1
+ − 1
<?php
+ − 2
+ − 3
/*
+ − 4
* Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between
801
eb8b23f11744
Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
Dan
diff
changeset
+ − 5
* Version 1.1.6 (Caoineag beta 1)
536
+ − 6
* Copyright (C) 2006-2008 Dan Fuhry
1
+ − 7
*
+ − 8
* This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License
+ − 9
* as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
+ − 10
*
+ − 11
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied
+ − 12
* warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for details.
+ − 13
*/
+ − 14
+ − 15
/**
+ − 16
* Class that handles comments. Has HTML/Javascript frontend support.
+ − 17
* @package Enano CMS
+ − 18
* @subpackage Comment manager
800
9cdfe82c56cd
Major underlying changes to namespace handling. Each namespace is handled by its own class which extends Namespace_Default. Much greater customization/pluggability potential, at the possible expense of some code reusing (though code reusing has been avoided thus far). Also a bit better handling of page passwords [SECURITY].
Dan
diff
changeset
+ − 19
* @license GNU General Public License <http://www.gnu.org/licenses/gpl-2.0.html>
1
+ − 20
*/
+ − 21
+ − 22
class Comments
+ − 23
{
+ − 24
#
+ − 25
# VARIABLES
+ − 26
#
+ − 27
+ − 28
/**
+ − 29
* Current list of comments.
+ − 30
* @var array
+ − 31
*/
+ − 32
+ − 33
var $comments = Array();
+ − 34
+ − 35
/**
+ − 36
* Object to track permissions.
+ − 37
* @var object
+ − 38
*/
+ − 39
+ − 40
var $perms;
+ − 41
+ − 42
#
+ − 43
# METHODS
+ − 44
#
+ − 45
+ − 46
/**
+ − 47
* Constructor.
+ − 48
* @param string Page ID of the page to load comments for
+ − 49
* @param string Namespace of the page to load comments for
+ − 50
*/
+ − 51
+ − 52
function __construct($page_id, $namespace)
+ − 53
{
+ − 54
global $db, $session, $paths, $template, $plugins; // Common objects
+ − 55
+ − 56
// Initialize permissions
322
+ − 57
if ( $page_id == $paths->page_id && $namespace == $paths->namespace )
1
+ − 58
$this->perms =& $GLOBALS['session'];
+ − 59
else
+ − 60
$this->perms = $session->fetch_page_acl($page_id, $namespace);
+ − 61
+ − 62
$this->page_id = $db->escape($page_id);
+ − 63
$this->namespace = $db->escape($namespace);
+ − 64
}
+ − 65
+ − 66
/**
+ − 67
* Processes a command in JSON format.
+ − 68
* @param string The JSON-encoded input, probably something sent from the Javascript/AJAX frontend
+ − 69
*/
+ − 70
+ − 71
function process_json($json)
+ − 72
{
+ − 73
global $db, $session, $paths, $template, $plugins; // Common objects
541
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 74
global $lang;
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 75
334
c72b545f1304
More localization work. Resolved major issue with JSON parser not parsing files over ~50KB. Switched JSON parser to the one from the Zend Framework (BSD licensed). Forced to split enano.json into five different files.
Dan
diff
changeset
+ − 76
$data = enano_json_decode($json);
78
4df25dfdde63
Modified Text_Wiki parser to fully support UTF-8 strings; several other UTF-8 fixes, international characters seem to work reasonably well now
Dan
diff
changeset
+ − 77
$data = decode_unicode_array($data);
1
+ − 78
if ( !isset($data['mode']) )
+ − 79
{
86
c162ca39db8f
Finished pagination code (was incomplete in previous revision) and added a few hacks for an upcoming theme
Dan
diff
changeset
+ − 80
$ret = Array('mode'=>'error','error'=>'No mode defined!');
334
c72b545f1304
More localization work. Resolved major issue with JSON parser not parsing files over ~50KB. Switched JSON parser to the one from the Zend Framework (BSD licensed). Forced to split enano.json into five different files.
