diff options
| author | nikrou <nikrou@piwigo.org> | 2009-06-23 21:18:16 +0000 |
|---|---|---|
| committer | nikrou <nikrou@piwigo.org> | 2009-06-23 21:18:16 +0000 |
| commit | 64c872a83e726ec4d298be479b57dae13fb2c0c6 (patch) | |
| tree | 6478da0a8067f078905038c312767690b440487c | |
| parent | 1ce50505e4b9a6b533146e70902a7e426fd872a7 (diff) | |
Feature 1026 step 2 :
add author_id column so that guest cannot modify old users comments
git-svn-id: http://piwigo.org/svn/trunk@3450 68402e56-0260-453c-a942-63ccdbb3a9ee
| -rw-r--r-- | admin/comments.php | 14 | ||||
| -rw-r--r-- | comments.php | 31 | ||||
| -rw-r--r-- | include/functions_comment.inc.php | 42 | ||||
| -rw-r--r-- | include/functions_user.inc.php | 5 | ||||
| -rw-r--r-- | include/picture_comment.inc.php | 28 | ||||
| -rw-r--r-- | install/db/82-database.php | 44 |
6 files changed, 127 insertions, 37 deletions
diff --git a/admin/comments.php b/admin/comments.php index bbd616982..d62b4aca3 100644 --- a/admin/comments.php +++ b/admin/comments.php @@ -134,10 +134,12 @@ $template->assign( $list = array(); $query = ' -SELECT c.id, c.image_id, c.date, c.author, c.content, i.path, i.tn_ext +SELECT c.id, c.image_id, c.date, c.author, u.username, c.content, i.path, i.tn_ext FROM '.COMMENTS_TABLE.' AS c INNER JOIN '.IMAGES_TABLE.' AS i ON i.id = c.image_id + LEFT JOIN '.USERS_TABLE.' AS u + ON u.id = c.author_id WHERE validated = \'false\' ORDER BY c.date DESC ;'; @@ -151,6 +153,14 @@ while ($row = mysql_fetch_assoc($result)) 'tn_ext'=>@$row['tn_ext'] ) ); + if (empty($row['author_id'])) + { + $author_name = $row['author']; + } + else + { + $author_name = $row['username']; + } $template->append( 'comments', array( @@ -159,7 +169,7 @@ while ($row = mysql_fetch_assoc($result)) '&image_id='.$row['image_id'], 'ID' => $row['id'], 'TN_SRC' => $thumb, - 'AUTHOR' => trigger_event('render_comment_author', $row['author']), + 'AUTHOR' => trigger_event('render_comment_author', $author_name), 'DATE' => format_date($row['date'], true), 'CONTENT' => trigger_event('render_comment_content',$row['content']) ) diff --git a/comments.php b/comments.php index 048e8d692..f5147e1b4 100644 --- a/comments.php +++ b/comments.php @@ -100,7 +100,9 @@ if (isset($_GET['cat']) and 0 != $_GET['cat']) // search a particular author if (isset($_GET['author']) and !empty($_GET['author'])) { - $page['where_clauses'][] = 'com.author = \''.$_GET['author'].'\''; + $page['where_clauses'][] = + 'u.username = \''.addslashes($_GET['author']).'\' + OR author = \''.addslashes($_GET['author']).'\''; } // search a substring among comments content @@ -261,10 +263,12 @@ else } $query = ' -SELECT COUNT(DISTINCT(id)) +SELECT COUNT(DISTINCT(com.id)) FROM '.IMAGE_CATEGORY_TABLE.' AS ic INNER JOIN '.COMMENTS_TABLE.' AS com ON ic.image_id = com.image_id + LEFT JOIN '.USERS_TABLE.' As u + ON u.id = com.author_id WHERE '.implode(' AND ', $page['where_clauses']).' ;'; @@ -295,12 +299,16 @@ SELECT com.id AS comment_id , com.image_id , ic.category_id , com.author + , com.author_id + , username , com.date , com.content , com.validated FROM '.IMAGE_CATEGORY_TABLE.' AS ic - INNER JOIN '.COMMENTS_TABLE.' AS com + INNER JOIN '.COMMENTS_TABLE.' AS com ON ic.image_id = com.image_id + LEFT JOIN '.USERS_TABLE.' AS u + ON u.id = com.author_id WHERE '.implode(' AND ', $page['where_clauses']).' GROUP BY comment_id @@ -366,10 +374,17 @@ SELECT id, name, permalink, uppercats ) ); - $author = $comment['author']; - if (empty($comment['author'])) + if (!empty($comment['author'])) + { + $author = $comment['author']; + if ($author == 'guest') + { + $author = l10n('guest'); + } + } + else { - $author = l10n('guest'); + $author = $comment['username']; } $tpl_comment = @@ -382,7 +397,7 @@ SELECT id, name, permalink, uppercats 'CONTENT'=>trigger_event('render_comment_content',$comment['content']), ); - if (can_manage_comment('delete', $comment['author'])) + if (can_manage_comment('delete', $comment['author_id'])) { $url = get_root_url().'comments.php' .get_query_string_diff(array('delete','validate','edit')); @@ -391,7 +406,7 @@ SELECT id, name, permalink, uppercats array('delete'=>$comment['comment_id']) ); } - if (can_manage_comment('edit', $comment['author'])) + if (can_manage_comment('edit', $comment['author_id'])) { $url = get_root_url().'comments.php' .get_query_string_diff(array('edit', 'delete','validate')); diff --git a/include/functions_comment.inc.php b/include/functions_comment.inc.php index fb421d39b..9b1d323a1 100644 --- a/include/functions_comment.inc.php +++ b/include/functions_comment.inc.php @@ -91,6 +91,7 @@ function insert_user_comment( &$comm, $key, &$infos ) { $comm['author'] = 'guest'; } + $comm['author_id'] = $conf['guest_id']; // if a guest try to use the name of an already existing user, he must be // rejected if ( $comm['author'] != 'guest' ) @@ -109,8 +110,10 @@ SELECT COUNT(*) AS user_exists } else { - $comm['author'] = $user['username']; + $comm['author'] = ''; + $comm['author_id'] = $user['id']; } + if ( empty($comm['content']) ) { // empty comment content $comment_action='reject'; @@ -134,7 +137,7 @@ SELECT COUNT(*) AS user_exists $query = ' SELECT id FROM '.COMMENTS_TABLE.' WHERE date > FROM_UNIXTIME('.$reference_date.') - AND author = "'.addslashes($comm['author']).'"'; + AND author_id = '.$comm['author_id']; if ( mysql_num_rows( pwg_query( $query ) ) > 0 ) { array_push( $infos, l10n('comment_anti-flood') ); @@ -151,9 +154,10 @@ SELECT id FROM '.COMMENTS_TABLE.' { $query = ' INSERT INTO '.COMMENTS_TABLE.' - (author, content, date, validated, validation_date, image_id) + (author, author_id, content, date, validated, validation_date, image_id) VALUES ( "'.addslashes($comm['author']).'", + '.$comm['author_id'].', "'.addslashes($comm['content']).'", NOW(), "'.($comment_action=='validate' ? 'true':'false').'", @@ -166,21 +170,25 @@ INSERT INTO '.COMMENTS_TABLE.' $comm['id'] = mysql_insert_id(); - if - ( - ($comment_action=='validate' and $conf['email_admin_on_comment']) - or - ($comment_action!='validate' and $conf['email_admin_on_comment_validation']) - ) + if (($comment_action=='validate' and $conf['email_admin_on_comment']) or + ($comment_action!='validate' + and $conf['email_admin_on_comment_validation'])) { include_once(PHPWG_ROOT_PATH.'include/functions_mail.inc.php'); - $del_url = - get_absolute_root_url().'comments.php?delete='.$comm['id']; + $del_url = get_absolute_root_url().'comments.php?delete='.$comm['id']; + if (empty($comm['author'])) + { + $author_name = $user['username']; + } + else + { + $author_name = $comm['author']; + } $keyargs_content = array ( - get_l10n_args('Author: %s', $comm['author']), + get_l10n_args('Author: %s', $author_name), get_l10n_args('Comment: %s', $comm['content']), get_l10n_args('', ''), get_l10n_args('Delete: %s', $del_url) @@ -197,7 +205,7 @@ INSERT INTO '.COMMENTS_TABLE.' pwg_mail_notification_admins ( - get_l10n_args('Comment by %s', $comm['author']), + get_l10n_args('Comment by %s', $author_name), $keyargs_content ); } @@ -218,7 +226,7 @@ function delete_user_comment($comment_id) { $user_where_clause = ''; if (!is_admin()) { - $user_where_clause = ' AND author = \''.$GLOBALS['user']['username'].'\''; + $user_where_clause = ' AND author_id = \''.$GLOBALS['user']['id'].'\''; } $query = ' DELETE FROM '.COMMENTS_TABLE.' @@ -264,7 +272,7 @@ function update_user_comment($comment, $post_key) { $query = ' SELECT id FROM '.COMMENTS_TABLE.' WHERE date > FROM_UNIXTIME('.$reference_date.') - AND author = "'.$GLOBALS['user']['username'].'"'; + AND author_id = '.$comm['author_id']; if ( mysql_num_rows( pwg_query( $query ) ) > 0 ) { array_push( $infos, l10n('comment_anti-flood') ); @@ -286,8 +294,8 @@ SELECT id FROM '.COMMENTS_TABLE.' $user_where_clause = ''; if (!is_admin()) { - $user_where_clause = ' AND author = \''. - $GLOBALS['user']['username'].'\''; + $user_where_clause = ' AND author_id = \''. + $GLOBALS['user']['id'].'