<?php
/*
* Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between
* Version 1.1.1
* Copyright (C) 2006-2007 Dan Fuhry
* pageutils.php - a class that handles raw page manipulations, used mostly by AJAX requests or their old-fashioned form-based counterparts
*
* This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied
* warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for details.
*/
class PageUtils {
/**
 * Tell whether a username is already taken.
 * Underscores in the name are treated as spaces and the value is URL-decoded before the lookup.
 * @param string $name the username to check (may be URL-encoded)
 * @return string 'good' if the name is free, 'bad' if a user with that name already exists
 */
public static function checkusername($name)
{
  global $db, $session, $paths, $template, $plugins; // Common objects

  $lookup = rawurldecode(str_replace('_', ' ', $name));
  $sql = 'SELECT username FROM ' . table_prefix . 'users WHERE username=\'' . $db->escape($lookup) . '\'';

  $result = $db->sql_query($sql);
  if ( !$result )
  {
    die($db->get_error());
  }

  // The name is free exactly when no row matched
  $taken = ( $db->numrows() >= 1 );
  $db->free_result();

  return $taken ? 'bad' : 'good';
}
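/**
 * Get the wiki formatting source for a page.
 * @param string $page the full page id (Namespace:Pagename)
 * @param string|bool $password the page password in the same form as the stored 40-character value,
 *                              or false if none was supplied
 * @return string the HTML-escaped page source; '' if the page is unknown or has no text row;
 *                'invalid_password' if the page is password-protected and the password is missing or wrong;
 *                'access_denied' if the session lacks the view_source permission
 */
public static function getsource($page, $password = false)
{
  global $db, $session, $paths, $template, $plugins; // Common objects

  if ( !isset($paths->pages[$page]) )
  {
    return '';
  }

  // A 40-character stored value means the page is password-protected; anything else means it is not.
  if ( strlen($paths->pages[$page]['password']) == 40 )
  {
    // Strict comparison: a loose != would compare numeric-looking strings (e.g. "0e...") as numbers.
    if ( !$password || $password !== $paths->pages[$page]['password'] )
    {
      return 'invalid_password';
    }
  }

  // Dependencies handle this for us - this also checks for read privileges
  if ( !$session->get_permissions('view_source') )
  {
    return 'access_denied';
  }

  $pid = RenderMan::strToPageID($page);
  if ( $pid[1] == 'Special' || $pid[1] == 'Admin' )
  {
    die('This type of page (' . $paths->nslist[$pid[1]] . ') cannot be edited because the page source code is not stored in the database.');
  }

  // Escape both key parts; the same values are escaped when the row is inserted, so they may contain quotes.
  $e = $db->sql_query('SELECT page_text,char_tag FROM ' . table_prefix . 'page_text WHERE page_id=\'' . $db->escape($pid[0]) . '\' AND namespace=\'' . $db->escape($pid[1]) . '\'');
  if ( !$e )
  {
    $db->_die('The page text could not be selected.');
  }
  if ( $db->numrows() < 1 )
  {
    // No text row for this page - report it as empty rather than as a fatal error
    return '';
  }

  $r = $db->fetchrow();
  $db->free_result();

  return htmlspecialchars($r['page_text']);
}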
/**
 * DEPRECATED. Previously returned the full rendered contents of a page; calling it now aborts the request.
 * @param $page the full page id (Namespace:Pagename) - ignored
 * @param $send_headers true if the theme headers should be sent - ignored
 * @param $hist_id ignored
 * @return string never returns; the script is terminated with a deprecation message
 */
public static function getpage($page, $send_headers = false, $hist_id = false)
{
  // The parameters are kept only so that old call sites still resolve.
  exit('PageUtils->getpage is deprecated.');
}
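/**
 * Writes page data to the database, after verifying permissions and running the XSS filter.
 * If the page does not exist yet it is created first via PageUtils::createPage().
 * @param string $page_id the page ID
 * @param string $namespace the namespace
 * @param string $message the text to save
 * @param string $summary edit summary for the history entry; stored HTML-escaped
 * @param bool $minor true if the edit should be recorded as minor
 * @return string 'good' on success, otherwise a human-readable error string (query failures call $db->_die())
 */
public static function savepage($page_id, $namespace, $message, $summary = 'No edit summary given', $minor = false)
{
  global $db, $session, $paths, $template, $plugins; // Common objects

  // Tag shared by the log row and the page_text row so the two can be matched later
  $uid = sha1(microtime());
  $pname = $paths->nslist[$namespace] . $page_id;

  if ( !$session->get_permissions('edit_page') )
  {
    return 'Access to edit pages is denied.';
  }

  if ( !isset($paths->pages[$pname]) )
  {
    $create = PageUtils::createPage($page_id, $namespace);
    if ( $create !== 'good' )
    {
      return 'The page did not exist, and I was not able to create it. The reported error was: ' . $create;
    }
    $paths->page_exists = true;
  }

  // Check page protection
  $page_data = $paths->pages[$pname];
  $is_protected = false;
  if ( $page_data['protected'] == 2 )
  {
    // Semi-protected: editable once the account is at least 4 days (345600 seconds) old
    $is_protected = !( $session->user_logged_in && ( $session->reg_time + 345600 ) <= time() );
  }
  else if ( $page_data['protected'] == 1 )
  {
    // Fully protected
    $is_protected = true;
  }

  // If it's protected and we DON'T have even_when_protected rights, bail out
  if ( $is_protected && !$session->get_permissions('even_when_protected') )
  {
    return 'You don\'t have the necessary permissions to edit this page.';
  }

  // We're skipping the wiki mode check here because by default edit_page permissions are AUTH_WIKIMODE.
  // The exception here is the user's own userpage, which is overridden at the time of account creation.
  // At that point it's set to AUTH_ALLOW, but obviously only for the user's own userpage.

  // Strip potentially harmful tags and PHP from the message, dependent upon permissions settings
  $message = RenderMan::preprocess_text($message, false, false);
  $msg = $db->escape($message);

  $minor_sql = $minor ? ENANO_SQL_BOOLEAN_TRUE : ENANO_SQL_BOOLEAN_FALSE;

  // History entry. NOTE(review): this row is keyed on $paths->page_id / $paths->namespace (the page of the
  // current request) rather than on the $page_id / $namespace being saved; kept as-is, only escaped - confirm intent.
  $q = 'INSERT INTO ' . table_prefix . 'logs(log_type,action,time_id,date_string,page_id,namespace,page_text,char_tag,author,edit_summary,minor_edit) VALUES(\'page\', \'edit\', ' . time() . ', \'' . enano_date('d M Y h:i a') . '\', \'' . $db->escape($paths->page_id) . '\', \'' . $db->escape($paths->namespace) . '\', ' . ENANO_SQL_MULTISTRING_PRFIX . '\'' . $msg . '\', \'' . $uid . '\', \'' . $db->escape($session->username) . '\', \'' . $db->escape(htmlspecialchars($summary)) . '\', ' . $minor_sql . ');';
  if ( !$db->sql_query($q) )
  {
    $db->_die('The history (log) entry could not be inserted into the logs table.');
  }

  // Page text itself. $page_id and $namespace are caller-supplied, so escape them as createPage() does.
  $q = 'UPDATE ' . table_prefix . 'page_text SET page_text=' . ENANO_SQL_MULTISTRING_PRFIX . '\'' . $msg . '\',char_tag=\'' . $uid . '\' WHERE page_id=\'' . $db->escape($page_id) . '\' AND namespace=\'' . $db->escape($namespace) . '\';';
  if ( !$db->sql_query($q) )
  {
    $db->_die('Enano was unable to save the page contents. Your changes have been lost <tt>:\'(</tt>.');
  }

  $paths->rebuild_page_index($page_id, $namespace);

  return 'good';
}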
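/**
 * Creates a page, both in memory (in $paths) and in the database.
 * @param string $page_id the page ID; run through dirtify_page_id() and then sanitize_page_id() before use
 * @param string $namespace the namespace; must be a key of $paths->nslist and neither Special nor Admin
 * @param string|bool $name display name; when false it is derived from $page_id with underscores turned into spaces
 * @param bool|int $visible whether the page is listed; written to both the in-memory record and the pages row
 * @return string 'good' on success; otherwise a human-readable error string, or $db->get_error() if an insert failed
 */
public static function createPage($page_id, $namespace, $name = false, $visible = 1)
{
  global $db, $session, $paths, $template, $plugins; // Common objects

  if ( in_array($namespace, array('Special', 'Admin'), true) )
  {
    return 'You can\'t create a special page in the database';
  }

  if ( !isset($paths->nslist[$namespace]) )
  {
    return 'Couldn\'t look up the namespace';
  }

  $pname = $paths->nslist[$namespace] . $page_id;
  if ( isset($paths->pages[$pname]) )
  {
    return 'Page already exists';
  }

  if ( !$session->get_permissions('create_page') )
  {
    return 'Not authorized to create pages';
  }

  if ( $session->user_level < USER_LEVEL_ADMIN && $namespace == 'System' )
  {
    return 'Not authorized to create system messages';
  }

  // "Project:" is a parser shortcut, so a page carrying that prefix could never be linked to
  if ( substr($page_id, 0, 8) == 'Project:' )
  {
    return 'The prefix "Project:" is reserved for a parser shortcut; if a page was created using this prefix, it would not be possible to link to it.';
  }

  $page_id = dirtify_page_id($page_id);

  if ( !$name )
  {
    $name = str_replace('_', ' ', $page_id);
  }

  $page_id = sanitize_page_id($page_id);

  // System messages are always created fully protected
  $prot = ( $namespace == 'System' ) ? 1 : 0;
  // Single flag used for both the in-memory record and the pages row so the two cannot disagree
  $visible_flag = $visible ? 1 : 0;

  $ips = array(
    'ip' => array(),
    'u' => array()
  );

  $page_data = array(
    'name' => $name,
    'urlname' => $page_id,
    'namespace' => $namespace,
    'special' => 0,
    'visible' => $visible_flag,
    'comments_on' => 0,
    'protected' => $prot,
    'delvotes' => 0,
    'delvote_ips' => serialize($ips),
    'wiki_mode' => 2,
  );

  $paths->add_page($page_data);

  $ns_sql = $db->escape($namespace);
  $qa = $db->sql_query('INSERT INTO ' . table_prefix . 'pages(name,urlname,namespace,visible,protected,delvote_ips) VALUES(\'' . $db->escape($name) . '\', \'' . $db->escape($page_id) . '\', \'' . $ns_sql . '\', ' . $visible_flag . ', ' . $prot . ', \'' . $db->escape(serialize($ips)) . '\');');
  $qb = $db->sql_query('INSERT INTO ' . table_prefix . 'page_text(page_id,namespace) VALUES(\'' . $db->escape($page_id) . '\', \'' . $ns_sql . '\');');
  $qc = $db->sql_query('INSERT INTO ' . table_prefix . 'logs(time_id,date_string,log_type,action,author,page_id,namespace) VALUES(' . time() . ', \'' . enano_date('d M Y h:i a') . '\', \'page\', \'create\', \'' . $db->escape($session->username) . '\', \'' . $db->escape($page_id) . '\', \'' . $ns_sql . '\');');

  if ( $qa && $qb && $qc )
  {
    return 'good';
  }
  return $db->get_error();
}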
/**
* Sets the protection level on a page.
* @param $page_id string the page ID
* @param $namespace string the namespace
* @param $level int level of protection - 0 is off, 1 is full, 2 is semi
* @param $reason string why the page is being (un)protected
* @return string - "good" on success, in all other cases, an error string (on query failure, calls $db->_die() )
*/
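public static function protect($page_id, $namespace, $level, $reason)
{
  global $db, $session, $paths, $template, $plugins; // Common objects

  // Authorization before anything else, so an unauthorized caller learns
  // nothing about whether the page exists or is in wiki mode.
  if ( !$session->get_permissions('protect') )
  {
    return('Insufficient access rights');
  }

  // $namespace is used both as a key into nslist and as a value in the SQL
  // below; an unknown key would silently resolve to an empty prefix, so
  // reject it before it is used anywhere.
  if ( !isset($paths->nslist[$namespace]) )
  {
    return('PageUtils::protect(): Invalid namespace');
  }

  $pname = $paths->nslist[$namespace] . $page_id;
  if ( !isset($paths->pages[$pname]) )
  {
    return("Page doesn't exist");
  }
  $page = $paths->pages[$pname];

  // Protection only matters in wiki mode: either set on the page itself
  // (wiki_mode == 1) or inherited from the site-wide setting (wiki_mode == 2).
  $wiki = ( ( $page['wiki_mode'] == 2 && getConfig('wiki_mode') == '1' ) || $page['wiki_mode'] == 1 );
  if ( !$wiki )
  {
    return('Page protection only has an effect when Wiki Mode is enabled.');
  }

  // $level normally arrives as a string from the request: accept a
  // non-negative integer only, then map it to the log action in one place
  // (0 = off, 1 = full, 2 = semi).
  if ( !preg_match('#^[0-9]+$#', (string)$level) )
  {
    return('Invalid $level parameter.');
  }
  $level = intval($level);
  $actions = array(
      0 => 'unprot',
      1 => 'prot',
      2 => 'semiprot'
    );
  if ( !isset($actions[$level]) )
  {
    return('PageUtils::protect(): Invalid value for $level');
  }

  // Every interpolated string is passed through $db->escape(); $level is an
  // int by now. The reason is HTML-escaped at insert time, which is how the
  // rest of the logs table is populated.
  $q = 'INSERT INTO ' . table_prefix.'logs(time_id,date_string,log_type,action,author,page_id,namespace,edit_summary) VALUES('.time().', \''.enano_date('d M Y h:i a').'\', \'page\', \'' . $actions[$level] . '\', \'' . $db->escape($session->username) . '\', \'' . $db->escape($page_id) . '\', \'' . $db->escape($namespace) . '\', \'' . $db->escape(htmlspecialchars($reason)) . '\');';
  if ( !$db->sql_query($q) )
  {
    $db->_die('The log entry for the page protection could not be inserted.');
  }

  $q = $db->sql_query('UPDATE ' . table_prefix.'pages SET protected=' . $level . ' WHERE urlname=\'' . $db->escape($page_id) . '\' AND namespace=\'' . $db->escape($namespace) . '\';');
  if ( !$q )
  {
    $db->_die('The pages table was not updated.');
  }

  return('good');
}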
/**
* Generates an HTML table with history information in it.
* @param $page_id the page ID
* @param $namespace the namespace
* @return string
*/
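public static function histlist($page_id, $namespace)
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  global $lang;

  if ( !$session->get_permissions('history_view') )
  {
    return 'Access denied';
  }

  // Both queries below are scoped by the parameters rather than by
  // $paths->page_id / $paths->namespace, so the history shown always belongs
  // to the page the caller asked for. Escape once and reuse in both queries.
  $page_id_db = $db->escape($page_id);
  $namespace_db = $db->escape($namespace);
  $page_title = htmlspecialchars($paths->cpage['name']);

  // Label keys for the protection actions in the "other actions" table; all
  // three share the same "reason" format in the extra column.
  $prot_labels = array(
      'prot'     => 'history_log_protect',
      'unprot'   => 'history_log_unprotect',
      'semiprot' => 'history_log_semiprotect'
    );

  ob_start();

  //
  // Edit history, with diff selection
  //

  $q = 'SELECT log_id,time_id,date_string,page_id,namespace,author,edit_summary,minor_edit FROM ' . table_prefix.'logs WHERE log_type=\'page\' AND action=\'edit\' AND page_id=\'' . $page_id_db . '\' AND namespace=\'' . $namespace_db . '\' AND is_draft != 1 ORDER BY time_id DESC;';
  if ( !$db->sql_query($q) )
  {
    $db->_die('The history data for the page "' . $page_title . '" could not be selected.');
  }

  echo $lang->get('history_page_subtitle') . '
<h3>' . $lang->get('history_heading_edits') . '</h3>';

  $numrows = $db->numrows();
  if ( $numrows < 1 )
  {
    echo $lang->get('history_no_entries');
  }
  else
  {
    echo '<form action="'.makeUrlNS($namespace, $page_id, 'do=diff').'" onsubmit="ajaxHistDiff(); return false;" method="get">
<input type="submit" value="' . $lang->get('history_btn_compare') . '" />
' . ( urlSeparator == '&' ? '<input type="hidden" name="title" value="' . htmlspecialchars($paths->nslist[$namespace] . $page_id) . '" />' : '' ) . '
' . ( $session->sid_super ? '<input type="hidden" name="auth" value="' . $session->sid_super . '" />' : '' ) . '
<input type="hidden" name="do" value="diff" />
<br /><span> </span>
<div class="tblholder">
<table border="0" width="100%" cellspacing="1" cellpadding="4">
<tr>
<th colspan="2">' . $lang->get('history_col_diff') . '</th>
<th>' . $lang->get('history_col_datetime') . '</th>
<th>' . $lang->get('history_col_user') . '</th>
<th>' . $lang->get('history_col_summary') . '</th>
<th>' . $lang->get('history_col_minor') . '</th>
<th colspan="3">' . $lang->get('history_col_actions') . '</th>
</tr>'."\n"."\n";

    $cls = 'row2';
    $ticker = 0;

    while ( $r = $db->fetchrow() )
    {
      $ticker++;
      $cls = ( $cls == 'row2' ) ? 'row1' : 'row2';

      echo '<tr>'."\n";

      // Diff selection. Rows are newest-first: the newest row has no "diff1"
      // radio and is preselected as "diff2"; the second row is preselected as
      // "diff1"; the oldest row has no "diff2" radio.
      $s1 = ( $ticker == 2 ) ? 'checked="checked" ' : '';
      $s2 = ( $ticker == 1 ) ? 'checked="checked" ' : '';
      if ( $ticker > 1 )
      {
        echo '<td class="' . $cls . '" style="padding: 0;"><input ' . $s1 . 'name="diff1" type="radio" value="' . $r['time_id'] . '" id="diff1_' . $r['time_id'] . '" class="clsDiff1Radio" onclick="selectDiff1Button(this);" /></td>'."\n";
      }
      else
      {
        echo '<td class="' . $cls . '"></td>';
      }
      if ( $ticker < $numrows )
      {
        echo '<td class="' . $cls . '" style="padding: 0;"><input ' . $s2 . 'name="diff2" type="radio" value="' . $r['time_id'] . '" id="diff2_' . $r['time_id'] . '" class="clsDiff2Radio" onclick="selectDiff2Button(this);" /></td>'."\n";
      }
      else
      {
        echo '<td class="' . $cls . '"></td>';
      }

      // Date and time (closing tags carry no attributes)
      echo '<td class="' . $cls . '" style="white-space: nowrap;">' . enano_date('d M Y h:i a', intval($r['time_id'])) . '</td>'."\n";

      // User. The reverse-DNS hook is offered only to moderators and only
      // when the author is an IP address (anonymous edit); is_valid_ip()
      // vouches for the value before it is placed in the onclick string.
      $rc = '';
      if ( $session->get_permissions('mod_misc') && is_valid_ip($r['author']) )
      {
        $rc = ' style="cursor: pointer;" title="' . $lang->get('history_tip_rdns') . '" onclick="ajaxReverseDNS(this, \'' . $r['author'] . '\');"';
      }
      $author_cls = isPage($paths->nslist['User'] . sanitize_page_id($r['author'])) ? '' : 'class="wikilink-nonexistent"';
      echo '<td class="' . $cls . '"' . $rc . '><a href="'.makeUrlNS('User', sanitize_page_id($r['author'])).'" ' . $author_cls . '>' . htmlspecialchars($r['author']) . '</a></td>'."\n";

      // Edit summary
      // NOTE(review): emitted as stored; this relies on summaries having been
      // sanitized at insert time (see the comment in the table below) - confirm.
      if ( $r['edit_summary'] == 'Automatic backup created when logs were purged' )
      {
        $r['edit_summary'] = $lang->get('history_summary_clearlogs');
      }
      echo '<td class="' . $cls . '">' . $r['edit_summary'] . '</td>'."\n";

      // Minor edit
      echo '<td class="' . $cls . '" style="text-align: center;">' . ( $r['minor_edit'] ? 'M' : '' ) . '</td>'."\n";

      // Actions: view this revision, the author's contributions, restore it
      echo '<td class="' . $cls . '" style="text-align: center;"><a rel="nofollow" href="'.makeUrlNS($namespace, $page_id, 'oldid=' . $r['log_id']) . '" onclick="ajaxHistView(\'' . $r['log_id'] . '\'); return false;">' . $lang->get('history_action_view') . '</a></td>'."\n";
      echo '<td class="' . $cls . '" style="text-align: center;"><a rel="nofollow" href="'.makeUrl($paths->nslist['Special'].'Contributions/' . $r['author']) . '">' . $lang->get('history_action_contrib') . '</a></td>'."\n";
      echo '<td class="' . $cls . '" style="text-align: center;"><a rel="nofollow" href="'.makeUrlNS($namespace, $page_id, 'do=edit&revid=' . $r['log_id']) . '" onclick="ajaxEditor(\'' . $r['log_id'] . '\'); return false;">' . $lang->get('history_action_restore') . '</a></td>'."\n";

      echo '</tr>'."\n"."\n";
    }

    echo '</table>
</div>
<br />
<input type="hidden" name="do" value="diff" />
<input type="submit" value="' . $lang->get('history_btn_compare') . '" />
</form>
<script type="text/javascript">if ( !KILL_SWITCH ) { buildDiffList(); }</script>';
  }
  $db->free_result();

  //
  // Other logged actions (protection, rename, create, delete, re-upload, ...)
  //

  echo '<h3>' . $lang->get('history_heading_other') . '</h3>';

  $q = 'SELECT log_id,time_id,action,date_string,page_id,namespace,author,edit_summary,minor_edit FROM ' . table_prefix.'logs WHERE log_type=\'page\' AND action!=\'edit\' AND page_id=\'' . $page_id_db . '\' AND namespace=\'' . $namespace_db . '\' ORDER BY time_id DESC;';
  if ( !$db->sql_query($q) )
  {
    $db->_die('The history data for the page "' . $page_title . '" could not be selected.');
  }

  if ( $db->numrows() < 1 )
  {
    echo $lang->get('history_no_entries');
  }
  else
  {
    echo '<div class="tblholder">
<table border="0" width="100%" cellspacing="1" cellpadding="4"><tr>
<th>' . $lang->get('history_col_datetime') . '</th>
<th>' . $lang->get('history_col_user') . '</th>
<th>' . $lang->get('history_col_minor') . '</th>
<th>' . $lang->get('history_col_action_taken') . '</th>
<th>' . $lang->get('history_col_extra') . '</th>
<th colspan="2"></th>
</tr>';

    $cls = 'row2';
    while ( $r = $db->fetchrow() )
    {
      $cls = ( $cls == 'row2' ) ? 'row1' : 'row2';

      echo '<tr>';

      // Date and time
      echo '<td class="' . $cls . '">' . enano_date('d M Y h:i a', intval($r['time_id'])) . '</td>';

      // User
      $author_cls = isPage($paths->nslist['User'] . sanitize_page_id($r['author'])) ? '' : 'class="wikilink-nonexistent"';
      echo '<td class="' . $cls . '"><a href="'.makeUrlNS('User', sanitize_page_id($r['author'])).'" ' . $author_cls . '>' . htmlspecialchars($r['author']) . '</a></td>';

      // Minor edit
      echo '<td class="' . $cls . '" style="text-align: center;">' . ( $r['minor_edit'] ? 'M' : '' ) . '</td>';

      // Action taken, then the "extra" column (reason / old title).
      // Some of these are sanitized at insert-time. Others follow the newer Enano policy of stripping HTML at runtime.
      echo '<td class="' . $cls . '">';
      $action = $r['action'];
      $extra_open = '</td><td class="' . $cls . '">';
      if ( isset($prot_labels[$action]) )
      {
        $reason = ( $r['edit_summary'] === '__REVERSION__' ) ? $lang->get('history_extra_protection_reversion') : htmlspecialchars($r['edit_summary']);
        echo $lang->get($prot_labels[$action]) . $extra_open . $lang->get('history_extra_reason') . ' ' . $reason;
      }
      elseif ( $action == 'rename' )
      {
        echo $lang->get('history_log_rename') . $extra_open . $lang->get('history_extra_oldtitle') . ' ' . htmlspecialchars($r['edit_summary']);
      }
      elseif ( $action == 'create' )
      {
        echo $lang->get('history_log_create') . $extra_open;
      }
      elseif ( $action == 'delete' )
      {
        // NOTE(review): the deletion reason is emitted as stored, presumably
        // one of the insert-time sanitized cases mentioned above - confirm.
        echo $lang->get('history_log_delete') . $extra_open . $lang->get('history_extra_reason') . ' ' . $r['edit_summary'];
      }
      elseif ( $action == 'reupload' )
      {
        echo $lang->get('history_log_uploadnew') . $extra_open . $lang->get('history_extra_reason') . ' ' . htmlspecialchars($r['edit_summary']);
      }
      else
      {
        // No label for this action; still open the extra column so the row
        // has the same number of cells as the header.
        echo htmlspecialchars($action) . $extra_open;
      }
      echo '</td>';

      // Actions: the author's contributions, revert this action
      echo '<td class="' . $cls . '" style="text-align: center;"><a rel="nofollow" href="'.makeUrl($paths->nslist['Special'].'Contributions/' . $r['author']) . '">' . $lang->get('history_action_contrib') . '</a></td>';
      echo '<td class="' . $cls . '" style="text-align: center;"><a rel="nofollow" href="'.makeUrlNS($namespace, $page_id, 'do=rollback&id=' . $r['log_id']) . '" onclick="ajaxRollback(\'' . $r['log_id'] . '\'); return false;">' . $lang->get('history_action_revert') . '</a></td>';

      echo '</tr>';
    }
    echo '</table></div>';
  }
  $db->free_result();

  $ret = ob_get_contents();
  ob_end_clean();
  return $ret;
}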
/**
* Rolls back a logged action
* @param $id the time ID, a.k.a. the primary key in the logs table
* @return string
*/
public static function rollback($id)
{
global $db, $session, $paths, $template, $plugins; // Common objects
global $lang;
// FIXME: l10n
if ( !$session->get_permissions('history_rollback') )
{
return('You are not authorized to perform rollbacks.');
}
if ( !preg_match('#^([0-9]+)$#', (string)$id) )
{
return('The value "id" on the query string must be an integer.');
}
$e = $db->sql_query('SELECT time_id,log_type,action,date_string,page_id,namespace,page_text,char_tag,author,edit_summary FROM ' . table_prefix.'logs WHERE log_id=' . $id . ';');
if ( !$e )
{
$db->_die('The rollback data could not be selected.');
}
$rb = $db->fetchrow();
$db->free_result();
if ( $rb['log_type'] == 'page' && $rb['action'] != 'delete' )
{
$pagekey = $paths->nslist[$rb['namespace']] . $rb['page_id'];
if ( !isset($paths->pages[$pagekey]) )
{
return "Page doesn't exist";
}
$pagedata =& $paths->pages[$pagekey];
$protected = false;
// Special case: is the page protected? if so, check for even_when_protected permissions
if($pagedata['protected'] == 2)
{
// The page is semi-protected, determine permissions
if($session->user_logged_in && $session->reg_time + 60*60*24*4 < time())
{
$protected = false;
}
else
{
$protected = true;
}
}
else
{
$protected = ( $pagedata['protected'] == 1 );
}
$perms = $session->fetch_page_acl($rb['page_id'], $rb['namespace']);
if ( $protected && !$perms->get_permissions('even_when_protected') )
{
return "Because this page is protected, you need moderator rights to roll back changes.";
}
}
else
{
$perms =& $session;
}
switch($rb['log_type'])
{
case "page":
switch($rb['action'])
{
// Support for rolling back edits removed in 1.1.2 - moved to page editor system
case "rename":
if ( !$perms->get_permissions('rename') )
return "You don't have permission to rename pages, so rolling back renames can't be allowed either.";
$t = $rb['edit_summary'];
// result prediction
$subst = array(
'page_name_old' => get_page_title_ns($rb['page_id'], $rb['namespace']),
'page_name_new' => $t
);
$e = PageUtils::rename($rb['page_id'], $rb['namespace'], $t);
$e = ( $e == $lang->get('ajax_rename_success', $subst) );
if ( !$e )
{
return "An error occurred during the rollback operation.\nMySQL said: ".$db->get_error()."\n\nSQL backtrace:\n".$db->sql_backtrace();
}
else
{
return 'The page "' . htmlspecialchars($paths->pages[$paths->nslist[$rb['namespace']].$rb['page_id']]['name']) . '" has been rolled back to the name it had ("' . htmlspecialchars($rb['edit_summary']) . '") before ' . enano_date('d M Y h:i a', intval($rb['time_id'])) . '.';
}
break;
case "prot":
if ( !$perms->get_permissions('protect') )
return "You don't have permission to protect pages, so rolling back protection can't be allowed either.";
$e = $db->sql_query('UPDATE ' . table_prefix.'pages SET protected=0 WHERE urlname=\'' . $rb['page_id'] . '\' AND namespace=\'' . $rb['namespace'] . '\'');
if ( !$e )
return "An error occurred during the rollback operation.\nMySQL said: ".$db->get_error()."\n\nSQL backtrace:\n".$db->sql_backtrace();
else
return 'The page "' . $paths->pages[$paths->nslist[$rb['namespace']].$rb['page_id']]['name'].'" has been unprotected according to the log created at ' . enano_date('d M Y h:i a', intval($rb['time_id'])) . '.';
break;
case "semiprot":
if ( !$perms->get_permissions('protect') )
return "You don't have permission to protect pages, so rolling back protection can't be allowed either.";
$e = $db->sql_query('UPDATE ' . table_prefix.'pages SET protected=0 WHERE urlname=\'' . $rb['page_id'] . '\' AND namespace=\'' . $rb['namespace'] . '\'');
if ( !$e )
return "An error occurred during the rollback operation.\nMySQL said: ".$db->get_error()."\n\nSQL backtrace:\n".$db->sql_backtrace();
else
return 'The page "' . $paths->pages[$paths->nslist[$rb['namespace']].$rb['page_id']]['name'].'" has been unprotected according to the log created at ' . enano_date('d M Y h:i a', intval($rb['time_id'])) . '.';
break;
case "unprot":
if ( !$perms->get_permissions('protect') )
return "You don't have permission to protect pages, so rolling back protection can't be allowed either.";
$e = $db->sql_query('UPDATE ' . table_prefix.'pages SET protected=1 WHERE urlname=\'' . $rb['page_id'] . '\' AND namespace=\'' . $rb['namespace'] . '\'');
if ( !$e )
return "An error occurred during the rollback operation.\nMySQL said: ".$db->get_error()."\n\nSQL backtrace:\n".$db->sql_backtrace();
else
return 'The page "' . $paths->pages[$paths->nslist[$rb['namespace']].$rb['page_id']]['name'].'" has been protected according to the log created at ' . enano_date('d M Y h:i a', intval($rb['time_id'])) . '.';
break;
case "delete":
if ( !$perms->get_permissions('history_rollback_extra') )
return 'Administrative privileges are required for page undeletion.';
if ( isset($paths->pages[$paths->cpage['urlname']]) )
return 'You cannot raise a dead page that is alive.';
$name = str_replace('_', ' ', $rb['page_id']);
$e = $db->sql_query('INSERT INTO ' . table_prefix.'pages(name,urlname,namespace) VALUES( \'' . $name . '\', \'' . $rb['page_id'] . '\',\'' . $rb['namespace'] . '\' )');if(!$e) return("An error occurred during the rollback operation.\nMySQL said: ".$db->get_error()."\n\nSQL backtrace:\n".$db->sql_backtrace());
$e = $db->sql_query('SELECT page_text,char_tag FROM ' . table_prefix.'logs WHERE page_id=\'' . $rb['page_id'] . '\' AND namespace=\'' . $rb['namespace'] . '\' AND log_type=\'page\' AND action=\'edit\' ORDER BY time_id DESC;'); if(!$e) return("An error occurred during the rollback operation.\nMySQL said: ".$db->get_error()."\n\nSQL backtrace:\n".$db->sql_backtrace());
$r = $db->fetchrow();
$e = $db->sql_query('INSERT INTO ' . table_prefix.'page_text(page_id,namespace,page_text,char_tag) VALUES(\'' . $rb['page_id'] . '\',\'' . $rb['namespace'] . '\',\'' . $db->escape($r['page_text']) . '\',\'' . $r['char_tag'] . '\')'); if(!$e) return("An error occurred during the rollback operation.\nMySQL said: ".$db->get_error()."\n\nSQL backtrace:\n".$db->sql_backtrace());
return 'The page "' . $name . '" has been undeleted according to the log created at ' . enano_date('d M Y h:i a', intval($rb['time_id'])) . '.';
break;
case "reupload":
if ( !$session->get_permissions('history_rollback_extra') )
{
return 'Administrative privileges are required for file rollbacks.';
}
$newtime = time();
$newdate = enano_date('d M Y h:i a');
if(!$db->sql_query('UPDATE ' . table_prefix.'logs SET time_id=' . $newtime . ',date_string=\'' . $newdate . '\' WHERE time_id=' . $id))
return 'Error during query: '.$db->get_error();
if(!$db->sql_query('UPDATE ' . table_prefix.'files SET time_id=' . $newtime . ' WHERE time_id=' . $id))
return 'Error during query: '.$db->get_error();
return 'The file has been rolled back to the version uploaded on '.enano_date('d M Y h:i a', (int)$id).'.';
break;
default:
return('Rollback of the action "' . $rb['action'] . '" is not yet supported.');
break;
}
break;
case "security":
case "login":
return('A ' . $rb['log_type'] . '-related log entry cannot be rolled back.');
break;
default:
return('Unknown log entry type: "' . $rb['log_type'] . '"');
}
}
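/**
 * Posts a comment on a page and returns the refreshed comment display.
 *
 * Access checks run before any data is touched: the caller needs the
 * post_comments permission; the comments_need_login setting may demand a
 * logged-in user ('2') or, for anonymous posters, a solved CAPTCHA ('1').
 * A failed check is handed to _die() (expected not to return). When the poster
 * is logged in, $name is ignored and the session username is stored instead.
 *
 * @param $page_id the page ID (raw identifier; it is escaped here before being used in SQL)
 * @param $namespace the namespace (raw identifier; escaped here as well)
 * @param $name the name of the person posting, defaults to current username/IP
 * @param $subject the subject line of the comment
 * @param $text the comment text
 * @param $captcha_code the CAPTCHA answer typed by the user; required for anonymous posters
 *                      when comments_need_login is '1'
 * @param $captcha_id the identifier of the CAPTCHA that was shown; resolved via $session->get_captcha()
 * @return string javascript code - whatever PageUtils::comments() produces, with a "posted" notice prepended
 */

public static function addcomment($page_id, $namespace, $name, $subject, $text, $captcha_code = false, $captcha_id = false)
{
  global $db, $session, $paths, $template, $plugins; // Common objects

  if ( !$session->get_permissions('post_comments') )
  {
    return 'Access denied';
  }

  $need_login = getConfig('comments_need_login');
  if ( $need_login == '2' && !$session->user_logged_in )
  {
    _die('Access denied to post comments: you need to be logged in first.');
  }
  if ( $need_login == '1' && !$session->user_logged_in )
  {
    // Anonymous posters must solve a CAPTCHA; the caller is expected to supply both halves.
    if ( !$captcha_code || !$captcha_id )
    {
      _die('BUG: PageUtils::addcomment: no CAPTCHA data passed to method');
    }
    $expected = $session->get_captcha($captcha_id);
    // Case-insensitive but otherwise strict comparison: a loose != would treat
    // numeric-looking codes such as "1e3" and "1000" as equal.
    if ( strtolower((string)$captcha_code) !== strtolower((string)$expected) )
    {
      _die('The confirmation code you entered was incorrect.');
    }
  }

  // Logged-in users always post under their own username, whatever $name says.
  $text = RenderMan::preprocess_text($text);
  $name = $session->user_logged_in ? RenderMan::preprocess_text($session->username) : RenderMan::preprocess_text($name);
  $subj = RenderMan::preprocess_text($subject);

  // With approve_comments switched on, new comments start out unapproved (0).
  $appr = ( getConfig('approve_comments') == '1' ) ? '0' : '1';

  // page_id and namespace are passed through $db->escape() before being spliced
  // into the statement, so callers hand in the raw identifiers. subject/text/name
  // are used exactly as RenderMan::preprocess_text() returns them.
  $q = 'INSERT INTO ' . table_prefix.'comments(page_id,namespace,subject,comment_data,name,user_id,approved,time) VALUES(\'' . $db->escape($page_id) . '\',\'' . $db->escape($namespace) . '\',\'' . $subj . '\',\'' . $text . '\',\'' . $name . '\',' . intval($session->user_id) . ',' . $appr . ','.time().')';
  $e = $db->sql_query($q);
  if ( !$e )
  {
    // The output of this method is javascript (see @return), so the failure is reported as an alert().
    die('alert(unescape(\''.rawurlencode('Error inserting comment data: '.$db->get_error().'\n\nQuery:\n' . $q) . '\'))');
  }

  $_ob = '<div class="info-box">Your comment has been posted.</div>';
  return PageUtils::comments($page_id, $namespace, false, Array(), $_ob);
}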
/**
* Generates partly-compiled HTML/Javascript code to be eval'ed by the user's browser to display comments
* @param $page_id the page ID
* @param $namespace the namespace
* @param $action administrative action to perform, default is false
* @param $flags additional info for $action, shouldn't be used except when deleting/approving comments, etc.
* @param $_ob text to prepend to output, used by PageUtils::addcomment
* @return array
* @access private
*/
public static function comments_raw($page_id, $namespace, $action = false, $flags = Array(), $_ob = '')
{
global $db, $session, $paths, $template, $plugins; // Common objects
global $lang;
$pname = $paths->nslist[$namespace] . $page_id;
ob_start();
if($action && $session->get_permissions('mod_comments')) // Nip hacking attempts in the bud
{
switch($action) {
case "delete":
if(isset($flags['id']))
{
$q = 'DELETE FROM ' . table_prefix.'comments WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND comment_id='.intval($flags['id']).' LIMIT 1;';
} else {
$n = $db->escape($flags['name']);
$s = $db->escape($flags['subj']);
$t = $db->escape($flags['text']);
$q = 'DELETE FROM ' . table_prefix.'comments WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND name=\'' . $n . '\' AND subject=\'' . $s . '\' AND comment_data=\'' . $t . '\' LIMIT 1;';
}
$e=$db->sql_query($q);
if(!$e) die('alert(unesape(\''.rawurlencode('Error during query: '.$db->get_error().'\n\nQuery:\n' . $q) . '\'));');
break;
case "approve":
if(isset($flags['id']))
{
$where = 'comment_id='.intval($flags['id']);
} else {
$n = $db->escape($flags['name']);
$s = $db->escape($flags['subj']);
$t = $db->escape($flags['text']);
$where = 'name=\'' . $n . '\' AND subject=\'' . $s . '\' AND comment_data=\'' . $t . '\'';
}
$q = 'SELECT approved FROM ' . table_prefix.'comments WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND ' . $where . ' LIMIT 1;';
$e = $db->sql_query($q);
if(!$e) die('alert(unesape(\''.rawurlencode('Error selecting approval status: '.$db->get_error().'\n\nQuery:\n' . $q) . '\'));');
$r = $db->fetchrow();
$db->free_result();
$a = ( $r['approved'] ) ? '0' : '1';
$q = 'UPDATE ' . table_prefix.'comments SET approved=' . $a . ' WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND ' . $where . ';';
$e=$db->sql_query($q);
if(!$e) die('alert(unesape(\''.rawurlencode('Error during query: '.$db->get_error().'\n\nQuery:\n' . $q) . '\'));');
if($a=='1') $v = $lang->get('comment_btn_mod_unapprove');
else $v = $lang->get('comment_btn_mod_approve');
echo 'document.getElementById("mdgApproveLink'.intval($_GET['id']).'").innerHTML="' . $v . '";';
break;
}
}
if(!defined('ENANO_TEMPLATE_LOADED'))
{
$template->load_theme($session->theme, $session->style);
}
$tpl = $template->makeParser('comment.tpl');
$e = $db->sql_query('SELECT * FROM ' . table_prefix.'comments WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND approved=0;');
if(!$e) $db->_die('The comment text data could not be selected.');
$num_unapp = $db->numrows();
$db->free_result();
$e = $db->sql_query('SELECT * FROM ' . table_prefix.'comments WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND approved=1;');
if(!$e) $db->_die('The comment text data could not be selected.');
$num_app = $db->numrows();
$db->free_result();
$lq = $db->sql_query('SELECT c.comment_id,c.subject,c.name,c.comment_data,c.approved,c.time,c.user_id,c.ip_address,u.user_level,u.signature,u.user_has_avatar,u.avatar_type
FROM ' . table_prefix.'comments AS c
LEFT JOIN ' . table_prefix.'users AS u
ON c.user_id=u.user_id
WHERE page_id=\'' . $page_id . '\'
AND namespace=\'' . $namespace . '\' ORDER BY c.time ASC;');
if(!$lq) _die('The comment text data could not be selected. '.$db->get_error());
$_ob .= '<h3>' . $lang->get('comment_heading') . '</h3>';
$n = ( $session->get_permissions('mod_comments')) ? $db->numrows() : $num_app;
$subst = array(
'num_comments' => $n,
'page_type' => $template->namespace_string
);
$_ob .= '<p>';
$_ob .= ( $n == 0 ) ? $lang->get('comment_msg_count_zero', $subst) : ( $n == 1 ? $lang->get('comment_msg_count_one', $subst) : $lang->get('comment_msg_count_plural', $subst) );
if ( $session->get_permissions('mod_comments') && $num_unapp > 0 )
{
$_ob .= ' <span style="color: #D84308">' . $lang->get('comment_msg_count_unapp_mod', array( 'num_unapp' => $num_unapp )) . '</span>';
}
else if ( !$session->get_permissions('mod_comments') && $num_unapp > 0 )
{
$ls = ( $num_unapp == 1 ) ? 'comment_msg_count_unapp_one' : 'comment_msg_count_unapp_plural';
$_ob .= ' <span>' . $lang->get($ls, array( 'num_unapp' => $num_unapp )) . '</span>';
}
$_ob .= '</p>';
$list = 'list = { ';
// _die(htmlspecialchars($ttext));
$i = -1;
while ( $row = $db->fetchrow($lq) )
{
$i++;
$strings = Array();
$bool = Array();
if ( $session->get_permissions('mod_comments') || $row['approved'] )
{
$list .= $i . ' : { \'comment\' : unescape(\''.rawurlencode($row['comment_data']).'\'), \'name\' : unescape(\''.rawurlencode($row['name']).'\'), \'subject\' : unescape(\''.rawurlencode($row['subject']).'\'), }, ';
// Comment ID (used in the Javascript apps)
$strings['ID'] = (string)$i;
// Determine the name, and whether to link to the user page or not
$name = '';
if($row['user_id'] > 1) $name .= '<a href="'.makeUrlNS('User', sanitize_page_id(' ', '_', $row['name'])).'">';
$name .= $row['name'];
if($row['user_id'] > 1) $name .= '</a>';
$strings['NAME'] = $name; unset($name);
// Subject
$s = $row['subject'];
if(!$row['approved']) $s .= ' <span style="color: #D84308">' . $lang->get('comment_msg_note_unapp') . '</span>';
$strings['SUBJECT'] = $s;
// Date and time
$strings['DATETIME'] = enano_date('F d, Y h:i a', $row['time']);
// User level
switch($row['user_level'])
{
default:
case USER_LEVEL_GUEST:
$l = $lang->get('user_type_guest');
break;
case USER_LEVEL_MEMBER:
case USER_LEVEL_CHPREF:
$l = $lang->get('user_type_member');
break;
case USER_LEVEL_MOD:
$l = $lang->get('user_type_mod');
break;
case USER_LEVEL_ADMIN:
$l = $lang->get('user_type_admin');
break;
}
$strings['USER_LEVEL'] = $l; unset($l);
// The actual comment data
$strings['DATA'] = RenderMan::render($row['comment_data']);
if($session->get_permissions('edit_comments'))
{
// Edit link
$strings['EDIT_LINK'] = '<a href="'.makeUrlNS($namespace, $page_id, 'do=comments&sub=editcomment&id=' . $row['comment_id']) . '" id="editbtn_' . $i . '">' . $lang->get('comment_btn_edit') . '</a>';
// Delete link
$strings['DELETE_LINK'] = '<a href="'.makeUrlNS($namespace, $page_id, 'do=comments&sub=deletecomment&id=' . $row['comment_id']) . '">' . $lang->get('comment_btn_delete') . '</a>';
}
else
{
// Edit link
$strings['EDIT_LINK'] = '';
// Delete link
$strings['DELETE_LINK'] = '';
}
// Send PM link
$strings['SEND_PM_LINK'] = ( $session->user_logged_in && $row['user_id'] > 1 ) ? '<a href="'.makeUrlNS('Special', 'PrivateMessages/Compose/To/' . $row['name']) . '">' . $lang->get('comment_btn_send_privmsg') . '</a><br />' : '';
// Add Buddy link
$strings['ADD_BUDDY_LINK'] = ( $session->user_logged_in && $row['user_id'] > 1 ) ? '<a href="'.makeUrlNS('Special', 'PrivateMessages/FriendList/Add/' . $row['name']) . '">' . $lang->get('comment_btn_add_buddy') . '</a>' : '';
// Mod links
$applink = '';
$applink .= '<a href="'.makeUrlNS($namespace, $page_id, 'do=comments&sub=admin&action=approve&id=' . $row['comment_id']) . '" id="mdgApproveLink' . $i . '">';
if($row['approved']) $applink .= $lang->get('comment_btn_mod_unapprove');
else $applink .= $lang->get('comment_btn_mod_approve');
$applink .= '</a>';
$strings['MOD_APPROVE_LINK'] = $applink; unset($applink);
$strings['MOD_DELETE_LINK'] = '<a href="'.makeUrlNS($namespace, $page_id, 'do=comments&sub=admin&action=delete&id=' . $row['comment_id']) . '">' . $lang->get('comment_btn_mod_delete') . '</a>';
$strings['MOD_IP_LINK'] = '<span style="opacity: 0.5; filter: alpha(opacity=50);">' . ( ( empty($row['ip_address']) ) ? $lang->get('comment_btn_mod_ip_missing') : $lang->get('comment_btn_mod_ip_notimplemented') ) . '</span>';
// Signature
$strings['SIGNATURE'] = '';
if($row['signature'] != '') $strings['SIGNATURE'] = RenderMan::render($row['signature']);
// Avatar
if ( $row['user_has_avatar'] == 1 )
{
$bool['user_has_avatar'] = true;
$strings['AVATAR_ALT'] = $lang->get('usercp_avatar_image_alt', array('username' => $row['name']));
$strings['AVATAR_URL'] = make_avatar_url(intval($row['user_id']), $row['avatar_type']);
$strings['USERPAGE_LINK'] = makeUrlNS('User', $row['name']);
}
$bool['auth_mod'] = ($session->get_permissions('mod_comments')) ? true : false;
$bool['can_edit'] = ( ( $session->user_logged_in && $row['name'] == $session->username && $session->get_permissions('edit_comments') ) || $session->get_permissions('mod_comments') ) ? true : false;
$bool['signature'] = ( $strings['SIGNATURE'] == '' ) ? false : true;
// Done processing and compiling, now let's cook it into HTML
$tpl->assign_vars($strings);
$tpl->assign_bool($bool);
$_ob .= $tpl->run();
}
}
if(getConfig('comments_need_login') != '2' || $session->user_logged_in)
{
if($session->get_permissions('post_comments'))
{
$_ob .= '<h3>' . $lang->get('comment_postform_title') . '</h3>';
$_ob .= $lang->get('comment_postform_blurb');
if(getConfig('approve_comments')=='1') $_ob .= ' ' . $lang->get('comment_postform_blurb_unapp');
if(getConfig('comments_need_login') == '1' && !$session->user_logged_in)
{
$_ob .= ' ' . $lang->get('comment_postform_blurb_captcha');
}
$sn = $session->user_logged_in ? $session->username . '<input name="name" id="mdgScreenName" type="hidden" value="' . $session->username . '" />' : '<input name="name" id="mdgScreenName" type="text" size="35" />';
$_ob .= ' <a href="#" id="mdgCommentFormLink" style="display: none;" onclick="document.getElementById(\'mdgCommentForm\').style.display=\'block\';this.style.display=\'none\';return false;">' . $lang->get('comment_postform_blurb_link') . '</a>
<div id="mdgCommentForm">
<form action="'.makeUrlNS($namespace, $page_id, 'do=comments&sub=postcomment').'" method="post" style="margin-left: 1em">
<table border="0">
<tr><td>' . $lang->get('comment_postform_field_name') . '</td><td>' . $sn . '</td></tr>
<tr><td>' . $lang->get('comment_postform_field_subject') . '</td><td><input name="subj" id="mdgSubject" type="text" size="35" /></td></tr>';
if(getConfig('comments_need_login') == '1' && !$session->user_logged_in)
{
$session->kill_captcha();
$captcha = $session->make_captcha();
$_ob .= '<tr><td>' . $lang->get('comment_postform_field_captcha_title') . '<br /><small>' . $lang->get('comment_postform_field_captcha_blurb') . '</small></td><td><img src="'.makeUrlNS('Special', 'Captcha/' . $captcha) . '" alt="Visual confirmation" style="cursor: pointer;" onclick="this.src = \''.makeUrlNS("Special", "Captcha/".$captcha).'/\'+Math.floor(Math.random() * 100000);" /><input name="captcha_id" id="mdgCaptchaID" type="hidden" value="' . $captcha . '" /><br />' . $lang->get('comment_postform_field_captcha_label') . ' <input name="captcha_input" id="mdgCaptchaInput" type="text" size="10" /><br /><small><script type="text/javascript">document.write("' . $lang->get('comment_postform_field_captcha_cantread_js') . '");</script><noscript>' . $lang->get('comment_postform_field_captcha_cantread_nojs') . '</noscript></small></td></tr>';
}
$_ob .= '
<tr><td valign="top">' . $lang->get('comment_postform_field_comment') . '</td><td><textarea name="text" id="mdgCommentArea" rows="10" cols="40"></textarea></td></tr>
<tr><td colspan="2" style="text-align: center;"><input type="submit" value="' . $lang->get('comment_postform_btn_submit') . '" /></td></tr>
</table>
</form>
</div>';
}
} else {
$_ob .= '<h3>Got something to say?</h3><p>You need to be logged in to post comments. <a href="'.makeUrlNS('Special', 'Login/' . $pname . '%2523comments').'">Log in</a></p>';
}
$list .= '};';
echo 'document.getElementById(\'ajaxEditContainer\').innerHTML = unescape(\''. rawurlencode($_ob) .'\');
' . $list;
echo 'Fat.fade_all(); document.getElementById(\'mdgCommentForm\').style.display = \'none\'; document.getElementById(\'mdgCommentFormLink\').style.display="inline";';
$ret = ob_get_contents();
ob_end_clean();
return Array($ret, $_ob);
}
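/**
 * Generates ready-to-execute Javascript code to be eval'ed by the user's browser to display comments.
 * Thin wrapper around comments_raw(), which produces both the Javascript and the HTML rendition;
 * this method hands back the Javascript half.
 * @param string $page_id the page ID
 * @param string $namespace the namespace
 * @param mixed $action administrative action to perform, default is false
 * @param int $id additional info for $action (comment / list ID), shouldn't be used except when deleting/approving comments, etc.
 * @param string $_ob text to prepend to output, used by PageUtils::addcomment
 * @return string
 */
public static function comments($page_id, $namespace, $action = false, $id = -1, $_ob = '')
{
  // The common-objects globals are not used here; comments_raw() imports whatever it needs itself.
  // comments_raw() returns Array($javascript, $html) - index 0 is the captured Javascript output.
  $raw = PageUtils::comments_raw($page_id, $namespace, $action, $id, $_ob);
  return $raw[0];
}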
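/**
 * Generates HTML code for comments - used in browser compatibility mode.
 * Thin wrapper around comments_raw(), which produces both the Javascript and the HTML rendition;
 * this method hands back the HTML half.
 * @param string $page_id the page ID
 * @param string $namespace the namespace
 * @param mixed $action administrative action to perform, default is false
 * @param int $id additional info for $action (comment / list ID), shouldn't be used except when deleting/approving comments, etc.
 * @param string $_ob text to prepend to output, used by PageUtils::addcomment
 * @return string
 */
public static function comments_html($page_id, $namespace, $action = false, $id = -1, $_ob = '')
{
  // The common-objects globals are not used here; comments_raw() imports whatever it needs itself.
  // comments_raw() returns Array($javascript, $html) - index 1 is the accumulated HTML buffer.
  $raw = PageUtils::comments_raw($page_id, $namespace, $action, $id, $_ob);
  return $raw[1];
}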
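/**
 * Updates comment data, locating the comment by its old subject and text (legacy lookup;
 * savecomment_neater() is the comment_id based variant). Returns a Javascript fragment
 * that the client-side comment script evals.
 * @param string $page_id the page ID
 * @param string $namespace the namespace
 * @param string $subject new subject
 * @param string $text new text
 * @param string $old_subject the old subject, unprocessed and identical to the value in the DB
 * @param string $old_text the old text, unprocessed and identical to the value in the DB
 * @param int $id the javascript list ID, used internally by the client-side app
 * @return string Javascript: result="GOOD" plus list updates on success, result="BAD" with an error otherwise
 */
public static function savecomment($page_id, $namespace, $subject, $text, $old_subject, $old_text, $id = -1)
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  if(!$session->get_permissions('edit_comments'))
    return 'result="BAD";error="Access denied"';
  
  // $id is written straight into the generated Javascript below, so it must be a plain integer
  $id = intval($id);
  
  // Avoid SQL injection: every value that ends up inside a WHERE clause goes through the driver's escape,
  // including the page identifiers (rename() and flushlogs() already do this for theirs)
  $old_text = $db->escape($old_text);
  $old_subject = $db->escape($old_subject);
  $page_id_db = $db->escape($page_id);
  $namespace_db = $db->escape($namespace);
  
  // Safety check - username/login
  // Non-moderators may only edit a comment that was posted under their own username
  if(!$session->get_permissions('mod_comments')) // allow mods to edit comments
  {
    if(!$session->user_logged_in) _die('AJAX comment save safety check failed because you are not logged in. Sometimes this can happen because you are using a browser that does not send cookies as part of AJAX requests.<br /><br />Please log in and try again.');
    $q = 'SELECT c.name FROM ' . table_prefix.'comments c, ' . table_prefix.'users u WHERE comment_data=\'' . $old_text . '\' AND subject=\'' . $old_subject . '\' AND page_id=\'' . $page_id_db . '\' AND namespace=\'' . $namespace_db . '\' AND u.user_id=c.user_id;';
    $check = $db->sql_query($q);
    if(!$check) _die('SQL error during safety check: '.$db->get_error().'<br /><br />Attempted SQL:<br /><pre>'.htmlspecialchars($q).'</pre>');
    $r = $db->fetchrow($check);
    // Read the row count before the result set is released (same order as savecomment_neater())
    if($db->numrows() < 1 || $r['name'] != $session->username) _die('Safety check failed, probably due to a hacking attempt.');
    $db->free_result();
  }
  
  // NOTE(review): the preprocessed subject/text go into the UPDATE without a further $db->escape(),
  // which relies on RenderMan::preprocess_text() returning SQL-safe output - confirm against RenderMan
  $s = RenderMan::preprocess_text($subject);
  $t = RenderMan::preprocess_text($text);
  $sql = 'UPDATE ' . table_prefix.'comments SET subject=\'' . $s . '\',comment_data=\'' . $t . '\' WHERE comment_data=\'' . $old_text . '\' AND subject=\'' . $old_subject . '\' AND page_id=\'' . $page_id_db . '\' AND namespace=\'' . $namespace_db . '\'';
  $result = $db->sql_query($sql);
  if(!$result)
  {
    return 'result="BAD"; error=unescape("'.rawurlencode('Enano encountered a problem whilst saving the comment.
Performed SQL:
' . $sql . '

Error returned by MySQL: '.$db->get_error()).'");';
  }
  
  // The {{EnAnO:Newline}} round-trip keeps literal "\n" sequences intact across stripslashes() before URL-encoding
  return 'result="GOOD";
list[' . $id . '][\'subject\'] = unescape(\''.str_replace('%5Cn', '%0A', rawurlencode(str_replace('{{EnAnO:Newline}}', '\\n', stripslashes(str_replace('\\n', '{{EnAnO:Newline}}', $s))))).'\');
list[' . $id . '][\'comment\'] = unescape(\''.str_replace('%5Cn', '%0A', rawurlencode(str_replace('{{EnAnO:Newline}}', '\\n', stripslashes(str_replace('\\n', '{{EnAnO:Newline}}', $t))))).'\'); id = ' . $id . ';
s = unescape(\''.rawurlencode($s).'\');
t = unescape(\''.str_replace('%5Cn', '<br \\/>', rawurlencode(RenderMan::render(str_replace('{{EnAnO:Newline}}', "\n", stripslashes(str_replace('\\n', '{{EnAnO:Newline}}', $t)))))).'\');';
}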
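/**
 * Updates comment data using the comment_id column instead of the old, messy way.
 * @param string $page_id the page ID
 * @param string $namespace the namespace
 * @param string $subject new subject
 * @param string $text new text
 * @param int $id the comment ID (primary key in enano_comments table); must be a genuine PHP integer
 * @return string 'good' on success, 'Access denied', or an error description including the failed SQL
 */
public static function savecomment_neater($page_id, $namespace, $subject, $text, $id)
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  // $id is interpolated unquoted into SQL below; only a real integer is accepted (numeric strings are rejected on purpose)
  if(!is_int($id)) die('PageUtils::savecomment_neater: $id is not an integer, aborting for safety');
  if(!$session->get_permissions('edit_comments'))
    return 'Access denied';
  
  // Avoid SQL injection on the page identifiers, as rename() does for its own queries
  $page_id_db = $db->escape($page_id);
  $namespace_db = $db->escape($namespace);
  
  // Safety check - username/login
  // Non-moderators may only edit a comment that was posted under their own username
  if(!$session->get_permissions('mod_comments')) // allow mods to edit comments
  {
    if(!$session->user_logged_in) _die('AJAX comment save safety check failed because you are not logged in. Sometimes this can happen because you are using a browser that does not send cookies as part of AJAX requests.<br /><br />Please log in and try again.');
    $q = 'SELECT c.name FROM ' . table_prefix.'comments c, ' . table_prefix.'users u WHERE comment_id=' . $id . ' AND page_id=\'' . $page_id_db . '\' AND namespace=\'' . $namespace_db . '\' AND u.user_id=c.user_id;';
    $check = $db->sql_query($q);
    if(!$check) _die('SQL error during safety check: '.$db->get_error().'<br /><br />Attempted SQL:<br /><pre>'.htmlspecialchars($q).'</pre>');
    $r = $db->fetchrow($check);
    if($db->numrows() < 1 || $r['name'] != $session->username) _die('Safety check failed, probably due to a hacking attempt.');
    $db->free_result();
  }
  
  // NOTE(review): the preprocessed subject/text go into the UPDATE without a further $db->escape(),
  // which relies on RenderMan::preprocess_text() returning SQL-safe output - confirm against RenderMan
  $s = RenderMan::preprocess_text($subject);
  $t = RenderMan::preprocess_text($text);
  $sql = 'UPDATE ' . table_prefix.'comments SET subject=\'' . $s . '\',comment_data=\'' . $t . '\' WHERE comment_id=' . $id . ' AND page_id=\'' . $page_id_db . '\' AND namespace=\'' . $namespace_db . '\'';
  $result = $db->sql_query($sql);
  if($result)
    return 'good';
  
  return 'Enano encountered a problem whilst saving the comment.
Performed SQL:
' . $sql . '

Error returned by MySQL: '.$db->get_error();
}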
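/**
 * Deletes a comment, locating it by poster name, subject and text (legacy lookup;
 * deletecomment_neater() is the comment_id based variant).
 * @param string $page_id the page ID
 * @param string $namespace the namespace
 * @param string $name the name the user posted under
 * @param string $subj the subject of the comment to be deleted
 * @param string $text the text of the comment to be deleted
 * @param int|string $id the javascript list ID, used internally by the client-side app; must be all digits
 * @return string 'good' on success, or a Javascript alert() describing the failure
 */
public static function deletecomment($page_id, $namespace, $name, $subj, $text, $id)
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  
  if(!$session->get_permissions('edit_comments'))
    return 'alert("Access to delete/edit comments is denied");';
  
  if(!preg_match('#^([0-9]+)$#', (string)$id)) die('$_GET[id] is improperly formed.');
  
  // Avoid SQL injection: every value that ends up inside a WHERE clause goes through the driver's escape
  $n = $db->escape($name);
  $s = $db->escape($subj);
  $t = $db->escape($text);
  $page_id_db = $db->escape($page_id);
  $namespace_db = $db->escape($namespace);
  
  // Safety check - username/login
  // Non-moderators may only delete a comment that was posted under their own username
  if(!$session->get_permissions('mod_comments')) // allows mods to delete comments
  {
    if(!$session->user_logged_in) _die('AJAX comment save safety check failed because you are not logged in. Sometimes this can happen because you are using a browser that does not send cookies as part of AJAX requests.<br /><br />Please log in and try again.');
    $q = 'SELECT c.name FROM ' . table_prefix.'comments c, ' . table_prefix.'users u WHERE comment_data=\'' . $t . '\' AND subject=\'' . $s . '\' AND page_id=\'' . $page_id_db . '\' AND namespace=\'' . $namespace_db . '\' AND u.user_id=c.user_id;';
    // The result handle gets its own variable: $s is the escaped subject and is needed again in the DELETE below
    $check = $db->sql_query($q);
    if(!$check) _die('SQL error during safety check: '.$db->get_error().'<br /><br />Attempted SQL:<br /><pre>'.htmlspecialchars($q).'</pre>');
    $r = $db->fetchrow($check);
    if($db->numrows() < 1 || $r['name'] != $session->username) _die('Safety check failed, probably due to a hacking attempt.');
    $db->free_result();
  }
  $q = 'DELETE FROM ' . table_prefix.'comments WHERE page_id=\'' . $page_id_db . '\' AND namespace=\'' . $namespace_db . '\' AND name=\'' . $n . '\' AND subject=\'' . $s . '\' AND comment_data=\'' . $t . '\' LIMIT 1;';
  $e = $db->sql_query($q);
  // The Javascript function is unescape(); a misspelling here makes the browser throw instead of showing the message
  if(!$e) return('alert(unescape(\''.rawurlencode('Error during query: '.$db->get_error().'\n\nQuery:\n' . $q) . '\'));');
  return('good');
}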
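/**
 * Deletes a comment in a cleaner fashion, by its primary key.
 * @param string $page_id the page ID
 * @param string $namespace the namespace
 * @param int|string $id the comment ID (primary key); must be all digits
 * @return string 'good' on success, or a Javascript alert() describing the failure
 */
public static function deletecomment_neater($page_id, $namespace, $id)
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  
  // $id is interpolated unquoted into SQL below; the digits-only test is what makes that safe
  if(!preg_match('#^([0-9]+)$#', (string)$id)) die('$_GET[id] is improperly formed.');
  
  if(!$session->get_permissions('edit_comments'))
    return 'alert("Access to delete/edit comments is denied");';
  
  // Avoid SQL injection on the page identifiers, as rename() does for its own queries
  $page_id_db = $db->escape($page_id);
  $namespace_db = $db->escape($namespace);
  
  // Safety check - username/login
  // Non-moderators may only delete a comment that was posted under their own username
  if(!$session->get_permissions('mod_comments')) // allows mods to delete comments
  {
    if(!$session->user_logged_in) _die('AJAX comment save safety check failed because you are not logged in. Sometimes this can happen because you are using a browser that does not send cookies as part of AJAX requests.<br /><br />Please log in and try again.');
    $q = 'SELECT c.name FROM ' . table_prefix.'comments c, ' . table_prefix.'users u WHERE comment_id=' . $id . ' AND page_id=\'' . $page_id_db . '\' AND namespace=\'' . $namespace_db . '\' AND u.user_id=c.user_id;';
    $check = $db->sql_query($q);
    if(!$check) _die('SQL error during safety check: '.$db->get_error().'<br /><br />Attempted SQL:<br /><pre>'.htmlspecialchars($q).'</pre>');
    $r = $db->fetchrow($check);
    if($db->numrows() < 1 || $r['name'] != $session->username) _die('Safety check failed, probably due to a hacking attempt.');
    $db->free_result();
  }
  $q = 'DELETE FROM ' . table_prefix.'comments WHERE page_id=\'' . $page_id_db . '\' AND namespace=\'' . $namespace_db . '\' AND comment_id=' . $id . ' LIMIT 1;';
  $e = $db->sql_query($q);
  // The Javascript function is unescape(); a misspelling here makes the browser throw instead of showing the message
  if(!$e) return('alert(unescape(\''.rawurlencode('Error during query: '.$db->get_error().'\n\nQuery:\n' . $q) . '\'));');
  return('good');
}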
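/**
 * Renames a page.
 * @param string $page_id the page ID (urlname) of the page to rename
 * @param string $namespace the namespace
 * @param string $name the new name for the page
 * @return string error string or success message (both localized)
 */
public static function rename($page_id, $namespace, $name)
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  global $lang;
  
  $pname = $paths->nslist[$namespace] . $page_id;
  
  // Read the protection level defensively: a page missing from $paths->pages counts as unprotected
  $protected = isset($paths->pages[$pname]['protected']) ? $paths->pages[$pname]['protected'] : 0;
  
  // protected == 1: fully protected. protected == 2: semi-protected, evaluated against the account age.
  // NOTE(review): for level 2 the page is treated as protected when the user registered MORE than
  // four days ago, which looks inverted for semi-protection - confirm the intended direction of the comparison
  $prot = ( $protected == 2 && $session->user_logged_in && $session->reg_time + 60*60*24*4 < time() ) || $protected == 1;
  
  if ( empty($name) )
  {
    return $lang->get('ajax_rename_too_short');
  }
  
  // NOTE(review): the namespace restriction and the log entry below describe the *current* page
  // ($paths->namespace, $paths->page_id, $paths->cpage), not the $page_id/$namespace parameters -
  // callers appear to be expected to pass the page currently being viewed
  $can_rename = $session->get_permissions('rename') && ( !$prot || $session->get_permissions('even_when_protected') );
  if ( !$can_rename || $paths->namespace == 'Special' || $paths->namespace == 'Admin' )
  {
    return $lang->get('etc_access_denied');
  }
  
  // Record the rename in the page log first so the action is traceable even if the update fails
  $e = $db->sql_query('INSERT INTO ' . table_prefix.'logs(time_id,date_string,log_type,action,page_id,namespace,author,edit_summary) VALUES('.time().', \''.enano_date('d M Y h:i a').'\', \'page\', \'rename\', \'' . $db->escape($paths->page_id) . '\', \'' . $db->escape($paths->namespace) . '\', \'' . $db->escape($session->username) . '\', \'' . $db->escape($paths->cpage['name']) . '\')');
  if ( !$e )
  {
    $db->_die('The rename could not be recorded in the page log.');
  }
  
  $e = $db->sql_query('UPDATE ' . table_prefix.'pages SET name=\'' . $db->escape($name) . '\' WHERE urlname=\'' . $db->escape($page_id) . '\' AND namespace=\'' . $db->escape($namespace) . '\';');
  if ( !$e )
  {
    $db->_die('The page title could not be updated.');
  }
  
  $subst = array(
      'page_name_old' => isset($paths->pages[$pname]['name']) ? $paths->pages[$pname]['name'] : '',
      'page_name_new' => $name
    );
  return $lang->get('ajax_rename_success', $subst);
}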
/**
* Flushes (clears) the action logs for a given page
* @param $page_id the page ID
* @param $namespace the namespace
* @return string error/success string
*/
public static function flushlogs($page_id, $namespace)
{
global $db, $session, $paths, $template, $plugins; // Common objects
global $lang;
if ( !is_object($lang) && defined('IN_ENANO_INSTALL') )
{
// This is a special exception for the Enano installer, which doesn't init languages yet.
$lang = new Language('eng');
}
if(!$session->get_permissions('clear_logs') && !defined('IN_ENANO_INSTALL'))
{
return $lang->get('etc_access_denied');
}
$e = $db->sql_query('DELETE FROM ' . table_prefix.'logs WHERE page_id=\'' . $db->escape($page_id) . '\' AND namespace=\'' . $db->escape($namespace) . '\';');
if(!$e) $db->_die('The log entries could not be deleted.');
// If the page exists, make a backup of it in case it gets spammed/vandalized
// If not, the admin's probably deleting a trash page
if ( isset($paths->pages[ $paths->nslist[$namespace] . $page_id ]) )
{
$e = $db->sql_query('SELECT page_text,char_tag FROM ' . table_prefix.'page_text WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\';');
if(!$e) $db->_die('The current page text could not be selected; as a result, creating the backup of the page failed. Please make a backup copy of the page by clicking Edit this page and then clicking Save Changes.');
$row = $db->fetchrow();
$db->free_result();
$minor_edit = ( ENANO_DBLAYER == 'MYSQL' ) ? 'false' : '0';
$q='INSERT INTO ' . table_prefix.'logs(log_type,action,time_id,date_string,page_id,namespace,page_text,char_tag,author,edit_summary,minor_edit) VALUES(\'page\', \'edit\', '.time().', \''.enano_date('d M Y h:i a').'\', \'' . $page_id . '\', \'' . $namespace . '\', \'' . $db->escape($row['page_text']) . '\', \'' . $row['char_tag'] . '\', \'' . $session->username . '\', \''."Automatic backup created when logs were purged".'\', '.$minor_edit.');';
if(!$db->sql_query($q)) $db->_die('The history (log) entry could not be inserted into the logs table.');
}
return $lang->get('ajax_clearlogs_success');
}
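/**
 * Deletes a page: writes a "delete" log entry, then removes the page's
 * category links, comments, text, index row and file entry, in that order.
 *
 * Every caller-supplied value is run through $db->escape() before it is
 * spliced into SQL. The original only escaped the reason, so a page ID,
 * namespace or username containing a quote could break out of its literal.
 * Each failed statement is handed to $db->_die(), which the rest of this
 * class treats as fatal; the deletions are not wrapped in a transaction.
 *
 * @param string $page_id   the condemned page ID
 * @param string $namespace the condemned namespace
 * @param string $reason    the reason for deleting the page; must not be blank
 * @return string the ajax_delete_need_reason / ajax_delete_success language
 *                strings, or a plain error message when delete_page is missing
 */
public static function deletepage($page_id, $namespace, $reason)
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  global $lang;

  $perms = $session->fetch_page_acl($page_id, $namespace);

  // Strict comparison: a reason of "0" is still a reason (empty() would reject it).
  if ( trim((string) $reason) === '' )
  {
    return $lang->get('ajax_delete_need_reason');
  }
  if ( !$perms->get_permissions('delete_page') )
  {
    return('Administrative privileges are required to delete pages, you loser.');
  }

  // Escape once; only the escaped copies are used in the statements below.
  $page_id_db   = $db->escape($page_id);
  $namespace_db = $db->escape($namespace);
  $author_db    = $db->escape($session->username);
  $reason_db    = $db->escape(htmlspecialchars($reason));
  $page_where   = 'page_id=\'' . $page_id_db . '\' AND namespace=\'' . $namespace_db . '\'';

  // The log row goes in first so the deletion is recorded even if a later step dies.
  $e = $db->sql_query('INSERT INTO ' . table_prefix.'logs(time_id,date_string,log_type,action,page_id,namespace,author,edit_summary) VALUES(' . time() . ', \'' . enano_date('d M Y h:i a') . '\', \'page\', \'delete\', \'' . $page_id_db . '\', \'' . $namespace_db . '\', \'' . $author_db . '\', \'' . $reason_db . '\')');
  if ( !$e ) $db->_die('The page log entry could not be inserted.');

  $e = $db->sql_query('DELETE FROM ' . table_prefix.'categories WHERE ' . $page_where);
  if ( !$e ) $db->_die('The page categorization entries could not be deleted.');

  $e = $db->sql_query('DELETE FROM ' . table_prefix.'comments WHERE ' . $page_where);
  if ( !$e ) $db->_die('The page comments could not be deleted.');

  $e = $db->sql_query('DELETE FROM ' . table_prefix.'page_text WHERE ' . $page_where);
  if ( !$e ) $db->_die('The page text entry could not be deleted.');

  // The pages table is keyed on urlname rather than page_id.
  $e = $db->sql_query('DELETE FROM ' . table_prefix.'pages WHERE urlname=\'' . $page_id_db . '\' AND namespace=\'' . $namespace_db . '\'');
  if ( !$e ) $db->_die('The page entry could not be deleted.');

  // File rows are matched on page_id alone, as in the original query.
  $e = $db->sql_query('DELETE FROM ' . table_prefix.'files WHERE page_id=\'' . $page_id_db . '\'');
  if ( !$e ) $db->_die('The file entry could not be deleted.');

  return $lang->get('ajax_delete_success');
}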
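/**
 * Records one "vote for deletion" against a page and adds the voter's username
 * and IP address to the page's voter list so the same user cannot vote twice.
 *
 * The voter list (delvote_ips) is a PHP-serialized array with the keys 'ip'
 * and 'u'. It is written by this method and resetdelvotes() but read back from
 * the database, so the deserialized value is checked for that exact shape and
 * replaced with an empty list otherwise. NOTE(review): unserialize() will
 * instantiate any class named in the payload; a store that other code can
 * write to is safer with a plain format such as JSON.
 *
 * Changes from the original: the page ID and namespace are escaped before
 * being spliced into the UPDATE, the UPDATE uses the same sanitized page ID
 * as the index lookup, in_array() comparisons are strict, the vote counter is
 * cast to int before it is interpolated, and a failed UPDATE is reported
 * instead of ignored.
 *
 * @param string $page_id   the page ID (sanitized here before use)
 * @param string $namespace the namespace
 * @return string etc_access_denied / ajax_delvote_already_voted /
 *                ajax_delvote_success language strings, or a plain error
 *                message for a non-votable namespace or a missing page
 */
public static function delvote($page_id, $namespace)
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  global $lang;

  if ( !$session->get_permissions('vote_delete') )
  {
    return $lang->get('etc_access_denied');
  }

  if ( in_array($namespace, array('Admin', 'Special', 'System'), true) )
  {
    return 'Special pages and system messages can\'t be voted for deletion.';
  }

  // The page index is keyed on the sanitized URL name; the UPDATE below uses
  // the same form (this assumes urlname stores the sanitized ID, which the
  // index lookup already relies on).
  $page_id = sanitize_page_id($page_id);
  $pname = $paths->nslist[$namespace] . $page_id;

  if ( !isset($paths->pages[$pname]) )
  {
    return 'The page does not exist.';
  }

  // Reference on purpose: the in-memory page index is kept in step with the database.
  $cv =& $paths->pages[$pname]['delvotes'];
  $ips = $paths->pages[$pname]['delvote_ips'];

  $empty_list = array(
      'ip' => array(),
      'u' => array()
    );
  if ( empty($ips) )
  {
    $ips = $empty_list;
  }
  else
  {
    $ips = @unserialize($ips);
    // Anything other than the two-list shape written below counts as "no votes yet".
    if ( !is_array($ips) || !isset($ips['ip']) || !isset($ips['u']) || !is_array($ips['ip']) || !is_array($ips['u']) )
    {
      $ips = $empty_list;
    }
  }

  $username = $session->username;
  $remote_addr = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';

  if ( in_array($username, $ips['u'], true) || in_array($remote_addr, $ips['ip'], true) )
  {
    return $lang->get('ajax_delvote_already_voted');
  }

  $ips['u'][] = $username;
  $ips['ip'][] = $remote_addr;
  $ips_db = $db->escape( serialize($ips) );

  // Cast so the counter is numeric both in memory and in the SQL below.
  $cv = (int) $cv + 1;

  $q = 'UPDATE ' . table_prefix.'pages SET delvotes=' . $cv . ',delvote_ips=\'' . $ips_db . '\' WHERE urlname=\'' . $db->escape($page_id) . '\' AND namespace=\'' . $db->escape($namespace) . '\'';
  $w = $db->sql_query($q);
  if ( !$w ) $db->_die('The delete vote could not be recorded.');

  return $lang->get('ajax_delvote_success');
}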
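/**
 * Resets a page's deletion-vote counter to 0 and clears its voter list.
 *
 * The page ID and namespace are escaped before being spliced into the UPDATE;
 * the original interpolated them verbatim.
 *
 * @param string $page_id   the page ID
 * @param string $namespace the namespace
 * @return string etc_access_denied or ajax_delvote_reset_success language
 *                string; a failed query is handed to $db->_die() instead
 */
public static function resetdelvotes($page_id, $namespace)
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  global $lang;

  if ( !$session->get_permissions('vote_reset') )
  {
    return $lang->get('etc_access_denied');
  }

  // Same empty-list shape that delvote() reads back: a serialized array with 'ip' and 'u' keys.
  $empty_votes = $db->escape(serialize(array('ip' => array(), 'u' => array())));

  $q = 'UPDATE ' . table_prefix.'pages SET delvotes=0,delvote_ips=\'' . $empty_votes . '\' WHERE urlname=\'' . $db->escape($page_id) . '\' AND namespace=\'' . $db->escape($namespace) . '\'';
  $e = $db->sql_query($q);
  if ( !$e )
  {
    $db->_die('The number of delete votes was not reset.');
  }
  else
  {
    return $lang->get('ajax_delvote_reset_success');
  }
}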
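/**
 * Gets a list of styles for a given theme name. As of Banshee, this returns JSON.
 *
 * The theme name is read from $_GET['id'] (the method takes no parameter). It
 * must match ^[a-z0-9_-]+$ before it is used to build a filesystem path, which
 * rules out directory separators and traversal. Compared with the original,
 * the pattern carries the D modifier so a trailing newline is rejected, a
 * missing or non-string parameter is treated as invalid instead of raising a
 * notice, and the stylesheet name is taken from the regex capture.
 *
 * @return string JSON: a list of stylesheet names without the .css suffix,
 *                false when the theme name is invalid, or a
 *                {mode:'error', error:...} object when the css directory is missing
 */
public static function getstyles()
{
  $theme_id = isset($_GET['id']) ? $_GET['id'] : '';
  if ( !is_string($theme_id) || !preg_match('/^([a-z0-9_-]+)$/D', $theme_id) )
  {
    return enano_json_encode(false);
  }

  $dir = './themes/' . $theme_id . '/css/';
  $list = Array();

  if ( !is_dir($dir) )
  {
    return(enano_json_encode(Array('mode' => 'error', 'error' => $dir.' is not a dir')));
  }

  // Collect every *.css file except _printable.css, which every theme is
  // expected to ship (a mostly black-and-white copy of the base style) and
  // which is therefore not offered as a selectable style.
  if ( $dh = opendir($dir) )
  {
    while ( ($file = readdir($dh)) !== false )
    {
      if ( $file != '_printable.css' && preg_match('#^(.*?)\.css$#is', $file, $match) )
      {
        $list[] = $match[1];
      }
    }
    closedir($dh);
  }

  return enano_json_encode($list);
}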
+ − 1424
+ − 1425
/**
 * Assembles a Javascript app with category information
 * @param $page_id the page ID
 * @param $namespace the namespace
 * @return string Javascript code
 */
public static function catedit($page_id, $namespace)
{
  // catedit_raw() hands back [javascript, html]; the HTML is URL-encoded here
  // and decoded again on the client with unescape() so it can live inside a JS string.
  list($script, $html) = PageUtils::catedit_raw($page_id, $namespace);
  $encoded_html = rawurlencode($html);
  $inject = ' /* BEGIN CONTENT */ document.getElementById("ajaxEditContainer").innerHTML = unescape(\'' . $encoded_html . '\');';
  return $script . $inject;
}
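/**
 * Does the actual HTML/javascript generation for cat editing, but returns an array
 * @access private
 *
 * The category SELECT now escapes the values it splices in; the original used
 * them raw. NOTE(review): that SELECT reads the current request's page
 * ($paths->page_id / $paths->namespace) rather than the $page_id/$namespace
 * parameters, which only feed the form action URL; kept as is — confirm
 * against the callers before unifying.
 *
 * @param string $page_id   the page ID (used in the form action URL)
 * @param string $namespace the namespace (used in the form action URL)
 * @return array [0] => javascript that initialises the client-side catlist,
 *               [1] => HTML for the category edit form
 */
public static function catedit_raw($page_id, $namespace)
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  global $lang;

  ob_start();
  $_ob = '';
  // Categories the current page already belongs to
  $e = $db->sql_query('SELECT category_id FROM ' . table_prefix.'categories WHERE page_id=\'' . $db->escape($paths->page_id) . '\' AND namespace=\'' . $db->escape($paths->namespace) . '\'');
  if(!$e) jsdie('Error selecting category information for current page: '.$db->get_error());
  $cat_current = Array();
  while($r = $db->fetchrow())
  {
    $cat_current[] = $r;
  }
  $db->free_result();

  // $paths->pages evidently lists each page twice, under a numeric index and
  // under its name, hence the sizeof()/2 loop bounds here and below.
  $cat_all = Array();
  for($i=0;$i<sizeof($paths->pages)/2;$i++)
  {
    if($paths->pages[$i]['namespace']=='Category') $cat_all[] = $paths->pages[$i];
  }

  // Make $cat_all an associative array, like $paths->pages
  $sz = sizeof($cat_all);
  for($i=0;$i<$sz;$i++)
  {
    $cat_all[$cat_all[$i]['urlname_nons']] = $cat_all[$i];
  }
  // Now, the "zipper" function - join the list of categories with the list of cats that this page is a part of
  $cat_info = $cat_all;
  for($i=0;$i<sizeof($cat_current);$i++)
  {
    $un = $cat_current[$i]['category_id'];
    $cat_info[$un]['member'] = true;
  }
  // Now copy the information we just set into the numerically named keys
  for($i=0;$i<sizeof($cat_info)/2;$i++)
  {
    $un = $cat_info[$i]['urlname_nons'];
    $cat_info[$i] = $cat_info[$un];
  }

  echo 'catlist = new Array();'; // Initialize the client-side category list
  $_ob .= '<h3>' . $lang->get('catedit_title') . '</h3>
<form name="mdgCatForm" action="'.makeUrlNS($namespace, $page_id, 'do=catedit').'" method="post">';
  if ( sizeof($cat_info) < 1 )
  {
    $_ob .= '<p>' . $lang->get('catedit_no_categories') . '</p>';
  }
  for ( $i = 0; $i < sizeof($cat_info) / 2; $i++ )
  {
    // Protection code added 1/3/07
    // Updated 3/4/07
    // A checkbox is disabled when the user may not edit categories at all, may
    // not edit this one, or it is protected and the user cannot override that.
    $is_prot = false;
    $perms = $session->fetch_page_acl($cat_info[$i]['urlname_nons'], 'Category');
    if ( !$session->get_permissions('edit_cat') || !$perms->get_permissions('edit_cat') ||
      ( $cat_info[$i]['really_protected'] && !$perms->get_permissions('even_when_protected') ) )
      $is_prot = true;
    $prot = ( $is_prot ) ? ' disabled="disabled" ' : '';
    $prottext = ( $is_prot ) ? ' <img alt="(protected)" width="16" height="16" src="'.scriptPath.'/images/lock16.png" />' : '';
    // NOTE(review): urlname_nons and name are emitted into JS and HTML without
    // escaping; this relies on the page index holding already-sanitized values.
    echo 'catlist[' . $i . '] = \'' . $cat_info[$i]['urlname_nons'] . '\';';
    $_ob .= '<span class="catCheck"><input ' . $prot . ' name="' . $cat_info[$i]['urlname_nons'] . '" id="mdgCat_' . $cat_info[$i]['urlname_nons'] . '" type="checkbox"';
    if(isset($cat_info[$i]['member'])) $_ob .= ' checked="checked"';
    $_ob .= '/> <label for="mdgCat_' . $cat_info[$i]['urlname_nons'] . '">' . $cat_info[$i]['name'].$prottext.'</label></span><br />';
  }

  $disabled = ( sizeof($cat_info) < 1 ) ? 'disabled="disabled"' : '';

  $_ob .= '<div style="border-top: 1px solid #CCC; padding-top: 5px; margin-top: 10px;"><input name="__enanoSaveButton" ' . $disabled . ' style="font-weight: bold;" type="submit" onclick="ajaxCatSave(); return false;" value="' . $lang->get('etc_save_changes') . '" /> <input name="__enanoCatCancel" type="submit" onclick="ajaxReset(); return false;" value="' . $lang->get('etc_cancel') . '" /></div></form>';

  // Everything echo'd above is the javascript half; the HTML half is $_ob.
  $cont = ob_get_contents();
  ob_end_clean();
  return Array($cont, $_ob);
}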
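/**
 * Saves category information
 * WARNING: If $which_cats is empty, all the category information for the selected page will be nuked!
 *
 * Changes from the original: the page ID, namespace and category names are
 * escaped before being spliced into SQL; the page's current memberships are
 * loaded once up front instead of one query per category; and the "keep the
 * current state" rule for categories the user may not edit now checks
 * membership of that particular category (the original checked whether the
 * page was in any category at all, which would have added it to every
 * protected category). The DELETE/INSERT pair is still not in a transaction.
 *
 * @param $page_id string the page ID
 * @param $namespace string the namespace
 * @param $which_cats array associative array of categories to put the page in
 *        (urlname_nons => truthy); categories missing or falsy are removed
 * @return string "GOOD" on success, error string on failure
 */
public static function catsave($page_id, $namespace, $which_cats)
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  if(!$session->get_permissions('edit_cat')) return('Insufficient privileges to change category information');

  if ( !is_array($which_cats) )
  {
    $which_cats = array();
  }

  $page_perms = $session->fetch_page_acl($page_id, $namespace);
  $page_key = $paths->nslist[$namespace] . $page_id;
  // Read, don't reference: referencing a missing index would create it.
  $page_data = isset($paths->pages[$page_key]) ? $paths->pages[$page_key] : array();
  $page_protected = ( isset($page_data['protected']) && $page_data['protected'] == '1' );

  $page_id_db = $db->escape($page_id);
  $namespace_db = $db->escape($namespace);
  $page_where = 'page_id=\'' . $page_id_db . '\' AND namespace=\'' . $namespace_db . '\'';

  // Categories the page is in right now, keyed by category_id (the urlname_nons of the category).
  $current = array();
  $q = $db->sql_query('SELECT category_id FROM ' . table_prefix.'categories WHERE ' . $page_where . ';');
  if(!$q)
    return 'MySQL error: ' . $db->get_error();
  while ( $row = $db->fetchrow() )
  {
    $current[$row['category_id']] = true;
  }
  $db->free_result();

  // $paths->pages evidently lists every page under both a numeric and a named key, hence sizeof()/2.
  $cat_all = Array();
  for($i=0;$i<sizeof($paths->pages)/2;$i++)
  {
    if($paths->pages[$i]['namespace']=='Category') $cat_all[] = $paths->pages[$i];
  }

  // Make $cat_all an associative array, like $paths->pages
  $sz = sizeof($cat_all);
  for($i=0;$i<$sz;$i++)
  {
    $cat_all[$cat_all[$i]['urlname_nons']] = $cat_all[$i];
  }

  $rowlist = Array();

  for($i=0;$i<sizeof($cat_all)/2;$i++)
  {
    $cat_name = $cat_all[$i]['urlname_nons'];
    $auth = true;
    $perms = $session->fetch_page_acl($cat_name, 'Category');
    if ( !$session->get_permissions('edit_cat') || !$perms->get_permissions('edit_cat') ||
      ( $cat_all[$i]['really_protected'] && !$perms->get_permissions('even_when_protected') ) ||
      ( !$page_perms->get_permissions('even_when_protected') && $page_protected ) )
      $auth = false;
    if(!$auth)
    {
      // Not allowed to touch this category: keep whatever membership it has now.
      if ( isset($current[$cat_name]) )
      {
        $auth = true;
        $which_cats[$cat_name] = true;
      }
    }
    // !empty() is the same test as the original isset() && == true.
    if ( $auth && !empty($which_cats[$cat_name]) )
    {
      $rowlist[] = '(\'' . $page_id_db . '\', \'' . $namespace_db . '\', \'' . $db->escape($cat_name) . '\')';
    }
  }

  // Replace the page's category rows wholesale; an empty $rowlist clears them.
  $e = $db->sql_query('DELETE FROM ' . table_prefix.'categories WHERE ' . $page_where . ';');
  if(!$e) $db->_die('The old category data could not be deleted.');
  if(sizeof($rowlist) > 0)
  {
    $q = 'INSERT INTO ' . table_prefix.'categories(page_id,namespace,category_id) VALUES' . implode(',', $rowlist) . ';';
    $e = $db->sql_query($q);
    if(!$e) $db->_die('The new category data could not be inserted.');
  }
  return('GOOD');
}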
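/**
 * Sets the wiki mode level for a page.
 *
 * $level is validated against the exact strings '0', '1' and '2' and cast to
 * int before use (a trailing newline, which the old $-anchored regex let
 * through, is now rejected); the page ID and namespace are escaped before
 * being spliced into the UPDATE (the original interpolated them raw).
 *
 * @param $page_id string the page ID
 * @param $namespace string the namespace
 * @param $level int 0 for off, 1 for on, 2 for use global setting
 * @return string "GOOD" on success, error string on failure
 */
public static function setwikimode($page_id, $namespace, $level)
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  if(!$session->get_permissions('set_wiki_mode')) return('Insufficient access rights');

  if ( !isset($level) || !in_array((string) $level, array('0', '1', '2'), true) )
  {
    return('Invalid mode string');
  }
  $level = (int) $level;

  $q = $db->sql_query('UPDATE ' . table_prefix.'pages SET wiki_mode=' . $level . ' WHERE urlname=\'' . $db->escape($page_id) . '\' AND namespace=\'' . $db->escape($namespace) . '\';');
  if ( !$q )
  {
    return('Error during update query: '.$db->get_error()."\n\nSQL Backtrace:\n".$db->sql_backtrace());
  }
  return('GOOD');
}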
/**
* Sets the access password for a page.
* @param $page_id string the page ID
* @param $namespace string the namespace
* @param $pass string the SHA1 hash of the password - if the password doesn't match the regex ^([0-9a-f]*){40,40}$ it will be sha1'ed
* @return string
*/
public static function setpass($page_id, $namespace, $pass)
{
global $db, $session, $paths, $template, $plugins; // Common objects
global $lang;
// Determine permissions
if($paths->pages[$paths->nslist[$namespace].$page_id]['password'] != '')
$a = $session->get_permissions('password_reset');
else
$a = $session->get_permissions('password_set');
if(!$a)
return $lang->get('etc_access_denied');
if(!isset($pass)) return('Password was not set on URL');
$p = $pass;
if ( !preg_match('#([0-9a-f]){40,40}#', $p) )
{
$p = sha1($p);
}
if ( $p == 'da39a3ee5e6b4b0d3255bfef95601890afd80709' )
// sha1('') = da39a3ee5e6b4b0d3255bfef95601890afd80709
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 1641
$p = '';
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 1642
$e = $db->sql_query('UPDATE ' . table_prefix.'pages SET password=\'' . $p . '\' WHERE urlname=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\';');
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 1643
if ( !$e )
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 1644
{
345
4ccdfeee9a11
WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
Dan
diff
changeset
+ − 1645
die('PageUtils::setpass(): Error during update query: '.$db->get_error()."\n\nSQL Backtrace:\n".$db->sql_backtrace());
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 1646
}
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 1647
// Is the new password blank?
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 1648
if ( $p == '' )
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 1649
{
214
+ − 1650
return $lang->get('ajax_password_disable_success');
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
diff
changeset
+ − 1651
}
214
+ − 1652
else
+ − 1653
{
+ − 1654
return $lang->get('ajax_password_success');
+ − 1655
}
1
+ − 1656
}
/**
 * Generates some preview HTML for a block of wikitext.
 * @param string $text the wikitext to use
 * @return string the preview blurb followed by the rendered text in a scrollable box
 */
public static function genPreview($text)
{
  global $lang;

  $blurb = $lang->get('editor_preview_blurb');
  $box_style = 'background-color: #F8F8F8; padding: 10px; border: 1px dashed #406080; max-height: 250px; overflow: auto; margin: 10px 0;';
  $rendered = RenderMan::render(RenderMan::preprocess_text($text, false, false));

  // The rendered markup is executed as PHP: the leading "?>" drops the parser back
  // into HTML mode, so only "<?php" blocks embedded in $rendered actually run.
  // NOTE(review): this means any "<?php" the renderer lets through from $text runs
  // server-side - confirm that RenderMan strips or escapes PHP open tags before
  // this is used on user-submitted previews.
  ob_start();
  eval('?>' . $rendered);
  $body = ob_get_clean();

  return '<div class="info-box">' . $blurb . '</div>'
       . '<div style="' . $box_style . '">' . $body . '</div>';
}
/**
 * Makes a scrollable box.
 *
 * $text is inserted as-is; it is documented as inner HTML, so escaping is the caller's job.
 * The height is coerced with intval(), so only the integer part ends up in the CSS.
 *
 * @param string $text the inner HTML
 * @param int $height Optional - the maximum height. Defaults to 250.
 * @return string
 */
public static function scrollBox($text, $height = 250)
{
  $max_height = intval($height);
  return sprintf(
    '<div style="background-color: #F8F8F8; padding: 10px; border: 1px dashed #406080; max-height: %dpx; overflow: auto; margin: 1em 0 1em 1em;">%s</div>',
    $max_height,
    $text
  );
}
+ − 1689
+ − 1690
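/**
 * Generates a diff summary between two page revisions.
 *
 * Both revisions are loaded with separate queries so they cannot end up in
 * the wrong order. The time IDs are interpolated unquoted into SQL and are
 * therefore restricted to pure digit strings first.
 *
 * @param string $page_id the page ID
 * @param string $namespace the namespace
 * @param int|string $id1 the time ID of the first revision
 * @param int|string $id2 the time ID of the second revision
 * @return string XHTML-formatted diff, or a plain-text error message
 */
public static function pagediff($page_id, $namespace, $id1, $id2)
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  global $lang;

  if ( !$session->get_permissions('history_view') )
  {
    return $lang->get('etc_access_denied');
  }
  // The D modifier stops "$" from also accepting a trailing newline.
  if ( !preg_match('#^[0-9]+$#D', (string)$id1) || !preg_match('#^[0-9]+$#D', (string)$id2) )
  {
    return 'SQL injection attempt';
  }

  // OK we made it through security
  // Safest way to make sure we don't end up with the revisions in wrong columns is to make 2 queries.
  // $page_id and $namespace are caller-supplied, so they are escaped here.
  $rows = array();
  foreach ( array($id1, $id2) as $time_id )
  {
    $sql = 'SELECT page_text,char_tag,author,edit_summary FROM ' . table_prefix . 'logs'
         . ' WHERE time_id=' . $time_id
         . ' AND log_type=\'page\' AND action=\'edit\''
         . ' AND page_id=\'' . $db->escape($page_id) . '\''
         . ' AND namespace=\'' . $db->escape($namespace) . '\';';
    $q = $db->sql_query($sql);
    if ( !$q )
    {
      return 'MySQL error: ' . $db->get_error();
    }
    $rows[] = $db->fetchrow($q);
    $db->free_result($q);
  }
  list($row1, $row2) = $rows;

  // fetchrow() yields no row when the time ID does not exist for this page
  if ( !$row1 || !$row2 )
  {
    return 'Couldn\'t find any rows that matched the query. The time ID probably doesn\'t exist in the logs table.';
  }
  $text1 = $row1['page_text'];
  $text2 = $row2['page_text'];
  $time1 = enano_date('F d, Y h:i a', $id1);
  $time2 = enano_date('F d, Y h:i a', $id2);
  $_ob = "
<p>" . $lang->get('history_lbl_comparingrevisions') . " {$time1} → {$time2}</p>
";
  // Free some memory
  unset($row1, $row2, $rows);

  $_ob .= RenderMan::diff($text1, $text2);
  return $_ob;
}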
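/**
 * Gets ACL information about the selected page for target type X and target ID Y.
 *
 * Dispatches on $parms['mode']:
 *   - (unset)                 : only the template vars and the page identity are returned
 *   - 'listgroups'            : adds 'groups' and 'page_groups'
 *   - 'seltarget'             : loads the current rules for target_type/target_id
 *                               (a username for ACL_TYPE_USER, a numeric group id for ACL_TYPE_GROUP)
 *   - 'save_new', 'save_edit' : replaces the target's rules with $parms['perms']
 *   - 'delete'                : removes the target's rules
 * Every failure is reported as array('mode' => 'error', 'error' => ...).
 *
 * @param array $parms What to select. This is an array purely for JSON compatibility. It should be an associative array with keys target_type and target_id.
 * @return array
 */
public static function acl_editor($parms = Array())
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  global $lang;

  // acl_json() hands us whatever the JSON decoded to; anything but an array is treated as "no parameters"
  if ( !is_array($parms) )
  {
    $parms = Array();
  }

  // NOTE(review): the edit_acl right appears to be evaluated against the session's current page,
  // not against the page named in $parms (which may also be empty, i.e. the site-wide rules) -
  // confirm that callers only reach this with the page being edited as the current page.
  if ( !$session->get_permissions('edit_acl') && $session->user_level < USER_LEVEL_ADMIN )
  {
    return Array(
      'mode' => 'error',
      'error' => $lang->get('acl_err_access_denied')
    );
  }

  $page_id = ( isset($parms['page_id']) ) ? $parms['page_id'] : false;
  $namespace = ( isset($parms['namespace']) ) ? $parms['namespace'] : false;
  $parms['page_id'] = $page_id;
  $parms['namespace'] = $namespace;

  // Rules with no page attached are the site-wide ones (page_id/namespace NULL).
  // The "lite" clause is for queries without the "a." table alias.
  if ( empty($page_id) || empty($namespace) )
  {
    $page_where_clause = 'AND a.page_id IS NULL AND a.namespace IS NULL';
    $page_where_clause_lite = 'AND page_id IS NULL AND namespace IS NULL';
  }
  else
  {
    $esc_page = $db->escape($page_id);
    $esc_ns = $db->escape($namespace);
    $page_where_clause = 'AND a.page_id=\'' . $esc_page . '\' AND a.namespace=\'' . $esc_ns . '\'';
    $page_where_clause_lite = 'AND page_id=\'' . $esc_page . '\' AND namespace=\'' . $esc_ns . '\'';
  }

  $template->load_theme();
  if ( !file_exists(ENANO_ROOT . '/themes/' . $session->theme . '/acledit.tpl') )
  {
    return Array(
      'mode' => 'error',
      'error' => $lang->get('acl_err_missing_template'),
    );
  }
  $return = Array();
  $return['template'] = $template->extract_vars('acledit.tpl');
  $return['page_id'] = $page_id;
  $return['namespace'] = $namespace;

  if ( !isset($parms['mode']) )
  {
    return $return;
  }

  // Read once with defaults so a missing key does not raise notices in the branches below
  $target_type = isset($parms['target_type']) ? $parms['target_type'] : null;
  $target_id = isset($parms['target_id']) ? $parms['target_id'] : null;

  switch ( $parms['mode'] )
  {
    case 'listgroups':
      $return['groups'] = Array();
      $q = $db->sql_query('SELECT group_id,group_name FROM ' . table_prefix.'groups ORDER BY group_name ASC;');
      if ( !$q )
      {
        return Array('mode' => 'error', 'error' => $db->get_error());
      }
      while ( $row = $db->fetchrow() )
      {
        $return['groups'][] = Array(
          'id' => $row['group_id'],
          'name' => $row['group_name'],
        );
      }
      $db->free_result();

      $return['page_groups'] = Array();
      $q = $db->sql_query('SELECT pg_id,pg_name FROM ' . table_prefix.'page_groups ORDER BY pg_name ASC;');
      if ( !$q )
      {
        return Array('mode' => 'error', 'error' => $db->get_error());
      }
      while ( $row = $db->fetchrow() )
      {
        $return['page_groups'][] = Array(
          'id' => $row['pg_id'],
          'name' => $row['pg_name']
        );
      }
      $db->free_result();
      break;

    case 'seltarget':
      $return['mode'] = 'seltarget';
      $return['acl_types'] = $session->acl_types;
      $return['acl_deps'] = $session->acl_deps;
      $return['acl_descs'] = $session->acl_descs;
      $return['target_type'] = $target_type;
      $return['target_id'] = $target_id;
      switch ( $target_type )
      {
        case ACL_TYPE_USER:
          // target_id is a username here; the numeric user_id is resolved and returned instead
          $q = $db->sql_query('SELECT a.rules,u.user_id FROM ' . table_prefix.'users AS u
              LEFT JOIN ' . table_prefix.'acl AS a
                ON a.target_id=u.user_id
              WHERE a.target_type='.ACL_TYPE_USER.'
                AND u.username=\'' . $db->escape($target_id) . '\'
                ' . $page_where_clause . ';');
          if ( !$q )
          {
            return Array('mode' => 'error', 'error' => $db->get_error());
          }
          if ( $db->numrows() < 1 )
          {
            // No rule yet for this user on this page: still need the user_id
            $return['type'] = 'new';
            $q = $db->sql_query('SELECT user_id FROM ' . table_prefix.'users WHERE username=\'' . $db->escape($target_id) . '\';');
            if ( !$q )
            {
              return Array('mode' => 'error', 'error' => $db->get_error());
            }
            if ( $db->numrows() < 1 )
            {
              return Array('mode' => 'error', 'error' => $lang->get('acl_err_user_not_found'));
            }
            $row = $db->fetchrow();
            $return['current_perms'] = array();
          }
          else
          {
            $return['type'] = 'edit';
            $row = $db->fetchrow();
            $return['current_perms'] = $session->string_to_perm($row['rules']);
          }
          $db->free_result();
          $return['target_name'] = $target_id;
          $return['target_id'] = intval($row['user_id']);
          break;

        case ACL_TYPE_GROUP:
          $q = $db->sql_query('SELECT a.rules,g.group_name,g.group_id FROM ' . table_prefix.'groups AS g
              LEFT JOIN ' . table_prefix.'acl AS a
                ON a.target_id=g.group_id
              WHERE a.target_type='.ACL_TYPE_GROUP.'
                AND g.group_id=\''.intval($target_id).'\'
                ' . $page_where_clause . ';');
          if ( !$q )
          {
            return Array('mode' => 'error', 'error' => $db->get_error());
          }
          if ( $db->numrows() < 1 )
          {
            // No rule yet for this group on this page: still need the group's name
            $return['type'] = 'new';
            $q = $db->sql_query('SELECT group_id,group_name FROM ' . table_prefix.'groups WHERE group_id=\''.intval($target_id).'\';');
            if ( !$q )
            {
              return Array('mode' => 'error', 'error' => $db->get_error());
            }
            if ( $db->numrows() < 1 )
            {
              return Array('mode' => 'error', 'error' => $lang->get('acl_err_bad_group_id'));
            }
            $row = $db->fetchrow();
            $return['current_perms'] = array();
          }
          else
          {
            $return['type'] = 'edit';
            $row = $db->fetchrow();
            $return['current_perms'] = $session->string_to_perm($row['rules']);
          }
          $db->free_result();
          $return['target_name'] = $row['group_name'];
          $return['target_id'] = intval($row['group_id']);
          break;

        default:
          // Previously written as Array('mode'=>'error','error','Invalid ACL type ID'): the missing
          // "=>" put the message under key 1 and left the response without an 'error' key.
          return Array('mode' => 'error', 'error' => 'Invalid ACL type ID');
      }
      // Eliminate types that don't apply to this namespace
      $return = self::acl_filter_scope($return, $page_id, $namespace);
      return $return;

    case 'save_new':
    case 'save_edit':
      if ( defined('ENANO_DEMO_MODE') )
      {
        return Array('mode' => 'error', 'error' => $lang->get('acl_err_demo'));
      }
      // The rule is replaced by delete-then-insert. There is no transaction around the pair,
      // so a failed INSERT leaves the target with no rule at all.
      $q = $db->sql_query('DELETE FROM ' . table_prefix.'acl WHERE target_type='.intval($target_type).' AND target_id='.intval($target_id).'
        ' . $page_where_clause_lite . ';');
      if ( !$q )
      {
        return Array('mode' => 'error', 'error' => $db->get_error());
      }
      $perms = ( isset($parms['perms']) && is_array($parms['perms']) ) ? $parms['perms'] : Array();
      if ( sizeof($perms) < 1 )
      {
        // As of 1.1.x, this returns success because the rule length is zero if the user selected "inherit" in all columns
        return self::acl_response('success', $parms, $page_id, $namespace);
      }
      $rules = $session->perm_to_string($perms);
      if ( $page_id && $namespace )
      {
        $q = 'INSERT INTO ' . table_prefix.'acl ( target_type, target_id, page_id, namespace, rules )
          VALUES( '.intval($target_type).', '.intval($target_id).', \'' . $db->escape($page_id) . '\', \'' . $db->escape($namespace) . '\', \'' . $db->escape($rules) . '\' )';
      }
      else
      {
        $q = 'INSERT INTO ' . table_prefix.'acl ( target_type, target_id, rules )
          VALUES( '.intval($target_type).', '.intval($target_id).', \'' . $db->escape($rules) . '\' )';
      }
      if ( !$db->sql_query($q) )
      {
        return Array('mode' => 'error', 'error' => $db->get_error());
      }
      return self::acl_response('success', $parms, $page_id, $namespace);

    case 'delete':
      if ( defined('ENANO_DEMO_MODE') )
      {
        return Array('mode' => 'error', 'error' => $lang->get('acl_err_demo'));
      }
      $q = $db->sql_query('DELETE FROM ' . table_prefix.'acl WHERE target_type='.intval($target_type).' AND target_id='.intval($target_id).'
        ' . $page_where_clause_lite . ';');
      if ( !$q )
      {
        return Array('mode' => 'error', 'error' => $db->get_error());
      }
      return self::acl_response('delete', $parms, $page_id, $namespace);

    default:
      return Array('mode' => 'error', 'error' => 'Hacking attempt');
  }
  return $return;
}

/**
 * Drops from a 'seltarget' result every ACL type whose scope does not cover $namespace.
 * Types whose scope lists 'All' always survive; page groups (namespace '__PageGroup')
 * and requests without a page are left untouched.
 *
 * @param array $return the result being built by acl_editor()
 * @param string|false $page_id
 * @param string|false $namespace
 * @return array the filtered result
 */
private static function acl_filter_scope($return, $page_id, $namespace)
{
  global $session;

  if ( !$namespace || $namespace == '__PageGroup' )
  {
    return $return;
  }
  if ( !( $page_id != null && $namespace != null ) )
  {
    return $return;
  }
  foreach ( array_keys($return['current_perms']) as $i )
  {
    // An ACL type with no declared scope is treated as not applying here
    $scope = isset($session->acl_scope[$i]) ? $session->acl_scope[$i] : Array();
    if ( !in_array($namespace, $scope) && !in_array('All', $scope) )
    {
      unset($return['current_perms'][$i]);
      unset($return['acl_types'][$i]);
      unset($return['acl_descs'][$i]);
      unset($return['acl_deps'][$i]);
    }
  }
  return $return;
}

/**
 * Builds the response for a completed save or delete; target fields missing
 * from $parms come back as null.
 *
 * @param string $mode 'success' or 'delete'
 * @param array $parms the request parameters
 * @param string|false $page_id
 * @param string|false $namespace
 * @return array
 */
private static function acl_response($mode, $parms, $page_id, $namespace)
{
  return Array(
    'mode' => $mode,
    'target_type' => isset($parms['target_type']) ? $parms['target_type'] : null,
    'target_id' => isset($parms['target_id']) ? $parms['target_id'] : null,
    'target_name' => isset($parms['target_name']) ? $parms['target_name'] : null,
    'page_id' => $page_id,
    'namespace' => $namespace,
  );
}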
/**
+ − 1973
* Same as PageUtils::acl_editor(), but the parms are a JSON string instead of an array. This also returns a JSON string.
+ − 1974
* @param string $parms Same as PageUtils::acl_editor/$parms, but should be a valid JSON string.
+ − 1975
* @return string
+ − 1976
*/
+ − 1977
372
5bd429428101
A number of scattered changes. Profiler added and only enabled in debug mode (currently on), but awfully useful for fixing performance in the future. Started work on Admin:LangManager
Dan
diff
changeset
+ − 1978
/**
 * JSON wrapper around PageUtils::acl_editor().
 *
 * Decodes the request document, hands it to the array-based editor and
 * encodes the editor's reply, so the AJAX front end only ever exchanges
 * JSON strings with this class.
 *
 * @param string $parms JSON document in the layout PageUtils::acl_editor() expects
 * @return string JSON-encoded editor response
 */
public static function acl_json($parms = '{ }')
{
    global $db, $session, $paths, $template, $plugins; // Common objects

    // The request body is untrusted text; decode it before the editor sees it
    $request = enano_json_decode($parms);
    $response = PageUtils::acl_editor($request);

    return enano_json_encode($response);
}
/**
* A non-Javascript frontend for the ACL API.
* @param array $parms The request data, if any; it must be in the format required by PageUtils::acl_editor()
*/
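/**
 * Non-Javascript front end for the ACL editor.
 *
 * Runs the posted form data through acl_preprocess(), the acl_editor()
 * backend and acl_postprocess(), then renders the stage the backend answered
 * with (target selection, rule editor, save/delete confirmation, or an error
 * page) inside the site template.
 *
 * Every value that originates from the request or from the backend reply
 * (target name/id/type, page id, namespace, group ids and names) is passed
 * through htmlspecialchars() before it is written into HTML attributes or
 * text; this previously only happened for page-group names. Language strings
 * are site-controlled and are emitted exactly as before. The two "scope"
 * radio buttons also get the closing </label> tag that was missing.
 *
 * @param array $parms Request data in the layout PageUtils::acl_editor() expects
 * @return void Output is echoed; on an error reply die_friendly() ends the request
 */
public static function aclmanager($parms)
{
    global $db, $session, $paths, $template, $plugins; // Common objects
    global $lang;

    ob_start();

    // Convenience: every stage posts back to this same handler
    $formstart = '<form
        action="' . makeUrl($paths->page, 'do=aclmanager', true) . '"
        method="post" enctype="multipart/form-data"
        onsubmit="if(!submitAuthorized) return false;"
        >';
    $formend = '</form>';

    $parms = PageUtils::acl_preprocess($parms);
    $response = PageUtils::acl_editor($parms);
    $response = PageUtils::acl_postprocess($response);

    switch ( $response['mode'] )
    {
        case 'debug':
            echo '<pre>' . htmlspecialchars($response['text']) . '</pre>';
            break;

        case 'stage1':
            // Stage 1: choose the user or group the rule applies to, and the scope
            echo '<h3>' . $lang->get('acl_lbl_welcome_title') . '</h3>
                  <p>' . $lang->get('acl_lbl_welcome_body') . '</p>';
            echo $formstart;
            echo '<p><label><input type="radio" name="data[target_type]" value="' . ACL_TYPE_GROUP . '" checked="checked" /> ' . $lang->get('acl_radio_usergroup') . '</label></p>
                  <p><select name="data[target_id_grp]">';
            foreach ( $response['groups'] as $group )
            {
                // Group names come from the database; escape them like the page-group names below
                echo '<option value="' . htmlspecialchars($group['id']) . '">' . htmlspecialchars($group['name']) . '</option>';
            }

            // Page group selector, only offered when at least one page group exists
            $groupsel = '';
            if ( isset($response['page_groups']) && count($response['page_groups']) > 0 )
            {
                $groupsel = '<p><label><input type="radio" name="data[scope]" value="page_group" /> ' . $lang->get('acl_radio_scope_pagegroup') . '</label></p>
                  <p><select name="data[pg_id]">';
                foreach ( $response['page_groups'] as $grp )
                {
                    $groupsel .= '<option value="' . htmlspecialchars($grp['id']) . '">' . htmlspecialchars($grp['name']) . '</option>';
                }
                $groupsel .= '</select></p>';
            }

            echo '</select></p>
                  <p><label><input type="radio" name="data[target_type]" value="' . ACL_TYPE_USER . '" /> ' . $lang->get('acl_radio_user') . '</label></p>
                  <p>' . $template->username_field('data[target_id_user]') . '</p>
                  <p>' . $lang->get('acl_lbl_scope') . '</p>
                  <p><label><input name="data[scope]" value="only_this" type="radio" checked="checked" /> ' . $lang->get('acl_radio_scope_thispage') . '</label></p>
                  ' . $groupsel . '
                  <p><label><input name="data[scope]" value="entire_site" type="radio" /> ' . $lang->get('acl_radio_scope_wholesite') . '</label></p>
                  <div style="margin: 0 auto 0 0; text-align: right;">
                  <input name="data[mode]" value="seltarget" type="hidden" />
                  <input type="hidden" name="data[page_id]" value="' . htmlspecialchars($paths->page_id) . '" />
                  <input type="hidden" name="data[namespace]" value="' . htmlspecialchars($paths->namespace) . '" />
                  <input type="submit" value="' . htmlspecialchars($lang->get('etc_wizard_next')) . '" />
                  </div>';
            echo $formend;
            break;

        case 'success':
        case 'delete':
            // Both confirmations render the same form; only the message differs
            $deleted = ( $response['mode'] == 'delete' );
            $title = $lang->get($deleted ? 'acl_lbl_delete_success_title' : 'acl_lbl_save_success_title');
            // NOTE(review): assumes $lang->get() does not escape substitutions itself — confirm
            $body = $lang->get($deleted ? 'acl_lbl_delete_success_body' : 'acl_lbl_save_success_body', array( 'target_name' => htmlspecialchars($response['target_name']) ));
            // Users are re-identified by name, groups by id; the same value is posted in both fields
            $target_value = htmlspecialchars( ( intval($response['target_type']) == ACL_TYPE_USER ) ? $response['target_name'] : $response['target_id'] );
            echo '<div class="info-box">
                  <b>' . $title . '</b><br />
                  ' . $body . '<br />
                  ' . $formstart . '
                  <input type="hidden" name="data[mode]" value="seltarget" />
                  <input type="hidden" name="data[target_type]" value="' . htmlspecialchars($response['target_type']) . '" />
                  <input type="hidden" name="data[target_id_user]" value="' . $target_value . '" />
                  <input type="hidden" name="data[target_id_grp]" value="' . $target_value . '" />
                  <input type="hidden" name="data[scope]" value="' . ( ( $response['page_id'] ) ? 'only_this' : 'entire_site' ) . '" />
                  <input type="hidden" name="data[page_id]" value="' . ( ( $response['page_id'] ) ? htmlspecialchars($response['page_id']) : 'false' ) . '" />
                  <input type="hidden" name="data[namespace]" value="' . ( ( $response['namespace'] ) ? htmlspecialchars($response['namespace']) : 'false' ) . '" />
                  <input type="submit" value="' . $lang->get('acl_btn_returnto_editor') . '" /> <input type="submit" name="data[act_go_stage1]" value="' . $lang->get('acl_btn_returnto_userscope') . '" />
                  ' . $formend . '
                  </div>';
            break;

        case 'seltarget':
            // Stage 2: the rule editor, either for an existing rule or a new one
            $editing = ( $response['type'] == 'edit' );
            echo '<h3>' . $lang->get($editing ? 'acl_lbl_editwin_title_edit' : 'acl_lbl_editwin_title_create') . '</h3>';

            $type = ( $response['target_type'] == ACL_TYPE_GROUP ) ? $lang->get('acl_target_type_group') : $lang->get('acl_target_type_user');
            if ( $response['page_id'] )
            {
                $scope = ( $response['namespace'] == '__PageGroup' ) ? $lang->get('acl_scope_type_pagegroup') : $lang->get('acl_scope_type_thispage');
            }
            else
            {
                $scope = $lang->get('acl_scope_type_wholesite');
            }
            // NOTE(review): assumes $lang->get() does not escape substitutions itself — confirm
            $subs = array(
                'target_type' => $type,
                'target' => htmlspecialchars($response['target_name']),
                'scope_type' => $scope
            );
            echo $lang->get('acl_lbl_editwin_body', $subs);
            echo $formstart;

            $parser = $template->makeParserText( $response['template']['acl_field_begin'] );
            echo $parser->run();
            $parser = $template->makeParserText( $response['template']['acl_field_item'] );
            $cls = 'row2';
            foreach ( $response['acl_types'] as $acl_type => $value )
            {
                $vars = Array(
                    'FIELD_INHERIT_CHECKED' => '',
                    'FIELD_DENY_CHECKED' => '',
                    'FIELD_DISALLOW_CHECKED' => '',
                    'FIELD_WIKIMODE_CHECKED' => '',
                    'FIELD_ALLOW_CHECKED' => '',
                );
                // Alternate row colours
                $cls = ( $cls == 'row1' ) ? 'row2' : 'row1';
                $vars['ROW_CLASS'] = $cls;

                // Pre-select the radio matching the rule in force; anything unrecognised shows as "inherit"
                switch ( $response['current_perms'][$acl_type] )
                {
                    case 'i':
                    default:
                        $vars['FIELD_INHERIT_CHECKED'] = 'checked="checked"';
                        break;
                    case AUTH_ALLOW:
                        $vars['FIELD_ALLOW_CHECKED'] = 'checked="checked"';
                        break;
                    case AUTH_WIKIMODE:
                        $vars['FIELD_WIKIMODE_CHECKED'] = 'checked="checked"';
                        break;
                    case AUTH_DISALLOW:
                        $vars['FIELD_DISALLOW_CHECKED'] = 'checked="checked"';
                        break;
                    case AUTH_DENY:
                        $vars['FIELD_DENY_CHECKED'] = 'checked="checked"';
                        break;
                }
                $vars['FIELD_NAME'] = 'data[perms][' . $acl_type . ']';
                // A bare identifier is a language-string key; anything else is a literal description
                if ( preg_match('/^([a-z0-9_]+)$/', $response['acl_descs'][$acl_type]) )
                {
                    $vars['FIELD_DESC'] = $lang->get($response['acl_descs'][$acl_type]);
                }
                else
                {
                    $vars['FIELD_DESC'] = $response['acl_descs'][$acl_type];
                }
                $parser->assign_vars($vars);
                echo $parser->run();
            }
            $parser = $template->makeParserText( $response['template']['acl_field_end'] );
            echo $parser->run();

            if ( $editing )
            {
                $buttons = '<input type="submit" value="' . $lang->get('etc_save_changes') . '" /> <input type="submit" name="data[act_delete_rule]" value="' . $lang->get('acl_btn_deleterule') . '" style="color: #AA0000;" onclick="return confirm(\'' . addslashes($lang->get('acl_msg_deleterule_confirm')) . '\');" />';
            }
            else
            {
                $buttons = '<input type="submit" value="' . $lang->get('acl_btn_createrule') . '" />';
            }
            echo '<div style="margin: 10px auto 0 0; text-align: right;">
                  <input name="data[mode]" value="save_' . htmlspecialchars($response['type']) . '" type="hidden" />
                  <input type="hidden" name="data[page_id]" value="' . ( ( $response['page_id'] ) ? htmlspecialchars($response['page_id']) : 'false' ) . '" />
                  <input type="hidden" name="data[namespace]" value="' . ( ( $response['namespace'] ) ? htmlspecialchars($response['namespace']) : 'false' ) . '" />
                  <input type="hidden" name="data[target_type]" value="' . htmlspecialchars($response['target_type']) . '" />
                  <input type="hidden" name="data[target_id]" value="' . htmlspecialchars($response['target_id']) . '" />
                  <input type="hidden" name="data[target_name]" value="' . htmlspecialchars($response['target_name']) . '" />
                  ' . $buttons . '
                  </div>';
            echo $formend;
            break;

        case 'error':
            // Discard whatever was buffered; die_friendly() renders its own page
            ob_end_clean();
            die_friendly('Error occurred', '<p>Error returned by permissions API:</p><pre>' . htmlspecialchars($response['error']) . '</pre>');
            break;
    }

    $ret = ob_get_contents();
    ob_end_clean();

    echo $template->getHeader() . $ret . $template->getFooter();
}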
/**
* Preprocessor to turn the form-submitted data from the ACL editor into something the backend can handle
* @param array The posted data
* @return array
* @access private
*/
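/**
 * Turns the data posted by the non-Javascript ACL form into the array layout
 * PageUtils::acl_editor() expects.
 *
 * 'seltarget' resolves which of the two target-id fields applies and then
 * falls through into the 'save_*' handling, which maps the "delete rule"
 * button to mode 'delete' and normalises the scope fields. The "back to
 * stage 1" button overrides everything with a bare 'listgroups' request.
 *
 * The input is untrusted form data: every optional key is read through
 * isset() with a default, so a missing field behaves like an empty one
 * instead of raising a PHP notice, and a non-array input is returned as-is.
 *
 * @param array $parms The posted data
 * @return array
 * @access private
 */
public static function acl_preprocess($parms)
{
    if ( !is_array($parms) || !isset($parms['mode']) )
    {
        // Nothing to do
        return $parms;
    }

    switch ( $parms['mode'] )
    {
        case 'seltarget':
            // Who's affected? Groups are posted as an id, users as a name
            $parms['target_type'] = isset($parms['target_type']) ? intval($parms['target_type']) : 0;
            if ( $parms['target_type'] == ACL_TYPE_GROUP )
            {
                $parms['target_id'] = isset($parms['target_id_grp']) ? $parms['target_id_grp'] : null;
            }
            else
            {
                $parms['target_id'] = isset($parms['target_id_user']) ? $parms['target_id_user'] : null;
            }
            // Deliberate fall-through: the scope handling below applies to stage 1 as well

        case 'save_edit':
        case 'save_new':
            if ( isset($parms['act_delete_rule']) )
            {
                $parms['mode'] = 'delete';
            }

            $scope = isset($parms['scope']) ? $parms['scope'] : '';
            $page_id = isset($parms['page_id']) ? $parms['page_id'] : 'false';
            $namespace = isset($parms['namespace']) ? $parms['namespace'] : 'false';

            // Scope (just this page, a page group, or the entire site?)
            if ( $scope == 'entire_site' || ( $page_id == 'false' && $namespace == 'false' ) )
            {
                $parms['page_id'] = false;
                $parms['namespace'] = false;
            }
            else if ( $scope == 'page_group' )
            {
                $parms['page_id'] = isset($parms['pg_id']) ? $parms['pg_id'] : null;
                $parms['namespace'] = '__PageGroup';
            }

            break;
    }

    if ( isset($parms['act_go_stage1']) )
    {
        $parms = array(
            'mode' => 'listgroups'
        );
    }

    return $parms;
}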
/**
 * Normalises a reply from the ACL backend so the front end always sees a 'mode'.
 *
 * A reply that already carries a mode is returned untouched. A mode-less
 * reply with a 'groups' list is the stage-1 group listing; any other
 * mode-less reply is replaced by an error response.
 *
 * @param array $response Raw reply from PageUtils::acl_editor()
 * @return array Reply with a 'mode' key guaranteed
 */
public static function acl_postprocess($response)
{
    if ( isset($response['mode']) )
    {
        return $response;
    }

    if ( !isset($response['groups']) )
    {
        return Array(
            'mode' => 'error',
            'error' => 'Invalid action passed by API backend.',
        );
    }

    $response['mode'] = 'stage1';
    return $response;
}
}
?>