Context Navigation

source: trunk/include/functions_comment.inc.php @ 16077

Last change on this file since 16077 was 15983, checked in by mistic100, 12 years ago
bug 2660: check guest IP on insert_user_comment (same system as rate_picture)
Property svn:eol-style set to `LF`
File size: 12.0 KB

Rev	Line
[1849]	1	<?php
	2	// +-----------------------------------------------------------------------+
[8728]	3	// \| Piwigo - a PHP based photo gallery \|
[2297]	4	// +-----------------------------------------------------------------------+
[12922]	5	// \| Copyright(C) 2008-2012 Piwigo Team http://piwigo.org \|
[2297]	6	// \| Copyright(C) 2003-2008 PhpWebGallery Team http://phpwebgallery.net \|
	7	// \| Copyright(C) 2002-2003 Pierrick LE GALL http://le-gall.net/pierrick \|
	8	// +-----------------------------------------------------------------------+
	9	// \| This program is free software; you can redistribute it and/or modify \|
	10	// \| it under the terms of the GNU General Public License as published by \|
	11	// \| the Free Software Foundation \|
	12	// \| \|
	13	// \| This program is distributed in the hope that it will be useful, but \|
	14	// \| WITHOUT ANY WARRANTY; without even the implied warranty of \|
	15	// \| MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU \|
	16	// \| General Public License for more details. \|
	17	// \| \|
	18	// \| You should have received a copy of the GNU General Public License \|
	19	// \| along with this program; if not, write to the Free Software \|
	20	// \| Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, \|
	21	// \| USA. \|
	22	// +-----------------------------------------------------------------------+
[1849]	23
	24	//returns string action to perform on a new comment: validate, moderate, reject
	25	function user_comment_check($action, $comment)
	26	{
	27	global $conf,$user;
	28
	29	if ($action=='reject')
	30	return $action;
	31
	32	$my_action = $conf['comment_spam_reject'] ? 'reject':'moderate';
	33
	34	if ($action==$my_action)
	35	return $action;
	36
	37	// we do here only BASIC spam check (plugins can do more)
[2029]	38	if ( !is_a_guest() )
[1849]	39	return $action;
	40
	41	$link_count = preg_match_all( '/https?:\/\//',
	42	$comment['content'], $matches);
	43
	44	if ( strpos($comment['author'], 'http://')!==false )
	45	{
	46	$link_count++;
	47	}
[2155]	48
[1849]	49	if ( $link_count>$conf['comment_spam_max_links'] )
[13800]	50	{
	51	$_POST['cr'][] = 'links';
[1849]	52	return $my_action;
[13800]	53	}
[1849]	54	return $action;
	55	}
	56
	57
	58	add_event_handler('user_comment_check', 'user_comment_check',
	59	EVENT_HANDLER_PRIORITY_NEUTRAL, 2);
	60
	61	/**
	62	* Tries to insert a user comment in the database and returns one of :
	63	* validate, moderate, reject
	64	* @param array comm contains author, content, image_id
	65	* @param string key secret key sent back to the browser
	66	* @param array infos out array of messages
	67	*/
	68	function insert_user_comment( &$comm, $key, &$infos )
	69	{
	70	global $conf, $user;
[2155]	71
	72	$comm = array_merge( $comm,
[1849]	73	array(
	74	'ip' => $_SERVER['REMOTE_ADDR'],
	75	'agent' => $_SERVER['HTTP_USER_AGENT']
	76	)
	77	);
	78
	79	$infos = array();
	80	if (!$conf['comments_validation'] or is_admin())
	81	{
	82	$comment_action='validate'; //one of validate, moderate, reject
	83	}
	84	else
	85	{
	86	$comment_action='moderate'; //one of validate, moderate, reject
	87	}
	88
[2029]	89	// display author field if the user status is guest or generic
	90	if (!is_classic_user())
[1849]	91	{
	92	if ( empty($comm['author']) )
	93	{
	94	$comm['author'] = 'guest';
	95	}
[3450]	96	$comm['author_id'] = $conf['guest_id'];
[1849]	97	// if a guest try to use the name of an already existing user, he must be
	98	// rejected
	99	if ( $comm['author'] != 'guest' )
	100	{
	101	$query = '
