<?php |
2 |
/* |
|
3 |
* Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between |
|
4 |
* Version 1.0.1 (Loch Ness) |
1 | 5 |
* Copyright (C) 2006-2007 Dan Fuhry |
6 |
* pageutils.php - a class that handles raw page manipulations, used mostly by AJAX requests or their old-fashioned form-based counterparts |
|
7 |
* |
|
8 |
* This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License |
|
9 |
* as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. |
|
10 |
* |
|
11 |
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied |
|
12 |
* warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for details. |
|
13 |
*/ |
|
14 |
||
15 |
class PageUtils { |
|
16 |
||
17 |
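/**
 * Check whether a username is still available.
 *
 * Despite the old summary ("list possible username completions"), this runs a
 * single exact-match lookup against the users table; it does not return
 * completions.
 *
 * @param string $name the username to look up (URL-encoded input is decoded first)
 * @return string 'good' if no user has that name, 'bad' if the name is taken
 */
function checkusername($name)
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  // Decode first, then escape, so the escaped value is exactly what reaches the query.
  $name_sql = $db->escape(rawurldecode($name));
  $q = $db->sql_query('SELECT username FROM '.table_prefix.'users WHERE username=\''.$name_sql.'\'');
  if(!$q)
  {
    // Route through the common handler rather than die(mysql_error()): the raw driver
    // message (table names, query fragments) should not be echoed to the client. This
    // also matches how every other query failure in this file is reported.
    $db->_die('The username lookup query could not be executed.');
  }
  $taken = ( $db->numrows() > 0 );
  $db->free_result();
  return $taken ? 'bad' : 'good';
}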
|
31 |
||
32 |
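/**
 * Get the wiki formatting source for a page.
 *
 * Checks run in this order: the page must be in the page index; if it carries a
 * password (a 40-character digest) the supplied digest must match; the caller must
 * hold view_source (whose ACL dependencies also cover read); Special/Admin pages
 * have no stored source and terminate the request.
 *
 * @param string $page the full page id (Namespace:Pagename)
 * @param string|bool $password digest of the page password, or false if none was supplied
 * @return string HTML-escaped page source; '' if the page or its text row is missing;
 *                'invalid_password' or 'access_denied' on the respective failure
 */
function getsource($page, $password = false)
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  if(!isset($paths->pages[$page]))
  {
    return '';
  }

  if(strlen($paths->pages[$page]['password']) == 40)
  {
    // Strict comparison. Both sides are hex digests; with a loose != two digests of the
    // form "0e<digits>" compare equal as floats and the check would pass for the wrong
    // password. (hash_equals(), PHP >= 5.6, would be preferable where available since it
    // is also constant-time.)
    if(!$password || ( (string)$password !== (string)$paths->pages[$page]['password'] ))
    {
      return 'invalid_password';
    }
  }

  if(!$session->get_permissions('view_source')) // Dependencies handle this for us - this also checks for read privileges
    return 'access_denied';
  $pid = RenderMan::strToPageID($page);
  if($pid[1] == 'Special' || $pid[1] == 'Admin')
  {
    die('This type of page ('.$paths->nslist[$pid[1]].') cannot be edited because the page source code is not stored in the database.');
  }

  // Escape both halves of the page id: they are derived from the request string, not
  // read back from the page table, so the index lookup above is not a sanitiser.
  $e = $db->sql_query('SELECT page_text,char_tag FROM '.table_prefix.'page_text WHERE page_id=\''.$db->escape($pid[0]).'\' AND namespace=\''.$db->escape($pid[1]).'\'');
  if ( !$e )
  {
    $db->_die('The page text could not be selected.');
  }
  if( $db->numrows() < 1 )
  {
    return ''; // page is registered but has no text row yet
  }

  $r = $db->fetchrow();
  $db->free_result();

  // Escaped so the caller can drop it straight into a <textarea> or <pre>.
  return htmlspecialchars($r['page_text']);
}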
|
79 |
||
80 |
/**
 * Basically a frontend to RenderMan::getPage(), with the ability to send valid data for nonexistent pages
 *
 * DEPRECATED AND DEAD: the first statement of the body is die(), so nothing below it
 * ever executes. The remainder is kept only as history of the old rendering path and
 * should not be revived as-is (see the NOTE(review) comments on the eval() and
 * call_user_func() sites).
 *
 * @param $page the full page id (Namespace:Pagename)
 * @param $send_headers true if the theme headers should be sent (still dependent on current page settings), false otherwise
 * @param $hist_id false for the current revision, otherwise a logs.time_id selecting an archived revision
 * @return string
 */

function getpage($page, $send_headers = false, $hist_id = false)
{
  // Unconditional exit: everything after this line is unreachable.
  die('PageUtils->getpage is deprecated.');
  global $db, $session, $paths, $template, $plugins; // Common objects
  ob_start();
  $pid = RenderMan::strToPageID($page);
  //die('<pre>'.print_r($pid, true).'</pre>');
  // A 40-character password field marks a password-protected page.
  if(isset($paths->pages[$page]['password']) && strlen($paths->pages[$page]['password']) == 40)
  {
    password_prompt($page);
  }
  if(isset($paths->pages[$page]))
  {
    doStats($pid[0], $pid[1]);
  }
  if($paths->custom_page || $pid[1] == 'Special')
  {
    // If we don't have access to the page, get out and quick!
    // Login and Register are the only Special pages exempt from the read check.
    if(!$session->get_permissions('read') && $pid[0] != 'Login' && $pid[0] != 'Register')
    {
      $template->tpl_strings['PAGE_NAME'] = 'Access denied';

      if ( $send_headers )
      {
        $template->header();
      }

      echo '<div class="error-box"><b>Access to this page is denied.</b><br />This may be because you are not logged in or you have not met certain criteria for viewing this page.</div>';

      if ( $send_headers )
      {
        $template->footer();
      }

      $r = ob_get_contents();
      ob_end_clean();
      return $r;
    }

    // NOTE(review): the handler name is built from the page's urlname and invoked with
    // errors suppressed; the urlname comes from the page index, not directly from the
    // request, but a missing handler fails silently here.
    $fname = 'page_'.$pid[1].'_'.$paths->pages[$page]['urlname_nons'];
    @call_user_func($fname);

  }
  else if ( $pid[1] == 'Admin' )
  {
    // If we don't have access to the page, get out and quick!
    if(!$session->get_permissions('read'))
    {
      $template->tpl_strings['PAGE_NAME'] = 'Access denied';
      if ( $send_headers )
      {
        $template->header();
      }
      echo '<div class="error-box"><b>Access to this page is denied.</b><br />This may be because you are not logged in or you have not met certain criteria for viewing this page.</div>';
      if ( $send_headers )
      {
        $template->footer();
      }
      $r = ob_get_contents();
      ob_end_clean();
      return $r;
    }

    // Admin pages dispatch on the raw page id ($pid[0]) rather than the index entry.
    $fname = 'page_'.$pid[1].'_'.$pid[0];
    if ( !function_exists($fname) )
    {
      $title = 'Page backend not found';
      // $fname is interpolated into HTML unescaped; it is derived from the request path.
      $message = "The administration page you are looking for was properly registered using the page API, but the backend function
      (<tt>$fname</tt>) was not found. If this is a plugin page, then this is almost certainly a bug with the plugin.";
      if ( $send_headers )
      {
        die_friendly($title, "<p>$message</p>");
      }
      else
      {
        echo "<h2>$title</h2>\n<p>$message</p>";
      }
    }
    // Reached even when function_exists() failed above (the else branch only echoes);
    // the @ hides the resulting warning.
    @call_user_func($fname);
  }
  else if ( !isset( $paths->pages[$page] ) )
  {
    ob_start();
    // Plugin hook: each registered snippet is eval()'d as PHP. Any output captured
    // here replaces the built-in 404 page entirely.
    $code = $plugins->setHook('page_not_found');
    foreach ( $code as $cmd )
    {
      eval($cmd);
    }
    $text = ob_get_contents();
    if ( $text != '' )
    {
      ob_end_clean();
      return $text;
    }
    $template->header();
    // A site-configured System:Page_not_found message takes precedence over the
    // default text; note it is rendered and then eval()'d as a PHP template.
    if($m = $paths->sysmsg('Page_not_found'))
    {
      eval('?>'.RenderMan::render($m));
    }
    else
    {
      header('HTTP/1.1 404 Not Found');
      echo '<h3>There is no page with this title yet.</h3>
      <p>You have requested a page that doesn\'t exist yet.';
      if($session->get_permissions('create_page')) echo ' You can <a href="'.makeUrl($paths->page, 'do=edit', true).'" onclick="ajaxEditor(); return false;">create this page</a>, or return to the <a href="'.makeUrl(getConfig('main_page')).'">homepage</a>.';
      else echo ' Return to the <a href="'.makeUrl(getConfig('main_page')).'">homepage</a>.</p>';
      // Offer a rollback link if a deletion log row exists for the current page.
      // The page id in this query is the current page ($paths->cpage), not $page.
      if($session->get_permissions('history_rollback')) {
        $e = $db->sql_query('SELECT * FROM '.table_prefix.'logs WHERE action=\'delete\' AND page_id=\''.$paths->cpage['urlname_nons'].'\' AND namespace=\''.$pid[1].'\' ORDER BY time_id DESC;');
        if(!$e) $db->_die('The deletion log could not be selected.');
        if($db->numrows() > 0) {
          $r = $db->fetchrow();
          echo '<p>This page also appears to have some log entries in the database - it seems that it was deleted on '.$r['date_string'].'. You can probably <a href="'.makeUrl($paths->page, 'do=rollback&id='.$r['time_id']).'" onclick="ajaxRollback(\''.$r['time_id'].'\'); return false;">roll back</a> the deletion.</p>';
        }
        $db->free_result();
      }
      echo '<p>
      HTTP Error: 404 Not Found
      </p>';
    }
    $template->footer();
  }
  else
  {

    // If we don't have access to the page, get out and quick!
    if(!$session->get_permissions('read'))
    {
      $template->tpl_strings['PAGE_NAME'] = 'Access denied';
      if($send_headers) $template->header();
      echo '<div class="error-box"><b>Access to this page is denied.</b><br />This may be because you are not logged in or you have not met certain criteria for viewing this page.</div>';
      if($send_headers) $template->footer();
      $r = ob_get_contents();
      ob_end_clean();
      return $r;
    }

    ob_start();
    // Plugin hook, same eval() contract as page_not_found above: captured output
    // short-circuits the normal rendering path.
    $code = $plugins->setHook('page_custom_handler');
    foreach ( $code as $cmd )
    {
      eval($cmd);
    }
    $text = ob_get_contents();
    if ( $text != '' )
    {
      ob_end_clean();
      return $text;
    }

    // Archived revision: pull the text snapshot from the logs table.
    if($hist_id) {
      // $hist_id is escaped but not quoted; time_id is presumably numeric - confirm.
      $e = $db->sql_query('SELECT page_text,date_string,char_tag FROM '.table_prefix.'logs WHERE page_id=\''.$paths->pages[$page]['urlname_nons'].'\' AND namespace=\''.$pid[1].'\' AND log_type=\'page\' AND action=\'edit\' AND time_id='.$db->escape($hist_id).'');
      // The query result ($e) is never checked before numrows() is called.
      if($db->numrows() < 1)
      {
        $db->_die('There were no rows in the text table that matched the page text query.');
      }
      $r = $db->fetchrow();
      $db->free_result();
      $message = '<div class="info-box" style="margin-left: 0; margin-top: 5px;"><b>Notice:</b><br />The page you are viewing was archived on '.$r['date_string'].'.<br /><a href="'.makeUrl($page).'" onclick="ajaxReset(); return false;">View current version</a> | <a href="'.makeUrl($page, 'do=rollback&id='.$hist_id).'" onclick="ajaxRollback(\''.$hist_id.'\')">Restore this version</a></div><br />'.RenderMan::render($r['page_text']);

      if( !$paths->pages[$page]['special'] )
      {
        if($send_headers)
        {
          $template->header();
        }
        display_page_headers();
      }

      // NOTE(review): rendered page content is executed as a PHP template. Whether
      // stored text can still contain PHP depends on RenderMan::preprocess_text /
      // render, which are outside this file.
      eval('?>'.$message);

      if( !$paths->pages[$page]['special'] )
      {
        display_page_footers();
        if($send_headers)
        {
          $template->footer();
        }
      }

    } else {
      // Current revision: special pages get the reduced rendering mode.
      if(!$paths->pages[$page]['special'])
      {
        $message = RenderMan::getPage($paths->pages[$page]['urlname_nons'], $pid[1]);
      }
      else
      {
        $message = RenderMan::getPage($paths->pages[$page]['urlname_nons'], $pid[1], 0, false, false, false, false);
      }
      // This line is used to debug wikiformatted code
      // die('<pre>'.htmlspecialchars($message).'</pre>');

      if( !$paths->pages[$page]['special'] )
      {
        if($send_headers)
        {
          $template->header();
        }
        display_page_headers();
      }

      // This is it, this is what all of Enano has been working up to...
      // (same eval() caveat as the archived-revision branch above)

      eval('?>'.$message);

      if( !$paths->pages[$page]['special'] )
      {
        display_page_footers();
        if($send_headers)
        {
          $template->footer();
        }
      }
    }
  }
  $ret = ob_get_contents();
  ob_end_clean();
  return $ret;
}
|
305 |
||
306 |
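/**
 * Writes page data to the database, after verifying permissions and running the XSS filter.
 *
 * Checks, in order: edit_page permission; page existence (the page is created through
 * createPage() if it is not in the index); protection / wiki-mode restrictions for
 * non-admins. The text is then filtered by RenderMan::preprocess_text(), a history row
 * is inserted into the logs table, and the page_text row is overwritten.
 *
 * @param string $page_id the page ID (urlname without the namespace prefix)
 * @param string $namespace the namespace
 * @param string $message the text to save
 * @param string $summary edit summary; HTML-escaped before it is stored
 * @param bool $minor whether this is a minor edit
 * @return string 'good' on success, otherwise a human-readable error message
 */

function savepage($page_id, $namespace, $message, $summary = 'No edit summary given', $minor = false)
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  // Revision tag shared by the history row and the page_text row written below.
  $uid = sha1(microtime());
  $pname = $paths->nslist[$namespace] . $page_id;

  if(!$session->get_permissions('edit_page'))
    return 'Access to edit pages is denied.';

  if(!isset($paths->pages[$pname]))
  {
    if(!PageUtils::createPage($page_id, $namespace))
      return 'The page did not exist, and I was not able to create it. Permissions problem?';
    $paths->page_exists = true;
  }

  // NOTE(review): the semi-protection term (protected == 2) sets $prot for logged-in
  // accounts registered MORE than four days ago and leaves it clear for anonymous and
  // newer accounts, which is the reverse of the usual semi-protection semantics. The
  // same expression appears in protect() and histlist(), so it is kept unchanged here
  // pending confirmation of the intended behaviour.
  $prot = ( ( $paths->pages[$pname]['protected'] == 2 && $session->user_logged_in && $session->reg_time + 60*60*24*4 < time() ) || $paths->pages[$pname]['protected'] == 1) ? true : false;
  $wiki = ( ( $paths->pages[$pname]['wiki_mode'] == 2 && getConfig('wiki_mode') == '1') || $paths->pages[$pname]['wiki_mode'] == 1) ? true : false;
  if(($prot || !$wiki) && $session->user_level < USER_LEVEL_ADMIN ) return('You are not authorized to edit this page.');

  // Strip potentially harmful tags and PHP from the message, dependent upon permissions settings
  $message = RenderMan::preprocess_text($message, false, false);

  $msg = $db->escape($message);
  $minor = $minor ? 'true' : 'false';

  // Escape every request-derived value. The history row uses this function's own
  // page id / namespace rather than the current page ($paths->cpage / $paths->namespace)
  // so that it always refers to the same page as the page_text row updated below.
  $page_id_sql = $db->escape($page_id);
  $namespace_sql = $db->escape($namespace);

  $q='INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,page_id,namespace,page_text,char_tag,author,edit_summary,minor_edit) VALUES(\'page\', \'edit\', '.time().', \''.date('d M Y h:i a').'\', \''.$page_id_sql.'\', \''.$namespace_sql.'\', \''.$msg.'\', \''.$uid.'\', \''.$db->escape($session->username).'\', \''.$db->escape(htmlspecialchars($summary)).'\', '.$minor.');';
  if(!$db->sql_query($q)) $db->_die('The history (log) entry could not be inserted into the logs table.');

  $q = 'UPDATE '.table_prefix.'page_text SET page_text=\''.$msg.'\',char_tag=\''.$uid.'\' WHERE page_id=\''.$page_id_sql.'\' AND namespace=\''.$namespace_sql.'\';';
  $e = $db->sql_query($q);
  if(!$e) $db->_die('Enano was unable to save the page contents. Your changes have been lost <tt>:\'(</tt>.');

  $paths->rebuild_page_index($page_id, $namespace);

  return 'good';
}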
|
351 |
||
352 |
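/**
 * Creates a page, both in memory and in the database.
 *
 * Refuses to create Special/Admin pages, pages in unknown namespaces, pages that
 * already exist, pages for callers without create_page, and System pages for
 * non-admins. The page id is then checked against a character whitelist before
 * the pages, page_text and logs rows are inserted.
 *
 * @param string $page_id the page ID (urlname without the namespace prefix)
 * @param string $namespace the namespace
 * @param string|bool $name display name; defaults to the page id with underscores turned into spaces
 * @param int|bool $visible whether the page is listed (truthy) or hidden
 * @return bool true on success, false on failure
 */

function createPage($page_id, $namespace, $name = false, $visible = 1)
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  if(in_array($namespace, Array('Special', 'Admin'), true))
  {
    return false; // Can't create a special page
  }

  if(!isset($paths->nslist[$namespace]))
  {
    return false; // Couldn't look up namespace
  }

  $pname = $paths->nslist[$namespace] . $page_id;
  if(isset($paths->pages[$pname]))
  {
    return false; // Page already exists
  }

  if(!$session->get_permissions('create_page'))
  {
    return false; // Access denied
  }

  if($session->user_level < USER_LEVEL_ADMIN && $namespace == 'System')
  {
    return false; // Not authorized to create system messages
  }

  $page_id = dirtify_page_id($page_id);

  if ( !$name )
    $name = str_replace('_', ' ', $page_id);

  // Character whitelist for the page id. Two fixes relative to the earlier version:
  //  - it is now applied to $page_id; it used to test an undefined variable ($page),
  //    so the empty string always matched and nothing was ever rejected;
  //  - "A-z" is spelt out as "A-Za-z": the ASCII range A-z also admits [ \ ] ^ and `.
  // NOTE(review): with the check now live, ids containing characters outside this set
  // (including non-ASCII) are refused; widen the set here if that is not intended.
  $regex = '#^([A-Za-z0-9 _\-\.\/\!\@\(\)]*)$#is';
  if(!preg_match($regex, $page_id))
  {
    return false; // Name contains invalid characters
  }

  $page_id = sanitize_page_id( $page_id );

  $prot = ( $namespace == 'System' ) ? 1 : 0;
  $visible = ( $visible ? 1 : 0 );

  // The in-memory entry mirrors the row inserted below, including $visible (the
  // earlier version hard-coded 1 here while honouring the parameter in the INSERT).
  $page_data = Array(
    'name'=>$name,
    'urlname'=>$page_id,
    'namespace'=>$namespace,
    'special'=>0,'visible'=>$visible,'comments_on'=>0,'protected'=>$prot,'delvotes'=>0,'delvote_ips'=>'','wiki_mode'=>2,
    );

  $paths->add_page($page_data);

  // $namespace is a known nslist key at this point, but escape it anyway so the
  // queries do not depend on that invariant.
  $ns_sql = $db->escape($namespace);
  $qa = $db->sql_query('INSERT INTO '.table_prefix.'pages(name,urlname,namespace,visible,protected) VALUES(\''.$db->escape($name).'\', \''.$db->escape($page_id).'\', \''.$ns_sql.'\', '.$visible.', '.$prot.');');
  $qb = $db->sql_query('INSERT INTO '.table_prefix.'page_text(page_id,namespace) VALUES(\''.$db->escape($page_id).'\', \''.$ns_sql.'\');');
  $qc = $db->sql_query('INSERT INTO '.table_prefix.'logs(time_id,date_string,log_type,action,author,page_id,namespace) VALUES('.time().', \''.date('d M Y h:i a').'\', \'page\', \'create\', \''.$db->escape($session->username).'\', \''.$db->escape($page_id).'\', \''.$ns_sql.'\');');

  if($qa && $qb && $qc)
    return true;
  else
  {
    // NOTE(review): this echoes the raw driver error to the client. Kept for
    // compatibility with existing callers; $db->_die(), used elsewhere in this file,
    // would be the preferable failure path.
    echo $db->get_error();
    return false;
  }
}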
|
431 |
||
432 |
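/**
 * Sets the protection level on a page.
 *
 * Requires the protect permission and Wiki Mode on the page. $level must be 0
 * (off), 1 (full) or 2 (semi); any other value is rejected before anything is
 * written. A log row is inserted unless $reason is the literal 'NO_REASON'; the
 * pages row is then updated with the validated level.
 *
 * @param $page_id string the page ID
 * @param $namespace string the namespace
 * @param $level int level of protection - 0 is off, 1 is full, 2 is semi
 * @param $reason string why the page is being (un)protected
 * @return string - "good" on success, in all other cases, an error string (on query failure, calls $db->_die() )
 */
function protect($page_id, $namespace, $level, $reason)
{
  global $db, $session, $paths, $template, $plugins; // Common objects

  $pname = $paths->nslist[$namespace] . $page_id;
  if(!isset($paths->pages[$pname])) return('Page does not exist.');
  $wiki = ( ( $paths->pages[$pname]['wiki_mode'] == 2 && getConfig('wiki_mode') == '1') || $paths->pages[$pname]['wiki_mode'] == 1) ? true : false;

  if(!$session->get_permissions('protect')) return('Insufficient access rights');
  if(!$wiki) return('Page protection only has an effect when Wiki Mode is enabled.');

  // Validate the level once, up front, and map it to its log action. The earlier
  // version only rejected unknown levels inside the logging branch, so a caller
  // passing 'NO_REASON' could store any integer in the protected column.
  if(!preg_match('#^([0-9]+){1}$#', (string)$level)) return('Invalid $level parameter.');
  $level = intval($level);
  $actions = Array(0 => 'unprot', 1 => 'prot', 2 => 'semiprot');
  if(!isset($actions[$level])) return 'PageUtils::protect(): Invalid value for $level';

  $page_id_sql = $db->escape($page_id);
  $namespace_sql = $db->escape($namespace);

  if($reason!='NO_REASON') {
    $q = 'INSERT INTO '.table_prefix.'logs(time_id,date_string,log_type,action,author,page_id,namespace,edit_summary) VALUES('.time().', \''.date('d M Y h:i a').'\', \'page\', \''.$actions[$level].'\', \''.$db->escape($session->username).'\', \''.$page_id_sql.'\', \''.$namespace_sql.'\', \''.$db->escape(htmlspecialchars($reason)).'\');';
    if(!$db->sql_query($q)) $db->_die('The log entry for the page protection could not be inserted.');
  }

  // Write the validated $level. The earlier version validated the parameter and then
  // put the raw request value ($_POST['level']) into the query instead.
  $q = $db->sql_query('UPDATE '.table_prefix.'pages SET protected='.$level.' WHERE urlname=\''.$page_id_sql.'\' AND namespace=\''.$namespace_sql.'\';');
  if(!$q) $db->_die('The pages table was not updated.');

  return('good');
}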
|
476 |
||
477 |
/** |
|
478 |
* Generates an HTML table with history information in it. |
|
479 |
* @param $page_id the page ID |
|
480 |
* @param $namespace the namespace |
|
481 |
* @return string |
|
482 |
*/ |
|
483 |
||
484 |
function histlist($page_id, $namespace) |
|
485 |
{ |
|
486 |
global $db, $session, $paths, $template, $plugins; // Common objects |
|
487 |
||
488 |
if(!$session->get_permissions('history_view')) |
|
489 |
return 'Access denied'; |
|
490 |
||
491 |
ob_start(); |
|
492 |
||
493 |
$pname = $paths->nslist[$namespace] . $page_id; |
|
494 |
$wiki = ( ( $paths->pages[$pname]['wiki_mode'] == 2 && getConfig('wiki_mode') == '1') || $paths->pages[$pname]['wiki_mode'] == 1) ? true : false; |
|
495 |
$prot = ( ( $paths->pages[$pname]['protected'] == 2 && $session->user_logged_in && $session->reg_time + 60*60*24*4 < time() ) || $paths->pages[$pname]['protected'] == 1) ? true : false; |
|
496 |
||
497 |
$q = 'SELECT time_id,date_string,page_id,namespace,author,edit_summary,minor_edit FROM '.table_prefix.'logs WHERE log_type=\'page\' AND action=\'edit\' AND page_id=\''.$page_id.'\' AND namespace=\''.$namespace.'\' ORDER BY time_id DESC;'; |
|
498 |
if(!$db->sql_query($q)) $db->_die('The history data for the page "'.$paths->cpage['name'].'" could not be selected.'); |
|
499 |
echo 'History of edits and actions<h3>Edits:</h3>'; |
|
500 |
$numrows = $db->numrows(); |
|
501 |
if($numrows < 1) echo 'No history entries in this category.'; |
|
502 |
else |
|
503 |
{ |
|
504 |
||
505 |
echo '<form action="'.makeUrlNS($namespace, $page_id, 'do=diff').'" onsubmit="ajaxHistDiff(); return false;" method="get"> |
|
506 |
<input type="submit" value="Compare selected revisions" /> |
|
507 |
<br /><span> </span> |
|
508 |
<div class="tblholder"> |
|
509 |
<table border="0" width="100%" cellspacing="1" cellpadding="4"> |
|
510 |
<tr> |
|
511 |
<th colspan="2">Diff</th> |
|
512 |
<th>Date/time</th> |
|
513 |
<th>User</th> |
|
514 |
<th>Edit summary</th> |
|
515 |
<th>Minor</th> |
|
516 |
<th colspan="3">Actions</th> |
|
517 |
</tr>'."\n"."\n"; |
|
518 |
$cls = 'row2'; |
|
519 |
$ticker = 0; |
|
520 |
||
521 |
while($r = $db->fetchrow()) { |
|
522 |
||
523 |
$ticker++; |
|
524 |
||
525 |
if($cls == 'row2') $cls = 'row1'; |
|
526 |
else $cls = 'row2'; |
|
527 |
||
528 |
echo '<tr>'."\n"; |
|
529 |
||
530 |
// Diff selection |
|
531 |
if($ticker == 1) |
|
532 |
{ |
|
533 |
$s1 = ''; |
|
534 |
$s2 = 'checked="checked" '; |
|
535 |
} |
|
536 |
elseif($ticker == 2) |
|
537 |
{ |
|
538 |
$s1 = 'checked="checked" '; |
|
539 |
$s2 = ''; |
|
540 |
} |
|
541 |
else |
|
542 |
{ |
|
543 |
$s1 = ''; |
|
544 |
$s2 = ''; |
|
545 |
} |
|
546 |
if($ticker > 1) echo '<td class="'.$cls.'" style="padding: 0;"><input '.$s1.'name="diff1" type="radio" value="'.$r['time_id'].'" id="diff1_'.$r['time_id'].'" class="clsDiff1Radio" onclick="selectDiff1Button(this);" /></td>'."\n"; else echo '<td class="'.$cls.'"></td>'; |
|
547 |
if($ticker < $numrows) echo '<td class="'.$cls.'" style="padding: 0;"><input '.$s2.'name="diff2" type="radio" value="'.$r['time_id'].'" id="diff2_'.$r['time_id'].'" class="clsDiff2Radio" onclick="selectDiff2Button(this);" /></td>'."\n"; else echo '<td class="'.$cls.'"></td>'; |
|
548 |
||
549 |
// Date and time |
|
550 |
echo '<td class="'.$cls.'">'.$r['date_string'].'</td class="'.$cls.'">'."\n"; |
|
551 |
||
552 |
// User |
|
553 |
if($session->get_permissions('mod_misc') && preg_match('#^([0-9]*){1,3}\.([0-9]*){1,3}\.([0-9]*){1,3}\.([0-9]*){1,3}$#', $r['author'])) $rc = ' style="cursor: pointer;" title="Click cell background for reverse DNS info" onclick="ajaxReverseDNS(this, \''.$r['author'].'\');"'; |
|
554 |
else $rc = ''; |
|
555 |
echo '<td class="'.$cls.'"'.$rc.'><a href="'.makeUrlNS('User', $r['author']).'" '; |
|
556 |
if(!isPage($paths->nslist['User'] . $r['author'])) echo 'class="wikilink-nonexistent"'; |
|
557 |
echo '>'.$r['author'].'</a></td class="'.$cls.'">'."\n"; |
|
558 |
||
559 |
// Edit summary |
|
560 |
echo '<td class="'.$cls.'">'.$r['edit_summary'].'</td>'."\n"; |
|
561 |
||
562 |
// Minor edit |
|
563 |
echo '<td class="'.$cls.'" style="text-align: center;">'. (( $r['minor_edit'] ) ? 'M' : '' ) .'</td>'."\n"; |
|
564 |
||
565 |
// Actions! |
|
566 |
echo '<td class="'.$cls.'" style="text-align: center;"><a href="'.makeUrlNS($namespace, $page_id, 'oldid='.$r['time_id']).'" onclick="ajaxHistView(\''.$r['time_id'].'\'); return false;">View revision</a></td>'."\n"; |
|
567 |
echo '<td class="'.$cls.'" style="text-align: center;"><a href="'.makeUrl($paths->nslist['Special'].'Contributions/'.$r['author']).'">View user contribs</a></td>'."\n"; |
|
568 |
echo '<td class="'.$cls.'" style="text-align: center;"><a href="'.makeUrlNS($namespace, $page_id, 'do=rollback&id='.$r['time_id']).'" onclick="ajaxRollback(\''.$r['time_id'].'\'); return false;">Revert to this revision</a></td>'."\n"; |
|
569 |
||
570 |
echo '</tr>'."\n"."\n"; |
|
571 |
||
572 |
} |
|
573 |
echo '</table> |
|
574 |
</div> |
|
575 |
<br /> |
|
576 |
<input type="hidden" name="do" value="diff" /> |
|
577 |
<input type="submit" value="Compare selected revisions" /> |
|
578 |
</form> |
|
579 |
<script type="text/javascript">if ( !KILL_SWITCH ) { buildDiffList(); }</script>'; |
1 | 580 |
} |
581 |
$db->free_result(); |
|
582 |
echo '<h3>Other changes:</h3>'; |
|
583 |
$q = 'SELECT time_id,action,date_string,page_id,namespace,author,edit_summary,minor_edit FROM '.table_prefix.'logs WHERE log_type=\'page\' AND action!=\'edit\' AND page_id=\''.$paths->cpage['urlname_nons'].'\' AND namespace=\''.$paths->namespace.'\' ORDER BY time_id DESC;'; |
|
584 |
if(!$db->sql_query($q)) $db->_die('The history data for the page "'.$paths->cpage['name'].'" could not be selected.'); |
|
585 |
if($db->numrows() < 1) echo 'No history entries in this category.'; |
|
586 |
else { |
|
587 |
||
588 |
echo '<div class="tblholder"><table border="0" width="100%" cellspacing="1" cellpadding="4"><tr><th>Date/time</th><th>User</th><th>Minor</th><th>Action taken</th><th>Extra info</th><th colspan="2"></th></tr>'; |
|
589 |
$cls = 'row2'; |
|
590 |
while($r = $db->fetchrow()) { |
|
591 |
||
592 |
if($cls == 'row2') $cls = 'row1'; |
|
593 |
else $cls = 'row2'; |
|
594 |
||
595 |
echo '<tr>'; |
|
596 |
||
597 |
// Date and time |
|
598 |
echo '<td class="'.$cls.'">'.$r['date_string'].'</td class="'.$cls.'">'; |
|
599 |
||
600 |
// User |
|
601 |
echo '<td class="'.$cls.'"><a href="'.makeUrlNS('User', $r['author']).'" '; |
|
602 |
if(!isPage($paths->nslist['User'] . $r['author'])) echo 'class="wikilink-nonexistent"'; |
|
603 |
echo '>'.$r['author'].'</a></td class="'.$cls.'">'; |
|
604 |
||
605 |
||
606 |
// Minor edit |
|
607 |
echo '<td class="'.$cls.'" style="text-align: center;">'. (( $r['minor_edit'] ) ? 'M' : '' ) .'</td>'; |
|
608 |
||
609 |
// Action taken |
|
610 |
echo '<td class="'.$cls.'">'; |
|
611 |
// Some of these are sanitized at insert-time. Others follow the newer Enano policy of stripping HTML at runtime. |
1 | 612 |
if ($r['action']=='prot') echo 'Protected page</td><td class="'.$cls.'">Reason: '.$r['edit_summary']; |
613 |
elseif($r['action']=='unprot') echo 'Unprotected page</td><td class="'.$cls.'">Reason: '.$r['edit_summary']; |
|
614 |
elseif($r['action']=='semiprot') echo 'Semi-protected page</td><td class="'.$cls.'">Reason: '.$r['edit_summary']; |
|
615 |
elseif($r['action']=='rename') echo 'Renamed page</td><td class="'.$cls.'">Old title: '.htmlspecialchars($r['edit_summary']); |
1 | 616 |
elseif($r['action']=='create') echo 'Created page</td><td class="'.$cls.'">'; |
28 | 617 |
elseif($r['action']=='delete') echo 'Deleted page</td><td class="'.$cls.'">Reason: '.$r['edit_summary']; |
618 |
elseif($r['action']=='reupload') echo 'Uploaded new file version</td><td class="'.$cls.'">Reason: '.htmlspecialchars($r['edit_summary']); |
1 | 619 |
echo '</td>'; |
620 |
||
621 |
// Actions! |
|
622 |
echo '<td class="'.$cls.'" style="text-align: center;"><a href="'.makeUrl($paths->nslist['Special'].'Contributions/'.$r['author']).'">View user contribs</a></td>'; |
|
623 |
echo '<td class="'.$cls.'" style="text-align: center;"><a href="'.makeUrlNS($namespace, $page_id, 'do=rollback&id='.$r['time_id']).'" onclick="ajaxRollback(\''.$r['time_id'].'\'); return false;">Revert action</a></td>'; |
|
624 |
||
625 |
//echo '(<a href="#" onclick="ajaxRollback(\''.$r['time_id'].'\'); return false;">rollback</a>) <i>'.$r['date_string'].'</i> '.$r['author'].' (<a href="'.makeUrl($paths->nslist['User'].$r['author']).'">Userpage</a>, <a href="'.makeUrl($paths->nslist['Special'].'Contributions/'.$r['author']).'">Contrib</a>): '; |
|
626 |
||
627 |
if($r['minor_edit']) echo '<b> - minor edit</b>'; |
|
628 |
echo '<br />'; |
|
629 |
||
630 |
echo '</tr>'; |
|
631 |
} |
|
632 |
echo '</table></div>'; |
|
633 |
} |
|
634 |
$db->free_result(); |
|
635 |
$ret = ob_get_contents(); |
|
636 |
ob_end_clean(); |
|
637 |
return $ret; |
|
638 |
} |
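/**
 * Rolls back a logged action.
 *
 * Only entries of log_type "page" can be rolled back; "security" and "login"
 * entries are refused. Every page_id / namespace value used in the UPDATE and
 * INSERT statements below is read back from the logs table, so it is escaped
 * again here rather than trusted as-is (second-order injection guard).
 *
 * @param $id the time ID, a.k.a. the primary key in the logs table
 * @return string human-readable status or error message
 */

function rollback($id)
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  if(!$session->get_permissions('history_rollback')) return('You are not authorized to perform rollbacks.');
  if(!preg_match('#^([0-9]+)$#', (string)$id)) return('The value "id" on the query string must be an integer.');
  $e = $db->sql_query('SELECT log_type,action,date_string,page_id,namespace,page_text,char_tag,author,edit_summary FROM '.table_prefix.'logs WHERE time_id='.$id.';');
  if(!$e) $db->_die('The rollback data could not be selected.');
  $rb = $db->fetchrow();
  $db->free_result();
  // fetchrow() yields false when no log entry carries this time_id
  if(!$rb) return('No log entry with the ID "'.$id.'" could be found.');

  // Escaped once, reused by every query below
  $page_id   = $db->escape($rb['page_id']);
  $namespace = $db->escape($rb['namespace']);
  // Key of the affected page in the path registry (namespace prefix + urlname), as used elsewhere in this file
  $page_key  = $paths->nslist[$rb['namespace']] . $rb['page_id'];
  $page_name = isset($paths->pages[$page_key]) ? $paths->pages[$page_key]['name'] : $rb['page_id'];

  switch($rb['log_type']) {
    case "page":
      switch($rb['action']) {
        case "edit":
          $t = $db->escape($rb['page_text']);
          $e = $db->sql_query('UPDATE '.table_prefix.'page_text SET page_text=\''.$t.'\',char_tag=\''.$db->escape($rb['char_tag']).'\' WHERE page_id=\''.$page_id.'\' AND namespace=\''.$namespace.'\'');
          if(!$e) return(PageUtils::_rollback_sql_error());
          return('The page "'.$page_name.'" has been rolled back to the state it was in on '.$rb['date_string'].'.');
        case "rename":
          // For renames the log's edit_summary holds the previous title
          $t = $db->escape($rb['edit_summary']);
          $e = $db->sql_query('UPDATE '.table_prefix.'pages SET name=\''.$t.'\' WHERE urlname=\''.$page_id.'\' AND namespace=\''.$namespace.'\'');
          if(!$e) return(PageUtils::_rollback_sql_error());
          return('The page "'.$page_name.'" has been rolled back to the name it had ("'.$rb['edit_summary'].'") before '.$rb['date_string'].'.');
        case "prot":
        case "semiprot":
        case "unprot":
          // Rolling back a protection change inverts it: prot/semiprot -> unprotected, unprot -> protected
          $protected = ( $rb['action'] == 'unprot' ) ? 1 : 0;
          $e = $db->sql_query('UPDATE '.table_prefix.'pages SET protected='.$protected.' WHERE urlname=\''.$page_id.'\' AND namespace=\''.$namespace.'\'');
          if(!$e) return(PageUtils::_rollback_sql_error());
          $verb = ( $protected ) ? 'protected' : 'unprotected';
          return('The page "'.$page_name.'" has been '.$verb.' according to the log created at '.$rb['date_string'].'.');
        case "delete":
          if(!$session->get_permissions('history_rollback_extra')) return('Administrative privileges are required for page undeletion.');
          // Check the page named in the log entry, not whichever page the request was made from
          if(isset($paths->pages[$page_key])) return('You cannot raise a dead page that is alive.');
          $name = str_replace('_', ' ', $rb['page_id']);
          $e = $db->sql_query('INSERT INTO '.table_prefix.'pages(name,urlname,namespace) VALUES( \''.$db->escape($name).'\', \''.$page_id.'\',\''.$namespace.'\' )');
          if(!$e) return(PageUtils::_rollback_sql_error());
          // Restore the text from the most recent edit log entry for this page
          $e = $db->sql_query('SELECT page_text,char_tag FROM '.table_prefix.'logs WHERE page_id=\''.$page_id.'\' AND namespace=\''.$namespace.'\' AND log_type=\'page\' AND action=\'edit\' ORDER BY time_id DESC;');
          if(!$e) return(PageUtils::_rollback_sql_error());
          $r = $db->fetchrow();
          $db->free_result();
          if(!$r) return('The page "'.$name.'" was re-created, but no edit log entry exists to restore its text from.');
          $e = $db->sql_query('INSERT INTO '.table_prefix.'page_text(page_id,namespace,page_text,char_tag) VALUES(\''.$page_id.'\',\''.$namespace.'\',\''.$db->escape($r['page_text']).'\',\''.$db->escape($r['char_tag']).'\')');
          if(!$e) return(PageUtils::_rollback_sql_error());
          return('The page "'.$name.'" has been undeleted according to the log created at '.$rb['date_string'].'.');
        case "reupload":
          // NOTE(review): this permission key differs from the "history_rollback_extra" checked for undeletion; kept as-is since the ACL definition is not visible here
          if(!$session->get_permissions('history_rollbacks_extra')) return('Administrative privileges are required for file rollbacks.');
          $newtime = time();
          $newdate = date('d M Y h:i a');
          // Re-stamp the old upload's log and file rows with the current time so they become the live version
          if(!$db->sql_query('UPDATE '.table_prefix.'logs SET time_id='.$newtime.',date_string=\''.$newdate.'\' WHERE time_id='.$id)) return('Error during query: '.mysql_error());
          if(!$db->sql_query('UPDATE '.table_prefix.'files SET time_id='.$newtime.' WHERE time_id='.$id)) return('Error during query: '.mysql_error());
          return('The file has been rolled back to the version uploaded on '.date('d M Y h:i a', (int)$id).'.');
        default:
          return('Rollback of the action "'.$rb['action'].'" is not yet supported.');
      }
    case "security":
    case "login":
      return('A '.$rb['log_type'].'-related log entry cannot be rolled back.');
    default:
      return('Unknown log entry type: "'.$rb['log_type'].'"');
  }
}

/**
 * Builds the message returned by rollback() when one of its queries fails.
 * Kept separate so the wording is identical for every failing statement.
 * @return string
 */
function _rollback_sql_error()
{
  global $db;
  return "An error occurred during the rollback operation.\nMySQL said: ".mysql_error()."\n\nSQL backtrace:\n".$db->sql_backtrace();
}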
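/**
 * Posts a comment.
 *
 * Depending on the comments_need_login setting, guests are either refused
 * ('2') or must pass a CAPTCHA check ('1') before the comment is stored.
 * When approve_comments is '1' the comment is stored unapproved.
 *
 * @param $page_id the page ID
 * @param $namespace the namespace
 * @param $name the name of the person posting, defaults to current username/IP
 * @param $subject the subject line of the comment
 * @param $text the comment text
 * @param $captcha_code the code the user typed; required for guests when comments_need_login is '1'
 * @param $captcha_id the ID of the CAPTCHA the code belongs to
 * @return string javascript code
 */

function addcomment($page_id, $namespace, $name, $subject, $text, $captcha_code = false, $captcha_id = false)
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  $_ob = '';
  if(!$session->get_permissions('post_comments'))
    return 'Access denied';
  if(getConfig('comments_need_login') == '2' && !$session->user_logged_in) _die('Access denied to post comments: you need to be logged in first.');
  if(getConfig('comments_need_login') == '1' && !$session->user_logged_in)
  {
    if(!$captcha_code || !$captcha_id) _die('BUG: PageUtils::addcomment: no CAPTCHA data passed to method');
    $result = $session->get_captcha($captcha_id);
    // Strict string comparison: a missing or expired CAPTCHA (empty/false) must never compare equal to a submitted code
    if(!$result || (string)$captcha_code !== (string)$result) _die('The confirmation code you entered was incorrect.');
  }
  $text = RenderMan::preprocess_text($text);
  $name = $session->user_logged_in ? RenderMan::preprocess_text($session->username) : RenderMan::preprocess_text($name);
  $subj = RenderMan::preprocess_text($subject);
  // Comments start unapproved when moderation is switched on
  $appr = ( getConfig('approve_comments') == '1' ) ? '0' : '1';
  // $page_id and $namespace arrive straight from the request and are escaped here;
  // NOTE(review): $subj/$text/$name are assumed SQL-safe after preprocess_text() - confirm
  $q = 'INSERT INTO '.table_prefix.'comments(page_id,namespace,subject,comment_data,name,user_id,approved,time) VALUES(\''.$db->escape($page_id).'\',\''.$db->escape($namespace).'\',\''.$subj.'\',\''.$text.'\',\''.$name.'\','.intval($session->user_id).','.$appr.','.time().')';
  $e = $db->sql_query($q);
  // The alert sent on failure embeds the failed query text (existing behaviour of this endpoint)
  if(!$e) die('alert(unescape(\''.rawurlencode('Error inserting comment data: '.mysql_error().'\n\nQuery:\n'.$q).'\'))');
  $_ob .= '<div class="info-box">Your comment has been posted.</div>';
  // Re-render the comment list with the confirmation box prepended
  return PageUtils::comments($page_id, $namespace, false, Array(), $_ob);
}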
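/**
 * Generates partly-compiled HTML/Javascript code to be eval'ed by the user's browser to display comments
 *
 * Optionally performs a moderator action first ($action = "delete" or
 * "approve", targeted by $flags['id'] or by name/subj/text), then builds the
 * comment list and, where permitted, the posting form.
 *
 * @param $page_id the page ID
 * @param $namespace the namespace
 * @param $action administrative action to perform, default is false
 * @param $flags additional info for $action, shouldn't be used except when deleting/approving comments, etc.
 * @param $_ob text to prepend to output, used by PageUtils::addcomment
 * @return array index 0: Javascript that injects the HTML and the "list" object; index 1: the plain HTML
 * @access private
 */

function comments_raw($page_id, $namespace, $action = false, $flags = Array(), $_ob = '')
{
  global $db, $session, $paths, $template, $plugins; // Common objects

  $pname = $paths->nslist[$namespace] . $page_id;

  // Escaped copies for SQL; the originals are still needed for URL building
  $db_page_id   = $db->escape($page_id);
  $db_namespace = $db->escape($namespace);

  ob_start();

  if($action && $session->get_permissions('mod_comments')) // Nip hacking attempts in the bud
  {
    switch($action) {
      case "delete":
        if(isset($flags['id']))
        {
          $q = 'DELETE FROM '.table_prefix.'comments WHERE page_id=\''.$db_page_id.'\' AND namespace=\''.$db_namespace.'\' AND comment_id='.intval($flags['id']).' LIMIT 1;';
        } else {
          $n = $db->escape($flags['name']);
          $s = $db->escape($flags['subj']);
          $t = $db->escape($flags['text']);
          $q = 'DELETE FROM '.table_prefix.'comments WHERE page_id=\''.$db_page_id.'\' AND namespace=\''.$db_namespace.'\' AND name=\''.$n.'\' AND subject=\''.$s.'\' AND comment_data=\''.$t.'\' LIMIT 1;';
        }
        $e=$db->sql_query($q);
        if(!$e) die('alert(unescape(\''.rawurlencode('Error during query: '.mysql_error().'\n\nQuery:\n'.$q).'\'));');
        break;
      case "approve":
        if(isset($flags['id']))
        {
          $where = 'comment_id='.intval($flags['id']);
        } else {
          $n = $db->escape($flags['name']);
          $s = $db->escape($flags['subj']);
          $t = $db->escape($flags['text']);
          $where = 'name=\''.$n.'\' AND subject=\''.$s.'\' AND comment_data=\''.$t.'\'';
        }
        $q = 'SELECT approved FROM '.table_prefix.'comments WHERE page_id=\''.$db_page_id.'\' AND namespace=\''.$db_namespace.'\' AND '.$where.' LIMIT 1;';
        $e = $db->sql_query($q);
        if(!$e) die('alert(unescape(\''.rawurlencode('Error selecting approval status: '.mysql_error().'\n\nQuery:\n'.$q).'\'));');
        $r = $db->fetchrow();
        $db->free_result();
        // Toggle: an approved comment becomes unapproved and vice versa ($r is false when nothing matched)
        $a = ( $r && $r['approved'] ) ? '0' : '1';
        $q = 'UPDATE '.table_prefix.'comments SET approved='.$a.' WHERE page_id=\''.$db_page_id.'\' AND namespace=\''.$db_namespace.'\' AND '.$where.';';
        $e=$db->sql_query($q);
        if(!$e) die('alert(unescape(\''.rawurlencode('Error during query: '.mysql_error().'\n\nQuery:\n'.$q).'\'));');
        if($a=='1') $v = 'Unapprove';
        else $v = 'Approve';
        // The element index is emitted into Javascript; only an integer may reach the output
        $link_id = isset($_GET['id']) ? intval($_GET['id']) : -1;
        echo 'document.getElementById("mdgApproveLink'.$link_id.'").innerHTML="'.$v.'";';
        break;
    }
  }

  if(!defined('ENANO_TEMPLATE_LOADED'))
  {
    $template->load_theme($session->theme, $session->style);
  }

  $tpl = $template->makeParser('comment.tpl');

  // Separate counts of unapproved and approved comments; both are reported in the header text
  $e = $db->sql_query('SELECT * FROM '.table_prefix.'comments WHERE page_id=\''.$db_page_id.'\' AND namespace=\''.$db_namespace.'\' AND approved=0;');
  if(!$e) $db->_die('The comment text data could not be selected.');
  $num_unapp = $db->numrows();
  $db->free_result();
  $e = $db->sql_query('SELECT * FROM '.table_prefix.'comments WHERE page_id=\''.$db_page_id.'\' AND namespace=\''.$db_namespace.'\' AND approved=1;');
  if(!$e) $db->_die('The comment text data could not be selected.');
  $num_app = $db->numrows();
  $db->free_result();
  $lq = $db->sql_query('SELECT c.comment_id,c.subject,c.name,c.comment_data,c.approved,c.time,c.user_id,u.user_level,u.signature
                          FROM '.table_prefix.'comments AS c
                          LEFT JOIN '.table_prefix.'users AS u
                            ON c.user_id=u.user_id
                          WHERE page_id=\''.$db_page_id.'\'
                          AND namespace=\''.$db_namespace.'\' ORDER BY c.time ASC;');
  if(!$lq) _die('The comment text data could not be selected. '.mysql_error());
  $_ob .= '<h3>Article Comments</h3>';
  // Moderators see every comment; everyone else only the approved ones
  $n = ( $session->get_permissions('mod_comments')) ? $db->numrows() : $num_app;
  if($n==1) $s = 'is '.$n.' comment'; else $s = 'are '.$n.' comments';
  if($n < 1)
  {
    $_ob .= '<p>There are currently no comments on this '.strtolower($namespace).'';
    if($namespace != 'Article') $_ob .= ' page';
    $_ob .= '.</p>';
  } else $_ob .= '<p>There '.$s.' on this article.';
  if($session->get_permissions('mod_comments') && $num_unapp > 0) $_ob .= ' <span style="color: #D84308">'.$num_unapp.' of those are unapproved.</span>';
  elseif(!$session->get_permissions('mod_comments') && $num_unapp > 0) { $u = ($num_unapp == 1) ? "is $num_unapp comment" : "are $num_unapp comments"; $_ob .= ' However, there ' . $u . ' awating approval.'; }
  $_ob .= '</p>';
  // Javascript object consumed by the client-side editor; keyed by list index, not comment_id
  $list = 'list = { ';
  $i = -1;
  while($row = $db->fetchrow($lq))
  {
    $i++;
    $strings = Array();
    $bool = Array();
    if($session->get_permissions('mod_comments') || $row['approved']) {
      $list .= $i . ' : { \'comment\' : unescape(\''.rawurlencode($row['comment_data']).'\'), \'name\' : unescape(\''.rawurlencode($row['name']).'\'), \'subject\' : unescape(\''.rawurlencode($row['subject']).'\'), }, ';

      // Comment ID (used in the Javascript apps)
      $strings['ID'] = (string)$i;

      // Determine the name, and whether to link to the user page or not
      // NOTE(review): name and subject are emitted as HTML without escaping here; assumed sanitised at insert time - confirm
      $name = '';
      if($row['user_id'] > 0) $name .= '<a href="'.makeUrlNS('User', str_replace(' ', '_', $row['name'])).'">';
      $name .= $row['name'];
      if($row['user_id'] > 0) $name .= '</a>';
      $strings['NAME'] = $name; unset($name);

      // Subject
      $s = $row['subject'];
      if(!$row['approved']) $s .= ' <span style="color: #D84308">(Unapproved)</span>';
      $strings['SUBJECT'] = $s;

      // Date and time
      $strings['DATETIME'] = date('F d, Y h:i a', $row['time']);

      // User level (unknown levels are shown as guests)
      switch($row['user_level'])
      {
        default:
        case USER_LEVEL_GUEST:
          $l = 'Guest';
          break;
        case USER_LEVEL_MEMBER:
          $l = 'Member';
          break;
        case USER_LEVEL_MOD:
          $l = 'Moderator';
          break;
        case USER_LEVEL_ADMIN:
          $l = 'Administrator';
          break;
      }
      $strings['USER_LEVEL'] = $l; unset($l);

      // The actual comment data
      $strings['DATA'] = RenderMan::render($row['comment_data']);

      if($session->get_permissions('edit_comments'))
      {
        // Edit link
        $strings['EDIT_LINK'] = '<a href="'.makeUrlNS($namespace, $page_id, 'do=comments&sub=editcomment&id='.$row['comment_id']).'" id="editbtn_'.$i.'">edit</a>';

        // Delete link
        $strings['DELETE_LINK'] = '<a href="'.makeUrlNS($namespace, $page_id, 'do=comments&sub=deletecomment&id='.$row['comment_id']).'">delete</a>';
      }
      else
      {
        // Edit link
        $strings['EDIT_LINK'] = '';

        // Delete link
        $strings['DELETE_LINK'] = '';
      }

      // Send PM link
      $strings['SEND_PM_LINK'] = ( $session->user_logged_in && $row['user_id'] > 0 ) ? '<a href="'.makeUrlNS('Special', 'PrivateMessages/Compose/To/'.$row['name']).'">Send private message</a><br />' : '';

      // Add Buddy link
      $strings['ADD_BUDDY_LINK'] = ( $session->user_logged_in && $row['user_id'] > 0 ) ? '<a href="'.makeUrlNS('Special', 'PrivateMessages/FriendList/Add/'.$row['name']).'">Add to buddy list</a>' : '';

      // Mod links
      $applink = '';
      $applink .= '<a href="'.makeUrlNS($namespace, $page_id, 'do=comments&sub=admin&action=approve&id='.$row['comment_id']).'" id="mdgApproveLink'.$i.'">';
      if($row['approved']) $applink .= 'Unapprove';
      else $applink .= 'Approve';
      $applink .= '</a>';
      $strings['MOD_APPROVE_LINK'] = $applink; unset($applink);
      $strings['MOD_DELETE_LINK'] = '<a href="'.makeUrlNS($namespace, $page_id, 'do=comments&sub=admin&action=delete&id='.$row['comment_id']).'">Delete</a>';

      // Signature
      $strings['SIGNATURE'] = '';
      if($row['signature'] != '') $strings['SIGNATURE'] = RenderMan::render($row['signature']);

      $bool['auth_mod'] = ($session->get_permissions('mod_comments')) ? true : false;
      $bool['can_edit'] = ( ( $session->user_logged_in && $row['name'] == $session->username && $session->get_permissions('edit_comments') ) || $session->get_permissions('mod_comments') ) ? true : false;
      $bool['signature'] = ( $strings['SIGNATURE'] == '' ) ? false : true;

      // Done processing and compiling, now let's cook it into HTML
      $tpl->assign_vars($strings);
      $tpl->assign_bool($bool);
      $_ob .= $tpl->run();
    }
  }
  if(getConfig('comments_need_login') != '2' || $session->user_logged_in)
  {
    if(!$session->get_permissions('post_comments'))
    {
      $_ob .= '<h3>Got something to say?</h3><p>Access to post comments on this page is denied.</p>';
    }
    else
    {
      $_ob .= '<h3>Got something to say?</h3>If you have comments or suggestions on this article, you can shout it out here.';
      if(getConfig('approve_comments')=='1') $_ob .= ' Before your comment will be visible to the public, a moderator will have to approve it.';
      if(getConfig('comments_need_login') == '1' && !$session->user_logged_in) $_ob .= ' Because you are not logged in, you will need to enter a visual confirmation before your comment will be posted.';
      // The username lands inside an attribute value, so it is attribute-escaped
      $sn = $session->user_logged_in ? $session->username . '<input name="name" id="mdgScreenName" type="hidden" value="'.htmlspecialchars($session->username).'" />' : '<input name="name" id="mdgScreenName" type="text" size="35" />';
      $_ob .= ' <a href="#" id="mdgCommentFormLink" style="display: none;" onclick="document.getElementById(\'mdgCommentForm\').style.display=\'block\';this.style.display=\'none\';return false;">Leave a comment...</a>
      <div id="mdgCommentForm">
      <h3>Comment form</h3>
        <form action="'.makeUrlNS($namespace, $page_id, 'do=comments&sub=postcomment').'" method="post" style="margin-left: 1em">
        <table border="0">
        <tr><td>Your name or screen name:</td><td>'.$sn.'</td></tr>
        <tr><td>Comment subject:</td><td><input name="subj" id="mdgSubject" type="text" size="35" /></td></tr>';
      if(getConfig('comments_need_login') == '1' && !$session->user_logged_in)
      {
        // A fresh CAPTCHA per form render; the previous one is discarded first
        $session->kill_captcha();
        $captcha = $session->make_captcha();
        $_ob .= '<tr><td>Visual confirmation:<br /><small>Please enter the code you see on the right.</small></td><td><img src="'.makeUrlNS('Special', 'Captcha/'.$captcha).'" alt="Visual confirmation" style="cursor: pointer;" onclick="this.src = \''.makeUrlNS("Special", "Captcha/".$captcha).'/\'+Math.floor(Math.random() * 100000);" /><input name="captcha_id" id="mdgCaptchaID" type="hidden" value="'.$captcha.'" /><br />Code: <input name="captcha_input" id="mdgCaptchaInput" type="text" size="10" /><br /><small><script type="text/javascript">document.write("If you can\'t read the code, click on the image to generate a new one.");</script><noscript>If you can\'t read the code, please refresh this page to generate a new one.</noscript></small></td></tr>';
      }
      $_ob .= '
        <tr><td valign="top">Comment text:<br />(most HTML will be stripped)</td><td><textarea name="text" id="mdgCommentArea" rows="10" cols="40"></textarea></td></tr>
        <tr><td colspan="2" style="text-align: center;"><input type="submit" value="Submit Comment" /></td></tr>
        </table>
        </form>
        </div>';
    }
  } else {
    $_ob .= '<h3>Got something to say?</h3><p>You need to be logged in to post comments. <a href="'.makeUrlNS('Special', 'Login/'.$pname.'%2523comments').'">Log in</a></p>';
  }
  $list .= '};';
  // Everything HTML is URL-encoded and unescape()d client-side so it survives being embedded in Javascript
  echo 'document.getElementById(\'ajaxEditContainer\').innerHTML = unescape(\''. rawurlencode($_ob) .'\');
  ' . $list;
  echo 'Fat.fade_all(); document.getElementById(\'mdgCommentForm\').style.display = \'none\'; document.getElementById(\'mdgCommentFormLink\').style.display="inline";';

  $ret = ob_get_contents();
  ob_end_clean();
  return Array($ret, $_ob);

}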
/**
 * Generates ready-to-execute Javascript code to be eval'ed by the user's browser to display comments
 *
 * Thin wrapper around comments_raw() that keeps only the Javascript half of its result.
 * @param $page_id the page ID
 * @param $namespace the namespace
 * @param $action administrative action to perform, default is false
 * @param $id additional info for $action, passed through as the $flags argument of comments_raw()
 * @param $_ob text to prepend to output, used by PageUtils::addcomment
 * @return string
 */

function comments($page_id, $namespace, $action = false, $id = -1, $_ob = '')
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  list($js, $html) = PageUtils::comments_raw($page_id, $namespace, $action, $id, $_ob);
  return $js;
}
/**
 * Generates HTML code for comments - used in browser compatibility mode
 *
 * Thin wrapper around comments_raw() that keeps only the HTML half of its result.
 * @param $page_id the page ID
 * @param $namespace the namespace
 * @param $action administrative action to perform, default is false
 * @param $id additional info for $action, passed through as the $flags argument of comments_raw()
 * @param $_ob text to prepend to output, used by PageUtils::addcomment
 * @return string
 */

function comments_html($page_id, $namespace, $action = false, $id = -1, $_ob = '')
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  list($js, $html) = PageUtils::comments_raw($page_id, $namespace, $action, $id, $_ob);
  return $html;
}
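/**
 * Updates comment data.
 *
 * The comment is located by its previous subject and text rather than by
 * primary key (see savecomment_neater() for the key-based variant).
 * Non-moderators may only edit comments that were posted under their own
 * username; that ownership check is done against the database, not the client.
 *
 * @param $page_id the page ID
 * @param $namespace the namespace
 * @param $subject new subject
 * @param $text new text
 * @param $old_subject the old subject, unprocessed and identical to the value in the DB
 * @param $old_text the old text, unprocessed and identical to the value in the DB
 * @param $id the javascript list ID, used internally by the client-side app
 * @return string Javascript fragment for the client; sets result="GOOD" or result="BAD"
 */

function savecomment($page_id, $namespace, $subject, $text, $old_subject, $old_text, $id = -1)
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  if(!$session->get_permissions('edit_comments'))
    return 'result="BAD";error="Access denied"';
  // Avoid SQL injection - every one of these arrives from the request
  $old_text = $db->escape($old_text);
  $old_subject = $db->escape($old_subject);
  $page_id = $db->escape($page_id);
  $namespace = $db->escape($namespace);
  // $id is echoed back into Javascript, so only an integer may pass through
  $id = intval($id);
  // Safety check - username/login
  if(!$session->get_permissions('mod_comments')) // allow mods to edit comments
  {
    if(!$session->user_logged_in) _die('AJAX comment save safety check failed because you are not logged in. Sometimes this can happen because you are using a browser that does not send cookies as part of AJAX requests.<br /><br />Please log in and try again.');
    $q = 'SELECT c.name FROM '.table_prefix.'comments c, '.table_prefix.'users u WHERE comment_data=\''.$old_text.'\' AND subject=\''.$old_subject.'\' AND page_id=\''.$page_id.'\' AND namespace=\''.$namespace.'\' AND u.user_id=c.user_id;';
    $s = $db->sql_query($q);
    if(!$s) _die('SQL error during safety check: '.mysql_error().'<br /><br>Attempted SQL:<br /><pre>'.htmlspecialchars($q).'</pre>');
    // Read the row count and the row before the result set is released
    $found = ( $db->numrows() > 0 );
    $r = $db->fetchrow($s);
    $db->free_result();
    if(!$found || !$r || $r['name'] !== $session->username) _die('Safety check failed, probably due to a hacking attempt.');
  }
  $s = RenderMan::preprocess_text($subject);
  $t = RenderMan::preprocess_text($text);
  // NOTE(review): $s and $t are written to SQL without $db->escape(); assumes preprocess_text() returns SQL-safe text - confirm
  $sql = 'UPDATE '.table_prefix.'comments SET subject=\''.$s.'\',comment_data=\''.$t.'\' WHERE comment_data=\''.$old_text.'\' AND subject=\''.$old_subject.'\' AND page_id=\''.$page_id.'\' AND namespace=\''.$namespace.'\'';
  $result = $db->sql_query($sql);
  if($result)
  {
    // Newlines are round-tripped through a placeholder so stripslashes() does not eat the "\n" escapes
    return 'result="GOOD";
    list['.$id.'][\'subject\'] = unescape(\''.str_replace('%5Cn', '%0A', rawurlencode(str_replace('{{EnAnO:Newline}}', '\\n', stripslashes(str_replace('\\n', '{{EnAnO:Newline}}', $s))))).'\');
    list['.$id.'][\'comment\'] = unescape(\''.str_replace('%5Cn', '%0A', rawurlencode(str_replace('{{EnAnO:Newline}}', '\\n', stripslashes(str_replace('\\n', '{{EnAnO:Newline}}', $t))))).'\'); id = '.$id.';
    s = unescape(\''.rawurlencode($s).'\');
    t = unescape(\''.str_replace('%5Cn', '<br \\/>', rawurlencode(RenderMan::render(str_replace('{{EnAnO:Newline}}', "\n", stripslashes(str_replace('\\n', '{{EnAnO:Newline}}', $t)))))).'\');';
  }
  else
  {
    // The failure message embeds the SQL statement (existing behaviour of this endpoint)
    return 'result="BAD"; error=unescape("'.rawurlencode('Enano encountered a problem whilst saving the comment.
Performed SQL:
'.$sql.'

Error returned by MySQL: '.mysql_error()).'");';
  }
}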
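/**
 * Updates comment data using the comment_id column instead of the old, messy way
 *
 * Non-moderators may only edit comments that were posted under their own
 * username; that ownership check is done against the database, not the client.
 *
 * @param $page_id the page ID
 * @param $namespace the namespace
 * @param $subject new subject
 * @param $text new text
 * @param $id the comment ID (primary key in enano_comments table); must be a PHP integer
 * @return string 'good' on success, otherwise an error description
 */

function savecomment_neater($page_id, $namespace, $subject, $text, $id)
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  // $id is interpolated into SQL unquoted, hence the hard type check
  if(!is_int($id)) die('PageUtils::savecomment: $id is not an integer, aborting for safety');
  if(!$session->get_permissions('edit_comments'))
    return 'Access denied';
  // Avoid SQL injection - both values arrive from the request
  $page_id = $db->escape($page_id);
  $namespace = $db->escape($namespace);
  // Safety check - username/login
  if(!$session->get_permissions('mod_comments')) // allow mods to edit comments
  {
    if(!$session->user_logged_in) _die('AJAX comment save safety check failed because you are not logged in. Sometimes this can happen because you are using a browser that does not send cookies as part of AJAX requests.<br /><br />Please log in and try again.');
    $q = 'SELECT c.name FROM '.table_prefix.'comments c, '.table_prefix.'users u WHERE comment_id='.$id.' AND page_id=\''.$page_id.'\' AND namespace=\''.$namespace.'\' AND u.user_id=c.user_id;';
    $s = $db->sql_query($q);
    if(!$s) _die('SQL error during safety check: '.mysql_error().'<br /><br />Attempted SQL:<br /><pre>'.htmlspecialchars($q).'</pre>');
    $r = $db->fetchrow($s);
    // fetchrow() returns false when no row matched; treat that like a mismatch
    if($db->numrows() < 1 || !$r || $r['name'] !== $session->username) _die('Safety check failed, probably due to a hacking attempt.');
    $db->free_result();
  }
  $s = RenderMan::preprocess_text($subject);
  $t = RenderMan::preprocess_text($text);
  // NOTE(review): $s and $t are written to SQL without $db->escape(); assumes preprocess_text() returns SQL-safe text - confirm
  $sql = 'UPDATE '.table_prefix.'comments SET subject=\''.$s.'\',comment_data=\''.$t.'\' WHERE comment_id='.$id.' AND page_id=\''.$page_id.'\' AND namespace=\''.$namespace.'\'';
  $result = $db->sql_query($sql);
  if($result)
    return 'good';
  // The failure message embeds the SQL statement (existing behaviour of this endpoint)
  else return 'Enano encountered a problem whilst saving the comment.
Performed SQL:
'.$sql.'

Error returned by MySQL: '.mysql_error();
}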
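/**
 * Deletes a comment, matching it by poster name, subject and text (the old way;
 * deletecomment_neater() matches on comment_id instead).
 *
 * Non-moderators may only delete a comment posted under their own username.
 *
 * @param string $page_id   the page ID
 * @param string $namespace the namespace
 * @param string $name      the name the user posted under
 * @param string $subj      the subject of the comment to be deleted
 * @param string $text      the text of the comment to be deleted
 * @param int|string $id    the javascript list ID, used internally by the client-side app;
 *                          only validated here (must be all digits), never used in SQL
 * @return string 'good' on success, otherwise a Javascript snippet that reports the error;
 *                dies on a malformed $id or a failed ownership check
 */
function deletecomment($page_id, $namespace, $name, $subj, $text, $id)
{
  global $db, $session, $paths, $template, $plugins; // Common objects

  if(!$session->get_permissions('edit_comments'))
    return 'alert("Access to delete/edit comments is denied");';

  if(!preg_match('#^([0-9]+)$#', (string)$id)) die('$_GET[id] is improperly formed.');

  // Everything that ends up inside a quoted SQL literal is escaped exactly once here
  $n = $db->escape($name);
  $s = $db->escape($subj);
  $t = $db->escape($text);
  $page_id_db = $db->escape($page_id);
  $namespace_db = $db->escape($namespace);

  // Safety check - username/login. Moderators may delete any comment; everyone else
  // only a comment that was posted under their own username.
  if(!$session->get_permissions('mod_comments'))
  {
    if(!$session->user_logged_in) _die('AJAX comment save safety check failed because you are not logged in. Sometimes this can happen because you are using a browser that does not send cookies as part of AJAX requests.<br /><br />Please log in and try again.');
    $q = 'SELECT c.name FROM '.table_prefix.'comments c, '.table_prefix.'users u WHERE comment_data=\''.$t.'\' AND subject=\''.$s.'\' AND page_id=\''.$page_id_db.'\' AND namespace=\''.$namespace_db.'\' AND u.user_id=c.user_id;';
    // The result handle gets its own variable: the original stored it in $s, clobbering
    // the escaped subject so the DELETE below could never match for non-moderators.
    $res = $db->sql_query($q);
    if(!$res) _die('SQL error during safety check: '.mysql_error().'<br /><br />Attempted SQL:<br /><pre>'.htmlspecialchars($q).'</pre>');
    $r = $db->fetchrow($res);
    if($db->numrows() < 1 || $r['name'] != $session->username) _die('Safety check failed, probably due to a hacking attempt.');
    $db->free_result();
  }
  $q = 'DELETE FROM '.table_prefix.'comments WHERE page_id=\''.$page_id_db.'\' AND namespace=\''.$namespace_db.'\' AND name=\''.$n.'\' AND subject=\''.$s.'\' AND comment_data=\''.$t.'\' LIMIT 1;';
  $e = $db->sql_query($q);
  // 'unescape' was misspelled in the emitted Javascript, so the error path itself threw client-side
  if(!$e) return('alert(unescape(\''.rawurlencode('Error during query: '.mysql_error().'\n\nQuery:\n'.$q).'\'));');
  return('good');
}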
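/**
 * Deletes a comment in a cleaner fashion, keyed on its comment_id.
 *
 * Non-moderators may only delete a comment posted under their own username.
 *
 * @param string     $page_id   the page ID
 * @param string     $namespace the namespace
 * @param int|string $id        the comment ID (primary key); must be all digits
 * @return string 'good' on success, otherwise a Javascript snippet that reports the error;
 *                dies on a malformed $id or a failed ownership check
 */
function deletecomment_neater($page_id, $namespace, $id)
{
  global $db, $session, $paths, $template, $plugins; // Common objects

  // $id is spliced into SQL unquoted, so it is restricted to digits before anything else
  if(!preg_match('#^([0-9]+)$#', (string)$id)) die('$_GET[id] is improperly formed.');

  if(!$session->get_permissions('edit_comments'))
    return 'alert("Access to delete/edit comments is denied");';

  // Page identifiers end up inside quoted SQL literals; escaped once here
  $page_id_db = $db->escape($page_id);
  $namespace_db = $db->escape($namespace);

  // Safety check - username/login. Moderators may delete any comment; everyone else
  // only a comment that was posted under their own username.
  if(!$session->get_permissions('mod_comments'))
  {
    if(!$session->user_logged_in) _die('AJAX comment save safety check failed because you are not logged in. Sometimes this can happen because you are using a browser that does not send cookies as part of AJAX requests.<br /><br />Please log in and try again.');
    $q = 'SELECT c.name FROM '.table_prefix.'comments c, '.table_prefix.'users u WHERE comment_id='.$id.' AND page_id=\''.$page_id_db.'\' AND namespace=\''.$namespace_db.'\' AND u.user_id=c.user_id;';
    $res = $db->sql_query($q);
    if(!$res) _die('SQL error during safety check: '.mysql_error().'<br /><br />Attempted SQL:<br /><pre>'.htmlspecialchars($q).'</pre>');
    $r = $db->fetchrow($res);
    if($db->numrows() < 1 || $r['name'] != $session->username) _die('Safety check failed, probably due to a hacking attempt.');
    $db->free_result();
  }
  $q = 'DELETE FROM '.table_prefix.'comments WHERE page_id=\''.$page_id_db.'\' AND namespace=\''.$namespace_db.'\' AND comment_id='.$id.' LIMIT 1;';
  $e = $db->sql_query($q);
  // 'unescape' was misspelled in the emitted Javascript, so the error path itself threw client-side
  if(!$e) return('alert(unescape(\''.rawurlencode('Error during query: '.mysql_error().'\n\nQuery:\n'.$q).'\'));');
  return('good');
}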
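/**
 * Renames a page.
 *
 * @param string $page_id   the page ID
 * @param string $namespace the namespace
 * @param string $name      the new name for the page
 * @return string error string or success message; dies if $name is empty
 */
function rename($page_id, $namespace, $name)
{
  global $db, $session, $paths, $template, $plugins; // Common objects

  $pname = $paths->nslist[$namespace] . $page_id;
  // NOTE(review): no isset() guard - an unknown $pname raises notices and is then
  // treated as unprotected; confirm that callers only pass existing pages.
  $page = $paths->pages[$pname];

  // protected == 1 is full protection; protected == 2 (semi) only applies to logged-in
  // accounts whose registration is older than four days.
  // NOTE(review): that age test reads inverted for semi-protection (it restricts
  // established users rather than new ones) - confirm the intent before changing it.
  $prot = ( $page['protected'] == 2 && $session->user_logged_in && $session->reg_time + 60*60*24*4 < time() )
          || $page['protected'] == 1;

  if( empty($name) )
  {
    die('Name is too short');
  }

  // Renaming needs the 'rename' right, plus 'even_when_protected' when the page is protected.
  // NOTE(review): the Special/Admin exclusion tests $paths->namespace (the page being
  // viewed) rather than the $namespace argument - presumably they coincide; verify.
  $may_rename = $session->get_permissions('rename') && ( !$prot || $session->get_permissions('even_when_protected') );
  if ( $may_rename && $paths->namespace != 'Special' && $paths->namespace != 'Admin' )
  {
    // The log entry is written before the rename itself.
    // NOTE(review): it records $paths->cpage (the page being viewed), not $page_id /
    // $namespace - confirm these are always the same page.
    $e = $db->sql_query('INSERT INTO '.table_prefix.'logs(time_id,date_string,log_type,action,page_id,namespace,author,edit_summary) VALUES('.time().', \''.date('d M Y h:i a').'\', \'page\', \'rename\', \''.$db->escape($paths->cpage['urlname_nons']).'\', \''.$paths->namespace.'\', \''.$db->escape($session->username).'\', \''.$db->escape($paths->cpage['name']).'\')');
    if ( !$e )
    {
      $db->_die('The page title could not be updated.');
    }
    $e = $db->sql_query('UPDATE '.table_prefix.'pages SET name=\''.$db->escape($name).'\' WHERE urlname=\''.$db->escape($page_id).'\' AND namespace=\''.$db->escape($namespace).'\';');
    if ( !$e )
    {
      $db->_die('The page title could not be updated.');
    }
    // The new name is echoed back verbatim; escaping for the output context is the caller's job
    return('The page "'.$page['name'].'" has been renamed to "'.$name.'". You are encouraged to leave a comment explaining your action.' . "\n\n" . 'You will see the change take effect the next time you reload this page.');
  }
  return('Access is denied.');
}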
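/**
 * Flushes (clears) the action logs for a given page. If the page still exists, a copy of
 * its current text is written back into the logs first, so the page can be restored if
 * it is vandalised after the history is gone.
 *
 * @param string $page_id   the page ID
 * @param string $namespace the namespace
 * @return string error/success string; dies if the caller lacks the clear_logs right
 */
function flushlogs($page_id, $namespace)
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  if(!$session->get_permissions('clear_logs')) die('Administrative privileges are required to flush logs, you loser.');

  // Escaped once and reused: the original escaped the DELETE but interpolated the
  // same values raw into the SELECT and INSERT below.
  $page_id_db = $db->escape($page_id);
  $namespace_db = $db->escape($namespace);

  $e = $db->sql_query('DELETE FROM '.table_prefix.'logs WHERE page_id=\''.$page_id_db.'\' AND namespace=\''.$namespace_db.'\';');
  if(!$e) $db->_die('The log entries could not be deleted.');

  // If the page exists, make a backup of it in case it gets spammed/vandalized
  // If not, the admin's probably deleting a trash page
  if ( isset($paths->pages[ $paths->nslist[$namespace] . $page_id ]) )
  {
    $e = $db->sql_query('SELECT page_text,char_tag FROM '.table_prefix.'page_text WHERE page_id=\''.$page_id_db.'\' AND namespace=\''.$namespace_db.'\';');
    if(!$e) $db->_die('The current page text could not be selected; as a result, creating the backup of the page failed. Please make a backup copy of the page by clicking Edit this page and then clicking Save Changes.');
    $row = $db->fetchrow();
    $db->free_result();
    // Values read back from the database or the session are escaped again on the way in;
    // the edit summary is a fixed string and minor_edit is the literal false.
    $q='INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,page_id,namespace,page_text,char_tag,author,edit_summary,minor_edit) VALUES(\'page\', \'edit\', '.time().', \''.date('d M Y h:i a').'\', \''.$page_id_db.'\', \''.$namespace_db.'\', \''.$db->escape($row['page_text']).'\', \''.$db->escape($row['char_tag']).'\', \''.$db->escape($session->username).'\', \''."Automatic backup created when logs were purged".'\', '.'false'.');';
    if(!$db->sql_query($q)) $db->_die('The history (log) entry could not be inserted into the logs table.');
  }
  return('The logs for this page have been cleared. A backup of this page has been added to the logs table so that this page can be restored in case of vandalism or spam later.');
}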
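/**
 * Deletes a page: its categorisation rows, comments, text, page record and file record,
 * after writing a 'delete' entry to the logs. The edit history itself is left in place.
 *
 * @param string $page_id   the condemned page ID
 * @param string $namespace the condemned namespace
 * @param string $reason    the reason for deleting the page in question
 * @return string success message, or an error string when the reason is blank or the
 *                caller lacks the delete_page right on this page
 */
function deletepage($page_id, $namespace, $reason)
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  $perms = $session->fetch_page_acl($page_id, $namespace);
  // Compared against '' rather than empty(), so a reason of "0" is not rejected
  if ( trim($reason) === '' )
  {
    return 'Invalid reason for deletion passed';
  }
  if(!$perms->get_permissions('delete_page')) return('Administrative privileges are required to delete pages, you loser.');

  // Escaped once; used in every quoted literal below (the original interpolated them raw)
  $page_id_db = $db->escape($page_id);
  $namespace_db = $db->escape($namespace);

  $e = $db->sql_query('INSERT INTO '.table_prefix.'logs(time_id,date_string,log_type,action,page_id,namespace,author,edit_summary) VALUES('.time().', \''.date('d M Y h:i a').'\', \'page\', \'delete\', \''.$page_id_db.'\', \''.$namespace_db.'\', \''.$db->escape($session->username).'\', \'' . $db->escape(htmlspecialchars($reason)) . '\')');
  if(!$e) $db->_die('The page log entry could not be inserted.');
  $e = $db->sql_query('DELETE FROM '.table_prefix.'categories WHERE page_id=\''.$page_id_db.'\' AND namespace=\''.$namespace_db.'\'');
  if(!$e) $db->_die('The page categorization entries could not be deleted.');
  $e = $db->sql_query('DELETE FROM '.table_prefix.'comments WHERE page_id=\''.$page_id_db.'\' AND namespace=\''.$namespace_db.'\'');
  if(!$e) $db->_die('The page comments could not be deleted.');
  $e = $db->sql_query('DELETE FROM '.table_prefix.'page_text WHERE page_id=\''.$page_id_db.'\' AND namespace=\''.$namespace_db.'\'');
  if(!$e) $db->_die('The page text entry could not be deleted.');
  $e = $db->sql_query('DELETE FROM '.table_prefix.'pages WHERE urlname=\''.$page_id_db.'\' AND namespace=\''.$namespace_db.'\'');
  if(!$e) $db->_die('The page entry could not be deleted.');
  // NOTE(review): the files row is matched on page_id only (no namespace) - confirm that
  // is intended, since the same page_id can exist in more than one namespace.
  $e = $db->sql_query('DELETE FROM '.table_prefix.'files WHERE page_id=\''.$page_id_db.'\'');
  if(!$e) $db->_die('The file entry could not be deleted.');
  return('This page has been deleted. Note that there is still a log of edits and actions in the database, and anyone with admin rights can raise this page from the dead unless the log is cleared. If the deleted file is an image, there may still be cached thumbnails of it in the cache/ directory, which is inaccessible to users.');
}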
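/**
 * Increments the deletion votes for a page by 1, and adds the current IP address (and
 * username, when logged in) to the page's voter list to prevent dual-voting.
 *
 * @param string $page_id   the page ID
 * @param string $namespace the namespace
 * @return string success message, 'Access denied', an already-voted notice, or an SQL error string
 */
function delvote($page_id, $namespace)
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  if(!$session->get_permissions('vote_delete'))
    return 'Access denied';
  $pname = $paths->nslist[$namespace] . $page_id;
  $cv = $paths->pages[$pname]['delvotes'];
  // delvote_ips is a '|'-separated list mixing IP addresses and usernames. explode() on an
  // empty column yields one empty element; dropping empties here keeps it from ever being
  // written back as a stray separator.
  $ips = array_filter(explode('|', (string)$paths->pages[$pname]['delvote_ips']), 'strlen');
  $already_voted = 'It appears that you have already voted to have this page deleted.';
  if(in_array($_SERVER['REMOTE_ADDR'], $ips, true)) return($already_voted);
  if($session->user_logged_in && in_array($session->username, $ips, true))
    return($already_voted);
  $ips[] = $_SERVER['REMOTE_ADDR'];
  if($session->user_logged_in) $ips[] = $session->username;
  // The original trimmed the first character of the joined list to drop a leading '|';
  // on every vote after the first that chopped the first byte of the first entry instead.
  $ips = implode('|', $ips);
  $cv++;
  // The voter list contains client-supplied data (REMOTE_ADDR, usernames) and is escaped
  // before being quoted into the statement, as are the page identifiers.
  $q = 'UPDATE '.table_prefix.'pages SET delvotes='.intval($cv).',delvote_ips=\''.$db->escape($ips).'\' WHERE urlname=\''.$db->escape($page_id).'\' AND namespace=\''.$db->escape($namespace).'\'';
  $w = $db->sql_query($q);
  if(!$w) return("Error updating pages table: ".mysql_error()."\n\nAttemped SQL:\n".$q);
  return('Your vote to have this page deleted has been cast.'."\nYou are encouraged to leave a comment explaining the reason for your vote.");
}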
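/**
 * Resets the number of votes against a page to 0 and clears its voter list.
 *
 * @param string $page_id   the page ID
 * @param string $namespace the namespace
 * @return string success message; dies if the caller lacks the vote_reset right or the query fails
 */
function resetdelvotes($page_id, $namespace)
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  if(!$session->get_permissions('vote_reset')) die('You need moderator rights in order to do this, stinkin\' hacker.');
  // Page identifiers are escaped before being quoted into the statement (the original interpolated them raw)
  $q = 'UPDATE '.table_prefix.'pages SET delvotes=0,delvote_ips=\'\' WHERE urlname=\''.$db->escape($page_id).'\' AND namespace=\''.$db->escape($namespace).'\'';
  $e = $db->sql_query($q);
  if(!$e) $db->_die('The number of delete votes was not reset.');
  else return('The number of votes for having this page deleted has been reset to zero.');
}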
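/**
 * Gets a list of styles for a given theme name. As of Banshee, this returns JSON.
 *
 * The theme is read from $_GET['id'] (this method takes no parameters). Because that
 * value becomes part of a filesystem path, it must be a single plain directory name;
 * anything containing a path separator, or equal to '.' / '..', is rejected.
 *
 * @return string JSON: a list of style names on success, or an object with
 *                mode => 'error' and an 'error' message
 */
function getstyles()
{
  $json = new Services_JSON(SERVICES_JSON_LOOSE_TYPE);

  // $_GET['id'] is user-controlled; restrict it to one path component before it
  // touches the filesystem (the original spliced it straight into the path).
  $id = isset($_GET['id']) ? (string)$_GET['id'] : '';
  if ( !preg_match('#^[A-Za-z0-9_.-]+$#', $id) || $id == '.' || $id == '..' )
  {
    return($json->encode(Array('mode' => 'error', 'error' => 'Invalid theme ID')));
  }

  $dir = './themes/'.$id.'/css/';
  $list = Array();
  if ( !is_dir($dir) )
  {
    return($json->encode(Array('mode' => 'error', 'error' => $dir.' is not a dir')));
  }
  // Open a known directory, and proceed to read its contents
  if ($dh = opendir($dir))
  {
    while (($file = readdir($dh)) !== false)
    {
      // Every *.css file is a style, except _printable.css, which each theme is expected
      // to ship as a mostly black-and-white copy of its default style for printing.
      if(preg_match('#^(.*?)\.css$#is', $file) && $file != '_printable.css')
      {
        $list[] = substr($file, 0, strlen($file)-4);
      }
    }
    closedir($dh);
  }

  return $json->encode($list);
}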
/**
 * Assembles a Javascript app with category information: the script part from
 * catedit_raw() followed by a statement that injects the HTML part into the
 * ajaxEditContainer element.
 *
 * @param string $page_id   the page ID
 * @param string $namespace the namespace
 * @return string Javascript code
 */
function catedit($page_id, $namespace)
{
  list($script, $html) = PageUtils::catedit_raw($page_id, $namespace);
  $script .= ' /* BEGIN CONTENT */ document.getElementById("ajaxEditContainer").innerHTML = unescape(\'' . rawurlencode($html) . '\');';
  return $script;
}
/**
 * Does the actual HTML/javascript generation for cat editing, but returns an array.
 *
 * Two things are produced: Javascript (a client-side "catlist" array) is echoed into an
 * output buffer, and the HTML form is accumulated in $_ob. Both are returned as
 * array($javascript, $html). The current page's category membership is read for the
 * page being viewed ($paths->cpage); $page_id/$namespace are only used for the form action.
 *
 * @param string $page_id   the page ID
 * @param string $namespace the namespace
 * @return array two strings: [0] Javascript, [1] HTML
 * @access private
 */
function catedit_raw($page_id, $namespace)
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  ob_start();
  $_ob = '';
  // NOTE(review): this keys on the page being viewed, not on the $page_id/$namespace
  // arguments - confirm the two always coincide for callers of this method.
  $e = $db->sql_query('SELECT category_id FROM '.table_prefix.'categories WHERE page_id=\''.$paths->cpage['urlname_nons'].'\' AND namespace=\''.$paths->namespace.'\'');
  if(!$e) jsdie('Error selecting category information for current page: '.mysql_error());
  $cat_current = Array();
  while($r = $db->fetchrow())
  {
    $cat_current[] = $r;
  }
  $db->free_result();
  // Collect every page in the Category namespace. The /2 presumes $paths->pages holds each
  // page twice (numeric index plus name key), mirroring what is done to $cat_all just below.
  $cat_all = Array();
  for($i=0;$i<sizeof($paths->pages)/2;$i++)
  {
    if($paths->pages[$i]['namespace']=='Category') $cat_all[] = $paths->pages[$i];
  }

  // Make $cat_all an associative array, like $paths->pages
  $sz = sizeof($cat_all);
  for($i=0;$i<$sz;$i++)
  {
    $cat_all[$cat_all[$i]['urlname_nons']] = $cat_all[$i];
  }
  // Now, the "zipper" function - join the list of categories with the list of cats that this page is a part of
  $cat_info = $cat_all;
  for($i=0;$i<sizeof($cat_current);$i++)
  {
    $un = $cat_current[$i]['category_id'];
    $cat_info[$un]['member'] = true;
  }
  // Now copy the information we just set into the numerically named keys
  for($i=0;$i<sizeof($cat_info)/2;$i++)
  {
    $un = $cat_info[$i]['urlname_nons'];
    $cat_info[$i] = $cat_info[$un];
  }

  echo 'catlist = new Array();'; // Initialize the client-side category list
  $_ob .= '<h3>Select which categories this page should be included in.</h3>
<form name="mdgCatForm" action="'.makeUrlNS($namespace, $page_id, 'do=catedit').'" method="post">';
  if ( sizeof($cat_info) < 1 )
  {
    $_ob .= '<p>There are no categories on this site yet.</p>';
  }
  for ( $i = 0; $i < sizeof($cat_info) / 2; $i++ )
  {
    // Protection code added 1/3/07
    // Updated 3/4/07
    // A checkbox is disabled when the user may not edit categories at all, may not edit
    // this category, or the category is protected and the user lacks even_when_protected.
    $is_prot = false;
    $perms = $session->fetch_page_acl($cat_info[$i]['urlname_nons'], 'Category');
    if ( !$session->get_permissions('edit_cat') || !$perms->get_permissions('edit_cat') ||
      ( $cat_info[$i]['really_protected'] && !$perms->get_permissions('even_when_protected') ) )
      $is_prot = true;
    $prot = ( $is_prot ) ? ' disabled="disabled" ' : '';
    $prottext = ( $is_prot ) ? ' <img alt="(protected)" width="16" height="16" src="'.scriptPath.'/images/lock16.png" />' : '';
    // NOTE(review): urlname_nons is written into a Javascript string literal and into HTML
    // attributes, and name into HTML text, all without escaping - confirm both are
    // constrained where pages are created, or escape them per context here.
    echo 'catlist['.$i.'] = \''.$cat_info[$i]['urlname_nons'].'\';';
    $_ob .= '<span class="catCheck"><input '.$prot.' name="'.$cat_info[$i]['urlname_nons'].'" id="mdgCat_'.$cat_info[$i]['urlname_nons'].'" type="checkbox"';
    if(isset($cat_info[$i]['member'])) $_ob .= ' checked="checked"';
    $_ob .= '/> <label for="mdgCat_'.$cat_info[$i]['urlname_nons'].'">'.$cat_info[$i]['name'].$prottext.'</label></span><br />';
  }

  // Nothing to save when the site has no categories
  $disabled = ( sizeof($cat_info) < 1 ) ? 'disabled="disabled"' : '';

  $_ob .= '<div style="border-top: 1px solid #CCC; padding-top: 5px; margin-top: 10px;"><input name="__enanoSaveButton" ' . $disabled . ' style="font-weight: bold;" type="submit" onclick="ajaxCatSave(); return false;" value="Save changes" /> <input name="__enanoCatCancel" type="submit" onclick="ajaxReset(); return false;" value="Cancel" /></div></form>';

  $cont = ob_get_contents();
  ob_end_clean();
  return Array($cont, $_ob);
}
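/**
 * Saves category information for a page by replacing all of its category rows.
 * WARNING: If $which_cats is empty, all the category information for the selected page will be nuked!
 *
 * Categories the user is not allowed to edit (no edit_cat right on them, protected
 * without even_when_protected, or the page itself protected) keep their current
 * state: the page stays in them if it already is, and is never added otherwise.
 *
 * @param string $page_id    the page ID
 * @param string $namespace  the namespace
 * @param array  $which_cats associative array of categories (keyed by urlname) to put the page in
 * @return string "GOOD" on success, error string on failure; dies if a DELETE/INSERT fails
 */
function catsave($page_id, $namespace, $which_cats)
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  if(!$session->get_permissions('edit_cat')) return('Insufficient privileges to change category information');

  $page_perms = $session->fetch_page_acl($page_id, $namespace);
  $page_data =& $paths->pages[$paths->nslist[$namespace].$page_id];

  // Escaped once; used in every quoted SQL literal below (the original interpolated them raw)
  $page_id_db = $db->escape($page_id);
  $namespace_db = $db->escape($namespace);

  // Collect every page in the Category namespace. The /2 presumes $paths->pages holds each
  // page twice (numeric index plus name key), mirroring what is done to $cat_all just below.
  $cat_all = Array();
  for($i=0;$i<sizeof($paths->pages)/2;$i++)
  {
    if($paths->pages[$i]['namespace']=='Category') $cat_all[] = $paths->pages[$i];
  }

  // Make $cat_all an associative array, like $paths->pages
  $sz = sizeof($cat_all);
  for($i=0;$i<$sz;$i++)
  {
    $cat_all[$cat_all[$i]['urlname_nons']] = $cat_all[$i];
  }

  $rowlist = Array();

  // Walk the numerically keyed entries only
  for($i=0;$i<$sz;$i++)
  {
    $cat_id = $cat_all[$i]['urlname_nons'];
    $auth = true;
    $perms = $session->fetch_page_acl($cat_id, 'Category');
    if ( !$session->get_permissions('edit_cat') || !$perms->get_permissions('edit_cat') ||
      ( $cat_all[$i]['really_protected'] && !$perms->get_permissions('even_when_protected') ) ||
      ( !$page_perms->get_permissions('even_when_protected') && $page_data['protected'] == '1' ) )
      $auth = false;
    if(!$auth)
    {
      // Find out if the page is currently in *this* category; if so its membership is
      // frozen. The original query had no category_id condition, so membership in any
      // category forced the page into every category the user was not allowed to edit.
      $q = $db->sql_query('SELECT * FROM '.table_prefix.'categories WHERE page_id=\''.$page_id_db.'\' AND namespace=\''.$namespace_db.'\' AND category_id=\''.$db->escape($cat_id).'\';');
      if(!$q)
        return 'MySQL error: '.$db->get_error();
      if($db->numrows() > 0)
      {
        $auth = true;
        $which_cats[$cat_id] = true; // Force the category to stay in its current state
      }
      $db->free_result();
    }
    if(isset($which_cats[$cat_id]) && $which_cats[$cat_id] == true /* for clarity ;-) */ && $auth ) $rowlist[] = '(\''.$page_id_db.'\', \''.$namespace_db.'\', \''.$db->escape($cat_id).'\')';
  }
  // The page's category rows are always replaced wholesale: delete, then re-insert
  // whatever survived the checks above (possibly nothing).
  $e = $db->sql_query('DELETE FROM '.table_prefix.'categories WHERE page_id=\''.$page_id_db.'\' AND namespace=\''.$namespace_db.'\';');
  if(!$e) $db->_die('The old category data could not be deleted.');
  if(sizeof($rowlist) > 0)
  {
    $val = implode(',', $rowlist);
    $q = 'INSERT INTO '.table_prefix.'categories(page_id,namespace,category_id) VALUES' . $val . ';';
    $e = $db->sql_query($q);
    if(!$e) $db->_die('The new category data could not be inserted.');
  }
  return('GOOD');
}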
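/**
 * Sets the wiki mode level for a page.
 *
 * Only the three documented levels are accepted; the page identifiers are escaped before they
 * reach the query. On failure the driver's error message is returned without the SQL backtrace
 * the previous version attached (that backtrace exposed table and query internals to the UI).
 *
 * @param $page_id string the page ID
 * @param $namespace string the namespace
 * @param $level int 0 for off, 1 for on, 2 for use global setting
 * @return string "GOOD" on success, error string on failure
 */

function setwikimode($page_id, $namespace, $level)
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  if ( !$session->get_permissions('set_wiki_mode') )
    return 'Insufficient access rights';
  // Reject anything that is not exactly one of 0, 1, 2 (the D modifier also refuses a trailing newline).
  if ( !isset($level) || !preg_match('#^[0-2]$#D', (string)$level) )
    return 'Invalid mode string';
  $level = intval($level);
  // $page_id and $namespace originate from the request.
  $q = $db->sql_query('UPDATE ' . table_prefix . 'pages SET wiki_mode=' . $level . ' WHERE urlname=\'' . $db->escape($page_id) . '\' AND namespace=\'' . $db->escape($namespace) . '\';');
  if ( !$q )
    return 'Error during update query: ' . $db->get_error();
  return 'GOOD';
}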
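/**
 * Sets (or clears) the access password for a page.
 *
 * The client is expected to send the SHA-1 hex digest of the password; a value that is not
 * exactly 40 hex characters is hashed here first. The SHA-1 of the empty string clears the
 * password. SECURITY NOTE (review): what is stored is an unsalted SHA-1 - this is the format
 * the JavaScript side sends and so is kept, but it is weak against offline guessing; moving to
 * a salted scheme needs a coordinated client change.
 *
 * @param $page_id string the page ID
 * @param $namespace string the namespace
 * @param $pass string the SHA1 hash of the password - if the password doesn't match the regex ^[0-9a-f]{40}$ it will be sha1'ed
 * @return string human-readable status or error message
 */

function setpass($page_id, $namespace, $pass)
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  // Determine permissions: replacing an existing password is a separate right from setting a first one.
  $page_key = $paths->nslist[$namespace] . $page_id;
  $has_password = ( isset($paths->pages[$page_key]) && $paths->pages[$page_key]['password'] != '' );
  $allowed = $has_password ? $session->get_permissions('password_reset') : $session->get_permissions('password_set');
  if ( !$allowed )
    return 'Access is denied';
  if ( !isset($pass) )
    return 'Password was not set on URL';
  $p = $pass;
  // Anchored match. The previous pattern was unanchored, so any string that merely *contained*
  // 40 hex digits was stored verbatim - unhashed and, until now, unescaped in the query below.
  if ( !preg_match('#^[0-9a-f]{40}$#D', $p) )
    $p = sha1($p);
  if ( $p == 'da39a3ee5e6b4b0d3255bfef95601890afd80709' ) // sha1('') => no password
    $p = '';
  $e = $db->sql_query('UPDATE ' . table_prefix . 'pages SET password=\'' . $db->escape($p) . '\' WHERE urlname=\'' . $db->escape($page_id) . '\' AND namespace=\'' . $db->escape($namespace) . '\';');
  if ( !$e )
    return 'PageUtils::setpass(): Error during update query: ' . $db->get_error();
  return ( $p == '' ) ? 'The password for this page has been disabled.' : 'The password for this page has been set.';
}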
/**
 * Generates some preview HTML for not-yet-saved wikitext.
 * @param $text string the wikitext to use
 * @return string reminder banner followed by the rendered text in a scroll box
 */

function genPreview($text)
{
  $notice = '<div class="info-box"><b>Reminder:</b> This is only a preview - your changes to this page have not yet been saved.</div>';
  $box_open = '<div style="background-color: #F8F8F8; padding: 10px; border: 1px dashed #406080; max-height: 250px; overflow: auto; margin: 1em 0 1em 1em;">';
  $rendered = RenderMan::render(RenderMan::preprocess_text($text, false, false));
  // SECURITY NOTE (review): the rendered markup is executed as a PHP template. This relies
  // entirely on RenderMan neutralising PHP open tags in user-supplied wikitext; nothing here
  // re-checks that. Confirm against RenderMan before exposing previews to users who do not
  // otherwise have code-execution rights.
  ob_start();
  eval('?>' . $rendered);
  $executed = ob_get_clean();
  return $notice . $box_open . $executed . '</div>';
}
/**
 * Wraps inner HTML in a scrollable, height-limited box.
 * @param string $text the inner HTML; emitted as-is, so the caller is responsible for escaping
 * @param int $height Optional - the maximum height in pixels, coerced with intval(). Defaults to 250.
 * @return string
 */

function scrollBox($text, $height = 250)
{
  $max_height = intval($height);
  $style = 'background-color: #F8F8F8; padding: 10px; border: 1px dashed #406080; max-height: ' . $max_height . 'px; overflow: auto; margin: 1em 0 1em 1em;';
  return '<div style="' . $style . '">' . $text . '</div>';
}
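/**
 * Generates a diff summary between two page revisions.
 *
 * NOTE(review): the check below is the caller's global history_view right; the page's own ACL
 * ($session->fetch_page_acl) is not consulted here. Confirm that is intended.
 *
 * @param $page_id the page ID
 * @param $namespace the namespace
 * @param $id1 the time ID (unix timestamp) of the first revision
 * @param $id2 the time ID of the second revision
 * @return string XHTML-formatted diff, or an error message
 */

function pagediff($page_id, $namespace, $id1, $id2)
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  if ( !$session->get_permissions('history_view') )
    return 'Access denied';
  if ( !preg_match('#^([0-9]+)$#', (string)$id1) || !preg_match('#^([0-9]+)$#', (string)$id2) )
    return 'SQL injection attempt';
  $id1 = intval($id1);
  $id2 = intval($id2);
  // The time IDs were validated above; $page_id and $namespace are request-controlled too and
  // were previously interpolated raw - escape them.
  $page_id_db = $db->escape($page_id);
  $namespace_db = $db->escape($namespace);

  // One query per revision (rather than IN(...)) so the texts cannot land in swapped columns.
  $texts = Array();
  foreach ( Array($id1, $id2) as $time_id )
  {
    $q = $db->sql_query('SELECT page_text FROM ' . table_prefix . 'logs WHERE time_id=' . $time_id . ' AND log_type=\'page\' AND action=\'edit\' AND page_id=\'' . $page_id_db . '\' AND namespace=\'' . $namespace_db . '\';');
    if ( !$q )
      return 'MySQL error: ' . $db->get_error();
    $row = $db->fetchrow($q);
    $db->free_result($q);
    // fetchrow() yields false when there is no such revision; the old sizeof() tests
    // (< 1 for one row, < 2 for the other) were inconsistent with each other.
    if ( !$row )
      return 'Couldn\'t find any rows that matched the query. The time ID probably doesn\'t exist in the logs table.';
    $texts[] = $row['page_text'];
  }

  $time1 = date('F d, Y h:i a', $id1);
  $time2 = date('F d, Y h:i a', $id2);
  $_ob = "\n<p>Comparing revisions: {$time1} → {$time2}</p>\n";
  $_ob .= RenderMan::diff($texts[0], $texts[1]);
  return $_ob;
}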
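/**
 * Gets or changes ACL information about the selected page (or the site-wide rules) for
 * target type X and target ID Y.
 *
 * $parms is an associative array (an array purely for JSON compatibility) with:
 *   - page_id, namespace : optional; if either is missing the site-wide rules are addressed
 *   - mode               : 'listgroups', 'seltarget', 'save_new', 'save_edit' or 'delete'
 *   - target_type        : ACL_TYPE_USER or ACL_TYPE_GROUP (seltarget / save_* / delete)
 *   - target_id          : username for ACL_TYPE_USER, numeric group ID for ACL_TYPE_GROUP
 *   - target_name        : echoed back in save/delete responses
 *   - perms              : the permission array to store (save_*)
 *
 * Every branch returns an array; error responses are Array('mode' => 'error', 'error' => msg).
 * The mode-specific work lives in the acl_editor_* helpers that follow this method.
 *
 * NOTE(review): authorization is the caller's global edit_acl right (or admin level). The
 * commented-out fetch_page_acl() line below shows a per-page check was considered and dropped,
 * so anyone with global edit_acl may edit the ACLs of any page. Confirm this is intended.
 *
 * @param array $parms see above
 * @return array
 */

function acl_editor($parms = Array())
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  if ( !$session->get_permissions('edit_acl') && $session->user_level < USER_LEVEL_ADMIN )
  {
    return Array(
      'mode' => 'error',
      'error' => 'You are not authorized to view or edit access control lists.'
    );
  }
  if ( !is_array($parms) )
    $parms = Array();
  $page_id = ( isset($parms['page_id']) ) ? $parms['page_id'] : false;
  $namespace = ( isset($parms['namespace']) ) ? $parms['namespace'] : false;

  // Site-wide rules have NULL page_id/namespace; page rules are scoped to the (escaped) page.
  // The "lite" variant is for statements without the table alias "a".
  $site_wide = ( empty($page_id) || empty($namespace) );
  $page_where_clause = $site_wide
    ? 'AND a.page_id IS NULL AND a.namespace IS NULL'
    : 'AND a.page_id=\'' . $db->escape($page_id) . '\' AND a.namespace=\'' . $db->escape($namespace) . '\'';
  $page_where_clause_lite = $site_wide
    ? 'AND page_id IS NULL AND namespace IS NULL'
    : 'AND page_id=\'' . $db->escape($page_id) . '\' AND namespace=\'' . $db->escape($namespace) . '\'';

  $template->load_theme();
  // $perms_obj = $session->fetch_page_acl($page_id, $namespace);
  if ( !file_exists(ENANO_ROOT . '/themes/' . $session->theme . '/acledit.tpl') )
  {
    return Array(
      'mode' => 'error',
      'error' => 'It seems that (a) the file acledit.tpl is missing from these theme, and (b) the JSON response is working.',
    );
  }
  $return = Array();
  $return['template'] = $template->extract_vars('acledit.tpl');
  $return['page_id'] = $page_id;
  $return['namespace'] = $namespace;

  if ( !isset($parms['mode']) )
    return $return;

  switch ( $parms['mode'] )
  {
    case 'listgroups':
      return PageUtils::acl_editor_listgroups($return);
    case 'seltarget':
      return PageUtils::acl_editor_seltarget($parms, $return, $page_id, $namespace, $page_where_clause);
    case 'save_new':
    case 'save_edit':
      return PageUtils::acl_editor_save($parms, $page_id, $namespace, $page_where_clause_lite);
    case 'delete':
      return PageUtils::acl_editor_delete($parms, $page_id, $namespace, $page_where_clause_lite);
    default:
      return Array('mode' => 'error', 'error' => 'Hacking attempt');
  }
}

/**
 * acl_editor() 'listgroups' mode: enumerate usergroups and page groups for the target picker.
 * @param array $return response skeleton (template, page_id, namespace already filled in)
 * @return array $return with 'groups' and 'page_groups' added, or an error response
 */

function acl_editor_listgroups($return)
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  $return['groups'] = Array();
  $q = $db->sql_query('SELECT group_id,group_name FROM ' . table_prefix . 'groups ORDER BY group_name ASC;');
  // (the previous version fell straight into fetchrow() on a failed query)
  if ( !$q )
    return Array('mode' => 'error', 'error' => $db->get_error());
  while ( $row = $db->fetchrow() )
  {
    $return['groups'][] = Array(
      'id' => $row['group_id'],
      'name' => $row['group_name'],
    );
  }
  $db->free_result();

  $return['page_groups'] = Array();
  $q = $db->sql_query('SELECT pg_id,pg_name FROM ' . table_prefix . 'page_groups ORDER BY pg_name ASC;');
  if ( !$q )
    return Array('mode' => 'error', 'error' => $db->get_error());
  while ( $row = $db->fetchrow() )
  {
    $return['page_groups'][] = Array(
      'id' => $row['pg_id'],
      'name' => $row['pg_name']
    );
  }
  $db->free_result();
  return $return;
}

/**
 * acl_editor() 'seltarget' mode: load the current rules for one user or group on the selected
 * page (or site-wide) so the editor can display them.
 * @param array $parms request parameters (target_type, target_id)
 * @param array $return response skeleton
 * @param mixed $page_id page ID or false for site-wide
 * @param mixed $namespace namespace or false for site-wide
 * @param string $page_where_clause SQL fragment scoping the acl table (alias "a") to the page
 * @return array
 */

function acl_editor_seltarget($parms, $return, $page_id, $namespace, $page_where_clause)
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  if ( !isset($parms['target_type']) || !isset($parms['target_id']) )
    return Array('mode' => 'error', 'error' => 'Missing target_type or target_id');
  $return['mode'] = 'seltarget';
  $return['acl_types'] = $session->acl_types;
  $return['acl_deps'] = $session->acl_deps;
  $return['acl_descs'] = $session->acl_descs;
  $return['target_type'] = $parms['target_type'];
  $return['target_id'] = $parms['target_id'];
  switch ( $parms['target_type'] )
  {
    case ACL_TYPE_USER:
      // target_id is a username here; it is resolved to the numeric user_id for the response
      $q = $db->sql_query('SELECT a.rules,u.user_id FROM ' . table_prefix . 'users AS u
        LEFT JOIN ' . table_prefix . 'acl AS a
          ON a.target_id=u.user_id
        WHERE a.target_type=' . ACL_TYPE_USER . '
          AND u.username=\'' . $db->escape($parms['target_id']) . '\'
          ' . $page_where_clause . ';');
      if ( !$q )
        return Array('mode' => 'error', 'error' => $db->get_error());
      if ( $db->numrows() < 1 )
      {
        // No rules yet for this user on this scope: offer the defaults, but make sure the user exists.
        $return['type'] = 'new';
        $q = $db->sql_query('SELECT user_id FROM ' . table_prefix . 'users WHERE username=\'' . $db->escape($parms['target_id']) . '\';');
        if ( !$q )
          return Array('mode' => 'error', 'error' => $db->get_error());
        if ( $db->numrows() < 1 )
          return Array('mode' => 'error', 'error' => 'The username you entered was not found.');
        $row = $db->fetchrow();
        $return['current_perms'] = $session->acl_types;
      }
      else
      {
        $return['type'] = 'edit';
        $row = $db->fetchrow();
        $return['current_perms'] = $session->acl_merge($session->acl_types, $session->string_to_perm($row['rules']));
      }
      $return['target_name'] = $return['target_id'];
      $return['target_id'] = intval($row['user_id']);
      $db->free_result();
      break;

    case ACL_TYPE_GROUP:
      $group_id = intval($parms['target_id']);
      $q = $db->sql_query('SELECT a.rules,g.group_name,g.group_id FROM ' . table_prefix . 'groups AS g
        LEFT JOIN ' . table_prefix . 'acl AS a
          ON a.target_id=g.group_id
        WHERE a.target_type=' . ACL_TYPE_GROUP . '
          AND g.group_id=\'' . $group_id . '\'
          ' . $page_where_clause . ';');
      if ( !$q )
        return Array('mode' => 'error', 'error' => $db->get_error());
      if ( $db->numrows() < 1 )
      {
        $return['type'] = 'new';
        $q = $db->sql_query('SELECT group_id,group_name FROM ' . table_prefix . 'groups WHERE group_id=\'' . $group_id . '\';');
        if ( !$q )
          return Array('mode' => 'error', 'error' => $db->get_error());
        if ( $db->numrows() < 1 )
          return Array('mode' => 'error', 'error' => 'The group ID you submitted is not valid.');
        $row = $db->fetchrow();
        $return['current_perms'] = $session->acl_types;
      }
      else
      {
        $return['type'] = 'edit';
        $row = $db->fetchrow();
        $return['current_perms'] = $session->acl_merge($session->acl_types, $session->string_to_perm($row['rules']));
      }
      $return['target_name'] = $row['group_name'];
      $return['target_id'] = intval($row['group_id']);
      $db->free_result();
      break;

    default:
      // (the previous version built this array without "=>", producing a malformed error response)
      return Array('mode' => 'error', 'error' => 'Invalid ACL type ID');
  }
  return PageUtils::acl_editor_filter_scope($return, $page_id, $namespace);
}

/**
 * Removes from a seltarget response the ACL types that do not apply to the page's namespace.
 * Site-wide edits (no page) and page-group edits (namespace '__PageGroup') keep every type.
 * @param array $return seltarget response carrying current_perms/acl_types/acl_descs/acl_deps
 * @param mixed $page_id page ID or false
 * @param mixed $namespace namespace or false
 * @return array
 */

function acl_editor_filter_scope($return, $page_id, $namespace)
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  if ( !$namespace || $namespace == '__PageGroup' )
    return $return;
  // loose comparison kept on purpose: this is the original's "$page_id != null" test
  if ( $page_id == null )
    return $return;
  foreach ( $return['current_perms'] as $type => $perm )
  {
    $scope = ( isset($session->acl_scope[$type]) ) ? $session->acl_scope[$type] : Array();
    if ( !in_array($namespace, $scope) && !in_array('All', $scope) )
    {
      // SCOPE CONTROL: this type is not meaningful in this namespace
      unset($return['current_perms'][$type]);
      unset($return['acl_types'][$type]);
      unset($return['acl_descs'][$type]);
      unset($return['acl_deps'][$type]);
    }
  }
  return $return;
}

/**
 * acl_editor() 'save_new' / 'save_edit' mode: replace the rule set for one target on the page
 * (or site-wide). The existing row is deleted and a fresh one inserted - not transactional.
 * Validation (including the empty-rules check) happens BEFORE the delete, so a bad request no
 * longer wipes the existing rules and then reports an error.
 * @param array $parms request parameters (target_type, target_id, target_name, perms)
 * @param mixed $page_id page ID or false for site-wide
 * @param mixed $namespace namespace or false for site-wide
 * @param string $page_where_clause_lite SQL fragment scoping the acl table (no alias) to the page
 * @return array
 */

function acl_editor_save($parms, $page_id, $namespace, $page_where_clause_lite)
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  if ( defined('ENANO_DEMO_MODE') )
    return Array('mode' => 'error', 'error' => 'Editing access control lists is disabled in the administration demo.');
  if ( !isset($parms['target_type']) || !isset($parms['target_id']) || !isset($parms['perms']) )
    return Array('mode' => 'error', 'error' => 'Missing target_type, target_id or perms');
  $target_type = intval($parms['target_type']);
  $target_id = intval($parms['target_id']);
  // seltarget only knows these two target types; do not store rules for anything else
  if ( $target_type != ACL_TYPE_USER && $target_type != ACL_TYPE_GROUP )
    return Array('mode' => 'error', 'error' => 'Invalid ACL type ID');
  // perm_to_string() produces the serialized string that string_to_perm() reads back from the
  // rules column; the previous sizeof() test on it could never be < 1 for a string.
  $rules = $session->perm_to_string($parms['perms']);
  if ( !is_string($rules) || strlen($rules) < 1 )
  {
    return Array(
      'mode' => 'error',
      'error' => 'Supplied rule list has a length of zero'
    );
  }
  $q = $db->sql_query('DELETE FROM ' . table_prefix . 'acl WHERE target_type=' . $target_type . ' AND target_id=' . $target_id . '
    ' . $page_where_clause_lite . ';');
  if ( !$q )
    return Array('mode' => 'error', 'error' => $db->get_error());
  if ( $page_id && $namespace )
  {
    $q = 'INSERT INTO ' . table_prefix . 'acl ( target_type, target_id, page_id, namespace, rules )
      VALUES( ' . $target_type . ', ' . $target_id . ', \'' . $db->escape($page_id) . '\', \'' . $db->escape($namespace) . '\', \'' . $db->escape($rules) . '\' )';
  }
  else
  {
    $q = 'INSERT INTO ' . table_prefix . 'acl ( target_type, target_id, rules )
      VALUES( ' . $target_type . ', ' . $target_id . ', \'' . $db->escape($rules) . '\' )';
  }
  if ( !$db->sql_query($q) )
    return Array('mode' => 'error', 'error' => $db->get_error());
  return Array(
    'mode' => 'success',
    'target_type' => $parms['target_type'],
    'target_id' => $parms['target_id'],
    'target_name' => ( isset($parms['target_name']) ) ? $parms['target_name'] : '',
    'page_id' => $page_id,
    'namespace' => $namespace,
  );
}

/**
 * acl_editor() 'delete' mode: remove the rule set for one target on the page (or site-wide).
 * @param array $parms request parameters (target_type, target_id, target_name)
 * @param mixed $page_id page ID or false for site-wide
 * @param mixed $namespace namespace or false for site-wide
 * @param string $page_where_clause_lite SQL fragment scoping the acl table (no alias) to the page
 * @return array
 */

function acl_editor_delete($parms, $page_id, $namespace, $page_where_clause_lite)
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  if ( defined('ENANO_DEMO_MODE') )
    return Array('mode' => 'error', 'error' => 'Editing access control lists is disabled in the administration demo.');
  if ( !isset($parms['target_type']) || !isset($parms['target_id']) )
    return Array('mode' => 'error', 'error' => 'Missing target_type or target_id');
  $q = $db->sql_query('DELETE FROM ' . table_prefix . 'acl WHERE target_type=' . intval($parms['target_type']) . ' AND target_id=' . intval($parms['target_id']) . '
    ' . $page_where_clause_lite . ';');
  if ( !$q )
    return Array('mode' => 'error', 'error' => $db->get_error());
  return Array(
    'mode' => 'delete',
    'target_type' => $parms['target_type'],
    'target_id' => $parms['target_id'],
    'target_name' => ( isset($parms['target_name']) ) ? $parms['target_name'] : '',
    'page_id' => $page_id,
    'namespace' => $namespace,
  );
}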
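/**
 * Same as PageUtils::acl_editor(), but the parms are a JSON string instead of an array. This also returns a JSON string.
 * A request that does not decode to a JSON object is answered with an encoded error response
 * instead of being handed to acl_editor() as a non-array.
 * @param string $parms Same as PageUtils::acl_editor/$parms, but should be a valid JSON string.
 * @return string
 */

function acl_json($parms = '{ }')
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  $json = new Services_JSON(SERVICES_JSON_LOOSE_TYPE);
  $decoded = $json->decode($parms);
  // In loose mode a JSON object decodes to an associative array; anything else (malformed input,
  // a bare scalar, a decode error object) must not reach acl_editor().
  if ( !is_array($decoded) )
  {
    return $json->encode(Array(
      'mode' => 'error',
      'error' => 'Invalid JSON request'
    ));
  }
  return $json->encode(PageUtils::acl_editor($decoded));
}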
/** |
|
1910 |
* A non-Javascript frontend for the ACL API. |
|
1911 |
* @param array The request data, if any, this should be in the format required by PageUtils::acl_editor() |
|
1912 |
*/ |
function aclmanager($parms) |
{ |
global $db, $session, $paths, $template, $plugins; // Common objects |
ob_start(); |
|
1918 |
// Convenience |
|
1919 |
$formstart = '<form |
|
1920 |
action="' . makeUrl($paths->page, 'do=aclmanager', true) . '" |
|
1921 |
method="post" enctype="multipart/form-data" |
|
1922 |
onsubmit="if(!submitAuthorized) return false;" |
|
1923 |
>'; |
|
1924 |
$formend = '</form>'; |
|
1925 |
$parms = PageUtils::acl_preprocess($parms); |
|
1926 |
$response = PageUtils::acl_editor($parms); |
|
1927 |
$response = PageUtils::acl_postprocess($response); |
|
1928 |
||
1929 |
//die('<pre>' . htmlspecialchars(print_r($response, true)) . '</pre>'); |
|
1930 |
||
1931 |
switch($response['mode']) |
|
1932 |
{ |
|
1933 |
case 'debug': |
|
1934 |
echo '<pre>' . htmlspecialchars($response['text']) . '</pre>'; |
|
1935 |
break; |
|
1936 |
case 'stage1': |
|
1937 |
echo '<h3>Manage page access</h3> |
|
1938 |
<p>Please select who should be affected by this access rule.</p>'; |
|
1939 |
echo $formstart; |
|
1940 |
echo '<p><label><input type="radio" name="data[target_type]" value="' . ACL_TYPE_GROUP . '" checked="checked" /> A usergroup</label></p> |
|
1941 |
<p><select name="data[target_id_grp]">'; |
|
1942 |
foreach ( $response['groups'] as $group ) |
|
1943 |
{ |
|
1944 |
echo '<option value="' . $group['id'] . '">' . $group['name'] . '</option>'; |
|
1945 |
} |
|
// page group selector |
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
parents:
102
diff
changeset
|
1947 |
$groupsel = ''; |
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
parents:
102
diff
changeset
|
1948 |
if ( count($response['page_groups']) > 0 ) |
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
parents:
102
diff
changeset
|
1949 |
{ |
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
parents:
102
diff
changeset
|
1950 |
$groupsel = '<p><label><input type="radio" name="data[scope]" value="page_group" /> A group of pages</label></p> |
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
parents:
102
diff
changeset
|
1951 |
<p><select name="data[pg_id]">'; |
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
parents:
102
diff
changeset
|
1952 |
foreach ( $response['page_groups'] as $grp ) |
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
parents:
102
diff
changeset
|
1953 |
{ |
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
parents:
102
diff
changeset
|
1954 |
$groupsel .= '<option value="' . $grp['id'] . '">' . htmlspecialchars($grp['name']) . '</option>'; |
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
parents:
102
diff
changeset
|
1955 |
} |
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
parents:
102
diff
changeset
|
1956 |
$groupsel .= '</select></p>'; |
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
parents:
102
diff
changeset
|
1957 |
} |
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
parents:
102
diff
changeset
|
1958 |
|
1 | 1959 |
echo '</select></p> |
1960 |
<p><label><input type="radio" name="data[target_type]" value="' . ACL_TYPE_USER . '" /> A specific user</label></p> |
|
1961 |
<p>' . $template->username_field('data[target_id_user]') . '</p> |
|
1962 |
<p>What should this access rule control?</p> |
|
1963 |
<p><label><input name="data[scope]" value="only_this" type="radio" checked="checked" /> Only this page</p> |
|
103
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
parents:
102
diff
changeset
|
1964 |
' . $groupsel . ' |
1 | 1965 |
<p><label><input name="data[scope]" value="entire_site" type="radio" /> The entire site</p> |
1966 |
<div style="margin: 0 auto 0 0; text-align: right;"> |
|
1967 |
<input name="data[mode]" value="seltarget" type="hidden" /> |
|
1968 |
<input type="hidden" name="data[page_id]" value="' . $paths->cpage['urlname_nons'] . '" /> |
|
1969 |
<input type="hidden" name="data[namespace]" value="' . $paths->namespace . '" /> |
|
1970 |
<input type="submit" value="Next >" /> |
|
1971 |
</div>'; |
|
1972 |
echo $formend; |
|
1973 |
break; |
|
1974 |
case 'success': |
|
1975 |
echo '<div class="info-box"> |
|
1976 |
<b>Permissions updated</b><br /> |
|
1977 |
The permissions for ' . $response['target_name'] . ' on this page have been updated successfully.<br /> |
|
1978 |
' . $formstart . ' |
|
1979 |
<input type="hidden" name="data[mode]" value="seltarget" /> |
|
1980 |
<input type="hidden" name="data[target_type]" value="' . $response['target_type'] . '" /> |
|
1981 |
<input type="hidden" name="data[target_id_user]" value="' . ( ( intval($response['target_type']) == ACL_TYPE_USER ) ? $response['target_name'] : $response['target_id'] ) .'" /> |
|
1982 |
<input type="hidden" name="data[target_id_grp]" value="' . ( ( intval($response['target_type']) == ACL_TYPE_USER ) ? $response['target_name'] : $response['target_id'] ) .'" /> |
|
1983 |
<input type="hidden" name="data[scope]" value="' . ( ( $response['page_id'] ) ? 'only_this' : 'entire_site' ) . '" /> |
|
1984 |
<input type="hidden" name="data[page_id]" value="' . ( ( $response['page_id'] ) ? $response['page_id'] : 'false' ) . '" /> |
|
1985 |
<input type="hidden" name="data[namespace]" value="' . ( ( $response['namespace'] ) ? $response['namespace'] : 'false' ) . '" /> |
|
1986 |
<input type="submit" value="Return to ACL editor" /> <input type="submit" name="data[act_go_stage1]" value="Return to user/scope selection" /> |
|
1987 |
' . $formend . ' |
|
1988 |
</div>'; |
|
1989 |
break; |
|
1990 |
case 'delete': |
|
1991 |
echo '<div class="info-box"> |
|
1992 |
<b>Rule deleted</b><br /> |
|
1993 |
The selected access rule has been successfully deleted.<br /> |
|
1994 |
' . $formstart . ' |
|
1995 |
<input type="hidden" name="data[mode]" value="seltarget" /> |
|
1996 |
<input type="hidden" name="data[target_type]" value="' . $response['target_type'] . '" /> |
|
1997 |
<input type="hidden" name="data[target_id_user]" value="' . ( ( intval($response['target_type']) == ACL_TYPE_USER ) ? $response['target_name'] : $response['target_id'] ) .'" /> |
|
1998 |
<input type="hidden" name="data[target_id_grp]" value="' . ( ( intval($response['target_type']) == ACL_TYPE_USER ) ? $response['target_name'] : $response['target_id'] ) .'" /> |
|
1999 |
<input type="hidden" name="data[scope]" value="' . ( ( $response['page_id'] ) ? 'only_this' : 'entire_site' ) . '" /> |
|
2000 |
<input type="hidden" name="data[page_id]" value="' . ( ( $response['page_id'] ) ? $response['page_id'] : 'false' ) . '" /> |
|
2001 |
<input type="hidden" name="data[namespace]" value="' . ( ( $response['namespace'] ) ? $response['namespace'] : 'false' ) . '" /> |
|
2002 |
<input type="submit" value="Return to ACL editor" /> <input type="submit" name="data[act_go_stage1]" value="Return to user/scope selection" /> |
|
2003 |
' . $formend . ' |
|
2004 |
</div>'; |
|
2005 |
break; |
|
2006 |
case 'seltarget': |
|
2007 |
if ( $response['type'] == 'edit' ) |
|
2008 |
{ |
|
2009 |
echo '<h3>Editing permissions</h3>'; |
|
2010 |
} |
|
2011 |
else |
|
2012 |
{ |
|
2013 |
echo '<h3>Create new rule</h3>'; |
|
2014 |
} |
|
2015 |
$type = ( $response['target_type'] == ACL_TYPE_GROUP ) ? 'group' : 'user'; |
|
103
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
parents:
102
diff
changeset
|
2016 |
$scope = ( $response['page_id'] ) ? ( $response['namespace'] == '__PageGroup' ? 'this group of pages' : 'this page' ) : 'this entire site'; |
1 | 2017 |
echo 'This panel allows you to edit what the '.$type.' "'.$response['target_name'].'" can do on <b>'.$scope.'</b>. Unless you set a permission to "Deny", these permissions may be overridden by other rules.'; |
2018 |
echo $formstart; |
|
2019 |
$parser = $template->makeParserText( $response['template']['acl_field_begin'] ); |
|
2020 |
echo $parser->run(); |
|
2021 |
$parser = $template->makeParserText( $response['template']['acl_field_item'] ); |
|
2022 |
$cls = 'row2'; |
|
2023 |
foreach ( $response['acl_types'] as $acl_type => $value ) |
|
2024 |
{ |
|
2025 |
$vars = Array( |
|
2026 |
'FIELD_DENY_CHECKED' => '', |
|
2027 |
'FIELD_DISALLOW_CHECKED' => '', |
|
2028 |
'FIELD_WIKIMODE_CHECKED' => '', |
|
2029 |
'FIELD_ALLOW_CHECKED' => '', |
|
2030 |
); |
|
2031 |
$cls = ( $cls == 'row1' ) ? 'row2' : 'row1'; |
|
2032 |
$vars['ROW_CLASS'] = $cls; |
|
2033 |
||
2034 |
switch ( $response['current_perms'][$acl_type] ) |
|
2035 |
{ |
|
2036 |
case AUTH_ALLOW: |
|
2037 |
$vars['FIELD_ALLOW_CHECKED'] = 'checked="checked"'; |
|
2038 |
break; |
|
2039 |
case AUTH_WIKIMODE: |
|
2040 |
$vars['FIELD_WIKIMODE_CHECKED'] = 'checked="checked"'; |
|
2041 |
break; |
|
2042 |
case AUTH_DISALLOW: |
|
2043 |
default: |
|
2044 |
$vars['FIELD_DISALLOW_CHECKED'] = 'checked="checked"'; |
|
2045 |
break; |
|
2046 |
case AUTH_DENY: |
|
2047 |
$vars['FIELD_DENY_CHECKED'] = 'checked="checked"'; |
|
2048 |
break; |
|
2049 |
} |
|
2050 |
$vars['FIELD_NAME'] = 'data[perms][' . $acl_type . ']'; |
|
2051 |
$vars['FIELD_DESC'] = $response['acl_descs'][$acl_type]; |
|
2052 |
$parser->assign_vars($vars); |
|
2053 |
echo $parser->run(); |
|
2054 |
} |
|
2055 |
$parser = $template->makeParserText( $response['template']['acl_field_end'] ); |
|
2056 |
echo $parser->run(); |
|
2057 |
echo '<div style="margin: 10px auto 0 0; text-align: right;"> |
|
2058 |
<input name="data[mode]" value="save_' . $response['type'] . '" type="hidden" /> |
|
2059 |
<input type="hidden" name="data[page_id]" value="' . (( $response['page_id'] ) ? $response['page_id'] : 'false') . '" /> |
|
2060 |
<input type="hidden" name="data[namespace]" value="' . (( $response['namespace'] ) ? $response['namespace'] : 'false') . '" /> |
|
2061 |
<input type="hidden" name="data[target_type]" value="' . $response['target_type'] . '" /> |
|
2062 |
<input type="hidden" name="data[target_id]" value="' . $response['target_id'] . '" /> |
|
2063 |
<input type="hidden" name="data[target_name]" value="' . $response['target_name'] . '" /> |
|
103
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
parents:
102
diff
changeset
|
2064 |
' . ( ( $response['type'] == 'edit' ) ? '<input type="submit" value="Save changes" /> <input type="submit" name="data[act_delete_rule]" value="Delete rule" style="color: #AA0000;" onclick="return confirm(\'Do you really want to delete this ACL rule?\');" />' : '<input type="submit" value="Create rule" />' ) . ' |
1 | 2065 |
</div>'; |
2066 |
echo $formend; |
|
2067 |
break; |
|
2068 |
case 'error': |
|
2069 |
ob_end_clean(); |
|
2070 |
die_friendly('Error occurred', '<p>Error returned by permissions API:</p><pre>' . htmlspecialchars($response['error']) . '</pre>'); |
|
2071 |
break; |
|
2072 |
} |
|
2073 |
$ret = ob_get_contents(); |
|
2074 |
ob_end_clean(); |
|
2075 |
echo |
|
2076 |
$template->getHeader() . |
|
2077 |
$ret . |
|
2078 |
$template->getFooter(); |
|
2079 |
} |
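/**
 * Preprocessor to turn the form-submitted data from the ACL editor into something the backend can handle
 *
 * Resolves the chosen target (user or group) into target_id, folds the
 * "Delete rule" button into its own mode, and translates the scope radio
 * buttons into the page_id / namespace pair acl_editor() expects. Fields the
 * form did not send are read as absent rather than raising undefined-index
 * notices. A "Return to user/scope selection" click discards everything else
 * and restarts at the group list.
 * @param array The posted data
 * @return array
 * @access private
 */

function acl_preprocess($parms)
{
  if ( !isset($parms['mode']) )
  {
    // Nothing to do
    return $parms;
  }
  switch ( $parms['mode'] )
  {
    case 'seltarget':
      // Who's affected? The id comes from whichever selector matches the chosen type.
      $parms['target_type'] = isset($parms['target_type']) ? intval($parms['target_type']) : 0;
      if ( $parms['target_type'] == ACL_TYPE_GROUP )
      {
        $parms['target_id'] = isset($parms['target_id_grp']) ? $parms['target_id_grp'] : null;
      }
      else
      {
        $parms['target_id'] = isset($parms['target_id_user']) ? $parms['target_id_user'] : null;
      }
      // no break: selecting a target also submits the scope fields handled below
    case 'save_edit':
    case 'save_new':
      if ( isset($parms['act_delete_rule']) )
      {
        $parms['mode'] = 'delete';
      }
      
      // Scope (just this page, a page group, or the entire site?)
      $scope = isset($parms['scope']) ? $parms['scope'] : null;
      $page_id = isset($parms['page_id']) ? $parms['page_id'] : null;
      $namespace = isset($parms['namespace']) ? $parms['namespace'] : null;
      if ( $scope === 'page_group' )
      {
        // Checked before the 'false' fallback: an explicit page group choice
        // must win even when the hidden page fields carry no page.
        $parms['page_id'] = isset($parms['pg_id']) ? $parms['pg_id'] : null;
        $parms['namespace'] = '__PageGroup';
      }
      else if ( $scope === 'entire_site' || ( $page_id === 'false' && $namespace === 'false' ) )
      {
        // The form encodes "no page" as the literal string 'false'
        $parms['page_id'] = false;
        $parms['namespace'] = false;
      }
      break;
  }
  
  if ( isset($parms['act_go_stage1']) )
  {
    $parms = array(
      'mode' => 'listgroups'
    );
  }
  
  return $parms;
}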
/**
 * Postprocessor for replies from PageUtils::acl_editor()
 *
 * The backend omits 'mode' in its initial reply (the list of groups); this
 * fills in 'stage1' for that case and turns any other mode-less reply into an
 * error response so aclmanager() always has a mode to switch on.
 * @param array The response returned by the API backend
 * @return array
 * @access private
 */

function acl_postprocess($response)
{
  if ( isset($response['mode']) )
  {
    // Backend already said what to render
    return $response;
  }
  if ( !isset($response['groups']) )
  {
    return Array(
      'mode' => 'error',
      'error' => 'Invalid action passed by API backend.',
    );
  }
  $response['mode'] = 'stage1';
  return $response;
}
} |
?> |