authorplegall <plg@piwigo.org>2010-03-19 22:25:39 +0000
committerplegall <plg@piwigo.org>2010-03-19 22:25:39 +0000
commitc695136e4d75695178a9fc848a7cf6bfa2b9346c (patch)
treeefba21de4995d7bd6b2f792e6d118a8e6e6bd405 /picture.php
parentff7e537e2b4bceaef241096a377d12af4b917c43 (diff)
bug 1328: backport the pwg_token on trunk
bug 1329: backport the check_input_parameter on trunk feature 1026: add pwg_token feature for edit/delete comment. Heavy refactoring on this feature to make the code simpler and easier to maintain (I hope). git-svn-id: http://piwigo.org/svn/trunk@5195 68402e56-0260-453c-a942-63ccdbb3a9ee
Diffstat (limited to 'picture.php')
-rw-r--r--picture.php61
1 files changed, 39 insertions, 22 deletions
diff --git a/picture.php b/picture.php
index 4dd3d4fad..8191dd8ee 100644
--- a/picture.php
+++ b/picture.php
@@ -311,20 +311,31 @@ UPDATE '.CATEGORIES_TABLE.'
}
case 'edit_comment' :
{
+ check_pwg_token();
+
include_once(PHPWG_ROOT_PATH.'include/functions_comment.inc.php');
- if (isset($_GET['comment_to_edit'])
- and is_numeric($_GET['comment_to_edit'])
- and (is_admin() || $conf['user_can_edit_comment']))
+
+ check_input_parameter('comment_to_edit', $_GET, false, PATTERN_ID);
+
+ $author_id = get_comment_author_id($_GET['comment_to_edit']);
+
+ if (can_manage_comment('edit', $author_id))
{
if (!empty($_POST['content']))
{
- update_user_comment(array('comment_id' => $_GET['comment_to_edit'],
- 'image_id' => $page['image_id'],
- 'content' => $_POST['content']),
- $_POST['key']
- );
+ update_user_comment(
+ array(
+ 'comment_id' => $_GET['comment_to_edit'],
+ 'image_id' => $page['image_id'],
+ 'content' => $_POST['content']
+ ),
+ $_POST['key']
+ );
+
redirect($url_self);
- } else {
+ }
+ else
+ {
$edit_comment = $_GET['comment_to_edit'];
break;
}
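Review bot: `check_pwg_token();` sits at the top of the `edit_comment` case, before the `!empty($_POST['content'])` test, so it also gates the `else` branch that only sets `$edit_comment` to display the form. The edit link itself therefore has to carry the token. If it travels in the query string next to `comment_to_edit` (how the token is read is not visible in this hunk), it will be recorded in access logs, browser history and Referer headers. Consider requiring it only where state changes, by making `check_pwg_token();` the first statement inside `if (!empty($_POST['content']))` and submitting it as a hidden form field. The case body continues past the end of this hunk.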
@@ -332,30 +343,36 @@ UPDATE '.CATEGORIES_TABLE.'
}
case 'delete_comment' :
{
+ check_pwg_token();
+
include_once(PHPWG_ROOT_PATH.'include/functions_comment.inc.php');
- if (isset($_GET['comment_to_delete'])
- and is_numeric($_GET['comment_to_delete'])
- and (is_admin() || $conf['user_can_delete_comment']))
+
+ check_input_parameter('comment_to_delete', $_GET, false, PATTERN_ID);
+
+ $author_id = get_comment_author_id($_GET['comment_to_delete']);
+
+ if (can_manage_comment('delete', $author_id))
{
delete_user_comment($_GET['comment_to_delete']);
}
+
redirect($url_self);
}
case 'validate_comment' :
{
+ check_pwg_token();
+
include_once(PHPWG_ROOT_PATH.'include/functions_comment.inc.php');
- if (isset($_GET['comment_to_validate'])
- and is_numeric($_GET['comment_to_validate'])
- and is_admin() and !is_adviser() )
+
+ check_input_parameter('comment_to_validate', $_GET, false, PATTERN_ID);
+
+ $author_id = get_comment_author_id($_GET['comment_to_delete']);
+
+ if (can_manage_comment('validate', $author_id))
{
- $query = '
-UPDATE '.COMMENTS_TABLE.'
- SET validated = \'true\'
- , validation_date = NOW()
- WHERE id='.$_GET['comment_to_validate'].'
-;';
- pwg_query( $query );
+ validate_user_comment($_GET['comment_to_validate']);
}
+
redirect($url_self);
}
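Review bot: In the `validate_comment` case the author lookup reads `$_GET['comment_to_delete']`, but the only parameter this branch checks with `check_input_parameter(..., PATTERN_ID)` is `comment_to_validate`. The permission decision in `can_manage_comment('validate', $author_id)` is therefore made for a different comment, or for none, than the one passed to `validate_user_comment()`. It also means a request value that was never pattern-checked reaches `get_comment_author_id()`; whether that helper escapes its argument is not visible here. The line should read `$author_id = get_comment_author_id($_GET['comment_to_validate']);`.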