\''; } $query = ' UPDATE '.COMMENTS_TABLE.' diff --git a/include/functions_user.inc.php b/include/functions_user.inc.php index d7aa81f24..02c1e7e13 100644 --- a/include/functions_user.inc.php +++ b/include/functions_user.inc.php @@ -1202,13 +1202,14 @@ function is_adviser() * @param action edit/delete * @return bool */ -function can_manage_comment($action, $comment_author) +function can_manage_comment($action, $comment_author_id) { if (!in_array($action, array('delete','edit'))) { return false; } return (is_admin() || - (($GLOBALS['user']['username'] == $comment_author) + (($GLOBALS['user']['id'] == $comment_author_id) + && !is_a_guest() && $GLOBALS['conf'][sprintf('user_can_%s_comment', $action)])); } diff --git a/include/picture_comment.inc.php b/include/picture_comment.inc.php index 1e30fa2d9..8845ee47a 100644 --- a/include/picture_comment.inc.php +++ b/include/picture_comment.inc.php @@ -128,8 +128,10 @@ SELECT COUNT(*) AS nb_comments } $query = ' -SELECT id,author,date,image_id,content,validated - FROM '.COMMENTS_TABLE.' +SELECT com.id,author,author_id,username,date,image_id,content,validated + FROM '.COMMENTS_TABLE.' AS com + LEFT JOIN '.USERS_TABLE.' AS u + ON u.id = author_id WHERE image_id = '.$page['image_id']. $validated_clause.' ORDER BY date ASC @@ -139,19 +141,29 @@ $validated_clause.' while ($row = mysql_fetch_array($result)) { + if (!empty($row['author'])) + { + $author = $row['author']; + if ($author == 'guest') + { + $author = l10n('guest'); + } + } + else + { + $author = $row['username']; + } + $tpl_comment = array( - 'AUTHOR' => trigger_event('render_comment_author', - empty($row['author']) - ? l10n('guest') - : $row['author']), + 'AUTHOR' => trigger_event('render_comment_author', $author), 'DATE' => format_date( $row['date'], true), 'CONTENT' => trigger_event('render_comment_content',$row['content']), ); - if (can_manage_comment('delete', $row['author'])) + if (can_manage_comment('delete', $row['author_id'])) { $tpl_comment['U_DELETE'] = add_url_params($url_self, @@ -161,7 +173,7 @@ $validated_clause.' ) ); } - if (can_manage_comment('edit', $row['author'])) + if (can_manage_comment('edit', $row['author_id'])) { $tpl_comment['U_EDIT'] = add_url_params($url_self, diff --git a/install/db/82-database.php b/install/db/82-database.php new file mode 100644 index 000000000..5a3302184 --- /dev/null +++ b/install/db/82-database.php @@ -0,0 +1,44 @@ +<?php +// +-----------------------------------------------------------------------+ +// | Piwigo - a PHP based picture gallery | +// +-----------------------------------------------------------------------+ +// | Copyright(C) 2008-2009 Piwigo Team http://piwigo.org | +// | Copyright(C) 2003-2008 PhpWebGallery Team http://phpwebgallery.net | +// | Copyright(C) 2002-2003 Pierrick LE GALL http://le-gall.net/pierrick | +// +-----------------------------------------------------------------------+ +// | This program is free software; you can redistribute it and/or modify | +// | it under the terms of the GNU General Public License as published by | +// | the Free Software Foundation | +// | | +// | This program is distributed in the hope that it will be useful, but | +// | WITHOUT ANY WARRANTY; without even the implied warranty of | +// | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | +// | General Public License for more details. | +// | | +// | You should have received a copy of the GNU General Public License | +// | along with this program; if not, write to the Free Software | +// | Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, | +// | USA. | +// +-----------------------------------------------------------------------+ + +if (!defined('PHPWG_ROOT_PATH')) +{ + die('Hacking attempt!'); +} + +$upgrade_description = 'add new column to save author_id. +Guest users names are saved in author column'; + +$query = ' +ALTER TABLE '.PREFIX_TABLE.'comments + ADD COLUMN author_id smallint(5) DEFAULT NULL +;'; + +pwg_query($query); + +echo +"\n" +. $upgrade_description +."\n" +; +?> |