aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authornikrou <nikrou@piwigo.org>2009-06-23 21:18:16 +0000
committernikrou <nikrou@piwigo.org>2009-06-23 21:18:16 +0000
commit64c872a83e726ec4d298be479b57dae13fb2c0c6 (patch)
tree6478da0a8067f078905038c312767690b440487c
parent1ce50505e4b9a6b533146e70902a7e426fd872a7 (diff)
Feature 1026 step 2 :
add author_id column so that guest cannot modify old users comments git-svn-id: http://piwigo.org/svn/trunk@3450 68402e56-0260-453c-a942-63ccdbb3a9ee
-rw-r--r--admin/comments.php14
-rw-r--r--comments.php31
-rw-r--r--include/functions_comment.inc.php42
-rw-r--r--include/functions_user.inc.php5
-rw-r--r--include/picture_comment.inc.php28
-rw-r--r--install/db/82-database.php44
6 files changed, 127 insertions, 37 deletions
diff --git a/admin/comments.php b/admin/comments.php
index bbd616982..d62b4aca3 100644
--- a/admin/comments.php
+++ b/admin/comments.php
@@ -134,10 +134,12 @@ $template->assign(
$list = array();
$query = '
-SELECT c.id, c.image_id, c.date, c.author, c.content, i.path, i.tn_ext
+SELECT c.id, c.image_id, c.date, c.author, u.username, c.content, i.path, i.tn_ext
FROM '.COMMENTS_TABLE.' AS c
INNER JOIN '.IMAGES_TABLE.' AS i
ON i.id = c.image_id
+ LEFT JOIN '.USERS_TABLE.' AS u
+ ON u.id = c.author_id
WHERE validated = \'false\'
ORDER BY c.date DESC
;';
@@ -151,6 +153,14 @@ while ($row = mysql_fetch_assoc($result))
'tn_ext'=>@$row['tn_ext']
)
);
+ if (empty($row['author_id']))
+ {
+ $author_name = $row['author'];
+ }
+ else
+ {
+ $author_name = $row['username'];
+ }
$template->append(
'comments',
array(
@@ -159,7 +169,7 @@ while ($row = mysql_fetch_assoc($result))
'&amp;image_id='.$row['image_id'],
'ID' => $row['id'],
'TN_SRC' => $thumb,
- 'AUTHOR' => trigger_event('render_comment_author', $row['author']),
+ 'AUTHOR' => trigger_event('render_comment_author', $author_name),
'DATE' => format_date($row['date'], true),
'CONTENT' => trigger_event('render_comment_content',$row['content'])
)
diff --git a/comments.php b/comments.php
index 048e8d692..f5147e1b4 100644
--- a/comments.php
+++ b/comments.php
@@ -100,7 +100,9 @@ if (isset($_GET['cat']) and 0 != $_GET['cat'])
// search a particular author
if (isset($_GET['author']) and !empty($_GET['author']))
{
- $page['where_clauses'][] = 'com.author = \''.$_GET['author'].'\'';
+ $page['where_clauses'][] =
+ 'u.username = \''.addslashes($_GET['author']).'\'
+ OR author = \''.addslashes($_GET['author']).'\'';
}
// search a substring among comments content
@@ -261,10 +263,12 @@ else
}
$query = '
-SELECT COUNT(DISTINCT(id))
+SELECT COUNT(DISTINCT(com.id))
FROM '.IMAGE_CATEGORY_TABLE.' AS ic
INNER JOIN '.COMMENTS_TABLE.' AS com
ON ic.image_id = com.image_id
+ LEFT JOIN '.USERS_TABLE.' As u
+ ON u.id = com.author_id
WHERE '.implode('
AND ', $page['where_clauses']).'
;';
@@ -295,12 +299,16 @@ SELECT com.id AS comment_id
, com.image_id
, ic.category_id
, com.author
+ , com.author_id
+ , username
, com.date
, com.content
, com.validated
FROM '.IMAGE_CATEGORY_TABLE.' AS ic
- INNER JOIN '.COMMENTS_TABLE.' AS com
+ INNER JOIN '.COMMENTS_TABLE.' AS com
ON ic.image_id = com.image_id
+ LEFT JOIN '.USERS_TABLE.' AS u
+ ON u.id = com.author_id
WHERE '.implode('
AND ', $page['where_clauses']).'