	102	SELECT COUNT(*) AS user_exists
	103	FROM '.USERS_TABLE.'
[4304]	104	WHERE '.$conf['user_fields']['username']." = '".addslashes($comm['author'])."'";
[4325]	105	$row = pwg_db_fetch_assoc( pwg_query( $query ) );
[1849]	106	if ( $row['user_exists'] == 1 )
	107	{
[5021]	108	array_push($infos, l10n('This login is already used by another user') );
[1849]	109	$comment_action='reject';
	110	}
	111	}
	112	}
	113	else
	114	{
[3600]	115	$comm['author'] = addslashes($user['username']);
[3450]	116	$comm['author_id'] = $user['id'];
[1849]	117	}
[3450]	118
[1849]	119	if ( empty($comm['content']) )
	120	{ // empty comment content
	121	$comment_action='reject';
	122	}
	123
[7495]	124	if ( !verify_ephemeral_key(@$key, $comm['image_id']) )
[1849]	125	{
	126	$comment_action='reject';
[13800]	127	$_POST['cr'][] = 'key'; // rvelices: I use this outside to see how spam robots work
[1849]	128	}
[15983]	129
	130	// anonymous id = ip address
	131	$ip_components = explode('.', $comm['ip']);
	132	if (count($ip_components) > 3)
	133	{
	134	array_pop($ip_components);
	135	}
	136	$comm['anonymous_id'] = implode('.', $ip_components);
[2155]	137
[7784]	138	if ($comment_action!='reject' and $conf['anti-flood_time']>0 and !is_admin())
[1849]	139	{ // anti-flood system
[6604]	140	$reference_date = pwg_db_get_flood_period_expression($conf['anti-flood_time']);
	141
[1849]	142	$query = '
[6604]	143	SELECT count(1) FROM '.COMMENTS_TABLE.'
	144	WHERE date > '.$reference_date.'
[3450]	145	AND author_id = '.$comm['author_id'];
[15983]	146	if (!is_classic_user())
	147	{
	148	$query.= '
	149	AND anonymous_id = "'.$comm['anonymous_id'].'"';
	150	}
	151	$query.= '
	152	;';
	153
[6604]	154	list($counter) = pwg_db_fetch_row(pwg_query($query));
	155	if ( $counter > 0 )
[1849]	156	{
[5021]	157	array_push( $infos, l10n('Anti-flood system : please wait for a moment before trying to post another comment') );
[1849]	158	$comment_action='reject';
	159	}
	160	}
	161
	162	// perform more spam check
	163	$comment_action = trigger_event('user_comment_check',
	164	$comment_action, $comm
	165	);
	166
	167	if ( $comment_action!='reject' )
	168	{
	169	$query = '
	170	INSERT INTO '.COMMENTS_TABLE.'
[15983]	171	(author, author_id, anonymous_id, content, date, validated, validation_date, image_id)
[1849]	172	VALUES (
[6589]	173	\''.$comm['author'].'\',
[3450]	174	'.$comm['author_id'].',
[15983]	175	\''.$comm['anonymous_id'].'\',
[6589]	176	\''.$comm['content'].'\',
[1849]	177	NOW(),
[6589]	178	\''.($comment_action=='validate' ? 'true':'false').'\',
[1849]	179	'.($comment_action=='validate' ? 'NOW()':'NULL').',
[2155]	180	'.$comm['image_id'].'
