source: trunk/comments.php @ 3452

Last change on this file since 3452 was 3452, checked in by nikrou, 15 years ago

Fix two problems with Feature 1026:
use `$conf['user_fields']['username']` and `$conf['user_fields']['id']` instead of `username` and `id`;
escape comment content before editing it.

1<?php
2// +-----------------------------------------------------------------------+
3// | Piwigo - a PHP based picture gallery                                  |
4// +-----------------------------------------------------------------------+
5// | Copyright(C) 2008-2009 Piwigo Team                  http://piwigo.org |
6// | Copyright(C) 2003-2008 PhpWebGallery Team    http://phpwebgallery.net |
7// | Copyright(C) 2002-2003 Pierrick LE GALL   http://le-gall.net/pierrick |
8// +-----------------------------------------------------------------------+
9// | This program is free software; you can redistribute it and/or modify  |
10// | it under the terms of the GNU General Public License as published by  |
11// | the Free Software Foundation                                          |
12// |                                                                       |
13// | This program is distributed in the hope that it will be useful, but   |
14// | WITHOUT ANY WARRANTY; without even the implied warranty of            |
15// | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU      |
16// | General Public License for more details.                              |
17// |                                                                       |
18// | You should have received a copy of the GNU General Public License     |
19// | along with this program; if not, write to the Free Software           |
20// | Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, |
21// | USA.                                                                  |
22// +-----------------------------------------------------------------------+
23
24// +-----------------------------------------------------------------------+
25// |                           initialization                              |
26// +-----------------------------------------------------------------------+
// Root of the Piwigo installation relative to this script; every include
// below is resolved against it.
define('PHPWG_ROOT_PATH', './');
include_once PHPWG_ROOT_PATH.'include/common.inc.php';
include_once PHPWG_ROOT_PATH.'include/functions_comment.inc.php';

// +-----------------------------------------------------------------------+
// | Check Access and exit when user status is not ok                      |
// +-----------------------------------------------------------------------+
// Guests are allowed to view the comments page; anything below that status
// is rejected by check_status(), which does not return in that case.
check_status(ACCESS_GUEST);
35
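// sort_order : sorting directions offered in the form, keyed by the SQL
// keyword that is later concatenated into ORDER BY
$sort_order = array(
  'DESC' => l10n('descending'),
  'ASC'  => l10n('ascending')
  );

// sort_by : database fields proposed for sorting comments list
$sort_by = array(
  'date' => l10n('comment date'),
  'image_id' => l10n('picture')
  );

// items_number : list of number of items to display per page
$items_number = array(5,10,20,50,'all');

// since when display comments ?
// each entry carries the label shown in the form and the SQL fragment that
// is appended to the WHERE clause of the comments queries
$since_options = array(
  1 => array('label' => l10n('today'),
             'clause' => 'date > SUBDATE(CURDATE(), INTERVAL 1 DAY)'),
  2 => array('label' => sprintf(l10n('last %d days'), 7),
             'clause' => 'date > SUBDATE(CURDATE(), INTERVAL 7 DAY)'),
  3 => array('label' => sprintf(l10n('last %d days'), 30),
             'clause' => 'date > SUBDATE(CURDATE(), INTERVAL 30 DAY)'),
  4 => array('label' => l10n('the beginning'),
             'clause' => '1=1') // stupid but generic
  );

// default is "the beginning". Only a key of $since_options is accepted: the
// value selects one of the SQL clauses above, and an unknown value would
// otherwise put an empty clause into the query and break it.
$page['since'] = 4;
if (isset($_GET['since']) and isset($since_options[$_GET['since']]))
{
  $page['since'] = $_GET['since'];
}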
64
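// on which field sorting
//
$page['sort_by'] = 'date';
// if the form was submitted, it overloads default behaviour. The value is
// whitelisted against $sort_by because it is concatenated into ORDER BY.
if (isset($_GET['sort_by']) and isset($sort_by[$_GET['sort_by']]) )
{
  $page['sort_by'] = $_GET['sort_by'];
}

// order to sort
//
$page['sort_order'] = 'DESC';
// same whitelisting as above: the value ends up in ORDER BY as well
if (isset($_GET['sort_order']) and isset($sort_order[$_GET['sort_order']]))
{
  $page['sort_order'] = $_GET['sort_order'];
}

// number of items to display
//
// Either the literal 'all' or a non-negative integer: the value is
// concatenated into the LIMIT clause of the comments query, so anything
// else is ignored and the default is kept.
$page['items_number'] = 10;
if (isset($_GET['items_number']) and is_string($_GET['items_number']))
{
  if ('all' === $_GET['items_number'])
  {
    $page['items_number'] = 'all';
  }
  elseif (ctype_digit($_GET['items_number']))
  {
    $page['items_number'] = (int)$_GET['items_number'];
  }
}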
90
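$page['where_clauses'] = array();

// which category to filter on ?
// The id is required to be a plain integer: the ids returned by
// get_subcat_ids() (presumably the category and its sub-categories) are
// concatenated into an IN (...) list, so nothing else may reach that call.
// A value of 0 means "no category filter", as before.
if (isset($_GET['cat']) and is_string($_GET['cat'])
    and ctype_digit($_GET['cat']) and 0 != $_GET['cat'])
{
  $page['where_clauses'][] =
    'category_id IN ('.implode(',', get_subcat_ids(array($_GET['cat']))).')';
}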
99
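// search a particular author
// A comment either belongs to a registered user (matched on the configured
// username column of the users table) or carries a free-text author name
// (matched on the author column). The two alternatives are wrapped in
// parentheses: the where clauses are later joined with AND, and an
// unparenthesised OR would detach the conditions that follow it (time
// window, validation status, category permissions) from the author match.
if (isset($_GET['author']) and !empty($_GET['author']))
{
  $author_pattern = addslashes($_GET['author']);
  $page['where_clauses'][] =
    '(u.'.$conf['user_fields']['username'].' = \''.$author_pattern.'\'
     OR author = \''.$author_pattern.'\')';
}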
107
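// search a substring among comments content
// The keyword string is split on blanks, commas and semicolons; every
// non-empty token must appear in the content. Each token is escaped with
// addslashes() before being embedded in its LIKE pattern, the same escaping
// the author filter uses (a charset-aware escaper would be stricter).
// An input made only of separators yields no token and adds no clause.
if (isset($_GET['keyword']) and is_string($_GET['keyword'])
    and !empty($_GET['keyword']))
{
  $keyword_clauses = array();
  $keywords = preg_split('/[\s,;]+/', $_GET['keyword'], -1, PREG_SPLIT_NO_EMPTY);
  foreach ($keywords as $keyword)
  {
    $keyword_clauses[] = 'content LIKE \'%'.addslashes($keyword).'%\'';
  }
  if (count($keyword_clauses) > 0)
  {
    $page['where_clauses'][] = '('.implode(' AND ', $keyword_clauses).')';
  }
}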
124
// time window chosen in the form, see $since_options
$page['where_clauses'][] = $since_options[$page['since']]['clause'];

// which status to filter on ?
// only administrators get to see comments that are not validated yet
if (!is_admin())
{
  $page['where_clauses'][] = 'validated="true"';
}

// permission filter on the joined category / image columns (presumably
// hides comments of categories and images the current user may not see)
$permission_fields = array(
  'forbidden_categories' => 'category_id',
  'visible_categories' => 'category_id',
  'visible_images' => 'ic.image_id'
  );
$page['where_clauses'][] = get_sql_condition_FandF($permission_fields, '', true);
143
144// +-----------------------------------------------------------------------+
145// |                         comments management                           |
146// +-----------------------------------------------------------------------+
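// comments deletion
// Allowed for administrators, or for everybody when the configuration says
// so; any per-comment check is left to delete_user_comment(). The id is
// normalised to an integer before being handed over: is_numeric() also
// accepts forms such as "1e1" or leading blanks, which are not a valid id.
if (isset($_GET['delete']) and is_numeric($_GET['delete'])
    and (is_admin() || $conf['user_can_delete_comment']))
{
  delete_user_comment((int)$_GET['delete']);
}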
152
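// comments validation
// Advisers are excluded up front; everybody else must be an administrator,
// which check_status() enforces (it does not return otherwise). The id is
// cast to int because it is concatenated into the UPDATE statement.
if (isset($_GET['validate']) and is_numeric($_GET['validate'])
      and !is_adviser() )
{
  check_status(ACCESS_ADMINISTRATOR);
  $query = '
UPDATE '.COMMENTS_TABLE.'
  SET validated = \'true\'
  , validation_date = NOW()
  WHERE id='.(int)$_GET['validate'].'
;';
  pwg_query($query);
}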
165
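// comments edition
// When the edit form was submitted with a content, the comment is updated
// through update_user_comment(), which also receives the key posted with
// the form (see get_comment_post_key() below). Otherwise the id is kept in
// $edit_comment so the display loop shows that comment in edit mode.
// The POST fields are read with isset() so a partial form does not emit
// notices; a missing field is passed as null, as before.
if (isset($_GET['edit']) and is_numeric($_GET['edit'])
    and (is_admin() || $conf['user_can_edit_comment']))
{
  if (!empty($_POST['content']))
  {
    update_user_comment(
      array(
        'comment_id' => (int)$_GET['edit'],
        'image_id' => isset($_POST['image_id']) ? $_POST['image_id'] : null,
        'content' => $_POST['content']
        ),
      isset($_POST['key']) ? $_POST['key'] : null
      );

    $edit_comment = null;
  }
  else
  {
    $edit_comment = (int)$_GET['edit'];
  }
}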
184
185// +-----------------------------------------------------------------------+
186// |                       page header and options                         |
187// +-----------------------------------------------------------------------+
188
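$title= l10n('User comments');
$page['body_id'] = 'theCommentsPage';

// The current search values are echoed back into the form. They are read
// only when present (no error suppression) and escaped for an HTML
// attribute context, quotes included.
$form_keyword = '';
if (isset($_GET['keyword']) and is_string($_GET['keyword']))
{
  $form_keyword = $_GET['keyword'];
}
$form_author = '';
if (isset($_GET['author']) and is_string($_GET['author']))
{
  $form_author = $_GET['author'];
}

$template->set_filenames(array('comments'=>'comments.tpl'));
$template->assign(
  array(
    'F_ACTION'=>PHPWG_ROOT_PATH.'comments.php',
    'F_KEYWORD'=>htmlspecialchars(stripslashes($form_keyword), ENT_QUOTES),
    'F_AUTHOR'=>htmlspecialchars(stripslashes($form_author), ENT_QUOTES),
    )
  );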
200
201// +-----------------------------------------------------------------------+
202// |                          form construction                            |
203// +-----------------------------------------------------------------------+
204
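// Search in a particular category
// The drop-down is restricted by the same permission condition as the
// comments themselves, applied here to the category id column.
$blockname = 'categories';

$query = '
SELECT id, name, uppercats, global_rank
  FROM '.CATEGORIES_TABLE.'
'.get_sql_condition_FandF
  (
    array
      (
        'forbidden_categories' => 'id',
        'visible_categories' => 'id'
      ),
    'WHERE'
  ).'
;';
// pre-select the category currently filtered on, if any (null when the
// parameter is absent, without relying on error suppression)
$selected_cat = isset($_GET['cat']) ? $_GET['cat'] : null;
display_select_cat_wrapper($query, array($selected_cat), $blockname, true);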
222
// Filter on recent comments...
// only the labels go to the template, keyed like $since_options
$since_labels = array();
foreach ($since_options as $since_id => $since_option)
{
  $since_labels[$since_id] = $since_option['label'];
}
$template->assign('since_options', $since_labels);
$template->assign('since_options_selected', $page['since']);

// Sort by
$template->assign('sort_by_options', $sort_by);
$template->assign('sort_by_options_selected', $page['sort_by']);

// Sorting order
$template->assign('sort_order_options', $sort_order);
$template->assign('sort_order_options_selected', $page['sort_order']);


// Number of items
// numeric choices are displayed as they are, the 'all' entry is translated
$blockname = 'items_number_option';
$items_labels = array();
foreach ($items_number as $items_option)
{
  if (is_numeric($items_option))
  {
    $items_labels[$items_option] = $items_option;
  }
  else
  {
    $items_labels[$items_option] = l10n($items_option);
  }
}
$template->assign('item_number_options', $items_labels);
$template->assign('item_number_options_selected', $page['items_number']);
250
251
252// +-----------------------------------------------------------------------+
253// |                            navigation bar                             |
254// +-----------------------------------------------------------------------+
255
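// offset of the first comment of this page. It comes from the request and
// is concatenated into the LIMIT clause below, so it is normalised to a
// non-negative integer (is_numeric() alone also accepts "1.5" or "1e2").
$start = 0;
if (isset($_GET['start']) and is_numeric($_GET['start']))
{
  $start = max(0, (int)$_GET['start']);
}

// total number of comments matching the filters, used for the page count
$query = '
SELECT COUNT(DISTINCT(com.id))
  FROM '.IMAGE_CATEGORY_TABLE.' AS ic
    INNER JOIN '.COMMENTS_TABLE.' AS com
    ON ic.image_id = com.image_id
    LEFT JOIN '.USERS_TABLE.' As u
    ON u.'.$conf['user_fields']['id'].' = com.author_id
  WHERE '.implode('
    AND ', $page['where_clauses']).'
;';
list($counter) = mysql_fetch_row(pwg_query($query));

// base URL of the navigation links: the current filters, minus the
// pagination offset and the parameters that trigger an action
$url = PHPWG_ROOT_PATH
    .'comments.php'
    .get_query_string_diff(array('start','delete','validate'));

$navbar = create_navigation_bar($url,
                                $counter,
                                $start,
                                $page['items_number'],
                                '');

$template->assign('navbar', $navbar);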
288
289// +-----------------------------------------------------------------------+
290// |                        last comments display                          |
291// +-----------------------------------------------------------------------+
292
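$comments = array();
$element_ids = array();
$category_ids = array();

// comments of the current page. sort_by and sort_order were whitelisted
// against $sort_by / $sort_order above; start and items_number are cast to
// int right here because they are concatenated into LIMIT.
$query = '
SELECT com.id AS comment_id
     , com.image_id
     , ic.category_id
     , com.author
     , com.author_id
     , '.$conf['user_fields']['username'].' AS username
     , com.date
     , com.content
     , com.validated
  FROM '.IMAGE_CATEGORY_TABLE.' AS ic
    INNER JOIN '.COMMENTS_TABLE.' AS com   
    ON ic.image_id = com.image_id
    LEFT JOIN '.USERS_TABLE.' AS u
    ON u.'.$conf['user_fields']['id'].' = com.author_id
  WHERE '.implode('
    AND ', $page['where_clauses']).'
  GROUP BY comment_id
  ORDER BY '.$page['sort_by'].' '.$page['sort_order'];
if ('all' != $page['items_number'])
{
  $query.= '
  LIMIT '.(int)$start.','.(int)$page['items_number'];
}
$query.= '
;';
$result = pwg_query($query);
// collect the rows plus the image and category ids needed by the queries
// that follow
while ($row = mysql_fetch_assoc($result))
{
  $comments[] = $row;
  $element_ids[] = $row['image_id'];
  $category_ids[] = $row['category_id'];
}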
330
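if (count($comments) > 0)
{
  // retrieving element informations
  $elements = array();
  $query = '
SELECT id, name, file, path, tn_ext
  FROM '.IMAGES_TABLE.'
  WHERE id IN ('.implode(',', $element_ids).')
;';
  $result = pwg_query($query);
  while ($row = mysql_fetch_assoc($result))
  {
    $elements[$row['id']] = $row;
  }

  // retrieving category informations
  $query = '
SELECT id, name, permalink, uppercats
  FROM '.CATEGORIES_TABLE.'
  WHERE id IN ('.implode(',', $category_ids).')
;';
  $categories = hash_from_query($query, 'id');

  // base URL of the action links: the current query string without the
  // parameters that trigger an action. It is computed once instead of being
  // reused from whichever link happened to be built last, so U_VALIDATE no
  // longer depends on the edit/delete permissions of the current user.
  $action_url = get_root_url().'comments.php'
    .get_query_string_diff(array('edit', 'delete', 'validate'));

  foreach ($comments as $comment)
  {
    $element = $elements[$comment['image_id']];

    // picture name, falling back to a name derived from the file name
    if (!empty($element['name']))
    {
      $name = $element['name'];
    }
    else
    {
      $name = get_name_from_file($element['file']);
    }

    // source of the thumbnail picture
    $thumbnail_src = get_thumbnail_url($element);

    // link to the full size picture
    $url = make_picture_url(
            array(
              'category' => $categories[ $comment['category_id'] ],
              'image_id' => $comment['image_id'],
              'image_file' => $element['file'],
            )
          );

    // author: the free-text name stored with the comment, translated when
    // it is the literal 'guest', else the username of the registered author
    if (!empty($comment['author']))
    {
      $author = $comment['author'];
      if ($author == 'guest')
      {
        $author = l10n('guest');
      }
    }
    else
    {
      $author = $comment['username'];
    }

    $tpl_comment =
      array(
        'U_PICTURE' => $url,
        'TN_SRC' => $thumbnail_src,
        'ALT' => $name,
        'AUTHOR' => trigger_event('render_comment_author', $author),
        'DATE'=>format_date($comment['date'], true),
        'CONTENT'=>trigger_event('render_comment_content',$comment['content']),
        );

    if (can_manage_comment('delete', $comment['author_id']))
    {
      $tpl_comment['U_DELETE'] =
        add_url_params($action_url,
                       array('delete'=>$comment['comment_id'])
                       );
    }
    if (can_manage_comment('edit', $comment['author_id']))
    {
      $tpl_comment['U_EDIT'] =
        add_url_params($action_url,
                       array('edit'=>$comment['comment_id'])
                       );
      if (isset($edit_comment) and ($comment['comment_id'] == $edit_comment))
      {
        $tpl_comment['IN_EDIT'] = true;
        $tpl_comment['KEY'] = get_comment_post_key($comment['image_id']);
        $tpl_comment['IMAGE_ID'] = $comment['image_id'];
        // raw content for the edit textarea: unlike the rendered CONTENT
        // above it does not go through the render_comment_content event, so
        // it has to be escaped by the template (NOTE(review): confirm
        // comments.tpl does so)
        $tpl_comment['CONTENT'] = $comment['content'];
      }
    }

    // validation link, administrators only, for comments still pending
    if ( is_admin() && $comment['validated'] != 'true')
    {
      $tpl_comment['U_VALIDATE'] =
        add_url_params($action_url,
                       array('validate'=>$comment['comment_id'])
                       );
    }
    $template->append('comments', $tpl_comment);
  }
}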
437// +-----------------------------------------------------------------------+
438// |                           html code display                           |
439// +-----------------------------------------------------------------------+
// render the page: common header, the comments template, common footer
include PHPWG_ROOT_PATH.'include/page_header.php';
$template->pparse('comments');
include PHPWG_ROOT_PATH.'include/page_tail.php';
443?>