author | Dan |
Mon, 29 Oct 2007 21:27:11 -0400 | |
changeset 217 | 2b13497fe820 |
parent 214 | a6ed8b6cdbe1 |
child 218 | e878bcf0227e |
permissions | -rw-r--r-- |
1 | 1 |
<?php |
166
d53cc29308f4
Rebrand as 1.1.1; everything should now be bumped to "unstable" status
Dan
parents:
158
diff
changeset
|
2 |
|
1 | 3 |
/* |
4 |
* Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between |
|
166
d53cc29308f4
Rebrand as 1.1.1; everything should now be bumped to "unstable" status
Dan
parents:
158
diff
changeset
|
5 |
* Version 1.1.1 |
1 | 6 |
* Copyright (C) 2006-2007 Dan Fuhry |
7 |
* pageutils.php - a class that handles raw page manipulations, used mostly by AJAX requests or their old-fashioned form-based counterparts |
|
8 |
* |
|
9 |
* This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License |
|
10 |
* as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. |
|
11 |
* |
|
12 |
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied |
|
13 |
* warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for details. |
|
14 |
*/ |
|
15 |
||
16 |
class PageUtils { |
|
17 |
||
18 |
/** |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
19 |
* Tell if a username is used or not. |
1 | 20 |
* @param $name the name to check for |
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
21 |
* @return string |
1 | 22 |
*/ |
23 |
||
24 |
function checkusername($name) |
|
25 |
{ |
|
26 |
global $db, $session, $paths, $template, $plugins; // Common objects |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
27 |
$q = $db->sql_query('SELECT username FROM ' . table_prefix.'users WHERE username=\'' . $db->escape(rawurldecode($name)) . '\''); |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
28 |
if ( !$q ) |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
29 |
{ |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
30 |
die(mysql_error()); |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
31 |
} |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
32 |
if ( $db->numrows() < 1) |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
33 |
{ |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
34 |
$db->free_result(); return('good'); |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
35 |
} |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
36 |
else |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
37 |
{ |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
38 |
$db->free_result(); return('bad'); |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
39 |
} |
1 | 40 |
} |
41 |
||
42 |
/** |
|
43 |
* Get the wiki formatting source for a page |
|
44 |
* @param $page the full page id (Namespace:Pagename) |
|
45 |
* @return string |
|
46 |
* @todo (DONE) Make it require a password (just for security purposes) |
|
47 |
*/ |
|
48 |
||
49 |
function getsource($page, $password = false) |
|
50 |
{ |
|
51 |
global $db, $session, $paths, $template, $plugins; // Common objects |
|
52 |
if(!isset($paths->pages[$page])) |
|
53 |
{ |
|
54 |
return ''; |
|
55 |
} |
|
56 |
||
57 |
if(strlen($paths->pages[$page]['password']) == 40) |
|
58 |
{ |
|
59 |
if(!$password || ( $password != $paths->pages[$page]['password'])) |
|
60 |
{ |
|
61 |
return 'invalid_password'; |
|
62 |
} |
|
63 |
} |
|
64 |
||
65 |
if(!$session->get_permissions('view_source')) // Dependencies handle this for us - this also checks for read privileges |
|
66 |
return 'access_denied'; |
|
67 |
$pid = RenderMan::strToPageID($page); |
|
68 |
if($pid[1] == 'Special' || $pid[1] == 'Admin') |
|
69 |
{ |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
70 |
die('This type of page (' . $paths->nslist[$pid[1]] . ') cannot be edited because the page source code is not stored in the database.'); |
1 | 71 |
} |
72 |
||
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
73 |
$e = $db->sql_query('SELECT page_text,char_tag FROM ' . table_prefix.'page_text WHERE page_id=\'' . $pid[0] . '\' AND namespace=\'' . $pid[1] . '\''); |
1 | 74 |
if ( !$e ) |
75 |
{ |
|
76 |
$db->_die('The page text could not be selected.'); |
|
77 |
} |
|
78 |
if( $db->numrows() < 1 ) |
|
79 |
{ |
|
80 |
return ''; //$db->_die('There were no rows in the text table that matched the page text query.'); |
|
81 |
} |
|
82 |
||
83 |
$r = $db->fetchrow(); |
|
84 |
$db->free_result(); |
|
85 |
$message = $r['page_text']; |
|
86 |
||
87 |
return htmlspecialchars($message); |
|
88 |
} |
|
89 |
||
90 |
/** |
|
91 |
* Basically a frontend to RenderMan::getPage(), with the ability to send valid data for nonexistent pages |
|
92 |
* @param $page the full page id (Namespace:Pagename) |
|
93 |
* @param $send_headers true if the theme headers should be sent (still dependent on current page settings), false otherwise |
|
94 |
* @return string |
|
95 |
*/ |
|
96 |
||
97 |
function getpage($page, $send_headers = false, $hist_id = false) |
|
98 |
{ |
|
99 |
die('PageUtils->getpage is deprecated.'); |
|
100 |
global $db, $session, $paths, $template, $plugins; // Common objects |
|
101 |
ob_start(); |
|
102 |
$pid = RenderMan::strToPageID($page); |
|
103 |
//die('<pre>'.print_r($pid, true).'</pre>'); |
|
104 |
if(isset($paths->pages[$page]['password']) && strlen($paths->pages[$page]['password']) == 40) |
|
105 |
{ |
|
106 |
password_prompt($page); |
|
107 |
} |
|
108 |
if(isset($paths->pages[$page])) |
|
109 |
{ |
|
110 |
doStats($pid[0], $pid[1]); |
|
111 |
} |
|
112 |
if($paths->custom_page || $pid[1] == 'Special') |
|
113 |
{ |
|
114 |
// If we don't have access to the page, get out and quick! |
|
115 |
if(!$session->get_permissions('read') && $pid[0] != 'Login' && $pid[0] != 'Register') |
|
116 |
{ |
|
117 |
$template->tpl_strings['PAGE_NAME'] = 'Access denied'; |
|
118 |
||
119 |
if ( $send_headers ) |
|
120 |
{ |
|
121 |
$template->header(); |
|
122 |
} |
|
123 |
||
124 |
echo '<div class="error-box"><b>Access to this page is denied.</b><br />This may be because you are not logged in or you have not met certain criteria for viewing this page.</div>'; |
|
125 |
||
126 |
if ( $send_headers ) |
|
127 |
{ |
|
128 |
$template->footer(); |
|
129 |
} |
|
130 |
||
131 |
$r = ob_get_contents(); |
|
132 |
ob_end_clean(); |
|
133 |
return $r; |
|
134 |
} |
|
135 |
||
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
136 |
$fname = 'page_' . $pid[1] . '_' . $paths->pages[$page]['urlname_nons']; |
1 | 137 |
@call_user_func($fname); |
138 |
||
139 |
} |
|
140 |
else if ( $pid[1] == 'Admin' ) |
|
141 |
{ |
|
142 |
// If we don't have access to the page, get out and quick! |
|
143 |
if(!$session->get_permissions('read')) |
|
144 |
{ |
|
145 |
$template->tpl_strings['PAGE_NAME'] = 'Access denied'; |
|
146 |
if ( $send_headers ) |
|
147 |
{ |
|
148 |
$template->header(); |
|
149 |
} |
|
150 |
echo '<div class="error-box"><b>Access to this page is denied.</b><br />This may be because you are not logged in or you have not met certain criteria for viewing this page.</div>'; |
|
151 |
if ( $send_headers ) |
|
152 |
{ |
|
153 |
$template->footer(); |
|
154 |
} |
|
155 |
$r = ob_get_contents(); |
|
156 |
ob_end_clean(); |
|
157 |
return $r; |
|
158 |
} |
|
159 |
||
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
160 |
$fname = 'page_' . $pid[1] . '_' . $pid[0]; |
1 | 161 |
if ( !function_exists($fname) ) |
162 |
{ |
|
163 |
$title = 'Page backend not found'; |
|
164 |
$message = "The administration page you are looking for was properly registered using the page API, but the backend function |
|
165 |
(<tt>$fname</tt>) was not found. If this is a plugin page, then this is almost certainly a bug with the plugin."; |
|
166 |
if ( $send_headers ) |
|
167 |
{ |
|
168 |
die_friendly($title, "<p>$message</p>"); |
|
169 |
} |
|
170 |
else |
|
171 |
{ |
|
172 |
echo "<h2>$title</h2>\n<p>$message</p>"; |
|
173 |
} |
|
174 |
} |
|
175 |
@call_user_func($fname); |
|
176 |
} |
|
177 |
else if ( !isset( $paths->pages[$page] ) ) |
|
178 |
{ |
|
179 |
ob_start(); |
|
180 |
$code = $plugins->setHook('page_not_found'); |
|
181 |
foreach ( $code as $cmd ) |
|
182 |
{ |
|
183 |
eval($cmd); |
|
184 |
} |
|
185 |
$text = ob_get_contents(); |
|
186 |
if ( $text != '' ) |
|
187 |
{ |
|
188 |
ob_end_clean(); |
|
189 |
return $text; |
|
190 |
} |
|
191 |
$template->header(); |
|
192 |
if($m = $paths->sysmsg('Page_not_found')) |
|
193 |
{ |
|
194 |
eval('?>'.RenderMan::render($m)); |
|
195 |
} |
|
196 |
else |
|
197 |
{ |
|
198 |
header('HTTP/1.1 404 Not Found'); |
|
199 |
echo '<h3>There is no page with this title yet.</h3> |
|
200 |
<p>You have requested a page that doesn\'t exist yet.'; |
|
201 |
if($session->get_permissions('create_page')) echo ' You can <a href="'.makeUrl($paths->page, 'do=edit', true).'" onclick="ajaxEditor(); return false;">create this page</a>, or return to the <a href="'.makeUrl(getConfig('main_page')).'">homepage</a>.'; |
|
202 |
else echo ' Return to the <a href="'.makeUrl(getConfig('main_page')).'">homepage</a>.</p>'; |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
203 |
if ( $session->get_permissions('history_rollback') ) |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
204 |
{ |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
205 |
$e = $db->sql_query('SELECT * FROM ' . table_prefix.'logs WHERE action=\'delete\' AND page_id=\'' . $paths->cpage['urlname_nons'] . '\' AND namespace=\'' . $pid[1] . '\' ORDER BY time_id DESC;'); |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
206 |
if ( !$e ) |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
207 |
{ |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
208 |
$db->_die('The deletion log could not be selected.'); |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
209 |
} |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
210 |
if ($db->numrows() > 0 ) |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
211 |
{ |
1 | 212 |
$r = $db->fetchrow(); |
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
213 |
echo '<p>This page also appears to have some log entries in the database - it seems that it was deleted on ' . $r['date_string'] . '. You can probably <a href="'.makeUrl($paths->page, 'do=rollback&id=' . $r['time_id']) . '" onclick="ajaxRollback(\'' . $r['time_id'] . '\'); return false;">roll back</a> the deletion.</p>'; |
1 | 214 |
} |
215 |
$db->free_result(); |
|
216 |
} |
|
217 |
echo '<p> |
|
218 |
HTTP Error: 404 Not Found |
|
219 |
</p>'; |
|
220 |
} |
|
221 |
$template->footer(); |
|
222 |
} |
|
223 |
else |
|
224 |
{ |
|
225 |
||
226 |
// If we don't have access to the page, get out and quick! |
|
227 |
if(!$session->get_permissions('read')) |
|
228 |
{ |
|
229 |
$template->tpl_strings['PAGE_NAME'] = 'Access denied'; |
|
230 |
if($send_headers) $template->header(); |
|
231 |
echo '<div class="error-box"><b>Access to this page is denied.</b><br />This may be because you are not logged in or you have not met certain criteria for viewing this page.</div>'; |
|
232 |
if($send_headers) $template->footer(); |
|
233 |
$r = ob_get_contents(); |
|
234 |
ob_end_clean(); |
|
235 |
return $r; |
|
236 |
} |
|
237 |
||
238 |
ob_start(); |
|
239 |
$code = $plugins->setHook('page_custom_handler'); |
|
240 |
foreach ( $code as $cmd ) |
|
241 |
{ |
|
242 |
eval($cmd); |
|
243 |
} |
|
244 |
$text = ob_get_contents(); |
|
245 |
if ( $text != '' ) |
|
246 |
{ |
|
247 |
ob_end_clean(); |
|
248 |
return $text; |
|
249 |
} |
|
250 |
||
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
251 |
if ( $hist_id ) |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
252 |
{ |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
253 |
$e = $db->sql_query('SELECT page_text,date_string,char_tag FROM ' . table_prefix.'logs WHERE page_id=\'' . $paths->pages[$page]['urlname_nons'] . '\' AND namespace=\'' . $pid[1] . '\' AND log_type=\'page\' AND action=\'edit\' AND time_id=' . $db->escape($hist_id) . ''); |
1 | 254 |
if($db->numrows() < 1) |
255 |
{ |
|
256 |
$db->_die('There were no rows in the text table that matched the page text query.'); |
|
257 |
} |
|
258 |
$r = $db->fetchrow(); |
|
259 |
$db->free_result(); |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
260 |
$message = '<div class="info-box" style="margin-left: 0; margin-top: 5px;"><b>Notice:</b><br />The page you are viewing was archived on ' . $r['date_string'] . '.<br /><a href="'.makeUrl($page).'" onclick="ajaxReset(); return false;">View current version</a> | <a href="'.makeUrl($page, 'do=rollback&id=' . $hist_id) . '" onclick="ajaxRollback(\'' . $hist_id . '\')">Restore this version</a></div><br />'.RenderMan::render($r['page_text']); |
1 | 261 |
|
262 |
if( !$paths->pages[$page]['special'] ) |
|
263 |
{ |
|
264 |
if($send_headers) |
|
265 |
{ |
|
266 |
$template->header(); |
|
267 |
} |
|
268 |
display_page_headers(); |
|
269 |
} |
|
270 |
||
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
271 |
eval('?>' . $message); |
1 | 272 |
|
273 |
if( !$paths->pages[$page]['special'] ) |
|
274 |
{ |
|
275 |
display_page_footers(); |
|
276 |
if($send_headers) |
|
277 |
{ |
|
278 |
$template->footer(); |
|
279 |
} |
|
280 |
} |
|
281 |
||
282 |
} else { |
|
283 |
if(!$paths->pages[$page]['special']) |
|
284 |
{ |
|
285 |
$message = RenderMan::getPage($paths->pages[$page]['urlname_nons'], $pid[1]); |
|
286 |
} |
|
287 |
else |
|
288 |
{ |
|
289 |
$message = RenderMan::getPage($paths->pages[$page]['urlname_nons'], $pid[1], 0, false, false, false, false); |
|
290 |
} |
|
291 |
// This line is used to debug wikiformatted code |
|
292 |
// die('<pre>'.htmlspecialchars($message).'</pre>'); |
|
293 |
||
294 |
if( !$paths->pages[$page]['special'] ) |
|
295 |
{ |
|
296 |
if($send_headers) |
|
297 |
{ |
|
298 |
$template->header(); |
|
299 |
} |
|
300 |
display_page_headers(); |
|
301 |
} |
|
302 |
||
303 |
// This is it, this is what all of Enano has been working up to... |
|
304 |
||
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
305 |
eval('?>' . $message); |
1 | 306 |
|
307 |
if( !$paths->pages[$page]['special'] ) |
|
308 |
{ |
|
309 |
display_page_footers(); |
|
310 |
if($send_headers) |
|
311 |
{ |
|
312 |
$template->footer(); |
|
313 |
} |
|
314 |
} |
|
315 |
} |
|
316 |
} |
|
317 |
$ret = ob_get_contents(); |
|
318 |
ob_end_clean(); |
|
319 |
return $ret; |
|
320 |
} |
|
321 |
||
322 |
/** |
|
323 |
* Writes page data to the database, after verifying permissions and running the XSS filter |
|
324 |
* @param $page_id the page ID |
|
325 |
* @param $namespace the namespace |
|
326 |
* @param $message the text to save |
|
327 |
* @return string |
|
328 |
*/ |
|
329 |
||
330 |
function savepage($page_id, $namespace, $message, $summary = 'No edit summary given', $minor = false) |
|
331 |
{ |
|
332 |
global $db, $session, $paths, $template, $plugins; // Common objects |
|
333 |
$uid = sha1(microtime()); |
|
334 |
$pname = $paths->nslist[$namespace] . $page_id; |
|
335 |
||
336 |
if(!$session->get_permissions('edit_page')) |
|
337 |
return 'Access to edit pages is denied.'; |
|
338 |
||
339 |
if(!isset($paths->pages[$pname])) |
|
340 |
{ |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
341 |
$create = PageUtils::createPage($page_id, $namespace); |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
342 |
if ( $create != 'good' ) |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
343 |
return 'The page did not exist, and I was not able to create it. The reported error was: ' . $create; |
21
663fcf528726
Updated all version numbers back to Banshee; a few preliminary steps towards full UTF-8 support in page URLs
Dan
parents:
19
diff
changeset
|
344 |
$paths->page_exists = true; |
1 | 345 |
} |
346 |
||
347 |
$prot = ( ( $paths->pages[$pname]['protected'] == 2 && $session->user_logged_in && $session->reg_time + 60*60*24*4 < time() ) || $paths->pages[$pname]['protected'] == 1) ? true : false; |
|
348 |
$wiki = ( ( $paths->pages[$pname]['wiki_mode'] == 2 && getConfig('wiki_mode') == '1') || $paths->pages[$pname]['wiki_mode'] == 1) ? true : false; |
|
349 |
if(($prot || !$wiki) && $session->user_level < USER_LEVEL_ADMIN ) return('You are not authorized to edit this page.'); |
|
350 |
||
21
663fcf528726
Updated all version numbers back to Banshee; a few preliminary steps towards full UTF-8 support in page URLs
Dan
parents:
19
diff
changeset
|
351 |
// Strip potentially harmful tags and PHP from the message, dependent upon permissions settings |
1 | 352 |
$message = RenderMan::preprocess_text($message, false, false); |
353 |
||
21
663fcf528726
Updated all version numbers back to Banshee; a few preliminary steps towards full UTF-8 support in page URLs
Dan
parents:
19
diff
changeset
|
354 |
$msg = $db->escape($message); |
1 | 355 |
|
356 |
$minor = $minor ? 'true' : 'false'; |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
357 |
$q='INSERT INTO ' . table_prefix.'logs(log_type,action,time_id,date_string,page_id,namespace,page_text,char_tag,author,edit_summary,minor_edit) VALUES(\'page\', \'edit\', '.time().', \''.date('d M Y h:i a').'\', \'' . $paths->cpage['urlname_nons'] . '\', \'' . $paths->namespace . '\', \'' . $msg . '\', \'' . $uid . '\', \'' . $session->username . '\', \'' . $db->escape(htmlspecialchars($summary)) . '\', ' . $minor . ');'; |
1 | 358 |
if(!$db->sql_query($q)) $db->_die('The history (log) entry could not be inserted into the logs table.'); |
359 |
||
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
360 |
$q = 'UPDATE ' . table_prefix.'page_text SET page_text=\'' . $msg . '\',char_tag=\'' . $uid . '\' WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\';'; |
1 | 361 |
$e = $db->sql_query($q); |
362 |
if(!$e) $db->_die('Enano was unable to save the page contents. Your changes have been lost <tt>:\'(</tt>.'); |
|
363 |
||
364 |
$paths->rebuild_page_index($page_id, $namespace); |
|
365 |
||
366 |
return 'good'; |
|
367 |
} |
|
368 |
||
369 |
/** |
|
370 |
* Creates a page, both in memory and in the database. |
|
371 |
* @param string $page_id |
|
372 |
* @param string $namespace |
|
373 |
* @return bool true on success, false on failure |
|
374 |
*/ |
|
375 |
||
376 |
function createPage($page_id, $namespace, $name = false, $visible = 1) |
|
377 |
{ |
|
378 |
global $db, $session, $paths, $template, $plugins; // Common objects |
|
379 |
if(in_array($namespace, Array('Special', 'Admin'))) |
|
380 |
{ |
|
381 |
// echo '<b>Notice:</b> PageUtils::createPage: You can\'t create a special page in the database<br />'; |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
382 |
return 'You can\'t create a special page in the database'; |
1 | 383 |
} |
384 |
||
385 |
if(!isset($paths->nslist[$namespace])) |
|
386 |
{ |
|
387 |
// echo '<b>Notice:</b> PageUtils::createPage: Couldn\'t look up the namespace<br />'; |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
388 |
return 'Couldn\'t look up the namespace'; |
1 | 389 |
} |
390 |
||
391 |
$pname = $paths->nslist[$namespace] . $page_id; |
|
392 |
if(isset($paths->pages[$pname])) |
|
393 |
{ |
|
394 |
// echo '<b>Notice:</b> PageUtils::createPage: Page already exists<br />'; |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
395 |
return 'Page already exists'; |
1 | 396 |
} |
397 |
||
398 |
if(!$session->get_permissions('create_page')) |
|
399 |
{ |
|
400 |
// echo '<b>Notice:</b> PageUtils::createPage: Not authorized to create pages<br />'; |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
401 |
return 'Not authorized to create pages'; |
1 | 402 |
} |
403 |
||
404 |
if($session->user_level < USER_LEVEL_ADMIN && $namespace == 'System') |
|
405 |
{ |
|
406 |
// echo '<b>Notice:</b> PageUtils::createPage: Not authorized to create system messages<br />'; |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
407 |
return 'Not authorized to create system messages'; |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
408 |
} |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
409 |
|
