# HG changeset patch # User Dan # Date 1195697028 18000 # Node ID 8acd77a6c19db6d02eba65537bae11918f2bbcd9 # Parent 53ba55d33abb392992e67f6c5c2a52ce79b24e19# Parent ebcc138fe4e62f70b8f7d979bee4db88df70b2d7 Merging in updates and improvements from stable diff -r ebcc138fe4e6 -r 8acd77a6c19d ajax.php --- a/ajax.php Wed Nov 21 20:40:26 2007 -0500 +++ b/ajax.php Wed Nov 21 21:03:48 2007 -0500 @@ -1,425 +1,425 @@ -connect(); - - // result is sent using JSON - $json = new Services_JSON(SERVICES_JSON_LOOSE_TYPE); - $return = Array( - 'mode' => 'success', - 'users_real' => Array() - ); - - // should be connected to the DB now - $name = (isset($_GET['name'])) ? $db->escape($_GET['name']) : false; - if ( !$name ) - { - $return = array( - 'mode' => 'error', - 'error' => 'Invalid URI' - ); - die( $json->encode($return) ); - } - $allowanon = ( isset($_GET['allowanon']) && $_GET['allowanon'] == '1' ) ? '' : ' AND user_id > 1'; - $q = $db->sql_query('SELECT username FROM '.table_prefix.'users WHERE lcase(username) LIKE lcase(\'%'.$name.'%\')' . $allowanon . ' ORDER BY username ASC;'); - if ( !$q ) - { - $return = array( - 'mode' => 'error', - 'error' => 'MySQL error selecting username data: '.addslashes(mysql_error()) - ); - die( $json->encode($return) ); - } - $i = 0; - while($r = $db->fetchrow()) - { - $return['users_real'][] = $r['username']; - $i++; - } - $db->free_result(); - - // all done! :-) - $db->close(); - - echo $json->encode( $return ); - - exit; - } - - require('includes/common.php'); - - global $db, $session, $paths, $template, $plugins; // Common objects - if(!isset($_GET['_mode'])) die('This script cannot be accessed directly.'); - - $_ob = ''; - - switch($_GET['_mode']) { - case "checkusername": - echo PageUtils::checkusername($_GET['name']); - break; - case "getsource": - $p = ( isset($_GET['pagepass']) ) ? $_GET['pagepass'] : false; - echo PageUtils::getsource($paths->page, $p); - break; - case "getpage": - // echo PageUtils::getpage($paths->page, false, ( (isset($_GET['oldid'])) ? $_GET['oldid'] : false )); - $revision_id = ( (isset($_GET['oldid'])) ? intval($_GET['oldid']) : 0 ); - $page = new PageProcessor( $paths->cpage['urlname_nons'], $paths->namespace, $revision_id ); - - $pagepass = ( isset($_REQUEST['pagepass']) ) ? $_REQUEST['pagepass'] : ''; - $page->password = $pagepass; - - $page->send(); - break; - case "savepage": - $summ = ( isset($_POST['summary']) ) ? $_POST['summary'] : ''; - $minor = isset($_POST['minor']); - $e = PageUtils::savepage($paths->cpage['urlname_nons'], $paths->namespace, $_POST['text'], $summ, $minor); - if($e=='good') - { - $page = new PageProcessor($paths->cpage['urlname_nons'], $paths->namespace); - $page->send(); - } - else - { - echo '
Error saving the page: '.$e.'
'; - } - break; - case "protect": - echo PageUtils::protect($paths->cpage['urlname_nons'], $paths->namespace, (int)$_POST['level'], $_POST['reason']); - break; - case "histlist": - echo PageUtils::histlist($paths->cpage['urlname_nons'], $paths->namespace); - break; - case "rollback": - echo PageUtils::rollback( (int)$_GET['id'] ); - break; - case "comments": - $comments = new Comments($paths->cpage['urlname_nons'], $paths->namespace); - if ( isset($_POST['data']) ) - { - $comments->process_json($_POST['data']); - } - else - { - die('{ "mode" : "error", "error" : "No input" }'); - } - break; - case "rename": - echo PageUtils::rename($paths->cpage['urlname_nons'], $paths->namespace, $_POST['newtitle']); - break; - case "flushlogs": - echo PageUtils::flushlogs($paths->cpage['urlname_nons'], $paths->namespace); - break; - case "deletepage": - $reason = ( isset($_POST['reason']) ) ? $_POST['reason'] : false; - if ( empty($reason) ) - die('Please enter a reason for deleting this page.'); - echo PageUtils::deletepage($paths->cpage['urlname_nons'], $paths->namespace, $reason); - break; - case "delvote": - echo PageUtils::delvote($paths->cpage['urlname_nons'], $paths->namespace); - break; - case "resetdelvotes": - echo PageUtils::resetdelvotes($paths->cpage['urlname_nons'], $paths->namespace); - break; - case "getstyles": - echo PageUtils::getstyles($_GET['id']); - break; - case "catedit": - echo PageUtils::catedit($paths->cpage['urlname_nons'], $paths->namespace); - break; - case "catsave": - echo PageUtils::catsave($paths->cpage['urlname_nons'], $paths->namespace, $_POST); - break; - case "setwikimode": - echo PageUtils::setwikimode($paths->cpage['urlname_nons'], $paths->namespace, (int)$_GET['mode']); - break; - case "setpass": - echo PageUtils::setpass($paths->cpage['urlname_nons'], $paths->namespace, $_POST['password']); - break; - case "fillusername": - break; - case "fillpagename": - $name = (isset($_GET['name'])) ? $_GET['name'] : false; - if(!$name) die('userlist = new Array(); namelist = new Array(); errorstring=\'Invalid URI\''); - $nd = RenderMan::strToPageID($name); - $c = 0; - $u = Array(); - $n = Array(); - - $name = sanitize_page_id($name); - $name = str_replace('_', ' ', $name); - - for($i=0;$iSQL injection attempt