Dan
diff
changeset
+ − 81
echo enano_json_encode($ret);
86
c162ca39db8f
Finished pagination code (was incomplete in previous revision) and added a few hacks for an upcoming theme
Dan
diff
changeset
+ − 82
return $ret;
c162ca39db8f
Finished pagination code (was incomplete in previous revision) and added a few hacks for an upcoming theme
Dan
diff
changeset
+ − 83
}
832
7152ca0a0ce9
Major redesign of rendering pipeline that separates pages saved with MCE from pages saved with the plaintext editor (full description in long commit message)
Dan
diff
changeset
+ − 84
if ( getConfig('enable_comments', '1') == '0' )
86
c162ca39db8f
Finished pagination code (was incomplete in previous revision) and added a few hacks for an upcoming theme
Dan
diff
changeset
+ − 85
{
c162ca39db8f
Finished pagination code (was incomplete in previous revision) and added a few hacks for an upcoming theme
Dan
diff
changeset
+ − 86
$ret = Array('mode'=>'error','error'=>'Comments are not enabled on this site.');
334
c72b545f1304
More localization work. Resolved major issue with JSON parser not parsing files over ~50KB. Switched JSON parser to the one from the Zend Framework (BSD licensed). Forced to split enano.json into five different files.
Dan
diff
changeset
+ − 87
echo enano_json_encode($ret);
86
c162ca39db8f
Finished pagination code (was incomplete in previous revision) and added a few hacks for an upcoming theme
Dan
diff
changeset
+ − 88
return $ret;
1
+ − 89
}
+ − 90
$ret = Array();
+ − 91
$ret['mode'] = $data['mode'];
+ − 92
switch ( $data['mode'] )
+ − 93
{
+ − 94
case 'fetch':
+ − 95
if ( !$template->theme_loaded )
+ − 96
$template->load_theme();
+ − 97
if ( !isset($data['have_template']) )
+ − 98
{
+ − 99
$ret['template'] = file_get_contents(ENANO_ROOT . '/themes/' . $template->theme . '/comment.tpl');
+ − 100
}
621
+ − 101
$q = $db->sql_query('SELECT c.comment_id,c.name,c.subject,c.comment_data,c.time,c.approved,( c.ip_address IS NOT NULL ) AS have_ip,u.user_level,u.user_id,u.email,u.signature,u.user_has_avatar,u.avatar_type, b.buddy_id IS NOT NULL AS is_buddy, ( b.is_friend IS NOT NULL AND b.is_friend=1 ) AS is_friend FROM '.table_prefix.'comments AS c
1
+ − 102
LEFT JOIN '.table_prefix.'users AS u
+ − 103
ON (u.user_id=c.user_id)
108
1c7f59df9474
Implemented some extra functionality for friends/foes in comments; fixed lack of table_prefix in stats.php line 63
Dan
diff
changeset
+ − 104
LEFT JOIN '.table_prefix.'buddies AS b
1c7f59df9474
Implemented some extra functionality for friends/foes in comments; fixed lack of table_prefix in stats.php line 63
Dan
diff
changeset
+ − 105
ON ( ( b.user_id=' . $session->user_id.' AND b.buddy_user_id=c.user_id ) OR b.user_id IS NULL)
541
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 106
LEFT JOIN '.table_prefix.'ranks AS r
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 107
ON ( ( u.user_rank = r.rank_id ) )
1
+ − 108
WHERE page_id=\'' . $this->page_id . '\'
108
1c7f59df9474
Implemented some extra functionality for friends/foes in comments; fixed lack of table_prefix in stats.php line 63
Dan
diff
changeset
+ − 109
AND namespace=\'' . $this->namespace . '\'
621
+ − 110
GROUP BY c.comment_id,c.name,c.subject,c.comment_data,c.time,c.approved,c.ip_address,u.user_level,u.user_id,u.email,u.signature,u.user_has_avatar,u.avatar_type,b.buddy_id,b.is_friend
108
1c7f59df9474
Implemented some extra functionality for friends/foes in comments; fixed lack of table_prefix in stats.php line 63
Dan
diff
changeset
+ − 111
ORDER BY c.time ASC;');
1
+ − 112
$count_appr = 0;
+ − 113
$count_total = 0;
+ − 114
$count_unappr = 0;
+ − 115
$ret['comments'] = Array();
+ − 116
if (!$q)
+ − 117
$db->die_json();
+ − 118
if ( $row = $db->fetchrow() )
+ − 119
{
+ − 120
do {
+ − 121
+ − 122
// Increment counters
+ − 123
$count_total++;
+ − 124
( $row['approved'] == 1 ) ? $count_appr++ : $count_unappr++;
+ − 125
825
9d5c04c1414f
Added (very basic) spam filtering plugin support. Plugins can mark a message as spam by hooking into the spam check API, which is documented in functions.php. No spam checking functionality is built-in.