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
410 |
if ( substr($page_id, 0, 8) == 'Project:' ) |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
411 |
{ |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
412 |
// echo '<b>Notice:</b> PageUtils::createPage: Prefix "Project:" is reserved<br />'; |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
413 |
return 'The prefix "Project:" is reserved for a parser shortcut; if a page was created using this prefix, it would not be possible to link to it.'; |
1 | 414 |
} |
415 |
||
21
663fcf528726
Updated all version numbers back to Banshee; a few preliminary steps towards full UTF-8 support in page URLs
Dan
parents:
19
diff
changeset
|
416 |
$page_id = dirtify_page_id($page_id); |
663fcf528726
Updated all version numbers back to Banshee; a few preliminary steps towards full UTF-8 support in page URLs
Dan
parents:
19
diff
changeset
|
417 |
|
1 | 418 |
if ( !$name ) |
419 |
$name = str_replace('_', ' ', $page_id); |
|
420 |
$regex = '#^([A-z0-9 _\-\.\/\!\@\(\)]*)$#is'; |
|
421 |
if(!preg_match($regex, $page)) |
|
422 |
{ |
|
423 |
//echo '<b>Notice:</b> PageUtils::createPage: Name contains invalid characters<br />'; |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
424 |
return 'Name contains invalid characters'; |
1 | 425 |
} |
426 |
||
21
663fcf528726
Updated all version numbers back to Banshee; a few preliminary steps towards full UTF-8 support in page URLs
Dan
parents:
19
diff
changeset
|
427 |
$page_id = sanitize_page_id( $page_id ); |
663fcf528726
Updated all version numbers back to Banshee; a few preliminary steps towards full UTF-8 support in page URLs
Dan
parents:
19
diff
changeset
|
428 |
|
1 | 429 |
$prot = ( $namespace == 'System' ) ? 1 : 0; |
430 |
||
112
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
431 |
$ips = array( |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
432 |
'ip' => array(), |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
433 |
'u' => array() |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
434 |
); |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
435 |
|
21
663fcf528726
Updated all version numbers back to Banshee; a few preliminary steps towards full UTF-8 support in page URLs
Dan
parents:
19
diff
changeset
|
436 |
$page_data = Array( |
1 | 437 |
'name'=>$name, |
21
663fcf528726
Updated all version numbers back to Banshee; a few preliminary steps towards full UTF-8 support in page URLs
Dan
parents:
19
diff
changeset
|
438 |
'urlname'=>$page_id, |
1 | 439 |
'namespace'=>$namespace, |
112
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
440 |
'special'=>0,'visible'=>1,'comments_on'=>0,'protected'=>$prot,'delvotes'=>0,'delvote_ips'=>serialize($ips),'wiki_mode'=>2, |
21
663fcf528726
Updated all version numbers back to Banshee; a few preliminary steps towards full UTF-8 support in page URLs
Dan
parents:
19
diff
changeset
|
441 |
); |
663fcf528726
Updated all version numbers back to Banshee; a few preliminary steps towards full UTF-8 support in page URLs
Dan
parents:
19
diff
changeset
|
442 |
|
663fcf528726
Updated all version numbers back to Banshee; a few preliminary steps towards full UTF-8 support in page URLs
Dan
parents:
19
diff
changeset
|
443 |
// die('PageUtils::createpage: Creating page with this data:<pre>' . print_r($page_data, true) . '</pre>'); |
1 | 444 |
|
21
663fcf528726
Updated all version numbers back to Banshee; a few preliminary steps towards full UTF-8 support in page URLs
Dan
parents:
19
diff
changeset
|
445 |
$paths->add_page($page_data); |
663fcf528726
Updated all version numbers back to Banshee; a few preliminary steps towards full UTF-8 support in page URLs
Dan
parents:
19
diff
changeset
|
446 |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
447 |
$qa = $db->sql_query('INSERT INTO ' . table_prefix.'pages(name,urlname,namespace,visible,protected,delvote_ips) VALUES(\'' . $db->escape($name) . '\', \'' . $db->escape($page_id) . '\', \'' . $namespace . '\', '. ( $visible ? '1' : '0' ) .', ' . $prot . ', \'' . $db->escape(serialize($ips)) . '\');'); |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
448 |
$qb = $db->sql_query('INSERT INTO ' . table_prefix.'page_text(page_id,namespace) VALUES(\'' . $db->escape($page_id) . '\', \'' . $namespace . '\');'); |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
449 |
$qc = $db->sql_query('INSERT INTO ' . table_prefix.'logs(time_id,date_string,log_type,action,author,page_id,namespace) VALUES('.time().', \''.date('d M Y h:i a').'\', \'page\', \'create\', \'' . $session->username . '\', \'' . $db->escape($page_id) . '\', \'' . $namespace . '\');'); |
1 | 450 |
|
451 |
if($qa && $qb && $qc) |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
452 |
return 'good'; |
1 | 453 |
else |
454 |
{ |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
455 |
return $db->get_error(); |
1 | 456 |
} |
457 |
} |
|
458 |
||
459 |
/** |
|
460 |
* Sets the protection level on a page. |
|
461 |
* @param $page_id string the page ID |
|
462 |
* @param $namespace string the namespace |
|
463 |
* @param $level int level of protection - 0 is off, 1 is full, 2 is semi |
|
464 |
* @param $reason string why the page is being (un)protected |
|
465 |
* @return string - "good" on success, in all other cases, an error string (on query failure, calls $db->_die() ) |
|
466 |
*/ |
|
467 |
function protect($page_id, $namespace, $level, $reason) |
|
468 |
{ |
|
469 |
global $db, $session, $paths, $template, $plugins; // Common objects |
|
470 |
||
471 |
$pname = $paths->nslist[$namespace] . $page_id; |
|
472 |
$wiki = ( ( $paths->pages[$pname]['wiki_mode'] == 2 && getConfig('wiki_mode') == '1') || $paths->pages[$pname]['wiki_mode'] == 1) ? true : false; |
|
473 |
$prot = ( ( $paths->pages[$pname]['protected'] == 2 && $session->user_logged_in && $session->reg_time + 60*60*24*4 < time() ) || $paths->pages[$pname]['protected'] == 1) ? true : false; |
|
474 |
||
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
475 |
if ( !$session->get_permissions('protect') ) |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
476 |
{ |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
477 |
return('Insufficient access rights'); |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
478 |
} |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
479 |
if ( !$wiki ) |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
480 |
{ |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
481 |
return('Page protection only has an effect when Wiki Mode is enabled.'); |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
482 |
} |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
483 |
if ( !preg_match('#^([0-9]+){1}$#', (string)$level) ) |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
484 |
{ |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
485 |
return('Invalid $level parameter.'); |
1 | 486 |
} |
487 |
||
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
488 |
switch($level) |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
489 |
{ |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
490 |
case 0: |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
491 |
$q = 'INSERT INTO ' . table_prefix.'logs(time_id,date_string,log_type,action,author,page_id,namespace,edit_summary) VALUES('.time().', \''.date('d M Y h:i a').'\', \'page\', \'unprot\', \'' . $session->username . '\', \'' . $page_id . '\', \'' . $namespace . '\', \'' . $db->escape(htmlspecialchars($reason)) . '\');'; |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
492 |
break; |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
493 |
case 1: |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
494 |
$q = 'INSERT INTO ' . table_prefix.'logs(time_id,date_string,log_type,action,author,page_id,namespace,edit_summary) VALUES('.time().', \''.date('d M Y h:i a').'\', \'page\', \'prot\', \'' . $session->username . '\', \'' . $page_id . '\', \'' . $namespace . '\', \'' . $db->escape(htmlspecialchars($reason)) . '\');'; |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
495 |
break; |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
496 |
case 2: |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
497 |
$q = 'INSERT INTO ' . table_prefix.'logs(time_id,date_string,log_type,action,author,page_id,namespace,edit_summary) VALUES('.time().', \''.date('d M Y h:i a').'\', \'page\', \'semiprot\', \'' . $session->username . '\', \'' . $page_id . '\', \'' . $namespace . '\', \'' . $db->escape(htmlspecialchars($reason)) . '\');'; |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
498 |
break; |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
499 |
default: |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
500 |
return 'PageUtils::protect(): Invalid value for $level'; |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
501 |
break; |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
502 |
} |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
503 |
if(!$db->sql_query($q)) $db->_die('The log entry for the page protection could not be inserted.'); |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
504 |
|
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
505 |
$q = $db->sql_query('UPDATE ' . table_prefix.'pages SET protected=' . $level . ' WHERE urlname=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\';'); |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
506 |
if ( !$q ) |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
507 |
{ |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
508 |
$db->_die('The pages table was not updated.'); |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
509 |
} |
1 | 510 |
|
511 |
return('good'); |
|
512 |
} |
|
513 |
||
514 |
/** |
|
515 |
* Generates an HTML table with history information in it. |
|
516 |
* @param $page_id the page ID |
|
517 |
* @param $namespace the namespace |
|
518 |
* @return string |
|
519 |
*/ |
|
520 |
||
521 |
function histlist($page_id, $namespace) |
|
522 |
{ |
|
523 |
global $db, $session, $paths, $template, $plugins; // Common objects |
|
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
524 |
global $lang; |
1 | 525 |
|
526 |
if(!$session->get_permissions('history_view')) |
|
527 |
return 'Access denied'; |
|
528 |
||
529 |
ob_start(); |
|
530 |
||
531 |
$pname = $paths->nslist[$namespace] . $page_id; |
|
532 |
$wiki = ( ( $paths->pages[$pname]['wiki_mode'] == 2 && getConfig('wiki_mode') == '1') || $paths->pages[$pname]['wiki_mode'] == 1) ? true : false; |
|
533 |
$prot = ( ( $paths->pages[$pname]['protected'] == 2 && $session->user_logged_in && $session->reg_time + 60*60*24*4 < time() ) || $paths->pages[$pname]['protected'] == 1) ? true : false; |
|
534 |
||
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
535 |
$q = 'SELECT time_id,date_string,page_id,namespace,author,edit_summary,minor_edit FROM ' . table_prefix.'logs WHERE log_type=\'page\' AND action=\'edit\' AND page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' ORDER BY time_id DESC;'; |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
536 |
if(!$db->sql_query($q)) $db->_die('The history data for the page "' . $paths->cpage['name'] . '" could not be selected.'); |
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
537 |
echo $lang->get('history_page_subtitle') . ' |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
538 |
<h3>' . $lang->get('history_heading_edits') . '</h3>'; |
1 | 539 |
$numrows = $db->numrows(); |
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
540 |
if ( $numrows < 1 ) |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
541 |
{ |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
542 |
echo $lang->get('history_no_entries'); |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
543 |
} |
1 | 544 |
else |
545 |
{ |
|
546 |
echo '<form action="'.makeUrlNS($namespace, $page_id, 'do=diff').'" onsubmit="ajaxHistDiff(); return false;" method="get"> |
|
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
547 |
<input type="submit" value="' . $lang->get('history_btn_compare') . '" /> |
115
261f367623af
Fixed the obnoxious issue with forms using GET and index.php?title=Foo URL scheme (this works a whole lot better than MediaWiki now
Dan
parents:
112
diff
changeset
|
548 |
' . ( urlSeparator == '&' ? '<input type="hidden" name="title" value="' . htmlspecialchars($paths->nslist[$namespace] . $page_id) . '" />' : '' ) . ' |
261f367623af
Fixed the obnoxious issue with forms using GET and index.php?title=Foo URL scheme (this works a whole lot better than MediaWiki now
Dan
parents:
112
diff
changeset
|
549 |
' . ( $session->sid_super ? '<input type="hidden" name="auth" value="' . $session->sid_super . '" />' : '') . ' |
261f367623af
Fixed the obnoxious issue with forms using GET and index.php?title=Foo URL scheme (this works a whole lot better than MediaWiki now
Dan
parents:
112
diff
changeset
|
550 |
<input type="hidden" name="do" value="diff" /> |
1 | 551 |
<br /><span> </span> |
552 |
<div class="tblholder"> |
|
553 |
<table border="0" width="100%" cellspacing="1" cellpadding="4"> |
|
554 |
<tr> |
|
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
555 |
<th colspan="2">' . $lang->get('history_col_diff') . '</th> |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
556 |
<th>' . $lang->get('history_col_datetime') . '</th> |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
557 |
<th>' . $lang->get('history_col_user') . '</th> |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
558 |
<th>' . $lang->get('history_col_summary') . '</th> |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
559 |
<th>' . $lang->get('history_col_minor') . '</th> |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
560 |
<th colspan="3">' . $lang->get('history_col_actions') . '</th> |
1 | 561 |
</tr>'."\n"."\n"; |
562 |
$cls = 'row2'; |
|
563 |
$ticker = 0; |
|
564 |
||
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
565 |
while ( $r = $db->fetchrow() ) |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
566 |
{ |
1 | 567 |
|
568 |
$ticker++; |
|
569 |
||
570 |
if($cls == 'row2') $cls = 'row1'; |
|
571 |
else $cls = 'row2'; |
|
572 |
||
573 |
echo '<tr>'."\n"; |
|
574 |
||
575 |
// Diff selection |
|
576 |
if($ticker == 1) |
|
577 |
{ |
|
578 |
$s1 = ''; |
|
579 |
$s2 = 'checked="checked" '; |
|
580 |
} |
|
581 |
elseif($ticker == 2) |
|
582 |
{ |
|
583 |
$s1 = 'checked="checked" '; |
|
584 |
$s2 = ''; |
|
585 |
} |
|
586 |
else |
|
587 |
{ |
|
588 |
$s1 = ''; |
|
589 |
$s2 = ''; |
|
590 |
} |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
591 |
if($ticker > 1) echo '<td class="' . $cls . '" style="padding: 0;"><input ' . $s1 . 'name="diff1" type="radio" value="' . $r['time_id'] . '" id="diff1_' . $r['time_id'] . '" class="clsDiff1Radio" onclick="selectDiff1Button(this);" /></td>'."\n"; else echo '<td class="' . $cls . '"></td>'; |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
592 |
if($ticker < $numrows) echo '<td class="' . $cls . '" style="padding: 0;"><input ' . $s2 . 'name="diff2" type="radio" value="' . $r['time_id'] . '" id="diff2_' . $r['time_id'] . '" class="clsDiff2Radio" onclick="selectDiff2Button(this);" /></td>'."\n"; else echo '<td class="' . $cls . '"></td>'; |
1 | 593 |
|
594 |
// Date and time |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
595 |
echo '<td class="' . $cls . '">' . $r['date_string'] . '</td class="' . $cls . '">'."\n"; |
1 | 596 |
|
597 |
// User |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
598 |
if ( $session->get_permissions('mod_misc') && is_valid_ip($r['author']) ) |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
599 |
{ |
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
600 |
$rc = ' style="cursor: pointer;" title="' . $lang->get('history_tip_rdns') . '" onclick="ajaxReverseDNS(this, \'' . $r['author'] . '\');"'; |
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
601 |
} |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
602 |
else |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
603 |
{ |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
604 |
$rc = ''; |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
605 |
} |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
606 |
echo '<td class="' . $cls . '"' . $rc . '><a href="'.makeUrlNS('User', $r['author']).'" '; |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
607 |
if ( !isPage($paths->nslist['User'] . $r['author']) ) |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
608 |
{ |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
609 |
echo 'class="wikilink-nonexistent"'; |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
610 |
} |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
611 |
echo '>' . $r['author'] . '</a></td class="' . $cls . '">'."\n"; |
1 | 612 |
|
613 |
// Edit summary |
|
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
614 |
if ( $r['edit_summary'] == 'Automatic backup created when logs were purged' ) |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
615 |
{ |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
616 |
$r['edit_summary'] = $lang->get('history_summary_clearlogs'); |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
617 |
} |
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
618 |
echo '<td class="' . $cls . '">' . $r['edit_summary'] . '</td>'."\n"; |
1 | 619 |
|
620 |
// Minor edit |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
621 |
echo '<td class="' . $cls . '" style="text-align: center;">'. (( $r['minor_edit'] ) ? 'M' : '' ) .'</td>'."\n"; |
1 | 622 |
|
623 |
// Actions! |
|
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
624 |
echo '<td class="' . $cls . '" style="text-align: center;"><a href="'.makeUrlNS($namespace, $page_id, 'oldid=' . $r['time_id']) . '" onclick="ajaxHistView(\'' . $r['time_id'] . '\'); return false;">' . $lang->get('history_action_view') . '</a></td>'."\n"; |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
625 |
echo '<td class="' . $cls . '" style="text-align: center;"><a href="'.makeUrl($paths->nslist['Special'].'Contributions/' . $r['author']) . '">' . $lang->get('history_action_contrib') . '</a></td>'."\n"; |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
626 |
echo '<td class="' . $cls . '" style="text-align: center;"><a href="'.makeUrlNS($namespace, $page_id, 'do=rollback&id=' . $r['time_id']) . '" onclick="ajaxRollback(\'' . $r['time_id'] . '\'); return false;">' . $lang->get('history_action_restore') . '</a></td>'."\n"; |
1 | 627 |
|
628 |
echo '</tr>'."\n"."\n"; |
|
629 |
||
630 |
} |
|
631 |
echo '</table> |
|
632 |
</div> |
|
633 |
<br /> |
|
634 |
<input type="hidden" name="do" value="diff" /> |
|
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
635 |
<input type="submit" value="' . $lang->get('history_btn_compare') . '" /> |
1 | 636 |
</form> |
57
b354deeaa4c4
Vastly improved compatibility with older versions of IE, particularly 5.0, through the use of a kill switch that turns off all AJAX functions
Dan
parents:
40
diff
changeset
|
637 |
<script type="text/javascript">if ( !KILL_SWITCH ) { buildDiffList(); }</script>'; |
1 | 638 |
} |
639 |
$db->free_result(); |
|
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
640 |
echo '<h3>' . $lang->get('history_heading_other') . '</h3>'; |
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
641 |
$q = 'SELECT time_id,action,date_string,page_id,namespace,author,edit_summary,minor_edit FROM ' . table_prefix.'logs WHERE log_type=\'page\' AND action!=\'edit\' AND page_id=\'' . $paths->cpage['urlname_nons'] . '\' AND namespace=\'' . $paths->namespace . '\' ORDER BY time_id DESC;'; |
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
642 |
if ( !$db->sql_query($q) ) |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
643 |
{ |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