'; $template->footer(); break; } - echo PageUtils::pagediff($paths->cpage['urlname_nons'], $paths->namespace, $id1, $id2); - break; - case "jsres": - die('// ERROR: this section is deprecated and has moved to includes/clientside/static/enano-lib-basic.js.'); - break; - case "rdns": - if(!$session->get_permissions('mod_misc')) die('Go somewhere else for your reverse DNS info!'); - $ip = $_GET['ip']; - $rdns = gethostbyaddr($ip); - if($rdns == $ip) echo 'Unable to get reverse DNS information. Perhaps the DNS server is down or the PTR record no longer exists.'; - else echo $rdns; - break; - case 'acljson': - $parms = ( isset($_POST['acl_params']) ) ? rawurldecode($_POST['acl_params']) : false; - echo PageUtils::acl_json($parms); - break; - case "change_theme": - if ( !isset($_POST['theme_id']) || !isset($_POST['style_id']) ) - { - die('Invalid input'); - } - if ( !preg_match('/^([a-z0-9_-]+)$/i', $_POST['theme_id']) || !preg_match('/^([a-z0-9_-]+)$/i', $_POST['style_id']) ) - { - die('Invalid input'); - } - if ( !file_exists(ENANO_ROOT . '/themes/' . $_POST['theme_id'] . '/css/' . $_POST['style_id'] . '.css') ) - { - die('Can\'t find theme file: ' . ENANO_ROOT . '/themes/' . $_POST['theme_id'] . '/css/' . $_POST['style_id'] . '.css'); - } - if ( !$session->user_logged_in ) - { - die('You must be logged in to change your theme'); - } - // Just in case something slipped through... - $theme_id = $db->escape($_POST['theme_id']); - $style_id = $db->escape($_POST['style_id']); - $e = $db->sql_query('UPDATE ' . table_prefix . "users SET theme='$theme_id', style='$style_id' WHERE user_id=$session->user_id;"); - if ( !$e ) - die( $db->get_error() ); - die('GOOD'); - break; - case 'get_tags': - $json = new Services_JSON(SERVICES_JSON_LOOSE_TYPE); - - $ret = array('tags' => array(), 'user_level' => $session->user_level, 'can_add' => $session->get_permissions('tag_create')); - $q = $db->sql_query('SELECT t.tag_id, t.tag_name, pg.pg_target IS NOT NULL AS used_in_acl, t.user FROM '.table_prefix.'tags AS t - LEFT JOIN '.table_prefix.'page_groups AS pg - ON ( ( pg.pg_type = ' . PAGE_GRP_TAGGED . ' AND pg.pg_target=t.tag_name ) OR ( pg.pg_type IS NULL AND pg.pg_target IS NULL ) ) - WHERE t.page_id=\'' . $db->escape($paths->cpage['urlname_nons']) . '\' AND t.namespace=\'' . $db->escape($paths->namespace) . '\';'); - if ( !$q ) - $db->_die(); - - while ( $row = $db->fetchrow() ) - { - $can_del = true; - - $perm = ( $row['user'] != $session->user_id ) ? - 'tag_delete_other' : - 'tag_delete_own'; - - if ( $row['user'] == 1 && !$session->user_logged_in ) - // anonymous user trying to delete tag (hardcode blacklisted) - $can_del = false; - - if ( !$session->get_permissions($perm) ) - $can_del = false; - - if ( $row['used_in_acl'] == 1 && !$session->get_permissions('edit_acl') && $session->user_level < USER_LEVEL_ADMIN ) - $can_del = false; - - $ret['tags'][] = array( - 'id' => $row['tag_id'], - 'name' => $row['tag_name'], - 'can_del' => $can_del, - 'acl' => ( $row['used_in_acl'] == 1 ) - ); - } - - echo $json->encode($ret); - - break; - case 'addtag': - $json = new Services_JSON(SERVICES_JSON_LOOSE_TYPE); - $resp = array( - 'success' => false, - 'error' => 'No error', - 'can_del' => ( $session->get_permissions('tag_delete_own') && $session->user_logged_in ), - 'in_acl' => false - ); - - // first of course, are we allowed to tag pages? - if ( !$session->get_permissions('tag_create') ) - { - $resp['error'] = 'You are not permitted to tag pages.'; - die($json->encode($resp)); - } - - // sanitize the tag name - $tag = sanitize_tag($_POST['tag']); - $tag = $db->escape($tag); - - if ( strlen($tag) < 2 ) - { - $resp['error'] = 'Tags must consist of at least 2 alphanumeric characters.'; - die($json->encode($resp)); - } - - // check if tag is already on page - $q = $db->sql_query('SELECT 1 FROM '.table_prefix.'tags WHERE page_id=\'' . $db->escape($paths->cpage['urlname_nons']) . '\' AND namespace=\'' . $db->escape($paths->namespace) . '\' AND tag_name=\'' . $tag . '\';'); - if ( !$q ) - $db->_die(); - if ( $db->numrows() > 0 ) - { - $resp['error'] = 'This page already has this tag.'; - die($json->encode($resp)); - } - $db->free_result(); - - // tricky: make sure this tag isn't being used in some page group, and thus adding it could affect page access - $can_edit_acl = ( $session->get_permissions('edit_acl') || $session->user_level >= USER_LEVEL_ADMIN ); - $q = $db->sql_query('SELECT 1 FROM '.table_prefix.'page_groups WHERE pg_type=' . PAGE_GRP_TAGGED . ' AND pg_target=\'' . $tag . '\';'); - if ( !