[geeklog-cvs] geeklog-1.3/public_html article.php,1.36,1.37 comment.php,1.46,1.47
dhaun at geeklog.net
dhaun at geeklog.net
Sun Nov 16 13:22:35 EST 2003
Update of /usr/cvs/geeklog/geeklog-1.3/public_html
In directory geeklog_prod:/tmp/cvs-serv22849
Modified Files:
article.php comment.php
Log Message:
Changed to use COM_applyFilter (also applied some additional checks).
Index: article.php
===================================================================
RCS file: /usr/cvs/geeklog/geeklog-1.3/public_html/article.php,v
retrieving revision 1.36
retrieving revision 1.37
diff -C2 -d -r1.36 -r1.37
*** article.php 14 Oct 2003 18:38:26 -0000 1.36
--- article.php 16 Nov 2003 18:22:33 -0000 1.37
***************
*** 55,60 ****
// MAIN
// First see if we have a plugin that may be trying to use the Geeklog comment engine
! if (PLG_supportsComments($type)) {
// Yes, this is a plugin wanting to be commented on...do it
$display .= PLG_callCommentForm($type,$story,$mode,$order,$reply);
--- 55,75 ----
// MAIN
+ if (isset ($HTTP_POST_VARS['story'])) {
+ $story = COM_applyFilter($HTTP_POST_VARS['story']);
+ } else {
+ $story = COM_applyFilter($HTTP_GET_VARS['story']);
+ }
+ if (empty ($story)) {
+ echo COM_refresh ($_CONF['site_url'] . '/index.php');
+ exit();
+ }
+
// First see if we have a plugin that may be trying to use the Geeklog comment engine
! if (isset ($HTTP_POST_VARS['type'])) {
! $type = COM_applyFilter ($HTTP_POST_VARS['type']);
! } else {
! $type = COM_applyFilter ($HTTP_GET_VARS['type']);
! }
! if (!empty ($type) && PLG_supportsComments ($type)) {
// Yes, this is a plugin wanting to be commented on...do it
$display .= PLG_callCommentForm($type,$story,$mode,$order,$reply);
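Review bot: The `else` branches of the new `story` and `type` lookups read `$HTTP_GET_VARS['story']` and `$HTTP_GET_VARS['type']` without an `isset` guard, so a request carrying neither key raises an undefined-index notice before the `empty()` check gets to redirect; `$story = COM_applyFilter (isset ($HTTP_GET_VARS['story']) ? $HTTP_GET_VARS['story'] : '');` avoids it. The same unguarded GET reads recur in comment.php's main-switch hunk (the `display` and `default` cases) and in its final hunk (`cid`), so they are best fixed together. Separately, `PLG_callCommentForm($type,$story,$mode,$order,$reply)` now receives a filtered `$type` and `$story`, but `$mode`, `$order` and `$reply` are not derived from the request arrays anywhere in this hunk. Unless they are assigned earlier in the file, outside the hunk, they still arrive through register_globals unfiltered and deserve the same treatment.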
Index: comment.php
===================================================================
RCS file: /usr/cvs/geeklog/geeklog-1.3/public_html/comment.php,v
retrieving revision 1.46
retrieving revision 1.47
diff -C2 -d -r1.46 -r1.47
*** comment.php 14 Sep 2003 09:07:54 -0000 1.46
--- comment.php 16 Nov 2003 18:22:33 -0000 1.47
***************
*** 61,65 ****
* @param string $comment Text of comment
* @param string $sid ID of object comment belongs to
! * @param string $pid ID of parent comment
* @param string $type Type of object comment is posted to
* @param string $mode Mode, e.g. 'preview'
--- 61,65 ----
* @param string $comment Text of comment
* @param string $sid ID of object comment belongs to
! * @param int $pid ID of parent comment
* @param string $type Type of object comment is posted to
* @param string $mode Mode, e.g. 'preview'
***************
*** 70,86 ****
function commentform($uid,$title,$comment,$sid,$pid='0',$type,$mode,$postmode)
{
! global $_TABLES, $HTTP_POST_VARS, $REMOTE_ADDR, $_CONF, $LANG03, $LANG12, $LANG_LOGIN, $_USER;
$retval = '';
- if (empty ($postmode)) {
- $postmode = $_CONF['postmode'];
- }
-
- $sig = '';
- if ($uid > 1) {
- $sig = DB_getItem ($_TABLES['users'], 'sig', "uid = '$uid'");
- }
-
if (empty($_USER['username']) &&
(($_CONF['loginrequired'] == 1) || ($_CONF['commentsloginrequired'] == 1))) {
--- 70,77 ----
function commentform($uid,$title,$comment,$sid,$pid='0',$type,$mode,$postmode)
{
! global $_CONF, $_TABLES, $_USER, $HTTP_POST_VARS, $LANG03, $LANG12, $LANG_LOGIN;
$retval = '';
if (empty($_USER['username']) &&
(($_CONF['loginrequired'] == 1) || ($_CONF['commentsloginrequired'] == 1))) {
***************
*** 110,113 ****
--- 101,114 ----
. COM_endBlock (COM_getBlockTemplate ('_msg_block', 'footer'));
} else {
+
+ if (empty ($postmode)) {
+ $postmode = $_CONF['postmode'];
+ }
+
+ $sig = '';
+ if ($uid > 1) {
+ $sig = DB_getItem ($_TABLES['users'], 'sig', "uid = '$uid'");
+ }
+
if ($postmode == 'html') {
$commenttext = stripslashes($comment);
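Review bot: The signature lookup moved into the `else` branch interpolates `$uid` directly into the query as `"uid = '$uid'"`, and the only gate in front of it is `$uid > 1`, a loose numeric comparison that a string with a leading digit passes. The callers in this commit filter `$uid` with `COM_applyFilter (..., true)`, which looks like a numeric filter but is not shown on this page, so the function should not depend on it: `$sig = DB_getItem ($_TABLES['users'], 'sig', 'uid = ' . (int) $uid);` makes the query independent of how the caller obtained the value. `commentform` continues outside the hunk.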
***************
*** 144,147 ****
--- 145,152 ----
$start->set_var( 'layout_url', $_CONF['layout_url'] );
+ if (empty ($HTTP_POST_VARS['username'])) {
+ $HTTP_POST_VARS['username'] = DB_getItem ($_TABLES['users'],
+ 'username', "uid = {$HTTP_POST_VARS['uid']}");
+ }
$thecomments = COM_getComment ($HTTP_POST_VARS, 'flat', $type,
'ASC', false, true );
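Review bot: The new fallback builds `"uid = {$HTTP_POST_VARS['uid']}"` from the raw POST array, unquoted, although this function already receives the same value as its filtered `$uid` parameter; it is the one place in the commit where an unfiltered request value reaches a query. Use the parameter and pin the type: `'username', 'uid = ' . (int) $uid);`. The whole `$HTTP_POST_VARS` array is then handed to `COM_getComment`, so the write into `$HTTP_POST_VARS['username']` is presumably how the poster's name reaches the preview; a one-line comment such as `// COM_getComment reads the poster's name from the POST array, so fill it in for the preview` would save the next reader the guess.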
***************
*** 219,223 ****
* @param string $comment Text of comment
* @param string $sid ID of object receiving comment
! * @param string $pid ID of parent comment
* @param string $type Type of comment this is (article, poll, etc)
* @param string $postmode Indicates if text is HTML or plain text
--- 224,228 ----
* @param string $comment Text of comment
* @param string $sid ID of object receiving comment
! * @param int $pid ID of parent comment
* @param string $type Type of comment this is (article, poll, etc)
* @param string $postmode Indicates if text is HTML or plain text
***************
*** 225,234 ****
*
*/
! function savecomment($uid,$title,$comment,$sid,$pid,$type,$postmode)
{
! global $_TABLES, $_CONF, $LANG03, $REMOTE_ADDR;
$retval = '';
// Get signature
$sig = '';
--- 230,247 ----
*
*/
! function savecomment ($uid, $title, $comment, $sid, $pid, $type, $postmode)
{
! global $_CONF, $_TABLES, $_USER, $LANG03;
$retval = '';
+ if (empty ($sid) || empty ($title) || empty ($comment) || empty ($type) ||
+ ($uid == 0) || ($uid != $_USER['uid']) ||
+ (empty ($_USER['username']) && (($_CONF['loginrequired'] == 1) ||
+ ($_CONF['commentsloginrequired'] == 1)))) {
+ $retval .= COM_refresh ($_CONF['site_url'] . '/index.php');
+ return $retval;
+ }
+
// Get signature
$sig = '';
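Review bot: The new guard uses `empty ($comment)` and a loose `$uid != $_USER['uid']`: `empty()` rejects a comment consisting of the single character `0`, and with loose `!=` PHP converts a string like `'2x'` to 2 before comparing, so the check only holds if the caller's `COM_applyFilter (..., true)` really reduces `$uid` to an integer, which this page does not show. Casting both sides, `((int) $uid !== (int) $_USER['uid'])`, and testing `(trim ($comment) === '')` instead of `empty ($comment)` removes both dependencies. `$REMOTE_ADDR` was dropped from the `global` line; if the remainder of `savecomment`, which lies outside the hunk, still records it, that read now silently yields null.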
***************
*** 292,296 ****
* Deletes a given comment
*
! * @param string $cid Comment ID
* @param string $sid ID of object comment belongs to
* @param string $type Comment type (e.g. article, poll, etc)
--- 305,309 ----
* Deletes a given comment
*
! * @param int $cid Comment ID
* @param string $sid ID of object comment belongs to
* @param string $type Comment type (e.g. article, poll, etc)
***************
*** 298,308 ****
*
*/
! function deletecomment($cid,$sid,$type)
{
! global $_TABLES, $_CONF, $_USER, $REMOTE_ADDR;
$retval = '';
! if (!empty ($sid) && !empty ($cid) && is_numeric ($cid)) {
// only comments of type 'article' and 'poll' are handled by Geeklog
--- 311,321 ----
*
*/
! function deletecomment ($cid, $sid, $type)
{
! global $_CONF, $_TABLES, $_USER, $REMOTE_ADDR;
$retval = '';
! if (is_numeric ($cid) && ($cid > 0) && !empty ($sid) && !empty ($type)) {
// only comments of type 'article' and 'poll' are handled by Geeklog
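Review bot: `is_numeric ($cid) && ($cid > 0)` accepts floats and exponent notation such as `'1.5'` or `'1e3'`, and `$cid` is later interpolated as `"cid = '$cid'"` (visible further down in this file's diff), so the guard does not actually pin the value to an integer. Normalising first, `$cid = (int) $cid;` followed by `if (($cid > 0) && !empty ($sid) && !empty ($type)) {`, makes every later use of `$cid` an integer regardless of what the caller's filter returned. `$sid` and `$type` still rely entirely on the caller's `COM_applyFilter` for the `WHERE {$idname} = '{$sid}'` query below. `deletecomment` continues outside the hunk.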
***************
*** 312,323 ****
$table = $_TABLES['stories'];
$idname = 'sid';
} else {
$table = $_TABLES['pollquestions'];
$idname = 'qid';
}
$result = DB_query ("SELECT owner_id,group_id,perm_owner,perm_group,perm_members,perm_anon FROM {$table} WHERE {$idname} = '{$sid}'");
$A = DB_fetchArray ($result);
! if (SEC_hasAccess ($A['owner_id'], $A['group_id'], $A['perm_owner'],
! $A['perm_group'], $A['perm_members'], $A['perm_anon']) == 3) {
$pid = DB_getItem ($_TABLES['comments'], 'pid', "cid = '$cid'");
--- 325,340 ----
$table = $_TABLES['stories'];
$idname = 'sid';
+ $has_editPermissions = SEC_hasRights ('story.edit');
} else {
$table = $_TABLES['pollquestions'];
$idname = 'qid';
+ $has_editPermissions = SEC_hasRights ('poll.edit');
}
$result = DB_query ("SELECT owner_id,group_id,perm_owner,perm_group,perm_members,perm_anon FROM {$table} WHERE {$idname} = '{$sid}'");
$A = DB_fetchArray ($result);
!
! if ($has_editPermissions && SEC_hasAccess ($A['owner_id'],
! $A['group_id'], $A['perm_owner'], $A['perm_group'],
! $A['perm_members'], $A['perm_anon']) == 3) {
$pid = DB_getItem ($_TABLES['comments'], 'pid', "cid = '$cid'");
***************
*** 333,337 ****
'sid', $sid);
$retval .= COM_refresh ($_CONF['site_url']
! . '/article.php?story=' . $sid);
}
} else {
--- 350,354 ----
'sid', $sid);
$retval .= COM_refresh ($_CONF['site_url']
! . '/article.php?story=' . $sid . '#comments');
}
} else {
***************
*** 356,379 ****
// MAIN
- $title = strip_tags ($title);
switch ($mode) {
! case $LANG03[14]: //Preview
$display .= COM_siteHeader()
! . commentform($uid,$title,$comment,$sid,$pid,$type,$mode,$postmode)
. COM_siteFooter();
break;
! case $LANG03[11]: //Submit Comment
! $display .= savecomment($uid,$title,$comment,$sid,$pid,$type,$postmode);
break;
! case $LANG01[28]: //Delete
! $display .= deletecomment (strip_tags ($cid), strip_tags ($sid), $type);
break;
case 'display':
$display .= COM_siteHeader()
! . COM_userComments($sid,$title,$type,$order,'threaded',$pid)
. COM_siteFooter();
break;
default:
! if (!empty($sid)) {
if (empty ($title)) {
if ($type == 'article') {
--- 373,435 ----
// MAIN
switch ($mode) {
! case $LANG03[14]: // Preview
$display .= COM_siteHeader()
! . commentform (COM_applyFilter ($HTTP_POST_VARS['uid'], true),
! strip_tags ($HTTP_POST_VARS['title']), $HTTP_POST_VARS['comment'],
! COM_applyFilter ($HTTP_POST_VARS['sid']),
! COM_applyFilter ($HTTP_POST_VARS['pid'], true),
! COM_applyFilter ($HTTP_POST_VARS['type']),
! COM_applyFilter ($HTTP_POST_VARS['mode']),
! COM_applyFilter ($HTTP_POST_VARS['postmode']))
. COM_siteFooter();
break;
! case $LANG03[11]: // Submit Comment
! $display .= savecomment (COM_applyFilter ($HTTP_POST_VARS['uid'], true),
! strip_tags ($HTTP_POST_VARS['title']), $HTTP_POST_VARS['comment'],
! COM_applyFilter ($HTTP_POST_VARS['sid']),
! COM_applyFilter ($HTTP_POST_VARS['pid'], true),
! COM_applyFilter ($HTTP_POST_VARS['type']),
! COM_applyFilter ($HTTP_POST_VARS['postmode']));
break;
! case $LANG01[28]: // Delete
! $display .= deletecomment (COM_applyFilter ($cid, true),
! COM_applyFilter ($sid), COM_applyFilter ($type));
break;
case 'display':
+ if ($_USER['uid'] > 1) {
+ $commentmode = DB_getItem ($_TABLES['usercomment'], 'commentmode',
+ "uid = {$_USER['uid']}");
+ } else {
+ $commentmode = $_CONF['comment_mode'];
+ }
$display .= COM_siteHeader()
! . COM_userComments (COM_applyFilter ($HTTP_GET_VARS['sid']),
! strip_tags ($HTTP_GET_VARS['title']),
! COM_applyFilter ($HTTP_GET_VARS['type']),
! COM_applyFilter ($HTTP_GET_VARS['order']), $commentmode,
! COM_applyFilter ($HTTP_GET_VARS['pid'], true))
. COM_siteFooter();
break;
default:
! if (isset ($HTTP_POST_VARS['sid'])) {
! $sid = COM_applyFilter ($HTTP_POST_VARS['sid']);
! $type = COM_applyFilter ($HTTP_POST_VARS['type']);
! } else {
! $sid = COM_applyFilter ($HTTP_GET_VARS['sid']);
! $type = COM_applyFilter ($HTTP_GET_VARS['type']);
! }
! if (!empty ($sid)) {
! if (isset ($HTTP_POST_VARS['title'])) {
! $title = COM_applyFilter ($HTTP_POST_VARS['title']);
! $pid = COM_applyFilter ($HTTP_POST_VARS['pid'], true);
! $mode = COM_applyFilter ($HTTP_POST_VARS['mode']);
! $postmode = COM_applyFilter ($HTTP_POST_VARS['postmode']);
! } else {
! $title = COM_applyFilter ($HTTP_GET_VARS['title']);
! $pid = COM_applyFilter ($HTTP_GET_VARS['pid'], true);
! $mode = COM_applyFilter ($HTTP_GET_VARS['mode']);
! $postmode = COM_applyFilter ($HTTP_GET_VARS['postmode']);
! }
if (empty ($title)) {
if ($type == 'article') {
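Review bot: `switch ($mode)` still dispatches on the bare `$mode` variable, and the Delete case filters `$cid`, `$sid` and `$type` as bare variables, while every other case in this hunk now reads its input explicitly from `$HTTP_POST_VARS` / `$HTTP_GET_VARS`; unless those variables are assigned earlier in the file, outside the hunk, they still depend on register_globals, which the rest of the commit is moving away from. Reading `$mode` the same way as the other parameters before the switch, and `cid`/`sid`/`type` from the request arrays in the Delete case, would make the entry point consistent. Also, `title` is sanitised with `strip_tags` in the Preview and Submit cases but with `COM_applyFilter` in the `default` case; if both are intentional, a short comment on why would help. The `default` case continues into the next hunk.
```php
// Resolve the dispatch mode from the request itself, POST taking precedence
// over GET, so the switch below no longer depends on register_globals.
if (isset ($HTTP_POST_VARS['mode'])) {
    $mode = COM_applyFilter ($HTTP_POST_VARS['mode']);
} elseif (isset ($HTTP_GET_VARS['mode'])) {
    $mode = COM_applyFilter ($HTTP_GET_VARS['mode']);
} else {
    $mode = '';
}
switch ($mode) {
// … unchanged: Preview, Submit Comment, Delete, display and default cases …
```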
***************
*** 386,399 ****
$title = str_replace ('$', '$', $title);
}
! $display .= COM_siteHeader()
! . commentform('',$title,'',$sid,$pid,$type,$mode,$postmode)
! . COM_siteFooter();
} else {
// This could still be a plugin wanting comments
! if (strlen($type) > 0) {
! $display .= PLG_callCommentForm($type,$cid);
} else {
// must be a mistake at this point
! $display .= COM_refresh("{$_CONF['site_url']}/index.php");
}
}
--- 442,465 ----
$title = str_replace ('$', '$', $title);
}
! if (!empty ($type)) {
! $display .= COM_siteHeader()
! . commentform ($_USER['uid'], $title, '', $sid, $pid, $type,
! $mode, $postmode)
! . COM_siteFooter();
! } else {
! $display .= COM_refresh($_CONF['site_url'] . '/index.php');
! }
} else {
// This could still be a plugin wanting comments
! if (isset ($HTTP_POST_VARS['cid'])) {
! $cid = COM_applyFilter ($HTTP_POST_VARS['cid'], true);
! } else {
! $cid = COM_applyFilter ($HTTP_GET_VARS['cid'], true);
! }
! if (!empty ($type) && ($cid > 0)) {
! $display .= PLG_callCommentForm ($type, $cid);
} else {
// must be a mistake at this point
! $display .= COM_refresh($_CONF['site_url'] . '/index.php');
}
}
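Review bot: The POST-then-GET selection for `cid` repeats, for the seventh time in this file's main block, the same four-line pattern already used for `sid`, `type`, `title`, `pid`, `mode` and `postmode`, each copy with its own `else` branch reading `$HTTP_GET_VARS[...]` directly. A small helper taking the parameter name and the numeric flag would remove the duplication and put the missing-key handling in one place; the `true` second argument to `COM_applyFilter` looks like a numeric flag but its meaning is not shown on this page, so confirm that before relying on it, and confirm what `COM_applyFilter` returns for an absent value so the helper's fallback matches. The `$cid > 0` half of `if (!empty ($type) && ($cid > 0))` is not covered by the existing `// must be a mistake at this point` comment; extend it to `// must be a mistake at this point: no type, or no valid comment id`. The `default` case began in the previous hunk.
```php
// Returns one request parameter, POST taking precedence over GET, passed
// through COM_applyFilter; $isnumeric is forwarded as its second argument.
// Yields '' when the parameter is absent (confirm this matches what
// COM_applyFilter itself returns for empty input).
function requestParam ($name, $isnumeric = false)
{
    global $HTTP_POST_VARS, $HTTP_GET_VARS;

    if (isset ($HTTP_POST_VARS[$name])) {
        return COM_applyFilter ($HTTP_POST_VARS[$name], $isnumeric);
    } elseif (isset ($HTTP_GET_VARS[$name])) {
        return COM_applyFilter ($HTTP_GET_VARS[$name], $isnumeric);
    }

    return '';
}

// … unchanged: default case up to the plugin branch …
            $cid = requestParam ('cid', true);
            if (!empty ($type) && ($cid > 0)) {
// … unchanged: PLG_callCommentForm call and redirect …
```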