644 |
$db->_die('The history data for the page "' . htmlspecialchars($paths->cpage['name']) . '" could not be selected.'); |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
645 |
} |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
646 |
if ( $db->numrows() < 1 ) |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
647 |
{ |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
648 |
echo $lang->get('history_no_entries'); |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
649 |
} |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
650 |
else |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
651 |
{ |
1 | 652 |
|
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
653 |
echo '<div class="tblholder"> |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
654 |
<table border="0" width="100%" cellspacing="1" cellpadding="4"><tr> |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
655 |
<th>' . $lang->get('history_col_datetime') . '</th> |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
656 |
<th>' . $lang->get('history_col_user') . '</th> |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
657 |
<th>' . $lang->get('history_col_minor') . '</th> |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
658 |
<th>' . $lang->get('history_col_action_taken') . '</th> |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
659 |
<th>' . $lang->get('history_col_extra') . '</th> |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
660 |
<th colspan="2"></th> |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
661 |
</tr>'; |
1 | 662 |
$cls = 'row2'; |
663 |
while($r = $db->fetchrow()) { |
|
664 |
||
665 |
if($cls == 'row2') $cls = 'row1'; |
|
666 |
else $cls = 'row2'; |
|
667 |
||
668 |
echo '<tr>'; |
|
669 |
||
670 |
// Date and time |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
671 |
echo '<td class="' . $cls . '">' . $r['date_string'] . '</td class="' . $cls . '">'; |
1 | 672 |
|
673 |
// User |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
674 |
echo '<td class="' . $cls . '"><a href="'.makeUrlNS('User', $r['author']).'" '; |
1 | 675 |
if(!isPage($paths->nslist['User'] . $r['author'])) echo 'class="wikilink-nonexistent"'; |
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
676 |
echo '>' . $r['author'] . '</a></td class="' . $cls . '">'; |
1 | 677 |
|
678 |
||
679 |
// Minor edit |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
680 |
echo '<td class="' . $cls . '" style="text-align: center;">'. (( $r['minor_edit'] ) ? 'M' : '' ) .'</td>'; |
1 | 681 |
|
682 |
// Action taken |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
683 |
echo '<td class="' . $cls . '">'; |
81
d7fc25acd3f3
Replaced the menu in the admin theme with something much more visually pleasureable; minor fix in Special:UploadFile; finished patching a couple of XSS problems from Banshee; finished Admin:PageGroups; removed unneeded code in flyin.js; finished tag system (except tag cloud); 1.0.1 release candidate
Dan
parents:
78
diff
changeset
|
684 |
// Some of these are sanitized at insert-time. Others follow the newer Enano policy of stripping HTML at runtime. |
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
685 |
if ($r['action']=='prot') echo $lang->get('history_log_protect') . '</td><td class="' . $cls . '">' . $lang->get('history_extra_reason') . ' ' . $r['edit_summary']; |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
686 |
elseif($r['action']=='unprot') echo $lang->get('history_log_unprotect') . '</td><td class="' . $cls . '">' . $lang->get('history_extra_reason') . ' ' . $r['edit_summary']; |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
687 |
elseif($r['action']=='semiprot') echo $lang->get('history_log_semiprotect') . '</td><td class="' . $cls . '">' . $lang->get('history_extra_reason') . ' ' . $r['edit_summary']; |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
688 |
elseif($r['action']=='rename') echo $lang->get('history_log_rename') . '</td><td class="' . $cls . '">' . $lang->get('history_extra_oldtitle') . ' '.htmlspecialchars($r['edit_summary']); |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
689 |
elseif($r['action']=='create') echo $lang->get('history_log_create') . '</td><td class="' . $cls . '">'; |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
690 |
elseif($r['action']=='delete') echo $lang->get('history_log_delete') . '</td><td class="' . $cls . '">' . $lang->get('history_extra_reason') . ' ' . $r['edit_summary']; |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
691 |
elseif($r['action']=='reupload') echo $lang->get('history_log_uploadnew') . '</td><td class="' . $cls . '">' . $lang->get('history_extra_reason') . ' '.htmlspecialchars($r['edit_summary']); |
1 | 692 |
echo '</td>'; |
693 |
||
694 |
// Actions! |
|
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
695 |
echo '<td class="' . $cls . '" style="text-align: center;"><a href="'.makeUrl($paths->nslist['Special'].'Contributions/' . $r['author']) . '">' . $lang->get('history_action_contrib') . '</a></td>'; |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
696 |
echo '<td class="' . $cls . '" style="text-align: center;"><a href="'.makeUrlNS($namespace, $page_id, 'do=rollback&id=' . $r['time_id']) . '" onclick="ajaxRollback(\'' . $r['time_id'] . '\'); return false;">' . $lang->get('history_action_revert') . '</a></td>'; |
1 | 697 |
|
698 |
echo '</tr>'; |
|
699 |
} |
|
700 |
echo '</table></div>'; |
|
701 |
} |
|
702 |
$db->free_result(); |
|
703 |
$ret = ob_get_contents(); |
|
704 |
ob_end_clean(); |
|
705 |
return $ret; |
|
706 |
} |
|
707 |
||
708 |
/** |
|
709 |
* Rolls back a logged action |
|
710 |
* @param $id the time ID, a.k.a. the primary key in the logs table |
|
711 |
* @return string |
|
712 |
*/ |
|
713 |
||
714 |
function rollback($id) |
|
715 |
{ |
|
716 |
global $db, $session, $paths, $template, $plugins; // Common objects |
|
158 | 717 |
if ( !$session->get_permissions('history_rollback') ) |
718 |
{ |
|
719 |
return('You are not authorized to perform rollbacks.'); |
|
720 |
} |
|
721 |
if ( !preg_match('#^([0-9]+)$#', (string)$id) ) |
|
722 |
{ |
|
723 |
return('The value "id" on the query string must be an integer.'); |
|
724 |
} |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
725 |
$e = $db->sql_query('SELECT log_type,action,date_string,page_id,namespace,page_text,char_tag,author,edit_summary FROM ' . table_prefix.'logs WHERE time_id=' . $id . ';'); |
158 | 726 |
if ( !$e ) |
727 |
{ |
|
728 |
$db->_die('The rollback data could not be selected.'); |
|
729 |
} |
|
1 | 730 |
$rb = $db->fetchrow(); |
731 |
$db->free_result(); |
|
158 | 732 |
|
733 |
if ( $rb['log_type'] == 'page' && $rb['action'] != 'delete' ) |
|
734 |
{ |
|
735 |
$pagekey = $paths->nslist[$rb['namespace']] . $rb['page_id']; |
|
736 |
if ( !isset($paths->pages[$pagekey]) ) |
|
737 |
{ |
|
738 |
return "Page doesn't exist"; |
|
739 |
} |
|
740 |
$pagedata =& $paths->pages[$pagekey]; |
|
741 |
$protected = false; |
|
742 |
// Special case: is the page protected? if so, check for even_when_protected permissions |
|
743 |
if($pagedata['protected'] == 2) |
|
744 |
{ |
|
745 |
// The page is semi-protected, determine permissions |
|
746 |
if($session->user_logged_in && $session->reg_time + 60*60*24*4 < time()) |
|
747 |
{ |
|
748 |
$protected = false; |
|
749 |
} |
|
750 |
else |
|
751 |
{ |
|
752 |
$protected = true; |
|
753 |
} |
|
754 |
} |
|
755 |
else |
|
756 |
{ |
|
757 |
$protected = ( $pagedata['protected'] == 1 ); |
|
758 |
} |
|
759 |
||
760 |
$perms = $session->fetch_page_acl($rb['page_id'], $rb['namespace']); |
|
761 |
||
762 |
if ( $protected && !$perms->get_permissions('even_when_protected') ) |
|
763 |
{ |
|
764 |
return "Because this page is protected, you need moderator rights to roll back changes."; |
|
765 |
} |
|
766 |
} |
|
767 |
else |
|
768 |
{ |
|
769 |
$perms =& $session; |
|
770 |
} |
|
771 |
||
772 |
switch($rb['log_type']) |
|
773 |
{ |
|
1 | 774 |
case "page": |
158 | 775 |
switch($rb['action']) |
776 |
{ |
|
1 | 777 |
case "edit": |
158 | 778 |
if ( !$perms->get_permissions('edit_page') ) |
779 |
return "You don't have permission to edit pages, so rolling back edits can't be allowed either."; |
|
1 | 780 |
$t = $db->escape($rb['page_text']); |
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
781 |
$e = $db->sql_query('UPDATE ' . table_prefix.'page_text SET page_text=\'' . $t . '\',char_tag=\'' . $rb['char_tag'] . '\' WHERE page_id=\'' . $rb['page_id'] . '\' AND namespace=\'' . $rb['namespace'] . '\''); |
158 | 782 |
if ( !$e ) |
783 |
{ |
|
784 |
return("An error occurred during the rollback operation.\nMySQL said: ".mysql_error()."\n\nSQL backtrace:\n".$db->sql_backtrace()); |
|
785 |
} |
|
786 |
else |
|
787 |
{ |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
788 |
return 'The page "' . $paths->pages[$paths->nslist[$rb['namespace']].$rb['page_id']]['name'].'" has been rolled back to the state it was in on ' . $rb['date_string'] . '.'; |
158 | 789 |
} |
1 | 790 |
break; |
791 |
case "rename": |
|
158 | 792 |
if ( !$perms->get_permissions('rename') ) |
793 |
return "You don't have permission to rename pages, so rolling back renames can't be allowed either."; |
|
1 | 794 |
$t = $db->escape($rb['edit_summary']); |
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
795 |
$e = $db->sql_query('UPDATE ' . table_prefix.'pages SET name=\'' . $t . '\' WHERE urlname=\'' . $rb['page_id'] . '\' AND namespace=\'' . $rb['namespace'] . '\''); |
158 | 796 |
if ( !$e ) |
797 |
{ |
|
798 |
return "An error occurred during the rollback operation.\nMySQL said: ".mysql_error()."\n\nSQL backtrace:\n".$db->sql_backtrace(); |
|
799 |
} |
|
800 |
else |
|
801 |
{ |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
802 |
return 'The page "' . $paths->pages[$paths->nslist[$rb['namespace']].$rb['page_id']]['name'].'" has been rolled back to the name it had ("' . $rb['edit_summary'] . '") before ' . $rb['date_string'] . '.'; |
158 | 803 |
} |
1 | 804 |
break; |
805 |
case "prot": |
|
158 | 806 |
if ( !$perms->get_permissions('protect') ) |
807 |
return "You don't have permission to protect pages, so rolling back protection can't be allowed either."; |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
808 |
$e = $db->sql_query('UPDATE ' . table_prefix.'pages SET protected=0 WHERE urlname=\'' . $rb['page_id'] . '\' AND namespace=\'' . $rb['namespace'] . '\''); |
158 | 809 |
if ( !$e ) |
810 |
return "An error occurred during the rollback operation.\nMySQL said: ".mysql_error()."\n\nSQL backtrace:\n".$db->sql_backtrace(); |
|
811 |
else |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
812 |
return 'The page "' . $paths->pages[$paths->nslist[$rb['namespace']].$rb['page_id']]['name'].'" has been unprotected according to the log created at ' . $rb['date_string'] . '.'; |
1 | 813 |
break; |
814 |
case "semiprot": |
|
158 | 815 |
if ( !$perms->get_permissions('protect') ) |
816 |
return "You don't have permission to protect pages, so rolling back protection can't be allowed either."; |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
817 |
$e = $db->sql_query('UPDATE ' . table_prefix.'pages SET protected=0 WHERE urlname=\'' . $rb['page_id'] . '\' AND namespace=\'' . $rb['namespace'] . '\''); |
158 | 818 |
if ( !$e ) |
819 |
return "An error occurred during the rollback operation.\nMySQL said: ".mysql_error()."\n\nSQL backtrace:\n".$db->sql_backtrace(); |
|
820 |
else |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
821 |
return 'The page "' . $paths->pages[$paths->nslist[$rb['namespace']].$rb['page_id']]['name'].'" has been unprotected according to the log created at ' . $rb['date_string'] . '.'; |
1 | 822 |
break; |
823 |
case "unprot": |
|
158 | 824 |
if ( !$perms->get_permissions('protect') ) |
825 |
return "You don't have permission to protect pages, so rolling back protection can't be allowed either."; |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
826 |
$e = $db->sql_query('UPDATE ' . table_prefix.'pages SET protected=1 WHERE urlname=\'' . $rb['page_id'] . '\' AND namespace=\'' . $rb['namespace'] . '\''); |
158 | 827 |
if ( !$e ) |
828 |
return "An error occurred during the rollback operation.\nMySQL said: ".mysql_error()."\n\nSQL backtrace:\n".$db->sql_backtrace(); |
|
829 |
else |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
830 |
return 'The page "' . $paths->pages[$paths->nslist[$rb['namespace']].$rb['page_id']]['name'].'" has been protected according to the log created at ' . $rb['date_string'] . '.'; |
1 | 831 |
break; |
832 |
case "delete": |
|
158 | 833 |
if ( !$perms->get_permissions('history_rollback_extra') ) |
834 |
return 'Administrative privileges are required for page undeletion.'; |
|
835 |
if ( isset($paths->pages[$paths->cpage['urlname']]) ) |
|
836 |
return 'You cannot raise a dead page that is alive.'; |
|
1 | 837 |
$name = str_replace('_', ' ', $rb['page_id']); |
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
838 |
$e = $db->sql_query('INSERT INTO ' . table_prefix.'pages(name,urlname,namespace) VALUES( \'' . $name . '\', \'' . $rb['page_id'] . '\',\'' . $rb['namespace'] . '\' )');if(!$e) return("An error occurred during the rollback operation.\nMySQL said: ".mysql_error()."\n\nSQL backtrace:\n".$db->sql_backtrace()); |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
839 |
$e = $db->sql_query('SELECT page_text,char_tag FROM ' . table_prefix.'logs WHERE page_id=\'' . $rb['page_id'] . '\' AND namespace=\'' . $rb['namespace'] . '\' AND log_type=\'page\' AND action=\'edit\' ORDER BY time_id DESC;'); if(!$e) return("An error occurred during the rollback operation.\nMySQL said: ".mysql_error()."\n\nSQL backtrace:\n".$db->sql_backtrace()); |
1 | 840 |
$r = $db->fetchrow(); |
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
841 |
$e = $db->sql_query('INSERT INTO ' . table_prefix.'page_text(page_id,namespace,page_text,char_tag) VALUES(\'' . $rb['page_id'] . '\',\'' . $rb['namespace'] . '\',\'' . $db->escape($r['page_text']) . '\',\'' . $r['char_tag'] . '\')'); if(!$e) return("An error occurred during the rollback operation.\nMySQL said: ".mysql_error()."\n\nSQL backtrace:\n".$db->sql_backtrace()); |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
842 |
return 'The page "' . $name . '" has been undeleted according to the log created at ' . $rb['date_string'] . '.'; |
1 | 843 |
break; |
844 |
case "reupload": |
|
158 | 845 |
if ( !$session->get_permissions('history_rollbacks_extra') ) |
846 |
{ |
|
847 |
return 'Administrative privileges are required for file rollbacks.'; |
|
848 |
} |
|
1 | 849 |
$newtime = time(); |
850 |
$newdate = date('d M Y h:i a'); |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
851 |
if(!$db->sql_query('UPDATE ' . table_prefix.'logs SET time_id=' . $newtime . ',date_string=\'' . $newdate . '\' WHERE time_id=' . $id)) |
158 | 852 |
return 'Error during query: '.mysql_error(); |
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
853 |
if(!$db->sql_query('UPDATE ' . table_prefix.'files SET time_id=' . $newtime . ' WHERE time_id=' . $id)) |
158 | 854 |
return 'Error during query: '.mysql_error(); |
855 |
return 'The file has been rolled back to the version uploaded on '.date('d M Y h:i a', (int)$id).'.'; |
|
1 | 856 |
break; |
857 |
default: |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
858 |
return('Rollback of the action "' . $rb['action'] . '" is not yet supported.'); |
1 | 859 |
break; |
860 |
} |
|
861 |
break; |
|
862 |
case "security": |
|
863 |
case "login": |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
864 |
return('A ' . $rb['log_type'] . '-related log entry cannot be rolled back.'); |
1 | 865 |
break; |
866 |
default: |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
867 |
return('Unknown log entry type: "' . $rb['log_type'] . '"'); |
1 | 868 |
} |
869 |
} |
|
870 |
||
871 |
/** |
|
872 |
* Posts a comment. |
|
873 |
* @param $page_id the page ID |
|
874 |
* @param $namespace the namespace |
|
875 |
* @param $name the name of the person posting, defaults to current username/IP |
|
876 |
* @param $subject the subject line of the comment |
|
877 |
* @param $text the comment text |
|
878 |
* @return string javascript code |
|
879 |
*/ |
|
880 |
||
881 |
function addcomment($page_id, $namespace, $name, $subject, $text, $captcha_code = false, $captcha_id = false) |
|
882 |
{ |
|
883 |
global $db, $session, $paths, $template, $plugins; // Common objects |
|
884 |
$_ob = ''; |
|
885 |
if(!$session->get_permissions('post_comments')) |
|
886 |
return 'Access denied'; |
|
887 |
if(getConfig('comments_need_login') == '2' && !$session->user_logged_in) _die('Access denied to post comments: you need to be logged in first.'); |
|
888 |
if(getConfig('comments_need_login') == '1' && !$session->user_logged_in) |
|
889 |
{ |
|
890 |
if(!$captcha_code || !$captcha_id) _die('BUG: PageUtils::addcomment: no CAPTCHA data passed to method'); |
|
891 |
$result = $session->get_captcha($captcha_id); |
|
892 |
if($captcha_code != $result) _die('The confirmation code you entered was incorrect.'); |
|
893 |
} |
|
894 |
$text = RenderMan::preprocess_text($text); |
|
895 |
$name = $session->user_logged_in ? RenderMan::preprocess_text($session->username) : RenderMan::preprocess_text($name); |
|
896 |
$subj = RenderMan::preprocess_text($subject); |
|
897 |
if(getConfig('approve_comments')=='1') $appr = '0'; else $appr = '1'; |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
898 |
$q = 'INSERT INTO ' . table_prefix.'comments(page_id,namespace,subject,comment_data,name,user_id,approved,time) VALUES(\'' . $page_id . '\',\'' . $namespace . '\',\'' . $subj . '\',\'' . $text . '\',\'' . $name . '\',' . $session->user_id . ',' . $appr . ','.time().')'; |
1 | 899 |
$e = $db->sql_query($q); |
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
900 |
if(!$e) die('alert(unescape(\''.rawurlencode('Error inserting comment data: '.mysql_error().'\n\nQuery:\n' . $q) . '\'))'); |
1 | 901 |
else $_ob .= '<div class="info-box">Your comment has been posted.</div>'; |
902 |
return PageUtils::comments($page_id, $namespace, false, Array(), $_ob); |
|
903 |
} |
|
904 |
||
905 |
/** |
|
906 |
* Generates partly-compiled HTML/Javascript code to be eval'ed by the user's browser to display comments |
|
907 |
* @param $page_id the page ID |
|
908 |
* @param $namespace the namespace |
|
909 |
* @param $action administrative action to perform, default is false |
|
910 |
* @param $flags additional info for $action, shouldn't be used except when deleting/approving comments, etc. |
|
911 |
* @param $_ob text to prepend to output, used by PageUtils::addcomment |
|
912 |
* @return array |
|
913 |
* @access private |
|
914 |
*/ |
|
915 |
||
916 |
function comments_raw($page_id, $namespace, $action = false, $flags = Array(), $_ob = '') |
|
917 |
{ |
|
918 |
global $db, $session, $paths, $template, $plugins; // Common objects |
|
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
919 |
global $lang; |
1 | 920 |
|
921 |
$pname = $paths->nslist[$namespace] . $page_id; |
|
922 |
||
923 |
ob_start(); |
|
924 |
||
925 |
if($action && $session->get_permissions('mod_comments')) // Nip hacking attempts in the bud |
|
926 |
{ |
|
927 |
switch($action) { |
|
928 |
case "delete": |
|
929 |
if(isset($flags['id'])) |
|
930 |
{ |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
931 |
$q = 'DELETE FROM ' . table_prefix.'comments WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND comment_id='.intval($flags['id']).' LIMIT 1;'; |
1 | 932 |
} else { |
933 |
$n = $db->escape($flags['name']); |
|
934 |
$s = $db->escape($flags['subj']); |
|
935 |
$t = $db->escape($flags['text']); |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
936 |
