plugins/PrivateMessages.php
changeset 343 7e6537fd4730
parent 318 eec2dfd2f0a3
342:a78b0798a116 343:7e6537fd4730
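--- a/plugins/PrivateMessages.php
+++ b/plugins/PrivateMessages.php
@@ -94,10 +94,11 @@
       $db->free_result();
       if(!$q) $db->_die('The message was not successfully moved.');
       die_friendly('Message status', '<p>Your message has been moved to the folder "'.$fname.'".</p><p><a href="'.makeUrlNS('Special', 'PrivateMessages/Folder/Inbox').'">Return to inbox</a></p>');
       break;
     case 'Delete':
+    	csrf_request_confirm();
       $id = $argv[1];
       if(!preg_match('#^([0-9]+)$#', $id)) die_friendly('Message error', '<p>Invalid message ID</p>');
       $q = $db->sql_query('SELECT message_to FROM '.table_prefix.'privmsgs WHERE message_id='.$id.'');
       if(!$q) $db->_die('The message data could not be selected.');
       $r = $db->fetchrow();
@@ -109,10 +110,11 @@
       break;
     case 'Compose':
       if($argv[1]=='Send' && isset($_POST['_send']))
       {
         // Check each POST DATA parameter...
+        csrf_request_confirm();
         if(!isset($_POST['to']) || ( isset($_POST['to']) && $_POST['to'] == '')) die_friendly('Sending of message failed', '<p>Please enter the username to which you want to send your message.</p>');
         if(!isset($_POST['subject']) || ( isset($_POST['subject']) && $_POST['subject'] == '')) die_friendly('Sending of message failed', '<p>Please enter a subject for your message.</p>');
         if(!isset($_POST['message']) || ( isset($_POST['message']) && $_POST['message'] == '')) die_friendly('Sending of message failed', '<p>Please enter a message to send.</p>');
         $namelist = $_POST['to'];
         $namelist = str_replace(', ', ',', $namelist);
@@ -131,10 +133,11 @@
         if(!$result) $db->_die('The message could not be sent.');
         else die_friendly('Message status', '<p>Your message has been sent. You may edit the message if you wish; one copy for each recipient will be in your outbox until each recipient has read it. Return to your <a href="'.makeUrlNS('Special', 'PrivateMessages/Folder/Inbox').'">inbox</a>.</p>');
         return;
       } elseif($argv[1]=='Send' && isset($_POST['_savedraft'])) {
         // Check each POST DATA parameter...
+        csrf_request_confirm();
         if(!isset($_POST['to']) || ( isset($_POST['to']) && $_POST['to'] == '')) die_friendly('Sending of message failed', '<p>Please enter the username to which you want to send your message.</p>');
         if(!isset($_POST['subject']) || ( isset($_POST['subject']) && $_POST['subject'] == '')) die_friendly('Sending of message failed', '<p>Please enter a subject for your message.</p>');
         if(!isset($_POST['message']) || ( isset($_POST['message']) && $_POST['message'] == '')) die_friendly('Sending of message failed', '<p>Please enter a message to send.</p>');
         $namelist = $_POST['to'];
         $namelist = str_replace(', ', ',', $namelist);
@@ -190,15 +193,16 @@
         echo '<form action="'.makeUrlNS('Special', 'PrivateMessages/Compose/Send').'" method="post" onsubmit="if(!submitAuthorized) return false;">';
         ?>
         <br />
         <div class="tblholder"><table border="0" width="100%" cellspacing="1" cellpadding="4">
           <tr><th colspan="2">Compose new private message</th></tr>
-          <tr><td class="row1">To:<br /><small>Separate multiple names with a single comma; you<br />can send this message to up to <b><?php echo (string)MAX_PMS_PER_BATCH; ?></b> users.</small></td><td class="row1"><?php echo $template->username_field('to', (isset($_POST['_savedraft'])) ? $_POST['to'] : $to ); ?></td></tr>
-          <tr><td class="row2">Subject:</td><td class="row2"><input name="subject" type="text" size="30" value="<?php if(isset($_POST['_savedraft'])) echo $_POST['subject']; else echo $subj; ?>" /></td></tr>
-          <tr><td class="row1">Message:</td><td class="row1" style="min-width: 80%;"><textarea rows="20" cols="40" name="message" style="width: 100%;"><?php if(isset($_POST['_savedraft'])) echo $_POST['message']; else echo $text; ?></textarea></td></tr>
+          <tr><td class="row1">To:<br /><small>Separate multiple names with a single comma; you<br />can send this message to up to <b><?php echo (string)MAX_PMS_PER_BATCH; ?></b> users.</small></td><td class="row1"><?php echo $template->username_field('to', (isset($_POST['_savedraft'])) ? htmlspecialchars($_POST['to']) : $to ); ?></td></tr>
+          <tr><td class="row2">Subject:</td><td class="row2"><input name="subject" type="text" size="30" value="<?php if(isset($_POST['_savedraft'])) echo htmlspecialchars($_POST['subject']); else echo $subj; ?>" /></td></tr>
+          <tr><td class="row1">Message:</td><td class="row1" style="min-width: 80%;"><textarea rows="20" cols="40" name="message" style="width: 100%;"><?php if(isset($_POST['_savedraft'])) echo htmlspecialchars($_POST['message']); else echo $text; ?></textarea></td></tr>
           <tr><th colspan="2"><input type="submit" name="_send" value="Send message" />  <input type="submit" name="_savedraft" value="Save as draft" /> <input type="submit" name="_inbox" value="Back to Inbox" /></th></tr>
         </table></div>
+        <input type="hidden" name="cstok" value="<?php echo $session->csrf_token; ?>" />
         <?php
         echo '</form>';
         $template->footer();
       break;
     case 'Edit':
@@ -212,10 +216,11 @@
       $fname = $argv[2];
       
       if(isset($_POST['_send']))
       {
         // Check each POST DATA parameter...
+        csrf_request_confirm();
         if(!isset($_POST['to']) || ( isset($_POST['to']) && $_POST['to'] == '')) die_friendly('Sending of message failed', '<p>Please enter the username to which you want to send your message.</p>');
         if(!isset($_POST['subject']) || ( isset($_POST['subject']) && $_POST['subject'] == '')) die_friendly('Sending of message failed', '<p>Please enter a subject for your message.</p>');
         if(!isset($_POST['message']) || ( isset($_POST['message']) && $_POST['message'] == '')) die_friendly('Sending of message failed', '<p>Please enter a message to send.</p>');
         $namelist = $_POST['to'];
         $namelist = str_replace(', ', ',', $namelist);
@@ -229,10 +234,11 @@
         if(!$result) $db->_die('The message could not be sent.');
         else die_friendly('Message status', '<p>Your message has been sent. You may edit the message if you wish; one copy for each recipient will be in your outbox until each recipient has read it. Return to your <a href="'.makeUrlNS('Special', 'PrivateMessages/Folder/Inbox').'">inbox</a>.</p>');
         return;
       } elseif(isset($_POST['_savedraft'])) {
         // Check each POST DATA parameter...
+        csrf_request_confirm();
         if(!isset($_POST['to']) || ( isset($_POST['to']) && $_POST['to'] == '')) die_friendly('Sending of message failed', '<p>Please enter the username to which you want to send your message.</p>');
         if(!isset($_POST['subject']) || ( isset($_POST['subject']) && $_POST['subject'] == '')) die_friendly('Sending of message failed', '<p>Please enter a subject for your message.</p>');
         if(!isset($_POST['message']) || ( isset($_POST['message']) && $_POST['message'] == '')) die_friendly('Sending of message failed', '<p>Please enter a message to send.</p>');
         $namelist = $_POST['to'];
         $namelist = str_replace(', ', ',', $namelist);
@@ -249,10 +255,11 @@
         else $to = '';
         $template->header();
         userprefs_show_menu();
         echo '<form action="'.makeUrlNS('Special', 'PrivateMessages/Edit/'.$id).'" method="post">';
         ?>
+        <input type="hidden" name="cstok" value="<?php echo $session->csrf_token; ?>" />
         <br />
         <div class="tblholder"><table border="0" width="100%" cellspacing="1" cellpadding="4">
           <tr><th colspan="2">Edit draft</th></tr>
           <tr><td class="row1">To:<br /><small>Separate multiple names with a single comma</small></td><td class="row1"><input name="to" type="text" size="30" value="<?php if(isset($_POST['_savedraft'])) echo $_POST['to']; else echo $r['message_to']; ?>" /></td></tr>
           <tr><td class="row2">Subject:</td><td class="row2"><input name="subject" type="text" size="30" value="<?php if(isset($_POST['_savedraft'])) echo $_POST['subject']; else echo $r['subject']; ?>" /></td></tr>
@@ -315,10 +322,11 @@
           if($argv[1] == 'Drafts' || $argv[1] == 'Outbox') $act = 'Edit';
           else $act = 'View';
           if(!$q) $db->_die('The private message data could not be selected.');
           echo '<form action="'.makeUrlNS('Special', 'PrivateMessages/PostHandler').'" method="post"><div class="tblholder"><table border="0" width="100%" cellspacing="1" cellpadding="4"><tr><th colspan="4" style="text-align: left;">Folder: '.$argv[1].'</th></tr><tr><th class="subhead">';
           if($fname == 'drafts' || $fname == 'Outbox') echo 'To'; else echo 'From';
+          ?><input type="hidden" name="cstok" value="<?php echo $session->csrf_token; ?>" /><?php
           echo '</th><th class="subhead">Subject</th><th class="subhead">Date</th><th class="subhead">Mark</th></tr>';
           if($db->numrows() < 1)
             echo '<tr><td style="text-align: center;" class="row1" colspan="4">No messages in this folder.</td></tr>';
           else {
             $cls = 'row2';
@@ -349,16 +357,20 @@
       break;
     case 'PostHandler':
       $fname = $db->escape(strtolower($_POST['folder']));
       if($fname=='drafts' || $fname=='outbox')
       {
-        $q = $db->sql_query('SELECT p.message_id, p.message_from, p.message_to, p.date, p.subject FROM '.table_prefix.'privmsgs AS p WHERE p.folder_name=\''.$fname.'\' AND p.message_from=\''.$session->username.'\' ORDER BY date DESC;');  
+      	$fname = $fname == 'outbox' ? 'inbox' : $fname;
+      	$readsnip = $fname == 'inbox' ? ' AND message_read = 0' : '';
+        $q = $db->sql_query('SELECT p.message_id, p.message_from, p.message_to, p.date, p.subject FROM '.table_prefix.'privmsgs AS p WHERE p.folder_name=\''.$fname.'\' AND p.message_from=\''.$session->username.'\'' . $readsnip . ' ORDER BY date DESC;');
       } else {
         $q = $db->sql_query('SELECT p.message_id, p.message_from, p.message_to, p.date, p.subject FROM '.table_prefix.'privmsgs AS p WHERE p.folder_name=\''.$fname.'\' AND p.message_to=\''.$session->username.'\' ORDER BY date DESC;');
       }
       if(!$q) $db->_die('The private message data could not be selected.');
-          
+      
+      csrf_request_confirm();
+      
       if(isset($_POST['archive'])) {
         while($row = $db->fetchrow($q))
         {
           if(isset($_POST['marked_'.$row['message_id']]))
           {
@@ -371,11 +383,11 @@
         while($row = $db->fetchrow($q))
         {
           if(isset($_POST['marked_'.$row['message_id']]))
           {
             $e = $db->sql_query('DELETE FROM '.table_prefix.'privmsgs WHERE message_id='.$row['message_id'].';');
-            if(!$e) $db->_die('Message '.$row['message_id'].' was not successfully moved.');
+            if(!$e) $db->_die('Message '.$row['message_id'].' was not successfully removed.');
             $db->free_result();
           }
         }
       } elseif(isset($_POST['deleteall'])) {
         while($row = $db->fetchrow($q))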
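Review bot: In the PostHandler case the new `csrf_request_confirm();` (new line 370) is reached only after `$_POST['folder']` has been consumed and the SELECT at new lines 364/366 has already run, so a forged request still drives a database query before it is rejected; place the call at the top of the case, immediately after `case 'PostHandler':`, so no request-controlled value is used before the token is verified, as the Delete, Compose and Edit cases in this same commit already do. The escaping added to the Compose form (new lines 198-200) is not carried over to the Edit form at new lines 264-265, which still echo `$_POST['to']`, `$_POST['subject']`, `$r['message_to']` and `$r['subject']` unescaped inside double-quoted `value` attributes; wrapping each in `htmlspecialchars(...)` in the same way, e.g. `value="<?php if(isset($_POST['_savedraft'])) echo htmlspecialchars($_POST['to']); else echo htmlspecialchars($r['message_to']); ?>"`, would make the fix consistent. I have assumed `csrf_request_confirm()` terminates the request on a bad token, as its name and placement suggest; that function is not visible here. The `switch` containing these cases begins and ends outside the shown hunks.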