includes/comment.php
changeset 359 e0787bb6285b
parent 345 4ccdfeee9a11
child 387 92664d2efab8
--- a/includes/comment.php	Sun Jan 20 22:34:02 2008 -0500
+++ b/includes/comment.php	Mon Jan 21 10:09:48 2008 -0500
@@ -97,14 +97,14 @@
         {
           $ret['template'] = file_get_contents(ENANO_ROOT . '/themes/' . $template->theme . '/comment.tpl');
         }
-        $q = $db->sql_query('SELECT c.comment_id,c.name,c.subject,c.comment_data,c.time,c.approved,u.user_level,u.user_id,u.signature,u.user_has_avatar,u.avatar_type, b.buddy_id IS NOT NULL AS is_buddy, ( b.is_friend IS NOT NULL AND b.is_friend=1 ) AS is_friend FROM '.table_prefix.'comments AS c
+        $q = $db->sql_query('SELECT c.comment_id,c.name,c.subject,c.comment_data,c.time,c.approved,( c.ip_address IS NOT NULL ) AS have_ip,u.user_level,u.user_id,u.signature,u.user_has_avatar,u.avatar_type, b.buddy_id IS NOT NULL AS is_buddy, ( b.is_friend IS NOT NULL AND b.is_friend=1 ) AS is_friend FROM '.table_prefix.'comments AS c
                                LEFT JOIN '.table_prefix.'users AS u
                                  ON (u.user_id=c.user_id)
                                LEFT JOIN '.table_prefix.'buddies AS b
                                  ON ( ( b.user_id=' . $session->user_id.' AND b.buddy_user_id=c.user_id ) OR b.user_id IS NULL)
                                WHERE page_id=\'' . $this->page_id . '\'
                                  AND namespace=\'' . $this->namespace . '\'
-                               GROUP BY c.comment_id,c.name,c.subject,c.comment_data,c.time,c.approved,u.user_level,u.user_id,u.signature,u.user_has_avatar,u.avatar_type,b.buddy_id,b.is_friend
+                               GROUP BY c.comment_id,c.name,c.subject,c.comment_data,c.time,c.approved,c.ip_address,u.user_level,u.user_id,u.signature,u.user_has_avatar,u.avatar_type,b.buddy_id,b.is_friend
                                ORDER BY c.time ASC;');
         $count_appr = 0;
         $count_total = 0;
@@ -147,6 +147,9 @@
             // Format signature
             $row['signature'] = ( !empty($row['signature']) ) ? RenderMan::render($row['signature']) : '';
             
+            // Do we have the IP?
+            $row['have_ip'] = ( $row['have_ip'] == 1 );
+            
             // Add the comment to the list
             $ret['comments'][] = $row;
             
@@ -285,10 +288,13 @@
           $appr = ( getConfig('approve_comments') == '1' ) ? '0' : '1';
           $time = time();
           $date = enano_date('F d, Y h:i a', $time);
+          $ip = $_SERVER['REMOTE_ADDR'];
+          if ( !is_valid_ip($ip) )
+            die('Hacking attempt');
           
           // Send it to the database
-          $q = $db->sql_query('INSERT INTO '.table_prefix.'comments(page_id,namespace,name,subject,comment_data,approved, time, user_id) VALUES' .
-                              "('$this->page_id', '$this->namespace', '$name', '$subj', '$sql_text', $appr, $time, $session->user_id);");
+          $q = $db->sql_query('INSERT INTO '.table_prefix.'comments(page_id,namespace,name,subject,comment_data,approved, time, user_id, ip_address) VALUES' . "\n  " .
+                             "('$this->page_id', '$this->namespace', '$name', '$subj', '$sql_text', $appr, $time, {$session->user_id}, '$ip');");
           if(!$q)
             $db->die_json();
           
@@ -366,6 +372,45 @@
           );
         
         break;
+      case 'view_ip':
+        if ( !$session->get_permissions('mod_comments') )
+        {
+          return array(
+              'mode' => 'error',
+              'error' => 'Unauthorized'
+            );
+        }
+        // fetch comment info
+        if ( !is_int($data['id']) )
+        {
+          return array(
+              'mode' => 'error',
+              'error' => 'Unauthorized'
+            );
+        }
+        $id =& $data['id'];
+        $q = $db->sql_query('SELECT ip_address, name FROM ' . table_prefix . 'comments WHERE comment_id = ' . $id . ';');
+        if ( !$q || $db->numrows() < 1 )
+        {
+          $db->die_json();
+        }
+        list($ip_addr, $name) = $db->fetchrow_num($q);
+        $db->free_result();
+        $name = $db->escape($name);
+        $username = $db->escape($session->username);
+        // log this action
+        $q = $db->sql_query('INSERT INTO ' . table_prefix . "logs(time_id, log_type, action, page_text, author, edit_summary) VALUES\n  "
+                            . "( " . time() . ", 'security', 'view_comment_ip', '$name', '$username', '{$_SERVER['REMOTE_ADDR']}' );");
+        if ( !$q )
+          $db->die_json();
+        
+        // send packet
+        $ret = array(
+            'mode' => 'redraw',
+            'ip_addr' => $ip_addr,
+            'local_id' => $data['local_id']
+          );
+        break;
       default:
         $ret = Array(
           'mode' => 'error',