$q = 'DELETE FROM ' . table_prefix.'comments WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND name=\'' . $n . '\' AND subject=\'' . $s . '\' AND comment_data=\'' . $t . '\' LIMIT 1;'; |
1 | 937 |
} |
938 |
$e=$db->sql_query($q); |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
939 |
if(!$e) die('alert(unesape(\''.rawurlencode('Error during query: '.mysql_error().'\n\nQuery:\n' . $q) . '\'));'); |
1 | 940 |
break; |
941 |
case "approve": |
|
942 |
if(isset($flags['id'])) |
|
943 |
{ |
|
944 |
$where = 'comment_id='.intval($flags['id']); |
|
945 |
} else { |
|
946 |
$n = $db->escape($flags['name']); |
|
947 |
$s = $db->escape($flags['subj']); |
|
948 |
$t = $db->escape($flags['text']); |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
949 |
$where = 'name=\'' . $n . '\' AND subject=\'' . $s . '\' AND comment_data=\'' . $t . '\''; |
1 | 950 |
} |
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
951 |
$q = 'SELECT approved FROM ' . table_prefix.'comments WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND ' . $where . ' LIMIT 1;'; |
1 | 952 |
$e = $db->sql_query($q); |
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
953 |
if(!$e) die('alert(unesape(\''.rawurlencode('Error selecting approval status: '.mysql_error().'\n\nQuery:\n' . $q) . '\'));'); |
1 | 954 |
$r = $db->fetchrow(); |
955 |
$db->free_result(); |
|
956 |
$a = ( $r['approved'] ) ? '0' : '1'; |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
957 |
$q = 'UPDATE ' . table_prefix.'comments SET approved=' . $a . ' WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND ' . $where . ';'; |
1 | 958 |
$e=$db->sql_query($q); |
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
959 |
if(!$e) die('alert(unesape(\''.rawurlencode('Error during query: '.mysql_error().'\n\nQuery:\n' . $q) . '\'));'); |
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
960 |
if($a=='1') $v = $lang->get('comment_btn_mod_unapprove'); |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
961 |
else $v = $lang->get('comment_btn_mod_approve'); |
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
962 |
echo 'document.getElementById("mdgApproveLink'.intval($_GET['id']).'").innerHTML="' . $v . '";'; |
1 | 963 |
break; |
964 |
} |
|
965 |
} |
|
966 |
||
967 |
if(!defined('ENANO_TEMPLATE_LOADED')) |
|
968 |
{ |
|
969 |
$template->load_theme($session->theme, $session->style); |
|
970 |
} |
|
971 |
||
972 |
$tpl = $template->makeParser('comment.tpl'); |
|
973 |
||
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
974 |
$e = $db->sql_query('SELECT * FROM ' . table_prefix.'comments WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND approved=0;'); |
1 | 975 |
if(!$e) $db->_die('The comment text data could not be selected.'); |
976 |
$num_unapp = $db->numrows(); |
|
977 |
$db->free_result(); |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
978 |
$e = $db->sql_query('SELECT * FROM ' . table_prefix.'comments WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND approved=1;'); |
1 | 979 |
if(!$e) $db->_die('The comment text data could not be selected.'); |
980 |
$num_app = $db->numrows(); |
|
981 |
$db->free_result(); |
|
982 |
$lq = $db->sql_query('SELECT c.comment_id,c.subject,c.name,c.comment_data,c.approved,c.time,c.user_id,u.user_level,u.signature |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
983 |
FROM ' . table_prefix.'comments AS c |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
984 |
LEFT JOIN ' . table_prefix.'users AS u |
1 | 985 |
ON c.user_id=u.user_id |
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
986 |
WHERE page_id=\'' . $page_id . '\' |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
987 |
AND namespace=\'' . $namespace . '\' ORDER BY c.time ASC;'); |
1 | 988 |
if(!$lq) _die('The comment text data could not be selected. '.mysql_error()); |
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
989 |
$_ob .= '<h3>' . $lang->get('comment_heading') . '</h3>'; |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
990 |
|
1 | 991 |
$n = ( $session->get_permissions('mod_comments')) ? $db->numrows() : $num_app; |
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
992 |
|
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
993 |
$subst = array( |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
994 |
'num_comments' => $n, |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
995 |
'page_type' => '<FIXME> whatever' |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
996 |
); |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
997 |
|
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
998 |
$_ob .= '<p>'; |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
999 |
$_ob .= ( $n == 0 ) ? $lang->get('comment_msg_count_zero', $subst) : ( $n == 1 ? $lang->get('comment_msg_count_one', $subst) : $lang->get('comment_msg_count_plural', $subst) ); |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1000 |
|
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1001 |
if ( $session->get_permissions('mod_comments') && $num_unapp > 0 ) |
1 | 1002 |
{ |
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1003 |
$_ob .= ' <span style="color: #D84308">' . $lang->get('comment_msg_count_unapp_mod', array( 'num_unapp' => $num_unapp )) . '</span>'; |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1004 |
} |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1005 |
else if ( !$session->get_permissions('mod_comments') && $num_unapp > 0 ) |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1006 |
{ |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1007 |
$ls = ( $num_unapp == 1 ) ? 'comment_msg_count_unapp_one' : 'comment_msg_count_unapp_plural'; |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1008 |
$_ob .= ' <span>' . $lang->get($ls, array( 'num_unapp' => $num_unapp )) . '</span>'; |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1009 |
} |
78
4df25dfdde63
Modified Text_Wiki parser to fully support UTF-8 strings; several other UTF-8 fixes, international characters seem to work reasonably well now
Dan
parents:
73
diff
changeset
|
1010 |
$_ob .= '</p>'; |
1 | 1011 |
$list = 'list = { '; |
1012 |
// _die(htmlspecialchars($ttext)); |
|
1013 |
$i = -1; |
|
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1014 |
while ( $row = $db->fetchrow($lq) ) |
1 | 1015 |
{ |
1016 |
$i++; |
|
1017 |
$strings = Array(); |
|
1018 |
$bool = Array(); |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1019 |
if ( $session->get_permissions('mod_comments') || $row['approved'] ) |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1020 |
{ |
1 | 1021 |
$list .= $i . ' : { \'comment\' : unescape(\''.rawurlencode($row['comment_data']).'\'), \'name\' : unescape(\''.rawurlencode($row['name']).'\'), \'subject\' : unescape(\''.rawurlencode($row['subject']).'\'), }, '; |
1022 |
||
1023 |
// Comment ID (used in the Javascript apps) |
|
1024 |
$strings['ID'] = (string)$i; |
|
1025 |
||
1026 |
// Determine the name, and whether to link to the user page or not |
|
1027 |
$name = ''; |
|
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1028 |
if($row['user_id'] > 1) $name .= '<a href="'.makeUrlNS('User', str_replace(' ', '_', $row['name'])).'">'; |
1 | 1029 |
$name .= $row['name']; |
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1030 |
if($row['user_id'] > 1) $name .= '</a>'; |
1 | 1031 |
$strings['NAME'] = $name; unset($name); |
1032 |
||
1033 |
// Subject |
|
1034 |
$s = $row['subject']; |
|
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1035 |
if(!$row['approved']) $s .= ' <span style="color: #D84308">' . $lang->get('comment_msg_note_unapp') . '</span>'; |
1 | 1036 |
$strings['SUBJECT'] = $s; |
1037 |
||
1038 |
// Date and time |
|
1039 |
$strings['DATETIME'] = date('F d, Y h:i a', $row['time']); |
|
1040 |
||
1041 |
// User level |
|
1042 |
switch($row['user_level']) |
|
1043 |
{ |
|
1044 |
default: |
|
1045 |
case USER_LEVEL_GUEST: |
|
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1046 |
$l = $lang->get('user_type_guest'); |
1 | 1047 |
break; |
1048 |
case USER_LEVEL_MEMBER: |
|
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1049 |
case USER_LEVEL_CHPREF: |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1050 |
$l = $lang->get('user_type_member'); |
1 | 1051 |
break; |
1052 |
case USER_LEVEL_MOD: |
|
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1053 |
$l = $lang->get('user_type_mod'); |
1 | 1054 |
break; |
1055 |
case USER_LEVEL_ADMIN: |
|
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1056 |
$l = $lang->get('user_type_admin'); |
1 | 1057 |
break; |
1058 |
} |
|
1059 |
$strings['USER_LEVEL'] = $l; unset($l); |
|
1060 |
||
1061 |
// The actual comment data |
|
1062 |
$strings['DATA'] = RenderMan::render($row['comment_data']); |
|
1063 |
||
1064 |
if($session->get_permissions('edit_comments')) |
|
1065 |
{ |
|
1066 |
// Edit link |
|
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1067 |
$strings['EDIT_LINK'] = '<a href="'.makeUrlNS($namespace, $page_id, 'do=comments&sub=editcomment&id=' . $row['comment_id']) . '" id="editbtn_' . $i . '">' . $lang->get('comment_btn_edit') . '</a>'; |
1 | 1068 |
|
1069 |
// Delete link |
|
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1070 |
$strings['DELETE_LINK'] = '<a href="'.makeUrlNS($namespace, $page_id, 'do=comments&sub=deletecomment&id=' . $row['comment_id']) . '">' . $lang->get('comment_btn_delete') . '</a>'; |
1 | 1071 |
} |
1072 |
else |
|
1073 |
{ |
|
1074 |
// Edit link |
|
1075 |
$strings['EDIT_LINK'] = ''; |
|
1076 |
||
1077 |
// Delete link |
|
1078 |
$strings['DELETE_LINK'] = ''; |
|
1079 |
} |
|
1080 |
||
1081 |
// Send PM link |
|
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1082 |
$strings['SEND_PM_LINK'] = ( $session->user_logged_in && $row['user_id'] > 1 ) ? '<a href="'.makeUrlNS('Special', 'PrivateMessages/Compose/To/' . $row['name']) . '">' . $lang->get('comment_btn_send_privmsg') . '</a><br />' : ''; |
1 | 1083 |
|
1084 |
// Add Buddy link |
|
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1085 |
$strings['ADD_BUDDY_LINK'] = ( $session->user_logged_in && $row['user_id'] > 1 ) ? '<a href="'.makeUrlNS('Special', 'PrivateMessages/FriendList/Add/' . $row['name']) . '">' . $lang->get('comment_btn_add_buddy') . '</a>' : ''; |
1 | 1086 |
|
1087 |
// Mod links |
|
1088 |
$applink = ''; |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1089 |
$applink .= '<a href="'.makeUrlNS($namespace, $page_id, 'do=comments&sub=admin&action=approve&id=' . $row['comment_id']) . '" id="mdgApproveLink' . $i . '">'; |
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1090 |
if($row['approved']) $applink .= $lang->get('comment_btn_mod_unapprove'); |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1091 |
else $applink .= $lang->get('comment_btn_mod_approve'); |
1 | 1092 |
$applink .= '</a>'; |
1093 |
$strings['MOD_APPROVE_LINK'] = $applink; unset($applink); |
|
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1094 |
$strings['MOD_DELETE_LINK'] = '<a href="'.makeUrlNS($namespace, $page_id, 'do=comments&sub=admin&action=delete&id=' . $row['comment_id']) . '">' . $lang->get('comment_btn_mod_delete') . '</a>'; |
1 | 1095 |
|
1096 |
// Signature |
|
1097 |
$strings['SIGNATURE'] = ''; |
|
1098 |
if($row['signature'] != '') $strings['SIGNATURE'] = RenderMan::render($row['signature']); |
|
1099 |
||
1100 |
$bool['auth_mod'] = ($session->get_permissions('mod_comments')) ? true : false; |
|
1101 |
$bool['can_edit'] = ( ( $session->user_logged_in && $row['name'] == $session->username && $session->get_permissions('edit_comments') ) || $session->get_permissions('mod_comments') ) ? true : false; |
|
1102 |
$bool['signature'] = ( $strings['SIGNATURE'] == '' ) ? false : true; |
|
1103 |
||
1104 |
// Done processing and compiling, now let's cook it into HTML |
|
1105 |
$tpl->assign_vars($strings); |
|
1106 |
$tpl->assign_bool($bool); |
|
1107 |
$_ob .= $tpl->run(); |
|
1108 |
} |
|
1109 |
} |
|
1110 |
if(getConfig('comments_need_login') != '2' || $session->user_logged_in) |
|
1111 |
{ |
|
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1112 |
if($session->get_permissions('post_comments')) |
1 | 1113 |
{ |
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1114 |
$_ob .= '<h3>' . $lang->get('comment_postform_title') . '</h3>'; |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1115 |
$_ob .= $lang->get('comment_postform_blurb'); |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1116 |
if(getConfig('approve_comments')=='1') $_ob .= ' ' . $lang->get('comment_postform_blurb_unapp'); |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1117 |
if(getConfig('comments_need_login') == '1' && !$session->user_logged_in) |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1118 |
{ |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1119 |
$_ob .= ' ' . $lang->get('comment_postform_blurb_captcha'); |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1120 |
} |
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1121 |
$sn = $session->user_logged_in ? $session->username . '<input name="name" id="mdgScreenName" type="hidden" value="' . $session->username . '" />' : '<input name="name" id="mdgScreenName" type="text" size="35" />'; |
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1122 |
$_ob .= ' <a href="#" id="mdgCommentFormLink" style="display: none;" onclick="document.getElementById(\'mdgCommentForm\').style.display=\'block\';this.style.display=\'none\';return false;">' . $lang->get('comment_postform_blurb_link') . '</a> |
1 | 1123 |
<div id="mdgCommentForm"> |
1124 |
<form action="'.makeUrlNS($namespace, $page_id, 'do=comments&sub=postcomment').'" method="post" style="margin-left: 1em"> |
|
1125 |
<table border="0"> |
|
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1126 |
<tr><td>' . $lang->get('comment_postform_field_name') . '</td><td>' . $sn . '</td></tr> |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1127 |
<tr><td>' . $lang->get('comment_postform_field_subject') . '</td><td><input name="subj" id="mdgSubject" type="text" size="35" /></td></tr>'; |
1 | 1128 |
if(getConfig('comments_need_login') == '1' && !$session->user_logged_in) |
1129 |
{ |
|
1130 |
$session->kill_captcha(); |
|
1131 |
$captcha = $session->make_captcha(); |
|
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1132 |
$_ob .= '<tr><td>' . $lang->get('comment_postform_field_captcha_title') . '<br /><small>' . $lang->get('comment_postform_field_captcha_blurb') . '</small></td><td><img src="'.makeUrlNS('Special', 'Captcha/' . $captcha) . '" alt="Visual confirmation" style="cursor: pointer;" onclick="this.src = \''.makeUrlNS("Special", "Captcha/".$captcha).'/\'+Math.floor(Math.random() * 100000);" /><input name="captcha_id" id="mdgCaptchaID" type="hidden" value="' . $captcha . '" /><br />' . $lang->get('comment_postform_field_captcha_label') . ' <input name="captcha_input" id="mdgCaptchaInput" type="text" size="10" /><br /><small><script type="text/javascript">document.write("' . $lang->get('comment_postform_field_captcha_cantread_js') . '");</script><noscript>' . $lang->get('comment_postform_field_captcha_cantread_nojs') . '</noscript></small></td></tr>'; |
1 | 1133 |
} |
1134 |
$_ob .= ' |
|
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1135 |
<tr><td valign="top">' . $lang->get('comment_postform_field_comment') . '</td><td><textarea name="text" id="mdgCommentArea" rows="10" cols="40"></textarea></td></tr> |
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1136 |
<tr><td colspan="2" style="text-align: center;"><input type="submit" value="' . $lang->get('comment_postform_btn_submit') . '" /></td></tr> |
1 | 1137 |
</table> |
1138 |
</form> |
|
1139 |
</div>'; |
|
1140 |
} |
|
1141 |
} else { |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1142 |
$_ob .= '<h3>Got something to say?</h3><p>You need to be logged in to post comments. <a href="'.makeUrlNS('Special', 'Login/' . $pname . '%2523comments').'">Log in</a></p>'; |
1 | 1143 |
} |
1144 |
$list .= '};'; |
|
1145 |
echo 'document.getElementById(\'ajaxEditContainer\').innerHTML = unescape(\''. rawurlencode($_ob) .'\'); |
|
1146 |
' . $list; |
|
1147 |
echo 'Fat.fade_all(); document.getElementById(\'mdgCommentForm\').style.display = \'none\'; document.getElementById(\'mdgCommentFormLink\').style.display="inline";'; |
|
1148 |
||
1149 |
$ret = ob_get_contents(); |
|
1150 |
ob_end_clean(); |
|
1151 |
return Array($ret, $_ob); |
|
1152 |
||
1153 |
} |
|
1154 |
||
1155 |
/** |
|
1156 |
* Generates ready-to-execute Javascript code to be eval'ed by the user's browser to display comments |
|
1157 |
* @param $page_id the page ID |
|
1158 |
* @param $namespace the namespace |
|
1159 |
* @param $action administrative action to perform, default is false |
|
1160 |
* @param $flags additional info for $action, shouldn't be used except when deleting/approving comments, etc. |
|
1161 |
* @param $_ob text to prepend to output, used by PageUtils::addcomment |
|
1162 |
* @return string |
|
1163 |
*/ |
|
1164 |
||
1165 |
function comments($page_id, $namespace, $action = false, $id = -1, $_ob = '') |
|
1166 |
{ |
|
1167 |
global $db, $session, $paths, $template, $plugins; // Common objects |
|
1168 |
$r = PageUtils::comments_raw($page_id, $namespace, $action, $id, $_ob); |
|
1169 |
return $r[0]; |
|
1170 |
} |
|
1171 |
||
1172 |
/** |
|
1173 |
* Generates HTML code for comments - used in browser compatibility mode |
|
1174 |
* @param $page_id the page ID |
|
1175 |
* @param $namespace the namespace |
|
1176 |
* @param $action administrative action to perform, default is false |
|
1177 |
* @param $flags additional info for $action, shouldn't be used except when deleting/approving comments, etc. |
|
1178 |
* @param $_ob text to prepend to output, used by PageUtils::addcomment |
|
1179 |
* @return string |
|
1180 |
*/ |
|
1181 |
||
1182 |
function comments_html($page_id, $namespace, $action = false, $id = -1, $_ob = '') |
|
1183 |
{ |
|
1184 |
global $db, $session, $paths, $template, $plugins; // Common objects |
|
1185 |
$r = PageUtils::comments_raw($page_id, $namespace, $action, $id, $_ob); |
|
1186 |
return $r[1]; |
|
1187 |
} |
|
1188 |
||
1189 |
/** |
|
1190 |
* Updates comment data. |
|
1191 |
* @param $page_id the page ID |
|
1192 |
* @param $namespace the namespace |
|
1193 |
* @param $subject new subject |
|
1194 |
* @param $text new text |
|
1195 |
* @param $old_subject the old subject, unprocessed and identical to the value in the DB |
|
1196 |
* @param $old_text the old text, unprocessed and identical to the value in the DB |
|
1197 |
* @param $id the javascript list ID, used internally by the client-side app |
|
1198 |
* @return string |
|
1199 |
*/ |
|
1200 |
||
1201 |
function savecomment($page_id, $namespace, $subject, $text, $old_subject, $old_text, $id = -1) |
|
1202 |
{ |
|
1203 |
global $db, $session, $paths, $template, $plugins; // Common objects |
|
1204 |
if(!$session->get_permissions('edit_comments')) |
|
1205 |
return 'result="BAD";error="Access denied"'; |
|
1206 |
// Avoid SQL injection |
|
1207 |
$old_text = $db->escape($old_text); |
|
1208 |
$old_subject = $db->escape($old_subject); |
|
1209 |
// Safety check - username/login |
|
1210 |
if(!$session->get_permissions('mod_comments')) // allow mods to edit comments |
|
1211 |
{ |
|
1212 |
if(!$session->user_logged_in) _die('AJAX comment save safety check failed because you are not logged in. Sometimes this can happen because you are using a browser that does not send cookies as part of AJAX requests.<br /><br />Please log in and try again.'); |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1213 |
$q = 'SELECT c.name FROM ' . table_prefix.'comments c, ' . table_prefix.'users u WHERE comment_data=\'' . $old_text . '\' AND subject=\'' . $old_subject . '\' AND page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND u.user_id=c.user_id;'; |
