author | nikrou <nikrou@piwigo.org> | 2009-06-23 21:18:16 +0000 |
committer | nikrou <nikrou@piwigo.org> | 2009-06-23 21:18:16 +0000 |
commit | 64c872a83e726ec4d298be479b57dae13fb2c0c6 (patch) | |
tree | 6478da0a8067f078905038c312767690b440487c /include | |
parent | 1ce50505e4b9a6b533146e70902a7e426fd872a7 (diff) |
Feature 1026 step 2 :
add author_id column so that a guest cannot modify old users' comments
git-svn-id: http://piwigo.org/svn/trunk@3450 68402e56-0260-453c-a942-63ccdbb3a9ee
Diffstat (limited to 'include')
-rw-r--r-- | include/functions_comment.inc.php | 42 | ||||
-rw-r--r-- | include/functions_user.inc.php | 5 | ||||
-rw-r--r-- | include/picture_comment.inc.php | 28 |
3 files changed, 48 insertions, 27 deletions
diff --git a/include/functions_comment.inc.php b/include/functions_comment.inc.php
index fb421d39b..9b1d323a1 100644
--- a/include/functions_comment.inc.php
+++ b/include/functions_comment.inc.php
@@ -91,6 +91,7 @@ function insert_user_comment( &$comm, $key, &$infos )
 {
 $comm['author'] = 'guest';
 }
+ $comm['author_id'] = $conf['guest_id'];
 // if a guest try to use the name of an already existing user, he must be
 // rejected
 if ( $comm['author'] != 'guest' )
@@ -109,8 +110,10 @@ SELECT COUNT(*) AS user_exists
 }
 else
 {
- $comm['author'] = $user['username'];
+ $comm['author'] = '';
+ $comm['author_id'] = $user['id'];
 }
+
 if ( empty($comm['content']) )
 { // empty comment content
 $comment_action='reject';
@@ -134,7 +137,7 @@ SELECT COUNT(*) AS user_exists
 $query = '
 SELECT id FROM '.COMMENTS_TABLE.'
 WHERE date > FROM_UNIXTIME('.$reference_date.')
- AND author = "'.addslashes($comm['author']).'"';
+ AND author_id = '.$comm['author_id'];
 if ( mysql_num_rows( pwg_query( $query ) ) > 0 )
 {
 array_push( $infos, l10n('comment_anti-flood') );
@@ -151,9 +154,10 @@ SELECT id FROM '.COMMENTS_TABLE.'
 {
 $query = '
 INSERT INTO '.COMMENTS_TABLE.'
- (author, content, date, validated, validation_date, image_id)
+ (author, author_id, content, date, validated, validation_date, image_id)
 VALUES (
 "'.addslashes($comm['author']).'",
+ '.$comm['author_id'].',
 "'.addslashes($comm['content']).'",
 NOW(),
 "'.($comment_action=='validate' ? 'true':'false').'",
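Review bot: `$comm['author'] = '';` in the -109 hunk now leaves the stored author name empty for registered users, so every reader of the `author` column has to resolve the name through `author_id`, as picture_comment.inc.php does later in this commit. The diffstat is limited to `include`, so it is not visible here whether other consumers of that column (admin listings, feeds) are adjusted in the same change. A comment on the assignment would spare the next reader the search: `// registered users: author stays empty, the name is resolved via author_id`. insert_user_comment starts before this hunk.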
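Review bot: `AND author_id = '.$comm['author_id']` in the -134 hunk drops the escaping the replaced line had and concatenates the id unquoted; the value comes from `$conf['guest_id']` or `$user['id']` rather than from the request, but a cast keeps the query well-formed whatever the source, `AND author_id = '.(int)$comm['author_id'];`, and the same applies to the `'.$comm['author_id'].',` value in the INSERT of the -151 hunk. Separately, every guest now shares `$conf['guest_id']`, so one guest comment trips the anti-flood rejection for every other anonymous visitor within the reference window, where the old name-based check only collided on identical names; if that widening is not intended, keep the author name as an extra discriminator in the guest case. insert_user_comment starts before this hunk and continues after it.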
@@ -166,21 +170,25 @@ INSERT INTO '.COMMENTS_TABLE.' $comm['id'] = mysql_insert_id(); - if - ( - ($comment_action=='validate' and $conf['email_admin_on_comment']) - or - ($comment_action!='validate' and $conf['email_admin_on_comment_validation']) - ) + if (($comment_action=='validate' and $conf['email_admin_on_comment']) or + ($comment_action!='validate' + and $conf['email_admin_on_comment_validation'])) { include_once(PHPWG_ROOT_PATH.'include/functions_mail.inc.php'); - $del_url = - get_absolute_root_url().'comments.php?delete='.$comm['id']; + $del_url = get_absolute_root_url().'comments.php?delete='.$comm['id']; + if (empty($comm['author'])) + { + $author_name = $user['username']; + } + else + { + $author_name = $comm['author']; + } $keyargs_content = array ( - get_l10n_args('Author: %s', $comm['author']), + get_l10n_args('Author: %s', $author_name), get_l10n_args('Comment: %s', $comm['content']), get_l10n_args('', ''), get_l10n_args('Delete: %s', $del_url)
@@ -197,7 +205,7 @@ INSERT INTO '.COMMENTS_TABLE.' pwg_mail_notification_admins ( - get_l10n_args('Comment by %s', $comm['author']), + get_l10n_args('Comment by %s', $author_name), $keyargs_content ); }
@@ -218,7 +226,7 @@ function delete_user_comment($comment_id) {
 $user_where_clause = '';
 if (!is_admin())
 {
- $user_where_clause = ' AND author = \''.$GLOBALS['user']['username'].'\'';
+ $user_where_clause = ' AND author_id = \''.$GLOBALS['user']['id'].'\'';
 }
 $query = '
 DELETE FROM '.COMMENTS_TABLE.'
@@ -264,7 +272,7 @@ function update_user_comment($comment, $post_key) {
 $query = '
 SELECT id FROM '.COMMENTS_TABLE.'
 WHERE date > FROM_UNIXTIME('.$reference_date.')
- AND author = "'.$GLOBALS['user']['username'].'"';
+ AND author_id = '.$comm['author_id'];
 if ( mysql_num_rows( pwg_query( $query ) ) > 0 )
 {
 array_push( $infos, l10n('comment_anti-flood') );
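Review bot: `' AND author_id = \''.$GLOBALS['user']['id'].'\''` in the -218 hunk restricts non-admins to comments carrying their own id, but a guest session carries `$conf['guest_id']`, which this commit also stamps on every guest comment, so one guest can still delete any other guest's comment unless the caller has already rejected guests. can_manage_comment gains `!is_a_guest()` in this commit, but whether delete_user_comment is only ever reached through it is outside the hunk; refusing inside the function as well, before the DELETE is built, e.g. `if (!is_admin() && is_a_guest())` returning early, keeps the protection independent of the caller. The same shared-id clause is introduced for update_user_comment in the -286 hunk. delete_user_comment's body continues outside the hunk.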
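Review bot: `AND author_id = '.$comm['author_id']` in the -264 hunk references `$comm`, but update_user_comment's parameter is `$comment` and the replaced line used `$GLOBALS['user']['username']`; unless `$comm` is assigned earlier in the function (not visible here), the expression is null and the query ends in `AND author_id = `, which breaks the anti-flood check with a SQL error instead of a clean result. The rest of the function, including the -286 hunk, identifies the user through `$GLOBALS['user']['id']`, so `AND author_id = '.(int)$GLOBALS['user']['id'];` is the consistent form. update_user_comment starts before this hunk and continues after it.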
@@ -286,8 +294,8 @@ SELECT id FROM '.COMMENTS_TABLE.'
 $user_where_clause = '';
 if (!is_admin())
 {
- $user_where_clause = ' AND author = \''.
- $GLOBALS['user']['username'].'\'';
+ $user_where_clause = ' AND author_id = \''.
+ $GLOBALS['user']['id'].'\'';
 }
 $query = '
 UPDATE '.COMMENTS_TABLE.'
diff --git a/include/functions_user.inc.php b/include/functions_user.inc.php
index d7aa81f24..02c1e7e13 100644
--- a/include/functions_user.inc.php
+++ b/include/functions_user.inc.php
@@ -1202,13 +1202,14 @@ function is_adviser()
 * @param action edit/delete
 * @return bool
 */
-function can_manage_comment($action, $comment_author)
+function can_manage_comment($action, $comment_author_id)
 {
 if (!in_array($action, array('delete','edit')))
 {
 return false;
 }
 return (is_admin() ||
- (($GLOBALS['user']['username'] == $comment_author)
+ (($GLOBALS['user']['id'] == $comment_author_id)
+ && !is_a_guest()
 && $GLOBALS['conf'][sprintf('user_can_%s_comment', $action)]));
 }
diff --git a/include/picture_comment.inc.php b/include/picture_comment.inc.php
index 1e30fa2d9..8845ee47a 100644
--- a/include/picture_comment.inc.php
+++ b/include/picture_comment.inc.php
@@ -128,8 +128,10 @@ SELECT COUNT(*) AS nb_comments } $query = ' -SELECT id,author,date,image_id,content,validated - FROM '.COMMENTS_TABLE.' +SELECT com.id,author,author_id,username,date,image_id,content,validated + FROM '.COMMENTS_TABLE.' AS com + LEFT JOIN '.USERS_TABLE.' AS u + ON u.id = author_id WHERE image_id = '.$page['image_id']. $validated_clause.' ORDER BY date ASC
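Review bot: The docblock kept above can_manage_comment in the functions_user.inc.php hunk still documents only `action` while the second parameter is renamed to `$comment_author_id`; add ` * @param comment_author_id id of the comment's author, compared against the current user's id` beside the existing `@param`. The new comparison `$GLOBALS['user']['id'] == $comment_author_id` is loose, and the right-hand side arrives as a string from the comments row; since both operands are meant to be integer ids, `((int)$GLOBALS['user']['id'] === (int)$comment_author_id)` states that intent and sidesteps the loose-comparison rules. The added `!is_a_guest()` is the right guard here, because every guest comment is stored with the one shared guest id.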
@@ -139,19 +141,29 @@ $validated_clause.' while ($row = mysql_fetch_array($result)) { + if (!empty($row['author'])) + { + $author = $row['author']; + if ($author == 'guest') + { + $author = l10n('guest'); + } + } + else + { + $author = $row['username']; + } + $tpl_comment = array( - 'AUTHOR' => trigger_event('render_comment_author', - empty($row['author']) - ? l10n('guest') - : $row['author']), + 'AUTHOR' => trigger_event('render_comment_author', $author), 'DATE' => format_date( $row['date'], true), 'CONTENT' => trigger_event('render_comment_content',$row['content']), ); - if (can_manage_comment('delete', $row['author'])) + if (can_manage_comment('delete', $row['author_id'])) { $tpl_comment['U_DELETE'] = add_url_params($url_self,
@@ -161,7 +173,7 @@ $validated_clause.' ) ); } - if (can_manage_comment('edit', $row['author'])) + if (can_manage_comment('edit', $row['author_id'])) { $tpl_comment['U_EDIT'] = add_url_params($url_self, |
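Review bot: `$author = $row['username'];` in the -139 hunk is reached for every row whose `author` column is empty, and `username` comes from the LEFT JOIN added in the -128 hunk, so a comment whose author account no longer exists is rendered with a null author name. A fallback such as `$author = isset($row['username']) ? $row['username'] : l10n('guest');` avoids passing an empty name to the template. The enclosing while loop continues past the end of the hunk.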