[1849]	181	)
	182	';
	183
	184	pwg_query($query);
	185
[4892]	186	$comm['id'] = pwg_db_insert_id(COMMENTS_TABLE);
[1849]	187
[13800]	188	if ( ($conf['email_admin_on_comment'] && 'validate' == $comment_action)
[5195]	189	or ($conf['email_admin_on_comment_validation'] and 'moderate' == $comment_action))
[1849]	190	{
	191	include_once(PHPWG_ROOT_PATH.'include/functions_mail.inc.php');
	192
[5195]	193	$comment_url = get_absolute_root_url().'comments.php?comment_id='.$comm['id'];
[1849]	194
[1908]	195	$keyargs_content = array
	196	(
[3600]	197	get_l10n_args('Author: %s', stripslashes($comm['author']) ),
[3488]	198	get_l10n_args('Comment: %s', stripslashes($comm['content']) ),
[1908]	199	get_l10n_args('', ''),
[5195]	200	get_l10n_args('Manage this user comment: %s', $comment_url)
[1908]	201	);
[1849]	202
[5195]	203	if ('moderate' == $comment_action)
[1849]	204	{
[5195]	205	$keyargs_content[] = get_l10n_args('', '');
	206	$keyargs_content[] = get_l10n_args('(!) This comment requires validation', '');
[1849]	207	}
	208
[1908]	209	pwg_mail_notification_admins
[1849]	210	(
[3600]	211	get_l10n_args('Comment by %s', stripslashes($comm['author']) ),
[1908]	212	$keyargs_content
[1849]	213	);
	214	}
	215	}
	216	return $comment_action;
	217	}
	218
[3445]	219	/**
	220	* Tries to delete a user comment in the database
	221	* only admin can delete all comments
[3488]	222	* other users can delete their own comments
[3445]	223	* so to avoid a new sql request we add author in where clause
	224	*
[12596]	225	* @param int or array of int comment_id
[3445]	226	*/
[12596]	227	function delete_user_comment($comment_id)
	228	{
[3445]	229	$user_where_clause = '';
	230	if (!is_admin())
	231	{
[3450]	232	$user_where_clause = ' AND author_id = \''.$GLOBALS['user']['id'].'\'';
[3445]	233	}
[12596]	234
	235	if (is_array($comment_id))
	236	$where_clause = 'id IN('.implode(',', $comment_id).')';
	237	else
	238	$where_clause = 'id = '.$comment_id;
	239
[3445]	240	$query = '
	241	DELETE FROM '.COMMENTS_TABLE.'
[12596]	242	WHERE '.$where_clause.
[3445]	243	$user_where_clause.'
	244	;';
	245	$result = pwg_query($query);
[12596]	246
	247	if ($result)
	248	{
[5707]	249	email_admin('delete',
	250	array('author' => $GLOBALS['user']['username'],
	251	'comment_id' => $comment_id
	252	));
[3445]	253	}
[12556]	254
	255	trigger_action('user_comment_deletion', $comment_id);
[3445]	256	}
	257
	258	/**
	259	* Tries to update a user comment in the database
	260	* only admin can update all comments
	261	* users can edit their own comments if admin allow them
	262	* so to avoid a new sql request we add author in where clause
	263	*
[3488]	264	* @param comment_id
[3445]	265	* @param post_key
	266	* @param content
	267	*/
	268
[3488]	269	function update_user_comment($comment, $post_key)
	270	{
[3445]	271	global $conf;
	272
	273	$comment_action = 'validate';
	274
[7495]	275	if ( !verify_ephemeral_key($post_key, $comment['image_id']) )
[3445]	276	{
	277	$comment_action='reject';
	278	}
[11253]	279	elseif (!$conf['comments_validation'] or is_admin()) // should the updated comment must be validated
	280	{
	281	$comment_action='validate'; //one of validate, moderate, reject
	282	}
	283	else
	284	{
	285	$comment_action='moderate'; //one of validate, moderate, reject
	286	}
[3445]	287
	288	// perform more spam check
[3488]	289	$comment_action =
[3445]	290	trigger_event('user_comment_check',
[3488]	291	$comment_action,
	292	array_merge($comment,
[3445]	293	array('author' => $GLOBALS['user']['username'])
	294	)
	295	);
	296
	297	if ( $comment_action!='reject' )
	298	{
	299	$user_where_clause = '';
	300	if (!is_admin())
	301	{
[3450]	302	$user_where_clause = ' AND author_id = \''.
	303	$GLOBALS['user']['id'].'\'';
[3445]	304	}
[10097]	305
[3445]	306	$query = '
	307	UPDATE '.COMMENTS_TABLE.'
	308	SET content = \''.$comment['content'].'\',
[10097]	309	validated = \''.($comment_action=='validate' ? 'true':'false').'\',
	310	validation_date = '.($comment_action=='validate' ? 'NOW()':'NULL').'
[3445]	311	WHERE id = '.$comment['comment_id'].
	312	$user_where_clause.'
