[geeklog-cvs] geeklog-1.3/public_html comment.php,1.37,1.38
dhaun at geeklog.net
dhaun at geeklog.net
Mon Jan 13 13:54:47 EST 2003
Update of /usr/cvs/geeklog/geeklog-1.3/public_html
In directory internal.geeklog.net:/tmp/cvs-serv24868
Modified Files:
comment.php
Log Message:
Added a check for proper permissions before deleting a comment. Also added
some HTML filtering.
Index: comment.php
===================================================================
RCS file: /usr/cvs/geeklog/geeklog-1.3/public_html/comment.php,v
retrieving revision 1.37
retrieving revision 1.38
diff -C2 -d -r1.37 -r1.38
*** comment.php 3 Dec 2002 03:11:00 -0000 1.37
--- comment.php 13 Jan 2003 18:54:45 -0000 1.38
***************
*** 286,316 ****
function deletecomment($cid,$sid,$type)
{
! global $_TABLES, $_CONF;
! if (!empty($cid) && !empty($sid)) {
! $result = DB_query("SELECT pid FROM {$_TABLES['comments']} WHERE cid = $cid");
! $A = DB_fetchArray($result);
! DB_change($_TABLES['comments'],'pid',$A['pid'],'pid',$cid);
! DB_delete($_TABLES['comments'],'cid',$cid);
!
! // See if plugin will handle this to update it's records
! PLG_handlePluginComment($type,$sid,'delete');
! $comments = DB_count($_TABLES['comments'],'sid',$sid);
! if ($type == 1) {
! if ($comments > 0) {
DB_change($_TABLES['stories'],'comments',$comments,'sid',$sid);
! }
! $retval .= COM_refresh("{$_CONF['site_url']}/pollbooth.php?qid=$sid");
} else {
! DB_change($_TABLES['stories'],'comments',$comments,'sid',$sid);
! $retval .= COM_refresh("{$_CONF['site_url']}/article.php?story=$sid");
}
}
!
return $retval;
}
// MAIN
$title = strip_tags ($title);
--- 286,328 ----
function deletecomment($cid,$sid,$type)
{
! global $_TABLES, $_CONF, $_USER, $REMOTE_ADDR;
! if (!empty ($sid) && !empty ($cid) && is_numeric ($cid)) {
! $result = DB_query ("SELECT owner_id,group_id,perm_owner,perm_group,perm_members,perm_anon FROM {$_TABLES['stories']} WHERE sid = '{$sid}'");
! $P = DB_fetchArray ($result);
! if (SEC_hasAccess ($A['owner_id'], $A['group_id'], $A['perm_owner'], $A['perm_group'], $A['perm_members'], $A['perm_anon']) == 3) {
! $result = DB_query("SELECT pid FROM {$_TABLES['comments']} WHERE cid = $cid");
! $A = DB_fetchArray($result);
! DB_change($_TABLES['comments'],'pid',$A['pid'],'pid',$cid);
! DB_delete($_TABLES['comments'],'cid',$cid);
! // See if plugin will handle this to update it's records
! PLG_handlePluginComment($type,$sid,'delete');
! $comments = DB_count($_TABLES['comments'],'sid',$sid);
!
! if ($type == 1) {
! if ($comments > 0) {
! DB_change($_TABLES['stories'],'comments',$comments,'sid',$sid);
! }
! $retval .= COM_refresh("{$_CONF['site_url']}/pollbooth.php?qid=$sid");
! } else {
DB_change($_TABLES['stories'],'comments',$comments,'sid',$sid);
! $retval .= COM_refresh("{$_CONF['site_url']}/article.php?story=$sid");
! }
} else {
! COM_errorLog ('User ' . $_USER['username'] . ' (IP: ' . $REMOTE_ADDR
! . ') tried to illegally delete comment ' . $cid
! . ' from story ' . $sid);
! $retval .= COM_refresh ($_CONF['site_url'] . '/article.php?story=' . $sid);
}
+ } else {
+ $retval .= COM_refresh ($_CONF['site_url'] . '/index.php');
}
!
return $retval;
}
+
// MAIN
$title = strip_tags ($title);
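Review bot: The new permission check in deletecomment() reads the story's permission columns from `$A`, but the row fetched on the line just above it is stored in `$P`, so SEC_hasAccess() is evaluated on undefined values and the decision whether the delete is allowed does not depend on the story's actual owner, group or perm_* columns. Change the condition to `if (SEC_hasAccess ($P['owner_id'], $P['group_id'], $P['perm_owner'], $P['perm_group'], $P['perm_members'], $P['perm_anon']) == 3) {` so the fetched row is the one being checked; `$A` is then free for the later comment fetch as before. `$retval` is also appended to with `.=` on every path without ever being initialised; a `$retval = '';` at the top of the function avoids relying on an undefined variable. The new SELECT on the stories table interpolates `$sid` inside quotes without any escaping, and the `is_numeric` guard covers only `$cid`, so the same injection surface remains on `$sid` unless DB_query escapes it (nothing in the hunk shows that it does); the strip_tags calls added at the call site in the second hunk do not address this either.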
***************
*** 325,329 ****
break;
case $LANG01[28]: //Delete
! $display .= deletecomment($cid,$sid,$type);
break;
case display:
--- 337,341 ----
break;
case $LANG01[28]: //Delete
! $display .= deletecomment (strip_tags ($cid), strip_tags ($sid), $type);
break;
case display:
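Review bot: The strip_tags() calls wrapped around `$cid` and `$sid` here remove HTML markup but are not an SQL escape, and deletecomment() interpolates both values straight into DB_query strings (`$sid` quoted, `$cid` unquoted with only an is_numeric check), so the filtering at this call site protects the output context rather than the query context. If the DB layer offers an escaping helper, applying it (or validating `$sid` against the character set a story id may contain) before the values reach the queries would be the meaningful check; a short comment such as `// strip_tags guards HTML output only; SQL escaping happens in deletecomment()` would at least make the intended division of responsibility explicit. The enclosing switch starts and ends outside the hunk.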