diff options
| author | plegall <plg@piwigo.org> | 2010-03-19 22:25:39 +0000 |
|---|---|---|
| committer | plegall <plg@piwigo.org> | 2010-03-19 22:25:39 +0000 |
| commit | c695136e4d75695178a9fc848a7cf6bfa2b9346c (patch) | |
| tree | efba21de4995d7bd6b2f792e6d118a8e6e6bd405 /comments.php | |
| parent | ff7e537e2b4bceaef241096a377d12af4b917c43 (diff) | |
bug 1328: backport the pwg_token on trunk
bug 1329: backport the check_input_parameter on trunk
feature 1026: add pwg_token feature for edit/delete comment. Heavy refactoring
on this feature to make the code simpler and easier to maintain (I hope).
git-svn-id: http://piwigo.org/svn/trunk@5195 68402e56-0260-453c-a942-63ccdbb3a9ee
Diffstat (limited to 'comments.php')
| -rw-r--r-- | comments.php | 196 |
1 files changed, 134 insertions, 62 deletions
diff --git a/comments.php b/comments.php index c020a84ce..8127bd191 100644 --- a/comments.php +++ b/comments.php @@ -116,6 +116,26 @@ if (!empty($_GET['author'])) OR author = \''.$_GET['author'].'\''; } +// search a specific comment (if you're coming directly from an admin +// notification email) +if (!empty($_GET['comment_id'])) +{ + check_input_parameter('comment_id', $_GET, false, PATTERN_ID); + + // currently, the $_GET['comment_id'] is only used by admins from email + // for management purpose (validate/delete) + if (!is_admin()) + { + $login_url = + get_root_url().'identification.php?redirect=' + .urlencode(urlencode($_SERVER['REQUEST_URI'])) + ; + redirect($login_url); + } + + $page['where_clauses'][] = 'com.id = '.$_GET['comment_id']; +} + // search a substring among comments content if (!empty($_GET['keyword'])) { @@ -155,41 +175,74 @@ $page['where_clauses'][] = get_sql_condition_FandF // +-----------------------------------------------------------------------+ // | comments management | // +-----------------------------------------------------------------------+ -if (isset($_GET['delete']) and is_numeric($_GET['delete']) - and (is_admin() || $conf['user_can_delete_comment'])) -{// comments deletion - delete_user_comment($_GET['delete']); -} -if (isset($_GET['validate']) and is_numeric($_GET['validate']) - and !is_adviser() ) -{ // comments validation - check_status(ACCESS_ADMINISTRATOR); - $query = ' -UPDATE '.COMMENTS_TABLE.' - SET validated = \'true\' - , validation_date = NOW() - WHERE id='.$_GET['validate'].' -;'; - pwg_query($query); -} +$comment_id = null; +$action = null; -if (isset($_GET['edit']) and is_numeric($_GET['edit']) - and (is_admin() || $conf['user_can_edit_comment'])) +$actions = array('delete', 'validate', 'edit'); +foreach ($actions as $loop_action) { - if (!empty($_POST['content'])) + if (isset($_GET[$loop_action])) { - update_user_comment(array('comment_id' => $_GET['edit'], - 'image_id' => $_POST['image_id'], - 'content' => $_POST['content']), - $_POST['key'] - ); - - $edit_comment = null; + $action = $loop_action; + check_input_parameter($action, $_GET, false, PATTERN_ID); + $comment_id = $_GET[$action]; + break; } - else +} + +if (isset($action)) +{ + check_pwg_token(); + + $comment_author_id = get_comment_author_id($comment_id); + + if (can_manage_comment($action, $comment_author_id)) { - $edit_comment = $_GET['edit']; + $perform_redirect = false; + + if ('delete' == $action) + { + delete_user_comment($comment_id); + $perform_redirect = true; + } + + if ('validate' == $action) + { + validate_user_comment($comment_id); + $perform_redirect = true; + } + + if ('edit' == $action) + { + if (!empty($_POST['content'])) + { + update_user_comment( + array( + 'comment_id' => $_GET['edit'], + 'image_id' => $_POST['image_id'], + 'content' => $_POST['content'] + ), + $_POST['key'] + ); + + $edit_comment = null; + } + else + { + $edit_comment = $_GET['edit']; + } + } + + if ($perform_redirect) + { + $redirect_url = + PHPWG_ROOT_PATH + .'comments.php' + .get_query_string_diff(array('delete','validate','pwg_token')); + + redirect($redirect_url); + } } } @@ -287,7 +340,7 @@ list($counter) = pwg_db_fetch_row(pwg_query($query)); $url = PHPWG_ROOT_PATH .'comments.php' - .get_query_string_diff(array('start','delete','validate')); + .get_query_string_diff(array('start','delete','validate','pwg_token')); $navbar = create_navigation_bar($url, $counter, @@ -378,40 +431,53 @@ SELECT id, name, permalink, uppercats // link to the full size picture $url = make_picture_url( - array( - 'category' => $categories[ $comment['category_id'] ], - 'image_id' => $comment['image_id'], - 'image_file' => $elements[$comment['image_id']]['file'], - ) - ); - - $tpl_comment = array( - 'U_PICTURE' => $url, - 'TN_SRC' => $thumbnail_src, - 'ALT' => $name, - 'AUTHOR' => trigger_event('render_comment_author', $comment['author']), - 'DATE'=>format_date($comment['date'], true), - 'CONTENT'=>trigger_event('render_comment_content',$comment['content']), - ); + 'category' => $categories[ $comment['category_id'] ], + 'image_id' => $comment['image_id'], + 'image_file' => $elements[$comment['image_id']]['file'], + ) + ); + + $tpl_comment = array( + 'U_PICTURE' => $url, + 'TN_SRC' => $thumbnail_src, + 'ALT' => $name, + 'AUTHOR' => trigger_event('render_comment_author', $comment['author']), + 'DATE'=>format_date($comment['date'], true), + 'CONTENT'=>trigger_event('render_comment_content',$comment['content']), + ); if (can_manage_comment('delete', $comment['author_id'])) { - $url = get_root_url().'comments.php' - .get_query_string_diff(array('delete','validate','edit')); - $tpl_comment['U_DELETE'] = - add_url_params($url, - array('delete'=>$comment['comment_id']) - ); + $url = + get_root_url() + .'comments.php' + .get_query_string_diff(array('delete','validate','edit', 'pwg_token')); + + $tpl_comment['U_DELETE'] = add_url_params( + $url, + array( + 'delete' => $comment['comment_id'], + 'pwg_token' => get_pwg_token(), + ) + ); } + if (can_manage_comment('edit', $comment['author_id'])) { - $url = get_root_url().'comments.php' - .get_query_string_diff(array('edit', 'delete','validate')); - $tpl_comment['U_EDIT'] = - add_url_params($url, - array('edit'=>$comment['comment_id']) - ); + $url = + get_root_url() + .'comments.php' + .get_query_string_diff(array('edit', 'delete','validate', 'pwg_token')); + + $tpl_comment['U_EDIT'] = add_url_params( + $url, + array( + 'edit' => $comment['comment_id'], + 'pwg_token' => get_pwg_token(), + ) + ); + if (isset($edit_comment) and ($comment['comment_id'] == $edit_comment)) { $tpl_comment['IN_EDIT'] = true; @@ -422,12 +488,18 @@ SELECT id, name, permalink, uppercats } } - if ( is_admin() && $comment['validated'] != 'true') + if (can_manage_comment('validate', $comment['author_id'])) { - $tpl_comment['U_VALIDATE'] = - add_url_params($url, - array('validate'=>$comment['comment_id']) - ); + if ('true' != $comment['validated']) + { + $tpl_comment['U_VALIDATE'] = add_url_params( + $url, + array( + 'validate'=> $comment['comment_id'], + 'pwg_token' => get_pwg_token(), + ) + ); + } } $template->append('comments', $tpl_comment); } |