Dan
diff
changeset
+ − 126
if ( !$this->perms->get_permissions('mod_comments') && $row['approved'] != COMMENT_APPROVED )
1
+ − 127
continue;
+ − 128
541
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 129
// Localize the rank
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 130
$row = array_merge($row, $session->get_user_rank(intval($row['user_id'])));
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 131
1
+ − 132
// Send the source
+ − 133
$row['comment_source'] = $row['comment_data'];
+ − 134
+ − 135
// Format text
+ − 136
$row['comment_data'] = RenderMan::render($row['comment_data']);
+ − 137
108
1c7f59df9474
Implemented some extra functionality for friends/foes in comments; fixed lack of table_prefix in stats.php line 63
Dan
diff
changeset
+ − 138
if ( $row['is_buddy'] == 1 && $row['is_friend'] == 0 )
1c7f59df9474
Implemented some extra functionality for friends/foes in comments; fixed lack of table_prefix in stats.php line 63
Dan
diff
changeset
+ − 139
{
1c7f59df9474
Implemented some extra functionality for friends/foes in comments; fixed lack of table_prefix in stats.php line 63
Dan
diff
changeset
+ − 140
$seed = md5(sha1(mt_rand() . microtime()));
1c7f59df9474
Implemented some extra functionality for friends/foes in comments; fixed lack of table_prefix in stats.php line 63
Dan
diff
changeset
+ − 141
$wrapper = '
1c7f59df9474
Implemented some extra functionality for friends/foes in comments; fixed lack of table_prefix in stats.php line 63
Dan
diff
changeset
+ − 142
<div id="posthide_'.$seed.'" style="display: none;">
1c7f59df9474
Implemented some extra functionality for friends/foes in comments; fixed lack of table_prefix in stats.php line 63
Dan
diff
changeset
+ − 143
' . $row['comment_data'] . '
1c7f59df9474
Implemented some extra functionality for friends/foes in comments; fixed lack of table_prefix in stats.php line 63
Dan
diff
changeset
+ − 144
</div>
825
9d5c04c1414f
Added (very basic) spam filtering plugin support. Plugins can mark a message as spam by hooking into the spam check API, which is documented in functions.php. No spam checking functionality is built-in.
Dan
diff
changeset
+ − 145
<p><span style="opacity: 0.4; filter: alpha(opacity=40);">' . $lang->get('comment_msg_foe_comment_hidden') . '</span> <span style="text-align: right;"><a href="#showpost" onclick="document.getElementById(\'posthide_'.$seed.'\').style.display=\'block\'; this.parentNode.parentNode.parentNode.removeChild(this.parentNode.parentNode); return false;">' . $lang->get('comment_btn_display_foe_comment') . '</a></span></p>
108
1c7f59df9474
Implemented some extra functionality for friends/foes in comments; fixed lack of table_prefix in stats.php line 63
Dan
diff
changeset
+ − 146
';
1c7f59df9474
Implemented some extra functionality for friends/foes in comments; fixed lack of table_prefix in stats.php line 63
Dan
diff
changeset
+ − 147
$row['comment_data'] = $wrapper;
1c7f59df9474
Implemented some extra functionality for friends/foes in comments; fixed lack of table_prefix in stats.php line 63
Dan
diff
changeset
+ − 148
}
1c7f59df9474
Implemented some extra functionality for friends/foes in comments; fixed lack of table_prefix in stats.php line 63
Dan
diff
changeset
+ − 149
1
+ − 150
// Format date
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 151
$row['time'] = enano_date('F d, Y h:i a', $row['time']);
1
+ − 152
+ − 153
// Format signature
+ − 154
$row['signature'] = ( !empty($row['signature']) ) ? RenderMan::render($row['signature']) : '';
+ − 155
359
+ − 156
// Do we have the IP?