1 | 1214 |
$s = $db->sql_query($q); |
1215 |
if(!$s) _die('SQL error during safety check: '.mysql_error().'<br /><br />Attempted SQL:<br /><pre>'.htmlspecialchars($q).'</pre>'); |
|
1216 |
$r = $db->fetchrow($s); |
|
1217 |
$db->free_result(); |
|
1218 |
if($db->numrows() < 1 || $r['name'] != $session->username) _die('Safety check failed, probably due to a hacking attempt.'); |
|
1219 |
} |
|
1220 |
$s = RenderMan::preprocess_text($subject); |
|
1221 |
$t = RenderMan::preprocess_text($text); |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1222 |
$sql = 'UPDATE ' . table_prefix.'comments SET subject=\'' . $s . '\',comment_data=\'' . $t . '\' WHERE comment_data=\'' . $old_text . '\' AND subject=\'' . $old_subject . '\' AND page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\''; |
1 | 1223 |
$result = $db->sql_query($sql); |
1224 |
if($result) |
|
1225 |
{ |
|
1226 |
return 'result="GOOD"; |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1227 |
list[' . $id . '][\'subject\'] = unescape(\''.str_replace('%5Cn', '%0A', rawurlencode(str_replace('{{EnAnO:Newline}}', '\\n', stripslashes(str_replace('\\n', '{{EnAnO:Newline}}', $s))))).'\'); |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1228 |
list[' . $id . '][\'comment\'] = unescape(\''.str_replace('%5Cn', '%0A', rawurlencode(str_replace('{{EnAnO:Newline}}', '\\n', stripslashes(str_replace('\\n', '{{EnAnO:Newline}}', $t))))).'\'); id = ' . $id . '; |
1 | 1229 |
s = unescape(\''.rawurlencode($s).'\'); |
1230 |
t = unescape(\''.str_replace('%5Cn', '<br \\/>', rawurlencode(RenderMan::render(str_replace('{{EnAnO:Newline}}', "\n", stripslashes(str_replace('\\n', '{{EnAnO:Newline}}', $t)))))).'\');'; |
|
1231 |
} |
|
1232 |
else |
|
1233 |
{ |
|
1234 |
return 'result="BAD"; error=unescape("'.rawurlencode('Enano encountered a problem whilst saving the comment. |
|
1235 |
Performed SQL: |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1236 |
' . $sql . ' |
1 | 1237 |
|
1238 |
Error returned by MySQL: '.mysql_error()).'");'; |
|
1239 |
} |
|
1240 |
} |
|
1241 |
||
1242 |
/** |
|
1243 |
* Updates comment data using the comment_id column instead of the old, messy way |
|
1244 |
* @param $page_id the page ID |
|
1245 |
* @param $namespace the namespace |
|
1246 |
* @param $subject new subject |
|
1247 |
* @param $text new text |
|
1248 |
* @param $id the comment ID (primary key in enano_comments table) |
|
1249 |
* @return string |
|
1250 |
*/ |
|
1251 |
||
1252 |
function savecomment_neater($page_id, $namespace, $subject, $text, $id) |
|
1253 |
{ |
|
1254 |
global $db, $session, $paths, $template, $plugins; // Common objects |
|
1255 |
if(!is_int($id)) die('PageUtils::savecomment: $id is not an integer, aborting for safety'); |
|
1256 |
if(!$session->get_permissions('edit_comments')) |
|
1257 |
return 'Access denied'; |
|
1258 |
// Safety check - username/login |
|
1259 |
if(!$session->get_permissions('mod_comments')) // allow mods to edit comments |
|
1260 |
{ |
|
1261 |
if(!$session->user_logged_in) _die('AJAX comment save safety check failed because you are not logged in. Sometimes this can happen because you are using a browser that does not send cookies as part of AJAX requests.<br /><br />Please log in and try again.'); |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1262 |
$q = 'SELECT c.name FROM ' . table_prefix.'comments c, ' . table_prefix.'users u WHERE comment_id=' . $id . ' AND page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND u.user_id=c.user_id;'; |
1 | 1263 |
$s = $db->sql_query($q); |
1264 |
if(!$s) _die('SQL error during safety check: '.mysql_error().'<br /><br />Attempted SQL:<br /><pre>'.htmlspecialchars($q).'</pre>'); |
|
1265 |
$r = $db->fetchrow($s); |
|
1266 |
if($db->numrows() < 1 || $r['name'] != $session->username) _die('Safety check failed, probably due to a hacking attempt.'); |
|
1267 |
$db->free_result(); |
|
1268 |
} |
|
1269 |
$s = RenderMan::preprocess_text($subject); |
|
1270 |
$t = RenderMan::preprocess_text($text); |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1271 |
$sql = 'UPDATE ' . table_prefix.'comments SET subject=\'' . $s . '\',comment_data=\'' . $t . '\' WHERE comment_id=' . $id . ' AND page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\''; |
1 | 1272 |
$result = $db->sql_query($sql); |
1273 |
if($result) |
|
1274 |
return 'good'; |
|
1275 |
else return 'Enano encountered a problem whilst saving the comment. |
|
1276 |
Performed SQL: |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1277 |
' . $sql . ' |
1 | 1278 |
|
1279 |
Error returned by MySQL: '.mysql_error(); |
|
1280 |
} |
|
1281 |
||
1282 |
/** |
|
1283 |
* Deletes a comment. |
|
1284 |
* @param $page_id the page ID |
|
1285 |
* @param $namespace the namespace |
|
1286 |
* @param $name the name the user posted under |
|
1287 |
* @param $subj the subject of the comment to be deleted |
|
1288 |
* @param $text the text of the comment to be deleted |
|
1289 |
* @param $id the javascript list ID, used internally by the client-side app |
|
1290 |
* @return string |
|
1291 |
*/ |
|
1292 |
||
1293 |
function deletecomment($page_id, $namespace, $name, $subj, $text, $id) |
|
1294 |
{ |
|
1295 |
global $db, $session, $paths, $template, $plugins; // Common objects |
|
1296 |
||
1297 |
if(!$session->get_permissions('edit_comments')) |
|
1298 |
return 'alert("Access to delete/edit comments is denied");'; |
|
1299 |
||
1300 |
if(!preg_match('#^([0-9]+)$#', (string)$id)) die('$_GET[id] is improperly formed.'); |
|
1301 |
$n = $db->escape($name); |
|
1302 |
$s = $db->escape($subj); |
|
1303 |
$t = $db->escape($text); |
|
1304 |
||
1305 |
// Safety check - username/login |
|
1306 |
if(!$session->get_permissions('mod_comments')) // allows mods to delete comments |
|
1307 |
{ |
|
1308 |
if(!$session->user_logged_in) _die('AJAX comment save safety check failed because you are not logged in. Sometimes this can happen because you are using a browser that does not send cookies as part of AJAX requests.<br /><br />Please log in and try again.'); |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1309 |
$q = 'SELECT c.name FROM ' . table_prefix.'comments c, ' . table_prefix.'users u WHERE comment_data=\'' . $t . '\' AND subject=\'' . $s . '\' AND page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND u.user_id=c.user_id;'; |
1 | 1310 |
$s = $db->sql_query($q); |
1311 |
if(!$s) _die('SQL error during safety check: '.mysql_error().'<br /><br />Attempted SQL:<br /><pre>'.htmlspecialchars($q).'</pre>'); |
|
1312 |
$r = $db->fetchrow($s); |
|
1313 |
if($db->numrows() < 1 || $r['name'] != $session->username) _die('Safety check failed, probably due to a hacking attempt.'); |
|
1314 |
$db->free_result(); |
|
1315 |
} |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1316 |
$q = 'DELETE FROM ' . table_prefix.'comments WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND name=\'' . $n . '\' AND subject=\'' . $s . '\' AND comment_data=\'' . $t . '\' LIMIT 1;'; |
1 | 1317 |
$e=$db->sql_query($q); |
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1318 |
if(!$e) return('alert(unesape(\''.rawurlencode('Error during query: '.mysql_error().'\n\nQuery:\n' . $q) . '\'));'); |
1 | 1319 |
return('good'); |
1320 |
} |
|
1321 |
||
1322 |
/** |
|
1323 |
* Deletes a comment in a cleaner fashion. |
|
1324 |
* @param $page_id the page ID |
|
1325 |
* @param $namespace the namespace |
|
1326 |
* @param $id the comment ID (primary key) |
|
1327 |
* @return string |
|
1328 |
*/ |
|
1329 |
||
1330 |
function deletecomment_neater($page_id, $namespace, $id) |
|
1331 |
{ |
|
1332 |
global $db, $session, $paths, $template, $plugins; // Common objects |
|
1333 |
||
1334 |
if(!preg_match('#^([0-9]+)$#', (string)$id)) die('$_GET[id] is improperly formed.'); |
|
1335 |
||
1336 |
if(!$session->get_permissions('edit_comments')) |
|
1337 |
return 'alert("Access to delete/edit comments is denied");'; |
|
1338 |
||
1339 |
// Safety check - username/login |
|
1340 |
if(!$session->get_permissions('mod_comments')) // allows mods to delete comments |
|
1341 |
{ |
|
1342 |
if(!$session->user_logged_in) _die('AJAX comment save safety check failed because you are not logged in. Sometimes this can happen because you are using a browser that does not send cookies as part of AJAX requests.<br /><br />Please log in and try again.'); |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1343 |
$q = 'SELECT c.name FROM ' . table_prefix.'comments c, ' . table_prefix.'users u WHERE comment_id=' . $id . ' AND page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND u.user_id=c.user_id;'; |
1 | 1344 |
$s = $db->sql_query($q); |
1345 |
if(!$s) _die('SQL error during safety check: '.mysql_error().'<br /><br />Attempted SQL:<br /><pre>'.htmlspecialchars($q).'</pre>'); |
|
1346 |
$r = $db->fetchrow($s); |
|
1347 |
if($db->numrows() < 1 || $r['name'] != $session->username) _die('Safety check failed, probably due to a hacking attempt.'); |
|
1348 |
$db->free_result(); |
|
1349 |
} |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1350 |
$q = 'DELETE FROM ' . table_prefix.'comments WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\' AND comment_id=' . $id . ' LIMIT 1;'; |
1 | 1351 |
$e=$db->sql_query($q); |
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1352 |
if(!$e) return('alert(unesape(\''.rawurlencode('Error during query: '.mysql_error().'\n\nQuery:\n' . $q) . '\'));'); |
1 | 1353 |
return('good'); |
1354 |
} |
|
1355 |
||
1356 |
/** |
|
1357 |
* Renames a page. |
|
1358 |
* @param $page_id the page ID |
|
1359 |
* @param $namespace the namespace |
|
1360 |
* @param $name the new name for the page |
|
1361 |
* @return string error string or success message |
|
1362 |
*/ |
|
1363 |
||
1364 |
function rename($page_id, $namespace, $name) |
|
1365 |
{ |
|
1366 |
global $db, $session, $paths, $template, $plugins; // Common objects |
|
214 | 1367 |
global $lang; |
1 | 1368 |
|
1369 |
$pname = $paths->nslist[$namespace] . $page_id; |
|
1370 |
||
1371 |
$prot = ( ( $paths->pages[$pname]['protected'] == 2 && $session->user_logged_in && $session->reg_time + 60*60*24*4 < time() ) || $paths->pages[$pname]['protected'] == 1) ? true : false; |
|
1372 |
$wiki = ( ( $paths->pages[$pname]['wiki_mode'] == 2 && getConfig('wiki_mode') == '1') || $paths->pages[$pname]['wiki_mode'] == 1) ? true : false; |
|
1373 |
||
15
ad5986a53197
Fixed complicated SQL injection vulnerability in URL handler, updated license info for Tigra Tree Menu, and killed one XSS vulnerability
Dan
parents:
1
diff
changeset
|
1374 |
if( empty($name)) |
ad5986a53197
Fixed complicated SQL injection vulnerability in URL handler, updated license info for Tigra Tree Menu, and killed one XSS vulnerability
Dan
parents:
1
diff
changeset
|
1375 |
{ |
214 | 1376 |
return($lang->get('ajax_rename_too_short')); |
15
ad5986a53197
Fixed complicated SQL injection vulnerability in URL handler, updated license info for Tigra Tree Menu, and killed one XSS vulnerability
Dan
parents:
1
diff
changeset
|
1377 |
} |
ad5986a53197
Fixed complicated SQL injection vulnerability in URL handler, updated license info for Tigra Tree Menu, and killed one XSS vulnerability
Dan
parents:
1
diff
changeset
|
1378 |
if( ( $session->get_permissions('rename') && ( ( $prot && $session->get_permissions('even_when_protected') ) || !$prot ) ) && ( $paths->namespace != 'Special' && $paths->namespace != 'Admin' )) |
ad5986a53197
Fixed complicated SQL injection vulnerability in URL handler, updated license info for Tigra Tree Menu, and killed one XSS vulnerability
Dan
parents:
1
diff
changeset
|
1379 |
{ |
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1380 |
$e = $db->sql_query('INSERT INTO ' . table_prefix.'logs(time_id,date_string,log_type,action,page_id,namespace,author,edit_summary) VALUES('.time().', \''.date('d M Y h:i a').'\', \'page\', \'rename\', \'' . $db->escape($paths->cpage['urlname_nons']) . '\', \'' . $paths->namespace . '\', \'' . $db->escape($session->username) . '\', \'' . $db->escape($paths->cpage['name']) . '\')'); |
15
ad5986a53197
Fixed complicated SQL injection vulnerability in URL handler, updated license info for Tigra Tree Menu, and killed one XSS vulnerability
Dan
parents:
1
diff
changeset
|
1381 |
if ( !$e ) |
ad5986a53197
Fixed complicated SQL injection vulnerability in URL handler, updated license info for Tigra Tree Menu, and killed one XSS vulnerability
Dan
parents:
1
diff
changeset
|
1382 |
{ |
ad5986a53197
Fixed complicated SQL injection vulnerability in URL handler, updated license info for Tigra Tree Menu, and killed one XSS vulnerability
Dan
parents:
1
diff
changeset
|
1383 |
$db->_die('The page title could not be updated.'); |
ad5986a53197
Fixed complicated SQL injection vulnerability in URL handler, updated license info for Tigra Tree Menu, and killed one XSS vulnerability
Dan
parents:
1
diff
changeset
|
1384 |
} |
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1385 |
$e = $db->sql_query('UPDATE ' . table_prefix.'pages SET name=\'' . $db->escape($name) . '\' WHERE urlname=\'' . $db->escape($page_id) . '\' AND namespace=\'' . $db->escape($namespace) . '\';'); |
15
ad5986a53197
Fixed complicated SQL injection vulnerability in URL handler, updated license info for Tigra Tree Menu, and killed one XSS vulnerability
Dan
parents:
1
diff
changeset
|
1386 |
if ( !$e ) |
ad5986a53197
Fixed complicated SQL injection vulnerability in URL handler, updated license info for Tigra Tree Menu, and killed one XSS vulnerability
Dan
parents:
1
diff
changeset
|
1387 |
{ |
ad5986a53197
Fixed complicated SQL injection vulnerability in URL handler, updated license info for Tigra Tree Menu, and killed one XSS vulnerability
Dan
parents:
1
diff
changeset
|
1388 |
$db->_die('The page title could not be updated.'); |
ad5986a53197
Fixed complicated SQL injection vulnerability in URL handler, updated license info for Tigra Tree Menu, and killed one XSS vulnerability
Dan
parents:
1
diff
changeset
|
1389 |
} |
ad5986a53197
Fixed complicated SQL injection vulnerability in URL handler, updated license info for Tigra Tree Menu, and killed one XSS vulnerability
Dan
parents:
1
diff
changeset
|
1390 |
else |
ad5986a53197
Fixed complicated SQL injection vulnerability in URL handler, updated license info for Tigra Tree Menu, and killed one XSS vulnerability
Dan
parents:
1
diff
changeset
|
1391 |
{ |
214 | 1392 |
$subst = array( |
1393 |
'page_name_old' => $paths->pages[$pname]['name'], |
|
1394 |
'page_name_new' => $name |
|
1395 |
); |
|
1396 |
return $lang->get('ajax_rename_success', $subst); |
|
15
ad5986a53197
Fixed complicated SQL injection vulnerability in URL handler, updated license info for Tigra Tree Menu, and killed one XSS vulnerability
Dan
parents:
1
diff
changeset
|
1397 |
} |
ad5986a53197
Fixed complicated SQL injection vulnerability in URL handler, updated license info for Tigra Tree Menu, and killed one XSS vulnerability
Dan
parents:
1
diff
changeset
|
1398 |
} |
ad5986a53197
Fixed complicated SQL injection vulnerability in URL handler, updated license info for Tigra Tree Menu, and killed one XSS vulnerability
Dan
parents:
1
diff
changeset
|
1399 |
else |
ad5986a53197
Fixed complicated SQL injection vulnerability in URL handler, updated license info for Tigra Tree Menu, and killed one XSS vulnerability
Dan
parents:
1
diff
changeset
|
1400 |
{ |
214 | 1401 |
return($lang->get('etc_access_denied')); |
1 | 1402 |
} |
1403 |
} |
|
1404 |
||
1405 |
/** |
|
1406 |
* Flushes (clears) the action logs for a given page |
|
1407 |
* @param $page_id the page ID |
|
1408 |
* @param $namespace the namespace |
|
1409 |
* @return string error/success string |
|
1410 |
*/ |
|
1411 |
||
1412 |
function flushlogs($page_id, $namespace) |
|
1413 |
{ |
|
1414 |
global $db, $session, $paths, $template, $plugins; // Common objects |
|
214 | 1415 |
global $lang; |
1416 |
if(!$session->get_permissions('clear_logs')) |
|
1417 |
{ |
|
1418 |
return $lang->get('etc_access_denied'); |
|
1419 |
} |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1420 |
$e = $db->sql_query('DELETE FROM ' . table_prefix.'logs WHERE page_id=\'' . $db->escape($page_id) . '\' AND namespace=\'' . $db->escape($namespace) . '\';'); |
1 | 1421 |
if(!$e) $db->_die('The log entries could not be deleted.'); |
32
4d87aad3c4c0
Finished everything on the TODO list (yay!); several CSS cleanups; tons more changes in this commit - see the patch for details
Dan
parents:
29
diff
changeset
|
1422 |
|
4d87aad3c4c0
Finished everything on the TODO list (yay!); several CSS cleanups; tons more changes in this commit - see the patch for details
Dan
parents:
29
diff
changeset
|
1423 |
// If the page exists, make a backup of it in case it gets spammed/vandalized |
4d87aad3c4c0
Finished everything on the TODO list (yay!); several CSS cleanups; tons more changes in this commit - see the patch for details
Dan
parents:
29
diff
changeset
|
1424 |
// If not, the admin's probably deleting a trash page |
4d87aad3c4c0
Finished everything on the TODO list (yay!); several CSS cleanups; tons more changes in this commit - see the patch for details
Dan
parents:
29
diff
changeset
|
1425 |
if ( isset($paths->pages[ $paths->nslist[$namespace] . $page_id ]) ) |
4d87aad3c4c0
Finished everything on the TODO list (yay!); several CSS cleanups; tons more changes in this commit - see the patch for details
Dan
parents:
29
diff
changeset
|
1426 |
{ |
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1427 |
$e = $db->sql_query('SELECT page_text,char_tag FROM ' . table_prefix.'page_text WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\';'); |
32
4d87aad3c4c0
Finished everything on the TODO list (yay!); several CSS cleanups; tons more changes in this commit - see the patch for details
Dan
parents:
29
diff
changeset
|
1428 |
if(!$e) $db->_die('The current page text could not be selected; as a result, creating the backup of the page failed. Please make a backup copy of the page by clicking Edit this page and then clicking Save Changes.'); |
4d87aad3c4c0
Finished everything on the TODO list (yay!); several CSS cleanups; tons more changes in this commit - see the patch for details
Dan
parents:
29
diff
changeset
|
1429 |
$row = $db->fetchrow(); |
4d87aad3c4c0
Finished everything on the TODO list (yay!); several CSS cleanups; tons more changes in this commit - see the patch for details
Dan
parents:
29
diff
changeset
|
1430 |
$db->free_result(); |
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1431 |
$q='INSERT INTO ' . table_prefix.'logs(log_type,action,time_id,date_string,page_id,namespace,page_text,char_tag,author,edit_summary,minor_edit) VALUES(\'page\', \'edit\', '.time().', \''.date('d M Y h:i a').'\', \'' . $page_id . '\', \'' . $namespace . '\', \'' . $db->escape($row['page_text']) . '\', \'' . $row['char_tag'] . '\', \'' . $session->username . '\', \''."Automatic backup created when logs were purged".'\', '.'false'.');'; |
32
4d87aad3c4c0
Finished everything on the TODO list (yay!); several CSS cleanups; tons more changes in this commit - see the patch for details
Dan
parents:
29
diff
changeset
|
1432 |
if(!$db->sql_query($q)) $db->_die('The history (log) entry could not be inserted into the logs table.'); |
4d87aad3c4c0
Finished everything on the TODO list (yay!); several CSS cleanups; tons more changes in this commit - see the patch for details
Dan
parents:
29
diff
changeset
|
1433 |
} |
214 | 1434 |
return $lang->get('ajax_clearlogs_success'); |
1 | 1435 |
} |
1436 |
||
1437 |
/** |
|
1438 |
* Deletes a page. |
|
28 | 1439 |
* @param string $page_id the condemned page ID |
1440 |
* @param string $namespace the condemned namespace |
|
1441 |
* @param string The reason for deleting the page in question |
|
1 | 1442 |
* @return string |
1443 |
*/ |
|
1444 |
||
28 | 1445 |
function deletepage($page_id, $namespace, $reason) |