GROUP BY comment_id
@@ -366,10 +374,17 @@ SELECT id, name, permalink, uppercats
)
);
- $author = $comment['author'];
- if (empty($comment['author']))
+ if (!empty($comment['author']))
+ {
+ $author = $comment['author'];
+ if ($author == 'guest')
+ {
+ $author = l10n('guest');
+ }
+ }
+ else
{
- $author = l10n('guest');
+ $author = $comment['username'];
}
$tpl_comment =
@@ -382,7 +397,7 @@ SELECT id, name, permalink, uppercats
'CONTENT'=>trigger_event('render_comment_content',$comment['content']),
);
- if (can_manage_comment('delete', $comment['author']))
+ if (can_manage_comment('delete', $comment['author_id']))
{
$url = get_root_url().'comments.php'
.get_query_string_diff(array('delete','validate','edit'));
@@ -391,7 +406,7 @@ SELECT id, name, permalink, uppercats
array('delete'=>$comment['comment_id'])
);
}
- if (can_manage_comment('edit', $comment['author']))
+ if (can_manage_comment('edit', $comment['author_id']))
{
$url = get_root_url().'comments.php'
.get_query_string_diff(array('edit', 'delete','validate'));
diff --git a/include/functions_comment.inc.php b/include/functions_comment.inc.php
index fb421d39b..9b1d323a1 100644
--- a/include/functions_comment.inc.php
+++ b/include/functions_comment.inc.php
@@ -91,6 +91,7 @@ function insert_user_comment( &$comm, $key, &$infos )
{
$comm['author'] = 'guest';
}
+ $comm['author_id'] = $conf['guest_id'];
// if a guest try to use the name of an already existing user, he must be
// rejected
if ( $comm['author'] != 'guest' )
@@ -109,8 +110,10 @@ SELECT COUNT(*) AS user_exists
}
else
{
- $comm['author'] = $user['username'];
+ $comm['author'] = '';
+ $comm['author_id'] = $user['id'];
}
+
if ( empty($comm['content']) )
{ // empty comment content
$comment_action='reject';
@@ -134,7 +137,7 @@ SELECT COUNT(*) AS user_exists
$query = '
SELECT id FROM '.COMMENTS_TABLE.'
WHERE date > FROM_UNIXTIME('.$reference_date.')
- AND author = "'.addslashes($comm['author']).'"';
+ AND author_id = '.$comm['author_id'];
if ( mysql_num_rows( pwg_query( $query ) ) > 0 )
{
array_push( $infos, l10n('comment_anti-flood') );
@@ -151,9 +154,10 @@ SELECT id FROM '.COMMENTS_TABLE.'
{
$query = '
INSERT INTO '.COMMENTS_TABLE.'
- (author, content, date, validated, validation_date, image_id)
+ (author, author_id, content, date, validated, validation_date, image_id)
VALUES (
"'.addslashes($comm['author']).'",
+ '.$comm['author_id'].',
"'.addslashes($comm['content']).'",
NOW(),
"'.($comment_action=='validate' ? 'true':'false').'",
@@ -166,21 +170,25 @@ INSERT INTO '.COMMENTS_TABLE.'
$comm['id'] = mysql_insert_id();
- if
- (
- ($comment_action=='validate' and $conf['email_admin_on_comment'])
- or
- ($comment_action!='validate' and $conf['email_admin_on_comment_validation'])
- )
+ if (($comment_action=='validate' and $conf['email_admin_on_comment']) or
+ ($comment_action!='validate'
+ and $conf['email_admin_on_comment_validation']))
{
include_once(PHPWG_ROOT_PATH.'include/functions_mail.inc.php');
- $del_url =
- get_absolute_root_url().'comments.php?delete='.$comm['id'];
+ $del_url = get_absolute_root_url().'comments.php?delete='.$comm['id'];
+ if (empty($comm['author']))
+ {
+ $author_name = $user['username'];
+ }
+ else
+ {
+ $author_name = $comm['author'];
+ }
$keyargs_content = array
(
- get_l10n_args('Author: %s', $comm['author']),
+ get_l10n_args('Author: %s', $author_name),
get_l10n_args('Comment: %s', $comm['content']),
get_l10n_args('', ''),
get_l10n_args('Delete: %s', $del_url)
@@ -197,7 +205,7 @@ INSERT INTO '.COMMENTS_TABLE.'
pwg_mail_notification_admins
(
- get_l10n_args('Comment by %s', $comm['author']),
+ get_l10n_args('Comment by %s', $author_name),
$keyargs_content
);
}
@@ -218,7 +226,7 @@ function delete_user_comment($comment_id) {
$user_where_clause = '';
if (!is_admin())
{
- $user_where_clause = ' AND author = \''.$GLOBALS['user']['username'].'\'';
+ $user_where_clause = ' AND author_id = \''.$GLOBALS['user']['id'].'\'';
}
$query = '
DELETE FROM '.COMMENTS_TABLE.'
@@ -264,7 +272,7 @@ function update_user_comment($comment, $post_key) {
$query = '
SELECT id FROM '.COMMENTS_TABLE.'
WHERE date > FROM_UNIXTIME('.$reference_date.')
- AND author = "'.$GLOBALS['user']['username'].'"';
+ AND author_id = '.$comm['author_id'];
if ( mysql_num_rows( pwg_query( $query ) ) > 0 )
{
array_push( $infos, l10n('comment_anti-flood') );
@@ -286,8 +294,8 @@ SELECT id FROM '.COMMENTS_TABLE.'