+ − 157
$row['have_ip'] = ( $row['have_ip'] == 1 );
+ − 158
541
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 159
// Avatar URL
621
+ − 160
$row['avatar_path'] = make_avatar_url($row['user_id'], $row['avatar_type'], $row['email']);
541
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 161
1
+ − 162
// Add the comment to the list
+ − 163
$ret['comments'][] = $row;
+ − 164
+ − 165
} while ( $row = $db->fetchrow() );
+ − 166
}
+ − 167
$db->free_result();
+ − 168
$ret['count_appr'] = $count_appr;
+ − 169
$ret['count_total'] = $count_total;
+ − 170
$ret['count_unappr'] = $count_unappr;
+ − 171
$ret['auth_mod_comments'] = $this->perms->get_permissions('mod_comments');
+ − 172
$ret['auth_post_comments'] = $this->perms->get_permissions('post_comments');
+ − 173
$ret['auth_edit_comments'] = $this->perms->get_permissions('edit_comments');
748
e39454295bbb
Added makeSwitchable Dynano method for textareas; enabled support for makeSwitchable in comment runtime
Dan
diff
changeset
+ − 174
$ret['auth_edit_wysiwyg'] = $this->perms->get_permissions('edit_wysiwyg');
1
+ − 175
$ret['user_id'] = $session->user_id;
+ − 176
$ret['username'] = $session->username;
+ − 177
$ret['logged_in'] = $session->user_logged_in;
+ − 178
+ − 179
$ret['user_level'] = Array();
+ − 180
$ret['user_level']['guest'] = USER_LEVEL_GUEST;
+ − 181
$ret['user_level']['member'] = USER_LEVEL_MEMBER;
+ − 182
$ret['user_level']['mod'] = USER_LEVEL_MOD;
+ − 183
$ret['user_level']['admin'] = USER_LEVEL_ADMIN;
+ − 184
832
7152ca0a0ce9
Major redesign of rendering pipeline that separates pages saved with MCE from pages saved with the plaintext editor (full description in long commit message)
Dan
diff
changeset
+ − 185
$ret['approval_needed'] = ( getConfig('approve_comments', '0') == '1' );
1
+ − 186
$ret['guest_posting'] = getConfig('comments_need_login');
+ − 187
+ − 188
if ( $ret['guest_posting'] == '1' && !$session->user_logged_in )
+ − 189
{
+ − 190
$session->kill_captcha();
+ − 191
$ret['captcha'] = $session->make_captcha();
+ − 192
}
+ − 193
break;
+ − 194
case 'edit':
+ − 195
$cid = (string)$data['id'];
825
9d5c04c1414f
Added (very basic) spam filtering plugin support. Plugins can mark a message as spam by hooking into the spam check API, which is documented in functions.php. No spam checking functionality is built-in.
Dan
diff
changeset
+ − 196
if ( !ctype_digit($cid) || intval($cid) < 1 )
1
+ − 197
{
+ − 198
echo '{"mode":"error","error":"HACKING ATTEMPT"}';
+ − 199
return false;
+ − 200
}
+ − 201
$cid = intval($cid);
+ − 202
$q = $db->sql_query('SELECT c.user_id,c.approved FROM '.table_prefix.'comments c LEFT JOIN '.table_prefix.'users u ON (u.user_id=c.user_id) WHERE comment_id='.$cid.';');
+ − 203
if(!$q)
+ − 204
$db->die_json();
+ − 205
$row = $db->fetchrow();
+ − 206
$uid = intval($row['user_id']);
+ − 207
$can_edit = ( ( $uid == $session->user_id && $uid != 1 && $this->perms->get_permissions('edit_comments') ) || ( $this->perms->get_permissions('mod_comments') ) );
+ − 208
if(!$can_edit)
+ − 209
{
+ − 210
echo '{"mode":"error","error":"HACKING ATTEMPT"}';
+ − 211
return false;
+ − 212
}
+ − 213
$data['data'] = str_replace("\r", '', $data['data']); // Windows compatibility
+ − 214
$text = RenderMan::preprocess_text($data['data'], true, false);
+ − 215
$text2 = $db->escape($text);
+ − 216
$subj = $db->escape(htmlspecialchars($data['subj']));
+ − 217
$q = $db->sql_query('UPDATE '.table_prefix.'comments SET subject=\'' . $subj . '\',comment_data=\'' . $text2 . '\' WHERE comment_id=' . $cid . ';');
+ − 218
if(!$q)
+ − 219
$db->die_json();
+ − 220
$ret = Array(
+ − 221
'mode' => 'redraw',
+ − 222
'id' => $data['local_id'],
+ − 223
'subj' => htmlspecialchars($data['subj']),
+ − 224
'text' => RenderMan::render($text),
+ − 225
'src' => $text,
+ − 226
'approved' => $row['approved']
+ − 227
);
+ − 228
break;
+ − 229
case 'delete':
+ − 230
$cid = (string)$data['id'];
825
9d5c04c1414f
Added (very basic) spam filtering plugin support. Plugins can mark a message as spam by hooking into the spam check API, which is documented in functions.php. No spam checking functionality is built-in.