1 | 1446 |
{ |
1447 |
global $db, $session, $paths, $template, $plugins; // Common objects |
|
214 | 1448 |
global $lang; |
1 | 1449 |
$perms = $session->fetch_page_acl($page_id, $namespace); |
28 | 1450 |
$x = trim($reason); |
1451 |
if ( empty($x) ) |
|
1452 |
{ |
|
214 | 1453 |
return $lang->get('ajax_delete_need_reason'); |
28 | 1454 |
} |
1455 |
if(!$perms->get_permissions('delete_page')) return('Administrative privileges are required to delete pages, you loser.'); |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1456 |
$e = $db->sql_query('INSERT INTO ' . table_prefix.'logs(time_id,date_string,log_type,action,page_id,namespace,author,edit_summary) VALUES('.time().', \''.date('d M Y h:i a').'\', \'page\', \'delete\', \'' . $page_id . '\', \'' . $namespace . '\', \'' . $session->username . '\', \'' . $db->escape(htmlspecialchars($reason)) . '\')'); |
1 | 1457 |
if(!$e) $db->_die('The page log entry could not be inserted.'); |
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1458 |
$e = $db->sql_query('DELETE FROM ' . table_prefix.'categories WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\''); |
1 | 1459 |
if(!$e) $db->_die('The page categorization entries could not be deleted.'); |
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1460 |
$e = $db->sql_query('DELETE FROM ' . table_prefix.'comments WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\''); |
1 | 1461 |
if(!$e) $db->_die('The page comments could not be deleted.'); |
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1462 |
$e = $db->sql_query('DELETE FROM ' . table_prefix.'page_text WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\''); |
1 | 1463 |
if(!$e) $db->_die('The page text entry could not be deleted.'); |
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1464 |
$e = $db->sql_query('DELETE FROM ' . table_prefix.'pages WHERE urlname=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\''); |
1 | 1465 |
if(!$e) $db->_die('The page entry could not be deleted.'); |
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1466 |
$e = $db->sql_query('DELETE FROM ' . table_prefix.'files WHERE page_id=\'' . $page_id . '\''); |
1 | 1467 |
if(!$e) $db->_die('The file entry could not be deleted.'); |
214 | 1468 |
return $lang->get('ajax_delete_success'); |
1 | 1469 |
} |
1470 |
||
1471 |
/** |
|
1472 |
* Increments the deletion votes for a page by 1, and adds the current username/IP to the list of users that have voted for the page to prevent dual-voting |
|
1473 |
* @param $page_id the page ID |
|
1474 |
* @param $namespace the namespace |
|
1475 |
* @return string |
|
1476 |
*/ |
|
1477 |
||
1478 |
function delvote($page_id, $namespace) |
|
1479 |
{ |
|
1480 |
global $db, $session, $paths, $template, $plugins; // Common objects |
|
214 | 1481 |
global $lang; |
112
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1482 |
if ( !$session->get_permissions('vote_delete') ) |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1483 |
{ |
214 | 1484 |
return $lang->get('etc_access_denied'); |
112
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1485 |
} |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1486 |
|
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1487 |
if ( $namespace == 'Admin' || $namespace == 'Special' || $namespace == 'System' ) |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1488 |
{ |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1489 |
return 'Special pages and system messages can\'t be voted for deletion.'; |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1490 |
} |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1491 |
|
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1492 |
$pname = $paths->nslist[$namespace] . sanitize_page_id($page_id); |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1493 |
|
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1494 |
if ( !isset($paths->pages[$pname]) ) |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1495 |
{ |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1496 |
return 'The page does not exist.'; |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1497 |
} |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1498 |
|
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1499 |
$cv =& $paths->pages[$pname]['delvotes']; |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1500 |
$ips = $paths->pages[$pname]['delvote_ips']; |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1501 |
|
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1502 |
if ( empty($ips) ) |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1503 |
{ |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1504 |
$ips = array( |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1505 |
'ip' => array(), |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1506 |
'u' => array() |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1507 |
); |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1508 |
} |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1509 |
else |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1510 |
{ |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1511 |
$ips = @unserialize($ips); |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1512 |
if ( !$ips ) |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1513 |
{ |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1514 |
$ips = array( |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1515 |
'ip' => array(), |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1516 |
'u' => array() |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1517 |
); |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1518 |
} |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1519 |
} |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1520 |
|
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1521 |
if ( in_array($session->username, $ips['u']) || in_array($_SERVER['REMOTE_ADDR'], $ips['ip']) ) |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1522 |
{ |
214 | 1523 |
return $lang->get('ajax_delvote_already_voted'); |
112
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1524 |
} |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1525 |
|
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1526 |
$ips['u'][] = $session->username; |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1527 |
$ips['ip'][] = $_SERVER['REMOTE_ADDR']; |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1528 |
$ips = $db->escape( serialize($ips) ); |
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1529 |
|
1 | 1530 |
$cv++; |
112
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1531 |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1532 |
$q = 'UPDATE ' . table_prefix.'pages SET delvotes=' . $cv . ',delvote_ips=\'' . $ips . '\' WHERE urlname=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\''; |
1 | 1533 |
$w = $db->sql_query($q); |
112
008b1c42be72
Rewrote all code related to delvote_ips column to use serialize()
Dan
parents:
103
diff
changeset
|
1534 |
|
214 | 1535 |
return $lang->get('ajax_delvote_success'); |
1 | 1536 |
} |
1537 |
||
1538 |
/** |
|
1539 |
* Resets the number of votes against a page to 0. |
|
1540 |
* @param $page_id the page ID |
|
1541 |
* @param $namespace the namespace |
|
1542 |
* @return string |
|
1543 |
*/ |
|
1544 |
||
1545 |
function resetdelvotes($page_id, $namespace) |
|
1546 |
{ |
|
1547 |
global $db, $session, $paths, $template, $plugins; // Common objects |
|
214 | 1548 |
global $lang; |
1549 |
if(!$session->get_permissions('vote_reset')) |
|
1550 |
{ |
|
1551 |
return $lang->get('etc_access_denied'); |
|
1552 |
} |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1553 |
$q = 'UPDATE ' . table_prefix.'pages SET delvotes=0,delvote_ips=\'' . $db->escape(serialize(array('ip'=>array(),'u'=>array()))) . '\' WHERE urlname=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\''; |
1 | 1554 |
$e = $db->sql_query($q); |
1555 |
if(!$e) $db->_die('The number of delete votes was not reset.'); |
|
214 | 1556 |
else |
1557 |
{ |
|
1558 |
return $lang->get('ajax_delvote_reset_success'); |
|
1559 |
} |
|
1 | 1560 |
} |
1561 |
||
1562 |
/** |
|
29
e5484a9e0818
Rewrote change theme dialog; a few minor stability fixes here and there; fixed IE + St Patty background image
Dan
parents:
28
diff
changeset
|
1563 |
* Gets a list of styles for a given theme name. As of Banshee, this returns JSON. |
1 | 1564 |
* @param $id the name of the directory for the theme |
29
e5484a9e0818
Rewrote change theme dialog; a few minor stability fixes here and there; fixed IE + St Patty background image
Dan
parents:
28
diff
changeset
|
1565 |
* @return string JSON string with an array containing a list of themes |
1 | 1566 |
*/ |
1567 |
||
1568 |
function getstyles() |
|
1569 |
{ |
|
29
e5484a9e0818
Rewrote change theme dialog; a few minor stability fixes here and there; fixed IE + St Patty background image
Dan
parents:
28
diff
changeset
|
1570 |
$json = new Services_JSON(SERVICES_JSON_LOOSE_TYPE); |
e5484a9e0818
Rewrote change theme dialog; a few minor stability fixes here and there; fixed IE + St Patty background image
Dan
parents:
28
diff
changeset
|
1571 |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1572 |
if ( !preg_match('/^([a-z0-9_-]+)$/', $_GET['id']) ) |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1573 |
return $json->encode(false); |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1574 |
|
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1575 |
$dir = './themes/' . $_GET['id'] . '/css/'; |
1 | 1576 |
$list = Array(); |
1577 |
// Open a known directory, and proceed to read its contents |
|
1578 |
if (is_dir($dir)) { |
|
1579 |
if ($dh = opendir($dir)) { |
|
1580 |
while (($file = readdir($dh)) !== false) { |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1581 |
if ( preg_match('#^(.*?)\.css$#is', $file) && $file != '_printable.css' ) // _printable.css should be included with every theme |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1582 |
{ // it should be a copy of the original style, but |
1 | 1583 |
// mostly black and white |
1584 |
// Note to self: document this |
|
1585 |
$list[] = substr($file, 0, strlen($file)-4); |
|
1586 |
} |
|
1587 |
} |
|
1588 |
closedir($dh); |
|
1589 |
} |
|
1590 |
} |
|
29
e5484a9e0818
Rewrote change theme dialog; a few minor stability fixes here and there; fixed IE + St Patty background image
Dan
parents:
28
diff
changeset
|
1591 |
else |
e5484a9e0818
Rewrote change theme dialog; a few minor stability fixes here and there; fixed IE + St Patty background image
Dan
parents:
28
diff
changeset
|
1592 |
{ |
39
c83ff194977a
Changed animation on flying message boxes; bugfix for "Array" response in theme changer; added diff CSS to enano-shared; allowed spaces in username during install
Dan
parents:
32
diff
changeset
|
1593 |
return($json->encode(Array('mode' => 'error', 'error' => $dir.' is not a dir'))); |
29
e5484a9e0818
Rewrote change theme dialog; a few minor stability fixes here and there; fixed IE + St Patty background image
Dan
parents:
28
diff
changeset
|
1594 |
} |
e5484a9e0818
Rewrote change theme dialog; a few minor stability fixes here and there; fixed IE + St Patty background image
Dan
parents:
28
diff
changeset
|
1595 |
|
e5484a9e0818
Rewrote change theme dialog; a few minor stability fixes here and there; fixed IE + St Patty background image
Dan
parents:
28
diff
changeset
|
1596 |
return $json->encode($list); |
1 | 1597 |
} |
1598 |
||
1599 |
/** |
|
1600 |
* Assembles a Javascript app with category information |
|
1601 |
* @param $page_id the page ID |
|
1602 |
* @param $namespace the namespace |
|
1603 |
* @return string Javascript code |
|
1604 |
*/ |
|
1605 |
||
1606 |
function catedit($page_id, $namespace) |
|
1607 |
{ |
|
1608 |
$d = PageUtils::catedit_raw($page_id, $namespace); |
|
1609 |
return $d[0] . ' /* BEGIN CONTENT */ document.getElementById("ajaxEditContainer").innerHTML = unescape(\''.rawurlencode($d[1]).'\');'; |
|
1610 |
} |
|
1611 |
||
1612 |
/** |
|
1613 |
* Does the actual HTML/javascript generation for cat editing, but returns an array |
|
1614 |
* @access private |
|
1615 |
*/ |
|
1616 |
||
1617 |
function catedit_raw($page_id, $namespace) |
|
1618 |
{ |
|
1619 |
global $db, $session, $paths, $template, $plugins; // Common objects |
|
214 | 1620 |
global $lang; |
1621 |
||
1 | 1622 |
ob_start(); |
1623 |
$_ob = ''; |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1624 |
$e = $db->sql_query('SELECT category_id FROM ' . table_prefix.'categories WHERE page_id=\'' . $paths->cpage['urlname_nons'] . '\' AND namespace=\'' . $paths->namespace . '\''); |
1 | 1625 |
if(!$e) jsdie('Error selecting category information for current page: '.mysql_error()); |
1626 |
$cat_current = Array(); |
|
1627 |
while($r = $db->fetchrow()) |
|
1628 |
{ |
|
1629 |
$cat_current[] = $r; |
|
1630 |
} |
|
1631 |
$db->free_result(); |
|
1632 |
$cat_all = Array(); |
|
1633 |
for($i=0;$i<sizeof($paths->pages)/2;$i++) |
|
1634 |
{ |
|
1635 |
if($paths->pages[$i]['namespace']=='Category') $cat_all[] = $paths->pages[$i]; |
|
1636 |
} |
|
1637 |
||
1638 |
// Make $cat_all an associative array, like $paths->pages |
|
1639 |
$sz = sizeof($cat_all); |
|
1640 |
for($i=0;$i<$sz;$i++) |
|
1641 |
{ |
|
1642 |
$cat_all[$cat_all[$i]['urlname_nons']] = $cat_all[$i]; |
|
1643 |
} |
|
1644 |
// Now, the "zipper" function - join the list of categories with the list of cats that this page is a part of |
|
1645 |
$cat_info = $cat_all; |
|
1646 |
for($i=0;$i<sizeof($cat_current);$i++) |
|
1647 |
{ |
|
1648 |
$un = $cat_current[$i]['category_id']; |
|
1649 |
$cat_info[$un]['member'] = true; |
|
1650 |
} |
|
1651 |
// Now copy the information we just set into the numerically named keys |
|
1652 |
for($i=0;$i<sizeof($cat_info)/2;$i++) |
|
1653 |
{ |
|
1654 |
$un = $cat_info[$i]['urlname_nons']; |
|
1655 |
$cat_info[$i] = $cat_info[$un]; |
|
1656 |
} |
|
1657 |
||
1658 |
echo 'catlist = new Array();'; // Initialize the client-side category list |
|
214 | 1659 |
$_ob .= '<h3>' . $lang->get('catedit_title') . '</h3> |
1 | 1660 |
<form name="mdgCatForm" action="'.makeUrlNS($namespace, $page_id, 'do=catedit').'" method="post">'; |
1661 |
if ( sizeof($cat_info) < 1 ) |
|
1662 |
{ |
|
214 | 1663 |
$_ob .= '<p>' . $lang->get('catedit_no_categories') . '</p>'; |
1 | 1664 |
} |
1665 |
for ( $i = 0; $i < sizeof($cat_info) / 2; $i++ ) |
|
1666 |
{ |
|
1667 |
// Protection code added 1/3/07 |
|
1668 |
// Updated 3/4/07 |
|
1669 |
$is_prot = false; |
|
1670 |
$perms = $session->fetch_page_acl($cat_info[$i]['urlname_nons'], 'Category'); |
|
1671 |
if ( !$session->get_permissions('edit_cat') || !$perms->get_permissions('edit_cat') || |
|
1672 |
( $cat_info[$i]['really_protected'] && !$perms->get_permissions('even_when_protected') ) ) |
|
1673 |
$is_prot = true; |
|
1674 |
$prot = ( $is_prot ) ? ' disabled="disabled" ' : ''; |
|
1675 |
$prottext = ( $is_prot ) ? ' <img alt="(protected)" width="16" height="16" src="'.scriptPath.'/images/lock16.png" />' : ''; |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1676 |
echo 'catlist[' . $i . '] = \'' . $cat_info[$i]['urlname_nons'] . '\';'; |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1677 |
$_ob .= '<span class="catCheck"><input ' . $prot . ' name="' . $cat_info[$i]['urlname_nons'] . '" id="mdgCat_' . $cat_info[$i]['urlname_nons'] . '" type="checkbox"'; |
1 | 1678 |
if(isset($cat_info[$i]['member'])) $_ob .= ' checked="checked"'; |
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1679 |
$_ob .= '/> <label for="mdgCat_' . $cat_info[$i]['urlname_nons'] . '">' . $cat_info[$i]['name'].$prottext.'</label></span><br />'; |
1 | 1680 |
} |
1681 |
||
1682 |
$disabled = ( sizeof($cat_info) < 1 ) ? 'disabled="disabled"' : ''; |
|
1683 |
||
214 | 1684 |
$_ob .= '<div style="border-top: 1px solid #CCC; padding-top: 5px; margin-top: 10px;"><input name="__enanoSaveButton" ' . $disabled . ' style="font-weight: bold;" type="submit" onclick="ajaxCatSave(); return false;" value="' . $lang->get('etc_save_changes') . '" /> <input name="__enanoCatCancel" type="submit" onclick="ajaxReset(); return false;" value="' . $lang->get('etc_cancel') . '" /></div></form>'; |
1 | 1685 |
|
1686 |
$cont = ob_get_contents(); |
|
1687 |
ob_end_clean(); |
|
1688 |
return Array($cont, $_ob); |
|
1689 |
} |
|
1690 |
||
1691 |
/** |
|
1692 |
* Saves category information |
|
1693 |
* WARNING: If $which_cats is empty, all the category information for the selected page will be nuked! |
|
1694 |
* @param $page_id string the page ID |
|
1695 |
* @param $namespace string the namespace |
|
1696 |
* @param $which_cats array associative array of categories to put the page in |
|
1697 |
* @return string "GOOD" on success, error string on failure |
|
1698 |
*/ |
|
1699 |
||
1700 |
function catsave($page_id, $namespace, $which_cats) |
|
1701 |
{ |
|
1702 |
global $db, $session, $paths, $template, $plugins; // Common objects |
|
1703 |
if(!$session->get_permissions('edit_cat')) return('Insufficient privileges to change category information'); |
|
1704 |
||
1705 |
$page_perms = $session->fetch_page_acl($page_id, $namespace); |
|
1706 |
$page_data =& $paths->pages[$paths->nslist[$namespace].$page_id]; |
|
1707 |
||
1708 |
$cat_all = Array(); |
|
1709 |
for($i=0;$i<sizeof($paths->pages)/2;$i++) |
|
1710 |
{ |
|
1711 |
if($paths->pages[$i]['namespace']=='Category') $cat_all[] = $paths->pages[$i]; |
|
1712 |
} |
|
1713 |
||
1714 |
// Make $cat_all an associative array, like $paths->pages |
|
1715 |
$sz = sizeof($cat_all); |
|
1716 |
for($i=0;$i<$sz;$i++) |
|
1717 |
{ |
|
1718 |
$cat_all[$cat_all[$i]['urlname_nons']] = $cat_all[$i]; |
|
1719 |
} |
|
1720 |
||
1721 |
$rowlist = Array(); |
|
1722 |
||
1723 |
for($i=0;$i<sizeof($cat_all)/2;$i++) |
|
1724 |
{ |
|
1725 |
$auth = true; |
|
1726 |
$perms = $session->fetch_page_acl($cat_all[$i]['urlname_nons'], 'Category'); |
|
1727 |
if ( !$session->get_permissions('edit_cat') || !$perms->get_permissions('edit_cat') || |
|
1728 |
( $cat_all[$i]['really_protected'] && !$perms->get_permissions('even_when_protected') ) || |
|
1729 |
( !$page_perms->get_permissions('even_when_protected') && $page_data['protected'] == '1' ) ) |
|
1730 |
$auth = false; |
|
1731 |
if(!$auth) |
|
1732 |
{ |
|
1733 |
// Find out if the page is currently in the category |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1734 |
$q = $db->sql_query('SELECT * FROM ' . table_prefix.'categories WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\';'); |
1 | 1735 |
if(!$q) |
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1736 |
return 'MySQL error: ' . $db->get_error(); |
1 | 1737 |
if($db->numrows() > 0) |
1738 |
{ |
|
1739 |
$auth = true; |
|
1740 |
$which_cats[$cat_all[$i]['urlname_nons']] = true; // Force the category to stay in its current state |
|
1741 |
} |
|
1742 |
$db->free_result(); |
|
1743 |
} |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1744 |
if(isset($which_cats[$cat_all[$i]['urlname_nons']]) && $which_cats[$cat_all[$i]['urlname_nons']] == true /* for clarity ;-) */ && $auth ) $rowlist[] = '(\'' . $page_id . '\', \'' . $namespace . '\', \'' . $cat_all[$i]['urlname_nons'] . '\')'; |
1 | 1745 |
} |
1746 |
if(sizeof($rowlist) > 0) |
|
1747 |
{ |
|
1748 |
$val = implode(',', $rowlist); |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1749 |
$q = 'INSERT INTO ' . table_prefix.'categories(page_id,namespace,category_id) VALUES' . $val . ';'; |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1750 |
$e = $db->sql_query('DELETE FROM ' . table_prefix.'categories WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\';'); |
1 | 1751 |
if(!$e) $db->_die('The old category data could not be deleted.'); |
1752 |
$e = $db->sql_query($q); |
|
1753 |