$q ) - $db->_die(); - if ( $db->numrows() > 0 && !$can_edit_acl ) - { - $resp['error'] = 'This tag is used in an ACL page group, and thus can\'t be added to a page by people without administrator privileges.'; - die($json->encode($resp)); - } - $resp['in_acl'] = ( $db->numrows() > 0 ); - $db->free_result(); - - // we're good - $q = $db->sql_query('INSERT INTO '.table_prefix.'tags(tag_name,page_id,namespace,user) VALUES(\'' . $tag . '\', \'' . $db->escape($paths->cpage['urlname_nons']) . '\', \'' . $db->escape($paths->namespace) . '\', ' . $session->user_id . ');'); - if ( !$q ) - $db->_die(); - - $resp['success'] = true; - $resp['tag'] = $tag; - $resp['tag_id'] = $db->insert_id(); - - echo $json->encode($resp); - break; - case 'deltag': - - $tag_id = intval($_POST['tag_id']); - if ( empty($tag_id) ) - die('Invalid tag ID'); - - $q = $db->sql_query('SELECT t.tag_id, t.user, t.page_id, t.namespace, pg.pg_target IS NOT NULL AS used_in_acl FROM '.table_prefix.'tags AS t - LEFT JOIN '.table_prefix.'page_groups AS pg - ON ( pg.pg_id IS NULL OR ( pg.pg_target = t.tag_name AND pg.pg_type = ' . PAGE_GRP_TAGGED . ' ) ) - WHERE t.tag_id=' . $tag_id . ';'); - - if ( !$q ) - $db->_die(); - - if ( $db->numrows() < 1 ) - die('Could not find a tag with that ID'); - - $row = $db->fetchrow(); - $db->free_result(); - - if ( $row['page_id'] == $paths->cpage['urlname_nons'] && $row['namespace'] == $paths->namespace ) - $perms =& $session; - else - $perms = $session->fetch_page_acl($row['page_id'], $row['namespace']); - - $perm = ( $row['user'] != $session->user_id ) ? - 'tag_delete_other' : - 'tag_delete_own'; - - if ( $row['user'] == 1 && !$session->user_logged_in ) - // anonymous user trying to delete tag (hardcode blacklisted) - die('You are not authorized to delete this tag.'); - - if ( !$perms->get_permissions($perm) ) - die('You are not authorized to delete this tag.'); - - if ( $row['used_in_acl'] == 1 && !$perms->get_permissions('edit_acl') && $session->user_level < USER_LEVEL_ADMIN ) - die('You are not authorized to delete this tag.'); - - // We're good - $q = $db->sql_query('DELETE FROM '.table_prefix.'tags WHERE tag_id = ' . $tag_id . ';'); - if ( !$q ) - $db->_die(); - - echo 'success'; - - break; - case 'ping': - echo 'pong'; - break; - default: - die('Hacking attempt'); - break; - } - +connect(); + + // result is sent using JSON + $json = new Services_JSON(SERVICES_JSON_LOOSE_TYPE); + $return = Array( + 'mode' => 'success', + 'users_real' => Array() + ); + + // should be connected to the DB now + $name = (isset($_GET['name'])) ? $db->escape($_GET['name']) : false; + if ( !$name ) + { + $return = array( + 'mode' => 'error', + 'error' => 'Invalid URI' + ); + die( $json->encode($return) ); + } + $allowanon = ( isset($_GET['allowanon']) && $_GET['allowanon'] == '1' ) ? '' : ' AND user_id > 1'; + $q = $db->sql_query('SELECT username FROM '.table_prefix.'users WHERE lcase(username) LIKE lcase(\'%'.$name.'%\')' . $allowanon . ' ORDER BY username ASC;'); + if ( !$q ) + { + $return = array( + 'mode' => 'error', + 'error' => 'MySQL error selecting username data: '.addslashes(mysql_error()) + ); + die( $json->encode($return) ); + } + $i = 0; + while($r = $db->fetchrow()) + { + $return['users_real'][] = $r['username']; + $i++; + } + $db->free_result(); + + // all done! :-) + $db->close(); + + echo $json->encode( $return ); + + exit; + } + + require('includes/common.php'); + + global $db, $session, $paths, $template, $plugins; // Common objects + if(!isset($_GET['_mode'])) die('This script cannot be accessed directly.'); + + $_ob = ''; + + switch($_GET['_mode']) { + case "checkusername": + echo PageUtils::checkusername($_GET['name']); + break; + case "getsource": + $p = ( isset($_GET['pagepass']) ) ? $_GET['pagepass'] : false; + echo PageUtils::getsource($paths->page, $p); + break; + case "getpage": + // echo PageUtils::getpage($paths->page, false, ( (isset($_GET['oldid'])) ? $_GET['oldid'] : false )); + $revision_id = ( (isset($_GET['oldid'])) ? intval($_GET['oldid']) : 0 ); + $page = new PageProcessor( $paths->cpage['urlname_nons'], $paths->namespace, $revision_id ); + + $pagepass = ( isset($_REQUEST['pagepass']) ) ? $_REQUEST['pagepass'] : ''; + $page->password = $pagepass; + + $page->send(); + break; + case "savepage": + $summ = ( isset($_POST['summary']) ) ? $_POST['summary'] : ''; + $minor = isset($_POST['minor']); + $e = PageUtils::savepage($paths->cpage['urlname_nons'], $paths->namespace, $_POST['text'], $summ, $minor); + if($e=='good') + { + $page = new PageProcessor($paths->cpage['urlname_nons'], $paths->namespace); + $page->send(); + } + else + { + echo 'Error saving the page: '.$e.'