Dan
diff
changeset
+ − 231
if ( !ctype_digit($cid) || intval($cid) < 1 )
1
+ − 232
{
+ − 233
echo '{"mode":"error","error":"HACKING ATTEMPT"}';
+ − 234
return false;
+ − 235
}
+ − 236
$cid = intval($cid);
+ − 237
$q = $db->sql_query('SELECT c.user_id FROM '.table_prefix.'comments c LEFT JOIN '.table_prefix.'users u ON (u.user_id=c.user_id) WHERE comment_id='.$cid.';');
+ − 238
if(!$q)
+ − 239
$db->die_json();
+ − 240
$row = $db->fetchrow();
+ − 241
$uid = intval($row['user_id']);
+ − 242
$can_edit = ( ( $uid == $session->user_id && $uid != 1 && $this->perms->get_permissions('edit_comments') ) || ( $this->perms->get_permissions('mod_comments') ) );
+ − 243
if(!$can_edit)
+ − 244
{
+ − 245
echo '{"mode":"error","error":"HACKING ATTEMPT"}';
+ − 246
return false;
+ − 247
}
+ − 248
$q = $db->sql_query('DELETE FROM '.table_prefix.'comments WHERE comment_id='.$cid.';');
+ − 249
if(!$q)
+ − 250
$db->die_json();
+ − 251
$ret = Array(
+ − 252
'mode' => 'annihilate',
+ − 253
'id' => $data['local_id']
+ − 254
);
+ − 255
break;
+ − 256
case 'submit':
+ − 257
+ − 258
// Now for a huge round of security checks...
+ − 259
+ − 260
$errors = Array();
+ − 261
+ − 262
// Authorization
+ − 263
// Like the rest of the ACL system, this call is a one-stop check for ALL ACL entries.
+ − 264
if ( !$this->perms->get_permissions('post_comments') )
74
68469a95658d
Various bugfixes and cleanups, too much to remember... see the diffs for what got changed :-)
Dan
diff
changeset
+ − 265
$errors[] = 'The site security policy prevents your user account from posting comments;';
1
+ − 266
+ − 267
// Guest authorization
+ − 268
if ( getConfig('comments_need_login') == '2' && !$session->user_logged_in )
825
9d5c04c1414f
Added (very basic) spam filtering plugin support. Plugins can mark a message as spam by hooking into the spam check API, which is documented in functions.php. No spam checking functionality is built-in.
Dan
diff
changeset
+ − 269
$errors[] = $lang->get('comment_err_need_login');
1
+ − 270
+ − 271
// CAPTCHA code
+ − 272
if ( getConfig('comments_need_login') == '1' && !$session->user_logged_in )
+ − 273
{
+ − 274
$real_code = $session->get_captcha($data['captcha_id']);
825
9d5c04c1414f
Added (very basic) spam filtering plugin support. Plugins can mark a message as spam by hooking into the spam check API, which is documented in functions.php. No spam checking functionality is built-in.
Dan
diff
changeset
+ − 275
if ( strtolower($real_code) !== strtolower($data['captcha_code']) )
9d5c04c1414f
Added (very basic) spam filtering plugin support. Plugins can mark a message as spam by hooking into the spam check API, which is documented in functions.php. No spam checking functionality is built-in.
Dan
diff
changeset
+ − 276
$errors[] = $lang->get('comment_err_captcha_wrong');
263
d57af0b0302e
Major improvements in the security of the CAPTCHA system (no SQL injection or anything like that); fixed denied form submission due to _af_acting on form object wrongly switched to true
Dan
diff
changeset
+ − 277
$session->kill_captcha();
1
+ − 278
}
+ − 279
825
9d5c04c1414f
Added (very basic) spam filtering plugin support. Plugins can mark a message as spam by hooking into the spam check API, which is documented in functions.php. No spam checking functionality is built-in.