if(!$e) $db->_die('The new category data could not be inserted.'); |
|
1754 |
return('GOOD'); |
|
1755 |
} |
|
1756 |
else |
|
1757 |
{ |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1758 |
$e = $db->sql_query('DELETE FROM ' . table_prefix.'categories WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\';'); |
1 | 1759 |
if(!$e) $db->_die('The old category data could not be deleted.'); |
1760 |
return('GOOD'); |
|
1761 |
} |
|
1762 |
} |
|
1763 |
||
1764 |
/** |
|
1765 |
* Sets the wiki mode level for a page. |
|
1766 |
* @param $page_id string the page ID |
|
1767 |
* @param $namespace string the namespace |
|
1768 |
* @param $level int 0 for off, 1 for on, 2 for use global setting |
|
1769 |
* @return string "GOOD" on success, error string on failure |
|
1770 |
*/ |
|
1771 |
||
1772 |
function setwikimode($page_id, $namespace, $level) |
|
1773 |
{ |
|
1774 |
global $db, $session, $paths, $template, $plugins; // Common objects |
|
1775 |
if(!$session->get_permissions('set_wiki_mode')) return('Insufficient access rights'); |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1776 |
if ( !isset($level) || ( isset($level) && !preg_match('#^([0-2]){1}$#', (string)$level) ) ) |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1777 |
{ |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1778 |
return('Invalid mode string'); |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1779 |
} |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1780 |
$q = $db->sql_query('UPDATE ' . table_prefix.'pages SET wiki_mode=' . $level . ' WHERE urlname=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\';'); |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1781 |
if ( !$q ) |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1782 |
{ |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1783 |
return('Error during update query: '.mysql_error()."\n\nSQL Backtrace:\n".$db->sql_backtrace()); |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1784 |
} |
1 | 1785 |
return('GOOD'); |
1786 |
} |
|
1787 |
||
1788 |
/** |
|
1789 |
* Sets the access password for a page. |
|
1790 |
* @param $page_id string the page ID |
|
1791 |
* @param $namespace string the namespace |
|
1792 |
* @param $pass string the SHA1 hash of the password - if the password doesn't match the regex ^([0-9a-f]*){40,40}$ it will be sha1'ed |
|
1793 |
* @return string |
|
1794 |
*/ |
|
1795 |
||
1796 |
function setpass($page_id, $namespace, $pass) |
|
1797 |
{ |
|
1798 |
global $db, $session, $paths, $template, $plugins; // Common objects |
|
214 | 1799 |
global $lang; |
1 | 1800 |
// Determine permissions |
1801 |
if($paths->pages[$paths->nslist[$namespace].$page_id]['password'] != '') |
|
1802 |
$a = $session->get_permissions('password_reset'); |
|
1803 |
else |
|
1804 |
$a = $session->get_permissions('password_set'); |
|
1805 |
if(!$a) |
|
214 | 1806 |
return $lang->get('etc_access_denied'); |
1 | 1807 |
if(!isset($pass)) return('Password was not set on URL'); |
1808 |
$p = $pass; |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1809 |
if ( !preg_match('#([0-9a-f]){40,40}#', $p) ) |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1810 |
{ |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1811 |
$p = sha1($p); |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1812 |
} |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1813 |
if ( $p == 'da39a3ee5e6b4b0d3255bfef95601890afd80709' ) |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1814 |
// sha1('') = da39a3ee5e6b4b0d3255bfef95601890afd80709 |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1815 |
$p = ''; |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1816 |
$e = $db->sql_query('UPDATE ' . table_prefix.'pages SET password=\'' . $p . '\' WHERE urlname=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\';'); |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1817 |
if ( !$e ) |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1818 |
{ |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1819 |
die('PageUtils::setpass(): Error during update query: '.mysql_error()."\n\nSQL Backtrace:\n".$db->sql_backtrace()); |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1820 |
} |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1821 |
// Is the new password blank? |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1822 |
if ( $p == '' ) |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1823 |
{ |
214 | 1824 |
return $lang->get('ajax_password_disable_success'); |
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1825 |
} |
214 | 1826 |
else |
1827 |
{ |
|
1828 |
return $lang->get('ajax_password_success'); |
|
1829 |
} |
|
1 | 1830 |
} |
1831 |
||
1832 |
/** |
|
1833 |
* Generates some preview HTML |
|
1834 |
* @param $text string the wikitext to use |
|
1835 |
* @return string |
|
1836 |
*/ |
|
1837 |
||
1838 |
function genPreview($text) |
|
1839 |
{ |
|
214 | 1840 |
global $lang; |
1841 |
$ret = '<div class="info-box">' . $lang->get('editor_preview_blurb') . '</div><div style="background-color: #F8F8F8; padding: 10px; border: 1px dashed #406080; max-height: 250px; overflow: auto; margin: 1em 0 1em 1em;">'; |
|
102
d807dcd7aed7
[comments] fixed edit button (source wasn't getting filled)
Dan
parents:
81
diff
changeset
|
1842 |
$text = RenderMan::render(RenderMan::preprocess_text($text, false, false)); |
d807dcd7aed7
[comments] fixed edit button (source wasn't getting filled)
Dan
parents:
81
diff
changeset
|
1843 |
ob_start(); |
d807dcd7aed7
[comments] fixed edit button (source wasn't getting filled)
Dan
parents:
81
diff
changeset
|
1844 |
eval('?>' . $text); |
d807dcd7aed7
[comments] fixed edit button (source wasn't getting filled)
Dan
parents:
81
diff
changeset
|
1845 |
$text = ob_get_contents(); |
d807dcd7aed7
[comments] fixed edit button (source wasn't getting filled)
Dan
parents:
81
diff
changeset
|
1846 |
ob_end_clean(); |
d807dcd7aed7
[comments] fixed edit button (source wasn't getting filled)
Dan
parents:
81
diff
changeset
|
1847 |
$ret .= $text; |
d807dcd7aed7
[comments] fixed edit button (source wasn't getting filled)
Dan
parents:
81
diff
changeset
|
1848 |
$ret .= '</div>'; |
d807dcd7aed7
[comments] fixed edit button (source wasn't getting filled)
Dan
parents:
81
diff
changeset
|
1849 |
return $ret; |
1 | 1850 |
} |
1851 |
||
1852 |
/** |
|
1853 |
* Makes a scrollable box |
|
1854 |
* @param string $text the inner HTML |
|
1855 |
* @param int $height Optional - the maximum height. Defaults to 250. |
|
1856 |
* @return string |
|
1857 |
*/ |
|
1858 |
||
1859 |
function scrollBox($text, $height = 250) |
|
1860 |
{ |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1861 |
return '<div style="background-color: #F8F8F8; padding: 10px; border: 1px dashed #406080; max-height: '.(string)intval($height).'px; overflow: auto; margin: 1em 0 1em 1em;">' . $text . '</div>'; |
1 | 1862 |
} |
1863 |
||
1864 |
/** |
|
1865 |
* Generates a diff summary between two page revisions. |
|
1866 |
* @param $page_id the page ID |
|
1867 |
* @param $namespace the namespace |
|
1868 |
* @param $id1 the time ID of the first revision |
|
1869 |
* @param $id2 the time ID of the second revision |
|
1870 |
* @return string XHTML-formatted diff |
|
1871 |
*/ |
|
1872 |
||
1873 |
function pagediff($page_id, $namespace, $id1, $id2) |
|
1874 |
{ |
|
1875 |
global $db, $session, $paths, $template, $plugins; // Common objects |
|
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1876 |
global $lang; |
1 | 1877 |
if(!$session->get_permissions('history_view')) |
214 | 1878 |
return $lang->get('etc_access_denied'); |
1 | 1879 |
if(!preg_match('#^([0-9]+)$#', (string)$id1) || |
1880 |
!preg_match('#^([0-9]+)$#', (string)$id2 )) return 'SQL injection attempt'; |
|
1881 |
// OK we made it through security |
|
1882 |
// Safest way to make sure we don't end up with the revisions in wrong columns is to make 2 queries |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1883 |
if(!$q1 = $db->sql_query('SELECT page_text,char_tag,author,edit_summary FROM ' . table_prefix.'logs WHERE time_id=' . $id1 . ' AND log_type=\'page\' AND action=\'edit\' AND page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\';')) return 'MySQL error: '.mysql_error(); |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1884 |
if(!$q2 = $db->sql_query('SELECT page_text,char_tag,author,edit_summary FROM ' . table_prefix.'logs WHERE time_id=' . $id2 . ' AND log_type=\'page\' AND action=\'edit\' AND page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\';')) return 'MySQL error: '.mysql_error(); |
1 | 1885 |
$row1 = $db->fetchrow($q1); |
1886 |
$db->free_result($q1); |
|
1887 |
$row2 = $db->fetchrow($q2); |
|
1888 |
$db->free_result($q2); |
|
1889 |
if(sizeof($row1) < 1 || sizeof($row2) < 2) return 'Couldn\'t find any rows that matched the query. The time ID probably doesn\'t exist in the logs table.'; |
|
1890 |
$text1 = $row1['page_text']; |
|
1891 |
$text2 = $row2['page_text']; |
|
1892 |
$time1 = date('F d, Y h:i a', $id1); |
|
1893 |
$time2 = date('F d, Y h:i a', $id2); |
|
1894 |
$_ob = " |
|
213
1316404e4ea8
Localized history page and static HTML comment interface
Dan
parents:
204
diff
changeset
|
1895 |
<p>" . $lang->get('history_lbl_comparingrevisions') . " {$time1} → {$time2}</p> |
1 | 1896 |
"; |
1897 |
// Free some memory |
|
1898 |
unset($row1, $row2, $q1, $q2); |
|
1899 |
||
1900 |
$_ob .= RenderMan::diff($text1, $text2); |
|
1901 |
return $_ob; |
|
1902 |
} |
|
1903 |
||
1904 |
/** |
|
1905 |
* Gets ACL information about the selected page for target type X and target ID Y. |
|
1906 |
* @param array $parms What to select. This is an array purely for JSON compatibility. It should be an associative array with keys target_type and target_id. |
|
1907 |
* @return array |
|
1908 |
*/ |
|
1909 |
||
1910 |
function acl_editor($parms = Array()) |
|
1911 |
{ |
|
1912 |
global $db, $session, $paths, $template, $plugins; // Common objects |
|
1913 |
if(!$session->get_permissions('edit_acl') && $session->user_level < USER_LEVEL_ADMIN) |
|
40
723bb7acf914
Fixed a lot of bugs with Safari and Konqueror; improved Opera compatibility
Dan
parents:
39
diff
changeset
|
1914 |
{ |
723bb7acf914
Fixed a lot of bugs with Safari and Konqueror; improved Opera compatibility
Dan
parents:
39
diff
changeset
|
1915 |
return Array( |
723bb7acf914
Fixed a lot of bugs with Safari and Konqueror; improved Opera compatibility
Dan
parents:
39
diff
changeset
|
1916 |
'mode' => 'error', |
723bb7acf914
Fixed a lot of bugs with Safari and Konqueror; improved Opera compatibility
Dan
parents:
39
diff
changeset
|
1917 |
'error' => 'You are not authorized to view or edit access control lists.' |
723bb7acf914
Fixed a lot of bugs with Safari and Konqueror; improved Opera compatibility
Dan
parents:
39
diff
changeset
|
1918 |
); |
723bb7acf914
Fixed a lot of bugs with Safari and Konqueror; improved Opera compatibility
Dan
parents:
39
diff
changeset
|
1919 |
} |
1 | 1920 |
$parms['page_id'] = ( isset($parms['page_id']) ) ? $parms['page_id'] : false; |
1921 |
$parms['namespace'] = ( isset($parms['namespace']) ) ? $parms['namespace'] : false; |
|
1922 |
$page_id =& $parms['page_id']; |
|
1923 |
$namespace =& $parms['namespace']; |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1924 |
$page_where_clause = ( empty($page_id) || empty($namespace) ) ? 'AND a.page_id IS NULL AND a.namespace IS NULL' : 'AND a.page_id=\'' . $db->escape($page_id) . '\' AND a.namespace=\'' . $db->escape($namespace) . '\''; |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1925 |
$page_where_clause_lite = ( empty($page_id) || empty($namespace) ) ? 'AND page_id IS NULL AND namespace IS NULL' : 'AND page_id=\'' . $db->escape($page_id) . '\' AND namespace=\'' . $db->escape($namespace) . '\''; |
1 | 1926 |
//die(print_r($page_id,true)); |
1927 |
$template->load_theme(); |
|
1928 |
// $perms_obj = $session->fetch_page_acl($page_id, $namespace); |
|
1929 |
$perms_obj =& $session; |
|
1930 |
$return = Array(); |
|
1931 |
if ( !file_exists(ENANO_ROOT . '/themes/' . $session->theme . '/acledit.tpl') ) |
|
1932 |
{ |
|
1933 |
return Array( |
|
1934 |
'mode' => 'error', |
|
214 | 1935 |
'error' => 'It seems that (a) the file acledit.tpl is missing from this theme, and (b) the JSON response is working.', |
1 | 1936 |
); |
1937 |
} |
|
1938 |
$return['template'] = $template->extract_vars('acledit.tpl'); |
|
1939 |
$return['page_id'] = $page_id; |
|
1940 |
$return['namespace'] = $namespace; |
|
1941 |
if(isset($parms['mode'])) |
|
1942 |
{ |
|
1943 |
switch($parms['mode']) |
|
1944 |
{ |
|
1945 |
case 'listgroups': |
|
1946 |
$return['groups'] = Array(); |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1947 |
$q = $db->sql_query('SELECT group_id,group_name FROM ' . table_prefix.'groups ORDER BY group_name ASC;'); |
1 | 1948 |
while($row = $db->fetchrow()) |
1949 |
{ |
|
1950 |
$return['groups'][] = Array( |
|
1951 |
'id' => $row['group_id'], |
|
1952 |
'name' => $row['group_name'], |
|
1953 |
); |
|
1954 |
} |
|
1955 |
$db->free_result(); |
|
73
0a74676a2f2f
Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
parents:
57
diff
changeset
|
1956 |
$return['page_groups'] = Array(); |
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1957 |
$q = $db->sql_query('SELECT pg_id,pg_name FROM ' . table_prefix.'page_groups ORDER BY pg_name ASC;'); |
73
0a74676a2f2f
Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
parents:
57
diff
changeset
|
1958 |
if ( !$q ) |
0a74676a2f2f
Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
parents:
57
diff
changeset
|
1959 |
return Array( |
0a74676a2f2f
Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
parents:
57
diff
changeset
|
1960 |
'mode' => 'error', |
0a74676a2f2f
Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
parents:
57
diff
changeset
|
1961 |
'error' => $db->get_error() |
0a74676a2f2f
Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
parents:
57
diff
changeset
|
1962 |
); |
0a74676a2f2f
Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
parents:
57
diff
changeset
|
1963 |
while ( $row = $db->fetchrow() ) |
0a74676a2f2f
Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
parents:
57
diff
changeset
|
1964 |
{ |
0a74676a2f2f
Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
parents:
57
diff
changeset
|
1965 |
$return['page_groups'][] = Array( |
0a74676a2f2f
Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
parents:
57
diff
changeset
|
1966 |
'id' => $row['pg_id'], |
0a74676a2f2f
Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
parents:
57
diff
changeset
|
1967 |
'name' => $row['pg_name'] |
0a74676a2f2f
Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
parents:
57
diff
changeset
|
1968 |
); |
0a74676a2f2f
Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
parents:
57
diff
changeset
|
1969 |
} |
1 | 1970 |
break; |
1971 |
case 'seltarget': |
|
1972 |
$return['mode'] = 'seltarget'; |
|
1973 |
$return['acl_types'] = $perms_obj->acl_types; |
|
1974 |
$return['acl_deps'] = $perms_obj->acl_deps; |
|
1975 |
$return['acl_descs'] = $perms_obj->acl_descs; |
|
1976 |
$return['target_type'] = $parms['target_type']; |
|
1977 |
$return['target_id'] = $parms['target_id']; |
|
1978 |
switch($parms['target_type']) |
|
1979 |
{ |
|
1980 |
case ACL_TYPE_USER: |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1981 |
$q = $db->sql_query('SELECT a.rules,u.user_id FROM ' . table_prefix.'users AS u |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1982 |
LEFT JOIN ' . table_prefix.'acl AS a |
1 | 1983 |
ON a.target_id=u.user_id |
1984 |
WHERE a.target_type='.ACL_TYPE_USER.' |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1985 |
AND u.username=\'' . $db->escape($parms['target_id']) . '\' |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1986 |
' . $page_where_clause . ';'); |
1 | 1987 |
if(!$q) |
1988 |
return(Array('mode'=>'error','error'=>mysql_error())); |
|
1989 |
if($db->numrows() < 1) |
|
1990 |
{ |
|
1991 |
$return['type'] = 'new'; |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
1992 |
$q = $db->sql_query('SELECT user_id FROM ' . table_prefix.'users WHERE username=\'' . $db->escape($parms['target_id']) . '\';'); |
1 | 1993 |
if(!$q) |
1994 |
return(Array('mode'=>'error','error'=>mysql_error())); |
|
1995 |
if($db->numrows() < 1) |
|
1996 |
return Array('mode'=>'error','error'=>'The username you entered was not found.'); |
|
1997 |
$row = $db->fetchrow(); |
|
1998 |
$return['target_name'] = $return['target_id']; |
|
1999 |
$return['target_id'] = intval($row['user_id']); |
|
2000 |
$return['current_perms'] = $session->acl_types; |
|
2001 |
} |
|
2002 |
else |
|
2003 |
{ |
|
2004 |
$return['type'] = 'edit'; |
|
2005 |
$row = $db->fetchrow(); |
|
2006 |
$return['target_name'] = $return['target_id']; |
|
2007 |
$return['target_id'] = intval($row['user_id']); |
|
2008 |
$return['current_perms'] = $session->acl_merge($perms_obj->acl_types, $session->string_to_perm($row['rules'])); |
|
2009 |
} |
|
2010 |
$db->free_result(); |
|
2011 |
// Eliminate types that don't apply to this namespace |
|
73
0a74676a2f2f
Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
parents:
57
diff
changeset
|
2012 |
if ( $namespace && $namespace != '__PageGroup' ) |
1 | 2013 |
{ |
2014 |
foreach ( $return['current_perms'] AS $i => $perm ) |
|
2015 |
{ |
|
2016 |
if ( ( $page_id != null && $namespace != null ) && ( !in_array ( $namespace, $session->acl_scope[$i] ) && !in_array('All', $session->acl_scope[$i]) ) ) |
|
2017 |
{ |
|
2018 |
// echo "// SCOPE CONTROL: eliminating: $i\n"; |
|
2019 |
unset($return['current_perms'][$i]); |
|
2020 |
unset($return['acl_types'][$i]); |
|
2021 |
unset($return['acl_descs'][$i]); |
|
2022 |
unset($return['acl_deps'][$i]); |
|
2023 |
} |
|
2024 |
} |
|
2025 |
} |
|
2026 |
break; |
|
2027 |
case ACL_TYPE_GROUP: |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
2028 |
$q = $db->sql_query('SELECT a.rules,g.group_name,g.group_id FROM ' . table_prefix.'groups AS g |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
2029 |
LEFT JOIN ' . table_prefix.'acl AS a |
1 | 2030 |
ON a.target_id=g.group_id |
2031 |
WHERE a.target_type='.ACL_TYPE_GROUP.' |
|
2032 |
AND g.group_id=\''.intval($parms['target_id']).'\' |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
2033 |
' . $page_where_clause . ';'); |
1 | 2034 |
if(!$q) |
2035 |
return(Array('mode'=>'error','error'=>mysql_error())); |
|
2036 |
if($db->numrows() < 1) |
|
2037 |
{ |
|
2038 |
$return['type'] = 'new'; |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
2039 |
$q = $db->sql_query('SELECT group_id,group_name FROM ' . table_prefix.'groups WHERE group_id=\''.intval($parms['target_id']).'\';'); |
1 | 2040 |
if(!$q) |
2041 |
return(Array('mode'=>'error','error'=>mysql_error())); |
|
2042 |
if($db->numrows() < 1) |
|
2043 |
return Array('mode'=>'error','error'=>'The group ID you submitted is not valid.'); |
|
2044 |
$row = $db->fetchrow(); |
|
2045 |
$return['target_name'] = $row['group_name']; |
|
2046 |
$return['target_id'] = intval($row['group_id']); |
|
2047 |
$return['current_perms'] = $session->acl_types; |
|
2048 |
} |
|
2049 |
else |
|
2050 |
{ |
|
2051 |
$return['type'] = 'edit'; |
|
2052 |
$row = $db->fetchrow(); |
|
2053 |
$return['target_name'] = $row['group_name']; |
|
2054 |
$return['target_id'] = intval($row['group_id']); |
|
2055 |
$return['current_perms'] = $session->acl_merge($session->acl_types, $session->string_to_perm($row['rules'])); |
|
2056 |
} |
|
2057 |
$db->free_result(); |
|
2058 |
// Eliminate types that don't apply to this namespace |
|
73
0a74676a2f2f
Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
parents:
57
diff
changeset
|
2059 |
if ( $namespace && $namespace != '__PageGroup' ) |
1 | 2060 |
{ |
2061 |
foreach ( $return['current_perms'] AS $i => $perm ) |
|
2062 |
{ |
|
2063 |