'; + } + break; + case "protect": + echo PageUtils::protect($paths->cpage['urlname_nons'], $paths->namespace, (int)$_POST['level'], $_POST['reason']); + break; + case "histlist": + echo PageUtils::histlist($paths->cpage['urlname_nons'], $paths->namespace); + break; + case "rollback": + echo PageUtils::rollback( (int)$_GET['id'] ); + break; + case "comments": + $comments = new Comments($paths->cpage['urlname_nons'], $paths->namespace); + if ( isset($_POST['data']) ) + { + $comments->process_json($_POST['data']); + } + else + { + die('{ "mode" : "error", "error" : "No input" }'); + } + break; + case "rename": + echo PageUtils::rename($paths->cpage['urlname_nons'], $paths->namespace, $_POST['newtitle']); + break; + case "flushlogs": + echo PageUtils::flushlogs($paths->cpage['urlname_nons'], $paths->namespace); + break; + case "deletepage": + $reason = ( isset($_POST['reason']) ) ? $_POST['reason'] : false; + if ( empty($reason) ) + die('Please enter a reason for deleting this page.'); + echo PageUtils::deletepage($paths->cpage['urlname_nons'], $paths->namespace, $reason); + break; + case "delvote": + echo PageUtils::delvote($paths->cpage['urlname_nons'], $paths->namespace); + break; + case "resetdelvotes": + echo PageUtils::resetdelvotes($paths->cpage['urlname_nons'], $paths->namespace); + break; + case "getstyles": + echo PageUtils::getstyles($_GET['id']); + break; + case "catedit": + echo PageUtils::catedit($paths->cpage['urlname_nons'], $paths->namespace); + break; + case "catsave": + echo PageUtils::catsave($paths->cpage['urlname_nons'], $paths->namespace, $_POST); + break; + case "setwikimode": + echo PageUtils::setwikimode($paths->cpage['urlname_nons'], $paths->namespace, (int)$_GET['mode']); + break; + case "setpass": + echo PageUtils::setpass($paths->cpage['urlname_nons'], $paths->namespace, $_POST['password']); + break; + case "fillusername": + break; + case "fillpagename": + $name = (isset($_GET['name'])) ? $_GET['name'] : false; + if(!$name) die('userlist = new Array(); namelist = new Array(); errorstring=\'Invalid URI\''); + $nd = RenderMan::strToPageID($name); + $c = 0; + $u = Array(); + $n = Array(); + + $name = sanitize_page_id($name); + $name = str_replace('_', ' ', $name); + + for($i=0;$iSQL injection attempt
'; $template->footer(); break; } + echo PageUtils::pagediff($paths->cpage['urlname_nons'], $paths->namespace, $id1, $id2); + break; + case "jsres": + die('// ERROR: this section is deprecated and has moved to includes/clientside/static/enano-lib-basic.js.'); + break; + case "rdns": + if(!$session->get_permissions('mod_misc')) die('Go somewhere else for your reverse DNS info!'); + $ip = $_GET['ip']; + $rdns = gethostbyaddr($ip); + if($rdns == $ip) echo 'Unable to get reverse DNS information. Perhaps the DNS server is down or the PTR record no longer exists.'; + else echo $rdns; + break; + case 'acljson': + $parms = ( isset($_POST['acl_params']) ) ? rawurldecode($_POST['acl_params']) : false; + echo PageUtils::acl_json($parms); + break; + case "change_theme": + if ( !isset($_POST['theme_id']) || !isset($_POST['style_id']) ) + { + die('Invalid input'); + } + if ( !preg_match('/^([a-z0-9_-]+)$/i', $_POST['theme_id']) || !preg_match('/^([a-z0-9_-]+)$/i', $_POST['style_id']) ) + { + die('Invalid input'); + } + if ( !file_exists(ENANO_ROOT . '/themes/' . $_POST['theme_id'] . '/css/' . $_POST['style_id'] . '.css') ) + { + die('Can\'t find theme file: ' . ENANO_ROOT . '/themes/' . $_POST['theme_id'] . '/css/' . $_POST['style_id'] . '.css'); + } + if ( !$session->user_logged_in ) + { + die('You must be logged in to change your theme'); + } + // Just in case something slipped through... + $theme_id = $db->escape($_POST['theme_id']); + $style_id = $db->escape($_POST['style_id']); + $e = $db->sql_query('UPDATE ' . table_prefix . "users SET theme='$theme_id', style='$style_id' WHERE user_id=$session->user_id;"); + if ( !$e ) + die( $db->get_error() ); + die('GOOD'); + break; + case 'get_tags': + $json = new Services_JSON(SERVICES_JSON_LOOSE_TYPE); + + $ret = array('tags' => array(), 'user_level' => $session->user_level, 'can_add' => $session->get_permissions('tag_create')); + $q = $db->sql_query('SELECT t.tag_id, t.tag_name, pg.pg_target IS NOT NULL AS used_in_acl, t.user FROM '.table_prefix.'tags AS t + LEFT JOIN '.table_prefix.'page_groups AS pg + ON ( ( pg.pg_type = ' . PAGE_GRP_TAGGED . ' AND pg.pg_target=t.tag_name ) OR ( pg.pg_type IS NULL AND pg.pg_target IS NULL ) ) + WHERE t.page_id=\'' . $db->escape($paths->cpage['urlname_nons']) . '\' AND t.namespace=\'' . $db->escape($paths->namespace) . '\';'); + if ( !