Dan
diff
changeset
+ − 280
// Spam check
9d5c04c1414f
Added (very basic) spam filtering plugin support. Plugins can mark a message as spam by hooking into the spam check API, which is documented in functions.php. No spam checking functionality is built-in.
Dan
diff
changeset
+ − 281
$spam_policy = getConfig('comment_spam_policy', 'moderate');
9d5c04c1414f
Added (very basic) spam filtering plugin support. Plugins can mark a message as spam by hooking into the spam check API, which is documented in functions.php. No spam checking functionality is built-in.
Dan
diff
changeset
+ − 282
$sc_name = ( $session->user_logged_in ) ? $session->username : $data['name'];
9d5c04c1414f
Added (very basic) spam filtering plugin support. Plugins can mark a message as spam by hooking into the spam check API, which is documented in functions.php. No spam checking functionality is built-in.
Dan
diff
changeset
+ − 283
$sc_mail = ( $session->user_logged_in ) ? $session->email : false;
9d5c04c1414f
Added (very basic) spam filtering plugin support. Plugins can mark a message as spam by hooking into the spam check API, which is documented in functions.php. No spam checking functionality is built-in.
Dan
diff
changeset
+ − 284
$sc_url = ( $session->user_logged_in ) ? $session->user_extra['user_homepage'] : false;
9d5c04c1414f
Added (very basic) spam filtering plugin support. Plugins can mark a message as spam by hooking into the spam check API, which is documented in functions.php. No spam checking functionality is built-in.
Dan
diff
changeset
+ − 285
$spamcheck = $spam_policy === 'accept' ? true : spamalyze($data['text'], $sc_name, $sc_mail, $sc_url);
9d5c04c1414f
Added (very basic) spam filtering plugin support. Plugins can mark a message as spam by hooking into the spam check API, which is documented in functions.php. No spam checking functionality is built-in.
Dan
diff
changeset
+ − 286
if ( !$spamcheck && $spam_policy === 'reject' )
9d5c04c1414f
Added (very basic) spam filtering plugin support. Plugins can mark a message as spam by hooking into the spam check API, which is documented in functions.php. No spam checking functionality is built-in.
Dan
diff
changeset
+ − 287
{
9d5c04c1414f
Added (very basic) spam filtering plugin support. Plugins can mark a message as spam by hooking into the spam check API, which is documented in functions.php. No spam checking functionality is built-in.
Dan
diff
changeset
+ − 288
$errors[] = $lang->get('comment_err_spamcheck_failed_rejected');
9d5c04c1414f
Added (very basic) spam filtering plugin support. Plugins can mark a message as spam by hooking into the spam check API, which is documented in functions.php. No spam checking functionality is built-in.
Dan
diff
changeset
+ − 289
}
9d5c04c1414f
Added (very basic) spam filtering plugin support. Plugins can mark a message as spam by hooking into the spam check API, which is documented in functions.php. No spam checking functionality is built-in.
Dan
diff
changeset
+ − 290
1
+ − 291
if ( count($errors) > 0 )
+ − 292
{
+ − 293
$ret = Array(
+ − 294
'mode' => 'error',
+ − 295
'error' => implode("\n", $errors)
+ − 296
);
+ − 297
}
+ − 298
else
+ − 299
{
+ − 300
// We're authorized!
+ − 301
+ − 302
// Preprocess
+ − 303
$name = ( $session->user_logged_in ) ? htmlspecialchars($session->username) : htmlspecialchars($data['name']);
+ − 304
$subj = htmlspecialchars($data['subj']);
+ − 305
$text = RenderMan::preprocess_text($data['text'], true, false);
+ − 306
$src = $text;
+ − 307
$sql_text = $db->escape($text);
+ − 308
$text = RenderMan::render($text);
832
7152ca0a0ce9
Major redesign of rendering pipeline that separates pages saved with MCE from pages saved with the plaintext editor (full description in long commit message)
Dan
diff
changeset
+ − 309
$appr = ( getConfig('approve_comments', '0') == '1' ) ? COMMENT_UNAPPROVED : COMMENT_APPROVED;
825
9d5c04c1414f
Added (very basic) spam filtering plugin support. Plugins can mark a message as spam by hooking into the spam check API, which is documented in functions.php. No spam checking functionality is built-in.