	313	;';
	314	$result = pwg_query($query);
[10097]	315
	316	// mail admin and ask to validate the comment
	317	if ($result and $conf['email_admin_on_comment_validation'] and 'moderate' == $comment_action)
	318	{
	319	include_once(PHPWG_ROOT_PATH.'include/functions_mail.inc.php');
	320
	321	$comment_url = get_absolute_root_url().'comments.php?comment_id='.$comment['comment_id'];
	322
	323	$keyargs_content = array
	324	(
	325	get_l10n_args('Author: %s', stripslashes($GLOBALS['user']['username']) ),
	326	get_l10n_args('Comment: %s', stripslashes($comment['content']) ),
	327	get_l10n_args('', ''),
	328	get_l10n_args('Manage this user comment: %s', $comment_url),
	329	get_l10n_args('', ''),
	330	get_l10n_args('(!) This comment requires validation', ''),
	331	);
	332
	333	pwg_mail_notification_admins
	334	(
	335	get_l10n_args('Comment by %s', stripslashes($GLOBALS['user']['username']) ),
	336	$keyargs_content
	337	);
	338	}
	339	// just mail admin
	340	else if ($result)
	341	{
[3445]	342	email_admin('edit', array('author' => $GLOBALS['user']['username'],
[3488]	343	'content' => stripslashes($comment['content'])) );
[3445]	344	}
	345	}
[10097]	346
	347	return $comment_action;
[3445]	348	}
	349
[3488]	350	function email_admin($action, $comment)
	351	{
[3445]	352	global $conf;
	353
	354	if (!in_array($action, array('edit', 'delete'))
	355	or (($action=='edit') and !$conf['email_admin_on_comment_edition'])
	356	or (($action=='delete') and !$conf['email_admin_on_comment_deletion']))
	357	{
	358	return;
	359	}
	360
	361	include_once(PHPWG_ROOT_PATH.'include/functions_mail.inc.php');
[3488]	362
[3445]	363	$keyargs_content = array();
	364	$keyargs_content[] = get_l10n_args('Author: %s', $comment['author']);
[3488]	365	if ($action=='delete')
[3445]	366	{
[3488]	367	$keyargs_content[] = get_l10n_args('This author removed the comment with id %d',
[3445]	368	$comment['comment_id']
	369	);
	370	}
	371	else
	372	{
	373	$keyargs_content[] = get_l10n_args('This author modified following comment:', '');
	374	$keyargs_content[] = get_l10n_args('Comment: %s', $comment['content']);
	375	}
[3488]	376
	377	pwg_mail_notification_admins(get_l10n_args('Comment by %s',
[3445]	378	$comment['author']),
	379	$keyargs_content
	380	);
	381	}
[5195]	382
	383	function get_comment_author_id($comment_id, $die_on_error=true)
	384	{
	385	$query = '
	386	SELECT
	387	author_id
	388	FROM '.COMMENTS_TABLE.'
	389	WHERE id = '.$comment_id.'
	390	;';
	391	$result = pwg_query($query);
	392	if (pwg_db_num_rows($result) == 0)
	393	{
	394	if ($die_on_error)
	395	{
	396	fatal_error('Unknown comment identifier');
	397	}
	398	else
	399	{
	400	return false;
	401	}
	402	}
	403
	404	list($author_id) = pwg_db_fetch_row($result);
	405
	406	return $author_id;
	407	}
	408
[12596]	409	/**
	410	* Tries to validate a user comment in the database
	411	* @param int or array of int comment_id
	412	*/
[5195]	413	function validate_user_comment($comment_id)
	414	{
[12596]	415	if (is_array($comment_id))
	416	$where_clause = 'id IN('.implode(',', $comment_id).')';
	417	else
	418	$where_clause = 'id = '.$comment_id;
	419
[5195]	420	$query = '
	421	UPDATE '.COMMENTS_TABLE.'
[6589]	422	SET validated = \'true\'
[5195]	423	, validation_date = NOW()
[12596]	424	WHERE '.$where_clause.'
[5195]	425	;';
	426	pwg_query($query);
[12556]	427
	428	trigger_action('user_comment_validation', $comment_id);
[5195]	429	}
[1849]	430	?>

Note: See TracBrowser for help on using the repository browser.

Download in other formats: