Feature 1026 step 2 :

add author_id column so that guest cannot modify old users comments git-svn-id: http://piwigo.org/svn/trunk@3450 68402e56-0260-453c-a942-63ccdbb3a9ee
author: nikrou <nikrou@piwigo.org> 2009-06-23 21:18:16 +0000
committer: nikrou <nikrou@piwigo.org> 2009-06-23 21:18:16 +0000
commit: 64c872a83e726ec4d298be479b57dae13fb2c0c6 (patch)
tree: 6478da0a8067f078905038c312767690b440487c /include
parent: 1ce50505e4b9a6b533146e70902a7e426fd872a7 (diff)
3 files changed, 48 insertions, 27 deletions
diff --git a/include/functions_comment.inc.php b/include/functions_comment.inc.php
index fb421d39b..9b1d323a1 100644
--- a/include/functions_comment.inc.php
+++ b/include/functions_comment.inc.php
@@ -91,6 +91,7 @@ function insert_user_comment( &$comm, $key, &$infos )
     {
       $comm['author'] = 'guest';
     }
+    $comm['author_id'] = $conf['guest_id'];
     // if a guest try to use the name of an already existing user, he must be
     // rejected
     if ( $comm['author'] != 'guest' )
@@ -109,8 +110,10 @@ SELECT COUNT(*) AS user_exists
   }
   else
   {
-    $comm['author'] = $user['username'];
+    $comm['author'] = '';
+    $comm['author_id'] = $user['id'];
   }
+
   if ( empty($comm['content']) )
   { // empty comment content
     $comment_action='reject';
@@ -134,7 +137,7 @@ SELECT COUNT(*) AS user_exists
     $query = '
 SELECT id FROM '.COMMENTS_TABLE.'
   WHERE date > FROM_UNIXTIME('.$reference_date.')
-    AND author = "'.addslashes($comm['author']).'"';
+    AND author_id = '.$comm['author_id'];
     if ( mysql_num_rows( pwg_query( $query ) ) > 0 )
     {
       array_push( $infos, l10n('comment_anti-flood') );
@@ -151,9 +154,10 @@ SELECT id FROM '.COMMENTS_TABLE.'
   {
     $query = '
 INSERT INTO '.COMMENTS_TABLE.'
-  (author, content, date, validated, validation_date, image_id)
+  (author, author_id, content, date, validated, validation_date, image_id)
   VALUES (
     "'.addslashes($comm['author']).'",
+    '.$comm['author_id'].',
     "'.addslashes($comm['content']).'",
     NOW(),
     "'.($comment_action=='validate' ? 'true':'false').'",
@@ -166,21 +170,25 @@ INSERT INTO '.COMMENTS_TABLE.'
 
     $comm['id'] = mysql_insert_id();
 
-    if
-      (
-        ($comment_action=='validate' and $conf['email_admin_on_comment'])
-        or
-        ($comment_action!='validate' and $conf['email_admin_on_comment_validation'])
-      )
+    if (($comment_action=='validate' and $conf['email_admin_on_comment']) or
+	($comment_action!='validate' 
+	 and $conf['email_admin_on_comment_validation']))
     {
       include_once(PHPWG_ROOT_PATH.'include/functions_mail.inc.php');
 
-      $del_url =
-          get_absolute_root_url().'comments.php?delete='.$comm['id'];
+      $del_url = get_absolute_root_url().'comments.php?delete='.$comm['id'];
 
+      if (empty($comm['author'])) 
+      {
+	$author_name = $user['username'];
+      }
+      else
+      {
+	$author_name = $comm['author'];
+      }
       $keyargs_content = array
       (
-        get_l10n_args('Author: %s', $comm['author']),
+        get_l10n_args('Author: %s', $author_name),
         get_l10n_args('Comment: %s', $comm['content']),
         get_l10n_args('', ''),
         get_l10n_args('Delete: %s', $del_url)
@@ -197,7 +205,7 @@ INSERT INTO '.COMMENTS_TABLE.'
 