Dan
diff
changeset
+ − 310
if ( $appr === COMMENT_APPROVED && $spam_policy === 'moderate' && !$spamcheck )
9d5c04c1414f
Added (very basic) spam filtering plugin support. Plugins can mark a message as spam by hooking into the spam check API, which is documented in functions.php. No spam checking functionality is built-in.
Dan
diff
changeset
+ − 311
$appr = COMMENT_SPAM;
1
+ − 312
$time = time();
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 313
$date = enano_date('F d, Y h:i a', $time);
359
+ − 314
$ip = $_SERVER['REMOTE_ADDR'];
+ − 315
if ( !is_valid_ip($ip) )
+ − 316
die('Hacking attempt');
1
+ − 317
+ − 318
// Send it to the database
359
+ − 319
$q = $db->sql_query('INSERT INTO '.table_prefix.'comments(page_id,namespace,name,subject,comment_data,approved, time, user_id, ip_address) VALUES' . "\n " .
+ − 320
"('$this->page_id', '$this->namespace', '$name', '$subj', '$sql_text', $appr, $time, {$session->user_id}, '$ip');");
1
+ − 321
if(!$q)
+ − 322
$db->die_json();
+ − 323
+ − 324
// Re-fetch
621
+ − 325
$q = $db->sql_query('SELECT c.comment_id,c.name,c.subject,c.comment_data,c.time,c.approved,u.user_level,u.user_id,u.email,u.signature,u.user_has_avatar,u.avatar_type FROM '.table_prefix.'comments AS c
1
+ − 326
LEFT JOIN '.table_prefix.'users AS u
+ − 327
ON (u.user_id=c.user_id)
+ − 328
WHERE page_id=\'' . $this->page_id . '\'
+ − 329
AND namespace=\'' . $this->namespace . '\'
+ − 330
AND time='.$time.' ORDER BY comment_id DESC LIMIT 1;');
+ − 331
if(!$q)
+ − 332
$db->die_json();
+ − 333
+ − 334
$row = $db->fetchrow();
+ − 335
$db->free_result();
+ − 336
$row['time'] = $date;
+ − 337
$row['comment_data'] = $text;
+ − 338
$row['comment_source'] = $src;
+ − 339
$ret = Array(
+ − 340
'mode' => 'materialize'
+ − 341
);
+ − 342
$ret = enano_safe_array_merge($ret, $row);
+ − 343
+ − 344
$ret['auth_mod_comments'] = $this->perms->get_permissions('mod_comments');
+ − 345
$ret['auth_post_comments'] = $this->perms->get_permissions('post_comments');
+ − 346
$ret['auth_edit_comments'] = $this->perms->get_permissions('edit_comments');
+ − 347
$ret['user_id'] = $session->user_id;
541
acb7e23b6ffa
Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
Dan
diff
changeset
+ − 348
$ret['rank_data'] = $session->get_user_rank($session->user_id);
1
+ − 349
$ret['username'] = $session->username;
+ − 350
$ret['logged_in'] = $session->user_logged_in;
+ − 351
$ret['signature'] = RenderMan::render($row['signature']);
+ − 352
+ − 353
$ret['user_level_list'] = Array();
+ − 354
$ret['user_level_list']['guest'] = USER_LEVEL_GUEST;
+ − 355
$ret['user_level_list']['member'] = USER_LEVEL_MEMBER;
+ − 356
$ret['user_level_list']['mod'] = USER_LEVEL_MOD;
+ − 357
$ret['user_level_list']['admin'] = USER_LEVEL_ADMIN;
621
+ − 358
$ret['avatar_path'] = make_avatar_url($row['user_id'], $row['avatar_type'], $row['email']);
1
+ − 359
}
+ − 360
+ − 361
break;
+ − 362
case 'approve':
+ − 363
if ( !$this->perms->get_permissions('mod_comments') )
+ − 364
{
+ − 365
$ret = Array(
+ − 366
'mode' => 'error',
+ − 367
'error' => 'You are not authorized to moderate comments.'
+ − 368
);
334
c72b545f1304
More localization work. Resolved major issue with JSON parser not parsing files over ~50KB. Switched JSON parser to the one from the Zend Framework (BSD licensed). Forced to split enano.json into five different files.
