diff options
Diffstat (limited to '')
-rw-r--r-- | include/functions_comment.inc.php | 130 | ||||
-rw-r--r-- | include/functions_user.inc.php | 15 | ||||
-rw-r--r-- | include/picture_comment.inc.php | 38 |
3 files changed, 174 insertions, 9 deletions
diff --git a/include/functions_comment.inc.php b/include/functions_comment.inc.php index c8dd6f3e0..fb421d39b 100644 --- a/include/functions_comment.inc.php +++ b/include/functions_comment.inc.php @@ -205,4 +205,134 @@ INSERT INTO '.COMMENTS_TABLE.' return $comment_action; } +/** + * Tries to delete a user comment in the database + * only admin can delete all comments + * other users can delete their own comments + * so to avoid a new sql request we add author in where clause + * + * @param comment_id + */ + +function delete_user_comment($comment_id) { + $user_where_clause = ''; + if (!is_admin()) + { + $user_where_clause = ' AND author = \''.$GLOBALS['user']['username'].'\''; + } + $query = ' +DELETE FROM '.COMMENTS_TABLE.' + WHERE id = '.$comment_id. +$user_where_clause.' +;'; + $result = pwg_query($query); + if ($result) { + email_admin('delete', array('author' => $GLOBALS['user']['username'])); + } +} + +/** + * Tries to update a user comment in the database + * only admin can update all comments + * users can edit their own comments if admin allow them + * so to avoid a new sql request we add author in where clause + * + * @param comment_id + * @param post_key + * @param content + */ + +function update_user_comment($comment, $post_key) { + global $conf; + + $comment_action = 'validate'; + + $key = explode( ':', $post_key ); + if ( count($key)!=2 + or $key[0]>time()-2 // page must have been retrieved more than 2 sec ago + or $key[0]<time()-3600 // 60 minutes expiration + or hash_hmac('md5', $key[0].':'.$comment['image_id'], $conf['secret_key'] + ) != $key[1] + ) + { + $comment_action='reject'; + } + + if ($comment_action!='reject' and $conf['anti-flood_time']>0 ) + { // anti-flood system + $reference_date = time() - $conf['anti-flood_time']; + $query = ' +SELECT id FROM '.COMMENTS_TABLE.' + WHERE date > FROM_UNIXTIME('.$reference_date.') + AND author = "'.$GLOBALS['user']['username'].'"'; + if ( mysql_num_rows( pwg_query( $query ) ) > 0 ) + { + array_push( $infos, l10n('comment_anti-flood') ); + $comment_action='reject'; + } + } + + // perform more spam check + $comment_action = + trigger_event('user_comment_check', + $comment_action, + array_merge($comment, + array('author' => $GLOBALS['user']['username']) + ) + ); + + if ( $comment_action!='reject' ) + { + $user_where_clause = ''; + if (!is_admin()) + { + $user_where_clause = ' AND author = \''. + $GLOBALS['user']['username'].'\''; + } + $query = ' +UPDATE '.COMMENTS_TABLE.' + SET content = \''.$comment['content'].'\', + validation_date = now() + WHERE id = '.$comment['comment_id']. +$user_where_clause.' +;'; + $result = pwg_query($query); + if ($result) { + email_admin('edit', array('author' => $GLOBALS['user']['username'], + 'content' => $comment['content'])); + } + } +} + +function email_admin($action, $comment) { + global $conf; + + if (!in_array($action, array('edit', 'delete')) + or (($action=='edit') and !$conf['email_admin_on_comment_edition']) + or (($action=='delete') and !$conf['email_admin_on_comment_deletion'])) + { + return; + } + + include_once(PHPWG_ROOT_PATH.'include/functions_mail.inc.php'); + + $keyargs_content = array(); + $keyargs_content[] = get_l10n_args('Author: %s', $comment['author']); + if ($action=='delete') + { + $keyargs_content[] = get_l10n_args('This author remove comment with id %d', + $comment['comment_id'] + ); + } + else + { + $keyargs_content[] = get_l10n_args('This author modified following comment:', ''); + $keyargs_content[] = get_l10n_args('Comment: %s', $comment['content']); + } + + pwg_mail_notification_admins(get_l10n_args('Comment by %s', + $comment['author']), + $keyargs_content + ); +} ?>
\ No newline at end of file diff --git a/include/functions_user.inc.php b/include/functions_user.inc.php index d7ef88992..d7aa81f24 100644 --- a/include/functions_user.inc.php +++ b/include/functions_user.inc.php @@ -1198,6 +1198,21 @@ function is_adviser() } /* + * Return if current user can edit/delete a comment + * @param action edit/delete + * @return bool + */ +function can_manage_comment($action, $comment_author) +{ + if (!in_array($action, array('delete','edit'))) { + return false; + } + return (is_admin() || + (($GLOBALS['user']['username'] == $comment_author) + && $GLOBALS['conf'][sprintf('user_can_%s_comment', $action)])); +} + +/* * Return mail address as display text * @return string */ diff --git a/include/picture_comment.inc.php b/include/picture_comment.inc.php index 9a120e355..5dd4c6033 100644 --- a/include/picture_comment.inc.php +++ b/include/picture_comment.inc.php @@ -151,16 +151,35 @@ $validated_clause.' 'CONTENT' => trigger_event('render_comment_content',$row['content']), ); - if (is_admin()) + if (can_manage_comment('delete', $row['author'])) { $tpl_comment['U_DELETE'] = - add_url_params( - $url_self, - array( - 'action'=>'delete_comment', - 'comment_to_delete'=>$row['id'] - ) - ); + add_url_params($url_self, + array( + 'action'=>'delete_comment', + 'comment_to_delete'=>$row['id'] + ) + ); + } + if (can_manage_comment('edit', $row['author'])) + { + $tpl_comment['U_EDIT'] = + add_url_params($url_self, + array( + 'action'=>'edit_comment', + 'comment_to_edit'=>$row['id'] + ) + ); + if (isset($edit_comment) and ($row['id'] == $edit_comment)) + { + $tpl_comment['IN_EDIT'] = true; + $key = get_comment_post_key($page['image_id']); + $tpl_comment['KEY'] = $key; + $tpl_comment['CONTENT'] = $row['content']; + } + } + if (is_admin()) + { if ($row['validated'] != 'true') { $tpl_comment['U_VALIDATE'] = @@ -176,7 +195,8 @@ $validated_clause.' } if (!is_a_guest() - or (is_a_guest() and $conf['comments_forall'])) + or (is_a_guest() and $conf['comments_forall']) + and (isset($edit_comment) and ($edit_comment != null))) { $key = get_comment_post_key($page['image_id']); $content = ''; |