$q ) + $db->_die(); + + while ( $row = $db->fetchrow() ) + { + $can_del = true; + + $perm = ( $row['user'] != $session->user_id ) ? + 'tag_delete_other' : + 'tag_delete_own'; + + if ( $row['user'] == 1 && !$session->user_logged_in ) + // anonymous user trying to delete tag (hardcode blacklisted) + $can_del = false; + + if ( !$session->get_permissions($perm) ) + $can_del = false; + + if ( $row['used_in_acl'] == 1 && !$session->get_permissions('edit_acl') && $session->user_level < USER_LEVEL_ADMIN ) + $can_del = false; + + $ret['tags'][] = array( + 'id' => $row['tag_id'], + 'name' => $row['tag_name'], + 'can_del' => $can_del, + 'acl' => ( $row['used_in_acl'] == 1 ) + ); + } + + echo $json->encode($ret); + + break; + case 'addtag': + $json = new Services_JSON(SERVICES_JSON_LOOSE_TYPE); + $resp = array( + 'success' => false, + 'error' => 'No error', + 'can_del' => ( $session->get_permissions('tag_delete_own') && $session->user_logged_in ), + 'in_acl' => false + ); + + // first of course, are we allowed to tag pages? + if ( !$session->get_permissions('tag_create') ) + { + $resp['error'] = 'You are not permitted to tag pages.'; + die($json->encode($resp)); + } + + // sanitize the tag name + $tag = sanitize_tag($_POST['tag']); + $tag = $db->escape($tag); + + if ( strlen($tag) < 2 ) + { + $resp['error'] = 'Tags must consist of at least 2 alphanumeric characters.'; + die($json->encode($resp)); + } + + // check if tag is already on page + $q = $db->sql_query('SELECT 1 FROM '.table_prefix.'tags WHERE page_id=\'' . $db->escape($paths->cpage['urlname_nons']) . '\' AND namespace=\'' . $db->escape($paths->namespace) . '\' AND tag_name=\'' . $tag . '\';'); + if ( !$q ) + $db->_die(); + if ( $db->numrows() > 0 ) + { + $resp['error'] = 'This page already has this tag.'; + die($json->encode($resp)); + } + $db->free_result(); + + // tricky: make sure this tag isn't being used in some page group, and thus adding it could affect page access + $can_edit_acl = ( $session->get_permissions('edit_acl') || $session->user_level >= USER_LEVEL_ADMIN ); + $q = $db->sql_query('SELECT 1 FROM '.table_prefix.'page_groups WHERE pg_type=' . PAGE_GRP_TAGGED . ' AND pg_target=\'' . $tag . '\';'); + if ( !$q ) + $db->_die(); + if ( $db->numrows() > 0 && !$can_edit_acl ) + { + $resp['error'] = 'This tag is used in an ACL page group, and thus can\'t be added to a page by people without administrator privileges.'; + die($json->encode($resp)); + } + $resp['in_acl'] = ( $db->numrows() > 0 ); + $db->free_result(); + + // we're good + $q = $db->sql_query('INSERT INTO '.table_prefix.'tags(tag_name,page_id,namespace,user) VALUES(\'' . $tag . '\', \'' . $db->escape($paths->cpage['urlname_nons']) . '\', \'' . $db->escape($paths->namespace) . '\', ' . $session->user_id . ');'); + if ( !$q ) + $db->_die(); + + $resp['success'] = true; + $resp['tag'] = $tag; + $resp['tag_id'] = $db->insert_id(); + + echo $json->encode($resp); + break; + case 'deltag': + + $tag_id = intval($_POST['tag_id']); + if ( empty($tag_id) ) + die('Invalid tag ID'); + + $q = $db->sql_query('SELECT t.tag_id, t.user, t.page_id, t.namespace, pg.pg_target IS NOT NULL AS used_in_acl FROM '.table_prefix.'tags AS t + LEFT JOIN '.table_prefix.'page_groups AS pg + ON ( pg.pg_id IS NULL OR ( pg.pg_target = t.tag_name AND pg.pg_type = ' . PAGE_GRP_TAGGED . ' ) ) + WHERE t.tag_id=' . $tag_id . ';'); + + if ( !$q ) + $db->_die(); + + if ( $db->numrows() < 1 ) + die('Could not find a tag with that ID'); + + $row = $db->fetchrow(); + $db->free_result(); + + if ( $row['page_id'] == $paths->cpage['urlname_nons'] && $row['namespace'] == $paths->namespace ) + $perms =& $session; + else + $perms = $session->fetch_page_acl($row['page_id'], $row['namespace']); + + $perm = ( $row['user'] != $session->user_id ) ? + 'tag_delete_other' : + 'tag_delete_own'; + + if ( $row['user'] == 1 && !$session->user_logged_in ) + // anonymous user trying to delete tag (hardcode blacklisted) + die('You are not authorized to delete this tag.'); + + if ( !$perms->get_permissions($perm) ) + die('You are not authorized to delete this tag.'); + + if ( $row['used_in_acl'] == 1 && !$perms->get_permissions('edit_acl') && $session->user_level < USER_LEVEL_ADMIN ) + die('You are not authorized to delete this tag.'); + + // We're good + $q = $db->sql_query('DELETE FROM '.table_prefix.'tags WHERE tag_id = ' . $tag_id . ';'); + if ( !