author | Dan |
Sun, 02 Dec 2007 16:00:10 -0500 | |
changeset 304 | e2cb5f1432c8 |
parent 271 | f088805540ae |
parent 285 | 7846d45bd250 |
child 326 | ab66d6d1f1f4 |
permissions | -rw-r--r-- |
<?php |
/*
 * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between
 * Version 1.1.1
 * Copyright (C) 2006-2007 Dan Fuhry
 * pageutils.php - a class that handles raw page manipulations, used mostly by AJAX requests or their old-fashioned form-based counterparts
 *
 * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied
 * warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for details.
 */
class PageUtils { |
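/**
 * Tell if a username is used or not.
 *
 * Underscores in $name are treated as spaces (the page-URL form of a
 * username) and the value is URL-decoded before the lookup, so a name
 * taken straight from a URL segment can be passed in.
 *
 * @param string $name the name to check for
 * @return string 'good' if no account uses the name, 'bad' if one does
 */

function checkusername($name)
{
  global $db, $session, $paths, $template, $plugins; // Common objects

  // Page-URL form uses underscores where the stored username has spaces.
  $name = str_replace('_', ' ', $name);
  $name = $db->escape(rawurldecode($name));

  $q = $db->sql_query('SELECT username FROM ' . table_prefix . 'users WHERE username=\'' . $name . '\'');
  if ( !$q )
  {
    // Report query failures through the DB layer like the rest of this
    // class does, instead of die(mysql_error()): that hard-coded one driver
    // and printed the raw driver error text to the client.
    $db->_die('The username lookup query failed.');
  }

  $is_free = ( $db->numrows() < 1 );
  $db->free_result();

  return $is_free ? 'good' : 'bad';
}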
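/**
 * Get the wiki formatting source for a page
 *
 * @param string $page the full page id (Namespace:Pagename)
 * @param string|bool $password sha1 of the page password, or false when none is supplied
 * @return string the HTML-escaped page source; '' if the page is unknown or has no
 *                stored text; 'invalid_password' if the page is password-protected and
 *                $password does not match; 'access_denied' if the session lacks view_source
 */

function getsource($page, $password = false)
{
  global $db, $session, $paths, $template, $plugins; // Common objects

  if ( !isset($paths->pages[$page]) )
  {
    return '';
  }

  // A 40-character value in the password slot is a sha1 hash, i.e. the page is protected.
  if ( strlen($paths->pages[$page]['password']) == 40 )
  {
    // Strict comparison: with != PHP compares two numeric-looking strings as
    // numbers, so a stored hash of the form "0e<digits>" would compare equal
    // to any supplied value that evaluates to zero.
    if ( !$password || ( $password !== $paths->pages[$page]['password'] ) )
    {
      return 'invalid_password';
    }
  }

  if ( !$session->get_permissions('view_source') ) // Dependencies handle this for us - this also checks for read privileges
  {
    return 'access_denied';
  }

  $pid = RenderMan::strToPageID($page);
  if ( $pid[1] == 'Special' || $pid[1] == 'Admin' )
  {
    die('This type of page (' . $paths->nslist[$pid[1]] . ') cannot be edited because the page source code is not stored in the database.');
  }

  // Both halves of the page ID derive from the caller-supplied string, so they
  // are escaped like every other value spliced into SQL in this class.
  $e = $db->sql_query('SELECT page_text,char_tag FROM ' . table_prefix . 'page_text WHERE page_id=\'' . $db->escape($pid[0]) . '\' AND namespace=\'' . $db->escape($pid[1]) . '\'');
  if ( !$e )
  {
    $db->_die('The page text could not be selected.');
  }
  if ( $db->numrows() < 1 )
  {
    return '';
  }

  $r = $db->fetchrow();
  $db->free_result();

  return htmlspecialchars($r['page_text']);
}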
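/**
 * Basically a frontend to RenderMan::getPage(), with the ability to send valid data for nonexistent pages
 *
 * Deprecated: this method terminates the request with the message below on
 * its first statement. The rendering code that used to follow (access checks,
 * plugin hooks run through eval(), page text evaluated as PHP) was unreachable
 * and has been removed; the parameters are kept so existing call sites still
 * parse.
 *
 * @param string $page the full page id (Namespace:Pagename)
 * @param bool $send_headers true if the theme headers should be sent (still dependent on current page settings), false otherwise
 * @param int|bool $hist_id log time_id of an archived revision to show, or false
 * @return string never returns; the request is terminated
 */

function getpage($page, $send_headers = false, $hist_id = false)
{
  die('PageUtils->getpage is deprecated.');
}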
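/**
 * Writes page data to the database, after verifying permissions and running the XSS filter
 *
 * @param string $page_id the page ID (URL name without the namespace prefix)
 * @param string $namespace the namespace
 * @param string $message the text to save
 * @param string $summary edit summary stored with the history entry
 * @param bool $minor true to flag the edit as minor
 * @return string 'good' on success, otherwise a human-readable error message
 */

function savepage($page_id, $namespace, $message, $summary = 'No edit summary given', $minor = false)
{
  global $db, $session, $paths, $template, $plugins; // Common objects

  // char_tag written to both the log row and the page_text row for this save
  $uid = sha1(microtime());
  $pname = $paths->nslist[$namespace] . $page_id;

  if ( !$session->get_permissions('edit_page') )
  {
    return 'Access to edit pages is denied.';
  }

  if ( !isset($paths->pages[$pname]) )
  {
    $create = PageUtils::createPage($page_id, $namespace);
    if ( $create != 'good' )
    {
      return 'The page did not exist, and I was not able to create it. The reported error was: ' . $create;
    }
    $paths->page_exists = true;
  }

  // Check page protection
  $is_protected = false;
  $page_data =& $paths->pages[$pname];
  // Is the protection semi?
  if ( $page_data['protected'] == 2 )
  {
    $is_protected = true;
    // Page is semi-protected. Has the user been here for at least 4 days?
    // 345600 seconds = 4 days
    if ( $session->user_logged_in && ( $session->reg_time + 345600 ) <= time() )
    {
      $is_protected = false;
    }
  }
  // Is the protection full?
  else if ( $page_data['protected'] == 1 )
  {
    $is_protected = true;
  }

  // If it's protected and we DON'T have even_when_protected rights, bail out
  if ( $is_protected && !$session->get_permissions('even_when_protected') )
  {
    return 'You don\'t have the necessary permissions to edit this page.';
  }

  // We're skipping the wiki mode check here because by default edit_page pemissions are AUTH_WIKIMODE.
  // The exception here is the user's own userpage, which is overridden at the time of account creation.
  // At that point it's set to AUTH_ALLOW, but obviously only for the user's own userpage.

  // Strip potentially harmful tags and PHP from the message, dependent upon permissions settings
  $message = RenderMan::preprocess_text($message, false, false);

  $msg = $db->escape($message);
  $minor = $minor ? 'true' : 'false';

  // Every value spliced into the two statements below is escaped. The page
  // identifiers and the author name were previously interpolated raw, and the
  // history row is keyed on the page being saved ($page_id/$namespace, the same
  // key the UPDATE uses) rather than on the page of the current request
  // ($paths->cpage), so both rows always describe the same page.
  $page_id_esc = $db->escape($page_id);
  $namespace_esc = $db->escape($namespace);
  $author_esc = $db->escape($session->username);
  $summary_esc = $db->escape(htmlspecialchars($summary));

  $q = 'INSERT INTO ' . table_prefix . 'logs(log_type,action,time_id,date_string,page_id,namespace,page_text,char_tag,author,edit_summary,minor_edit) VALUES(\'page\', \'edit\', ' . time() . ', \'' . date('d M Y h:i a') . '\', \'' . $page_id_esc . '\', \'' . $namespace_esc . '\', \'' . $msg . '\', \'' . $uid . '\', \'' . $author_esc . '\', \'' . $summary_esc . '\', ' . $minor . ');';
  if ( !$db->sql_query($q) )
  {
    $db->_die('The history (log) entry could not be inserted into the logs table.');
  }

  $q = 'UPDATE ' . table_prefix . 'page_text SET page_text=\'' . $msg . '\',char_tag=\'' . $uid . '\' WHERE page_id=\'' . $page_id_esc . '\' AND namespace=\'' . $namespace_esc . '\';';
  if ( !$db->sql_query($q) )
  {
    $db->_die('Enano was unable to save the page contents. Your changes have been lost <tt>:\'(</tt>.');
  }

  $paths->rebuild_page_index($page_id, $namespace);

  return 'good';
}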
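/**
 * Creates a page, both in the in-memory page index ($paths->pages) and in the database.
 *
 * The checks run in the order shown below, so callers that compare against a
 * specific error string keep getting the same one as before.
 *
 * @param string $page_id   URL name of the page; it is passed through dirtify_page_id()
 *                          and then sanitize_page_id() before being stored
 * @param string $namespace namespace key; must be a key of $paths->nslist and must not
 *                          be 'Special' or 'Admin'
 * @param string|bool $name display title; false derives it from $page_id ('_' becomes ' ')
 * @param int|bool $visible whether the page is listed; stored as 1 or 0
 * @return string 'good' on success; otherwise a human-readable error message, or the
 *                database error text when one of the INSERTs fails
 */
function createPage($page_id, $namespace, $name = false, $visible = 1)
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  
  // Special and Admin pages are served from code, never from the pages table
  if ( in_array($namespace, Array('Special', 'Admin')) )
  {
    return 'You can\'t create a special page in the database';
  }
  
  if ( !isset($paths->nslist[$namespace]) )
  {
    return 'Couldn\'t look up the namespace';
  }
  
  $pname = $paths->nslist[$namespace] . $page_id;
  if ( isset($paths->pages[$pname]) )
  {
    return 'Page already exists';
  }
  
  if ( !$session->get_permissions('create_page') )
  {
    return 'Not authorized to create pages';
  }
  
  // System messages may only be created by administrators
  if ( $session->user_level < USER_LEVEL_ADMIN && $namespace == 'System' )
  {
    return 'Not authorized to create system messages';
  }
  
  // "Project:" is a parser shortcut, so a page carrying that prefix could never be linked to
  if ( substr($page_id, 0, 8) == 'Project:' )
  {
    return 'The prefix "Project:" is reserved for a parser shortcut; if a page was created using this prefix, it would not be possible to link to it.';
  }
  
  $page_id = dirtify_page_id($page_id);
  
  if ( !$name )
  {
    $name = str_replace('_', ' ', $page_id);
  }
  
  // NOTE(review): $page is never assigned in this method, so preg_match() receives an
  // undefined value and this check cannot reject anything. The intended subject is
  // presumably $name or $page_id - confirm which before pointing it at either, since
  // doing so would start rejecting titles that are currently accepted.
  $regex = '#^([A-z0-9 _\-\.\/\!\@\(\)]*)$#is';
  if ( !preg_match($regex, $page) )
  {
    return 'Name contains invalid characters';
  }
  
  $page_id = sanitize_page_id($page_id);
  
  // System pages start out fully protected
  $prot = ( $namespace == 'System' ) ? 1 : 0;
  // Normalise once so the in-memory entry and the database row agree
  $visible = ( $visible ) ? 1 : 0;
  
  // Empty deletion-vote record; the delvote_ips column holds a serialized array
  $ips = array(
      'ip' => array(),
      'u' => array()
    );
  
  $page_data = Array(
      'name' => $name,
      'urlname' => $page_id,
      'namespace' => $namespace,
      'special' => 0,
      'visible' => $visible,   // was hard-coded to 1 while the INSERT below used $visible
      'comments_on' => 0,
      'protected' => $prot,
      'delvotes' => 0,
      'delvote_ips' => serialize($ips),
      'wiki_mode' => 2,
    );
  
  // The in-memory index is updated before the rows are written; a failed INSERT
  // therefore leaves this entry in $paths->pages for the rest of the request.
  $paths->add_page($page_data);
  
  // Only a key of $paths->nslist reaches this point, so $namespace is interpolated
  // as-is; every caller-supplied string goes through $db->escape().
  $qa = $db->sql_query('INSERT INTO ' . table_prefix . 'pages(name,urlname,namespace,visible,protected,delvote_ips) VALUES(\'' . $db->escape($name) . '\', \'' . $db->escape($page_id) . '\', \'' . $namespace . '\', ' . $visible . ', ' . $prot . ', \'' . $db->escape(serialize($ips)) . '\');');
  $qb = $db->sql_query('INSERT INTO ' . table_prefix . 'page_text(page_id,namespace) VALUES(\'' . $db->escape($page_id) . '\', \'' . $namespace . '\');');
  $qc = $db->sql_query('INSERT INTO ' . table_prefix . 'logs(time_id,date_string,log_type,action,author,page_id,namespace) VALUES(' . time() . ', \'' . date('d M Y h:i a') . '\', \'page\', \'create\', \'' . $db->escape($session->username) . '\', \'' . $db->escape($page_id) . '\', \'' . $namespace . '\');');
  
  if ( $qa && $qb && $qc )
  {
    return 'good';
  }
  
  return $db->get_error();
}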
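/**
 * Sets the protection level on a page.
 *
 * Writes a log row describing the change and then updates the pages table. Protection
 * only has an effect when the page (or the whole site) is in wiki mode, so the call is
 * refused otherwise.
 *
 * @param string $page_id   the page ID (URL name)
 * @param string $namespace the namespace; must be a key of $paths->nslist
 * @param int $level        level of protection - 0 is off, 1 is full, 2 is semi
 * @param string $reason    why the page is being (un)protected; HTML-escaped before logging
 * @return string "good" on success, in all other cases an error string (on query failure, calls $db->_die())
 */
function protect($page_id, $namespace, $level, $reason)
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  
  if ( !$session->get_permissions('protect') )
  {
    return('Insufficient access rights');
  }
  
  if ( !isset($paths->nslist[$namespace]) )
  {
    return 'Couldn\'t look up the namespace';
  }
  
  $pname = $paths->nslist[$namespace] . $page_id;
  if ( !isset($paths->pages[$pname]) )
  {
    return 'Page does not exist';
  }
  $page_info = $paths->pages[$pname];
  
  // Per-page wiki mode 1 forces it on; 2 defers to the site-wide setting
  $wiki = ( ( $page_info['wiki_mode'] == 2 && getConfig('wiki_mode') == '1' ) || $page_info['wiki_mode'] == 1 );
  if ( !$wiki )
  {
    return('Page protection only has an effect when Wiki Mode is enabled.');
  }
  
  // $level is interpolated into SQL below, so accept digits only
  if ( !preg_match('#^([0-9]+){1}$#', (string)$level) )
  {
    return('Invalid $level parameter.');
  }
  $level = intval($level);
  
  // Log action name recorded for each protection level
  $actions = Array(
      0 => 'unprot',
      1 => 'prot',
      2 => 'semiprot'
    );
  if ( !isset($actions[$level]) )
  {
    return 'PageUtils::protect(): Invalid value for $level';
  }
  $action = $actions[$level];
  
  // Escape the caller-supplied identifiers once and reuse them in both statements
  $page_id_db = $db->escape($page_id);
  $namespace_db = $db->escape($namespace);
  
  $q = 'INSERT INTO ' . table_prefix . 'logs(time_id,date_string,log_type,action,author,page_id,namespace,edit_summary) VALUES(' . time() . ', \'' . date('d M Y h:i a') . '\', \'page\', \'' . $action . '\', \'' . $db->escape($session->username) . '\', \'' . $page_id_db . '\', \'' . $namespace_db . '\', \'' . $db->escape(htmlspecialchars($reason)) . '\');';
  if ( !$db->sql_query($q) )
  {
    $db->_die('The log entry for the page protection could not be inserted.');
  }
  
  $q = $db->sql_query('UPDATE ' . table_prefix . 'pages SET protected=' . $level . ' WHERE urlname=\'' . $page_id_db . '\' AND namespace=\'' . $namespace_db . '\';');
  if ( !$q )
  {
    $db->_die('The pages table was not updated.');
  }
  
  // NOTE(review): the in-memory entry $paths->pages[$pname]['protected'] is not refreshed
  // here, so code later in the same request still sees the previous level.
  return('good');
}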
/** |
* Generates an HTML table with history information in it. |
* @param $page_id the page ID |
* @param $namespace the namespace |
* @return string |
*/ |
function histlist($page_id, $namespace) |
{ |
global $db, $session, $paths, $template, $plugins; // Common objects |
global $lang; |
if(!$session->get_permissions('history_view')) |
return 'Access denied'; |
ob_start(); |
$pname = $paths->nslist[$namespace] . $page_id; |
$wiki = ( ( $paths->pages[$pname]['wiki_mode'] == 2 && getConfig('wiki_mode') == '1') || $paths->pages[$pname]['wiki_mode'] == 1) ? true : false; |
$prot = ( ( $paths->pages[$pname]['protected'] == 2 && $session->user_logged_in && $session->reg_time + 60*60*24*4 < time() ) || $paths->pages[$pname]['protected'] == 1) ? true : false; |
$q = 'SELECT time_id,date_string,page_id,namespace,author,edit_summary,minor_edit FROM ' . table_prefix.'logs WHERE log_type=\'page\' AND action=\'edit\' AND page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' ORDER BY time_id DESC;'; |
if(!$db->sql_query($q)) $db->_die('The history data for the page "' . $paths->cpage['name'] . '" could not be selected.'); |
echo $lang->get('history_page_subtitle') . ' |
<h3>' . $lang->get('history_heading_edits') . '</h3>'; |
$numrows = $db->numrows(); |
if ( $numrows < 1 ) |
{ |
echo $lang->get('history_no_entries'); |
} |
else |
{ |
echo '<form action="'.makeUrlNS($namespace, $page_id, 'do=diff').'" onsubmit="ajaxHistDiff(); return false;" method="get"> |
<input type="submit" value="' . $lang->get('history_btn_compare') . '" /> |
' . ( urlSeparator == '&' ? '<input type="hidden" name="title" value="' . htmlspecialchars($paths->nslist[$namespace] . $page_id) . '" />' : '' ) . ' |
' . ( $session->sid_super ? '<input type="hidden" name="auth" value="' . $session->sid_super . '" />' : '') . ' |
<input type="hidden" name="do" value="diff" /> |
<br /><span> </span> |
<div class="tblholder"> |
<table border="0" width="100%" cellspacing="1" cellpadding="4"> |
<tr> |
<th colspan="2">' . $lang->get('history_col_diff') . '</th> |
<th>' . $lang->get('history_col_datetime') . '</th> |
<th>' . $lang->get('history_col_user') . '</th> |
<th>' . $lang->get('history_col_summary') . '</th> |
<th>' . $lang->get('history_col_minor') . '</th> |
<th colspan="3">' . $lang->get('history_col_actions') . '</th> |
</tr>'."\n"."\n"; |
$cls = 'row2'; |
$ticker = 0; |
while ( $r = $db->fetchrow() ) |
{ |
$ticker++; |
if($cls == 'row2') $cls = 'row1'; |
else $cls = 'row2'; |
echo '<tr>'."\n"; |
// Diff selection |
if($ticker == 1) |
{ |
$s1 = ''; |
$s2 = 'checked="checked" '; |
} |
elseif($ticker == 2) |
{ |
$s1 = 'checked="checked" '; |
$s2 = ''; |
} |
else |
{ |
$s1 = ''; |
$s2 = ''; |
} |
if($ticker > 1) echo '<td class="' . $cls . '" style="padding: 0;"><input ' . $s1 . 'name="diff1" type="radio" value="' . $r['time_id'] . '" id="diff1_' . $r['time_id'] . '" class="clsDiff1Radio" onclick="selectDiff1Button(this);" /></td>'."\n"; else echo '<td class="' . $cls . '"></td>'; |
if($ticker < $numrows) echo '<td class="' . $cls . '" style="padding: 0;"><input ' . $s2 . 'name="diff2" type="radio" value="' . $r['time_id'] . '" id="diff2_' . $r['time_id'] . '" class="clsDiff2Radio" onclick="selectDiff2Button(this);" /></td>'."\n"; else echo '<td class="' . $cls . '"></td>'; |
// Date and time |
echo '<td class="' . $cls . '">' . $r['date_string'] . '</td class="' . $cls . '">'."\n"; |
// User |
if ( $session->get_permissions('mod_misc') && is_valid_ip($r['author']) ) |
{ |
$rc = ' style="cursor: pointer;" title="' . $lang->get('history_tip_rdns') . '" onclick="ajaxReverseDNS(this, \'' . $r['author'] . '\');"'; |
} |
else |
{ |
$rc = ''; |
} |
echo '<td class="' . $cls . '"' . $rc . '><a href="'.makeUrlNS('User', sanitize_page_id($r['author'])).'" '; |
if ( !isPage($paths->nslist['User'] . sanitize_page_id($r['author'])) ) |
{ |
echo 'class="wikilink-nonexistent"'; |
} |
echo '>' . $r['author'] . '</a></td class="' . $cls . '">'."\n"; |
// Edit summary |
if ( $r['edit_summary'] == 'Automatic backup created when logs were purged' ) |
{ |
$r['edit_summary'] = $lang->get('history_summary_clearlogs'); |
} |
echo '<td class="' . $cls . '">' . $r['edit_summary'] . '</td>'."\n"; |
// Minor edit |
echo '<td class="' . $cls . '" style="text-align: center;">'. (( $r['minor_edit'] ) ? 'M' : '' ) .'</td>'."\n"; |
// Actions! |
echo '<td class="' . $cls . '" style="text-align: center;"><a href="'.makeUrlNS($namespace, $page_id, 'oldid=' . $r['time_id']) . '" onclick="ajaxHistView(\'' . $r['time_id'] . '\'); return false;">' . $lang->get('history_action_view') . '</a></td>'."\n"; |
echo '<td class="' . $cls . '" style="text-align: center;"><a href="'.makeUrl($paths->nslist['Special'].'Contributions/' . $r['author']) . '">' . $lang->get('history_action_contrib') . '</a></td>'."\n"; |
echo '<td class="' . $cls . '" style="text-align: center;"><a href="'.makeUrlNS($namespace, $page_id, 'do=rollback&id=' . $r['time_id']) . '" onclick="ajaxRollback(\'' . $r['time_id'] . '\'); return false;">' . $lang->get('history_action_restore') . '</a></td>'."\n"; |
echo '</tr>'."\n"."\n"; |
} |
echo '</table> |
</div> |
<br /> |
<input type="hidden" name="do" value="diff" /> |
<input type="submit" value="' . $lang->get('history_btn_compare') . '" /> |
</form> |
<script type="text/javascript">if ( !KILL_SWITCH ) { buildDiffList(); }</script>'; |
} |
$db->free_result(); |
echo '<h3>' . $lang->get('history_heading_other') . '</h3>'; |
$q = 'SELECT time_id,action,date_string,page_id,namespace,author,edit_summary,minor_edit FROM ' . table_prefix.'logs WHERE log_type=\'page\' AND action!=\'edit\' AND page_id=\'' . $paths->cpage['urlname_nons'] . '\' AND namespace=\'' . $paths->namespace . '\' ORDER BY time_id DESC;'; |
if ( !$db->sql_query($q) ) |
{ |
$db->_die('The history data for the page "' . htmlspecialchars($paths->cpage['name']) . '" could not be selected.'); |
} |
if ( $db->numrows() < 1 ) |
{ |
echo $lang->get('history_no_entries'); |
} |
else |
{ |
echo '<div class="tblholder"> |
<table border="0" width="100%" cellspacing="1" cellpadding="4"><tr> |
<th>' . $lang->get('history_col_datetime') . '</th> |
<th>' . $lang->get('history_col_user') . '</th> |
<th>' . $lang->get('history_col_minor') . '</th> |
<th>' . $lang->get('history_col_action_taken') . '</th> |
<th>' . $lang->get('history_col_extra') . '</th> |
<th colspan="2"></th> |
</tr>'; |
$cls = 'row2'; |
while($r = $db->fetchrow()) { |
if($cls == 'row2') $cls = 'row1'; |
else $cls = 'row2'; |
echo '<tr>'; |
// Date and time |
echo '<td class="' . $cls . '">' . $r['date_string'] . '</td class="' . $cls . '">'; |
// User |
echo '<td class="' . $cls . '"><a href="'.makeUrlNS('User', sanitize_page_id($r['author'])).'" '; |
if(!isPage($paths->nslist['User'] . sanitize_page_id($r['author']))) echo 'class="wikilink-nonexistent"'; |
echo '>' . $r['author'] . '</a></td class="' . $cls . '">'; |
// Minor edit |
echo '<td class="' . $cls . '" style="text-align: center;">'. (( $r['minor_edit'] ) ? 'M' : '' ) .'</td>'; |
// Action taken |
echo '<td class="' . $cls . '">'; |
// Some of these are sanitized at insert-time. Others follow the newer Enano policy of stripping HTML at runtime. |
if ($r['action']=='prot') echo $lang->get('history_log_protect') . '</td><td class="' . $cls . '">' . $lang->get('history_extra_reason') . ' ' . $r['edit_summary']; |
elseif($r['action']=='unprot') echo $lang->get('history_log_unprotect') . '</td><td class="' . $cls . '">' . $lang->get('history_extra_reason') . ' ' . $r['edit_summary']; |
elseif($r['action']=='semiprot') echo $lang->get('history_log_semiprotect') . '</td><td class="' . $cls . '">' . $lang->get('history_extra_reason') . ' ' . $r['edit_summary']; |
elseif($r['action']=='rename') echo $lang->get('history_log_rename') . '</td><td class="' . $cls . '">' . $lang->get('history_extra_oldtitle') . ' '.htmlspecialchars($r['edit_summary']); |
elseif($r['action']=='create') echo $lang->get('history_log_create') . '</td><td class="' . $cls . '">'; |
elseif($r['action']=='delete') echo $lang->get('history_log_delete') . '</td><td class="' . $cls . '">' . $lang->get('history_extra_reason') . ' ' . $r['edit_summary']; |
elseif($r['action']=='reupload') echo $lang->get('history_log_uploadnew') . '</td><td class="' . $cls . '">' . $lang->get('history_extra_reason') . ' '.htmlspecialchars($r['edit_summary']); |
echo '</td>'; |
// Actions! |
echo '<td class="' . $cls . '" style="text-align: center;"><a href="'.makeUrl($paths->nslist['Special'].'Contributions/' . $r['author']) . '">' . $lang->get('history_action_contrib') . '</a></td>'; |
echo '<td class="' . $cls . '" style="text-align: center;"><a href="'.makeUrlNS($namespace, $page_id, 'do=rollback&id=' . $r['time_id']) . '" onclick="ajaxRollback(\'' . $r['time_id'] . '\'); return false;">' . $lang->get('history_action_revert') . '</a></td>'; |
echo '</tr>'; |
} |
echo '</table></div>'; |
} |
$db->free_result(); |
$ret = ob_get_contents(); |
ob_end_clean(); |
return $ret; |
} |
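/**
 * Rolls back a logged action
 * @param $id the time ID, a.k.a. the primary key in the logs table; must be a string of decimal digits
 * @return string a human-readable status or error message for the caller to display
 */

function rollback($id)
{
  global $db, $session, $paths, $template, $plugins; // Common objects

  if ( !$session->get_permissions('history_rollback') )
  {
    return('You are not authorized to perform rollbacks.');
  }
  // $id is interpolated into SQL below, so it has to be a bare unsigned integer
  if ( !preg_match('#^([0-9]+)$#', (string)$id) )
  {
    return('The value "id" on the query string must be an integer.');
  }

  $e = $db->sql_query('SELECT log_type,action,date_string,page_id,namespace,page_text,char_tag,author,edit_summary FROM ' . table_prefix.'logs WHERE time_id=' . $id . ';');
  if ( !$e )
  {
    $db->_die('The rollback data could not be selected.');
  }
  $rb = $db->fetchrow();
  $db->free_result();
  if ( !$rb )
  {
    // fetchrow() is expected to return false when no log entry carries this time_id;
    // without this check every $rb[...] access below would be on a non-array
    return('No log entry with the ID ' . $id . ' could be found.');
  }

  // Escaped copies of the log row's page identity for the queries below. The values
  // come from the database, but nothing here guarantees they are quote-free.
  $page_id_db = $db->escape($rb['page_id']);
  $ns_db = $db->escape($rb['namespace']);
  $ns_known = isset($paths->nslist[$rb['namespace']]);
  $pagekey = $ns_known ? $paths->nslist[$rb['namespace']] . $rb['page_id'] : false;

  if ( $rb['log_type'] == 'page' && $rb['action'] != 'delete' )
  {
    if ( !$ns_known || !isset($paths->pages[$pagekey]) )
    {
      return "Page doesn't exist";
    }
    $pagedata =& $paths->pages[$pagekey];
    // Special case: is the page protected? if so, check for even_when_protected permissions
    if ( $pagedata['protected'] == 2 )
    {
      // Semi-protected: only accounts registered more than four days ago get past the protection
      $protected = !( $session->user_logged_in && $session->reg_time + 60*60*24*4 < time() );
    }
    else
    {
      $protected = ( $pagedata['protected'] == 1 );
    }

    // The page-level ACL decides what may be rolled back on an existing page
    $perms = $session->fetch_page_acl($rb['page_id'], $rb['namespace']);

    if ( $protected && !$perms->get_permissions('even_when_protected') )
    {
      return "Because this page is protected, you need moderator rights to roll back changes.";
    }
  }
  else
  {
    // Deleted pages and non-page log types have no page ACL to load; use the site-wide permissions
    $perms =& $session;
  }

  switch ( $rb['log_type'] )
  {
    case 'page':
      // Most page actions boil down to one UPDATE ($q) plus a success message ($done),
      // both run after the inner switch. Multi-step actions return from inside it.
      switch ( $rb['action'] )
      {
        case 'edit':
          if ( !$perms->get_permissions('edit_page') )
            return "You don't have permission to edit pages, so rolling back edits can't be allowed either.";
          $q = 'UPDATE ' . table_prefix.'page_text SET page_text=\'' . $db->escape($rb['page_text']) . '\',char_tag=\'' . $db->escape($rb['char_tag']) . '\' WHERE page_id=\'' . $page_id_db . '\' AND namespace=\'' . $ns_db . '\'';
          $done = 'The page "' . $pagedata['name'] . '" has been rolled back to the state it was in on ' . $rb['date_string'] . '.';
          break;
        case 'rename':
          if ( !$perms->get_permissions('rename') )
            return "You don't have permission to rename pages, so rolling back renames can't be allowed either.";
          // For rename entries, edit_summary holds the title the page had before the rename
          $q = 'UPDATE ' . table_prefix.'pages SET name=\'' . $db->escape($rb['edit_summary']) . '\' WHERE urlname=\'' . $page_id_db . '\' AND namespace=\'' . $ns_db . '\'';
          $done = 'The page "' . $pagedata['name'] . '" has been rolled back to the name it had ("' . $rb['edit_summary'] . '") before ' . $rb['date_string'] . '.';
          break;
        case 'prot':
        case 'semiprot':
          // Undoing either kind of protection means clearing the flag
          if ( !$perms->get_permissions('protect') )
            return "You don't have permission to protect pages, so rolling back protection can't be allowed either.";
          $q = 'UPDATE ' . table_prefix.'pages SET protected=0 WHERE urlname=\'' . $page_id_db . '\' AND namespace=\'' . $ns_db . '\'';
          $done = 'The page "' . $pagedata['name'] . '" has been unprotected according to the log created at ' . $rb['date_string'] . '.';
          break;
        case 'unprot':
          if ( !$perms->get_permissions('protect') )
            return "You don't have permission to protect pages, so rolling back protection can't be allowed either.";
          $q = 'UPDATE ' . table_prefix.'pages SET protected=1 WHERE urlname=\'' . $page_id_db . '\' AND namespace=\'' . $ns_db . '\'';
          $done = 'The page "' . $pagedata['name'] . '" has been protected according to the log created at ' . $rb['date_string'] . '.';
          break;
        case 'delete':
          if ( !$perms->get_permissions('history_rollback_extra') )
            return 'Administrative privileges are required for page undeletion.';
          if ( !$ns_known )
            return "Page doesn't exist";
          // Check the page named in the log entry itself, not whatever page is currently being viewed
          if ( isset($paths->pages[$pagekey]) )
            return 'You cannot raise a dead page that is alive.';
          $name = str_replace('_', ' ', $rb['page_id']);
          $e = $db->sql_query('INSERT INTO ' . table_prefix.'pages(name,urlname,namespace) VALUES( \'' . $db->escape($name) . '\', \'' . $page_id_db . '\',\'' . $ns_db . '\' )');
          if ( !$e )
            return("An error occurred during the rollback operation.\nMySQL said: ".mysql_error()."\n\nSQL backtrace:\n".$db->sql_backtrace());
          // Restore the text from the most recent edit that was logged for the page
          $e = $db->sql_query('SELECT page_text,char_tag FROM ' . table_prefix.'logs WHERE page_id=\'' . $page_id_db . '\' AND namespace=\'' . $ns_db . '\' AND log_type=\'page\' AND action=\'edit\' ORDER BY time_id DESC LIMIT 1;');
          if ( !$e )
            return("An error occurred during the rollback operation.\nMySQL said: ".mysql_error()."\n\nSQL backtrace:\n".$db->sql_backtrace());
          $r = $db->fetchrow();
          $db->free_result();
          if ( !$r )
          {
            // No edit was ever logged for this page: recreate it with empty text
            $r = array('page_text' => '', 'char_tag' => '');
          }
          $e = $db->sql_query('INSERT INTO ' . table_prefix.'page_text(page_id,namespace,page_text,char_tag) VALUES(\'' . $page_id_db . '\',\'' . $ns_db . '\',\'' . $db->escape($r['page_text']) . '\',\'' . $db->escape($r['char_tag']) . '\')');
          if ( !$e )
            return("An error occurred during the rollback operation.\nMySQL said: ".mysql_error()."\n\nSQL backtrace:\n".$db->sql_backtrace());
          return 'The page "' . $name . '" has been undeleted according to the log created at ' . $rb['date_string'] . '.';
        case 'reupload':
          // File rollbacks are gated on the site-wide permission, not the page ACL
          if ( !$session->get_permissions('history_rollback_extra') )
          {
            return 'Administrative privileges are required for file rollbacks.';
          }
          // Re-stamping the old upload's log and file rows makes it the current revision
          $newtime = time();
          $newdate = date('d M Y h:i a');
          if ( !$db->sql_query('UPDATE ' . table_prefix.'logs SET time_id=' . $newtime . ',date_string=\'' . $newdate . '\' WHERE time_id=' . $id) )
            return 'Error during query: '.mysql_error();
          if ( !$db->sql_query('UPDATE ' . table_prefix.'files SET time_id=' . $newtime . ' WHERE time_id=' . $id) )
            return 'Error during query: '.mysql_error();
          return 'The file has been rolled back to the version uploaded on '.date('d M Y h:i a', (int)$id).'.';
        default:
          return('Rollback of the action "' . $rb['action'] . '" is not yet supported.');
      }
      if ( !$db->sql_query($q) )
      {
        return("An error occurred during the rollback operation.\nMySQL said: ".mysql_error()."\n\nSQL backtrace:\n".$db->sql_backtrace());
      }
      return $done;
    case 'security':
    case 'login':
      return('A ' . $rb['log_type'] . '-related log entry cannot be rolled back.');
    default:
      return('Unknown log entry type: "' . $rb['log_type'] . '"');
  }
}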
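/**
 * Posts a comment.
 * @param $page_id the page ID
 * @param $namespace the namespace
 * @param $name the name of the person posting, defaults to current username/IP
 * @param $subject the subject line of the comment
 * @param $text the comment text
 * @param $captcha_code the CAPTCHA answer typed by the poster; only consulted for guests when comments_need_login is '1'
 * @param $captcha_id the CAPTCHA session ID that $captcha_code is an answer to
 * @return string javascript code
 */

function addcomment($page_id, $namespace, $name, $subject, $text, $captcha_code = false, $captcha_id = false)
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  $_ob = '';
  if ( !$session->get_permissions('post_comments') )
  {
    return 'Access denied';
  }

  // comments_need_login: '2' = members only, '1' = guests must pass a CAPTCHA
  $need_login = getConfig('comments_need_login');
  if ( $need_login == '2' && !$session->user_logged_in )
  {
    _die('Access denied to post comments: you need to be logged in first.');
  }
  if ( $need_login == '1' && !$session->user_logged_in )
  {
    if ( !$captcha_code || !$captcha_id )
    {
      _die('BUG: PageUtils::addcomment: no CAPTCHA data passed to method');
    }
    $result = $session->get_captcha($captcha_id);
    // Compare as strings: a loose != would treat numeric-looking codes such as "0123" and "123" as equal
    if ( (string)$captcha_code !== (string)$result )
    {
      _die('The confirmation code you entered was incorrect.');
    }
  }

  $text = RenderMan::preprocess_text($text);
  // Members always post under their own username; the supplied name is only used for guests
  $name = $session->user_logged_in ? RenderMan::preprocess_text($session->username) : RenderMan::preprocess_text($name);
  $subj = RenderMan::preprocess_text($subject);
  // approve_comments == '1' means new comments are held back until a moderator approves them
  $appr = ( getConfig('approve_comments') == '1' ) ? '0' : '1';

  // page_id and namespace are escaped here. The subject, text and name only go through
  // RenderMan::preprocess_text -- presumably that makes them query-safe; verify before relying on it.
  $q = 'INSERT INTO ' . table_prefix.'comments(page_id,namespace,subject,comment_data,name,user_id,approved,time) VALUES(\'' . $db->escape($page_id) . '\',\'' . $db->escape($namespace) . '\',\'' . $subj . '\',\'' . $text . '\',\'' . $name . '\',' . intval($session->user_id) . ',' . $appr . ','.time().')';
  $e = $db->sql_query($q);
  if ( !$e )
  {
    // NOTE(review): this echoes the failed query back to the browser; logging it server-side would avoid exposing schema details
    die('alert(unescape(\''.rawurlencode('Error inserting comment data: '.mysql_error().'\n\nQuery:\n' . $q) . '\'))');
  }
  $_ob .= '<div class="info-box">Your comment has been posted.</div>';
  return PageUtils::comments($page_id, $namespace, false, Array(), $_ob);
}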
/** |
* Generates partly-compiled HTML/Javascript code to be eval'ed by the user's browser to display comments |
* @param $page_id the page ID |
* @param $namespace the namespace |
* @param $action administrative action to perform, default is false |
* @param $flags additional info for $action, shouldn't be used except when deleting/approving comments, etc. |
* @param $_ob text to prepend to output, used by PageUtils::addcomment |
* @return array |
* @access private |
*/ |
function comments_raw($page_id, $namespace, $action = false, $flags = Array(), $_ob = '') |
|
943 |
{ |
|
944 |
global $db, $session, $paths, $template, $plugins; // Common objects |
|
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
945 |
global $lang; |
1 | 946 |
|
947 |
$pname = $paths->nslist[$namespace] . $page_id; |
|
948 |
||
949 |
ob_start(); |
|
950 |
||
951 |
if($action && $session->get_permissions('mod_comments')) // Nip hacking attempts in the bud |
|
952 |
{ |
|
953 |
switch($action) { |
|
954 |
case "delete": |
|
955 |
if(isset($flags['id'])) |
|
956 |
{ |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
957 |
$q = 'DELETE FROM ' . table_prefix.'comments WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND comment_id='.intval($flags['id']).' LIMIT 1;'; |
1 | 958 |
} else { |
959 |
$n = $db->escape($flags['name']); |
|
960 |
$s = $db->escape($flags['subj']); |
|
961 |
$t = $db->escape($flags['text']); |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
962 |
$q = 'DELETE FROM ' . table_prefix.'comments WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND name=\'' . $n . '\' AND subject=\'' . $s . '\' AND comment_data=\'' . $t . '\' LIMIT 1;'; |
1 | 963 |
} |
964 |
$e=$db->sql_query($q); |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
965 |
if(!$e) die('alert(unesape(\''.rawurlencode('Error during query: '.mysql_error().'\n\nQuery:\n' . $q) . '\'));'); |
1 | 966 |
break; |
967 |
case "approve": |
|
968 |
if(isset($flags['id'])) |
|
969 |
{ |
|
970 |
$where = 'comment_id='.intval($flags['id']); |
|
971 |
} else { |
|
972 |
$n = $db->escape($flags['name']); |
|
973 |
$s = $db->escape($flags['subj']); |
|
974 |
$t = $db->escape($flags['text']); |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
975 |
$where = 'name=\'' . $n . '\' AND subject=\'' . $s . '\' AND comment_data=\'' . $t . '\''; |
1 | 976 |
} |
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
977 |
$q = 'SELECT approved FROM ' . table_prefix.'comments WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND ' . $where . ' LIMIT 1;'; |
1 | 978 |
$e = $db->sql_query($q); |
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
979 |
if(!$e) die('alert(unesape(\''.rawurlencode('Error selecting approval status: '.mysql_error().'\n\nQuery:\n' . $q) . '\'));'); |
1 | 980 |
$r = $db->fetchrow(); |
981 |
$db->free_result(); |
|
982 |
$a = ( $r['approved'] ) ? '0' : '1'; |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
983 |
$q = 'UPDATE ' . table_prefix.'comments SET approved=' . $a . ' WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND ' . $where . ';'; |
1 | 984 |
$e=$db->sql_query($q); |
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
985 |
if(!$e) die('alert(unesape(\''.rawurlencode('Error during query: '.mysql_error().'\n\nQuery:\n' . $q) . '\'));'); |
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
986 |
if($a=='1') $v = $lang->get('comment_btn_mod_unapprove'); |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
987 |
else $v = $lang->get('comment_btn_mod_approve'); |
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
988 |
echo 'document.getElementById("mdgApproveLink'.intval($_GET['id']).'").innerHTML="' . $v . '";'; |
1 | 989 |
break; |
990 |
} |
|
991 |
} |
|
992 |
||
993 |
if(!defined('ENANO_TEMPLATE_LOADED')) |
|
994 |
{ |
|
995 |
$template->load_theme($session->theme, $session->style); |
|
996 |
} |
|
997 |
||
998 |
$tpl = $template->makeParser('comment.tpl'); |
|
999 |
||
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1000 |
$e = $db->sql_query('SELECT * FROM ' . table_prefix.'comments WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND approved=0;'); |
1 | 1001 |
if(!$e) $db->_die('The comment text data could not be selected.'); |
1002 |
$num_unapp = $db->numrows(); |
|
1003 |
$db->free_result(); |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1004 |
$e = $db->sql_query('SELECT * FROM ' . table_prefix.'comments WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND approved=1;'); |
1 | 1005 |
if(!$e) $db->_die('The comment text data could not be selected.'); |
1006 |
$num_app = $db->numrows(); |
|
1007 |
$db->free_result(); |
|
1008 |
$lq = $db->sql_query('SELECT c.comment_id,c.subject,c.name,c.comment_data,c.approved,c.time,c.user_id,u.user_level,u.signature |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1009 |
FROM ' . table_prefix.'comments AS c |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1010 |
LEFT JOIN ' . table_prefix.'users AS u |
1 | 1011 |
ON c.user_id=u.user_id |
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1012 |
WHERE page_id=\'' . $page_id . '\' |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1013 |
AND namespace=\'' . $namespace . '\' ORDER BY c.time ASC;'); |
1 | 1014 |
if(!$lq) _die('The comment text data could not be selected. '.mysql_error()); |
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1015 |
$_ob .= '<h3>' . $lang->get('comment_heading') . '</h3>'; |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1016 |
|
1 | 1017 |
$n = ( $session->get_permissions('mod_comments')) ? $db->numrows() : $num_app; |
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1018 |
|
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1019 |
$subst = array( |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1020 |
'num_comments' => $n, |
226
0e6478521004
Fixed the one FIXME in PageUtils regarding static HTML comment system's greeting line; fixed parsing of external links in template->tplWikiFormat
Dan
parents:
219
diff
changeset
|
1021 |
'page_type' => $template->namespace_string |
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1022 |
); |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1023 |
|
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1024 |
$_ob .= '<p>'; |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1025 |
$_ob .= ( $n == 0 ) ? $lang->get('comment_msg_count_zero', $subst) : ( $n == 1 ? $lang->get('comment_msg_count_one', $subst) : $lang->get('comment_msg_count_plural', $subst) ); |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1026 |
|
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1027 |
if ( $session->get_permissions('mod_comments') && $num_unapp > 0 ) |
1 | 1028 |
{ |
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1029 |
$_ob .= ' <span style="color: #D84308">' . $lang->get('comment_msg_count_unapp_mod', array( 'num_unapp' => $num_unapp )) . '</span>'; |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1030 |
} |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1031 |
else if ( !$session->get_permissions('mod_comments') && $num_unapp > 0 ) |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1032 |
{ |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1033 |
$ls = ( $num_unapp == 1 ) ? 'comment_msg_count_unapp_one' : 'comment_msg_count_unapp_plural'; |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1034 |
$_ob .= ' <span>' . $lang->get($ls, array( 'num_unapp' => $num_unapp )) . '</span>'; |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1035 |
} |
78
4df25dfdde63
Modified Text_Wiki parser to fully support UTF-8 strings; several other UTF-8 fixes, international characters seem to work reasonably well now
Dan
parents:
73
diff
changeset
|
1036 |
$_ob .= '</p>'; |
1 | 1037 |
$list = 'list = { '; |
1038 |
// _die(htmlspecialchars($ttext)); |
|
1039 |
$i = -1; |
|
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1040 |
while ( $row = $db->fetchrow($lq) ) |
1 | 1041 |
{ |
1042 |
$i++; |
|
1043 |
$strings = Array(); |
|
1044 |
$bool = Array(); |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1045 |
if ( $session->get_permissions('mod_comments') || $row['approved'] ) |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1046 |
{ |
1 | 1047 |
$list .= $i . ' : { \'comment\' : unescape(\''.rawurlencode($row['comment_data']).'\'), \'name\' : unescape(\''.rawurlencode($row['name']).'\'), \'subject\' : unescape(\''.rawurlencode($row['subject']).'\'), }, '; |
1048 |
||
1049 |
// Comment ID (used in the Javascript apps) |
|
1050 |
$strings['ID'] = (string)$i; |
|
1051 |
||
1052 |
// Determine the name, and whether to link to the user page or not |
|
1053 |
$name = ''; |
|
304 | 1054 |
if($row['user_id'] > 1) $name .= '<a href="'.makeUrlNS('User', sanitize_page_id(' ', '_', $row['name'])).'">'; |
1 | 1055 |
$name .= $row['name']; |
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1056 |
if($row['user_id'] > 1) $name .= '</a>'; |
1 | 1057 |
$strings['NAME'] = $name; unset($name); |
1058 |
||
1059 |
// Subject |
|
1060 |
$s = $row['subject']; |
|
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1061 |
if(!$row['approved']) $s .= ' <span style="color: #D84308">' . $lang->get('comment_msg_note_unapp') . '</span>'; |
1 | 1062 |
$strings['SUBJECT'] = $s; |
1063 |
||
1064 |
// Date and time |
|
1065 |
$strings['DATETIME'] = date('F d, Y h:i a', $row['time']); |
|
1066 |
||
1067 |
// User level |
|
1068 |
switch($row['user_level']) |
|
1069 |
{ |
|
1070 |
default: |
|
1071 |
case USER_LEVEL_GUEST: |
|
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1072 |
$l = $lang->get('user_type_guest'); |
1 | 1073 |
break; |
1074 |
case USER_LEVEL_MEMBER: |
|
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1075 |
case USER_LEVEL_CHPREF: |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1076 |
$l = $lang->get('user_type_member'); |
1 | 1077 |
break; |
1078 |
case USER_LEVEL_MOD: |
|
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1079 |
$l = $lang->get('user_type_mod'); |
1 | 1080 |
break; |
1081 |
case USER_LEVEL_ADMIN: |
|
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1082 |
$l = $lang->get('user_type_admin'); |
1 | 1083 |
break; |
1084 |
} |
|
1085 |
$strings['USER_LEVEL'] = $l; unset($l); |
|
1086 |
||
1087 |
// The actual comment data |
|
1088 |
$strings['DATA'] = RenderMan::render($row['comment_data']); |
|
1089 |
||
1090 |
if($session->get_permissions('edit_comments')) |
|
1091 |
{ |
|
1092 |
// Edit link |
|
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1093 |
$strings['EDIT_LINK'] = '<a href="'.makeUrlNS($namespace, $page_id, 'do=comments&sub=editcomment&id=' . $row['comment_id']) . '" id="editbtn_' . $i . '">' . $lang->get('comment_btn_edit') . '</a>'; |
1 | 1094 |
|
1095 |
// Delete link |
|
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1096 |
$strings['DELETE_LINK'] = '<a href="'.makeUrlNS($namespace, $page_id, 'do=comments&sub=deletecomment&id=' . $row['comment_id']) . '">' . $lang->get('comment_btn_delete') . '</a>'; |
1 | 1097 |
} |
1098 |
else |
|
1099 |
{ |
|
1100 |
// Edit link |
|
1101 |
$strings['EDIT_LINK'] = ''; |
|
1102 |
||
1103 |
// Delete link |
|
1104 |
$strings['DELETE_LINK'] = ''; |
|
1105 |
} |
|
1106 |
||
1107 |
// Send PM link |
|
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1108 |
$strings['SEND_PM_LINK'] = ( $session->user_logged_in && $row['user_id'] > 1 ) ? '<a href="'.makeUrlNS('Special', 'PrivateMessages/Compose/To/' . $row['name']) . '">' . $lang->get('comment_btn_send_privmsg') . '</a><br />' : ''; |
1 | 1109 |
|
1110 |
// Add Buddy link |
|
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1111 |
$strings['ADD_BUDDY_LINK'] = ( $session->user_logged_in && $row['user_id'] > 1 ) ? '<a href="'.makeUrlNS('Special', 'PrivateMessages/FriendList/Add/' . $row['name']) . '">' . $lang->get('comment_btn_add_buddy') . '</a>' : ''; |
1 | 1112 |
|
1113 |
// Mod links |
|
1114 |
$applink = ''; |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1115 |
$applink .= '<a href="'.makeUrlNS($namespace, $page_id, 'do=comments&sub=admin&action=approve&id=' . $row['comment_id']) . '" id="mdgApproveLink' . $i . '">'; |
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1116 |
if($row['approved']) $applink .= $lang->get('comment_btn_mod_unapprove'); |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1117 |
else $applink .= $lang->get('comment_btn_mod_approve'); |
1 | 1118 |
$applink .= '</a>'; |
1119 |
$strings['MOD_APPROVE_LINK'] = $applink; unset($applink); |
|
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1120 |
$strings['MOD_DELETE_LINK'] = '<a href="'.makeUrlNS($namespace, $page_id, 'do=comments&sub=admin&action=delete&id=' . $row['comment_id']) . '">' . $lang->get('comment_btn_mod_delete') . '</a>'; |
1 | 1121 |
|
1122 |
// Signature |
|
1123 |
$strings['SIGNATURE'] = ''; |
|
1124 |
if($row['signature'] != '') $strings['SIGNATURE'] = RenderMan::render($row['signature']); |
|
1125 |
||
1126 |
$bool['auth_mod'] = ($session->get_permissions('mod_comments')) ? true : false; |
|
1127 |
$bool['can_edit'] = ( ( $session->user_logged_in && $row['name'] == $session->username && $session->get_permissions('edit_comments') ) || $session->get_permissions('mod_comments') ) ? true : false; |
|
1128 |
$bool['signature'] = ( $strings['SIGNATURE'] == '' ) ? false : true; |
|
1129 |
||
1130 |
// Done processing and compiling, now let's cook it into HTML |
|
1131 |
$tpl->assign_vars($strings); |
|
1132 |
$tpl->assign_bool($bool); |
|
1133 |
$_ob .= $tpl->run(); |
|
1134 |
} |
|
1135 |
} |
|
1136 |
if(getConfig('comments_need_login') != '2' || $session->user_logged_in) |
|
1137 |
{ |
|
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1138 |
if($session->get_permissions('post_comments')) |
1 | 1139 |
{ |
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1140 |
$_ob .= '<h3>' . $lang->get('comment_postform_title') . '</h3>'; |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1141 |
$_ob .= $lang->get('comment_postform_blurb'); |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1142 |
if(getConfig('approve_comments')=='1') $_ob .= ' ' . $lang->get('comment_postform_blurb_unapp'); |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1143 |
if(getConfig('comments_need_login') == '1' && !$session->user_logged_in) |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1144 |
{ |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1145 |
$_ob .= ' ' . $lang->get('comment_postform_blurb_captcha'); |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1146 |
} |
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1147 |
$sn = $session->user_logged_in ? $session->username . '<input name="name" id="mdgScreenName" type="hidden" value="' . $session->username . '" />' : '<input name="name" id="mdgScreenName" type="text" size="35" />'; |
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1148 |
$_ob .= ' <a href="#" id="mdgCommentFormLink" style="display: none;" onclick="document.getElementById(\'mdgCommentForm\').style.display=\'block\';this.style.display=\'none\';return false;">' . $lang->get('comment_postform_blurb_link') . '</a> |
1 | 1149 |
<div id="mdgCommentForm"> |
1150 |
<form action="'.makeUrlNS($namespace, $page_id, 'do=comments&sub=postcomment').'" method="post" style="margin-left: 1em"> |
|
1151 |
<table border="0"> |
|
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1152 |
<tr><td>' . $lang->get('comment_postform_field_name') . '</td><td>' . $sn . '</td></tr> |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1153 |
<tr><td>' . $lang->get('comment_postform_field_subject') . '</td><td><input name="subj" id="mdgSubject" type="text" size="35" /></td></tr>'; |
1 | 1154 |
if(getConfig('comments_need_login') == '1' && !$session->user_logged_in) |
1155 |
{ |
|
1156 |
$session->kill_captcha(); |
|
1157 |
$captcha = $session->make_captcha(); |
|
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1158 |
$_ob .= '<tr><td>' . $lang->get('comment_postform_field_captcha_title') . '<br /><small>' . $lang->get('comment_postform_field_captcha_blurb') . '</small></td><td><img src="'.makeUrlNS('Special', 'Captcha/' . $captcha) . '" alt="Visual confirmation" style="cursor: pointer;" onclick="this.src = \''.makeUrlNS("Special", "Captcha/".$captcha).'/\'+Math.floor(Math.random() * 100000);" /><input name="captcha_id" id="mdgCaptchaID" type="hidden" value="' . $captcha . '" /><br />' . $lang->get('comment_postform_field_captcha_label') . ' <input name="captcha_input" id="mdgCaptchaInput" type="text" size="10" /><br /><small><script type="text/javascript">document.write("' . $lang->get('comment_postform_field_captcha_cantread_js') . '");</script><noscript>' . $lang->get('comment_postform_field_captcha_cantread_nojs') . '</noscript></small></td></tr>'; |
1 | 1159 |
} |
1160 |
$_ob .= ' |
|
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1161 |
<tr><td valign="top">' . $lang->get('comment_postform_field_comment') . '</td><td><textarea name="text" id="mdgCommentArea" rows="10" cols="40"></textarea></td></tr> |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1162 |
<tr><td colspan="2" style="text-align: center;"><input type="submit" value="' . $lang->get('comment_postform_btn_submit') . '" /></td></tr> |
1 | 1163 |
</table> |
1164 |
</form> |
|
1165 |
</div>'; |
|
1166 |
} |
|
1167 |
} else { |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1168 |
$_ob .= '<h3>Got something to say?</h3><p>You need to be logged in to post comments. <a href="'.makeUrlNS('Special', 'Login/' . $pname . '%2523comments').'">Log in</a></p>'; |
1 | 1169 |
} |
1170 |
$list .= '};'; |
|
1171 |
echo 'document.getElementById(\'ajaxEditContainer\').innerHTML = unescape(\''. rawurlencode($_ob) .'\'); |
|
1172 |
' . $list; |
|
1173 |
echo 'Fat.fade_all(); document.getElementById(\'mdgCommentForm\').style.display = \'none\'; document.getElementById(\'mdgCommentFormLink\').style.display="inline";'; |
|
1174 |
||
1175 |
$ret = ob_get_contents(); |
|
1176 |
ob_end_clean(); |
|
1177 |
return Array($ret, $_ob); |
|
1178 |
||
1179 |
} |
|
1180 |
||
1181 |
/**
 * Generates ready-to-execute Javascript code to be eval'ed by the user's browser to display comments.
 * Thin wrapper around PageUtils::comments_raw that returns only the Javascript half of its result.
 *
 * @param $page_id the page ID
 * @param $namespace the namespace
 * @param $action administrative action to perform, default is false
 * @param $id forwarded unchanged as comments_raw's $flags argument (admin action details), default -1
 * @param $_ob text to prepend to output, used by PageUtils::addcomment
 * @return string
 */

function comments($page_id, $namespace, $action = false, $id = -1, $_ob = '')
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  // comments_raw() returns array(javascript, html); only the first element is wanted here
  list($script) = PageUtils::comments_raw($page_id, $namespace, $action, $id, $_ob);
  return $script;
}
|
1197 |
||
1198 |
/**
 * Generates HTML code for comments - used in browser compatibility mode.
 * Thin wrapper around PageUtils::comments_raw that returns only the HTML half of its result.
 *
 * @param $page_id the page ID
 * @param $namespace the namespace
 * @param $action administrative action to perform, default is false
 * @param $id forwarded unchanged as comments_raw's $flags argument (admin action details), default -1
 * @param $_ob text to prepend to output, used by PageUtils::addcomment
 * @return string
 */

function comments_html($page_id, $namespace, $action = false, $id = -1, $_ob = '')
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  // comments_raw() returns array(javascript, html); skip the Javascript and keep the HTML
  list(, $html) = PageUtils::comments_raw($page_id, $namespace, $action, $id, $_ob);
  return $html;
}
|
1214 |
||
1215 |
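/**
 * Updates comment data.
 *
 * The comment is addressed by its old subject and text (not by comment_id — see savecomment_neater
 * for that), so every comment on the page with that exact subject and text is updated. Non-moderators
 * must be logged in and must own the comment; for them the update is additionally restricted to rows
 * carrying their own name, so the ownership check and the update cover the same rows.
 *
 * @param $page_id the page ID
 * @param $namespace the namespace
 * @param $subject new subject
 * @param $text new text
 * @param $old_subject the old subject, unprocessed and identical to the value in the DB
 * @param $old_text the old text, unprocessed and identical to the value in the DB
 * @param $id the javascript list ID, used internally by the client-side app; emitted as an integer
 * @return string Javascript fragment: result="GOOD" plus list/id/s/t assignments on success,
 *                result="BAD" plus an error message on failure or missing permission
 */

function savecomment($page_id, $namespace, $subject, $text, $old_subject, $old_text, $id = -1)
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  if(!$session->get_permissions('edit_comments'))
    return 'result="BAD";error="Access denied"';

  // Avoid SQL injection: everything interpolated into the queries below is escaped here.
  // Escaping the page identifiers is defensive and a no-op for IDs without quotes or backslashes.
  $old_text = $db->escape($old_text);
  $old_subject = $db->escape($old_subject);
  $page_id_db = $db->escape($page_id);
  $namespace_db = $db->escape($namespace);

  // Extra WHERE predicate limiting the update to the caller's own comments (empty for moderators)
  $owner_clause = '';

  // Safety check - username/login
  if(!$session->get_permissions('mod_comments')) // allow mods to edit comments
  {
    if(!$session->user_logged_in) _die('AJAX comment save safety check failed because you are not logged in. Sometimes this can happen because you are using a browser that does not send cookies as part of AJAX requests.<br /><br />Please log in and try again.');
    $q = 'SELECT c.name FROM ' . table_prefix.'comments c, ' . table_prefix.'users u WHERE comment_data=\'' . $old_text . '\' AND subject=\'' . $old_subject . '\' AND page_id=\'' . $page_id_db . '\' AND namespace=\'' . $namespace_db . '\' AND u.user_id=c.user_id;';
    $s = $db->sql_query($q);
    if(!$s) _die('SQL error during safety check: '.mysql_error().'<br /><br />Attempted SQL:<br /><pre>'.htmlspecialchars($q).'</pre>');
    $r = $db->fetchrow($s);
    // Check the row count before releasing the result set (savecomment_neater does the same)
    if($db->numrows() < 1 || !$r || $r['name'] != $session->username) _die('Safety check failed, probably due to a hacking attempt.');
    $db->free_result();
    $owner_clause = ' AND name=\'' . $db->escape($session->username) . '\'';
  }

  // NOTE(review): preprocess_text is relied on to make $s and $t safe for the query, as addcomment does — confirm
  $s = RenderMan::preprocess_text($subject);
  $t = RenderMan::preprocess_text($text);
  $sql = 'UPDATE ' . table_prefix.'comments SET subject=\'' . $s . '\',comment_data=\'' . $t . '\' WHERE comment_data=\'' . $old_text . '\' AND subject=\'' . $old_subject . '\' AND page_id=\'' . $page_id_db . '\' AND namespace=\'' . $namespace_db . '\'' . $owner_clause;
  $result = $db->sql_query($sql);

  // $id is written straight into Javascript; force it to an integer so it cannot carry script
  $id_js = intval($id);

  if($result)
  {
    // The {{EnAnO:Newline}} dance preserves literal "\n" sequences across stripslashes()
    return 'result="GOOD";
    list[' . $id_js . '][\'subject\'] = unescape(\''.str_replace('%5Cn', '%0A', rawurlencode(str_replace('{{EnAnO:Newline}}', '\\n', stripslashes(str_replace('\\n', '{{EnAnO:Newline}}', $s))))).'\');
    list[' . $id_js . '][\'comment\'] = unescape(\''.str_replace('%5Cn', '%0A', rawurlencode(str_replace('{{EnAnO:Newline}}', '\\n', stripslashes(str_replace('\\n', '{{EnAnO:Newline}}', $t))))).'\'); id = ' . $id_js . ';
    s = unescape(\''.rawurlencode($s).'\');
    t = unescape(\''.str_replace('%5Cn', '<br \\/>', rawurlencode(RenderMan::render(str_replace('{{EnAnO:Newline}}', "\n", stripslashes(str_replace('\\n', '{{EnAnO:Newline}}', $t)))))).'\');';
  }
  else
  {
    return 'result="BAD"; error=unescape("'.rawurlencode('Enano encountered a problem whilst saving the comment.
    Performed SQL:
    ' . $sql . '

    Error returned by MySQL: '.mysql_error()).'");';
  }
}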
|
1267 |
||
1268 |
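/**
 * Updates a comment's subject and body, locating the row by its comment_id primary key
 * (the newer replacement for the name/subject/text matching used by the older code path).
 *
 * Access control: the caller must hold edit_comments. A caller without mod_comments may
 * only edit a comment that was posted under their own username; moderators may edit any.
 *
 * @param string $page_id   the page ID the comment belongs to
 * @param string $namespace the namespace of that page
 * @param string $subject   new subject
 * @param string $text      new text
 * @param int    $id        the comment ID (primary key in enano_comments table); must be a real integer
 * @return string 'good' on success, otherwise a human-readable error message
 */

function savecomment_neater($page_id, $namespace, $subject, $text, $id)
{
  global $db, $session, $paths, $template, $plugins; // Common objects

  // $id is interpolated into SQL unquoted, so anything but a genuine integer is fatal
  if ( !is_int($id) )
    die('PageUtils::savecomment: $id is not an integer, aborting for safety');

  if ( !$session->get_permissions('edit_comments') )
    return 'Access denied';

  // The page ID and namespace come in from the request; escape them once and
  // reuse the escaped copies in every statement below.
  $page_id_db = $db->escape($page_id);
  $namespace_db = $db->escape($namespace);

  // Safety check - username/login. Moderators may edit anyone's comment;
  // everyone else must own the comment they are editing.
  if ( !$session->get_permissions('mod_comments') )
  {
    if ( !$session->user_logged_in )
      _die('AJAX comment save safety check failed because you are not logged in. Sometimes this can happen because you are using a browser that does not send cookies as part of AJAX requests.<br /><br />Please log in and try again.');

    $q = 'SELECT c.name FROM ' . table_prefix . 'comments c, ' . table_prefix . 'users u'
       . ' WHERE comment_id=' . $id
       . ' AND page_id=\'' . $page_id_db . '\''
       . ' AND namespace=\'' . $namespace_db . '\''
       . ' AND u.user_id=c.user_id;';
    $check = $db->sql_query($q);
    if ( !$check )
      _die('SQL error during safety check: ' . mysql_error() . '<br /><br />Attempted SQL:<br /><pre>' . htmlspecialchars($q) . '</pre>');

    $r = $db->fetchrow($check);
    if ( $db->numrows() < 1 || $r['name'] != $session->username )
      _die('Safety check failed, probably due to a hacking attempt.');
    $db->free_result();
  }

  // NOTE(review): the subject and body go into SQL after only
  // RenderMan::preprocess_text(); this assumes preprocess_text() returns
  // SQL-safe output — confirm, otherwise run both through $db->escape() as well.
  $s = RenderMan::preprocess_text($subject);
  $t = RenderMan::preprocess_text($text);

  $sql = 'UPDATE ' . table_prefix . 'comments SET subject=\'' . $s . '\',comment_data=\'' . $t . '\''
       . ' WHERE comment_id=' . $id
       . ' AND page_id=\'' . $page_id_db . '\''
       . ' AND namespace=\'' . $namespace_db . '\'';
  $result = $db->sql_query($sql);
  if ( $result )
    return 'good';

  // NOTE(review): this returns the failed statement and the driver error text to
  // the client; logging it server-side and returning a generic message would
  // avoid leaking schema details.
  return 'Enano encountered a problem whilst saving the comment.
Performed SQL:
' . $sql . '

Error returned by MySQL: ' . mysql_error();
}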
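/**
 * Deletes a comment, locating it by the (name, subject, text) triple; this is the
 * legacy entry point, deletecomment_neater() does the same by comment_id.
 *
 * Access control: the caller must hold edit_comments. A caller without mod_comments may
 * only delete a comment that was posted under their own username; moderators may delete any.
 *
 * @param string     $page_id   the page ID
 * @param string     $namespace the namespace
 * @param string     $name      the name the user posted under
 * @param string     $subj      the subject of the comment to be deleted
 * @param string     $text      the text of the comment to be deleted
 * @param int|string $id        the javascript list ID, used internally by the client-side app; digits only
 * @return string 'good' on success, otherwise a JavaScript snippet that reports the error
 */

function deletecomment($page_id, $namespace, $name, $subj, $text, $id)
{
  global $db, $session, $paths, $template, $plugins; // Common objects

  if ( !$session->get_permissions('edit_comments') )
    return 'alert("Access to delete/edit comments is denied");';

  if ( !preg_match('#^([0-9]+)$#', (string)$id) )
    die('$_GET[id] is improperly formed.');

  // Every request-supplied value is escaped exactly once, up front, and the
  // escaped copies are the only ones that reach SQL.
  $n = $db->escape($name);
  $s = $db->escape($subj);
  $t = $db->escape($text);
  $page_id_db = $db->escape($page_id);
  $namespace_db = $db->escape($namespace);

  // Safety check - username/login. Moderators may delete anyone's comment;
  // everyone else must own the comment they are deleting.
  if ( !$session->get_permissions('mod_comments') )
  {
    if ( !$session->user_logged_in )
      _die('AJAX comment save safety check failed because you are not logged in. Sometimes this can happen because you are using a browser that does not send cookies as part of AJAX requests.<br /><br />Please log in and try again.');

    $q = 'SELECT c.name FROM ' . table_prefix . 'comments c, ' . table_prefix . 'users u'
       . ' WHERE comment_data=\'' . $t . '\''
       . ' AND subject=\'' . $s . '\''
       . ' AND page_id=\'' . $page_id_db . '\''
       . ' AND namespace=\'' . $namespace_db . '\''
       . ' AND u.user_id=c.user_id;';
    // Kept in its own variable so the escaped subject in $s survives for the DELETE below
    $check = $db->sql_query($q);
    if ( !$check )
      _die('SQL error during safety check: ' . mysql_error() . '<br /><br />Attempted SQL:<br /><pre>' . htmlspecialchars($q) . '</pre>');

    $r = $db->fetchrow($check);
    if ( $db->numrows() < 1 || $r['name'] != $session->username )
      _die('Safety check failed, probably due to a hacking attempt.');
    $db->free_result();
  }

  $q = 'DELETE FROM ' . table_prefix . 'comments'
     . ' WHERE page_id=\'' . $page_id_db . '\''
     . ' AND namespace=\'' . $namespace_db . '\''
     . ' AND name=\'' . $n . '\''
     . ' AND subject=\'' . $s . '\''
     . ' AND comment_data=\'' . $t . '\''
     . ' LIMIT 1;';
  $e = $db->sql_query($q);
  // The JavaScript function is unescape(); a misspelling here makes the error alert throw client-side
  if ( !$e )
    return 'alert(unescape(\'' . rawurlencode('Error during query: ' . mysql_error() . '\n\nQuery:\n' . $q) . '\'));';
  return 'good';
}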
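/**
 * Deletes a comment in a cleaner fashion, locating it by its comment_id primary key.
 *
 * Access control: the caller must hold edit_comments. A caller without mod_comments may
 * only delete a comment that was posted under their own username; moderators may delete any.
 *
 * @param string     $page_id   the page ID
 * @param string     $namespace the namespace
 * @param int|string $id        the comment ID (primary key); digits only
 * @return string 'good' on success, otherwise a JavaScript snippet that reports the error
 */

function deletecomment_neater($page_id, $namespace, $id)
{
  global $db, $session, $paths, $template, $plugins; // Common objects

  // $id is interpolated into SQL unquoted; digits-only is enforced before anything else
  if ( !preg_match('#^([0-9]+)$#', (string)$id) )
    die('$_GET[id] is improperly formed.');

  if ( !$session->get_permissions('edit_comments') )
    return 'alert("Access to delete/edit comments is denied");';

  // The page ID and namespace come in from the request; escape them once and
  // reuse the escaped copies in every statement below.
  $page_id_db = $db->escape($page_id);
  $namespace_db = $db->escape($namespace);

  // Safety check - username/login. Moderators may delete anyone's comment;
  // everyone else must own the comment they are deleting.
  if ( !$session->get_permissions('mod_comments') )
  {
    if ( !$session->user_logged_in )
      _die('AJAX comment save safety check failed because you are not logged in. Sometimes this can happen because you are using a browser that does not send cookies as part of AJAX requests.<br /><br />Please log in and try again.');

    $q = 'SELECT c.name FROM ' . table_prefix . 'comments c, ' . table_prefix . 'users u'
       . ' WHERE comment_id=' . $id
       . ' AND page_id=\'' . $page_id_db . '\''
       . ' AND namespace=\'' . $namespace_db . '\''
       . ' AND u.user_id=c.user_id;';
    $check = $db->sql_query($q);
    if ( !$check )
      _die('SQL error during safety check: ' . mysql_error() . '<br /><br />Attempted SQL:<br /><pre>' . htmlspecialchars($q) . '</pre>');

    $r = $db->fetchrow($check);
    if ( $db->numrows() < 1 || $r['name'] != $session->username )
      _die('Safety check failed, probably due to a hacking attempt.');
    $db->free_result();
  }

  $q = 'DELETE FROM ' . table_prefix . 'comments'
     . ' WHERE page_id=\'' . $page_id_db . '\''
     . ' AND namespace=\'' . $namespace_db . '\''
     . ' AND comment_id=' . $id
     . ' LIMIT 1;';
  $e = $db->sql_query($q);
  // The JavaScript function is unescape(); a misspelling here makes the error alert throw client-side
  if ( !$e )
    return 'alert(unescape(\'' . rawurlencode('Error during query: ' . mysql_error() . '\n\nQuery:\n' . $q) . '\'));';
  return 'good';
}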
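/**
 * Renames a page: changes its display title (the pages.name column); the URL name is untouched.
 * A log row is written before the title is updated.
 *
 * @param string $page_id   the page ID
 * @param string $namespace the namespace
 * @param string $name      the new name for the page
 * @return string error string or success message, fetched from the language layer
 */

function rename($page_id, $namespace, $name)
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  global $lang;

  $pname = $paths->nslist[$namespace] . $page_id;

  // Protection level 1 always counts as protected. Level 2 counts as protected
  // only for a logged-in user whose registration is more than four days old.
  // NOTE(review): that direction (older accounts, not newer ones, see the page
  // as protected) looks inverted for a "semi-protection" — confirm it is intended.
  $four_days = 60 * 60 * 24 * 4;
  $protected_level = $paths->pages[$pname]['protected'];
  $prot = ( $protected_level == 2 && $session->user_logged_in && $session->reg_time + $four_days < time() )
          || $protected_level == 1;

  if ( empty($name) )
  {
    return $lang->get('ajax_rename_too_short');
  }

  // Renaming needs the rename right, plus even_when_protected if the page is protected;
  // Special and Admin pages can never be renamed.
  $may_rename = $session->get_permissions('rename')
                && ( !$prot || $session->get_permissions('even_when_protected') );
  $system_namespace = ( $paths->namespace == 'Special' || $paths->namespace == 'Admin' );
  if ( !$may_rename || $system_namespace )
  {
    return $lang->get('etc_access_denied');
  }

  // NOTE(review): the log row records $paths->cpage / $paths->namespace (the page
  // currently being served) whereas the UPDATE below targets $page_id / $namespace.
  // This assumes the AJAX caller only ever renames the current page — confirm.
  $e = $db->sql_query('INSERT INTO ' . table_prefix . 'logs(time_id,date_string,log_type,action,page_id,namespace,author,edit_summary)'
                    . ' VALUES(' . time() . ', \'' . date('d M Y h:i a') . '\', \'page\', \'rename\', \''
                    . $db->escape($paths->cpage['urlname_nons']) . '\', \'' . $db->escape($paths->namespace) . '\', \''
                    . $db->escape($session->username) . '\', \'' . $db->escape($paths->cpage['name']) . '\')');
  if ( !$e )
  {
    $db->_die('The page title could not be updated.');
  }

  $e = $db->sql_query('UPDATE ' . table_prefix . 'pages SET name=\'' . $db->escape($name) . '\''
                    . ' WHERE urlname=\'' . $db->escape($page_id) . '\' AND namespace=\'' . $db->escape($namespace) . '\';');
  if ( !$e )
  {
    $db->_die('The page title could not be updated.');
  }

  $subst = array(
    'page_name_old' => $paths->pages[$pname]['name'],
    'page_name_new' => $name
  );
  return $lang->get('ajax_rename_success', $subst);
}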
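/**
 * Flushes (clears) the action logs for a given page. If the page still exists, a
 * fresh "edit" log row holding the current page text is written afterwards so a
 * restorable revision survives the purge.
 *
 * @param string $page_id   the page ID
 * @param string $namespace the namespace
 * @return string error/success string, fetched from the language layer
 */

function flushlogs($page_id, $namespace)
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  global $lang;

  if ( !is_object($lang) && defined('IN_ENANO_INSTALL') )
  {
    // This is a special exception for the Enano installer, which doesn't init languages yet.
    $lang = new Language('eng');
  }

  if ( !$session->get_permissions('clear_logs') )
  {
    return $lang->get('etc_access_denied');
  }

  // Escape the request-supplied identifiers once; every statement below uses these copies.
  $page_id_db = $db->escape($page_id);
  $namespace_db = $db->escape($namespace);

  $e = $db->sql_query('DELETE FROM ' . table_prefix . 'logs WHERE page_id=\'' . $page_id_db . '\' AND namespace=\'' . $namespace_db . '\';');
  if ( !$e )
    $db->_die('The log entries could not be deleted.');

  // If the page exists, make a backup of it in case it gets spammed/vandalized
  // If not, the admin's probably deleting a trash page
  if ( isset($paths->pages[ $paths->nslist[$namespace] . $page_id ]) )
  {
    $e = $db->sql_query('SELECT page_text,char_tag FROM ' . table_prefix . 'page_text WHERE page_id=\'' . $page_id_db . '\' AND namespace=\'' . $namespace_db . '\';');
    if ( !$e )
      $db->_die('The current page text could not be selected; as a result, creating the backup of the page failed. Please make a backup copy of the page by clicking Edit this page and then clicking Save Changes.');

    $row = $db->fetchrow();
    $db->free_result();
    // NOTE(review): if page_text holds no row for this page, $row is false and the
    // backup is written with empty text/char_tag — confirm that is acceptable.

    // Everything that originates from the database or the session is escaped
    // again on the way back in; char_tag and the username were previously raw.
    $q = 'INSERT INTO ' . table_prefix . 'logs(log_type,action,time_id,date_string,page_id,namespace,page_text,char_tag,author,edit_summary,minor_edit)'
       . ' VALUES(\'page\', \'edit\', ' . time() . ', \'' . date('d M Y h:i a') . '\', \'' . $page_id_db . '\', \'' . $namespace_db . '\', \''
       . $db->escape($row['page_text']) . '\', \'' . $db->escape($row['char_tag']) . '\', \'' . $db->escape($session->username) . '\', \''
       . 'Automatic backup created when logs were purged' . '\', false);';
    if ( !$db->sql_query($q) )
      $db->_die('The history (log) entry could not be inserted into the logs table.');
  }

  return $lang->get('ajax_clearlogs_success');
}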
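/**
 * Deletes a page: writes a "delete" log row, then removes the page's categorization,
 * comments, text, page record and file record in that order. Each failed statement
 * is fatal via $db->_die(), so a partial deletion stops at the first error.
 *
 * @param string $page_id   the condemned page ID
 * @param string $namespace the condemned namespace
 * @param string $reason    the reason for deleting the page in question; must not be blank
 * @return string error/success string
 */

function deletepage($page_id, $namespace, $reason)
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  global $lang;

  $perms = $session->fetch_page_acl($page_id, $namespace);

  // empty() is deliberate here (matches the previous behaviour): a whitespace-only
  // reason is rejected, and so is a reason consisting of a bare "0".
  $trimmed_reason = trim($reason);
  if ( empty($trimmed_reason) )
  {
    return $lang->get('ajax_delete_need_reason');
  }

  if ( !$perms->get_permissions('delete_page') )
    return 'Administrative privileges are required to delete pages, you loser.';

  // Escape the request-supplied identifiers once; every statement below uses these copies.
  $page_id_db = $db->escape($page_id);
  $namespace_db = $db->escape($namespace);

  $e = $db->sql_query('INSERT INTO ' . table_prefix . 'logs(time_id,date_string,log_type,action,page_id,namespace,author,edit_summary)'
                    . ' VALUES(' . time() . ', \'' . date('d M Y h:i a') . '\', \'page\', \'delete\', \''
                    . $page_id_db . '\', \'' . $namespace_db . '\', \'' . $db->escape($session->username) . '\', \''
                    . $db->escape(htmlspecialchars($reason)) . '\')');
  if ( !$e )
    $db->_die('The page log entry could not be inserted.');

  // Each entry is (statement, message to die with if it fails); order matters and is kept as before.
  // The files table is matched on page_id alone, as it always was.
  $deletions = array(
    array('DELETE FROM ' . table_prefix . 'categories WHERE page_id=\'' . $page_id_db . '\' AND namespace=\'' . $namespace_db . '\'',
          'The page categorization entries could not be deleted.'),
    array('DELETE FROM ' . table_prefix . 'comments WHERE page_id=\'' . $page_id_db . '\' AND namespace=\'' . $namespace_db . '\'',
          'The page comments could not be deleted.'),
    array('DELETE FROM ' . table_prefix . 'page_text WHERE page_id=\'' . $page_id_db . '\' AND namespace=\'' . $namespace_db . '\'',
          'The page text entry could not be deleted.'),
    array('DELETE FROM ' . table_prefix . 'pages WHERE urlname=\'' . $page_id_db . '\' AND namespace=\'' . $namespace_db . '\'',
          'The page entry could not be deleted.'),
    array('DELETE FROM ' . table_prefix . 'files WHERE page_id=\'' . $page_id_db . '\'',
          'The file entry could not be deleted.'),
  );
  foreach ( $deletions as $step )
  {
    list($sql, $failure_message) = $step;
    if ( !$db->sql_query($sql) )
      $db->_die($failure_message);
  }

  return $lang->get('ajax_delete_success');
}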
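/**
 * Increments the deletion votes for a page by 1, and adds the current username/IP to the
 * list of users that have voted for the page to prevent dual-voting. The vote list is
 * stored in the delvote_ips column as a serialize()d array with 'ip' and 'u' keys.
 *
 * @param string $page_id   the page ID
 * @param string $namespace the namespace
 * @return string error/success string
 */

function delvote($page_id, $namespace)
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  global $lang;

  if ( !$session->get_permissions('vote_delete') )
  {
    return $lang->get('etc_access_denied');
  }

  if ( $namespace == 'Admin' || $namespace == 'Special' || $namespace == 'System' )
  {
    return 'Special pages and system messages can\'t be voted for deletion.';
  }

  $pname = $paths->nslist[$namespace] . sanitize_page_id($page_id);

  if ( !isset($paths->pages[$pname]) )
  {
    return 'The page does not exist.';
  }

  // Taken by reference so the cached page record sees the incremented count too
  $cv =& $paths->pages[$pname]['delvotes'];

  $empty_votes = array(
    'ip' => array(),
    'u' => array()
  );

  // NOTE(review): delvote_ips is unserialize()d here. It is written only by this
  // method and resetdelvotes() via serialize(), but it is still database-sourced
  // data; anything that does not decode to an array with both keys is treated
  // as an empty vote list rather than used as-is.
  $stored = $paths->pages[$pname]['delvote_ips'];
  $ips = empty($stored) ? false : @unserialize($stored);
  if ( !is_array($ips) || !isset($ips['ip']) || !isset($ips['u']) )
  {
    $ips = $empty_votes;
  }

  if ( in_array($session->username, $ips['u'], true) || in_array($_SERVER['REMOTE_ADDR'], $ips['ip'], true) )
  {
    return $lang->get('ajax_delvote_already_voted');
  }

  $ips['u'][] = $session->username;
  $ips['ip'][] = $_SERVER['REMOTE_ADDR'];
  $ips = $db->escape( serialize($ips) );

  $cv++;

  // The page ID and namespace come straight from the request and were previously interpolated raw
  $q = 'UPDATE ' . table_prefix . 'pages SET delvotes=' . intval($cv) . ',delvote_ips=\'' . $ips . '\''
     . ' WHERE urlname=\'' . $db->escape($page_id) . '\' AND namespace=\'' . $db->escape($namespace) . '\'';
  $w = $db->sql_query($q);
  // A failed UPDATE used to be reported as success; fail loudly like resetdelvotes() does
  if ( !$w )
    $db->_die('The delete vote could not be recorded.');

  return $lang->get('ajax_delvote_success');
}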
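/**
 * Resets the number of votes against a page to 0 and empties the stored voter list
 * (delvote_ips is rewritten as a serialize()d array with empty 'ip' and 'u' lists).
 *
 * @param string $page_id   the page ID
 * @param string $namespace the namespace
 * @return string error/success string
 */

function resetdelvotes($page_id, $namespace)
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  global $lang;

  if ( !$session->get_permissions('vote_reset') )
  {
    return $lang->get('etc_access_denied');
  }

  // Same empty structure delvote() starts from when no votes are recorded yet
  $blank_votes = $db->escape(serialize(array('ip' => array(), 'u' => array())));

  // The page ID and namespace come straight from the request and were previously interpolated raw
  $q = 'UPDATE ' . table_prefix . 'pages SET delvotes=0,delvote_ips=\'' . $blank_votes . '\''
     . ' WHERE urlname=\'' . $db->escape($page_id) . '\' AND namespace=\'' . $db->escape($namespace) . '\'';
  $e = $db->sql_query($q);
  if ( !$e )
  {
    $db->_die('The number of delete votes was not reset.');
  }
  else
  {
    return $lang->get('ajax_delvote_reset_success');
  }
}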
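/**
 * Gets a list of styles for a given theme name. As of Banshee, this returns JSON.
 * The theme directory name is read from $_GET['id'] (there is no parameter);
 * it must match ^[a-z0-9_-]+$, which keeps it from naming anything outside
 * the themes directory.
 *
 * @return string JSON: false when the id is missing or malformed; an object
 *                with 'mode' => 'error' when the theme has no css directory;
 *                otherwise a list of stylesheet names without the .css suffix
 */

function getstyles()
{
  $json = new Services_JSON(SERVICES_JSON_LOOSE_TYPE);
  
  // Reject a missing or non-string id as well as a malformed one (previously
  // $_GET['id'] was read unconditionally). The D modifier keeps $ from
  // accepting a trailing newline.
  if ( !isset($_GET['id']) || !is_string($_GET['id']) || !preg_match('/^([a-z0-9_-]+)$/D', $_GET['id']) )
  {
    return $json->encode(false);
  }
  
  $dir = './themes/' . $_GET['id'] . '/css/';
  
  if ( !is_dir($dir) )
  {
    return $json->encode(Array('mode' => 'error', 'error' => $dir . ' is not a dir'));
  }
  
  $list = Array();
  $dh = opendir($dir);
  if ( $dh )
  {
    while ( ($file = readdir($dh)) !== false )
    {
      // _printable.css ships with every theme as a mostly black-and-white copy
      // of the main style, so it is not offered as a selectable style.
      if ( preg_match('#^(.*?)\.css$#is', $file) && $file != '_printable.css' )
      {
        $list[] = substr($file, 0, strlen($file) - 4);
      }
    }
    closedir($dh);
  }
  // NOTE(review): a failed opendir() still yields an empty list, as it always did.
  
  return $json->encode($list);
}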
/**
 * Assembles a Javascript app with category information
 * The script part of catedit_raw() is emitted first; the HTML part is
 * URL-encoded and injected into #ajaxEditContainer client-side.
 * @param $page_id the page ID
 * @param $namespace the namespace
 * @return string Javascript code
 */

function catedit($page_id, $namespace)
{
  list($script, $html) = PageUtils::catedit_raw($page_id, $namespace);
  $payload = rawurlencode($html);
  return $script . ' /* BEGIN CONTENT */ document.getElementById("ajaxEditContainer").innerHTML = unescape(\'' . $payload . '\');';
}
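/**
 * Does the actual HTML/javascript generation for cat editing, but returns an array
 * Element 0 is Javascript that fills the client-side "catlist" array (captured
 * from echo via output buffering); element 1 is the XHTML category form.
 *
 * NOTE: the membership query is keyed on the *current* page ($paths->cpage),
 * while $page_id/$namespace are only used for the form action URL.
 *
 * @param string $page_id   the page ID (form action only)
 * @param string $namespace the namespace (form action only)
 * @return array array($javascript, $html)
 * @access private
 */

function catedit_raw($page_id, $namespace)
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  global $lang;
  
  ob_start();
  $_ob = '';
  
  // Escape the page identifiers as acl_editor() does; report DB errors through
  // the db layer rather than mysql_error().
  $e = $db->sql_query('SELECT category_id FROM ' . table_prefix . 'categories WHERE page_id=\'' . $db->escape($paths->cpage['urlname_nons']) . '\' AND namespace=\'' . $db->escape($paths->namespace) . '\'');
  if ( !$e )
  {
    jsdie('Error selecting category information for current page: ' . $db->get_error());
  }
  $cat_current = Array();
  while ( $r = $db->fetchrow() )
  {
    $cat_current[] = $r;
  }
  $db->free_result();
  
  // $paths->pages appears to hold each page twice (numeric index and name key),
  // hence the "/ 2" bound on the numeric loop.
  $cat_all = Array();
  for ( $i = 0; $i < sizeof($paths->pages) / 2; $i++ )
  {
    if ( $paths->pages[$i]['namespace'] == 'Category' )
    {
      $cat_all[] = $paths->pages[$i];
    }
  }
  
  // Make $cat_all an associative array, like $paths->pages
  $sz = sizeof($cat_all);
  for ( $i = 0; $i < $sz; $i++ )
  {
    $cat_all[$cat_all[$i]['urlname_nons']] = $cat_all[$i];
  }
  
  // "Zipper": flag every category the current page is a member of. category_id
  // is expected to be a category urlname_nons, i.e. one of the string keys.
  $cat_info = $cat_all;
  for ( $i = 0; $i < sizeof($cat_current); $i++ )
  {
    $un = $cat_current[$i]['category_id'];
    $cat_info[$un]['member'] = true;
  }
  // Copy the member flag back into the numerically keyed duplicates
  for ( $i = 0; $i < sizeof($cat_info) / 2; $i++ )
  {
    $un = $cat_info[$i]['urlname_nons'];
    $cat_info[$i] = $cat_info[$un];
  }
  
  echo 'catlist = new Array();'; // Initialize the client-side category list
  $_ob .= '<h3>' . $lang->get('catedit_title') . '</h3>
  <form name="mdgCatForm" action="' . makeUrlNS($namespace, $page_id, 'do=catedit') . '" method="post">';
  if ( sizeof($cat_info) < 1 )
  {
    $_ob .= '<p>' . $lang->get('catedit_no_categories') . '</p>';
  }
  for ( $i = 0; $i < sizeof($cat_info) / 2; $i++ )
  {
    // A checkbox is disabled when the user may not edit categories at all, may
    // not edit this particular category, or the category is protected and the
    // user lacks even_when_protected.
    $is_prot = false;
    $perms = $session->fetch_page_acl($cat_info[$i]['urlname_nons'], 'Category');
    if ( !$session->get_permissions('edit_cat') || !$perms->get_permissions('edit_cat') ||
        ( $cat_info[$i]['really_protected'] && !$perms->get_permissions('even_when_protected') ) )
    {
      $is_prot = true;
    }
    $prot = ( $is_prot ) ? ' disabled="disabled" ' : '';
    $prottext = ( $is_prot ) ? ' <img alt="(protected)" width="16" height="16" src="' . scriptPath . '/images/lock16.png" />' : '';
    // urlname_nons is written into JS and HTML attributes unescaped; it is
    // presumed to be a sanitized URL name -- verify against the page list code.
    echo 'catlist[' . $i . '] = \'' . $cat_info[$i]['urlname_nons'] . '\';';
    $_ob .= '<span class="catCheck"><input ' . $prot . ' name="' . $cat_info[$i]['urlname_nons'] . '" id="mdgCat_' . $cat_info[$i]['urlname_nons'] . '" type="checkbox"';
    if ( isset($cat_info[$i]['member']) )
    {
      $_ob .= ' checked="checked"';
    }
    $_ob .= '/> <label for="mdgCat_' . $cat_info[$i]['urlname_nons'] . '">' . $cat_info[$i]['name'] . $prottext . '</label></span><br />';
  }
  
  $disabled = ( sizeof($cat_info) < 1 ) ? 'disabled="disabled"' : '';
  
  $_ob .= '<div style="border-top: 1px solid #CCC; padding-top: 5px; margin-top: 10px;"><input name="__enanoSaveButton" ' . $disabled . ' style="font-weight: bold;" type="submit" onclick="ajaxCatSave(); return false;" value="' . $lang->get('etc_save_changes') . '" /> <input name="__enanoCatCancel" type="submit" onclick="ajaxReset(); return false;" value="' . $lang->get('etc_cancel') . '" /></div></form>';
  
  $cont = ob_get_contents();
  ob_end_clean();
  return Array($cont, $_ob);
}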
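/**
 * Saves category information
 * WARNING: If $which_cats is empty, all the category information for the selected page will be nuked!
 *
 * Categories the user may not change keep their current membership; the rest
 * follow $which_cats. The page's rows are then deleted and re-inserted. No
 * transaction is used, so a failed INSERT after the DELETE leaves the page
 * uncategorised until the next save.
 *
 * @param $page_id string the page ID
 * @param $namespace string the namespace
 * @param $which_cats array associative array of categories to put the page in
 * @return string "GOOD" on success, error string on failure
 */

function catsave($page_id, $namespace, $which_cats)
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  if ( !$session->get_permissions('edit_cat') )
  {
    return('Insufficient privileges to change category information');
  }
  
  $page_perms = $session->fetch_page_acl($page_id, $namespace);
  $page_data =& $paths->pages[$paths->nslist[$namespace] . $page_id];
  
  // Escaped copies for SQL; the raw values are still used for ACL lookups.
  $page_id_db = $db->escape($page_id);
  $namespace_db = $db->escape($namespace);
  
  // $paths->pages appears to hold each page twice (numeric index and name key),
  // hence the "/ 2" bound on the numeric loop.
  $cat_all = Array();
  for ( $i = 0; $i < sizeof($paths->pages) / 2; $i++ )
  {
    if ( $paths->pages[$i]['namespace'] == 'Category' )
    {
      $cat_all[] = $paths->pages[$i];
    }
  }
  
  // Make $cat_all an associative array, like $paths->pages
  $sz = sizeof($cat_all);
  for ( $i = 0; $i < $sz; $i++ )
  {
    $cat_all[$cat_all[$i]['urlname_nons']] = $cat_all[$i];
  }
  
  $rowlist = Array();
  
  for ( $i = 0; $i < sizeof($cat_all) / 2; $i++ )
  {
    $cat_id = $cat_all[$i]['urlname_nons'];
    $auth = true;
    $perms = $session->fetch_page_acl($cat_id, 'Category');
    if ( !$session->get_permissions('edit_cat') || !$perms->get_permissions('edit_cat') ||
        ( $cat_all[$i]['really_protected'] && !$perms->get_permissions('even_when_protected') ) ||
        ( !$page_perms->get_permissions('even_when_protected') && $page_data['protected'] == '1' ) )
    {
      $auth = false;
    }
    if ( !$auth )
    {
      // Find out if the page is currently in *this* category. The old query had
      // no category_id condition, so membership in any category pinned every
      // unauthorised category to "member".
      $q = $db->sql_query('SELECT * FROM ' . table_prefix . 'categories WHERE page_id=\'' . $page_id_db . '\' AND namespace=\'' . $namespace_db . '\' AND category_id=\'' . $db->escape($cat_id) . '\';');
      if ( !$q )
      {
        return 'MySQL error: ' . $db->get_error();
      }
      if ( $db->numrows() > 0 )
      {
        $auth = true;
        $which_cats[$cat_id] = true; // Force the category to stay in its current state
      }
      $db->free_result();
    }
    if ( $auth && isset($which_cats[$cat_id]) && $which_cats[$cat_id] == true /* for clarity ;-) */ )
    {
      $rowlist[] = '(\'' . $page_id_db . '\', \'' . $namespace_db . '\', \'' . $db->escape($cat_id) . '\')';
    }
  }
  
  // Replace the page's category rows wholesale
  $e = $db->sql_query('DELETE FROM ' . table_prefix . 'categories WHERE page_id=\'' . $page_id_db . '\' AND namespace=\'' . $namespace_db . '\';');
  if ( !$e )
  {
    $db->_die('The old category data could not be deleted.');
  }
  if ( sizeof($rowlist) > 0 )
  {
    $val = implode(',', $rowlist);
    $q = 'INSERT INTO ' . table_prefix . 'categories(page_id,namespace,category_id) VALUES' . $val . ';';
    $e = $db->sql_query($q);
    if ( !$e )
    {
      $db->_die('The new category data could not be inserted.');
    }
  }
  return('GOOD');
}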
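/**
 * Sets the wiki mode level for a page.
 * @param $page_id string the page ID
 * @param $namespace string the namespace
 * @param $level int 0 for off, 1 for on, 2 for use global setting
 * @return string "GOOD" on success, error string on failure
 */

function setwikimode($page_id, $namespace, $level)
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  if ( !$session->get_permissions('set_wiki_mode') )
  {
    return('Insufficient access rights');
  }
  // Only a single digit 0-2 is valid; the D modifier keeps $ from accepting a
  // trailing newline, and the int cast makes the unquoted SQL value a plain number.
  if ( !isset($level) || !preg_match('#^[0-2]$#D', (string)$level) )
  {
    return('Invalid mode string');
  }
  $level = (int)$level;
  $q = $db->sql_query('UPDATE ' . table_prefix . 'pages SET wiki_mode=' . $level . ' WHERE urlname=\'' . $db->escape($page_id) . '\' AND namespace=\'' . $db->escape($namespace) . '\';');
  if ( !$q )
  {
    return('Error during update query: ' . $db->get_error() . "\n\nSQL Backtrace:\n" . $db->sql_backtrace());
  }
  return('GOOD');
}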
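/**
 * Sets the access password for a page.
 * @param $page_id string the page ID
 * @param $namespace string the namespace
 * @param $pass string the SHA1 hash of the password - if the value is not exactly 40 lowercase hex digits (^[0-9a-f]{40}$) it will be sha1'ed
 * @return string localized status message; access denied when the caller lacks password_set / password_reset
 */

function setpass($page_id, $namespace, $pass)
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  global $lang;
  // Determine permissions: replacing an existing password needs password_reset,
  // setting one on an unprotected page needs password_set
  if ( $paths->pages[$paths->nslist[$namespace] . $page_id]['password'] != '' )
  {
    $a = $session->get_permissions('password_reset');
  }
  else
  {
    $a = $session->get_permissions('password_set');
  }
  if ( !$a )
  {
    return $lang->get('etc_access_denied');
  }
  if ( !isset($pass) )
  {
    return('Password was not set on URL');
  }
  $p = $pass;
  // Anchored match: the previous pattern was unanchored, so any string that
  // merely *contained* 40 hex digits was stored verbatim. Only an exact hex
  // SHA-1 digest is accepted as-is; everything else is hashed here. The hash
  // scheme has to stay in step with wherever the page password is checked.
  if ( !preg_match('#^[0-9a-f]{40}$#D', $p) )
  {
    $p = sha1($p);
  }
  if ( $p == 'da39a3ee5e6b4b0d3255bfef95601890afd80709' )
  {
    // sha1('') = da39a3ee5e6b4b0d3255bfef95601890afd80709 -- a blank password disables protection
    $p = '';
  }
  // Escape every interpolated value, as acl_editor() does.
  $e = $db->sql_query('UPDATE ' . table_prefix . 'pages SET password=\'' . $db->escape($p) . '\' WHERE urlname=\'' . $db->escape($page_id) . '\' AND namespace=\'' . $db->escape($namespace) . '\';');
  if ( !$e )
  {
    die('PageUtils::setpass(): Error during update query: ' . $db->get_error() . "\n\nSQL Backtrace:\n" . $db->sql_backtrace());
  }
  // Is the new password blank?
  if ( $p == '' )
  {
    return $lang->get('ajax_password_disable_success');
  }
  return $lang->get('ajax_password_success');
}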
/**
 * Generates some preview HTML
 * The wikitext is rendered, the result is run through eval() with output
 * buffering, and the captured output is wrapped in a scrollable box behind
 * the localized preview blurb.
 * @param $text string the wikitext to use
 * @return string
 */

function genPreview($text)
{
  global $lang;
  $box_style = 'background-color: #F8F8F8; padding: 10px; border: 1px dashed #406080; max-height: 250px; overflow: auto; margin: 1em 0 1em 1em;';
  $blurb = '<div class="info-box">' . $lang->get('editor_preview_blurb') . '</div>';
  
  // eval() executes any PHP present in the renderer's output; RenderMan is
  // presumed to neutralise user-supplied code before this point -- verify there.
  $rendered = RenderMan::render(RenderMan::preprocess_text($text, false, false));
  ob_start();
  eval('?>' . $rendered);
  $html = ob_get_clean();
  
  return $blurb . '<div style="' . $box_style . '">' . $html . '</div>';
}
/**
 * Makes a scrollable box
 * @param string $text the inner HTML (inserted as-is, not escaped)
 * @param int $height Optional - the maximum height in pixels, coerced to int. Defaults to 250.
 * @return string
 */

function scrollBox($text, $height = 250)
{
  $max_height = (int)$height;
  $style = 'background-color: #F8F8F8; padding: 10px; border: 1px dashed #406080; max-height: ' . $max_height . 'px; overflow: auto; margin: 1em 0 1em 1em;';
  return '<div style="' . $style . '">' . $text . '</div>';
}
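/**
 * Generates a diff summary between two page revisions.
 * @param $page_id the page ID
 * @param $namespace the namespace
 * @param $id1 the time ID of the first revision (digits only)
 * @param $id2 the time ID of the second revision (digits only)
 * @return string XHTML-formatted diff, or an error / access-denied message
 */

function pagediff($page_id, $namespace, $id1, $id2)
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  global $lang;
  if ( !$session->get_permissions('history_view') )
  {
    return $lang->get('etc_access_denied');
  }
  // The time IDs are interpolated unquoted into SQL, so they must be pure digits
  if ( !preg_match('#^([0-9]+)$#D', (string)$id1) || !preg_match('#^([0-9]+)$#D', (string)$id2) )
  {
    return 'SQL injection attempt';
  }
  $page_id_db = $db->escape($page_id);
  $namespace_db = $db->escape($namespace);
  // Safest way to make sure we don't end up with the revisions in wrong columns is to make 2 queries
  $sql_base = 'SELECT page_text,char_tag,author,edit_summary FROM ' . table_prefix . 'logs WHERE log_type=\'page\' AND action=\'edit\' AND page_id=\'' . $page_id_db . '\' AND namespace=\'' . $namespace_db . '\' AND time_id=';
  
  $q1 = $db->sql_query($sql_base . $id1 . ';');
  if ( !$q1 )
  {
    return 'MySQL error: ' . $db->get_error();
  }
  $row1 = $db->fetchrow($q1);
  $db->free_result($q1);
  
  $q2 = $db->sql_query($sql_base . $id2 . ';');
  if ( !$q2 )
  {
    return 'MySQL error: ' . $db->get_error();
  }
  $row2 = $db->fetchrow($q2);
  $db->free_result($q2);
  
  // fetchrow() presumably yields a non-array when nothing matched; the previous
  // sizeof() checks (< 1 and < 2) could not detect that case.
  if ( !is_array($row1) || !is_array($row2) || !isset($row1['page_text']) || !isset($row2['page_text']) )
  {
    return 'Couldn\'t find any rows that matched the query. The time ID probably doesn\'t exist in the logs table.';
  }
  $text1 = $row1['page_text'];
  $text2 = $row2['page_text'];
  $time1 = date('F d, Y h:i a', $id1);
  $time2 = date('F d, Y h:i a', $id2);
  $_ob = "
  <p>" . $lang->get('history_lbl_comparingrevisions') . " {$time1} → {$time2}</p>
  ";
  // Free some memory
  unset($row1, $row2, $q1, $q2);
  
  $_ob .= RenderMan::diff($text1, $text2);
  return $_ob;
}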
/** |
* Gets ACL information about the selected page for target type X and target ID Y. |
* @param array $parms What to select. This is an array purely for JSON compatibility. It should be an associative array with keys target_type and target_id. |
* @return array |
*/ |
function acl_editor($parms = Array()) |
{ |
global $db, $session, $paths, $template, $plugins; // Common objects |
global $lang; |
if(!$session->get_permissions('edit_acl') && $session->user_level < USER_LEVEL_ADMIN) |
{ |
return Array( |
'mode' => 'error', |
'error' => $lang->get('acl_err_access_denied') |
); |
} |
$parms['page_id'] = ( isset($parms['page_id']) ) ? $parms['page_id'] : false; |
$parms['namespace'] = ( isset($parms['namespace']) ) ? $parms['namespace'] : false; |
$page_id =& $parms['page_id']; |
$namespace =& $parms['namespace']; |
$page_where_clause = ( empty($page_id) || empty($namespace) ) ? 'AND a.page_id IS NULL AND a.namespace IS NULL' : 'AND a.page_id=\'' . $db->escape($page_id) . '\' AND a.namespace=\'' . $db->escape($namespace) . '\''; |
$page_where_clause_lite = ( empty($page_id) || empty($namespace) ) ? 'AND page_id IS NULL AND namespace IS NULL' : 'AND page_id=\'' . $db->escape($page_id) . '\' AND namespace=\'' . $db->escape($namespace) . '\''; |
//die(print_r($page_id,true)); |
$template->load_theme(); |
// $perms_obj = $session->fetch_page_acl($page_id, $namespace); |
|
1962 |
$perms_obj =& $session; |
|
1963 |
$return = Array(); |
|
1964 |
if ( !file_exists(ENANO_ROOT . '/themes/' . $session->theme . '/acledit.tpl') ) |
|
1965 |
{ |
|
1966 |
return Array( |
|
1967 |
'mode' => 'error', |
|
218 | 1968 |
'error' => $lang->get('acl_err_missing_template'), |
1 | 1969 |
); |
1970 |
} |
|
1971 |
$return['template'] = $template->extract_vars('acledit.tpl'); |
|
1972 |
$return['page_id'] = $page_id; |
|
1973 |
$return['namespace'] = $namespace; |
|
1974 |
if(isset($parms['mode'])) |
|
1975 |
{ |
|
1976 |
switch($parms['mode']) |
|
1977 |
{ |
|
1978 |
case 'listgroups': |
|
1979 |
$return['groups'] = Array(); |
$q = $db->sql_query('SELECT group_id,group_name FROM ' . table_prefix.'groups ORDER BY group_name ASC;'); |
1 | 1981 |
while($row = $db->fetchrow()) |
1982 |
{ |
|
1983 |
$return['groups'][] = Array( |
|
1984 |
'id' => $row['group_id'], |
|
1985 |
'name' => $row['group_name'], |
|
1986 |
); |
|
1987 |
} |
|
1988 |
$db->free_result(); |
$return['page_groups'] = Array(); |
$q = $db->sql_query('SELECT pg_id,pg_name FROM ' . table_prefix.'page_groups ORDER BY pg_name ASC;'); |
if ( !$q ) |
return Array( |
'mode' => 'error', |
'error' => $db->get_error() |
); |
while ( $row = $db->fetchrow() ) |
{ |
$return['page_groups'][] = Array( |
'id' => $row['pg_id'], |
'name' => $row['pg_name'] |
); |
} |
1 | 2003 |
break; |
2004 |
case 'seltarget': |
|
2005 |
$return['mode'] = 'seltarget'; |
|
2006 |
$return['acl_types'] = $perms_obj->acl_types; |
|
2007 |
$return['acl_deps'] = $perms_obj->acl_deps; |
|
2008 |
$return['acl_descs'] = $perms_obj->acl_descs; |
|
2009 |
$return['target_type'] = $parms['target_type']; |
|
2010 |
$return['target_id'] = $parms['target_id']; |
|
2011 |
switch($parms['target_type']) |
|
2012 |
{ |
|
2013 |
case ACL_TYPE_USER: |
$q = $db->sql_query('SELECT a.rules,u.user_id FROM ' . table_prefix.'users AS u |
LEFT JOIN ' . table_prefix.'acl AS a |
1 | 2016 |
ON a.target_id=u.user_id |
2017 |
WHERE a.target_type='.ACL_TYPE_USER.' |
AND u.username=\'' . $db->escape($parms['target_id']) . '\' |
' . $page_where_clause . ';'); |
1 | 2020 |
if(!$q) |
2021 |
return(Array('mode'=>'error','error'=>mysql_error())); |
|
2022 |
if($db->numrows() < 1) |
|
2023 |
{ |
|
2024 |
$return['type'] = 'new'; |
$q = $db->sql_query('SELECT user_id FROM ' . table_prefix.'users WHERE username=\'' . $db->escape($parms['target_id']) . '\';'); |
1 | 2026 |
if(!$q) |
2027 |
return(Array('mode'=>'error','error'=>mysql_error())); |
|
2028 |
if($db->numrows() < 1) |
|
218 | 2029 |
return Array('mode'=>'error','error'=>$lang->get('acl_err_user_not_found')); |
1 | 2030 |
$row = $db->fetchrow(); |
2031 |
$return['target_name'] = $return['target_id']; |
|
2032 |
$return['target_id'] = intval($row['user_id']); |
|
2033 |
$return['current_perms'] = $session->acl_types; |
|
2034 |
} |
|
2035 |
else |
|
2036 |
{ |
|
2037 |
$return['type'] = 'edit'; |
|
2038 |
$row = $db->fetchrow(); |
|
2039 |
$return['target_name'] = $return['target_id']; |
|
2040 |
$return['target_id'] = intval($row['user_id']); |
|
2041 |
$return['current_perms'] = $session->acl_merge($perms_obj->acl_types, $session->string_to_perm($row['rules'])); |
|
2042 |
} |
|
2043 |
$db->free_result(); |
|
2044 |
// Eliminate types that don't apply to this namespace |
if ( $namespace && $namespace != '__PageGroup' ) |
1 | 2046 |
{ |
2047 |
foreach ( $return['current_perms'] AS $i => $perm ) |
|
2048 |
{ |
|
2049 |
if ( ( $page_id != null && $namespace != null ) && ( !in_array ( $namespace, $session->acl_scope[$i] ) && !in_array('All', $session->acl_scope[$i]) ) ) |
|
2050 |
{ |
|
2051 |
// echo "// SCOPE CONTROL: eliminating: $i\n"; |
|
2052 |
unset($return['current_perms'][$i]); |
|
2053 |
unset($return['acl_types'][$i]); |
|
2054 |
unset($return['acl_descs'][$i]); |
|
2055 |
unset($return['acl_deps'][$i]); |
|
2056 |
} |
|
2057 |
} |
|
2058 |
} |
|
2059 |
break; |
|
2060 |
case ACL_TYPE_GROUP: |
$q = $db->sql_query('SELECT a.rules,g.group_name,g.group_id FROM ' . table_prefix.'groups AS g |
LEFT JOIN ' . table_prefix.'acl AS a |
1 | 2063 |
ON a.target_id=g.group_id |
2064 |
WHERE a.target_type='.ACL_TYPE_GROUP.' |
|
2065 |
AND g.group_id=\''.intval($parms['target_id']).'\' |
' . $page_where_clause . ';'); |
1 | 2067 |
if(!$q) |
2068 |
return(Array('mode'=>'error','error'=>mysql_error())); |
|
2069 |
if($db->numrows() < 1) |
|
2070 |
{ |
|
2071 |
$return['type'] = 'new'; |
$q = $db->sql_query('SELECT group_id,group_name FROM ' . table_prefix.'groups WHERE group_id=\''.intval($parms['target_id']).'\';'); |
1 | 2073 |
if(!$q) |
2074 |
return(Array('mode'=>'error','error'=>mysql_error())); |
|
2075 |
if($db->numrows() < 1) |
|
218 | 2076 |
return Array('mode'=>'error','error'=>$lang->get('acl_err_bad_group_id')); |
1 | 2077 |
$row = $db->fetchrow(); |
2078 |
$return['target_name'] = $row['group_name']; |
|
2079 |
$return['target_id'] = intval($row['group_id']); |
|
2080 |
$return['current_perms'] = $session->acl_types; |
|
2081 |
} |
|
2082 |
else |
|
2083 |
{ |
|
2084 |
$return['type'] = 'edit'; |
|
2085 |
$row = $db->fetchrow(); |
|
2086 |
$return['target_name'] = $row['group_name']; |
|
2087 |
$return['target_id'] = intval($row['group_id']); |
|
2088 |
$return['current_perms'] = $session->acl_merge($session->acl_types, $session->string_to_perm($row['rules'])); |
|
2089 |
} |
|
2090 |
$db->free_result(); |
|
2091 |
// Eliminate types that don't apply to this namespace |
if ( $namespace && $namespace != '__PageGroup' ) |
1 | 2093 |
{ |
2094 |
foreach ( $return['current_perms'] AS $i => $perm ) |
|
2095 |
{ |
|
2096 |
if ( ( $page_id != false && $namespace != false ) && ( !in_array ( $namespace, $session->acl_scope[$i] ) && !in_array('All', $session->acl_scope[$i]) ) ) |
|
2097 |
{ |
|
2098 |
// echo "// SCOPE CONTROL: eliminating: $i\n"; //; ".print_r($namespace,true).":".print_r($page_id,true)."\n"; |
|
2099 |
unset($return['current_perms'][$i]); |
|
2100 |
unset($return['acl_types'][$i]); |
|
2101 |
unset($return['acl_descs'][$i]); |
|
2102 |
unset($return['acl_deps'][$i]); |
|
2103 |
} |
|
2104 |
} |
|
2105 |
} |
|
2106 |
//return Array('mode'=>'debug','text'=>print_r($return, true)); |
|
2107 |
break; |
|
2108 |
default: |
|
2109 |
return Array('mode'=>'error','error','Invalid ACL type ID'); |
|
2110 |
break; |
|
2111 |
} |
|
2112 |
return $return; |
|
2113 |
break; |
|
2114 |
case 'save_new': |
|
2115 |
case 'save_edit': |
if ( defined('ENANO_DEMO_MODE') ) |
{ |
218 | 2118 |
return Array('mode'=>'error','error'=>$lang->get('acl_err_demo')); |
} |
$q = $db->sql_query('DELETE FROM ' . table_prefix.'acl WHERE target_type='.intval($parms['target_type']).' AND target_id='.intval($parms['target_id']).' |
' . $page_where_clause_lite . ';'); |
1 | 2122 |
if(!$q) |
2123 |
return Array('mode'=>'error','error'=>mysql_error()); |
|
2124 |
$rules = $session->perm_to_string($parms['perms']); |
|
2125 |
if ( sizeof ( $rules ) < 1 ) |
|
2126 |
{ |
|
2127 |
return array( |
|
2128 |
'mode' => 'error', |
|
218 | 2129 |
'error' => $lang->get('acl_err_zero_list') |
1 | 2130 |
); |
2131 |
} |
$q = ($page_id && $namespace) ? 'INSERT INTO ' . table_prefix.'acl ( target_type, target_id, page_id, namespace, rules ) |
VALUES( '.intval($parms['target_type']).', '.intval($parms['target_id']).', \'' . $db->escape($page_id) . '\', \'' . $db->escape($namespace) . '\', \'' . $db->escape($rules) . '\' )' : |
'INSERT INTO ' . table_prefix.'acl ( target_type, target_id, rules ) |
VALUES( '.intval($parms['target_type']).', '.intval($parms['target_id']).', \'' . $db->escape($rules) . '\' )'; |
1 | 2136 |
if(!$db->sql_query($q)) return Array('mode'=>'error','error'=>mysql_error()); |
2137 |
return Array( |
|
2138 |
'mode' => 'success', |
|
2139 |
'target_type' => $parms['target_type'], |
|
2140 |
'target_id' => $parms['target_id'], |
|
2141 |
'target_name' => $parms['target_name'], |
|
2142 |
'page_id' => $page_id, |
|
2143 |
'namespace' => $namespace, |
|
2144 |
); |
|
2145 |
break; |
|
2146 |
case 'delete': |
if ( defined('ENANO_DEMO_MODE') ) |
{ |
218 | 2149 |
return Array('mode'=>'error','error'=>$lang->get('acl_err_demo')); |
} |
$q = $db->sql_query('DELETE FROM ' . table_prefix.'acl WHERE target_type='.intval($parms['target_type']).' AND target_id='.intval($parms['target_id']).' |
' . $page_where_clause_lite . ';'); |
1 | 2153 |
if(!$q) |
2154 |
return Array('mode'=>'error','error'=>mysql_error()); |
|
2155 |
return Array( |
|
2156 |
'mode' => 'delete', |
|
2157 |
'target_type' => $parms['target_type'], |
|
2158 |
'target_id' => $parms['target_id'], |
|
2159 |
'target_name' => $parms['target_name'], |
|
2160 |
'page_id' => $page_id, |
|
2161 |
'namespace' => $namespace, |
|
2162 |
); |
|
2163 |
break; |
|
2164 |
default: |
|
2165 |
return Array('mode'=>'error','error'=>'Hacking attempt'); |
|
2166 |
break; |
|
2167 |
} |
|
2168 |
} |
|
2169 |
return $return; |
|
2170 |
} |
/**
 * JSON wrapper around PageUtils::acl_editor(): takes the request parameters as a
 * JSON string and hands back the editor's response encoded as a JSON string.
 * @param string $parms JSON object carrying the same keys PageUtils::acl_editor() accepts
 * @return string JSON-encoded response array from PageUtils::acl_editor()
 */

function acl_json($parms = '{ }')
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  // Loose typing makes decode() yield associative arrays rather than objects,
  // which is the shape acl_editor() indexes into.
  $codec = new Services_JSON(SERVICES_JSON_LOOSE_TYPE);
  $request = $codec->decode($parms);
  return $codec->encode(PageUtils::acl_editor($request));
}
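/**
 * A non-Javascript frontend for the ACL API. Runs the posted form data through
 * PageUtils::acl_preprocess(), feeds it to PageUtils::acl_editor() and renders the
 * response as an HTML page wrapped in the theme header and footer.
 * @param array $parms The request data, if any, in the format required by PageUtils::acl_editor()
 * @return void Output is echoed; an API error hands off to die_friendly() instead.
 */

function aclmanager($parms)
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  global $lang;
  // Buffer everything so the theme header/footer can be wrapped around it at the end.
  ob_start();
  // Convenience
  $formstart = '<form
    action="' . makeUrl($paths->page, 'do=aclmanager', true) . '"
    method="post" enctype="multipart/form-data"
    onsubmit="if(!submitAuthorized) return false;"
    >';
  $formend = '</form>';
  $parms = PageUtils::acl_preprocess($parms);
  $response = PageUtils::acl_editor($parms);
  $response = PageUtils::acl_postprocess($response);

  // acl_editor() echoes target_type, target_id, target_name, page_id and namespace
  // back from the request, so they are user-controlled. Every place below that puts
  // one of them into an HTML attribute uses the escaped copy.
  $safe = array();
  foreach ( array('target_type', 'target_id', 'target_name', 'page_id', 'namespace') as $key )
  {
    $safe[$key] = isset($response[$key]) ? htmlspecialchars($response[$key]) : '';
  }

  switch($response['mode'])
  {
    case 'debug':
      echo '<pre>' . htmlspecialchars($response['text']) . '</pre>';
      break;
    case 'stage1':
      echo '<h3>' . $lang->get('acl_lbl_welcome_title') . '</h3>
            <p>' . $lang->get('acl_lbl_welcome_body') . '</p>';
      echo $formstart;
      echo '<p><label><input type="radio" name="data[target_type]" value="' . ACL_TYPE_GROUP . '" checked="checked" /> ' . $lang->get('acl_radio_usergroup') . '</label></p>
            <p><select name="data[target_id_grp]">';
      foreach ( $response['groups'] as $group )
      {
        // group names are escaped the same way page group names are below
        echo '<option value="' . htmlspecialchars($group['id']) . '">' . htmlspecialchars($group['name']) . '</option>';
      }

      // page group selector, only offered when at least one page group exists
      $groupsel = '';
      if ( count($response['page_groups']) > 0 )
      {
        $groupsel = '<p><label><input type="radio" name="data[scope]" value="page_group" /> ' . $lang->get('acl_radio_scope_pagegroup') . '</label></p>
            <p><select name="data[pg_id]">';
        foreach ( $response['page_groups'] as $grp )
        {
          $groupsel .= '<option value="' . htmlspecialchars($grp['id']) . '">' . htmlspecialchars($grp['name']) . '</option>';
        }
        $groupsel .= '</select></p>';
      }

      echo '</select></p>
            <p><label><input type="radio" name="data[target_type]" value="' . ACL_TYPE_USER . '" /> ' . $lang->get('acl_radio_user') . '</label></p>
            <p>' . $template->username_field('data[target_id_user]') . '</p>
            <p>' . $lang->get('acl_lbl_scope') . '</p>
            <p><label><input name="data[scope]" value="only_this" type="radio" checked="checked" /> ' . $lang->get('acl_radio_scope_thispage') . '</label></p>
            ' . $groupsel . '
            <p><label><input name="data[scope]" value="entire_site" type="radio" /> ' . $lang->get('acl_radio_scope_wholesite') . '</label></p>
            <div style="margin: 0 auto 0 0; text-align: right;">
              <input name="data[mode]" value="seltarget" type="hidden" />
              <input type="hidden" name="data[page_id]" value="' . htmlspecialchars($paths->cpage['urlname_nons']) . '" />
              <input type="hidden" name="data[namespace]" value="' . htmlspecialchars($paths->namespace) . '" />
              <input type="submit" value="' . htmlspecialchars($lang->get('etc_wizard_next')) . '" />
            </div>';
      echo $formend;
      break;
    case 'success':
    case 'delete':
      // Both outcomes render the same "done" box with a form that jumps back to
      // the editor; only the messages differ.
      $is_delete = ( $response['mode'] == 'delete' );
      $title_key = $is_delete ? 'acl_lbl_delete_success_title' : 'acl_lbl_save_success_title';
      $body_key  = $is_delete ? 'acl_lbl_delete_success_body'  : 'acl_lbl_save_success_body';
      // For user targets the id fields carry the username so stage 2 can look it up again
      $target_field = ( intval($response['target_type']) == ACL_TYPE_USER ) ? $safe['target_name'] : $safe['target_id'];
      // NOTE(review): target_name is passed raw into the language substitution here;
      // confirm the language layer escapes placeholder values before relying on it.
      echo '<div class="info-box">
              <b>' . $lang->get($title_key) . '</b><br />
              ' . $lang->get($body_key, array( 'target_name' => $response['target_name'] )) . '<br />
              ' . $formstart . '
                <input type="hidden" name="data[mode]" value="seltarget" />
                <input type="hidden" name="data[target_type]" value="' . $safe['target_type'] . '" />
                <input type="hidden" name="data[target_id_user]" value="' . $target_field . '" />
                <input type="hidden" name="data[target_id_grp]" value="' . $target_field . '" />
                <input type="hidden" name="data[scope]" value="' . ( ( $response['page_id'] ) ? 'only_this' : 'entire_site' ) . '" />
                <input type="hidden" name="data[page_id]" value="' . ( ( $response['page_id'] ) ? $safe['page_id'] : 'false' ) . '" />
                <input type="hidden" name="data[namespace]" value="' . ( ( $response['namespace'] ) ? $safe['namespace'] : 'false' ) . '" />
                <input type="submit" value="' . $lang->get('acl_btn_returnto_editor') . '" /> <input type="submit" name="data[act_go_stage1]" value="' . $lang->get('acl_btn_returnto_userscope') . '" />
              ' . $formend . '
            </div>';
      break;
    case 'seltarget':
      $title_key = ( $response['type'] == 'edit' ) ? 'acl_lbl_editwin_title_edit' : 'acl_lbl_editwin_title_create';
      echo '<h3>' . $lang->get($title_key) . '</h3>';
      $type = ( $response['target_type'] == ACL_TYPE_GROUP ) ? $lang->get('acl_target_type_group') : $lang->get('acl_target_type_user');
      if ( $response['page_id'] )
      {
        // a page_id with the __PageGroup namespace means the rule targets a page group
        $scope = ( $response['namespace'] == '__PageGroup' ) ? $lang->get('acl_scope_type_pagegroup') : $lang->get('acl_scope_type_thispage');
      }
      else
      {
        $scope = $lang->get('acl_scope_type_wholesite');
      }
      // NOTE(review): 'target' is passed raw into the language substitution here;
      // confirm the language layer escapes placeholder values before relying on it.
      $subs = array(
          'target_type' => $type,
          'target' => $response['target_name'],
          'scope_type' => $scope
        );
      echo $lang->get('acl_lbl_editwin_body', $subs);
      echo $formstart;
      $parser = $template->makeParserText( $response['template']['acl_field_begin'] );
      echo $parser->run();
      $parser = $template->makeParserText( $response['template']['acl_field_item'] );
      $cls = 'row2';
      foreach ( $response['acl_types'] as $acl_type => $value )
      {
        $vars = Array(
            'FIELD_DENY_CHECKED' => '',
            'FIELD_DISALLOW_CHECKED' => '',
            'FIELD_WIKIMODE_CHECKED' => '',
            'FIELD_ALLOW_CHECKED' => '',
          );
        // alternate row shading
        $cls = ( $cls == 'row1' ) ? 'row2' : 'row1';
        $vars['ROW_CLASS'] = $cls;

        $current = isset($response['current_perms'][$acl_type]) ? $response['current_perms'][$acl_type] : null;
        switch ( $current )
        {
          case AUTH_ALLOW:
            $vars['FIELD_ALLOW_CHECKED'] = 'checked="checked"';
            break;
          case AUTH_WIKIMODE:
            $vars['FIELD_WIKIMODE_CHECKED'] = 'checked="checked"';
            break;
          case AUTH_DENY:
            $vars['FIELD_DENY_CHECKED'] = 'checked="checked"';
            break;
          case AUTH_DISALLOW:
          default:
            // unrecognised or missing values render as "disallow"
            $vars['FIELD_DISALLOW_CHECKED'] = 'checked="checked"';
            break;
        }
        $vars['FIELD_NAME'] = 'data[perms][' . $acl_type . ']';
        // A description that looks like a language string key is translated;
        // anything else is shown as given.
        if ( preg_match('/^([a-z0-9_]+)$/', $response['acl_descs'][$acl_type]) )
        {
          $vars['FIELD_DESC'] = $lang->get($response['acl_descs'][$acl_type]);
        }
        else
        {
          $vars['FIELD_DESC'] = $response['acl_descs'][$acl_type];
        }
        $parser->assign_vars($vars);
        echo $parser->run();
      }
      $parser = $template->makeParserText( $response['template']['acl_field_end'] );
      echo $parser->run();
      echo '<div style="margin: 10px auto 0 0; text-align: right;">
              <input name="data[mode]" value="save_' . $response['type'] . '" type="hidden" />
              <input type="hidden" name="data[page_id]" value="' . (( $response['page_id'] ) ? $safe['page_id'] : 'false') . '" />
              <input type="hidden" name="data[namespace]" value="' . (( $response['namespace'] ) ? $safe['namespace'] : 'false') . '" />
              <input type="hidden" name="data[target_type]" value="' . $safe['target_type'] . '" />
              <input type="hidden" name="data[target_id]" value="' . $safe['target_id'] . '" />
              <input type="hidden" name="data[target_name]" value="' . $safe['target_name'] . '" />
              ' . ( ( $response['type'] == 'edit' ) ? '<input type="submit" value="' . $lang->get('etc_save_changes') . '" /> <input type="submit" name="data[act_delete_rule]" value="' . $lang->get('acl_btn_deleterule') . '" style="color: #AA0000;" onclick="return confirm(\'' . addslashes($lang->get('acl_msg_deleterule_confirm')) . '\');" />' : '<input type="submit" value="' . $lang->get('acl_btn_createrule') . '" />' ) . '
            </div>';
      echo $formend;
      break;
    case 'error':
      // Throw away whatever was buffered before handing off to die_friendly()
      ob_end_clean();
      die_friendly('Error occurred', '<p>Error returned by permissions API:</p><pre>' . htmlspecialchars($response['error']) . '</pre>');
      break;
  }
  $ret = ob_get_contents();
  ob_end_clean();
  echo
    $template->getHeader() .
    $ret .
    $template->getFooter();
}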
/**
 * Preprocessor that turns the form-submitted data from the non-Javascript ACL editor into the parameter array PageUtils::acl_editor() expects
 * @param array $parms The posted form data
 * @return array
 * @access private
 */
function acl_preprocess($parms) |
|
2382 |
{ |
|
2383 |
if ( !isset($parms['mode']) ) |
|
2384 |
// Nothing to do |
|
2385 |
return $parms; |
|
2386 |
switch ( $parms['mode'] ) |
|
2387 |
{ |
|
2388 |
case 'seltarget': |
|
2389 |
||
2390 |
// Who's affected? |
|
2391 |
$parms['target_type'] = intval( $parms['target_type'] ); |
|
2392 |
$parms['target_id'] = ( $parms['target_type'] == ACL_TYPE_GROUP ) ? $parms['target_id_grp'] : $parms['target_id_user']; |
|
2393 |
||
2394 |
case 'save_edit': |
|
2395 |
case 'save_new': |
|
2396 |
if ( isset($parms['act_delete_rule']) ) |
|
2397 |
{ |
|
2398 |
$parms['mode'] = 'delete'; |
|
2399 |
} |
|
2400 |
||
2401 |
// Scope (just this page or entire site?) |
|
2402 |
if ( $parms['scope'] == 'entire_site' || ( $parms['page_id'] == 'false' && $parms['namespace'] == 'false' ) ) |
|
2403 |
{ |
|
2404 |
$parms['page_id'] = false; |
|
2405 |
$parms['namespace'] = false; |
|
2406 |
} |
|
103
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
parents:
102
diff
changeset
|
2407 |
else if ( $parms['scope'] == 'page_group' ) |
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
parents:
102
diff
changeset
|
2408 |
{ |
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
parents:
102
diff
changeset
|
2409 |
$parms['page_id'] = $parms['pg_id']; |
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
parents:
102
diff
changeset
|
2410 |
$parms['namespace'] = '__PageGroup'; |
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
parents:
102
diff
changeset
|
2411 |
} |
1 | 2412 |
|
2413 |
break; |
|
2414 |
} |
|
2415 |
||
2416 |
if ( isset($parms['act_go_stage1']) ) |
|
2417 |
{ |
|
2418 |
$parms = array( |
|
2419 |
'mode' => 'listgroups' |
|
2420 |
); |
|
2421 |
} |
|
2422 |
||
2423 |
return $parms; |
|
2424 |
} |
/**
 * Postprocessor for the response of the ACL API backend: makes sure the response always carries
 * a 'mode' so the form renderer knows which stage to display.
 * @param array Response from the backend
 * @return array The response with 'mode' filled in, or an error response when no mode could be inferred
 * @access private
 */

function acl_postprocess($response)
{
  if ( isset($response['mode']) )
  {
    // The backend already told us which stage we're in
    return $response;
  }

  // No mode: a group listing means the first stage; anything else is unusable
  if ( isset($response['groups']) )
  {
    $response['mode'] = 'stage1';
    return $response;
  }

  return array(
    'mode' => 'error',
    'error' => 'Invalid action passed by API backend.',
  );
}
} |
?> |