94 $db->free_result(); |
94 $db->free_result(); |
95 if(!$q) $db->_die('The message was not successfully moved.'); |
95 if(!$q) $db->_die('The message was not successfully moved.'); |
96 die_friendly('Message status', '<p>Your message has been moved to the folder "'.$fname.'".</p><p><a href="'.makeUrlNS('Special', 'PrivateMessages/Folder/Inbox').'">Return to inbox</a></p>'); |
96 die_friendly('Message status', '<p>Your message has been moved to the folder "'.$fname.'".</p><p><a href="'.makeUrlNS('Special', 'PrivateMessages/Folder/Inbox').'">Return to inbox</a></p>'); |
97 break; |
97 break; |
98 case 'Delete': |
98 case 'Delete': |
|
99 csrf_request_confirm(); |
99 $id = $argv[1]; |
100 $id = $argv[1]; |
100 if(!preg_match('#^([0-9]+)$#', $id)) die_friendly('Message error', '<p>Invalid message ID</p>'); |
101 if(!preg_match('#^([0-9]+)$#', $id)) die_friendly('Message error', '<p>Invalid message ID</p>'); |
101 $q = $db->sql_query('SELECT message_to FROM '.table_prefix.'privmsgs WHERE message_id='.$id.''); |
102 $q = $db->sql_query('SELECT message_to FROM '.table_prefix.'privmsgs WHERE message_id='.$id.''); |
102 if(!$q) $db->_die('The message data could not be selected.'); |
103 if(!$q) $db->_die('The message data could not be selected.'); |
103 $r = $db->fetchrow(); |
104 $r = $db->fetchrow(); |
109 break; |
110 break; |
110 case 'Compose': |
111 case 'Compose': |
111 if($argv[1]=='Send' && isset($_POST['_send'])) |
112 if($argv[1]=='Send' && isset($_POST['_send'])) |
112 { |
113 { |
113 // Check each POST DATA parameter... |
114 // Check each POST DATA parameter... |
|
115 csrf_request_confirm(); |
114 if(!isset($_POST['to']) || ( isset($_POST['to']) && $_POST['to'] == '')) die_friendly('Sending of message failed', '<p>Please enter the username to which you want to send your message.</p>'); |
116 if(!isset($_POST['to']) || ( isset($_POST['to']) && $_POST['to'] == '')) die_friendly('Sending of message failed', '<p>Please enter the username to which you want to send your message.</p>'); |
115 if(!isset($_POST['subject']) || ( isset($_POST['subject']) && $_POST['subject'] == '')) die_friendly('Sending of message failed', '<p>Please enter a subject for your message.</p>'); |
117 if(!isset($_POST['subject']) || ( isset($_POST['subject']) && $_POST['subject'] == '')) die_friendly('Sending of message failed', '<p>Please enter a subject for your message.</p>'); |
116 if(!isset($_POST['message']) || ( isset($_POST['message']) && $_POST['message'] == '')) die_friendly('Sending of message failed', '<p>Please enter a message to send.</p>'); |
118 if(!isset($_POST['message']) || ( isset($_POST['message']) && $_POST['message'] == '')) die_friendly('Sending of message failed', '<p>Please enter a message to send.</p>'); |
117 $namelist = $_POST['to']; |
119 $namelist = $_POST['to']; |
118 $namelist = str_replace(', ', ',', $namelist); |
120 $namelist = str_replace(', ', ',', $namelist); |
131 if(!$result) $db->_die('The message could not be sent.'); |
133 if(!$result) $db->_die('The message could not be sent.'); |
132 else die_friendly('Message status', '<p>Your message has been sent. You may edit the message if you wish; one copy for each recipient will be in your outbox until each recipient has read it. Return to your <a href="'.makeUrlNS('Special', 'PrivateMessages/Folder/Inbox').'">inbox</a>.</p>'); |
134 else die_friendly('Message status', '<p>Your message has been sent. You may edit the message if you wish; one copy for each recipient will be in your outbox until each recipient has read it. Return to your <a href="'.makeUrlNS('Special', 'PrivateMessages/Folder/Inbox').'">inbox</a>.</p>'); |
133 return; |
135 return; |
134 } elseif($argv[1]=='Send' && isset($_POST['_savedraft'])) { |
136 } elseif($argv[1]=='Send' && isset($_POST['_savedraft'])) { |
135 // Check each POST DATA parameter... |
137 // Check each POST DATA parameter... |
|
138 csrf_request_confirm(); |
136 if(!isset($_POST['to']) || ( isset($_POST['to']) && $_POST['to'] == '')) die_friendly('Sending of message failed', '<p>Please enter the username to which you want to send your message.</p>'); |
139 if(!isset($_POST['to']) || ( isset($_POST['to']) && $_POST['to'] == '')) die_friendly('Sending of message failed', '<p>Please enter the username to which you want to send your message.</p>'); |
137 if(!isset($_POST['subject']) || ( isset($_POST['subject']) && $_POST['subject'] == '')) die_friendly('Sending of message failed', '<p>Please enter a subject for your message.</p>'); |
140 if(!isset($_POST['subject']) || ( isset($_POST['subject']) && $_POST['subject'] == '')) die_friendly('Sending of message failed', '<p>Please enter a subject for your message.</p>'); |
138 if(!isset($_POST['message']) || ( isset($_POST['message']) && $_POST['message'] == '')) die_friendly('Sending of message failed', '<p>Please enter a message to send.</p>'); |
141 if(!isset($_POST['message']) || ( isset($_POST['message']) && $_POST['message'] == '')) die_friendly('Sending of message failed', '<p>Please enter a message to send.</p>'); |
139 $namelist = $_POST['to']; |
142 $namelist = $_POST['to']; |
140 $namelist = str_replace(', ', ',', $namelist); |
143 $namelist = str_replace(', ', ',', $namelist); |
190 echo '<form action="'.makeUrlNS('Special', 'PrivateMessages/Compose/Send').'" method="post" onsubmit="if(!submitAuthorized) return false;">'; |
193 echo '<form action="'.makeUrlNS('Special', 'PrivateMessages/Compose/Send').'" method="post" onsubmit="if(!submitAuthorized) return false;">'; |
191 ?> |
194 ?> |
192 <br /> |
195 <br /> |
193 <div class="tblholder"><table border="0" width="100%" cellspacing="1" cellpadding="4"> |
196 <div class="tblholder"><table border="0" width="100%" cellspacing="1" cellpadding="4"> |
194 <tr><th colspan="2">Compose new private message</th></tr> |
197 <tr><th colspan="2">Compose new private message</th></tr> |
195 <tr><td class="row1">To:<br /><small>Separate multiple names with a single comma; you<br />can send this message to up to <b><?php echo (string)MAX_PMS_PER_BATCH; ?></b> users.</small></td><td class="row1"><?php echo $template->username_field('to', (isset($_POST['_savedraft'])) ? $_POST['to'] : $to ); ?></td></tr> |
198 <tr><td class="row1">To:<br /><small>Separate multiple names with a single comma; you<br />can send this message to up to <b><?php echo (string)MAX_PMS_PER_BATCH; ?></b> users.</small></td><td class="row1"><?php echo $template->username_field('to', (isset($_POST['_savedraft'])) ? htmlspecialchars($_POST['to']) : $to ); ?></td></tr> |
196 <tr><td class="row2">Subject:</td><td class="row2"><input name="subject" type="text" size="30" value="<?php if(isset($_POST['_savedraft'])) echo $_POST['subject']; else echo $subj; ?>" /></td></tr> |
199 <tr><td class="row2">Subject:</td><td class="row2"><input name="subject" type="text" size="30" value="<?php if(isset($_POST['_savedraft'])) echo htmlspecialchars($_POST['subject']); else echo $subj; ?>" /></td></tr> |
197 <tr><td class="row1">Message:</td><td class="row1" style="min-width: 80%;"><textarea rows="20" cols="40" name="message" style="width: 100%;"><?php if(isset($_POST['_savedraft'])) echo $_POST['message']; else echo $text; ?></textarea></td></tr> |
200 <tr><td class="row1">Message:</td><td class="row1" style="min-width: 80%;"><textarea rows="20" cols="40" name="message" style="width: 100%;"><?php if(isset($_POST['_savedraft'])) echo htmlspecialchars($_POST['message']); else echo $text; ?></textarea></td></tr> |
198 <tr><th colspan="2"><input type="submit" name="_send" value="Send message" /> <input type="submit" name="_savedraft" value="Save as draft" /> <input type="submit" name="_inbox" value="Back to Inbox" /></th></tr> |
201 <tr><th colspan="2"><input type="submit" name="_send" value="Send message" /> <input type="submit" name="_savedraft" value="Save as draft" /> <input type="submit" name="_inbox" value="Back to Inbox" /></th></tr> |
199 </table></div> |
202 </table></div> |
|
203 <input type="hidden" name="cstok" value="<?php echo $session->csrf_token; ?>" /> |
200 <?php |
204 <?php |
201 echo '</form>'; |
205 echo '</form>'; |
202 $template->footer(); |
206 $template->footer(); |
203 break; |
207 break; |
204 case 'Edit': |
208 case 'Edit': |
212 $fname = $argv[2]; |
216 $fname = $argv[2]; |
213 |
217 |
214 if(isset($_POST['_send'])) |
218 if(isset($_POST['_send'])) |
215 { |
219 { |
216 // Check each POST DATA parameter... |
220 // Check each POST DATA parameter... |
|
221 csrf_request_confirm(); |
217 if(!isset($_POST['to']) || ( isset($_POST['to']) && $_POST['to'] == '')) die_friendly('Sending of message failed', '<p>Please enter the username to which you want to send your message.</p>'); |
222 if(!isset($_POST['to']) || ( isset($_POST['to']) && $_POST['to'] == '')) die_friendly('Sending of message failed', '<p>Please enter the username to which you want to send your message.</p>'); |
218 if(!isset($_POST['subject']) || ( isset($_POST['subject']) && $_POST['subject'] == '')) die_friendly('Sending of message failed', '<p>Please enter a subject for your message.</p>'); |
223 if(!isset($_POST['subject']) || ( isset($_POST['subject']) && $_POST['subject'] == '')) die_friendly('Sending of message failed', '<p>Please enter a subject for your message.</p>'); |
219 if(!isset($_POST['message']) || ( isset($_POST['message']) && $_POST['message'] == '')) die_friendly('Sending of message failed', '<p>Please enter a message to send.</p>'); |
224 if(!isset($_POST['message']) || ( isset($_POST['message']) && $_POST['message'] == '')) die_friendly('Sending of message failed', '<p>Please enter a message to send.</p>'); |
220 $namelist = $_POST['to']; |
225 $namelist = $_POST['to']; |
221 $namelist = str_replace(', ', ',', $namelist); |
226 $namelist = str_replace(', ', ',', $namelist); |
229 if(!$result) $db->_die('The message could not be sent.'); |
234 if(!$result) $db->_die('The message could not be sent.'); |
230 else die_friendly('Message status', '<p>Your message has been sent. You may edit the message if you wish; one copy for each recipient will be in your outbox until each recipient has read it. Return to your <a href="'.makeUrlNS('Special', 'PrivateMessages/Folder/Inbox').'">inbox</a>.</p>'); |
235 else die_friendly('Message status', '<p>Your message has been sent. You may edit the message if you wish; one copy for each recipient will be in your outbox until each recipient has read it. Return to your <a href="'.makeUrlNS('Special', 'PrivateMessages/Folder/Inbox').'">inbox</a>.</p>'); |
231 return; |
236 return; |
232 } elseif(isset($_POST['_savedraft'])) { |
237 } elseif(isset($_POST['_savedraft'])) { |
233 // Check each POST DATA parameter... |
238 // Check each POST DATA parameter... |
|
239 csrf_request_confirm(); |
234 if(!isset($_POST['to']) || ( isset($_POST['to']) && $_POST['to'] == '')) die_friendly('Sending of message failed', '<p>Please enter the username to which you want to send your message.</p>'); |
240 if(!isset($_POST['to']) || ( isset($_POST['to']) && $_POST['to'] == '')) die_friendly('Sending of message failed', '<p>Please enter the username to which you want to send your message.</p>'); |
235 if(!isset($_POST['subject']) || ( isset($_POST['subject']) && $_POST['subject'] == '')) die_friendly('Sending of message failed', '<p>Please enter a subject for your message.</p>'); |
241 if(!isset($_POST['subject']) || ( isset($_POST['subject']) && $_POST['subject'] == '')) die_friendly('Sending of message failed', '<p>Please enter a subject for your message.</p>'); |
236 if(!isset($_POST['message']) || ( isset($_POST['message']) && $_POST['message'] == '')) die_friendly('Sending of message failed', '<p>Please enter a message to send.</p>'); |
242 if(!isset($_POST['message']) || ( isset($_POST['message']) && $_POST['message'] == '')) die_friendly('Sending of message failed', '<p>Please enter a message to send.</p>'); |
237 $namelist = $_POST['to']; |
243 $namelist = $_POST['to']; |
238 $namelist = str_replace(', ', ',', $namelist); |
244 $namelist = str_replace(', ', ',', $namelist); |
249 else $to = ''; |
255 else $to = ''; |
250 $template->header(); |
256 $template->header(); |
251 userprefs_show_menu(); |
257 userprefs_show_menu(); |
252 echo '<form action="'.makeUrlNS('Special', 'PrivateMessages/Edit/'.$id).'" method="post">'; |
258 echo '<form action="'.makeUrlNS('Special', 'PrivateMessages/Edit/'.$id).'" method="post">'; |
253 ?> |
259 ?> |
|
260 <input type="hidden" name="cstok" value="<?php echo $session->csrf_token; ?>" /> |
254 <br /> |
261 <br /> |
255 <div class="tblholder"><table border="0" width="100%" cellspacing="1" cellpadding="4"> |
262 <div class="tblholder"><table border="0" width="100%" cellspacing="1" cellpadding="4"> |
256 <tr><th colspan="2">Edit draft</th></tr> |
263 <tr><th colspan="2">Edit draft</th></tr> |
257 <tr><td class="row1">To:<br /><small>Separate multiple names with a single comma</small></td><td class="row1"><input name="to" type="text" size="30" value="<?php if(isset($_POST['_savedraft'])) echo $_POST['to']; else echo $r['message_to']; ?>" /></td></tr> |
264 <tr><td class="row1">To:<br /><small>Separate multiple names with a single comma</small></td><td class="row1"><input name="to" type="text" size="30" value="<?php if(isset($_POST['_savedraft'])) echo $_POST['to']; else echo $r['message_to']; ?>" /></td></tr> |
258 <tr><td class="row2">Subject:</td><td class="row2"><input name="subject" type="text" size="30" value="<?php if(isset($_POST['_savedraft'])) echo $_POST['subject']; else echo $r['subject']; ?>" /></td></tr> |
265 <tr><td class="row2">Subject:</td><td class="row2"><input name="subject" type="text" size="30" value="<?php if(isset($_POST['_savedraft'])) echo $_POST['subject']; else echo $r['subject']; ?>" /></td></tr> |
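Review bot: The Edit draft form still writes `$_POST['to']` and `$_POST['subject']` into input value attributes unescaped (new lines 264 and 265), whereas this same commit wraps the equivalent Compose fields in htmlspecialchars (new lines 198–200), so the two forms now diverge in their output encoding. Change the two echoes to `echo htmlspecialchars($_POST['to']);` and `echo htmlspecialchars($_POST['subject']);` so a re-submitted draft containing a double quote cannot leave the attribute context. The stored `$r['message_to']` and `$r['subject']` values on the same lines are emitted raw as well, and the message textarea of this form lies outside the hunk, so presumably the same treatment is needed there. The enclosing `case 'Edit':` block starts and ends outside this hunk.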
315 if($argv[1] == 'Drafts' || $argv[1] == 'Outbox') $act = 'Edit'; |
322 if($argv[1] == 'Drafts' || $argv[1] == 'Outbox') $act = 'Edit'; |
316 else $act = 'View'; |
323 else $act = 'View'; |
317 if(!$q) $db->_die('The private message data could not be selected.'); |
324 if(!$q) $db->_die('The private message data could not be selected.'); |
318 echo '<form action="'.makeUrlNS('Special', 'PrivateMessages/PostHandler').'" method="post"><div class="tblholder"><table border="0" width="100%" cellspacing="1" cellpadding="4"><tr><th colspan="4" style="text-align: left;">Folder: '.$argv[1].'</th></tr><tr><th class="subhead">'; |
325 echo '<form action="'.makeUrlNS('Special', 'PrivateMessages/PostHandler').'" method="post"><div class="tblholder"><table border="0" width="100%" cellspacing="1" cellpadding="4"><tr><th colspan="4" style="text-align: left;">Folder: '.$argv[1].'</th></tr><tr><th class="subhead">'; |
319 if($fname == 'drafts' || $fname == 'Outbox') echo 'To'; else echo 'From'; |
326 if($fname == 'drafts' || $fname == 'Outbox') echo 'To'; else echo 'From'; |
|
327 ?><input type="hidden" name="cstok" value="<?php echo $session->csrf_token; ?>" /><?php |
320 echo '</th><th class="subhead">Subject</th><th class="subhead">Date</th><th class="subhead">Mark</th></tr>'; |
328 echo '</th><th class="subhead">Subject</th><th class="subhead">Date</th><th class="subhead">Mark</th></tr>'; |
321 if($db->numrows() < 1) |
329 if($db->numrows() < 1) |
322 echo '<tr><td style="text-align: center;" class="row1" colspan="4">No messages in this folder.</td></tr>'; |
330 echo '<tr><td style="text-align: center;" class="row1" colspan="4">No messages in this folder.</td></tr>'; |
323 else { |
331 else { |
324 $cls = 'row2'; |
332 $cls = 'row2'; |
349 break; |
357 break; |
350 case 'PostHandler': |
358 case 'PostHandler': |
351 $fname = $db->escape(strtolower($_POST['folder'])); |
359 $fname = $db->escape(strtolower($_POST['folder'])); |
352 if($fname=='drafts' || $fname=='outbox') |
360 if($fname=='drafts' || $fname=='outbox') |
353 { |
361 { |
354 $q = $db->sql_query('SELECT p.message_id, p.message_from, p.message_to, p.date, p.subject FROM '.table_prefix.'privmsgs AS p WHERE p.folder_name=\''.$fname.'\' AND p.message_from=\''.$session->username.'\' ORDER BY date DESC;'); |
362 $fname = $fname == 'outbox' ? 'inbox' : $fname; |
|
363 $readsnip = $fname == 'inbox' ? ' AND message_read = 0' : ''; |
|
364 $q = $db->sql_query('SELECT p.message_id, p.message_from, p.message_to, p.date, p.subject FROM '.table_prefix.'privmsgs AS p WHERE p.folder_name=\''.$fname.'\' AND p.message_from=\''.$session->username.'\'' . $readsnip . ' ORDER BY date DESC;'); |
355 } else { |
365 } else { |
356 $q = $db->sql_query('SELECT p.message_id, p.message_from, p.message_to, p.date, p.subject FROM '.table_prefix.'privmsgs AS p WHERE p.folder_name=\''.$fname.'\' AND p.message_to=\''.$session->username.'\' ORDER BY date DESC;'); |
366 $q = $db->sql_query('SELECT p.message_id, p.message_from, p.message_to, p.date, p.subject FROM '.table_prefix.'privmsgs AS p WHERE p.folder_name=\''.$fname.'\' AND p.message_to=\''.$session->username.'\' ORDER BY date DESC;'); |
357 } |
367 } |
358 if(!$q) $db->_die('The private message data could not be selected.'); |
368 if(!$q) $db->_die('The private message data could not be selected.'); |
359 |
369 |
|
370 csrf_request_confirm(); |
|
371 |
360 if(isset($_POST['archive'])) { |
372 if(isset($_POST['archive'])) { |
361 while($row = $db->fetchrow($q)) |
373 while($row = $db->fetchrow($q)) |
362 { |
374 { |
363 if(isset($_POST['marked_'.$row['message_id']])) |
375 if(isset($_POST['marked_'.$row['message_id']])) |
364 { |
376 { |
371 while($row = $db->fetchrow($q)) |
383 while($row = $db->fetchrow($q)) |
372 { |
384 { |
373 if(isset($_POST['marked_'.$row['message_id']])) |
385 if(isset($_POST['marked_'.$row['message_id']])) |
374 { |
386 { |
375 $e = $db->sql_query('DELETE FROM '.table_prefix.'privmsgs WHERE message_id='.$row['message_id'].';'); |
387 $e = $db->sql_query('DELETE FROM '.table_prefix.'privmsgs WHERE message_id='.$row['message_id'].';'); |
376 if(!$e) $db->_die('Message '.$row['message_id'].' was not successfully moved.'); |
388 if(!$e) $db->_die('Message '.$row['message_id'].' was not successfully removed.'); |
377 $db->free_result(); |
389 $db->free_result(); |
378 } |
390 } |
379 } |
391 } |
380 } elseif(isset($_POST['deleteall'])) { |
392 } elseif(isset($_POST['deleteall'])) { |
381 while($row = $db->fetchrow($q)) |
393 while($row = $db->fetchrow($q)) |