$q ) + $db->_die(); + + echo 'success'; + + break; + case 'ping': + echo 'pong'; + break; + default: + die('Hacking attempt'); + break; + } + ?> \ No newline at end of file diff -r ebcc138fe4e6 -r 8acd77a6c19d includes/clientside/static/acl.js --- a/includes/clientside/static/acl.js Wed Nov 21 20:40:26 2007 -0500 +++ b/includes/clientside/static/acl.js Wed Nov 21 21:03:48 2007 -0500 @@ -59,7 +59,7 @@ { document.getElementById(aclManagerID+'_main').innerHTML = ''; document.getElementById(aclManagerID + '_back').style.display = 'none'; - document.getElementById(aclManagerID + '_next').value = 'Next >'; + document.getElementById(aclManagerID + '_next').value = $lang.get('etc_wizard_next'); groups = parseJSON(ajax.responseText); if ( groups.mode == 'error' ) { @@ -104,13 +104,13 @@ grpb.onclick = function() { seed = this.className; document.getElementById('enACL_grpbox_'+seed).style.display = 'block'; document.getElementById('enACL_usrbox_'+seed).style.display = 'none'; }; lbl = document.createElement('label'); lbl.appendChild(grpb); - lbl.appendChild(document.createTextNode('A usergroup')); + lbl.appendChild(document.createTextNode($lang.get('acl_radio_usergroup'))); lbl.style.display = 'block'; span.appendChild(grpsel); anoninfo = document.createElement('div'); anoninfo.className = 'info-box-mini'; - anoninfo.appendChild(document.createTextNode('To edit permissions for guests, select "a specific user", and enter Anonymous as the username.')); + anoninfo.appendChild(document.createTextNode($lang.get('acl_msg_guest_howto'))); span.appendChild(document.createElement('br')); span.appendChild(anoninfo); @@ -122,7 +122,7 @@ usrb.onclick = function() { seed = this.className; document.getElementById('enACL_grpbox_'+seed).style.display = 'none'; document.getElementById('enACL_usrbox_'+seed).style.display = 'block'; }; lbl2 = document.createElement('label'); lbl2.appendChild(usrb); - lbl2.appendChild(document.createTextNode('A specific user')); + lbl2.appendChild(document.createTextNode($lang.get('acl_radio_user'))); lbl2.style.display = 'block'; usrsel = document.createElement('input'); @@ -167,21 +167,21 @@ lblPage = document.createElement('label'); lblPage.style.display = 'block'; lblPage.appendChild(scopeRadioPage); - lblPage.appendChild(document.createTextNode('Only this page')); + lblPage.appendChild(document.createTextNode($lang.get('acl_radio_scope_thispage'))); lblGlobal = document.createElement('label'); lblGlobal.style.display = 'block'; lblGlobal.appendChild(scopeRadioGlobal); - lblGlobal.appendChild(document.createTextNode('The entire website')); + lblGlobal.appendChild(document.createTextNode($lang.get('acl_radio_scope_wholesite'))); lblGroup = document.createElement('label'); lblGroup.style.display = 'block'; lblGroup.appendChild(scopeRadioGroup); - lblGroup.appendChild(document.createTextNode('A group of pages')); + lblGroup.appendChild(document.createTextNode($lang.get('acl_radio_scope_pagegroup'))); scopediv1.appendChild(lblPage); scopediv2.appendChild(lblGroup); scopediv3.appendChild(lblGlobal); scopedesc = document.createElement('p'); - scopedesc.appendChild(document.createTextNode('What should this access rule control?')); + scopedesc.appendChild(document.createTextNode($lang.get('acl_lbl_scope'))); scopePGrp = document.createElement('select'); scopePGrp.style.marginLeft = '13px'; @@ -219,10 +219,10 @@ container.style.paddingTop = '50px'; head = document.createElement('h2'); - head.appendChild(document.createTextNode('Manage page access')); + head.appendChild(document.createTextNode($lang.get('acl_lbl_welcome_title'))); desc = document.createElement('p'); - desc.appendChild(document.createTextNode('Please select who should be affected by this access rule.')); + desc.appendChild(document.createTextNode($lang.get('acl_lbl_welcome_body'))); container.appendChild(head); container.appendChild(desc); @@ -319,11 +319,14 @@ // Build the ACL edit form // try { - act_desc = ( data.type == 'new' ) ? 'Create access rule' : 'Editing permissions'; - target_type_t = ( data.target_type == 1 ) ? 'group' : 'user'; - target_name_t = data.target_name; - var scope_type = ( data.page_id == false && data.namespace == false ) ? 'this entire site' : ( data.namespace == '__PageGroup' ) ? 'this group of pages' : 'this page'; - html = 'This panel allows you to edit what the '+target_type_t+' "'+target_name_t+'" can do on ' + scope_type + '. Unless you set a permission to "Deny", these permissions may be overridden by other rules.