$user_where_clause = '';
if (!is_admin())
{
- $user_where_clause = ' AND author = \''.
- $GLOBALS['user']['username'].'\'';
+ $user_where_clause = ' AND author_id = \''.
+ $GLOBALS['user']['id'].'\'';
}
$query = '
UPDATE '.COMMENTS_TABLE.'
diff --git a/include/functions_user.inc.php b/include/functions_user.inc.php
index d7aa81f24..02c1e7e13 100644
--- a/include/functions_user.inc.php
+++ b/include/functions_user.inc.php
@@ -1202,13 +1202,14 @@ function is_adviser()
* @param action edit/delete
* @return bool
*/
-function can_manage_comment($action, $comment_author)
+function can_manage_comment($action, $comment_author_id)
{
if (!in_array($action, array('delete','edit'))) {
return false;
}
return (is_admin() ||
- (($GLOBALS['user']['username'] == $comment_author)
+ (($GLOBALS['user']['id'] == $comment_author_id)
+ && !is_a_guest()
&& $GLOBALS['conf'][sprintf('user_can_%s_comment', $action)]));
}
diff --git a/include/picture_comment.inc.php b/include/picture_comment.inc.php
index 1e30fa2d9..8845ee47a 100644
--- a/include/picture_comment.inc.php
+++ b/include/picture_comment.inc.php
@@ -128,8 +128,10 @@ SELECT COUNT(*) AS nb_comments
}
$query = '
-SELECT id,author,date,image_id,content,validated
- FROM '.COMMENTS_TABLE.'
+SELECT com.id,author,author_id,username,date,image_id,content,validated
+ FROM '.COMMENTS_TABLE.' AS com
+ LEFT JOIN '.USERS_TABLE.' AS u
+ ON u.id = author_id
WHERE image_id = '.$page['image_id'].
$validated_clause.'
ORDER BY date ASC
@@ -139,19 +141,29 @@ $validated_clause.'
while ($row = mysql_fetch_array($result))
{
+ if (!empty($row['author']))
+ {
+ $author = $row['author'];
+ if ($author == 'guest')
+ {
+ $author = l10n('guest');
+ }
+ }
+ else
+ {
+ $author = $row['username'];
+ }
+
$tpl_comment =
array(
- 'AUTHOR' => trigger_event('render_comment_author',
- empty($row['author'])
- ? l10n('guest')
- : $row['author']),
+ 'AUTHOR' => trigger_event('render_comment_author', $author),
'DATE' => format_date( $row['date'], true),
'CONTENT' => trigger_event('render_comment_content',$row['content']),
);
- if (can_manage_comment('delete', $row['author']))
+ if (can_manage_comment('delete', $row['author_id']))
{
$tpl_comment['U_DELETE'] =
add_url_params($url_self,
@@ -161,7 +173,7 @@ $validated_clause.'
)
);
}
- if (can_manage_comment('edit', $row['author']))
+ if (can_manage_comment('edit', $row['author_id']))
{
$tpl_comment['U_EDIT'] =
add_url_params($url_self,
diff --git a/install/db/82-database.php b/install/db/82-database.php
new file mode 100644
index 000000000..5a3302184
--- /dev/null
+++ b/install/db/82-database.php
@@ -0,0 +1,44 @@
+<?php
+// +-----------------------------------------------------------------------+
+// | Piwigo - a PHP based picture gallery |
+// +-----------------------------------------------------------------------+
+// | Copyright(C) 2008-2009 Piwigo Team http://piwigo.org |
+// | Copyright(C) 2003-2008 PhpWebGallery Team http://phpwebgallery.net |
+// | Copyright(C) 2002-2003 Pierrick LE GALL http://le-gall.net/pierrick |
+// +-----------------------------------------------------------------------+
+// | This program is free software; you can redistribute it and/or modify |
+// | it under the terms of the GNU General Public License as published by |
+// | the Free Software Foundation |
+// | |
+// | This program is distributed in the hope that it will be useful, but |
+// | WITHOUT ANY WARRANTY; without even the implied warranty of |
+// | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
+// | General Public License for more details. |
+// | |
+// | You should have received a copy of the GNU General Public License |
+// | along with this program; if not, write to the Free Software |
+// | Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, |
+// | USA. |
+// +-----------------------------------------------------------------------+
+
+if (!defined('PHPWG_ROOT_PATH'))
+{
+ die('Hacking attempt!');
+}
+
+$upgrade_description = 'add new column to save author_id.
+Guest users names are saved in author column';
+
+$query = '
+ALTER TABLE '.PREFIX_TABLE.'comments
+ ADD COLUMN author_id smallint(5) DEFAULT NULL
+;';
+
+pwg_query($query);
+
+echo
+"\n"
+. $upgrade_description
+."\n"
+;
+?>