Dan
diff
changeset
+ − 369
echo enano_json_encode($ret);
1
+ − 370
return $ret;
+ − 371
}
+ − 372
+ − 373
$cid = (string)$data['id'];
825
9d5c04c1414f
Added (very basic) spam filtering plugin support. Plugins can mark a message as spam by hooking into the spam check API, which is documented in functions.php. No spam checking functionality is built-in.
Dan
diff
changeset
+ − 374
if ( !ctype_digit($cid) || intval($cid) < 1 )
1
+ − 375
{
+ − 376
echo '{"mode":"error","error":"HACKING ATTEMPT"}';
+ − 377
return false;
+ − 378
}
+ − 379
$cid = intval($cid);
+ − 380
$q = $db->sql_query('SELECT subject,approved FROM '.table_prefix.'comments WHERE comment_id='.$cid.';');
+ − 381
if(!$q || $db->numrows() < 1)
+ − 382
$db->die_json();
+ − 383
$row = $db->fetchrow();
+ − 384
$db->free_result();
+ − 385
$appr = ( $row['approved'] == '1' ) ? '0' : '1';
+ − 386
$q = $db->sql_query('UPDATE '.table_prefix."comments SET approved=$appr WHERE comment_id=$cid;");
+ − 387
if (!$q)
+ − 388
$db->die_json();
+ − 389
+ − 390
$ret = Array(
+ − 391
'mode' => 'redraw',
+ − 392
'approved' => $appr,
+ − 393
'subj' => $row['subject'],
29
e5484a9e0818
Rewrote change theme dialog; a few minor stability fixes here and there; fixed IE + St Patty background image
Dan
diff
changeset
+ − 394
'id' => $data['local_id'],
e5484a9e0818
Rewrote change theme dialog; a few minor stability fixes here and there; fixed IE + St Patty background image
Dan
diff
changeset
+ − 395
'approve_updated' => 'yes'
1
+ − 396
);
+ − 397
+ − 398
break;
359
+ − 399
case 'view_ip':
+ − 400
if ( !$session->get_permissions('mod_comments') )
+ − 401
{
+ − 402
return array(
+ − 403
'mode' => 'error',
+ − 404
'error' => 'Unauthorized'
+ − 405
);
+ − 406
}
+ − 407
// fetch comment info
+ − 408
if ( !is_int($data['id']) )
+ − 409
{
+ − 410
return array(
+ − 411
'mode' => 'error',
+ − 412
'error' => 'Unauthorized'
+ − 413
);
+ − 414
}
+ − 415
$id =& $data['id'];
+ − 416
$q = $db->sql_query('SELECT ip_address, name FROM ' . table_prefix . 'comments WHERE comment_id = ' . $id . ';');
+ − 417
if ( !$q || $db->numrows() < 1 )
+ − 418
{
+ − 419
$db->die_json();
+ − 420
}
+ − 421
list($ip_addr, $name) = $db->fetchrow_num($q);
+ − 422
$db->free_result();
+ − 423
$name = $db->escape($name);
+ − 424
$username = $db->escape($session->username);
+ − 425
// log this action
+ − 426
$q = $db->sql_query('INSERT INTO ' . table_prefix . "logs(time_id, log_type, action, page_text, author, edit_summary) VALUES\n "
+ − 427
. "( " . time() . ", 'security', 'view_comment_ip', '$name', '$username', '{$_SERVER['REMOTE_ADDR']}' );");
+ − 428
if ( !$q )
+ − 429
$db->die_json();
+ − 430
+ − 431
// send packet
+ − 432
$ret = array(
+ − 433
'mode' => 'redraw',
+ − 434
'ip_addr' => $ip_addr,
+ − 435
'local_id' => $data['local_id']
+ − 436
);
+ − 437
break;
1
+ − 438
default:
+ − 439
$ret = Array(
+ − 440
'mode' => 'error',
+ − 441
'error' => $data['mode'] . ' is not a valid request mode'
+ − 442
);
+ − 443
break;
+ − 444
}
334
c72b545f1304
More localization work. Resolved major issue with JSON parser not parsing files over ~50KB. Switched JSON parser to the one from the Zend Framework (BSD licensed). Forced to split enano.json into five different files.
Dan
diff
changeset
+ − 445
echo enano_json_encode($ret);
1
+ − 446
return $ret;
+ − 447
}
+ − 448
+ − 449
} // class Comments
+ − 450