no rows in the text table that matched the page text query.');
      }
      $r = $db->fetchrow();
      $db->free_result();
      // NOTE(review): time_id is not in the SELECT list above, so
      // $r['time_id'] is undefined here and the archive date shown is the
      // epoch; the query should select time_id (or reuse $hist_id).
      $message = '<div class="info-box" style="margin-left: 0; margin-top: 5px;"><b>Notice:</b><br />The page you are viewing was archived on ' . enano_date('d M Y h:i a', intval($r['time_id'])) . '.<br /><a href="'.makeUrl($page).'" onclick="ajaxReset(); return false;">View current version</a> | <a href="'.makeUrl($page, 'do=rollback&id=' . $hist_id) . '" onclick="ajaxRollback(\'' . $hist_id . '\')">Restore this version</a></div><br />'.RenderMan::render($r['page_text']);

      if( !$paths->pages[$page]['special'] )
      {
        if($send_headers)
        {
          $template->header();
        }
        display_page_headers();
      }
      // Rendered page text is executed as PHP: the renderer emits PHP, so
      // whatever preprocess_text() let through at save time (it is
      // permission-dependent, see savepage) runs here with the web
      // server's privileges.
      eval('?>' . $message);

      if( !$paths->pages[$page]['special'] )
      {
        display_page_footers();
        if($send_headers)
        {
          $template->footer();
        }
      }

    } else {
      if(!$paths->pages[$page]['special'])
      {
        $message = RenderMan::getPage($paths->pages[$page]['urlname_nons'], $pid[1]);
      }
      else
      {
        $message = RenderMan::getPage($paths->pages[$page]['urlname_nons'], $pid[1], 0, false, false, false, false);
      }
      // This line is used to debug wikiformatted code
      // die('<pre>'.htmlspecialchars($message).'</pre>');

      if( !$paths->pages[$page]['special'] )
      {
        if($send_headers)
        {
          $template->header();
        }
        display_page_headers();
      }

      // This is it, this is what all of Enano has been working up to...
      // Same caveat as above: the rendered page is evaluated as PHP source.
      eval('?>' . $message);

      if( !$paths->pages[$page]['special'] )
      {
        display_page_footers();
        if($send_headers)
        {
          $template->footer();
        }
      }
    }
  }
  $ret = ob_get_contents();
  ob_end_clean();
  return $ret;
}
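/**
 * Writes page data to the database, after verifying permissions and running the XSS filter.
 *
 * Steps, in order: require the edit_page permission; create the page if it
 * is not in the index yet (createPage performs its own create_page and
 * namespace checks); enforce page protection unless the caller holds
 * even_when_protected; run the text through RenderMan::preprocess_text();
 * insert a history row into the logs table; update the stored text; rebuild
 * the page index.
 *
 * Protection levels: protected == 1 is full protection; protected == 2 is
 * semi-protection, which logged-in users whose account is at least four
 * days old may edit.
 *
 * @param string $page_id the page ID (URL name without the namespace prefix)
 * @param string $namespace the namespace
 * @param string $message the text to save
 * @param string $summary edit summary; HTML-escaped before storage
 * @param bool $minor whether to flag the edit as minor
 * @return string 'good' on success, otherwise a human-readable error message
 */
function savepage($page_id, $namespace, $message, $summary = 'No edit summary given', $minor = false)
{
  global $db, $session, $paths, $template, $plugins; // Common objects

  // char_tag ties the history row to the text row; it only needs to be
  // unique per save, it is not a secret.
  $uid = sha1(microtime());
  // Unknown namespaces are rejected by createPage below; avoid the notice here.
  $ns_prefix = isset($paths->nslist[$namespace]) ? $paths->nslist[$namespace] : '';
  $pname = $ns_prefix . $page_id;

  if ( !$session->get_permissions('edit_page') )
  {
    return 'Access to edit pages is denied.';
  }

  if ( !isset($paths->pages[$pname]) )
  {
    $create = PageUtils::createPage($page_id, $namespace);
    if ( $create != 'good' )
    {
      return 'The page did not exist, and I was not able to create it. The reported error was: ' . $create;
    }
    $paths->page_exists = true;
  }

  // Check page protection
  $page_data =& $paths->pages[$pname];
  $protection = isset($page_data['protected']) ? intval($page_data['protected']) : 0;
  $is_protected = false;
  if ( $protection == 2 )
  {
    // Page is semi-protected. Has the user been here for at least 4 days?
    // 345600 seconds = 4 days
    $is_protected = !( $session->user_logged_in && ( $session->reg_time + 345600 ) <= time() );
  }
  else if ( $protection == 1 )
  {
    // Full protection.
    $is_protected = true;
  }

  // If it's protected and we DON'T have even_when_protected rights, bail out
  if ( $is_protected && !$session->get_permissions('even_when_protected') )
  {
    return 'You don\'t have the necessary permissions to edit this page.';
  }

  // We're skipping the wiki mode check here because by default edit_page pemissions are AUTH_WIKIMODE.
  // The exception here is the user's own userpage, which is overridden at the time of account creation.
  // At that point it's set to AUTH_ALLOW, but obviously only for the user's own userpage.

  // Strip potentially harmful tags and PHP from the message, dependent upon permissions settings
  $message = RenderMan::preprocess_text($message, false, false);

  // Escape every interpolated value; page id, namespace and author were
  // previously concatenated raw into both statements below.
  $msg = $db->escape($message);
  $page_id_sql = $db->escape($page_id);
  $namespace_sql = $db->escape($namespace);
  $author_sql = $db->escape($session->username);
  $summary_sql = $db->escape(htmlspecialchars($summary));
  $minor = $minor ? ENANO_SQL_BOOLEAN_TRUE : ENANO_SQL_BOOLEAN_FALSE;

  // The history row is keyed by the page being saved ($page_id/$namespace),
  // the same key the UPDATE below uses, rather than by $paths->page_id /
  // $paths->namespace (the page of the current request). The two only
  // coincide when the caller saves the page it is viewing.
  $q = 'INSERT INTO ' . table_prefix . 'logs(log_type,action,time_id,date_string,page_id,namespace,page_text,char_tag,author,edit_summary,minor_edit) VALUES(\'page\', \'edit\', ' . time() . ', \'' . enano_date('d M Y h:i a') . '\', \'' . $page_id_sql . '\', \'' . $namespace_sql . '\', ' . ENANO_SQL_MULTISTRING_PRFIX . '\'' . $msg . '\', \'' . $uid . '\', \'' . $author_sql . '\', \'' . $summary_sql . '\', ' . $minor . ');';
  if ( !$db->sql_query($q) )
  {
    $db->_die('The history (log) entry could not be inserted into the logs table.');
  }

  $q = 'UPDATE ' . table_prefix . 'page_text SET page_text=' . ENANO_SQL_MULTISTRING_PRFIX . '\'' . $msg . '\',char_tag=\'' . $uid . '\' WHERE page_id=\'' . $page_id_sql . '\' AND namespace=\'' . $namespace_sql . '\';';
  if ( !$db->sql_query($q) )
  {
    $db->_die('Enano was unable to save the page contents. Your changes have been lost <tt>:\'(</tt>.');
  }

  $paths->rebuild_page_index($page_id, $namespace);

  return 'good';
}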
/**
+ − 396
* Creates a page, both in memory and in the database.
+ − 397
* @param string $page_id
+ − 398
* @param string $namespace
+ − 399
* @return bool true on success, false on failure
+ − 400
*/
function createPage($page_id, $namespace, $name = false, $visible = 1)
{
global $db, $session, $paths, $template, $plugins; // Common objects
if(in_array($namespace, Array('Special', 'Admin')))
{
// echo '<b>Notice:</b> PageUtils::createPage: You can\'t create a special page in the database<br />';
return 'You can\'t create a special page in the database';
}
if(!isset($paths->nslist[$namespace]))
{
// echo '<b>Notice:</b> PageUtils::createPage: Couldn\'t look up the namespace<br />';
return 'Couldn\'t look up the namespace';
}
$pname = $paths->nslist[$namespace] . $page_id;
if(isset($paths->pages[$pname]))
{
// echo '<b>Notice:</b> PageUtils::createPage: Page already exists<br />';
return 'Page already exists';
}
if(!$session->get_permissions('create_page'))
{
// echo '<b>Notice:</b> PageUtils::createPage: Not authorized to create pages<br />';
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 427
return 'Not authorized to create pages';
1
+ − 428
}
+ − 429
+ − 430
if($session->user_level < USER_LEVEL_ADMIN && $namespace == 'System')
+ − 431
{
+ − 432
// echo '<b>Notice:</b> PageUtils::createPage: Not authorized to create system messages<br />';
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 433
return 'Not authorized to create system messages';
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 434
}
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 435
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 436
if ( substr($page_id, 0, 8) == 'Project:' )
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 437
{
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 438
// echo '<b>Notice:</b> PageUtils::createPage: Prefix "Project:" is reserved<br />';
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 439
return 'The prefix "Project:" is reserved for a parser shortcut; if a page was created using this prefix, it would not be possible to link to it.';
1
+ − 440
}
+ − 441
21
663fcf528726
Updated all version numbers back to Banshee; a few preliminary steps towards full UTF-8 support in page URLs
Dan
diff
changeset
+ − 442
$page_id = dirtify_page_id($page_id);
663fcf528726
Updated all version numbers back to Banshee; a few preliminary steps towards full UTF-8 support in page URLs
Dan
diff
changeset
+ − 443
1
+ − 444
if ( !$name )
+ − 445
$name = str_replace('_', ' ', $page_id);
+ − 446
$regex = '#^([A-z0-9 _\-\.\/\!\@\(\)]*)$#is';
320
112debff64bd
SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
Dan
diff
changeset
+ − 447
if(!preg_match($regex, $name))
1
+ − 448
{
+ − 449
//echo '<b>Notice:</b> PageUtils::createPage: Name contains invalid characters<br />';
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 450
return 'Name contains invalid characters';
1
+ − 451
}
+ − 452
21
663fcf528726
Updated all version numbers back to Banshee; a few preliminary steps towards full UTF-8 support in page URLs
Dan
diff
changeset
+ − 453
$page_id = sanitize_page_id( $page_id );
663fcf528726
Updated all version numbers back to Banshee; a few preliminary steps towards full UTF-8 support in page URLs
Dan
diff
changeset
+ − 454
1
+ − 455
$prot = ( $namespace == 'System' ) ? 1 : 0;
+ − 456
112
+ − 457
$ips = array(
+ − 458
'ip' => array(),
+ − 459
'u' => array()
+ − 460
);
+ − 461
21
663fcf528726
Updated all version numbers back to Banshee; a few preliminary steps towards full UTF-8 support in page URLs
Dan
diff
changeset
+ − 462
$page_data = Array(
1
+ − 463
'name'=>$name,
21
663fcf528726
Updated all version numbers back to Banshee; a few preliminary steps towards full UTF-8 support in page URLs
Dan
diff
changeset
+ − 464
'urlname'=>$page_id,
1
+ − 465
'namespace'=>$namespace,
112
+ − 466
'special'=>0,'visible'=>1,'comments_on'=>0,'protected'=>$prot,'delvotes'=>0,'delvote_ips'=>serialize($ips),'wiki_mode'=>2,
21
663fcf528726
Updated all version numbers back to Banshee; a few preliminary steps towards full UTF-8 support in page URLs
Dan
diff
changeset
+ − 467
);
663fcf528726
Updated all version numbers back to Banshee; a few preliminary steps towards full UTF-8 support in page URLs
Dan
diff
changeset
+ − 468
663fcf528726
Updated all version numbers back to Banshee; a few preliminary steps towards full UTF-8 support in page URLs
Dan
diff
changeset
+ − 469
// die('PageUtils::createpage: Creating page with this data:<pre>' . print_r($page_data, true) . '</pre>');
1
+ − 470
21
663fcf528726
Updated all version numbers back to Banshee; a few preliminary steps towards full UTF-8 support in page URLs
Dan
diff
changeset
+ − 471
$paths->add_page($page_data);
663fcf528726
Updated all version numbers back to Banshee; a few preliminary steps towards full UTF-8 support in page URLs
Dan
diff
changeset
+ − 472
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 473
$qa = $db->sql_query('INSERT INTO ' . table_prefix.'pages(name,urlname,namespace,visible,protected,delvote_ips) VALUES(\'' . $db->escape($name) . '\', \'' . $db->escape($page_id) . '\', \'' . $namespace . '\', '. ( $visible ? '1' : '0' ) .', ' . $prot . ', \'' . $db->escape(serialize($ips)) . '\');');
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 474
$qb = $db->sql_query('INSERT INTO ' . table_prefix.'page_text(page_id,namespace) VALUES(\'' . $db->escape($page_id) . '\', \'' . $namespace . '\');');
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 475
$qc = $db->sql_query('INSERT INTO ' . table_prefix.'logs(time_id,date_string,log_type,action,author,page_id,namespace) VALUES('.time().', \''.enano_date('d M Y h:i a').'\', \'page\', \'create\', \'' . $session->username . '\', \'' . $db->escape($page_id) . '\', \'' . $namespace . '\');');
1
+ − 476
+ − 477
if($qa && $qb && $qc)
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 478
return 'good';
1
+ − 479
else
+ − 480
{
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 481
return $db->get_error();
1
+ − 482
}
+ − 483
}
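/**
 * Sets the protection level on a page.
 *
 * Writes a log entry (action 'unprot', 'prot' or 'semiprot') and then updates
 * the protected column in the pages table. The cached copy in $paths->pages
 * is NOT refreshed here, so code that keeps rendering in the same request
 * should not rely on $paths->pages[...]['protected'] reflecting the change.
 *
 * @param string $page_id   the page URL-name
 * @param string $namespace the namespace key; must exist in $paths->nslist
 * @param int    $level     level of protection - 0 is off, 1 is full, 2 is semi
 * @param string $reason    why the page is being (un)protected; stored
 *                          HTML-escaped, and printed raw by histlist()
 * @return string "good" on success; in all other cases an error string (on
 *                query failure, calls $db->_die(), which does not return)
 */
function protect($page_id, $namespace, $level, $reason)
{
  global $db, $session, $paths, $template, $plugins; // Common objects

  // NOTE(review): get_permissions() appears to be evaluated in the current
  // request's ACL context rather than for ($page_id, $namespace) — confirm
  // this is intended when the target differs from the page being viewed.
  if ( !$session->get_permissions('protect') )
  {
    return('Insufficient access rights');
  }

  // The namespace is needed for the page-cache key and is interpolated into
  // SQL below; refuse anything that is not a known key.
  if ( !isset($paths->nslist[$namespace]) )
  {
    return('Couldn\'t look up the namespace');
  }

  $pname = $paths->nslist[$namespace] . $page_id;
  if ( !isset($paths->pages[$pname]) )
  {
    return('Page does not exist');
  }
  $page = $paths->pages[$pname];

  // Protection only means anything when the page is editable by the public,
  // i.e. wiki mode is on for this page (explicitly, or via the global default)
  $wiki = ( ( $page['wiki_mode'] == 2 && getConfig('wiki_mode') == '1' ) || $page['wiki_mode'] == 1 ) ? true : false;
  if ( !$wiki )
  {
    return('Page protection only has an effect when Wiki Mode is enabled.');
  }

  // $level is interpolated into the UPDATE unquoted: it must be a plain
  // non-negative integer (D modifier: no trailing newline allowed either)
  if ( !preg_match('#^([0-9]+)$#D', (string)$level) )
  {
    return('Invalid $level parameter.');
  }
  $level = intval($level);

  // Map the level onto the log action name; anything else is rejected
  switch ( $level )
  {
    case 0:
      $action = 'unprot';
      break;
    case 1:
      $action = 'prot';
      break;
    case 2:
      $action = 'semiprot';
      break;
    default:
      return 'PageUtils::protect(): Invalid value for $level';
  }

  // Escape everything that goes into the queries. $page_id and $namespace have
  // been matched against the page index, but escaping them removes the
  // reliance on how that index was populated.
  $page_id_db = $db->escape($page_id);
  $ns_db = $db->escape($namespace);
  $author_db = $db->escape($session->username);
  // The reason is HTML-escaped at insert time (histlist() prints it as-is)
  $reason_db = $db->escape(htmlspecialchars($reason));

  $q = 'INSERT INTO ' . table_prefix.'logs(time_id,date_string,log_type,action,author,page_id,namespace,edit_summary) VALUES('.time().', \''.enano_date('d M Y h:i a').'\', \'page\', \'' . $action . '\', \'' . $author_db . '\', \'' . $page_id_db . '\', \'' . $ns_db . '\', \'' . $reason_db . '\');';
  if ( !$db->sql_query($q) )
  {
    $db->_die('The log entry for the page protection could not be inserted.');
  }

  $q = $db->sql_query('UPDATE ' . table_prefix.'pages SET protected=' . $level . ' WHERE urlname=\'' . $page_id_db . '\' AND namespace=\'' . $ns_db . '\';');
  if ( !$q )
  {
    $db->_die('The pages table was not updated.');
  }

  return('good');
}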
/**
+ − 541
* Generates an HTML table with history information in it.
+ − 542
* @param $page_id the page ID
+ − 543
* @param $namespace the namespace
+ − 544
* @return string
+ − 545
*/
+ − 546
+ − 547
function histlist($page_id, $namespace)
+ − 548
{
+ − 549
global $db, $session, $paths, $template, $plugins; // Common objects
213
+ − 550
global $lang;
1
+ − 551
+ − 552
if(!$session->get_permissions('history_view'))
+ − 553
return 'Access denied';
+ − 554
+ − 555
ob_start();
+ − 556
+ − 557
$pname = $paths->nslist[$namespace] . $page_id;
+ − 558
$wiki = ( ( $paths->pages[$pname]['wiki_mode'] == 2 && getConfig('wiki_mode') == '1') || $paths->pages[$pname]['wiki_mode'] == 1) ? true : false;
+ − 559
$prot = ( ( $paths->pages[$pname]['protected'] == 2 && $session->user_logged_in && $session->reg_time + 60*60*24*4 < time() ) || $paths->pages[$pname]['protected'] == 1) ? true : false;
+ − 560
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 561
$q = 'SELECT time_id,date_string,page_id,namespace,author,edit_summary,minor_edit FROM ' . table_prefix.'logs WHERE log_type=\'page\' AND action=\'edit\' AND page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' ORDER BY time_id DESC;';
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 562
if(!$db->sql_query($q)) $db->_die('The history data for the page "' . $paths->cpage['name'] . '" could not be selected.');
213
+ − 563
echo $lang->get('history_page_subtitle') . '
+ − 564
<h3>' . $lang->get('history_heading_edits') . '</h3>';
1
+ − 565
$numrows = $db->numrows();
213
+ − 566
if ( $numrows < 1 )
+ − 567
{
+ − 568
echo $lang->get('history_no_entries');
+ − 569
}
1
+ − 570
else
+ − 571
{
+ − 572
echo '<form action="'.makeUrlNS($namespace, $page_id, 'do=diff').'" onsubmit="ajaxHistDiff(); return false;" method="get">
213
+ − 573
<input type="submit" value="' . $lang->get('history_btn_compare') . '" />
115
261f367623af
Fixed the obnoxious issue with forms using GET and index.php?title=Foo URL scheme (this works a whole lot better than MediaWiki now
Dan
diff
changeset
+ − 574
' . ( urlSeparator == '&' ? '<input type="hidden" name="title" value="' . htmlspecialchars($paths->nslist[$namespace] . $page_id) . '" />' : '' ) . '
261f367623af
Fixed the obnoxious issue with forms using GET and index.php?title=Foo URL scheme (this works a whole lot better than MediaWiki now
Dan
diff
changeset
+ − 575
' . ( $session->sid_super ? '<input type="hidden" name="auth" value="' . $session->sid_super . '" />' : '') . '
261f367623af
Fixed the obnoxious issue with forms using GET and index.php?title=Foo URL scheme (this works a whole lot better than MediaWiki now
Dan
diff
changeset
+ − 576
<input type="hidden" name="do" value="diff" />
1
+ − 577
<br /><span> </span>
+ − 578
<div class="tblholder">
+ − 579
<table border="0" width="100%" cellspacing="1" cellpadding="4">
+ − 580
<tr>
213
+ − 581
<th colspan="2">' . $lang->get('history_col_diff') . '</th>
+ − 582
<th>' . $lang->get('history_col_datetime') . '</th>
+ − 583
<th>' . $lang->get('history_col_user') . '</th>
+ − 584
<th>' . $lang->get('history_col_summary') . '</th>
+ − 585
<th>' . $lang->get('history_col_minor') . '</th>
+ − 586
<th colspan="3">' . $lang->get('history_col_actions') . '</th>
1
+ − 587
</tr>'."\n"."\n";
+ − 588
$cls = 'row2';
+ − 589
$ticker = 0;
+ − 590
213
+ − 591
while ( $r = $db->fetchrow() )
+ − 592
{
1
+ − 593
+ − 594
$ticker++;
+ − 595
+ − 596
if($cls == 'row2') $cls = 'row1';
+ − 597
else $cls = 'row2';
+ − 598
+ − 599
echo '<tr>'."\n";
+ − 600
+ − 601
// Diff selection
+ − 602
if($ticker == 1)
+ − 603
{
+ − 604
$s1 = '';
+ − 605
$s2 = 'checked="checked" ';
+ − 606
}
+ − 607
elseif($ticker == 2)
+ − 608
{
+ − 609
$s1 = 'checked="checked" ';
+ − 610
$s2 = '';
+ − 611
}
+ − 612
else
+ − 613
{
+ − 614
$s1 = '';
+ − 615
$s2 = '';
+ − 616
}
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 617
if($ticker > 1) echo '<td class="' . $cls . '" style="padding: 0;"><input ' . $s1 . 'name="diff1" type="radio" value="' . $r['time_id'] . '" id="diff1_' . $r['time_id'] . '" class="clsDiff1Radio" onclick="selectDiff1Button(this);" /></td>'."\n"; else echo '<td class="' . $cls . '"></td>';
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 618
if($ticker < $numrows) echo '<td class="' . $cls . '" style="padding: 0;"><input ' . $s2 . 'name="diff2" type="radio" value="' . $r['time_id'] . '" id="diff2_' . $r['time_id'] . '" class="clsDiff2Radio" onclick="selectDiff2Button(this);" /></td>'."\n"; else echo '<td class="' . $cls . '"></td>';
1
+ − 619
+ − 620
// Date and time
351
+ − 621
echo '<td class="' . $cls . '">' . enano_date('d M Y h:i a', intval($r['time_id'])) . '</td class="' . $cls . '">'."\n";
1
+ − 622
+ − 623
// User
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 624
if ( $session->get_permissions('mod_misc') && is_valid_ip($r['author']) )
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 625
{
213
+ − 626
$rc = ' style="cursor: pointer;" title="' . $lang->get('history_tip_rdns') . '" onclick="ajaxReverseDNS(this, \'' . $r['author'] . '\');"';
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 627
}
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 628
else
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 629
{
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 630
$rc = '';
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 631
}
285
7846d45bd250
Changed all urlname/page_id columns to varchar(255) because 63 characters just isn't long enough
Dan
diff
changeset
+ − 632
echo '<td class="' . $cls . '"' . $rc . '><a href="'.makeUrlNS('User', sanitize_page_id($r['author'])).'" ';
7846d45bd250
Changed all urlname/page_id columns to varchar(255) because 63 characters just isn't long enough
Dan
diff
changeset
+ − 633
if ( !isPage($paths->nslist['User'] . sanitize_page_id($r['author'])) )
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 634
{
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 635
echo 'class="wikilink-nonexistent"';
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 636
}
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 637
echo '>' . $r['author'] . '</a></td class="' . $cls . '">'."\n";
1
+ − 638
+ − 639
// Edit summary
213
+ − 640
if ( $r['edit_summary'] == 'Automatic backup created when logs were purged' )
+ − 641
{
+ − 642
$r['edit_summary'] = $lang->get('history_summary_clearlogs');
+ − 643
}
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 644
echo '<td class="' . $cls . '">' . $r['edit_summary'] . '</td>'."\n";
1
+ − 645
+ − 646
// Minor edit
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 647
echo '<td class="' . $cls . '" style="text-align: center;">'. (( $r['minor_edit'] ) ? 'M' : '' ) .'</td>'."\n";
1
+ − 648
+ − 649
// Actions!
213
+ − 650
echo '<td class="' . $cls . '" style="text-align: center;"><a href="'.makeUrlNS($namespace, $page_id, 'oldid=' . $r['time_id']) . '" onclick="ajaxHistView(\'' . $r['time_id'] . '\'); return false;">' . $lang->get('history_action_view') . '</a></td>'."\n";
+ − 651
echo '<td class="' . $cls . '" style="text-align: center;"><a href="'.makeUrl($paths->nslist['Special'].'Contributions/' . $r['author']) . '">' . $lang->get('history_action_contrib') . '</a></td>'."\n";
+ − 652
echo '<td class="' . $cls . '" style="text-align: center;"><a href="'.makeUrlNS($namespace, $page_id, 'do=rollback&id=' . $r['time_id']) . '" onclick="ajaxRollback(\'' . $r['time_id'] . '\'); return false;">' . $lang->get('history_action_restore') . '</a></td>'."\n";
1
+ − 653
+ − 654
echo '</tr>'."\n"."\n";
+ − 655
+ − 656
}
+ − 657
echo '</table>
+ − 658
</div>
+ − 659
<br />
+ − 660
<input type="hidden" name="do" value="diff" />
213
+ − 661
<input type="submit" value="' . $lang->get('history_btn_compare') . '" />
1
+ − 662
</form>
57
b354deeaa4c4
Vastly improved compatibility with older versions of IE, particularly 5.0, through the use of a kill switch that turns off all AJAX functions
Dan
diff
changeset
+ − 663
<script type="text/javascript">if ( !KILL_SWITCH ) { buildDiffList(); }</script>';
1
+ − 664
}
+ − 665
$db->free_result();
213
+ − 666
echo '<h3>' . $lang->get('history_heading_other') . '</h3>';
322
+ − 667
$q = 'SELECT time_id,action,date_string,page_id,namespace,author,edit_summary,minor_edit FROM ' . table_prefix.'logs WHERE log_type=\'page\' AND action!=\'edit\' AND page_id=\'' . $paths->page_id . '\' AND namespace=\'' . $paths->namespace . '\' ORDER BY time_id DESC;';
213
+ − 668
if ( !$db->sql_query($q) )
+ − 669
{
+ − 670
$db->_die('The history data for the page "' . htmlspecialchars($paths->cpage['name']) . '" could not be selected.');
+ − 671
}
+ − 672
if ( $db->numrows() < 1 )
+ − 673
{
+ − 674
echo $lang->get('history_no_entries');
+ − 675
}
+ − 676
else
+ − 677
{
1
+ − 678
213
+ − 679
echo '<div class="tblholder">
+ − 680
<table border="0" width="100%" cellspacing="1" cellpadding="4"><tr>
+ − 681
<th>' . $lang->get('history_col_datetime') . '</th>
+ − 682
<th>' . $lang->get('history_col_user') . '</th>
+ − 683
<th>' . $lang->get('history_col_minor') . '</th>
+ − 684
<th>' . $lang->get('history_col_action_taken') . '</th>
+ − 685
<th>' . $lang->get('history_col_extra') . '</th>
+ − 686
<th colspan="2"></th>
+ − 687
</tr>';
1
+ − 688
$cls = 'row2';
+ − 689
while($r = $db->fetchrow()) {
+ − 690
+ − 691
if($cls == 'row2') $cls = 'row1';
+ − 692
else $cls = 'row2';
+ − 693
+ − 694
echo '<tr>';
+ − 695
+ − 696
// Date and time
351
+ − 697
echo '<td class="' . $cls . '">' . enano_date('d M Y h:i a', intval($r['time_id'])) . '</td class="' . $cls . '">';
1
+ − 698
+ − 699
// User
285
7846d45bd250
Changed all urlname/page_id columns to varchar(255) because 63 characters just isn't long enough
Dan
diff
changeset
+ − 700
echo '<td class="' . $cls . '"><a href="'.makeUrlNS('User', sanitize_page_id($r['author'])).'" ';
7846d45bd250
Changed all urlname/page_id columns to varchar(255) because 63 characters just isn't long enough
Dan
diff
changeset
+ − 701
if(!isPage($paths->nslist['User'] . sanitize_page_id($r['author']))) echo 'class="wikilink-nonexistent"';
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 702
echo '>' . $r['author'] . '</a></td class="' . $cls . '">';
1
+ − 703
+ − 704
+ − 705
// Minor edit
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 706
echo '<td class="' . $cls . '" style="text-align: center;">'. (( $r['minor_edit'] ) ? 'M' : '' ) .'</td>';
1
+ − 707
+ − 708
// Action taken
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 709
echo '<td class="' . $cls . '">';
81
d7fc25acd3f3
Replaced the menu in the admin theme with something much more visually pleasureable; minor fix in Special:UploadFile; finished patching a couple of XSS problems from Banshee; finished Admin:PageGroups; removed unneeded code in flyin.js; finished tag system (except tag cloud); 1.0.1 release candidate
Dan
diff
changeset
+ − 710
// Some of these are sanitized at insert-time. Others follow the newer Enano policy of stripping HTML at runtime.
213
+ − 711
if ($r['action']=='prot') echo $lang->get('history_log_protect') . '</td><td class="' . $cls . '">' . $lang->get('history_extra_reason') . ' ' . $r['edit_summary'];
+ − 712
elseif($r['action']=='unprot') echo $lang->get('history_log_unprotect') . '</td><td class="' . $cls . '">' . $lang->get('history_extra_reason') . ' ' . $r['edit_summary'];
+ − 713
elseif($r['action']=='semiprot') echo $lang->get('history_log_semiprotect') . '</td><td class="' . $cls . '">' . $lang->get('history_extra_reason') . ' ' . $r['edit_summary'];
+ − 714
elseif($r['action']=='rename') echo $lang->get('history_log_rename') . '</td><td class="' . $cls . '">' . $lang->get('history_extra_oldtitle') . ' '.htmlspecialchars($r['edit_summary']);
+ − 715
elseif($r['action']=='create') echo $lang->get('history_log_create') . '</td><td class="' . $cls . '">';
+ − 716
elseif($r['action']=='delete') echo $lang->get('history_log_delete') . '</td><td class="' . $cls . '">' . $lang->get('history_extra_reason') . ' ' . $r['edit_summary'];
+ − 717
elseif($r['action']=='reupload') echo $lang->get('history_log_uploadnew') . '</td><td class="' . $cls . '">' . $lang->get('history_extra_reason') . ' '.htmlspecialchars($r['edit_summary']);
1
+ − 718
echo '</td>';
+ − 719
+ − 720
// Actions!
echo '<td class="' . $cls . '" style="text-align: center;"><a href="'.makeUrl($paths->nslist['Special'].'Contributions/' . $r['author']) . '">' . $lang->get('history_action_contrib') . '</a></td>';
echo '<td class="' . $cls . '" style="text-align: center;"><a href="'.makeUrlNS($namespace, $page_id, 'do=rollback&id=' . $r['time_id']) . '" onclick="ajaxRollback(\'' . $r['time_id'] . '\'); return false;">' . $lang->get('history_action_revert') . '</a></td>';
echo '</tr>';
}
echo '</table></div>';
}
$db->free_result();
$ret = ob_get_contents();
ob_end_clean();
return $ret;
}
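/**
 * Rolls back a logged action.
 *
 * Access is gated twice: the site-wide history_rollback permission admits the
 * caller to the method at all, and the ACL of the affected page (or, when the
 * log entry is not tied to an existing page, the session itself) must grant
 * the permission that matches the action being undone. Every column read from
 * the logs row is passed through $db->escape() before it is placed in SQL,
 * because nothing here can assume that logged values are safe to interpolate.
 *
 * @param $id the time ID, a.k.a. the primary key in the logs table
 * @return string a status message for the caller; failures are reported as
 *                text rather than thrown, and $db->_die() is used only when
 *                the initial lookup query itself fails
 */

function rollback($id)
{
  global $db, $session, $paths, $template, $plugins; // Common objects

  if ( !$session->get_permissions('history_rollback') )
  {
    return('You are not authorized to perform rollbacks.');
  }
  if ( !preg_match('#^([0-9]+)$#', (string)$id) )
  {
    return('The value "id" on the query string must be an integer.');
  }
  // Digits-only is verified above; the cast lets $id be interpolated as a bare
  // integer in every query below.
  $id = intval($id);

  $e = $db->sql_query('SELECT log_type,action,date_string,page_id,namespace,page_text,char_tag,author,edit_summary FROM ' . table_prefix.'logs WHERE time_id=' . $id . ';');
  if ( !$e )
  {
    $db->_die('The rollback data could not be selected.');
  }
  $rb = $db->fetchrow();
  $db->free_result();
  if ( !$rb )
  {
    // fetchrow() yields false when nothing matched; indexing into it would
    // otherwise silently produce empty strings for every column.
    return('No log entry exists with the ID "' . $id . '".');
  }

  // Escaped copies of the page identifiers; all SQL below uses these rather
  // than the raw row values.
  $page_id_db = $db->escape($rb['page_id']);
  $namespace_db = $db->escape($rb['namespace']);
  // $id is the log's time_id, so it is also the timestamp the messages quote.
  // (The SELECT above does not fetch time_id, so $rb['time_id'] is never set.)
  $when = enano_date('d M Y h:i a', $id);
  $sql_error = "An error occurred during the rollback operation.\nMySQL said: ";

  $pagedata = null;
  if ( $rb['log_type'] == 'page' && $rb['action'] != 'delete' )
  {
    $pagekey = $paths->nslist[$rb['namespace']] . $rb['page_id'];
    if ( !isset($paths->pages[$pagekey]) )
    {
      return "Page doesn't exist";
    }
    $pagedata =& $paths->pages[$pagekey];
    // Special case: is the page protected? if so, check for even_when_protected permissions
    if ( $pagedata['protected'] == 2 )
    {
      // Semi-protection: accounts registered more than four days ago are
      // treated as if the page were unprotected.
      $established = $session->user_logged_in && $session->reg_time + 60*60*24*4 < time();
      $protected = !$established;
    }
    else
    {
      $protected = ( $pagedata['protected'] == 1 );
    }

    $perms = $session->fetch_page_acl($rb['page_id'], $rb['namespace']);

    if ( $protected && !$perms->get_permissions('even_when_protected') )
    {
      return "Because this page is protected, you need moderator rights to roll back changes.";
    }
  }
  else
  {
    // No page-level ACL applies (deleted page, or a non-page log entry), so
    // the session's own permissions are consulted instead.
    $perms =& $session;
  }

  if ( $rb['log_type'] == 'security' || $rb['log_type'] == 'login' )
  {
    return('A ' . $rb['log_type'] . '-related log entry cannot be rolled back.');
  }
  if ( $rb['log_type'] != 'page' )
  {
    return('Unknown log entry type: "' . $rb['log_type'] . '"');
  }

  // Each supported action fills $queries (run in order; the first failure
  // aborts) and $success (returned once every query has run).
  $queries = array();
  $success = '';
  switch ( $rb['action'] )
  {
    case 'edit':
      if ( !$perms->get_permissions('edit_page') )
        return "You don't have permission to edit pages, so rolling back edits can't be allowed either.";
      $queries[] = 'UPDATE ' . table_prefix.'page_text SET page_text=\'' . $db->escape($rb['page_text']) . '\',char_tag=\'' . $db->escape($rb['char_tag']) . '\' WHERE page_id=\'' . $page_id_db . '\' AND namespace=\'' . $namespace_db . '\'';
      $success = 'The page "' . $pagedata['name'] . '" has been rolled back to the state it was in on ' . $when . '.';
      break;
    case 'rename':
      if ( !$perms->get_permissions('rename') )
        return "You don't have permission to rename pages, so rolling back renames can't be allowed either.";
      // For rename entries, edit_summary holds the title the page had before the rename
      $queries[] = 'UPDATE ' . table_prefix.'pages SET name=\'' . $db->escape($rb['edit_summary']) . '\' WHERE urlname=\'' . $page_id_db . '\' AND namespace=\'' . $namespace_db . '\'';
      $success = 'The page "' . $pagedata['name'] . '" has been rolled back to the name it had ("' . $rb['edit_summary'] . '") before ' . $when . '.';
      break;
    case 'prot':
    case 'semiprot':
    case 'unprot':
      if ( !$perms->get_permissions('protect') )
        return "You don't have permission to protect pages, so rolling back protection can't be allowed either.";
      // Undoing a (semi-)protect clears the flag; undoing an unprotect restores full protection
      $level = ( $rb['action'] == 'unprot' ) ? 1 : 0;
      $queries[] = 'UPDATE ' . table_prefix.'pages SET protected=' . $level . ' WHERE urlname=\'' . $page_id_db . '\' AND namespace=\'' . $namespace_db . '\'';
      $success = 'The page "' . $pagedata['name'] . '" has been ' . ( $level == 1 ? 'protected' : 'unprotected' ) . ' according to the log created at ' . $when . '.';
      break;
    case 'delete':
      if ( !$perms->get_permissions('history_rollback_extra') )
        return 'Administrative privileges are required for page undeletion.';
      // Check the page named in the log entry, not whichever page the caller
      // happens to be viewing.
      if ( isset($paths->pages[$paths->nslist[$rb['namespace']] . $rb['page_id']]) )
        return 'You cannot raise a dead page that is alive.';
      // The most recent edit log for the page supplies the text to restore.
      // It is read before either INSERT so a missing history leaves no
      // half-created page behind.
      $e = $db->sql_query('SELECT page_text,char_tag FROM ' . table_prefix.'logs WHERE page_id=\'' . $page_id_db . '\' AND namespace=\'' . $namespace_db . '\' AND log_type=\'page\' AND action=\'edit\' ORDER BY time_id DESC LIMIT 1;');
      if ( !$e )
        return $sql_error . $db->get_error() . "\n\nSQL backtrace:\n" . $db->sql_backtrace();
      $r = $db->fetchrow();
      $db->free_result();
      if ( !$r )
        return 'No edit history exists for this page, so there is no content to undelete.';
      $name = str_replace('_', ' ', $rb['page_id']);
      $queries[] = 'INSERT INTO ' . table_prefix.'pages(name,urlname,namespace) VALUES( \'' . $db->escape($name) . '\', \'' . $page_id_db . '\',\'' . $namespace_db . '\' )';
      $queries[] = 'INSERT INTO ' . table_prefix.'page_text(page_id,namespace,page_text,char_tag) VALUES(\'' . $page_id_db . '\',\'' . $namespace_db . '\',\'' . $db->escape($r['page_text']) . '\',\'' . $db->escape($r['char_tag']) . '\')';
      $success = 'The page "' . $name . '" has been undeleted according to the log created at ' . $when . '.';
      break;
    case 'reupload':
      if ( !$session->get_permissions('history_rollback_extra') )
      {
        return 'Administrative privileges are required for file rollbacks.';
      }
      // Re-dates the old upload's log and file rows to the current time.
      $newtime = time();
      $newdate = $db->escape(enano_date('d M Y h:i a'));
      $queries[] = 'UPDATE ' . table_prefix.'logs SET time_id=' . $newtime . ',date_string=\'' . $newdate . '\' WHERE time_id=' . $id;
      $queries[] = 'UPDATE ' . table_prefix.'files SET time_id=' . $newtime . ' WHERE time_id=' . $id;
      $success = 'The file has been rolled back to the version uploaded on ' . $when . '.';
      break;
    default:
      return('Rollback of the action "' . $rb['action'] . '" is not yet supported.');
  }

  foreach ( $queries as $q )
  {
    if ( !$db->sql_query($q) )
    {
      return $sql_error . $db->get_error() . "\n\nSQL backtrace:\n" . $db->sql_backtrace();
    }
  }
  return $success;
}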
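/**
 * Posts a comment.
 *
 * Guest posting is controlled by the comments_need_login config value: '2'
 * refuses guests outright, '1' requires a correct CAPTCHA answer, and any
 * other value lets guests post without one. The page and namespace are
 * escaped here before they are placed in the INSERT; the subject, text and
 * name go through RenderMan::preprocess_text() first.
 *
 * @param $page_id the page ID
 * @param $namespace the namespace
 * @param $name the name of the person posting, defaults to current username/IP
 * @param $subject the subject line of the comment
 * @param $text the comment text
 * @param $captcha_code the CAPTCHA answer typed by the user; required for guests when comments_need_login is '1'
 * @param $captcha_id the ID of the CAPTCHA challenge that $captcha_code answers
 * @return string javascript code
 */

function addcomment($page_id, $namespace, $name, $subject, $text, $captcha_code = false, $captcha_id = false)
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  $_ob = '';
  if ( !$session->get_permissions('post_comments') )
    return 'Access denied';
  if ( getConfig('comments_need_login') == '2' && !$session->user_logged_in )
    _die('Access denied to post comments: you need to be logged in first.');
  if ( getConfig('comments_need_login') == '1' && !$session->user_logged_in )
  {
    if ( !$captcha_code || !$captcha_id )
      _die('BUG: PageUtils::addcomment: no CAPTCHA data passed to method');
    $result = $session->get_captcha($captcha_id);
    // Strict string comparison: the loose != used before treated numeric-looking
    // answers such as "1e1" and "10" as equal.
    if ( (string)$captcha_code !== (string)$result )
      _die('The confirmation code you entered was incorrect.');
  }
  // NOTE(review): these three fields are placed in SQL without $db->escape();
  // the code relies on preprocess_text() to make them safe — confirm against RenderMan.
  $text = RenderMan::preprocess_text($text);
  $name = $session->user_logged_in ? RenderMan::preprocess_text($session->username) : RenderMan::preprocess_text($name);
  $subj = RenderMan::preprocess_text($subject);
  // Comments start out unapproved when moderation is switched on
  $appr = ( getConfig('approve_comments') == '1' ) ? '0' : '1';
  $q = 'INSERT INTO ' . table_prefix.'comments(page_id,namespace,subject,comment_data,name,user_id,approved,time) VALUES(\'' . $db->escape($page_id) . '\',\'' . $db->escape($namespace) . '\',\'' . $subj . '\',\'' . $text . '\',\'' . $name . '\',' . intval($session->user_id) . ',' . $appr . ','.time().')';
  $e = $db->sql_query($q);
  if ( !$e )
    die('alert(unescape(\''.rawurlencode('Error inserting comment data: '.$db->get_error().'\n\nQuery:\n' . $q) . '\'))');
  $_ob .= '<div class="info-box">Your comment has been posted.</div>';
  return PageUtils::comments($page_id, $namespace, false, Array(), $_ob);
}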
/**
* Generates partly-compiled HTML/Javascript code to be eval'ed by the user's browser to display comments
* @param $page_id the page ID
* @param $namespace the namespace
* @param $action administrative action to perform, default is false
* @param $flags additional info for $action, shouldn't be used except when deleting/approving comments, etc.
* @param $_ob text to prepend to output, used by PageUtils::addcomment
* @return array
* @access private
*/
function comments_raw($page_id, $namespace, $action = false, $flags = Array(), $_ob = '')
{
global $db, $session, $paths, $template, $plugins; // Common objects
global $lang;
$pname = $paths->nslist[$namespace] . $page_id;
ob_start();
if($action && $session->get_permissions('mod_comments')) // Nip hacking attempts in the bud
{
switch($action) {
case "delete":
if(isset($flags['id']))
{
$q = 'DELETE FROM ' . table_prefix.'comments WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND comment_id='.intval($flags['id']).' LIMIT 1;';
} else {
$n = $db->escape($flags['name']);
$s = $db->escape($flags['subj']);
$t = $db->escape($flags['text']);
$q = 'DELETE FROM ' . table_prefix.'comments WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND name=\'' . $n . '\' AND subject=\'' . $s . '\' AND comment_data=\'' . $t . '\' LIMIT 1;';
}
$e=$db->sql_query($q);
if(!$e) die('alert(unesape(\''.rawurlencode('Error during query: '.$db->get_error().'\n\nQuery:\n' . $q) . '\'));');
break;
case "approve":
if(isset($flags['id']))
{
$where = 'comment_id='.intval($flags['id']);
} else {
$n = $db->escape($flags['name']);
$s = $db->escape($flags['subj']);
$t = $db->escape($flags['text']);
$where = 'name=\'' . $n . '\' AND subject=\'' . $s . '\' AND comment_data=\'' . $t . '\'';
}
$q = 'SELECT approved FROM ' . table_prefix.'comments WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND ' . $where . ' LIMIT 1;';
$e = $db->sql_query($q);
if(!$e) die('alert(unesape(\''.rawurlencode('Error selecting approval status: '.$db->get_error().'\n\nQuery:\n' . $q) . '\'));');
$r = $db->fetchrow();
$db->free_result();
$a = ( $r['approved'] ) ? '0' : '1';
$q = 'UPDATE ' . table_prefix.'comments SET approved=' . $a . ' WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND ' . $where . ';';
$e=$db->sql_query($q);
if(!$e) die('alert(unesape(\''.rawurlencode('Error during query: '.$db->get_error().'\n\nQuery:\n' . $q) . '\'));');
if($a=='1') $v = $lang->get('comment_btn_mod_unapprove');
else $v = $lang->get('comment_btn_mod_approve');
echo 'document.getElementById("mdgApproveLink'.intval($_GET['id']).'").innerHTML="' . $v . '";';
break;
}
}
if(!defined('ENANO_TEMPLATE_LOADED'))
{
$template->load_theme($session->theme, $session->style);
}
$tpl = $template->makeParser('comment.tpl');
$e = $db->sql_query('SELECT * FROM ' . table_prefix.'comments WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND approved=0;');
if(!$e) $db->_die('The comment text data could not be selected.');
$num_unapp = $db->numrows();
$db->free_result();
$e = $db->sql_query('SELECT * FROM ' . table_prefix.'comments WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND approved=1;');
if(!$e) $db->_die('The comment text data could not be selected.');
+ − 1006
$num_app = $db->numrows();
+ − 1007
$db->free_result();
$lq = $db->sql_query('SELECT c.comment_id,c.subject,c.name,c.comment_data,c.approved,c.time,c.user_id,c.ip_address,u.user_level,u.signature,u.user_has_avatar,u.avatar_type
FROM ' . table_prefix.'comments AS c
LEFT JOIN ' . table_prefix.'users AS u
ON c.user_id=u.user_id
WHERE page_id=\'' . $page_id . '\'
AND namespace=\'' . $namespace . '\' ORDER BY c.time ASC;');
if(!$lq) _die('The comment text data could not be selected. '.$db->get_error());
$_ob .= '<h3>' . $lang->get('comment_heading') . '</h3>';
$n = ( $session->get_permissions('mod_comments')) ? $db->numrows() : $num_app;
$subst = array(
'num_comments' => $n,
'page_type' => $template->namespace_string
);
$_ob .= '<p>';
$_ob .= ( $n == 0 ) ? $lang->get('comment_msg_count_zero', $subst) : ( $n == 1 ? $lang->get('comment_msg_count_one', $subst) : $lang->get('comment_msg_count_plural', $subst) );
if ( $session->get_permissions('mod_comments') && $num_unapp > 0 )
{
$_ob .= ' <span style="color: #D84308">' . $lang->get('comment_msg_count_unapp_mod', array( 'num_unapp' => $num_unapp )) . '</span>';
}
else if ( !$session->get_permissions('mod_comments') && $num_unapp > 0 )
{
$ls = ( $num_unapp == 1 ) ? 'comment_msg_count_unapp_one' : 'comment_msg_count_unapp_plural';
$_ob .= ' <span>' . $lang->get($ls, array( 'num_unapp' => $num_unapp )) . '</span>';
}
$_ob .= '</p>';
$list = 'list = { ';
// _die(htmlspecialchars($ttext));
$i = -1;
while ( $row = $db->fetchrow($lq) )
{
$i++;
$strings = Array();
$bool = Array();
if ( $session->get_permissions('mod_comments') || $row['approved'] )
{
$list .= $i . ' : { \'comment\' : unescape(\''.rawurlencode($row['comment_data']).'\'), \'name\' : unescape(\''.rawurlencode($row['name']).'\'), \'subject\' : unescape(\''.rawurlencode($row['subject']).'\'), }, ';
// Comment ID (used in the Javascript apps)
$strings['ID'] = (string)$i;
// Determine the name, and whether to link to the user page or not
$name = '';
if($row['user_id'] > 1) $name .= '<a href="'.makeUrlNS('User', sanitize_page_id(' ', '_', $row['name'])).'">';
$name .= $row['name'];
if($row['user_id'] > 1) $name .= '</a>';
$strings['NAME'] = $name; unset($name);
// Subject
$s = $row['subject'];
if(!$row['approved']) $s .= ' <span style="color: #D84308">' . $lang->get('comment_msg_note_unapp') . '</span>';
$strings['SUBJECT'] = $s;
// Date and time
$strings['DATETIME'] = enano_date('F d, Y h:i a', $row['time']);
// User level
switch($row['user_level'])
{
default:
case USER_LEVEL_GUEST:
$l = $lang->get('user_type_guest');
break;
case USER_LEVEL_MEMBER:
case USER_LEVEL_CHPREF:
$l = $lang->get('user_type_member');
break;
case USER_LEVEL_MOD:
$l = $lang->get('user_type_mod');
break;
case USER_LEVEL_ADMIN:
$l = $lang->get('user_type_admin');
break;
}
$strings['USER_LEVEL'] = $l; unset($l);
// The actual comment data
$strings['DATA'] = RenderMan::render($row['comment_data']);
if($session->get_permissions('edit_comments'))
{
// Edit link
$strings['EDIT_LINK'] = '<a href="'.makeUrlNS($namespace, $page_id, 'do=comments&sub=editcomment&id=' . $row['comment_id']) . '" id="editbtn_' . $i . '">' . $lang->get('comment_btn_edit') . '</a>';
// Delete link
$strings['DELETE_LINK'] = '<a href="'.makeUrlNS($namespace, $page_id, 'do=comments&sub=deletecomment&id=' . $row['comment_id']) . '">' . $lang->get('comment_btn_delete') . '</a>';
}
else
{
// Edit link
$strings['EDIT_LINK'] = '';
// Delete link
$strings['DELETE_LINK'] = '';
}
// Send PM link
$strings['SEND_PM_LINK'] = ( $session->user_logged_in && $row['user_id'] > 1 ) ? '<a href="'.makeUrlNS('Special', 'PrivateMessages/Compose/To/' . $row['name']) . '">' . $lang->get('comment_btn_send_privmsg') . '</a><br />' : '';
// Add Buddy link
$strings['ADD_BUDDY_LINK'] = ( $session->user_logged_in && $row['user_id'] > 1 ) ? '<a href="'.makeUrlNS('Special', 'PrivateMessages/FriendList/Add/' . $row['name']) . '">' . $lang->get('comment_btn_add_buddy') . '</a>' : '';
// Mod links
$applink = '';
$applink .= '<a href="'.makeUrlNS($namespace, $page_id, 'do=comments&sub=admin&action=approve&id=' . $row['comment_id']) . '" id="mdgApproveLink' . $i . '">';
if($row['approved']) $applink .= $lang->get('comment_btn_mod_unapprove');
else $applink .= $lang->get('comment_btn_mod_approve');
$applink .= '</a>';
$strings['MOD_APPROVE_LINK'] = $applink; unset($applink);
$strings['MOD_DELETE_LINK'] = '<a href="'.makeUrlNS($namespace, $page_id, 'do=comments&sub=admin&action=delete&id=' . $row['comment_id']) . '">' . $lang->get('comment_btn_mod_delete') . '</a>';
$strings['MOD_IP_LINK'] = '<span style="opacity: 0.5; filter: alpha(opacity=50);">' . ( ( empty($row['ip_address']) ) ? $lang->get('comment_btn_mod_ip_missing') : $lang->get('comment_btn_mod_ip_notimplemented') ) . '</span>';
// Signature
$strings['SIGNATURE'] = '';
if($row['signature'] != '') $strings['SIGNATURE'] = RenderMan::render($row['signature']);
// Avatar
if ( $row['user_has_avatar'] == 1 )
{
$bool['user_has_avatar'] = true;
$strings['AVATAR_ALT'] = $lang->get('usercp_avatar_image_alt', array('username' => $row['name']));
$strings['AVATAR_URL'] = make_avatar_url(intval($row['user_id']), $row['avatar_type']);
$strings['USERPAGE_LINK'] = makeUrlNS('User', $row['name']);
}
$bool['auth_mod'] = ($session->get_permissions('mod_comments')) ? true : false;
+ − 1137
$bool['can_edit'] = ( ( $session->user_logged_in && $row['name'] == $session->username && $session->get_permissions('edit_comments') ) || $session->get_permissions('mod_comments') ) ? true : false;
+ − 1138
$bool['signature'] = ( $strings['SIGNATURE'] == '' ) ? false : true;
+ − 1139
+ − 1140
// Done processing and compiling, now let's cook it into HTML
+ − 1141
$tpl->assign_vars($strings);
+ − 1142
$tpl->assign_bool($bool);
+ − 1143
$_ob .= $tpl->run();
+ − 1144
}
+ − 1145
}
+ − 1146
if(getConfig('comments_need_login') != '2' || $session->user_logged_in)
+ − 1147
{
if($session->get_permissions('post_comments'))
{
$_ob .= '<h3>' . $lang->get('comment_postform_title') . '</h3>';
+ − 1151
$_ob .= $lang->get('comment_postform_blurb');
+ − 1152
if(getConfig('approve_comments')=='1') $_ob .= ' ' . $lang->get('comment_postform_blurb_unapp');
+ − 1153
if(getConfig('comments_need_login') == '1' && !$session->user_logged_in)
+ − 1154
{
+ − 1155
$_ob .= ' ' . $lang->get('comment_postform_blurb_captcha');
+ − 1156
}
$sn = $session->user_logged_in ? $session->username . '<input name="name" id="mdgScreenName" type="hidden" value="' . $session->username . '" />' : '<input name="name" id="mdgScreenName" type="text" size="35" />';
$_ob .= ' <a href="#" id="mdgCommentFormLink" style="display: none;" onclick="document.getElementById(\'mdgCommentForm\').style.display=\'block\';this.style.display=\'none\';return false;">' . $lang->get('comment_postform_blurb_link') . '</a>
<div id="mdgCommentForm">
+ − 1160
<form action="'.makeUrlNS($namespace, $page_id, 'do=comments&sub=postcomment').'" method="post" style="margin-left: 1em">
+ − 1161
<table border="0">
<tr><td>' . $lang->get('comment_postform_field_name') . '</td><td>' . $sn . '</td></tr>
+ − 1163
<tr><td>' . $lang->get('comment_postform_field_subject') . '</td><td><input name="subj" id="mdgSubject" type="text" size="35" /></td></tr>';
if(getConfig('comments_need_login') == '1' && !$session->user_logged_in)
+ − 1165
{
+ − 1166
$session->kill_captcha();
+ − 1167
$captcha = $session->make_captcha();
$_ob .= '<tr><td>' . $lang->get('comment_postform_field_captcha_title') . '<br /><small>' . $lang->get('comment_postform_field_captcha_blurb') . '</small></td><td><img src="'.makeUrlNS('Special', 'Captcha/' . $captcha) . '" alt="Visual confirmation" style="cursor: pointer;" onclick="this.src = \''.makeUrlNS("Special", "Captcha/".$captcha).'/\'+Math.floor(Math.random() * 100000);" /><input name="captcha_id" id="mdgCaptchaID" type="hidden" value="' . $captcha . '" /><br />' . $lang->get('comment_postform_field_captcha_label') . ' <input name="captcha_input" id="mdgCaptchaInput" type="text" size="10" /><br /><small><script type="text/javascript">document.write("' . $lang->get('comment_postform_field_captcha_cantread_js') . '");</script><noscript>' . $lang->get('comment_postform_field_captcha_cantread_nojs') . '</noscript></small></td></tr>';
}
+ − 1170
$_ob .= '
<tr><td valign="top">' . $lang->get('comment_postform_field_comment') . '</td><td><textarea name="text" id="mdgCommentArea" rows="10" cols="40"></textarea></td></tr>
+ − 1172
<tr><td colspan="2" style="text-align: center;"><input type="submit" value="' . $lang->get('comment_postform_btn_submit') . '" /></td></tr>
</table>
+ − 1174
</form>
+ − 1175
</div>';
+ − 1176
}
+ − 1177
} else {
$_ob .= '<h3>Got something to say?</h3><p>You need to be logged in to post comments. <a href="'.makeUrlNS('Special', 'Login/' . $pname . '%2523comments').'">Log in</a></p>';
}
+ − 1180
$list .= '};';
+ − 1181
echo 'document.getElementById(\'ajaxEditContainer\').innerHTML = unescape(\''. rawurlencode($_ob) .'\');
+ − 1182
' . $list;
+ − 1183
echo 'Fat.fade_all(); document.getElementById(\'mdgCommentForm\').style.display = \'none\'; document.getElementById(\'mdgCommentFormLink\').style.display="inline";';
$ret = ob_get_contents();
+ − 1186
ob_end_clean();
+ − 1187
return Array($ret, $_ob);
}
/**
 * Builds the Javascript that the browser eval()s to display a page's comments.
 * Thin wrapper around PageUtils::comments_raw(): that method returns a pair
 * (Javascript, HTML); this one hands back only the Javascript half.
 * @param $page_id the page ID
 * @param $namespace the namespace
 * @param $action administrative action to perform, default is false
 * @param $id additional info for $action, passed straight through to comments_raw(); shouldn't be used except when deleting/approving comments, etc.
 * @param $_ob text to prepend to output, used by PageUtils::addcomment
 * @return string Javascript source
 */

function comments($page_id, $namespace, $action = false, $id = -1, $_ob = '')
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  // comments_raw() returns array(javascript, html); keep element 0 only
  list($js_output) = PageUtils::comments_raw($page_id, $namespace, $action, $id, $_ob);
  return $js_output;
}
/**
 * Builds the plain HTML rendering of a page's comments (browser compatibility mode).
 * Thin wrapper around PageUtils::comments_raw(): that method returns a pair
 * (Javascript, HTML); this one hands back only the HTML half.
 * @param $page_id the page ID
 * @param $namespace the namespace
 * @param $action administrative action to perform, default is false
 * @param $id additional info for $action, passed straight through to comments_raw(); shouldn't be used except when deleting/approving comments, etc.
 * @param $_ob text to prepend to output, used by PageUtils::addcomment
 * @return string HTML
 */

function comments_html($page_id, $namespace, $action = false, $id = -1, $_ob = '')
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  // comments_raw() returns array(javascript, html); keep element 1 only
  list(, $html_output) = PageUtils::comments_raw($page_id, $namespace, $action, $id, $_ob);
  return $html_output;
}
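/**
 * Updates comment data, locating the comment by its old subject/text (legacy path;
 * see savecomment_neater() for the comment_id based variant).
 *
 * Requires the edit_comments permission. Callers without mod_comments may only
 * edit a comment that was posted under their own username; that ownership check
 * is done against the database before the UPDATE is issued.
 *
 * @param $page_id the page ID
 * @param $namespace the namespace
 * @param $subject new subject
 * @param $text new text
 * @param $old_subject the old subject, unprocessed and identical to the value in the DB
 * @param $old_text the old text, unprocessed and identical to the value in the DB
 * @param $id the javascript list ID, used internally by the client-side app; emitted into the returned script as an integer
 * @return string Javascript fragment: result="GOOD" plus the updated list entry, or result="BAD" plus an error
 */

function savecomment($page_id, $namespace, $subject, $text, $old_subject, $old_text, $id = -1)
{
  global $db, $session, $paths, $template, $plugins; // Common objects

  if ( !$session->get_permissions('edit_comments') )
    return 'result="BAD";error="Access denied"';

  // Every value that ends up inside a quoted SQL literal is escaped here. The
  // original escaped only the old subject/text and spliced $page_id and
  // $namespace in raw; both arrive from the request, so they are escaped too.
  $old_text    = $db->escape($old_text);
  $old_subject = $db->escape($old_subject);
  $page_id_db  = $db->escape($page_id);
  $ns_db       = $db->escape($namespace);
  // $id is only ever emitted into the generated Javascript; force it to an
  // integer so it cannot carry script into the response.
  $id = intval($id);

  // Safety check - a non-moderator may only edit a comment posted under their own name
  if ( !$session->get_permissions('mod_comments') ) // allow mods to edit comments
  {
    if ( !$session->user_logged_in )
      _die('AJAX comment save safety check failed because you are not logged in. Sometimes this can happen because you are using a browser that does not send cookies as part of AJAX requests.<br /><br />Please log in and try again.');
    $q = 'SELECT c.name FROM ' . table_prefix.'comments c, ' . table_prefix.'users u WHERE comment_data=\'' . $old_text . '\' AND subject=\'' . $old_subject . '\' AND page_id=\'' . $page_id_db . '\' AND namespace=\'' . $ns_db . '\' AND u.user_id=c.user_id;';
    $s = $db->sql_query($q);
    if ( !$s )
      _die('SQL error during safety check: '.$db->get_error().'<br /><br />Attempted SQL:<br /><pre>'.htmlspecialchars($q).'</pre>');
    $r = $db->fetchrow($s);
    // Read the row count before the result set is released (the original freed
    // it first); this matches the order used by savecomment_neater().
    $owner_ok = ( $db->numrows() >= 1 && $r['name'] == $session->username );
    $db->free_result();
    if ( !$owner_ok )
      _die('Safety check failed, probably due to a hacking attempt.');
  }

  // NOTE(review): preprocess_text() output is written into the SQL unescaped
  // and later passed through stripslashes(), so this relies on it returning
  // DB-escaped text - confirm against RenderMan before changing either side.
  $s = RenderMan::preprocess_text($subject);
  $t = RenderMan::preprocess_text($text);
  $sql = 'UPDATE ' . table_prefix.'comments SET subject=\'' . $s . '\',comment_data=\'' . $t . '\' WHERE comment_data=\'' . $old_text . '\' AND subject=\'' . $old_subject . '\' AND page_id=\'' . $page_id_db . '\' AND namespace=\'' . $ns_db . '\'';
  $result = $db->sql_query($sql);
  if ( !$result )
  {
    // NOTE(review): this echoes the full SQL statement and the database error
    // back to the client; consider logging server-side and returning a generic
    // message instead.
    return 'result="BAD"; error=unescape("'.rawurlencode('Enano encountered a problem whilst saving the comment.
Performed SQL:
' . $sql . '

Error returned by MySQL: '.$db->get_error()).'");';
  }

  // Undo the DB escaping of the stored text for the client. Literal "\n"
  // sequences are parked in a placeholder so stripslashes() cannot eat them.
  $subj_plain = str_replace('{{EnAnO:Newline}}', '\\n', stripslashes(str_replace('\\n', '{{EnAnO:Newline}}', $s)));
  $text_plain = str_replace('{{EnAnO:Newline}}', '\\n', stripslashes(str_replace('\\n', '{{EnAnO:Newline}}', $t)));
  $text_html  = RenderMan::render(str_replace('{{EnAnO:Newline}}', "\n", stripslashes(str_replace('\\n', '{{EnAnO:Newline}}', $t))));
  return 'result="GOOD";
list[' . $id . '][\'subject\'] = unescape(\'' . str_replace('%5Cn', '%0A', rawurlencode($subj_plain)) . '\');
list[' . $id . '][\'comment\'] = unescape(\'' . str_replace('%5Cn', '%0A', rawurlencode($text_plain)) . '\'); id = ' . $id . ';
s = unescape(\'' . rawurlencode($s) . '\');
t = unescape(\'' . str_replace('%5Cn', '<br \\/>', rawurlencode($text_html)) . '\');';
}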
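/**
 * Updates comment data using the comment_id column instead of the old, messy way.
 *
 * Requires the edit_comments permission. Callers without mod_comments may only
 * edit a comment that was posted under their own username; that ownership check
 * is done against the database before the UPDATE is issued.
 *
 * @param $page_id the page ID
 * @param $namespace the namespace
 * @param $subject new subject
 * @param $text new text
 * @param $id the comment ID (primary key in enano_comments table); must be a PHP integer
 * @return string 'good' on success, otherwise an error message ('Access denied' or the SQL failure)
 */

function savecomment_neater($page_id, $namespace, $subject, $text, $id)
{
  global $db, $session, $paths, $template, $plugins; // Common objects

  // $id is spliced into SQL unquoted, so it must be a real integer
  if ( !is_int($id) )
    die('PageUtils::savecomment: $id is not an integer, aborting for safety');
  if ( !$session->get_permissions('edit_comments') )
    return 'Access denied';

  // $page_id and $namespace come in from the request and go into quoted SQL
  // literals below; the original spliced them in unescaped.
  $page_id_db = $db->escape($page_id);
  $ns_db      = $db->escape($namespace);

  // Safety check - a non-moderator may only edit a comment posted under their own name
  if ( !$session->get_permissions('mod_comments') ) // allow mods to edit comments
  {
    if ( !$session->user_logged_in )
      _die('AJAX comment save safety check failed because you are not logged in. Sometimes this can happen because you are using a browser that does not send cookies as part of AJAX requests.<br /><br />Please log in and try again.');
    $q = 'SELECT c.name FROM ' . table_prefix.'comments c, ' . table_prefix.'users u WHERE comment_id=' . $id . ' AND page_id=\'' . $page_id_db . '\' AND namespace=\'' . $ns_db . '\' AND u.user_id=c.user_id;';
    $s = $db->sql_query($q);
    if ( !$s )
      _die('SQL error during safety check: '.$db->get_error().'<br /><br />Attempted SQL:<br /><pre>'.htmlspecialchars($q).'</pre>');
    $r = $db->fetchrow($s);
    if ( $db->numrows() < 1 || $r['name'] != $session->username )
      _die('Safety check failed, probably due to a hacking attempt.');
    $db->free_result();
  }

  // NOTE(review): preprocess_text() output is written into the SQL unescaped,
  // so this relies on it returning DB-escaped text - confirm against RenderMan.
  $s = RenderMan::preprocess_text($subject);
  $t = RenderMan::preprocess_text($text);
  $sql = 'UPDATE ' . table_prefix.'comments SET subject=\'' . $s . '\',comment_data=\'' . $t . '\' WHERE comment_id=' . $id . ' AND page_id=\'' . $page_id_db . '\' AND namespace=\'' . $ns_db . '\'';
  $result = $db->sql_query($sql);
  if ( $result )
    return 'good';

  // NOTE(review): this returns the full SQL statement and the database error
  // to the client; consider logging server-side and returning a generic message.
  return 'Enano encountered a problem whilst saving the comment.
Performed SQL:
' . $sql . '

Error returned by MySQL: '.$db->get_error();
}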
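/**
 * Deletes a comment, locating it by poster name, subject and text (legacy path;
 * see deletecomment_neater() for the comment_id based variant).
 *
 * Requires the edit_comments permission. Callers without mod_comments may only
 * delete a comment posted under their own username: the ownership check is done
 * against the database and the DELETE is then pinned to the session's username
 * rather than the caller-supplied $name.
 *
 * @param $page_id the page ID
 * @param $namespace the namespace
 * @param $name the name the user posted under
 * @param $subj the subject of the comment to be deleted
 * @param $text the text of the comment to be deleted
 * @param $id the javascript list ID, used internally by the client-side app; validated as digits only, otherwise unused here
 * @return string 'good' on success, otherwise a Javascript alert() fragment describing the failure
 */

function deletecomment($page_id, $namespace, $name, $subj, $text, $id)
{
  global $db, $session, $paths, $template, $plugins; // Common objects

  if ( !$session->get_permissions('edit_comments') )
    return 'alert("Access to delete/edit comments is denied");';

  if ( !preg_match('#^([0-9]+)$#', (string)$id) )
    die('$_GET[id] is improperly formed.');

  // Everything that lands inside a quoted SQL literal is escaped here; the
  // original left $page_id and $namespace raw.
  $n          = $db->escape($name);
  $s          = $db->escape($subj);
  $t          = $db->escape($text);
  $page_id_db = $db->escape($page_id);
  $ns_db      = $db->escape($namespace);

  // Safety check - username/login
  if ( !$session->get_permissions('mod_comments') ) // allows mods to delete comments
  {
    if ( !$session->user_logged_in )
      _die('AJAX comment save safety check failed because you are not logged in. Sometimes this can happen because you are using a browser that does not send cookies as part of AJAX requests.<br /><br />Please log in and try again.');
    $q = 'SELECT c.name FROM ' . table_prefix.'comments c, ' . table_prefix.'users u WHERE comment_data=\'' . $t . '\' AND subject=\'' . $s . '\' AND page_id=\'' . $page_id_db . '\' AND namespace=\'' . $ns_db . '\' AND u.user_id=c.user_id;';
    // Keep the result handle in its own variable: the original stored it in $s,
    // clobbering the escaped subject that the DELETE below still needs, so the
    // DELETE never matched for non-moderators.
    $check = $db->sql_query($q);
    if ( !$check )
      _die('SQL error during safety check: '.$db->get_error().'<br /><br />Attempted SQL:<br /><pre>'.htmlspecialchars($q).'</pre>');
    $r = $db->fetchrow($check);
    if ( $db->numrows() < 1 || $r['name'] != $session->username )
      _die('Safety check failed, probably due to a hacking attempt.');
    $db->free_result();
    // A non-moderator has just proven ownership under their own username, so
    // the DELETE is keyed on that name rather than the caller-supplied one.
    $n = $db->escape($session->username);
  }

  $q = 'DELETE FROM ' . table_prefix.'comments WHERE page_id=\'' . $page_id_db . '\' AND namespace=\'' . $ns_db . '\' AND name=\'' . $n . '\' AND subject=\'' . $s . '\' AND comment_data=\'' . $t . '\' LIMIT 1;';
  $e = $db->sql_query($q);
  // 'unescape' was misspelled 'unesape' in the original, so the error alert never ran
  if ( !$e )
    return('alert(unescape(\''.rawurlencode('Error during query: '.$db->get_error().'\n\nQuery:\n' . $q) . '\'));');
  return('good');
}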
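/**
 * Deletes a comment in a cleaner fashion, keyed on its primary key.
 *
 * Requires the edit_comments permission. Callers without mod_comments may only
 * delete a comment that was posted under their own username; that ownership
 * check is done against the database before the DELETE is issued.
 *
 * @param $page_id the page ID
 * @param $namespace the namespace
 * @param $id the comment ID (primary key); must consist of digits only
 * @return string 'good' on success, otherwise a Javascript alert() fragment describing the failure
 */

function deletecomment_neater($page_id, $namespace, $id)
{
  global $db, $session, $paths, $template, $plugins; // Common objects

  // $id is spliced into SQL unquoted; accept digits only and normalise to an int
  if ( !preg_match('#^([0-9]+)$#', (string)$id) )
    die('$_GET[id] is improperly formed.');
  $id = intval($id);

  if ( !$session->get_permissions('edit_comments') )
    return 'alert("Access to delete/edit comments is denied");';

  // $page_id and $namespace come in from the request and go into quoted SQL
  // literals below; the original spliced them in unescaped.
  $page_id_db = $db->escape($page_id);
  $ns_db      = $db->escape($namespace);

  // Safety check - username/login
  if ( !$session->get_permissions('mod_comments') ) // allows mods to delete comments
  {
    if ( !$session->user_logged_in )
      _die('AJAX comment save safety check failed because you are not logged in. Sometimes this can happen because you are using a browser that does not send cookies as part of AJAX requests.<br /><br />Please log in and try again.');
    $q = 'SELECT c.name FROM ' . table_prefix.'comments c, ' . table_prefix.'users u WHERE comment_id=' . $id . ' AND page_id=\'' . $page_id_db . '\' AND namespace=\'' . $ns_db . '\' AND u.user_id=c.user_id;';
    $s = $db->sql_query($q);
    if ( !$s )
      _die('SQL error during safety check: '.$db->get_error().'<br /><br />Attempted SQL:<br /><pre>'.htmlspecialchars($q).'</pre>');
    $r = $db->fetchrow($s);
    if ( $db->numrows() < 1 || $r['name'] != $session->username )
      _die('Safety check failed, probably due to a hacking attempt.');
    $db->free_result();
  }

  $q = 'DELETE FROM ' . table_prefix.'comments WHERE page_id=\'' . $page_id_db . '\' AND namespace=\'' . $ns_db . '\' AND comment_id=' . $id . ' LIMIT 1;';
  $e = $db->sql_query($q);
  // 'unescape' was misspelled 'unesape' in the original, so the error alert never ran
  if ( !$e )
    return('alert(unescape(\''.rawurlencode('Error during query: '.$db->get_error().'\n\nQuery:\n' . $q) . '\'));');
  return('good');
}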
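/**
 * Renames a page (changes its display title; the URL name is untouched).
 *
 * Requires the rename permission, plus even_when_protected if the page is
 * protected. Pages in the Special and Admin namespaces can never be renamed.
 * On success a 'rename' entry is written to the logs table first.
 *
 * @param $page_id the page ID
 * @param $namespace the namespace
 * @param $name the new name for the page
 * @return string error string or success message (localized)
 */

function rename($page_id, $namespace, $name)
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  global $lang;

  $pname = $paths->nslist[$namespace] . $page_id;
  // Page metadata, if the URL handler knows the page; an unknown page is treated as unprotected
  $page_info     = isset($paths->pages[$pname]) ? $paths->pages[$pname] : array();
  $protect_level = isset($page_info['protected']) ? $page_info['protected'] : 0;
  $old_name      = isset($page_info['name']) ? $page_info['name'] : '';

  // NOTE(review): for semi-protection (level 2) this treats accounts registered
  // MORE than four days ago as blocked and lets newer or anonymous callers
  // through, which looks inverted for "semi-protected". It is the existing
  // behaviour and is kept as-is; confirm against the protection logic in the
  // session/paths code before changing it.
  $prot = ( $protect_level == 2 && $session->user_logged_in && $session->reg_time + 60*60*24*4 < time() ) || $protect_level == 1;

  if ( empty($name) )
  {
    return($lang->get('ajax_rename_too_short'));
  }

  // The UPDATE below is keyed on the caller's $namespace, so the Special/Admin
  // exclusion tests that same value (the original tested the namespace of the
  // page currently being viewed, which need not be the one being renamed).
  $has_permission = $session->get_permissions('rename') && ( !$prot || $session->get_permissions('even_when_protected') );
  if ( !$has_permission || $namespace == 'Special' || $namespace == 'Admin' )
  {
    return($lang->get('etc_access_denied'));
  }

  // Log the rename against the page actually being renamed, with every string escaped
  $e = $db->sql_query('INSERT INTO ' . table_prefix.'logs(time_id,date_string,log_type,action,page_id,namespace,author,edit_summary) VALUES('.time().', \''.enano_date('d M Y h:i a').'\', \'page\', \'rename\', \'' . $db->escape($page_id) . '\', \'' . $db->escape($namespace) . '\', \'' . $db->escape($session->username) . '\', \'' . $db->escape($old_name) . '\')');
  if ( !$e )
  {
    $db->_die('The page title could not be updated.');
  }

  $e = $db->sql_query('UPDATE ' . table_prefix.'pages SET name=\'' . $db->escape($name) . '\' WHERE urlname=\'' . $db->escape($page_id) . '\' AND namespace=\'' . $db->escape($namespace) . '\';');
  if ( !$e )
  {
    $db->_die('The page title could not be updated.');
  }

  $subst = array(
    'page_name_old' => $old_name,
    'page_name_new' => $name
  );
  return $lang->get('ajax_rename_success', $subst);
}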
/**
+ − 1442
* Flushes (clears) the action logs for a given page
+ − 1443
* @param $page_id the page ID
+ − 1444
* @param $namespace the namespace
+ − 1445
* @return string error/success string
+ − 1446
*/
+ − 1447
+ − 1448
function flushlogs($page_id, $namespace)
+ − 1449
{
+ − 1450
global $db, $session, $paths, $template, $plugins; // Common objects
global $lang;
if ( !is_object($lang) && defined('IN_ENANO_INSTALL') )
{
// This is a special exception for the Enano installer, which doesn't init languages yet.
$lang = new Language('eng');
}
if(!$session->get_permissions('clear_logs') && !defined('IN_ENANO_INSTALL'))
{
+ − 1459
return $lang->get('etc_access_denied');
+ − 1460
}
$e = $db->sql_query('DELETE FROM ' . table_prefix.'logs WHERE page_id=\'' . $db->escape($page_id) . '\' AND namespace=\'' . $db->escape($namespace) . '\';');
if(!$e) $db->_die('The log entries could not be deleted.');
// If the page exists, make a backup of it in case it gets spammed/vandalized
// If not, the admin's probably deleting a trash page
if ( isset($paths->pages[ $paths->nslist[$namespace] . $page_id ]) )
{
$e = $db->sql_query('SELECT page_text,char_tag FROM ' . table_prefix.'page_text WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\';');
if(!$e) $db->_die('The current page text could not be selected; as a result, creating the backup of the page failed. Please make a backup copy of the page by clicking Edit this page and then clicking Save Changes.');
$row = $db->fetchrow();
$db->free_result();
$minor_edit = ( ENANO_DBLAYER == 'MYSQL' ) ? 'false' : '0';
$q='INSERT INTO ' . table_prefix.'logs(log_type,action,time_id,date_string,page_id,namespace,page_text,char_tag,author,edit_summary,minor_edit) VALUES(\'page\', \'edit\', '.time().', \''.enano_date('d M Y h:i a').'\', \'' . $page_id . '\', \'' . $namespace . '\', \'' . $db->escape($row['page_text']) . '\', \'' . $row['char_tag'] . '\', \'' . $session->username . '\', \''."Automatic backup created when logs were purged".'\', '.$minor_edit.');';
if(!$db->sql_query($q)) $db->_die('The history (log) entry could not be inserted into the logs table.');
}
return $lang->get('ajax_clearlogs_success');
}
/**
* Deletes a page.
* @param string $page_id the condemned page ID
* @param string $namespace the condemned namespace
* @param string $reason the reason for deleting the page in question
* @return string
*/
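/**
 * Deletes a page.
 * Writes a 'delete' entry to the logs table, then removes the page's category
 * links, comments, text, page row and file entry. The page ID, namespace and
 * author are escaped before being interpolated into the queries; previously only
 * the reason was.
 * @param string $page_id the condemned page ID
 * @param string $namespace the condemned namespace
 * @param string $reason the reason for deleting the page; must not be blank
 * @return string localized status message, or a plain error string when the caller may not delete pages
 */
function deletepage($page_id, $namespace, $reason)
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  global $lang;

  $perms = $session->fetch_page_acl($page_id, $namespace);

  // A deletion must carry a reason. Compared against '' rather than with empty(),
  // so the (odd but legitimate) reason "0" is not rejected.
  if ( trim((string) $reason) === '' )
  {
    return $lang->get('ajax_delete_need_reason');
  }
  if ( !$perms->get_permissions('delete_page') )
  {
    return('Administrative privileges are required to delete pages, you loser.');
  }

  // Escape once; the same values are interpolated into every query below.
  $page_id_db = $db->escape($page_id);
  $namespace_db = $db->escape($namespace);
  $author_db = $db->escape($session->username);

  $e = $db->sql_query('INSERT INTO ' . table_prefix.'logs(time_id,date_string,log_type,action,page_id,namespace,author,edit_summary) VALUES(' . time() . ', \'' . enano_date('d M Y h:i a') . '\', \'page\', \'delete\', \'' . $page_id_db . '\', \'' . $namespace_db . '\', \'' . $author_db . '\', \'' . $db->escape(htmlspecialchars($reason)) . '\')');
  if ( !$e ) $db->_die('The page log entry could not be inserted.');

  // Dependent rows are removed before the page row itself; the order matches the
  // original sequence (categories, comments, text, page, files).
  $e = $db->sql_query('DELETE FROM ' . table_prefix.'categories WHERE page_id=\'' . $page_id_db . '\' AND namespace=\'' . $namespace_db . '\'');
  if ( !$e ) $db->_die('The page categorization entries could not be deleted.');

  $e = $db->sql_query('DELETE FROM ' . table_prefix.'comments WHERE page_id=\'' . $page_id_db . '\' AND namespace=\'' . $namespace_db . '\'');
  if ( !$e ) $db->_die('The page comments could not be deleted.');

  $e = $db->sql_query('DELETE FROM ' . table_prefix.'page_text WHERE page_id=\'' . $page_id_db . '\' AND namespace=\'' . $namespace_db . '\'');
  if ( !$e ) $db->_die('The page text entry could not be deleted.');

  $e = $db->sql_query('DELETE FROM ' . table_prefix.'pages WHERE urlname=\'' . $page_id_db . '\' AND namespace=\'' . $namespace_db . '\'');
  if ( !$e ) $db->_die('The page entry could not be deleted.');

  // The files table is keyed on page_id only.
  $e = $db->sql_query('DELETE FROM ' . table_prefix.'files WHERE page_id=\'' . $page_id_db . '\'');
  if ( !$e ) $db->_die('The file entry could not be deleted.');

  return $lang->get('ajax_delete_success');
}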
/**
* Increments the deletion votes for a page by 1, and adds the current username/IP to the list of users that have voted for the page to prevent dual-voting
* @param $page_id the page ID
* @param $namespace the namespace
* @return string
*/
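/**
 * Increments the deletion votes for a page by 1, and adds the current username/IP
 * to the list of users that have voted for the page to prevent dual-voting.
 * The vote list is stored serialized in pages.delvote_ips as
 * array('ip' => array(...), 'u' => array(...)); resetdelvotes() writes the empty form.
 * @param string $page_id the page ID
 * @param string $namespace the namespace
 * @return string status or error message
 */
function delvote($page_id, $namespace)
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  global $lang;

  if ( !$session->get_permissions('vote_delete') )
  {
    return $lang->get('etc_access_denied');
  }

  if ( $namespace == 'Admin' || $namespace == 'Special' || $namespace == 'System' )
  {
    return 'Special pages and system messages can\'t be voted for deletion.';
  }

  // An unknown namespace used to fall through with an empty prefix (and a notice);
  // report it as a missing page instead.
  if ( !isset($paths->nslist[$namespace]) )
  {
    return 'The page does not exist.';
  }
  $pname = $paths->nslist[$namespace] . sanitize_page_id($page_id);
  if ( !isset($paths->pages[$pname]) )
  {
    return 'The page does not exist.';
  }

  // Reference into the page cache so the in-memory count is bumped as well.
  $cv =& $paths->pages[$pname]['delvotes'];
  $ips = $paths->pages[$pname]['delvote_ips'];

  // The stored value is produced only by this method and resetdelvotes(), but it
  // still comes back from the database: anything that is not the expected shape is
  // replaced with an empty vote list rather than used.
  // NOTE(review): unserialize() on a DB column; a plain JSON list would avoid the
  // object-instantiation surface entirely if the encoding is ever revisited.
  $votes = empty($ips) ? false : @unserialize($ips);
  if ( !is_array($votes) || !isset($votes['ip']) || !isset($votes['u'])
       || !is_array($votes['ip']) || !is_array($votes['u']) )
  {
    $votes = array(
      'ip' => array(),
      'u' => array()
    );
  }

  $remote_addr = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
  if ( in_array($session->username, $votes['u'], true) || in_array($remote_addr, $votes['ip'], true) )
  {
    return $lang->get('ajax_delvote_already_voted');
  }

  $votes['u'][] = $session->username;
  $votes['ip'][] = $remote_addr;

  $cv++;

  // The vote count is forced to an integer and the serialized list, page ID and
  // namespace are escaped; the page ID is the one the caller passed, as before.
  $q = 'UPDATE ' . table_prefix.'pages SET delvotes=' . intval($cv) . ',delvote_ips=\'' . $db->escape(serialize($votes)) . '\' WHERE urlname=\'' . $db->escape($page_id) . '\' AND namespace=\'' . $db->escape($namespace) . '\'';
  if ( !$db->sql_query($q) )
  {
    // The result used to be discarded; every sibling method reports query failure.
    $db->_die('The delete vote could not be recorded.');
  }

  return $lang->get('ajax_delvote_success');
}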
/**
* Resets the number of votes against a page to 0.
* @param $page_id the page ID
* @param $namespace the namespace
* @return string
*/
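/**
 * Resets the number of votes against a page to 0 and clears the list of voters.
 * @param string $page_id the page ID
 * @param string $namespace the namespace
 * @return string localized status message
 */
function resetdelvotes($page_id, $namespace)
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  global $lang;
  if ( !$session->get_permissions('vote_reset') )
  {
    return $lang->get('etc_access_denied');
  }
  // Same serialized shape that delvote() reads back.
  $empty_votes = $db->escape(serialize(array('ip' => array(), 'u' => array())));
  // Page ID and namespace are caller-supplied; escape them like every other value.
  $q = 'UPDATE ' . table_prefix.'pages SET delvotes=0,delvote_ips=\'' . $empty_votes . '\' WHERE urlname=\'' . $db->escape($page_id) . '\' AND namespace=\'' . $db->escape($namespace) . '\'';
  $e = $db->sql_query($q);
  if ( !$e )
  {
    $db->_die('The number of delete votes was not reset.');
  }
  else
  {
    return $lang->get('ajax_delvote_reset_success');
  }
}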
/**
* Gets a list of styles for a given theme name. As of Banshee, this returns JSON.
* @param $id the name of the directory for the theme
* @return string JSON string with an array containing a list of themes
*/
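/**
 * Gets a list of styles for a given theme name. As of Banshee, this returns JSON.
 * The theme name is restricted to a single path segment of [a-z0-9_-] before it is
 * used to build a directory path.
 * @param string|null $id the name of the theme directory; defaults to $_GET['id'] for AJAX callers
 * @return string JSON: a list of style names, false for an invalid name, or a {mode:'error'} object
 */
function getstyles($id = null)
{
  if ( $id === null )
  {
    $id = isset($_GET['id']) ? $_GET['id'] : '';
  }
  // Whitelist the directory name. The D modifier stops $ from matching before a
  // trailing newline, so "name\n" is rejected rather than passed to the filesystem.
  if ( !is_string($id) || !preg_match('/^([a-z0-9_-]+)$/D', $id) )
  {
    return enano_json_encode(false);
  }
  $dir = './themes/' . $id . '/css/';
  if ( !is_dir($dir) )
  {
    return(enano_json_encode(Array('mode' => 'error', 'error' => $dir.' is not a dir')));
  }
  $list = Array();
  if ( $dh = opendir($dir) )
  {
    while ( ($file = readdir($dh)) !== false )
    {
      // _printable.css ships with every theme (a mostly black-and-white copy of the
      // main style), so it is not offered as a selectable style.
      if ( preg_match('#^(.*?)\.css$#is', $file) && $file !== '_printable.css' )
      {
        $list[] = substr($file, 0, strlen($file) - 4); // strip ".css"
      }
    }
    closedir($dh);
  }
  return enano_json_encode($list);
}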
/**
* Assembles a Javascript app with category information
* @param $page_id the page ID
* @param $namespace the namespace
* @return string Javascript code
*/
/**
 * Assembles a Javascript app with category information.
 * Wraps catedit_raw(): the script part is returned as-is, the HTML part is
 * rawurlencode()d and injected through unescape(), so the markup can never break
 * out of the single-quoted JS literal.
 * @param string $page_id the page ID
 * @param string $namespace the namespace
 * @return string Javascript code
 */
function catedit($page_id, $namespace)
{
  list($script, $html) = PageUtils::catedit_raw($page_id, $namespace);
  $encoded = rawurlencode($html);
  $inject = ' /* BEGIN CONTENT */ document.getElementById("ajaxEditContainer").innerHTML = unescape(\'' . $encoded . '\');';
  return $script . $inject;
}
/**
* Does the actual HTML/javascript generation for cat editing, but returns an array
* @access private
*/
/**
 * Does the actual HTML/javascript generation for cat editing, but returns an array.
 * Element [0] is the Javascript captured from echo (the catlist array), element [1]
 * is the HTML of the category form; catedit() joins the two.
 * Note: the category lookup is keyed on the *current* page ($paths->page_id /
 * $paths->namespace); the $page_id/$namespace arguments are only used for the
 * form's action URL.
 * @param string $page_id the page ID used for the form action
 * @param string $namespace the namespace used for the form action
 * @return array array(javascript, html)
 * @access private
 */
function catedit_raw($page_id, $namespace)
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  global $lang;

  // Javascript goes through the output buffer (echo), form HTML is collected in $_ob.
  ob_start();
  $_ob = '';
  $e = $db->sql_query('SELECT category_id FROM ' . table_prefix.'categories WHERE page_id=\'' . $paths->page_id . '\' AND namespace=\'' . $paths->namespace . '\'');
  if(!$e) jsdie('Error selecting category information for current page: '.$db->get_error());
  $cat_current = Array();
  while($r = $db->fetchrow())
  {
    $cat_current[] = $r;
  }
  $db->free_result();
  // Collect every Category: page. The walk covers half of sizeof($paths->pages)
  // by integer index, relying on the cache holding each page twice (numeric key and
  // name key), which is the layout the comment below reproduces for $cat_all.
  $cat_all = Array();
  for($i=0;$i<sizeof($paths->pages)/2;$i++)
  {
    if($paths->pages[$i]['namespace']=='Category') $cat_all[] = $paths->pages[$i];
  }

  // Make $cat_all an associative array, like $paths->pages
  $sz = sizeof($cat_all);
  for($i=0;$i<$sz;$i++)
  {
    $cat_all[$cat_all[$i]['urlname_nons']] = $cat_all[$i];
  }
  // Now, the "zipper" function - join the list of categories with the list of cats that this page is a part of
  // NOTE(review): a category_id that is not in $cat_all creates a new entry holding
  // only 'member', which the /2 loops below do not expect - presumably rows are
  // kept consistent with existing Category: pages; verify.
  $cat_info = $cat_all;
  for($i=0;$i<sizeof($cat_current);$i++)
  {
    $un = $cat_current[$i]['category_id'];
    $cat_info[$un]['member'] = true;
  }
  // Now copy the information we just set into the numerically named keys
  for($i=0;$i<sizeof($cat_info)/2;$i++)
  {
    $un = $cat_info[$i]['urlname_nons'];
    $cat_info[$i] = $cat_info[$un];
  }

  echo 'catlist = new Array();'; // Initialize the client-side category list
  $_ob .= '<h3>' . $lang->get('catedit_title') . '</h3>
<form name="mdgCatForm" action="'.makeUrlNS($namespace, $page_id, 'do=catedit').'" method="post">';
  if ( sizeof($cat_info) < 1 )
  {
    $_ob .= '<p>' . $lang->get('catedit_no_categories') . '</p>';
  }
  for ( $i = 0; $i < sizeof($cat_info) / 2; $i++ )
  {
    // Protection code added 1/3/07
    // Updated 3/4/07
    // A category's checkbox is disabled when the user lacks edit_cat globally or on
    // that category, or the category is really_protected and the user lacks
    // even_when_protected.
    $is_prot = false;
    $perms = $session->fetch_page_acl($cat_info[$i]['urlname_nons'], 'Category');
    if ( !$session->get_permissions('edit_cat') || !$perms->get_permissions('edit_cat') ||
      ( $cat_info[$i]['really_protected'] && !$perms->get_permissions('even_when_protected') ) )
      $is_prot = true;
    $prot = ( $is_prot ) ? ' disabled="disabled" ' : '';
    $prottext = ( $is_prot ) ? ' <img alt="(protected)" width="16" height="16" src="'.scriptPath.'/images/lock16.png" />' : '';
    // NOTE(review): urlname_nons is written into a single-quoted JS literal and into
    // HTML attributes, and ['name'] into HTML text, all without escaping here. That is
    // only safe if these values are sanitized when the page cache is built - confirm.
    echo 'catlist[' . $i . '] = \'' . $cat_info[$i]['urlname_nons'] . '\';';
    $_ob .= '<span class="catCheck"><input ' . $prot . ' name="' . $cat_info[$i]['urlname_nons'] . '" id="mdgCat_' . $cat_info[$i]['urlname_nons'] . '" type="checkbox"';
    if(isset($cat_info[$i]['member'])) $_ob .= ' checked="checked"';
    $_ob .= '/> <label for="mdgCat_' . $cat_info[$i]['urlname_nons'] . '">' . $cat_info[$i]['name'].$prottext.'</label></span><br />';
  }

  // Nothing to save when there are no categories at all.
  $disabled = ( sizeof($cat_info) < 1 ) ? 'disabled="disabled"' : '';

  $_ob .= '<div style="border-top: 1px solid #CCC; padding-top: 5px; margin-top: 10px;"><input name="__enanoSaveButton" ' . $disabled . ' style="font-weight: bold;" type="submit" onclick="ajaxCatSave(); return false;" value="' . $lang->get('etc_save_changes') . '" /> <input name="__enanoCatCancel" type="submit" onclick="ajaxReset(); return false;" value="' . $lang->get('etc_cancel') . '" /></div></form>';

  $cont = ob_get_contents();
  ob_end_clean();
  return Array($cont, $_ob);
}
/**
* Saves category information
* WARNING: If $which_cats is empty, all the category information for the selected page will be nuked!
* @param $page_id string the page ID
* @param $namespace string the namespace
* @param $which_cats array associative array of categories to put the page in
* @return string "GOOD" on success, error string on failure
*/
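/**
 * Saves category information.
 * WARNING: If $which_cats is empty, all the category information for the selected page will be nuked!
 * A category the caller is not allowed to change keeps its current state whatever
 * $which_cats says.
 * @param string $page_id the page ID
 * @param string $namespace the namespace
 * @param array $which_cats associative array of categories to put the page in (category ID => true)
 * @return string "GOOD" on success, error string on failure
 */
function catsave($page_id, $namespace, $which_cats)
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  if ( !$session->get_permissions('edit_cat') )
  {
    return('Insufficient privileges to change category information');
  }
  if ( !is_array($which_cats) )
  {
    $which_cats = Array();
  }

  $page_perms = $session->fetch_page_acl($page_id, $namespace);
  $pname = ( isset($paths->nslist[$namespace]) ? $paths->nslist[$namespace] : '' ) . $page_id;
  $page_data = isset($paths->pages[$pname]) ? $paths->pages[$pname] : Array();
  // A protected page that the caller cannot override locks every category.
  $page_locked = ( !$page_perms->get_permissions('even_when_protected') && isset($page_data['protected']) && $page_data['protected'] == '1' );

  // Caller-supplied identifiers, escaped once for every query below.
  $page_id_db = $db->escape($page_id);
  $namespace_db = $db->escape($namespace);

  // Every page in the Category: namespace. $paths->pages holds each page under both
  // a numeric index and its name key, hence the walk over half its size.
  $cat_all = Array();
  for ( $i = 0; $i < sizeof($paths->pages) / 2; $i++ )
  {
    if ( $paths->pages[$i]['namespace'] == 'Category' )
    {
      $cat_all[] = $paths->pages[$i];
    }
  }

  // Categories the page is in right now, keyed by category ID. Fetched once up
  // front instead of one SELECT per category inside the loop.
  $q = $db->sql_query('SELECT category_id FROM ' . table_prefix.'categories WHERE page_id=\'' . $page_id_db . '\' AND namespace=\'' . $namespace_db . '\';');
  if ( !$q )
  {
    return 'MySQL error: ' . $db->get_error();
  }
  $current = Array();
  while ( $row = $db->fetchrow() )
  {
    $current[$row['category_id']] = true;
  }
  $db->free_result();

  $rowlist = Array();
  foreach ( $cat_all as $cat )
  {
    $cat_id = $cat['urlname_nons'];
    $perms = $session->fetch_page_acl($cat_id, 'Category');
    $auth = $perms->get_permissions('edit_cat')
         && !( !empty($cat['really_protected']) && !$perms->get_permissions('even_when_protected') )
         && !$page_locked;
    if ( !$auth )
    {
      // No right to change this category, so it keeps its current state. The old
      // check asked whether the page was in *any* category, which pinned the page
      // into every protected category as soon as it belonged to one; it is now
      // evaluated per category.
      if ( !isset($current[$cat_id]) )
      {
        continue;
      }
      $which_cats[$cat_id] = true; // Force the category to stay in its current state
    }
    if ( isset($which_cats[$cat_id]) && $which_cats[$cat_id] == true )
    {
      $rowlist[] = '(\'' . $page_id_db . '\', \'' . $namespace_db . '\', \'' . $db->escape($cat_id) . '\')';
    }
  }

  // Replace the page's category rows wholesale: drop them all, then re-insert the
  // ones that survived the checks above (none when $which_cats is empty).
  $e = $db->sql_query('DELETE FROM ' . table_prefix.'categories WHERE page_id=\'' . $page_id_db . '\' AND namespace=\'' . $namespace_db . '\';');
  if ( !$e ) $db->_die('The old category data could not be deleted.');
  if ( sizeof($rowlist) > 0 )
  {
    $e = $db->sql_query('INSERT INTO ' . table_prefix.'categories(page_id,namespace,category_id) VALUES' . implode(',', $rowlist) . ';');
    if ( !$e ) $db->_die('The new category data could not be inserted.');
  }
  return('GOOD');
}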
/**
* Sets the wiki mode level for a page.
* @param $page_id string the page ID
* @param $namespace string the namespace
* @param $level int 0 for off, 1 for on, 2 for use global setting
* @return string "GOOD" on success, error string on failure
*/
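/**
 * Sets the wiki mode level for a page.
 * @param string $page_id the page ID
 * @param string $namespace the namespace
 * @param int|string $level 0 for off, 1 for on, 2 for use global setting
 * @return string "GOOD" on success, error string on failure
 */
function setwikimode($page_id, $namespace, $level)
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  if ( !$session->get_permissions('set_wiki_mode') )
  {
    return('Insufficient access rights');
  }
  // Accept exactly one of the digits 0, 1, 2. The D modifier stops $ from matching
  // before a trailing newline, so "2\n" is rejected too.
  if ( !isset($level) || !is_scalar($level) || !preg_match('#^([0-2]){1}$#D', (string)$level) )
  {
    return('Invalid mode string');
  }
  // Validated above; the integer cast and the escaping keep the query free of any
  // caller-controlled text.
  $level = intval($level);
  $q = $db->sql_query('UPDATE ' . table_prefix.'pages SET wiki_mode=' . $level . ' WHERE urlname=\'' . $db->escape($page_id) . '\' AND namespace=\'' . $db->escape($namespace) . '\';');
  if ( !$q )
  {
    return('Error during update query: '.$db->get_error()."\n\nSQL Backtrace:\n".$db->sql_backtrace());
  }
  return('GOOD');
}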
/**
* Sets the access password for a page.
* @param $page_id string the page ID
* @param $namespace string the namespace
* @param $pass string the SHA1 hash of the password - if the password doesn't match the regex ^[0-9a-f]{40}$ it will be sha1'ed
* @return string
*/
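/**
 * Sets the access password for a page.
 * @param string $page_id the page ID
 * @param string $namespace the namespace
 * @param string $pass the SHA1 hash of the password; a value that is not exactly 40
 *        lowercase hex digits is treated as plaintext and sha1'ed here. The hash of
 *        the empty string clears the password.
 * @return string localized status message
 */
function setpass($page_id, $namespace, $pass)
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  global $lang;
  // Determine permissions: replacing an existing password needs password_reset,
  // protecting an open page needs password_set.
  $pname = ( isset($paths->nslist[$namespace]) ? $paths->nslist[$namespace] : '' ) . $page_id;
  $has_password = isset($paths->pages[$pname]['password']) && $paths->pages[$pname]['password'] != '';
  $a = $has_password
     ? $session->get_permissions('password_reset')
     : $session->get_permissions('password_set');
  if ( !$a )
  {
    return $lang->get('etc_access_denied');
  }
  if ( !isset($pass) )
  {
    return('Password was not set on URL');
  }
  $p = $pass;
  // Only an exact 40-digit hex string is taken as already hashed. The previous
  // check was unanchored, so any input that merely contained 40 hex digits skipped
  // sha1() and was written into the query verbatim.
  if ( !is_string($p) || !preg_match('#^[0-9a-f]{40}$#D', $p) )
  {
    $p = sha1((string)$p);
  }
  if ( $p == 'da39a3ee5e6b4b0d3255bfef95601890afd80709' )
  {
    // sha1('') = da39a3ee5e6b4b0d3255bfef95601890afd80709: an empty password clears protection
    $p = '';
  }
  // NOTE(review): what is stored is an unsalted SHA-1 of the page password, as this
  // interface requires; the verification side is not visible from here.
  $e = $db->sql_query('UPDATE ' . table_prefix.'pages SET password=\'' . $db->escape($p) . '\' WHERE urlname=\'' . $db->escape($page_id) . '\' AND namespace=\'' . $db->escape($namespace) . '\';');
  if ( !$e )
  {
    die('PageUtils::setpass(): Error during update query: '.$db->get_error()."\n\nSQL Backtrace:\n".$db->sql_backtrace());
  }
  // Is the new password blank?
  if ( $p == '' )
  {
    return $lang->get('ajax_password_disable_success');
  }
  return $lang->get('ajax_password_success');
}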
/**
* Generates some preview HTML
* @param $text string the wikitext to use
* @return string
*/
function genPreview($text)
+ − 1880
{
214
+ − 1881
global $lang;
335
67bd3121a12e
Replaced TinyMCE 2.x with 3.0 beta 3. Supports everything but IE. Also rewrote the editor interface completely from the ground up.
Dan
diff
changeset
+ − 1882
$ret = '<div class="info-box">' . $lang->get('editor_preview_blurb') . '</div><div style="background-color: #F8F8F8; padding: 10px; border: 1px dashed #406080; max-height: 250px; overflow: auto; margin: 10px 0;">';
102
+ − 1883
$text = RenderMan::render(RenderMan::preprocess_text($text, false, false));
+ − 1884
ob_start();
+ − 1885
eval('?>' . $text);
+ − 1886
$text = ob_get_contents();
+ − 1887
ob_end_clean();
+ − 1888
$ret .= $text;
+ − 1889
$ret .= '</div>';
+ − 1890
return $ret;
1
+ − 1891
}
/**
 * Makes a scrollable box.
 *
 * $text is treated as already-rendered inner HTML and is NOT escaped here;
 * callers are responsible for escaping untrusted content before passing it in.
 * The height is cast to an integer so it cannot break out of the style
 * attribute.
 *
 * @param string $text the inner HTML
 * @param int $height Optional - the maximum height in pixels. Defaults to 250.
 * @return string
 */

function scrollBox($text, $height = 250)
{
  $max_height = intval($height);
  $style = 'background-color: #F8F8F8; padding: 10px; border: 1px dashed #406080; max-height: ' . $max_height . 'px; overflow: auto; margin: 1em 0 1em 1em;';
  return '<div style="' . $style . '">' . $text . '</div>';
}
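/**
 * Generates a diff summary between two page revisions.
 *
 * Both revision IDs are validated as plain decimal strings before they are
 * placed in the query. The page ID and namespace are passed through
 * $db->escape() - previously they were interpolated raw, unlike every other
 * page_id/namespace query in this class (see acl_editor()), so a caller that
 * forwarded unsanitized input could alter the query.
 *
 * @param string $page_id   the page ID
 * @param string $namespace the namespace
 * @param int|string $id1   the time ID of the first revision
 * @param int|string $id2   the time ID of the second revision
 * @return string XHTML-formatted diff, or a plain error string on failure
 */

function pagediff($page_id, $namespace, $id1, $id2)
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  global $lang;

  if ( !$session->get_permissions('history_view') )
    return $lang->get('etc_access_denied');

  // Only unsigned integers are acceptable time IDs; reject anything else
  // before it gets anywhere near the query.
  if ( !preg_match('#^([0-9]+)$#', (string)$id1) || !preg_match('#^([0-9]+)$#', (string)$id2) )
    return 'SQL injection attempt';

  // page_id/namespace are not guaranteed to be sanitized by the caller, so
  // escape them here rather than trusting the call site.
  $where_page = ' AND log_type=\'page\' AND action=\'edit\' AND page_id=\'' . $db->escape($page_id) . '\' AND namespace=\'' . $db->escape($namespace) . '\';';

  // Safest way to make sure we don't end up with the revisions in wrong columns is to make 2 queries
  $q1 = $db->sql_query('SELECT page_text,char_tag,author,edit_summary FROM ' . table_prefix . 'logs WHERE time_id=' . $id1 . $where_page);
  if ( !$q1 )
    return 'MySQL error: ' . $db->get_error();

  $q2 = $db->sql_query('SELECT page_text,char_tag,author,edit_summary FROM ' . table_prefix . 'logs WHERE time_id=' . $id2 . $where_page);
  if ( !$q2 )
  {
    // don't leak the first result set on the error path
    $db->free_result($q1);
    return 'MySQL error: ' . $db->get_error();
  }

  $row1 = $db->fetchrow($q1);
  $db->free_result($q1);
  $row2 = $db->fetchrow($q2);
  $db->free_result($q2);

  // fetchrow() yields false when there is no matching row; the old
  // sizeof() test was inconsistent between the two rows and breaks on
  // non-countable values.
  if ( !$row1 || !$row2 )
    return 'Couldn\'t find any rows that matched the query. The time ID probably doesn\'t exist in the logs table.';

  $text1 = $row1['page_text'];
  $text2 = $row2['page_text'];
  $time1 = enano_date('F d, Y h:i a', $id1);
  $time2 = enano_date('F d, Y h:i a', $id2);

  $_ob = "
  <p>" . $lang->get('history_lbl_comparingrevisions') . " {$time1} &rarr; {$time2}</p>
  ";

  // Free some memory
  unset($row1, $row2, $q1, $q2);

  $_ob .= RenderMan::diff($text1, $text2);
  return $_ob;
}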
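/**
 * Gets ACL information about the selected page for target type X and target ID Y.
 *
 * Access requires either the edit_acl permission or an admin-level account.
 * Page-scoped rules are selected by page_id + namespace; when either is empty
 * the site-wide rules (page_id IS NULL AND namespace IS NULL) are used instead.
 * Every page_id/namespace/username value goes through $db->escape() and every
 * numeric ID through intval() before it reaches a query.
 *
 * Modes (selected via $parms['mode']; with no mode only the template data is returned):
 *   listgroups            - list user groups and page groups
 *   seltarget             - load the current rules for target_type/target_id
 *   save_new / save_edit  - replace the rules for a target (DELETE, then INSERT)
 *   delete                - remove the rules for a target
 *
 * Fixes relative to the previous revision: the "Invalid ACL type ID" error
 * array had no 'error' key (the => was missing); the first listgroups query
 * was never checked for failure; missing target_type/target_id/target_name/
 * perms keys no longer raise undefined-index notices; the acl_scope lookup is
 * guarded so an unknown type is eliminated instead of erroring.
 *
 * @param array $parms What to select. This is an array purely for JSON compatibility. It should be an associative array with keys target_type and target_id.
 * @return array On failure: array('mode' => 'error', 'error' => string).
 */

function acl_editor($parms = array())
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  global $lang;

  if ( !$session->get_permissions('edit_acl') && $session->user_level < USER_LEVEL_ADMIN )
  {
    return array(
      'mode' => 'error',
      'error' => $lang->get('acl_err_access_denied')
    );
  }

  $parms['page_id'] = ( isset($parms['page_id']) ) ? $parms['page_id'] : false;
  $parms['namespace'] = ( isset($parms['namespace']) ) ? $parms['namespace'] : false;
  $page_id =& $parms['page_id'];
  $namespace =& $parms['namespace'];

  // Optional target fields: read once so a missing key yields null instead of a notice
  $target_type = ( isset($parms['target_type']) ) ? $parms['target_type'] : null;
  $target_id = ( isset($parms['target_id']) ) ? $parms['target_id'] : null;
  $target_name = ( isset($parms['target_name']) ) ? $parms['target_name'] : null;

  // Page-scoped vs. site-wide rules. Same condition twice: one form for the
  // aliased JOIN queries, one for the plain acl table.
  $page_scoped = !( empty($page_id) || empty($namespace) );
  if ( $page_scoped )
  {
    $page_where_clause = 'AND a.page_id=\'' . $db->escape($page_id) . '\' AND a.namespace=\'' . $db->escape($namespace) . '\'';
    $page_where_clause_lite = 'AND page_id=\'' . $db->escape($page_id) . '\' AND namespace=\'' . $db->escape($namespace) . '\'';
  }
  else
  {
    $page_where_clause = 'AND a.page_id IS NULL AND a.namespace IS NULL';
    $page_where_clause_lite = 'AND page_id IS NULL AND namespace IS NULL';
  }

  $template->load_theme();
  $return = array();
  if ( !file_exists(ENANO_ROOT . '/themes/' . $session->theme . '/acledit.tpl') )
  {
    return array(
      'mode' => 'error',
      'error' => $lang->get('acl_err_missing_template'),
    );
  }
  $return['template'] = $template->extract_vars('acledit.tpl');
  $return['page_id'] = $page_id;
  $return['namespace'] = $namespace;

  if ( !isset($parms['mode']) )
  {
    return $return;
  }

  switch ( $parms['mode'] )
  {
    case 'listgroups':
      $return['groups'] = array();
      $q = $db->sql_query('SELECT group_id,group_name FROM ' . table_prefix . 'groups ORDER BY group_name ASC;');
      if ( !$q )
        return array('mode' => 'error', 'error' => $db->get_error());
      while ( $row = $db->fetchrow() )
      {
        $return['groups'][] = array(
          'id' => $row['group_id'],
          'name' => $row['group_name'],
        );
      }
      $db->free_result();

      $return['page_groups'] = array();
      $q = $db->sql_query('SELECT pg_id,pg_name FROM ' . table_prefix . 'page_groups ORDER BY pg_name ASC;');
      if ( !$q )
        return array('mode' => 'error', 'error' => $db->get_error());
      while ( $row = $db->fetchrow() )
      {
        $return['page_groups'][] = array(
          'id' => $row['pg_id'],
          'name' => $row['pg_name']
        );
      }
      $db->free_result();
      break;

    case 'seltarget':
      $return['mode'] = 'seltarget';
      $return['acl_types'] = $session->acl_types;
      $return['acl_deps'] = $session->acl_deps;
      $return['acl_descs'] = $session->acl_descs;
      $return['target_type'] = $target_type;
      $return['target_id'] = $target_id;

      switch ( $target_type )
      {
        case ACL_TYPE_USER:
          // For users, target_id arrives as a username and is resolved to the numeric user_id below
          $q = $db->sql_query('SELECT a.rules,u.user_id FROM ' . table_prefix . 'users AS u
            LEFT JOIN ' . table_prefix . 'acl AS a
              ON a.target_id=u.user_id
            WHERE a.target_type=' . ACL_TYPE_USER . '
              AND u.username=\'' . $db->escape($target_id) . '\'
              ' . $page_where_clause . ';');
          if ( !$q )
            return array('mode' => 'error', 'error' => $db->get_error());
          if ( $db->numrows() < 1 )
          {
            // No rule yet; make sure the user at least exists
            $return['type'] = 'new';
            $q = $db->sql_query('SELECT user_id FROM ' . table_prefix . 'users WHERE username=\'' . $db->escape($target_id) . '\';');
            if ( !$q )
              return array('mode' => 'error', 'error' => $db->get_error());
            if ( $db->numrows() < 1 )
              return array('mode' => 'error', 'error' => $lang->get('acl_err_user_not_found'));
            $row = $db->fetchrow();
            $return['current_perms'] = array();
          }
          else
          {
            $return['type'] = 'edit';
            $row = $db->fetchrow();
            $return['current_perms'] = $session->string_to_perm($row['rules']);
          }
          $db->free_result();
          $return['target_name'] = $target_id;
          $return['target_id'] = intval($row['user_id']);
          break;

        case ACL_TYPE_GROUP:
          $group_id = intval($target_id);
          $q = $db->sql_query('SELECT a.rules,g.group_name,g.group_id FROM ' . table_prefix . 'groups AS g
            LEFT JOIN ' . table_prefix . 'acl AS a
              ON a.target_id=g.group_id
            WHERE a.target_type=' . ACL_TYPE_GROUP . '
              AND g.group_id=\'' . $group_id . '\'
              ' . $page_where_clause . ';');
          if ( !$q )
            return array('mode' => 'error', 'error' => $db->get_error());
          if ( $db->numrows() < 1 )
          {
            // No rule yet; make sure the group at least exists
            $return['type'] = 'new';
            $q = $db->sql_query('SELECT group_id,group_name FROM ' . table_prefix . 'groups WHERE group_id=\'' . $group_id . '\';');
            if ( !$q )
              return array('mode' => 'error', 'error' => $db->get_error());
            if ( $db->numrows() < 1 )
              return array('mode' => 'error', 'error' => $lang->get('acl_err_bad_group_id'));
            $row = $db->fetchrow();
            $return['current_perms'] = array();
          }
          else
          {
            $return['type'] = 'edit';
            $row = $db->fetchrow();
            $return['current_perms'] = $session->string_to_perm($row['rules']);
          }
          $db->free_result();
          $return['target_name'] = $row['group_name'];
          $return['target_id'] = intval($row['group_id']);
          break;

        default:
          // Previously written as array('mode'=>'error','error','Invalid ACL type ID'),
          // which left the 'error' key unset for the caller.
          return array('mode' => 'error', 'error' => 'Invalid ACL type ID');
      }

      // Eliminate types that don't apply to this namespace. Only done for a
      // real page (not the page-group pseudo-namespace, not site-wide rules).
      if ( $namespace && $namespace != '__PageGroup' && $page_id )
      {
        foreach ( $return['current_perms'] as $i => $perm )
        {
          // an ACL type with no declared scope is treated as out of scope here
          $scope = ( isset($session->acl_scope[$i]) ) ? $session->acl_scope[$i] : array();
          if ( !in_array($namespace, $scope) && !in_array('All', $scope) )
          {
            unset($return['current_perms'][$i]);
            unset($return['acl_types'][$i]);
            unset($return['acl_descs'][$i]);
            unset($return['acl_deps'][$i]);
          }
        }
      }
      return $return;

    case 'save_new':
    case 'save_edit':
      if ( defined('ENANO_DEMO_MODE') )
      {
        return array('mode' => 'error', 'error' => $lang->get('acl_err_demo'));
      }
      $target_type_int = intval($target_type);
      $target_id_int = intval($target_id);

      // Replace semantics: drop the existing rule, then insert the new one.
      // NOTE: the two statements are not wrapped in a transaction, so a failed
      // INSERT leaves the target with no rule at all.
      $q = $db->sql_query('DELETE FROM ' . table_prefix . 'acl WHERE target_type=' . $target_type_int . ' AND target_id=' . $target_id_int . '
        ' . $page_where_clause_lite . ';');
      if ( !$q )
        return array('mode' => 'error', 'error' => $db->get_error());

      $result = array(
        'mode' => 'success',
        'target_type' => $target_type,
        'target_id' => $target_id,
        'target_name' => $target_name,
        'page_id' => $page_id,
        'namespace' => $namespace,
      );

      if ( !isset($parms['perms']) || !is_array($parms['perms']) || count($parms['perms']) < 1 )
      {
        // As of 1.1.x, this returns success because the rule length is zero if the user selected "inherit" in all columns
        return $result;
      }

      $rules = $session->perm_to_string($parms['perms']);
      if ( $page_scoped )
      {
        $q = 'INSERT INTO ' . table_prefix . 'acl ( target_type, target_id, page_id, namespace, rules )
          VALUES( ' . $target_type_int . ', ' . $target_id_int . ', \'' . $db->escape($page_id) . '\', \'' . $db->escape($namespace) . '\', \'' . $db->escape($rules) . '\' )';
      }
      else
      {
        $q = 'INSERT INTO ' . table_prefix . 'acl ( target_type, target_id, rules )
          VALUES( ' . $target_type_int . ', ' . $target_id_int . ', \'' . $db->escape($rules) . '\' )';
      }
      if ( !$db->sql_query($q) )
        return array('mode' => 'error', 'error' => $db->get_error());
      return $result;

    case 'delete':
      if ( defined('ENANO_DEMO_MODE') )
      {
        return array('mode' => 'error', 'error' => $lang->get('acl_err_demo'));
      }
      $q = $db->sql_query('DELETE FROM ' . table_prefix . 'acl WHERE target_type=' . intval($target_type) . ' AND target_id=' . intval($target_id) . '
        ' . $page_where_clause_lite . ';');
      if ( !$q )
        return array('mode' => 'error', 'error' => $db->get_error());
      return array(
        'mode' => 'delete',
        'target_type' => $target_type,
        'target_id' => $target_id,
        'target_name' => $target_name,
        'page_id' => $page_id,
        'namespace' => $namespace,
      );

    default:
      return array('mode' => 'error', 'error' => 'Hacking attempt');
  }

  return $return;
}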
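/**
 * Same as PageUtils::acl_editor(), but the parms are a JSON string instead of an array. This also returns a JSON string.
 *
 * If the JSON does not decode to an array (malformed input, or a scalar),
 * an empty parameter set is used so that acl_editor() - which indexes into
 * $parms - never receives a non-array and responds as if no mode were given.
 *
 * @param string $parms Same as PageUtils::acl_editor/$parms, but should be a valid JSON string.
 * @return string JSON-encoded acl_editor() response
 */

function acl_json($parms = '{ }')
{
  global $db, $session, $paths, $template, $plugins; // Common objects

  $decoded = enano_json_decode($parms);
  if ( !is_array($decoded) )
  {
    $decoded = array();
  }

  $result = PageUtils::acl_editor($decoded);
  return enano_json_encode($result);
}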
/**
* A non-Javascript frontend for the ACL API.
* @param array The request data, if any, this should be in the format required by PageUtils::acl_editor()
*/
function aclmanager($parms)
{
global $db, $session, $paths, $template, $plugins; // Common objects
global $lang;
ob_start();
// Convenience
$formstart = '<form
action="' . makeUrl($paths->page, 'do=aclmanager', true) . '"
method="post" enctype="multipart/form-data"
onsubmit="if(!submitAuthorized) return false;"
>';
$formend = '</form>';
$parms = PageUtils::acl_preprocess($parms);
$response = PageUtils::acl_editor($parms);
$response = PageUtils::acl_postprocess($response);
//die('<pre>' . htmlspecialchars(print_r($response, true)) . '</pre>');
switch($response['mode'])
{
case 'debug':
echo '<pre>' . htmlspecialchars($response['text']) . '</pre>';
break;
case 'stage1':
echo '<h3>' . $lang->get('acl_lbl_welcome_title') . '</h3>
<p>' . $lang->get('acl_lbl_welcome_body') . '</p>';
echo $formstart;
echo '<p><label><input type="radio" name="data[target_type]" value="' . ACL_TYPE_GROUP . '" checked="checked" /> ' . $lang->get('acl_radio_usergroup') . '</label></p>
<p><select name="data[target_id_grp]">';
foreach ( $response['groups'] as $group )
{
echo '<option value="' . $group['id'] . '">' . $group['name'] . '</option>';
}
// page group selector
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
diff
changeset
+ − 2242
$groupsel = '';
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
diff
changeset
+ − 2243
if ( count($response['page_groups']) > 0 )
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
diff
changeset
+ − 2244
{
219
+ − 2245
$groupsel = '<p><label><input type="radio" name="data[scope]" value="page_group" /> ' . $lang->get('acl_radio_scope_pagegroup') . '</label></p>
103
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
diff
changeset
+ − 2246
<p><select name="data[pg_id]">';
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
diff
changeset
+ − 2247
foreach ( $response['page_groups'] as $grp )
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
diff
changeset
+ − 2248
{
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
diff
changeset
+ − 2249
$groupsel .= '<option value="' . $grp['id'] . '">' . htmlspecialchars($grp['name']) . '</option>';
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
diff
changeset
+ − 2250
}
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
diff
changeset
+ − 2251
$groupsel .= '</select></p>';
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
diff
changeset
+ − 2252
}
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
diff
changeset
+ − 2253
1
+ − 2254
echo '</select></p>
219
+ − 2255
<p><label><input type="radio" name="data[target_type]" value="' . ACL_TYPE_USER . '" /> ' . $lang->get('acl_radio_user') . '</label></p>
1
+ − 2256
<p>' . $template->username_field('data[target_id_user]') . '</p>
219
+ − 2257
<p>' . $lang->get('acl_lbl_scope') . '</p>
+ − 2258
<p><label><input name="data[scope]" value="only_this" type="radio" checked="checked" /> ' . $lang->get('acl_radio_scope_thispage') . '</p>
103
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
diff
changeset
+ − 2259
' . $groupsel . '
219
+ − 2260
<p><label><input name="data[scope]" value="entire_site" type="radio" /> ' . $lang->get('acl_radio_scope_wholesite') . '</p>
1
+ − 2261
<div style="margin: 0 auto 0 0; text-align: right;">
+ − 2262
<input name="data[mode]" value="seltarget" type="hidden" />
322
+ − 2263
<input type="hidden" name="data[page_id]" value="' . $paths->page_id . '" />
1
+ − 2264
<input type="hidden" name="data[namespace]" value="' . $paths->namespace . '" />
219
+ − 2265
<input type="submit" value="' . htmlspecialchars($lang->get('etc_wizard_next')) . '" />
1
+ − 2266
</div>';
+ − 2267
echo $formend;
+ − 2268
break;
+ − 2269
case 'success':
+ − 2270
echo '<div class="info-box">
219
+ − 2271
<b>' . $lang->get('acl_lbl_save_success_title') . '</b><br />
+ − 2272
' . $lang->get('acl_lbl_save_success_body', array( 'target_name' => $response['target_name'] )) . '<br />
1
+ − 2273
' . $formstart . '
+ − 2274
<input type="hidden" name="data[mode]" value="seltarget" />
+ − 2275
<input type="hidden" name="data[target_type]" value="' . $response['target_type'] . '" />
+ − 2276
<input type="hidden" name="data[target_id_user]" value="' . ( ( intval($response['target_type']) == ACL_TYPE_USER ) ? $response['target_name'] : $response['target_id'] ) .'" />
+ − 2277
<input type="hidden" name="data[target_id_grp]" value="' . ( ( intval($response['target_type']) == ACL_TYPE_USER ) ? $response['target_name'] : $response['target_id'] ) .'" />
+ − 2278
<input type="hidden" name="data[scope]" value="' . ( ( $response['page_id'] ) ? 'only_this' : 'entire_site' ) . '" />
+ − 2279
<input type="hidden" name="data[page_id]" value="' . ( ( $response['page_id'] ) ? $response['page_id'] : 'false' ) . '" />
+ − 2280
<input type="hidden" name="data[namespace]" value="' . ( ( $response['namespace'] ) ? $response['namespace'] : 'false' ) . '" />
219
+ − 2281
<input type="submit" value="' . $lang->get('acl_btn_returnto_editor') . '" /> <input type="submit" name="data[act_go_stage1]" value="' . $lang->get('acl_btn_returnto_userscope') . '" />
1
+ − 2282
' . $formend . '
+ − 2283
</div>';
+ − 2284
break;
+ − 2285
case 'delete':
+ − 2286
echo '<div class="info-box">
219
+ − 2287
<b>' . $lang->get('acl_lbl_delete_success_title') . '</b><br />
+ − 2288
' . $lang->get('acl_lbl_delete_success_body', array('target_name' => $response['target_name'])) . '<br />
1
+ − 2289
' . $formstart . '
+ − 2290
<input type="hidden" name="data[mode]" value="seltarget" />
+ − 2291
<input type="hidden" name="data[target_type]" value="' . $response['target_type'] . '" />
+ − 2292
<input type="hidden" name="data[target_id_user]" value="' . ( ( intval($response['target_type']) == ACL_TYPE_USER ) ? $response['target_name'] : $response['target_id'] ) .'" />
+ − 2293
<input type="hidden" name="data[target_id_grp]" value="' . ( ( intval($response['target_type']) == ACL_TYPE_USER ) ? $response['target_name'] : $response['target_id'] ) .'" />
+ − 2294
<input type="hidden" name="data[scope]" value="' . ( ( $response['page_id'] ) ? 'only_this' : 'entire_site' ) . '" />
+ − 2295
<input type="hidden" name="data[page_id]" value="' . ( ( $response['page_id'] ) ? $response['page_id'] : 'false' ) . '" />
+ − 2296
<input type="hidden" name="data[namespace]" value="' . ( ( $response['namespace'] ) ? $response['namespace'] : 'false' ) . '" />
219
+ − 2297
<input type="submit" value="' . $lang->get('acl_btn_returnto_editor') . '" /> <input type="submit" name="data[act_go_stage1]" value="' . $lang->get('acl_btn_returnto_userscope') . '" />
1
+ − 2298
' . $formend . '
+ − 2299
</div>';
+ − 2300
break;
+ − 2301
case 'seltarget':
+ − 2302
if ( $response['type'] == 'edit' )
+ − 2303
{
219
+ − 2304
echo '<h3>' . $lang->get('acl_lbl_editwin_title_edit') . '</h3>';
1
+ − 2305
}
+ − 2306
else
+ − 2307
{
219
+ − 2308
echo '<h3>' . $lang->get('acl_lbl_editwin_title_create') . '</h3>';
1
+ − 2309
}
219
+ − 2310
$type = ( $response['target_type'] == ACL_TYPE_GROUP ) ? $lang->get('acl_target_type_group') : $lang->get('acl_target_type_user');
+ − 2311
$scope = ( $response['page_id'] ) ? ( $response['namespace'] == '__PageGroup' ? $lang->get('acl_scope_type_pagegroup') : $lang->get('acl_scope_type_thispage') ) : $lang->get('acl_scope_type_wholesite');
+ − 2312
$subs = array(
+ − 2313
'target_type' => $type,
+ − 2314
'target' => $response['target_name'],
+ − 2315
'scope_type' => $scope
+ − 2316
);
+ − 2317
echo $lang->get('acl_lbl_editwin_body', $subs);
1
+ − 2318
echo $formstart;
+ − 2319
$parser = $template->makeParserText( $response['template']['acl_field_begin'] );
+ − 2320
echo $parser->run();
+ − 2321
$parser = $template->makeParserText( $response['template']['acl_field_item'] );
+ − 2322
$cls = 'row2';
+ − 2323
foreach ( $response['acl_types'] as $acl_type => $value )
+ − 2324
{
+ − 2325
$vars = Array(
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 2326
'FIELD_INHERIT_CHECKED' => '',
1
+ − 2327
'FIELD_DENY_CHECKED' => '',
+ − 2328
'FIELD_DISALLOW_CHECKED' => '',
+ − 2329
'FIELD_WIKIMODE_CHECKED' => '',
+ − 2330
'FIELD_ALLOW_CHECKED' => '',
+ − 2331
);
+ − 2332
$cls = ( $cls == 'row1' ) ? 'row2' : 'row1';
+ − 2333
$vars['ROW_CLASS'] = $cls;
+ − 2334
+ − 2335
switch ( $response['current_perms'][$acl_type] )
+ − 2336
{
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 2337
case 'i':
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 2338
default:
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 2339
$vars['FIELD_INHERIT_CHECKED'] = 'checked="checked"';
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 2340
break;
1
+ − 2341
case AUTH_ALLOW:
+ − 2342
$vars['FIELD_ALLOW_CHECKED'] = 'checked="checked"';
+ − 2343
break;
+ − 2344
case AUTH_WIKIMODE:
+ − 2345
$vars['FIELD_WIKIMODE_CHECKED'] = 'checked="checked"';
+ − 2346
break;
+ − 2347
case AUTH_DISALLOW:
+ − 2348
$vars['FIELD_DISALLOW_CHECKED'] = 'checked="checked"';
+ − 2349
break;
+ − 2350
case AUTH_DENY:
+ − 2351
$vars['FIELD_DENY_CHECKED'] = 'checked="checked"';
+ − 2352
break;
+ − 2353
}
+ − 2354
$vars['FIELD_NAME'] = 'data[perms][' . $acl_type . ']';
219
+ − 2355
if ( preg_match('/^([a-z0-9_]+)$/', $response['acl_descs'][$acl_type]) )
+ − 2356
{
+ − 2357
$vars['FIELD_DESC'] = $lang->get($response['acl_descs'][$acl_type]);
+ − 2358
}
+ − 2359
else
+ − 2360
{
+ − 2361
$vars['FIELD_DESC'] = $response['acl_descs'][$acl_type];
+ − 2362
}
1
+ − 2363
$parser->assign_vars($vars);
+ − 2364
echo $parser->run();
+ − 2365
}
+ − 2366
$parser = $template->makeParserText( $response['template']['acl_field_end'] );
+ − 2367
echo $parser->run();
+ − 2368
echo '<div style="margin: 10px auto 0 0; text-align: right;">
+ − 2369
<input name="data[mode]" value="save_' . $response['type'] . '" type="hidden" />
+ − 2370
<input type="hidden" name="data[page_id]" value="' . (( $response['page_id'] ) ? $response['page_id'] : 'false') . '" />
+ − 2371
<input type="hidden" name="data[namespace]" value="' . (( $response['namespace'] ) ? $response['namespace'] : 'false') . '" />
+ − 2372
<input type="hidden" name="data[target_type]" value="' . $response['target_type'] . '" />
+ − 2373
<input type="hidden" name="data[target_id]" value="' . $response['target_id'] . '" />
+ − 2374
<input type="hidden" name="data[target_name]" value="' . $response['target_name'] . '" />
219
+ − 2375
' . ( ( $response['type'] == 'edit' ) ? '<input type="submit" value="' . $lang->get('etc_save_changes') . '" /> <input type="submit" name="data[act_delete_rule]" value="' . $lang->get('acl_btn_deleterule') . '" style="color: #AA0000;" onclick="return confirm(\'' . addslashes($lang->get('acl_msg_deleterule_confirm')) . '\');" />' : '<input type="submit" value="' . $lang->get('acl_btn_createrule') . '" />' ) . '
1
+ − 2376
</div>';
+ − 2377
echo $formend;
+ − 2378
break;
+ − 2379
case 'error':
+ − 2380
ob_end_clean();
+ − 2381
die_friendly('Error occurred', '<p>Error returned by permissions API:</p><pre>' . htmlspecialchars($response['error']) . '</pre>');
+ − 2382
break;
+ − 2383
}
+ − 2384
$ret = ob_get_contents();
+ − 2385
ob_end_clean();
+ − 2386
echo
+ − 2387
$template->getHeader() .
+ − 2388
$ret .
+ − 2389
$template->getFooter();
+ − 2390
}
/**
* Preprocessor to turn the form-submitted data from the ACL editor into something the backend can handle
* @param array $parms The posted form data (untrusted)
* @return array
* @access private
*/
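function acl_preprocess($parms)
{
    // No mode means the initial entry into the wizard: nothing to translate
    if ( !isset($parms['mode']) )
        return $parms;

    switch ( $parms['mode'] )
    {
        case 'seltarget':
            // Who's affected? target_type is untrusted form data, so it is forced to an
            // integer before being compared; the id is taken from whichever stage-1
            // input applies to that type. Missing keys yield an empty id rather than
            // an undefined-index warning.
            $parms['target_type'] = isset($parms['target_type']) ? intval($parms['target_type']) : 0;
            if ( $parms['target_type'] == ACL_TYPE_GROUP )
            {
                $parms['target_id'] = isset($parms['target_id_grp']) ? $parms['target_id_grp'] : '';
            }
            else
            {
                $parms['target_id'] = isset($parms['target_id_user']) ? $parms['target_id_user'] : '';
            }
            // Deliberate fall-through: target selection shares the scope handling below

        case 'save_edit':
        case 'save_new':
            // The "delete rule" submit button turns a save into a delete
            if ( isset($parms['act_delete_rule']) )
            {
                $parms['mode'] = 'delete';
            }

            // Scope (just this page, a page group, or the entire site?). Absent keys are
            // treated as null so a crafted or partial POST does not trigger warnings,
            // and null never equals the literal 'false' sentinel.
            $scope = isset($parms['scope']) ? $parms['scope'] : null;
            $page_id = isset($parms['page_id']) ? $parms['page_id'] : null;
            $namespace = isset($parms['namespace']) ? $parms['namespace'] : null;

            if ( $scope == 'entire_site' || ( $page_id == 'false' && $namespace == 'false' ) )
            {
                $parms['page_id'] = false;
                $parms['namespace'] = false;
            }
            else if ( $scope == 'page_group' )
            {
                // Page groups are addressed through a pseudo-namespace with the
                // group id standing in for the page id
                $parms['page_id'] = isset($parms['pg_id']) ? $parms['pg_id'] : null;
                $parms['namespace'] = '__PageGroup';
            }
            break;
    }

    // The "back to user/scope selection" button overrides everything else
    if ( isset($parms['act_go_stage1']) )
    {
        $parms = array(
            'mode' => 'listgroups'
        );
    }

    return $parms;
}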
/**
 * Normalise a response from the ACL API backend so aclmanager() always sees a 'mode'.
 * A response with no mode but with a 'groups' list is the stage-1 group listing; any
 * other mode-less response is replaced by an error response.
 * @param array The response as returned by PageUtils::acl_editor()
 * @return array
 * @access private
 */
function acl_postprocess($response)
{
    if ( isset($response['mode']) )
    {
        // Backend already said what to render
        return $response;
    }

    if ( !isset($response['groups']) )
    {
        return Array(
            'mode' => 'error',
            'error' => 'Invalid action passed by API backend.',
        );
    }

    $response['mode'] = 'stage1';
    return $response;
}
}
?>