if ( ( $page_id != false && $namespace != false ) && ( !in_array ( $namespace, $session->acl_scope[$i] ) && !in_array('All', $session->acl_scope[$i]) ) ) |
|
2064 |
{ |
|
2065 |
// echo "// SCOPE CONTROL: eliminating: $i\n"; //; ".print_r($namespace,true).":".print_r($page_id,true)."\n"; |
|
2066 |
unset($return['current_perms'][$i]); |
|
2067 |
unset($return['acl_types'][$i]); |
|
2068 |
unset($return['acl_descs'][$i]); |
|
2069 |
unset($return['acl_deps'][$i]); |
|
2070 |
} |
|
2071 |
} |
|
2072 |
} |
|
2073 |
//return Array('mode'=>'debug','text'=>print_r($return, true)); |
|
2074 |
break; |
|
2075 |
default: |
|
2076 |
return Array('mode'=>'error','error','Invalid ACL type ID'); |
|
2077 |
break; |
|
2078 |
} |
|
2079 |
return $return; |
|
2080 |
break; |
|
2081 |
case 'save_new': |
|
2082 |
case 'save_edit': |
|
19
5d003b6c9e89
Added demo mode functionality to various parts of Enano (unlocked only with a plugin) and fixed groups table
Dan
parents:
16
diff
changeset
|
2083 |
if ( defined('ENANO_DEMO_MODE') ) |
5d003b6c9e89
Added demo mode functionality to various parts of Enano (unlocked only with a plugin) and fixed groups table
Dan
parents:
16
diff
changeset
|
2084 |
{ |
5d003b6c9e89
Added demo mode functionality to various parts of Enano (unlocked only with a plugin) and fixed groups table
Dan
parents:
16
diff
changeset
|
2085 |
return Array('mode'=>'error','error'=>'Editing access control lists is disabled in the administration demo.'); |
5d003b6c9e89
Added demo mode functionality to various parts of Enano (unlocked only with a plugin) and fixed groups table
Dan
parents:
16
diff
changeset
|
2086 |
} |
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
2087 |
$q = $db->sql_query('DELETE FROM ' . table_prefix.'acl WHERE target_type='.intval($parms['target_type']).' AND target_id='.intval($parms['target_id']).' |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
2088 |
' . $page_where_clause_lite . ';'); |
1 | 2089 |
if(!$q) |
2090 |
return Array('mode'=>'error','error'=>mysql_error()); |
|
2091 |
$rules = $session->perm_to_string($parms['perms']); |
|
2092 |
if ( sizeof ( $rules ) < 1 ) |
|
2093 |
{ |
|
2094 |
return array( |
|
2095 |
'mode' => 'error', |
|
2096 |
'error' => 'Supplied rule list has a length of zero' |
|
2097 |
); |
|
2098 |
} |
|
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
2099 |
$q = ($page_id && $namespace) ? 'INSERT INTO ' . table_prefix.'acl ( target_type, target_id, page_id, namespace, rules ) |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
2100 |
VALUES( '.intval($parms['target_type']).', '.intval($parms['target_id']).', \'' . $db->escape($page_id) . '\', \'' . $db->escape($namespace) . '\', \'' . $db->escape($rules) . '\' )' : |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
2101 |
'INSERT INTO ' . table_prefix.'acl ( target_type, target_id, rules ) |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
2102 |
VALUES( '.intval($parms['target_type']).', '.intval($parms['target_id']).', \'' . $db->escape($rules) . '\' )'; |
1 | 2103 |
if(!$db->sql_query($q)) return Array('mode'=>'error','error'=>mysql_error()); |
2104 |
return Array( |
|
2105 |
'mode' => 'success', |
|
2106 |
'target_type' => $parms['target_type'], |
|
2107 |
'target_id' => $parms['target_id'], |
|
2108 |
'target_name' => $parms['target_name'], |
|
2109 |
'page_id' => $page_id, |
|
2110 |
'namespace' => $namespace, |
|
2111 |
); |
|
2112 |
break; |
|
2113 |
case 'delete': |
|
19
5d003b6c9e89
Added demo mode functionality to various parts of Enano (unlocked only with a plugin) and fixed groups table
Dan
parents:
16
diff
changeset
|
2114 |
if ( defined('ENANO_DEMO_MODE') ) |
5d003b6c9e89
Added demo mode functionality to various parts of Enano (unlocked only with a plugin) and fixed groups table
Dan
parents:
16
diff
changeset
|
2115 |
{ |
5d003b6c9e89
Added demo mode functionality to various parts of Enano (unlocked only with a plugin) and fixed groups table
Dan
parents:
16
diff
changeset
|
2116 |
return Array('mode'=>'error','error'=>'Editing access control lists is disabled in the administration demo.'); |
5d003b6c9e89
Added demo mode functionality to various parts of Enano (unlocked only with a plugin) and fixed groups table
Dan
parents:
16
diff
changeset
|
2117 |
} |
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
2118 |
$q = $db->sql_query('DELETE FROM ' . table_prefix.'acl WHERE target_type='.intval($parms['target_type']).' AND target_id='.intval($parms['target_id']).' |
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
2119 |
' . $page_where_clause_lite . ';'); |
1 | 2120 |
if(!$q) |
2121 |
return Array('mode'=>'error','error'=>mysql_error()); |
|
2122 |
return Array( |
|
2123 |
'mode' => 'delete', |
|
2124 |
'target_type' => $parms['target_type'], |
|
2125 |
'target_id' => $parms['target_id'], |
|
2126 |
'target_name' => $parms['target_name'], |
|
2127 |
'page_id' => $page_id, |
|
2128 |
'namespace' => $namespace, |
|
2129 |
); |
|
2130 |
break; |
|
2131 |
default: |
|
2132 |
return Array('mode'=>'error','error'=>'Hacking attempt'); |
|
2133 |
break; |
|
2134 |
} |
|
2135 |
} |
|
2136 |
return $return; |
|
2137 |
} |
|
2138 |
||
2139 |
/** |
|
2140 |
* Same as PageUtils::acl_editor(), but the parms are a JSON string instead of an array. This also returns a JSON string. |
|
2141 |
* @param string $parms Same as PageUtils::acl_editor/$parms, but should be a valid JSON string. |
|
2142 |
* @return string |
|
2143 |
*/ |
|
2144 |
||
2145 |
function acl_json($parms = '{ }') |
|
2146 |
{ |
|
2147 |
global $db, $session, $paths, $template, $plugins; // Common objects |
|
2148 |
$json = new Services_JSON(SERVICES_JSON_LOOSE_TYPE); |
|
2149 |
$parms = $json->decode($parms); |
|
2150 |
$ret = PageUtils::acl_editor($parms); |
|
2151 |
$ret = $json->encode($ret); |
|
2152 |
return $ret; |
|
2153 |
} |
|
2154 |
||
2155 |
/** |
|
2156 |
* A non-Javascript frontend for the ACL API. |
|
2157 |
* @param array The request data, if any, this should be in the format required by PageUtils::acl_editor() |
|
2158 |
*/ |
|
2159 |
||
2160 |
function aclmanager($parms) |
|
2161 |
{ |
|
2162 |
global $db, $session, $paths, $template, $plugins; // Common objects |
|
2163 |
ob_start(); |
|
2164 |
// Convenience |
|
2165 |
$formstart = '<form |
|
2166 |
action="' . makeUrl($paths->page, 'do=aclmanager', true) . '" |
|
2167 |
method="post" enctype="multipart/form-data" |
|
2168 |
onsubmit="if(!submitAuthorized) return false;" |
|
2169 |
>'; |
|
2170 |
$formend = '</form>'; |
|
2171 |
$parms = PageUtils::acl_preprocess($parms); |
|
2172 |
$response = PageUtils::acl_editor($parms); |
|
2173 |
$response = PageUtils::acl_postprocess($response); |
|
2174 |
||
2175 |
//die('<pre>' . htmlspecialchars(print_r($response, true)) . '</pre>'); |
|
2176 |
||
2177 |
switch($response['mode']) |
|
2178 |
{ |
|
2179 |
case 'debug': |
|
2180 |
echo '<pre>' . htmlspecialchars($response['text']) . '</pre>'; |
|
2181 |
break; |
|
2182 |
case 'stage1': |
|
2183 |
echo '<h3>Manage page access</h3> |
|
2184 |
<p>Please select who should be affected by this access rule.</p>'; |
|
2185 |
echo $formstart; |
|
2186 |
echo '<p><label><input type="radio" name="data[target_type]" value="' . ACL_TYPE_GROUP . '" checked="checked" /> A usergroup</label></p> |
|
2187 |
<p><select name="data[target_id_grp]">'; |
|
2188 |
foreach ( $response['groups'] as $group ) |
|
2189 |
{ |
|
2190 |
echo '<option value="' . $group['id'] . '">' . $group['name'] . '</option>'; |
|
2191 |
} |
|
103
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
parents:
102
diff
changeset
|
2192 |
// page group selector |
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
parents:
102
diff
changeset
|
2193 |
$groupsel = ''; |
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
parents:
102
diff
changeset
|
2194 |
if ( count($response['page_groups']) > 0 ) |
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
parents:
102
diff
changeset
|
2195 |
{ |
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
parents:
102
diff
changeset
|
2196 |
$groupsel = '<p><label><input type="radio" name="data[scope]" value="page_group" /> A group of pages</label></p> |
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
parents:
102
diff
changeset
|
2197 |
<p><select name="data[pg_id]">'; |
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
parents:
102
diff
changeset
|
2198 |
foreach ( $response['page_groups'] as $grp ) |
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
parents:
102
diff
changeset
|
2199 |
{ |
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
parents:
102
diff
changeset
|
2200 |
$groupsel .= '<option value="' . $grp['id'] . '">' . htmlspecialchars($grp['name']) . '</option>'; |
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
parents:
102
diff
changeset
|
2201 |
} |
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
parents:
102
diff
changeset
|
2202 |
$groupsel .= '</select></p>'; |
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
parents:
102
diff
changeset
|
2203 |
} |
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
parents:
102
diff
changeset
|
2204 |
|
1 | 2205 |
echo '</select></p> |
2206 |
<p><label><input type="radio" name="data[target_type]" value="' . ACL_TYPE_USER . '" /> A specific user</label></p> |
|
2207 |
<p>' . $template->username_field('data[target_id_user]') . '</p> |
|
2208 |
<p>What should this access rule control?</p> |
|
2209 |
<p><label><input name="data[scope]" value="only_this" type="radio" checked="checked" /> Only this page</p> |
|
103
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
parents:
102
diff
changeset
|
2210 |
' . $groupsel . ' |
1 | 2211 |
<p><label><input name="data[scope]" value="entire_site" type="radio" /> The entire site</p> |
2212 |
<div style="margin: 0 auto 0 0; text-align: right;"> |
|
2213 |
<input name="data[mode]" value="seltarget" type="hidden" /> |
|
2214 |
<input type="hidden" name="data[page_id]" value="' . $paths->cpage['urlname_nons'] . '" /> |
|
2215 |
<input type="hidden" name="data[namespace]" value="' . $paths->namespace . '" /> |
|
2216 |
<input type="submit" value="Next >" /> |
|
2217 |
</div>'; |
|
2218 |
echo $formend; |
|
2219 |
break; |
|
2220 |
case 'success': |
|
2221 |
echo '<div class="info-box"> |
|
2222 |
<b>Permissions updated</b><br /> |
|
2223 |
The permissions for ' . $response['target_name'] . ' on this page have been updated successfully.<br /> |
|
2224 |
' . $formstart . ' |
|
2225 |
<input type="hidden" name="data[mode]" value="seltarget" /> |
|
2226 |
<input type="hidden" name="data[target_type]" value="' . $response['target_type'] . '" /> |
|
2227 |
<input type="hidden" name="data[target_id_user]" value="' . ( ( intval($response['target_type']) == ACL_TYPE_USER ) ? $response['target_name'] : $response['target_id'] ) .'" /> |
|
2228 |
<input type="hidden" name="data[target_id_grp]" value="' . ( ( intval($response['target_type']) == ACL_TYPE_USER ) ? $response['target_name'] : $response['target_id'] ) .'" /> |
|
2229 |
<input type="hidden" name="data[scope]" value="' . ( ( $response['page_id'] ) ? 'only_this' : 'entire_site' ) . '" /> |
|
2230 |
<input type="hidden" name="data[page_id]" value="' . ( ( $response['page_id'] ) ? $response['page_id'] : 'false' ) . '" /> |
|
2231 |
<input type="hidden" name="data[namespace]" value="' . ( ( $response['namespace'] ) ? $response['namespace'] : 'false' ) . '" /> |
|
2232 |
<input type="submit" value="Return to ACL editor" /> <input type="submit" name="data[act_go_stage1]" value="Return to user/scope selection" /> |
|
2233 |
' . $formend . ' |
|
2234 |
</div>'; |
|
2235 |
break; |
|
2236 |
case 'delete': |
|
2237 |
echo '<div class="info-box"> |
|
2238 |
<b>Rule deleted</b><br /> |
|
2239 |
The selected access rule has been successfully deleted.<br /> |
|
2240 |
' . $formstart . ' |
|
2241 |
<input type="hidden" name="data[mode]" value="seltarget" /> |
|
2242 |
<input type="hidden" name="data[target_type]" value="' . $response['target_type'] . '" /> |
|
2243 |
<input type="hidden" name="data[target_id_user]" value="' . ( ( intval($response['target_type']) == ACL_TYPE_USER ) ? $response['target_name'] : $response['target_id'] ) .'" /> |
|
2244 |
<input type="hidden" name="data[target_id_grp]" value="' . ( ( intval($response['target_type']) == ACL_TYPE_USER ) ? $response['target_name'] : $response['target_id'] ) .'" /> |
|
2245 |
<input type="hidden" name="data[scope]" value="' . ( ( $response['page_id'] ) ? 'only_this' : 'entire_site' ) . '" /> |
|
2246 |
<input type="hidden" name="data[page_id]" value="' . ( ( $response['page_id'] ) ? $response['page_id'] : 'false' ) . '" /> |
|
2247 |
<input type="hidden" name="data[namespace]" value="' . ( ( $response['namespace'] ) ? $response['namespace'] : 'false' ) . '" /> |
|
2248 |
<input type="submit" value="Return to ACL editor" /> <input type="submit" name="data[act_go_stage1]" value="Return to user/scope selection" /> |
|
2249 |
' . $formend . ' |
|
2250 |
</div>'; |
|
2251 |
break; |
|
2252 |
case 'seltarget': |
|
2253 |
if ( $response['type'] == 'edit' ) |
|
2254 |
{ |
|
2255 |
echo '<h3>Editing permissions</h3>'; |
|
2256 |
} |
|
2257 |
else |
|
2258 |
{ |
|
2259 |
echo '<h3>Create new rule</h3>'; |
|
2260 |
} |
|
2261 |
$type = ( $response['target_type'] == ACL_TYPE_GROUP ) ? 'group' : 'user'; |
|
103
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
parents:
102
diff
changeset
|
2262 |
$scope = ( $response['page_id'] ) ? ( $response['namespace'] == '__PageGroup' ? 'this group of pages' : 'this page' ) : 'this entire site'; |
194
bf0fdec102e9
SECURITY: Fixed possible SQL injection in PageUtils page protection; general cleanup of PageUtils; blocked using Project: prefix for page URL strings
Dan
parents:
158
diff
changeset
|
2263 |
echo 'This panel allows you to edit what the ' . $type . ' "' . $response['target_name'] . '" can do on <b>' . $scope . '</b>. Unless you set a permission to "Deny", these permissions may be overridden by other rules.'; |
1 | 2264 |
echo $formstart; |
2265 |
$parser = $template->makeParserText( $response['template']['acl_field_begin'] ); |
|
2266 |
echo $parser->run(); |
|
2267 |
$parser = $template->makeParserText( $response['template']['acl_field_item'] ); |
|
2268 |
$cls = 'row2'; |
|
2269 |
foreach ( $response['acl_types'] as $acl_type => $value ) |
|
2270 |
{ |
|
2271 |
$vars = Array( |
|
2272 |
'FIELD_DENY_CHECKED' => '', |
|
2273 |
'FIELD_DISALLOW_CHECKED' => '', |
|
2274 |
'FIELD_WIKIMODE_CHECKED' => '', |
|
2275 |
'FIELD_ALLOW_CHECKED' => '', |
|
2276 |
); |
|
2277 |
$cls = ( $cls == 'row1' ) ? 'row2' : 'row1'; |
|
2278 |
$vars['ROW_CLASS'] = $cls; |
|
2279 |
||
2280 |
switch ( $response['current_perms'][$acl_type] ) |
|
2281 |
{ |
|
2282 |
case AUTH_ALLOW: |
|
2283 |
$vars['FIELD_ALLOW_CHECKED'] = 'checked="checked"'; |
|
2284 |
break; |
|
2285 |
case AUTH_WIKIMODE: |
|
2286 |
$vars['FIELD_WIKIMODE_CHECKED'] = 'checked="checked"'; |
|
2287 |
break; |
|
2288 |
case AUTH_DISALLOW: |
|
2289 |
default: |
|
2290 |
$vars['FIELD_DISALLOW_CHECKED'] = 'checked="checked"'; |
|
2291 |
break; |
|
2292 |
case AUTH_DENY: |
|
2293 |
$vars['FIELD_DENY_CHECKED'] = 'checked="checked"'; |
|
2294 |
break; |
|
2295 |
} |
|
2296 |
$vars['FIELD_NAME'] = 'data[perms][' . $acl_type . ']'; |
|
2297 |
$vars['FIELD_DESC'] = $response['acl_descs'][$acl_type]; |
|
2298 |
$parser->assign_vars($vars); |
|
2299 |
echo $parser->run(); |
|
2300 |
} |
|
2301 |
$parser = $template->makeParserText( $response['template']['acl_field_end'] ); |
|
2302 |
echo $parser->run(); |
|
2303 |
echo '<div style="margin: 10px auto 0 0; text-align: right;"> |
|
2304 |
<input name="data[mode]" value="save_' . $response['type'] . '" type="hidden" /> |
|
2305 |
<input type="hidden" name="data[page_id]" value="' . (( $response['page_id'] ) ? $response['page_id'] : 'false') . '" /> |
|
2306 |
<input type="hidden" name="data[namespace]" value="' . (( $response['namespace'] ) ? $response['namespace'] : 'false') . '" /> |
|
2307 |
<input type="hidden" name="data[target_type]" value="' . $response['target_type'] . '" /> |
|
2308 |
<input type="hidden" name="data[target_id]" value="' . $response['target_id'] . '" /> |
|
2309 |
<input type="hidden" name="data[target_name]" value="' . $response['target_name'] . '" /> |
|
103
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
parents:
102
diff
changeset
|
2310 |
' . ( ( $response['type'] == 'edit' ) ? '<input type="submit" value="Save changes" /> <input type="submit" name="data[act_delete_rule]" value="Delete rule" style="color: #AA0000;" onclick="return confirm(\'Do you really want to delete this ACL rule?\');" />' : '<input type="submit" value="Create rule" />' ) . ' |
1 | 2311 |
</div>'; |
2312 |
echo $formend; |
|
2313 |
break; |
|
2314 |
case 'error': |
|
2315 |
ob_end_clean(); |
|
2316 |
die_friendly('Error occurred', '<p>Error returned by permissions API:</p><pre>' . htmlspecialchars($response['error']) . '</pre>'); |
|
2317 |
break; |
|
2318 |
} |
|
2319 |
$ret = ob_get_contents(); |
|
2320 |
ob_end_clean(); |
|
2321 |
echo |
|
2322 |
$template->getHeader() . |
|
2323 |
$ret . |
|
2324 |
$template->getFooter(); |
|
2325 |
} |
|
2326 |
||
2327 |
/** |
|
2328 |
* Preprocessor to turn the form-submitted data from the ACL editor into something the backend can handle |
|
2329 |
* @param array The posted data |
|
2330 |
* @return array |
|
2331 |
* @access private |
|
2332 |
*/ |
|
2333 |
||
2334 |
function acl_preprocess($parms) |
|
2335 |
{ |
|
2336 |
if ( !isset($parms['mode']) ) |
|
2337 |
// Nothing to do |
|
2338 |
return $parms; |
|
2339 |
switch ( $parms['mode'] ) |
|
2340 |
{ |
|
2341 |
case 'seltarget': |
|
2342 |
||
2343 |
// Who's affected? |
|
2344 |
$parms['target_type'] = intval( $parms['target_type'] ); |
|
2345 |
$parms['target_id'] = ( $parms['target_type'] == ACL_TYPE_GROUP ) ? $parms['target_id_grp'] : $parms['target_id_user']; |
|
2346 |
||
2347 |
case 'save_edit': |
|
2348 |
case 'save_new': |
|
2349 |
if ( isset($parms['act_delete_rule']) ) |
|
2350 |
{ |
|
2351 |
$parms['mode'] = 'delete'; |
|
2352 |
} |
|
2353 |
||
2354 |
// Scope (just this page or entire site?) |
|
2355 |
if ( $parms['scope'] == 'entire_site' || ( $parms['page_id'] == 'false' && $parms['namespace'] == 'false' ) ) |
|
2356 |
{ |
|
2357 |
$parms['page_id'] = false; |
|
2358 |
$parms['namespace'] = false; |
|
2359 |
} |
|
103
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
parents:
102
diff
changeset
|
2360 |
else if ( $parms['scope'] == 'page_group' ) |
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
parents:
102
diff
changeset
|
2361 |
{ |
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
parents:
102
diff
changeset
|
2362 |
$parms['page_id'] = $parms['pg_id']; |
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
parents:
102
diff
changeset
|
2363 |
$parms['namespace'] = '__PageGroup'; |
a8891e108c95
Several major improvements: Memberlist page added (planned since about beta 2), page group support added for non-JS ACL editor (oops!), and attempting to view a page for which you lack read permissions will get you logged.
Dan
parents:
102
diff
changeset
|
2364 |
} |
1 | 2365 |
|
2366 |
break; |
|
2367 |
} |
|
2368 |
||
2369 |
if ( isset($parms['act_go_stage1']) ) |
|
2370 |
{ |
|
2371 |
$parms = array( |
|
2372 |
'mode' => 'listgroups' |
|
2373 |
); |
|
2374 |
} |
|
2375 |
||
2376 |
return $parms; |
|
2377 |
} |
|
2378 |
||
2379 |
function acl_postprocess($response) |
|
2380 |
{ |
|
2381 |
if(!isset($response['mode'])) |
|
2382 |
{ |
|
2383 |
if ( isset($response['groups']) ) |
|
2384 |
$response['mode'] = 'stage1'; |
|
2385 |
else |
|
2386 |
$response = Array( |
|
2387 |
'mode' => 'error', |
|
2388 |
'error' => 'Invalid action passed by API backend.', |
|
2389 |
); |
|
2390 |
} |
|
2391 |
return $response; |
|
2392 |
} |
|
2393 |
||
2394 |
} |
|
2395 |
||
2396 |
?> |