       pwg_mail_notification_admins
       (
-        get_l10n_args('Comment by %s', $comm['author']),
+        get_l10n_args('Comment by %s', $author_name),
         $keyargs_content
       );
     }
@@ -218,7 +226,7 @@ function delete_user_comment($comment_id) {
   $user_where_clause = '';
   if (!is_admin())
   {
-    $user_where_clause = '   AND author = \''.$GLOBALS['user']['username'].'\'';
+    $user_where_clause = '   AND author_id = \''.$GLOBALS['user']['id'].'\'';
   }
   $query = '
 DELETE FROM '.COMMENTS_TABLE.'
@@ -264,7 +272,7 @@ function update_user_comment($comment, $post_key) {
     $query = '
 SELECT id FROM '.COMMENTS_TABLE.'
   WHERE date > FROM_UNIXTIME('.$reference_date.')
-    AND author = "'.$GLOBALS['user']['username'].'"';
+    AND author_id = '.$comm['author_id'];
     if ( mysql_num_rows( pwg_query( $query ) ) > 0 )
     {
       array_push( $infos, l10n('comment_anti-flood') );
@@ -286,8 +294,8 @@ SELECT id FROM '.COMMENTS_TABLE.'
     $user_where_clause = '';
     if (!is_admin())
     {
-      $user_where_clause = '   AND author = \''.
-	$GLOBALS['user']['username'].'\'';
+      $user_where_clause = '   AND author_id = \''.
+	$GLOBALS['user']['id'].'\'';
     }
     $query = '
 UPDATE '.COMMENTS_TABLE.'
diff --git a/include/functions_user.inc.php b/include/functions_user.inc.php
index d7aa81f24..02c1e7e13 100644
--- a/include/functions_user.inc.php
+++ b/include/functions_user.inc.php
@@ -1202,13 +1202,14 @@ function is_adviser()
  * @param action edit/delete
  * @return bool
  */
-function can_manage_comment($action, $comment_author) 
+function can_manage_comment($action, $comment_author_id) 
 {
   if (!in_array($action, array('delete','edit'))) {
     return false;
   }
   return (is_admin() || 
-	  (($GLOBALS['user']['username'] == $comment_author) 
+	  (($GLOBALS['user']['id'] == $comment_author_id) 
+	   && !is_a_guest()
 	   && $GLOBALS['conf'][sprintf('user_can_%s_comment', $action)]));
 }
 
diff --git a/include/picture_comment.inc.php b/include/picture_comment.inc.php
index 1e30fa2d9..8845ee47a 100644
--- a/include/picture_comment.inc.php
+++ b/include/picture_comment.inc.php
@@ -128,8 +128,10 @@ SELECT COUNT(*) AS nb_comments
     }
 
     $query = '
-SELECT id,author,date,image_id,content,validated
-  FROM '.COMMENTS_TABLE.'
+SELECT com.id,author,author_id,username,date,image_id,content,validated
+  FROM '.COMMENTS_TABLE.' AS com
+  LEFT JOIN '.USERS_TABLE.' AS u
+    ON u.id = author_id
   WHERE image_id = '.$page['image_id'].
 $validated_clause.'
   ORDER BY date ASC
@@ -139,19 +141,29 @@ $validated_clause.'
 
     while ($row = mysql_fetch_array($result))
     {
+      if (!empty($row['author'])) 
+      {
+	$author = $row['author'];
+	if ($author == 'guest')
+	{
+	  $author = l10n('guest');
+	}
+      }
+      else
+      {
+	$author = $row['username'];
+      }
+
       $tpl_comment =
         array(
-          'AUTHOR' => trigger_event('render_comment_author',
-            empty($row['author'])
-            ? l10n('guest')
-            : $row['author']),
+          'AUTHOR' => trigger_event('render_comment_author', $author),
 
           'DATE' => format_date( $row['date'], true),
 
           'CONTENT' => trigger_event('render_comment_content',$row['content']),
         );
 
-      if (can_manage_comment('delete', $row['author']))
+      if (can_manage_comment('delete', $row['author_id']))
       {
         $tpl_comment['U_DELETE'] =
 	  add_url_params($url_self,
@@ -161,7 +173,7 @@ $validated_clause.'
 			       )
 			 );
       }
-      if (can_manage_comment('edit', $row['author']))
+      if (can_manage_comment('edit', $row['author_id']))
       {
 	$tpl_comment['U_EDIT'] =
 	  add_url_params($url_self,
author	nikrou <nikrou@piwigo.org>	2009-06-23 21:18:16 +0000
committer	nikrou <nikrou@piwigo.org>	2009-06-23 21:18:16 +0000
commit	64c872a83e726ec4d298be479b57dae13fb2c0c6 (patch)
tree	6478da0a8067f078905038c312767690b440487c /include
parent	1ce50505e4b9a6b533146e70902a7e426fd872a7 (diff)