author | plegall <plg@piwigo.org> | 2010-03-19 22:25:39 +0000 |
---|---|---|
committer | plegall <plg@piwigo.org> | 2010-03-19 22:25:39 +0000 |
commit | c695136e4d75695178a9fc848a7cf6bfa2b9346c (patch) | |
tree | efba21de4995d7bd6b2f792e6d118a8e6e6bd405 /picture.php | |
parent | ff7e537e2b4bceaef241096a377d12af4b917c43 (diff) |
bug 1328: backport the pwg_token on trunk
bug 1329: backport the check_input_parameter on trunk
feature 1026: add pwg_token feature for edit/delete comment. Heavy refactoring
of this feature to make the code simpler and easier to maintain (I hope).
git-svn-id: http://piwigo.org/svn/trunk@5195 68402e56-0260-453c-a942-63ccdbb3a9ee
Diffstat (limited to 'picture.php')
-rw-r--r-- | picture.php | 61 |
1 files changed, 39 insertions, 22 deletions
diff --git a/picture.php b/picture.php
index 4dd3d4fad..8191dd8ee 100644
--- a/picture.php
+++ b/picture.php
@@ -311,20 +311,31 @@ UPDATE '.CATEGORIES_TABLE.'
 }
 case 'edit_comment' :
 {
+ check_pwg_token();
+
 include_once(PHPWG_ROOT_PATH.'include/functions_comment.inc.php');
- if (isset($_GET['comment_to_edit'])
- and is_numeric($_GET['comment_to_edit'])
- and (is_admin() || $conf['user_can_edit_comment']))
+
+ check_input_parameter('comment_to_edit', $_GET, false, PATTERN_ID);
+
+ $author_id = get_comment_author_id($_GET['comment_to_edit']);
+
+ if (can_manage_comment('edit', $author_id))
 {
 if (!empty($_POST['content']))
 {
- update_user_comment(array('comment_id' => $_GET['comment_to_edit'],
- 'image_id' => $page['image_id'],
- 'content' => $_POST['content']),
- $_POST['key']
- );
+ update_user_comment(
+ array(
+ 'comment_id' => $_GET['comment_to_edit'],
+ 'image_id' => $page['image_id'],
+ 'content' => $_POST['content']
+ ),
+ $_POST['key']
+ );
+
 redirect($url_self);
- } else {
+ }
+ else
+ {
 $edit_comment = $_GET['comment_to_edit'];
 break;
 }
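Review bot: The new `check_pwg_token();` at the top of the `edit_comment` case guards both of the case's paths, but nothing documents that: the same call precedes the form-display path (`$edit_comment = $_GET['comment_to_edit']; break;`) and the submit path (`!empty($_POST['content'])`), so every edit link the templates emit must carry the token, not just the form's POST, or the edit form itself becomes unreachable. A one-line comment above the call would spare the next maintainer from chasing a dead edit link: `// pwg_token is required both to open the edit form and to submit it`. It is also worth stating that `check_input_parameter()` runs before `get_comment_author_id()`, so the id reaching the lookup already matches PATTERN_ID; what the lookup returns for an id that does not exist, and how `can_manage_comment()` treats that, is not visible in this hunk and should be confirmed. The enclosing `switch` starts before this hunk.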
@@ -332,30 +343,36 @@ UPDATE '.CATEGORIES_TABLE.'
 }
 case 'delete_comment' :
 {
+ check_pwg_token();
+
 include_once(PHPWG_ROOT_PATH.'include/functions_comment.inc.php');
- if (isset($_GET['comment_to_delete'])
- and is_numeric($_GET['comment_to_delete'])
- and (is_admin() || $conf['user_can_delete_comment']))
+
+ check_input_parameter('comment_to_delete', $_GET, false, PATTERN_ID);
+
+ $author_id = get_comment_author_id($_GET['comment_to_delete']);
+
+ if (can_manage_comment('delete', $author_id))
 {
 delete_user_comment($_GET['comment_to_delete']);
 }
+
 redirect($url_self);
 }
 case 'validate_comment' :
 {
+ check_pwg_token();
+
 include_once(PHPWG_ROOT_PATH.'include/functions_comment.inc.php');
- if (isset($_GET['comment_to_validate'])
- and is_numeric($_GET['comment_to_validate'])
- and is_admin() and !is_adviser() )
+
+ check_input_parameter('comment_to_validate', $_GET, false, PATTERN_ID);
+
+ $author_id = get_comment_author_id($_GET['comment_to_delete']);
+
+ if (can_manage_comment('validate', $author_id))
 {
- $query = '
-UPDATE '.COMMENTS_TABLE.'
- SET validated = \'true\'
- , validation_date = NOW()
- WHERE id='.$_GET['comment_to_validate'].'
-;';
- pwg_query( $query );
+ validate_user_comment($_GET['comment_to_validate']);
 }
+
 redirect($url_self);
 } |
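Review bot: The `validate_comment` branch looks up the author of the wrong comment: `$author_id = get_comment_author_id($_GET['comment_to_delete']);` directly follows `check_input_parameter('comment_to_validate', $_GET, false, PATTERN_ID);`, so the parameter that was just validated is never used for the permission check, while the unvalidated `comment_to_delete` key (normally absent on this request, giving an undefined-index notice and a null lookup argument) is. Whether `can_manage_comment('validate', null)` grants or denies depends on that helper, which is outside this hunk, but in either case the check is not evaluated against the comment that `validate_user_comment($_GET['comment_to_validate'])` then acts on, and a caller able to set both parameters could presumably steer which author is checked independently of which comment is validated. Change the line to `$author_id = get_comment_author_id($_GET['comment_to_validate']);` so the check and the action refer to the same id, as the `edit_comment` and `delete_comment` branches already do. The enclosing `switch` starts before this hunk.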