'; + + var act_desc = ( data.type == 'new' ) ? $lang.get('acl_lbl_editwin_title_create') : $lang.get('acl_lbl_editwin_title_edit'); + var target_type_t = ( data.target_type == 1 ) ? $lang.get('acl_target_type_group') : $lang.get('acl_target_type_user'); + var target_name_t = data.target_name; + var scope_type = ( data.page_id == false && data.namespace == false ) ? $lang.get('acl_scope_type_wholesite') : ( data.namespace == '__PageGroup' ) ? $lang.get('acl_scope_type_pagegroup') : $lang.get('acl_scope_type_thispage'); + + html = '' + $lang.get('acl_lbl_editwin_body', { target_type: target_type_t, target: target_name_t, scope_type: scope_type }) + '
'; parser = new templateParser(data.template.acl_field_begin); html += parser.run(); @@ -335,7 +338,14 @@ cls = ( cls == 'row1' ) ? 'row2' : 'row1'; p = new templateParser(data.template.acl_field_item); vars = new Object(); - vars['FIELD_DESC'] = data.acl_descs[i]; + if ( data.acl_descs[i].match(/^([a-z0-9_]+)$/) ) + { + vars['FIELD_DESC'] = $lang.get(data.acl_descs[i]); + } + else + { + vars['FIELD_DESC'] = data.acl_descs[i]; + } vars['FIELD_DENY_CHECKED'] = ''; vars['FIELD_DISALLOW_CHECKED'] = ''; vars['FIELD_WIKIMODE_CHECKED'] = ''; @@ -367,7 +377,7 @@ html += parser.run(); if(data.type == 'edit') - html += ''; + html += '' + $lang.get('acl_lbl_deleterule') + '
'; var main = document.getElementById(aclManagerID + '_main'); main.innerHTML = html; @@ -383,7 +393,7 @@ aclPermList = array_keys(data.acl_types); document.getElementById(aclManagerID + '_back').style.display = 'inline'; - document.getElementById(aclManagerID + '_next').value = 'Save Changes'; + document.getElementById(aclManagerID + '_next').value = $lang.get('etc_save_changes'); // } catch(e) { alert(e); aclDebug(ajax.responseText); } @@ -393,24 +403,24 @@ note.className = 'info-box'; note.style.marginLeft = '0'; var b = document.createElement('b'); - b.appendChild(document.createTextNode('Permissions updated')); + b.appendChild(document.createTextNode($lang.get('acl_lbl_save_success_title'))); note.appendChild(b); note.appendChild(document.createElement('br')); - note.appendChild(document.createTextNode('The permissions for '+data.target_name+' on this page have been updated successfully. If you changed permissions that affect your user account, you may not see changes until you reload the page.')); + note.appendChild(document.createTextNode($lang.get('acl_lbl_save_success_body', { target_name: data.target_name }))); note.appendChild(document.createElement('br')); var a = document.createElement('a'); a.href = 'javascript:void(0);'; a.onclick = function() { this.parentNode.parentNode.removeChild(this.parentNode); return false; }; - a.appendChild(document.createTextNode('[ dismiss :')); + a.appendChild(document.createTextNode('[ ' + $lang.get('acl_btn_success_dismiss') + ' :')); note.appendChild(a); var a2 = document.createElement('a'); a2.href = 'javascript:void(0);'; a2.onclick = function() { killACLManager(); return false; }; - a2.appendChild(document.createTextNode(': close manager ]')); + a2.appendChild(document.createTextNode(': ' + $lang.get('acl_btn_success_close') + ' ]')); note.appendChild(a2); document.getElementById(aclManagerID + '_main').insertBefore(note, document.getElementById(aclManagerID + '_main').firstChild); if(!document.getElementById(aclManagerID+'_deletelnk')) - document.getElementById(aclManagerID + '_main').innerHTML += ''; + document.getElementById(aclManagerID + '_main').innerHTML += '' + $lang.get('acl_lbl_deleterule') + '
'; //fadeInfoBoxes(); document.getElementById(aclManagerID+'_main').scrollTop = 0; @@ -428,7 +438,7 @@ { document.getElementById(aclManagerID+'_main').innerHTML = ''; document.getElementById(aclManagerID + '_back').style.display = 'none'; - document.getElementById(aclManagerID + '_next').value = 'Next >'; + document.getElementById(aclManagerID + '_next').value = $lang.get('etc_wizard_next'); var thispage = strToPageID(title); groups.page_id = thispage[0]; groups.namespace = thispage[1]; @@ -441,20 +451,20 @@ note.style.width = '558px'; note.id = 'aclSuccessNotice_' + Math.floor(Math.random() * 100000); b = document.createElement('b'); - b.appendChild(document.createTextNode('Entry deleted')); + b.appendChild(document.createTextNode($lang.get('acl_lbl_delete_success_title'))); note.appendChild(b); note.appendChild(document.createElement('br')); - note.appendChild(document.createTextNode('The access rules for '+aclDataCache.target_name+' on this page have been deleted.')); + note.appendChild(document.createTextNode($lang.get('acl_lbl_delete_success_title', { target_name: aclDataCache.target_name }))); note.appendChild(document.createElement('br')); a = document.createElement('a'); a.href = '#'; a.onclick = function() { opacity(this.parentNode.id, 100, 0, 1000); setTimeout('var div = document.getElementById("' + this.parentNode.id + '"); div.parentNode.removeChild(div);', 1100); return false; }; - a.appendChild(document.createTextNode('[ dismiss :')); + a.appendChild(document.createTextNode('[ ' + $lang.get('acl_btn_success_dismiss') + ' :')); note.appendChild(a); a = document.createElement('a'); a.href = '#'; a.onclick = function() { killACLManager(); return false; }; - a.appendChild(document.createTextNode(': close manager ]')); + a.appendChild(document.createTextNode(': ' + $lang.get('acl_btn_success_close') + ' ]')); note.appendChild(a); document.getElementById(aclManagerID + '_main').insertBefore(note, document.getElementById(aclManagerID + '_main').firstChild); //fadeInfoBoxes(); @@ -542,7 +552,7 @@ back = document.createElement('input'); back.type = 'button'; - back.value = '< Back'; + back.value = $lang.get('etc_wizard_back'); back.style.fontWeight = 'normal'; back.onclick = function() { ajaxACLSwitchToSelector(); return false; }; back.style.display = 'none'; @@ -550,14 +560,14 @@ saver = document.createElement('input'); saver.type = 'submit'; - saver.value = 'Next >'; + saver.value = $lang.get('etc_wizard_next'); saver.style.fontWeight = 'bold'; saver.id = aclManagerID + '_next'; closer = document.createElement('input'); closer.type = 'button'; - closer.value = 'Cancel Changes'; - closer.onclick = function() { if(!confirm('Do you really want to close the ACL manager?')) return false; killACLManager(); return false; } + closer.value = $lang.get('etc_cancel_changes'); + closer.onclick = function() { if(!confirm($lang.get('acl_msg_closeacl_confirm'))) return false; killACLManager(); return false; } spacer1 = document.createTextNode(' '); spacer2 = document.createTextNode(' '); @@ -624,7 +634,7 @@ var target_type = parseInt(getRadioState(thefrm, 'target_type', ['1', '2'])); if(isNaN(target_type)) { - alert('Please select a target type.'); + alert($lang.get('acl_err_pleaseselect_targettype')); return false; } target_id = ( target_type == 1 ) ? parseInt(thefrm.group_id.value) : thefrm.username.value; @@ -666,7 +676,7 @@ } if(target_id == '') { - alert('Please enter a username.'); + alert($lang.get('acl_err_pleaseselect_username')); return false; } __aclJSONSubmitAjaxHandler(obj); diff -r ebcc138fe4e6 -r 8acd77a6c19d includes/clientside/static/ajax.js --- a/includes/clientside/static/ajax.js Wed Nov 21 20:40:26 2007 -0500 +++ b/includes/clientside/static/ajax.js Wed Nov 21 21:03:48 2007 -0500 @@ -71,7 +71,7 @@ if(ajax.readyState == 4) { unsetAjaxLoading(); if(edit_open) { - c=confirm('Do you really want to revert your changes?'); + c=confirm($lang.get('editor_msg_revert_confirm')); if(!c) return; } edit_open = true; @@ -82,18 +82,18 @@ // Allow the textarea grippifier to re-create the resizer control on the textarea grippied_textareas.pop(in_array('ajaxEditArea', grippied_textareas)); } - disableUnload('If you do, any changes that you have made to this page will be lost.'); + disableUnload($lang.get('editor_msg_unload')); var switcher = ( readCookie('enano_editor_mode') == 'tinymce' ) ? - 'wikitext editor | graphical editor' : - 'wikitext editor | graphical editor' ; + '' + $lang.get('editor_btn_wikitext') + ' | ' + $lang.get('editor_btn_graphical') : + $lang.get('editor_btn_wikitext') + ' | ' + $lang.get('editor_btn_graphical') + '' ; document.getElementById('ajaxEditContainer').innerHTML = '\ \ ' + switcher + 'Fetching an encryption key...
\ -Not working? Use the alternate login form.
\ +' + $lang.get('user_login_ajax_fetching_key') + '
\ +' + $lang.get('user_login_ajax_link_fullform', { link_full_form: makeUrlNS('Special', 'Login/' + title) }) + '
\ \Username: | \ + | ' + $lang.get('user_login_field_username') + ': | \ |
Password: | \ + | ' + $lang.get('user_login_field_password') + ': | \ |
\
- Trouble logging in? Try the full login form. '; + ' + $lang.get('user_login_ajax_link_fullform', { link_full_form: makeUrlNS('Special', 'Login/' + title, 'level=' + level) }) + ' '; if ( level <= USER_LEVEL_MEMBER ) { form_html += ' \ - Did you forget your password? \ - Maybe you need to create an account.'; + ' + $lang.get('user_login_ajax_link_forgotpass', { forgotpass_link: makeUrlNS('Special', 'PasswordReset') }) + ' \ + ' + $lang.get('user_login_createaccount_blurb', { reg_link: makeUrlNS('Special', 'Register') }); } - form_html += ' \ + form_html += ' \ | \
Logging in...
\ +' + $lang.get('user_login_ajax_loggingin') + '
\ \