Last change on this file since 2299 was 2299, checked in by plg, 16 years ago

Bug fixed: as rvelices notified me by email, my header replacement script was
bugged (r2297 was repeating new and old header).

By the way, I've also removed the replacement keywords. We were using them
because it was a common usage with CVS but it is advised not to use them with
Subversion. Personnaly, it is a problem when I search differences between 2
Piwigo installations outside Subversion.

1<?php
2// +-----------------------------------------------------------------------+
3// | Piwigo - a PHP based picture gallery                                  |
4// +-----------------------------------------------------------------------+
5// | Copyright(C) 2008      Piwigo Team                  http://piwigo.org |
6// | Copyright(C) 2003-2008 PhpWebGallery Team    http://phpwebgallery.net |
7// | Copyright(C) 2002-2003 Pierrick LE GALL   http://le-gall.net/pierrick |
8// +-----------------------------------------------------------------------+
9// | This program is free software; you can redistribute it and/or modify  |
10// | it under the terms of the GNU General Public License as published by  |
11// | the Free Software Foundation                                          |
12// |                                                                       |
13// | This program is distributed in the hope that it will be useful, but   |
14// | WITHOUT ANY WARRANTY; without even the implied warranty of            |
15// | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU      |
16// | General Public License for more details.                              |
17// |                                                                       |
18// | You should have received a copy of the GNU General Public License     |
19// | along with this program; if not, write to the Free Software           |
20// | Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, |
21// | USA.                                                                  |
22// +-----------------------------------------------------------------------+
23
/**
 * Builds the anti-bot token that the comment form must send back.
 *
 * The token has the form "<unix time>:<HMAC-MD5(time:image_id, secret_key)>".
 * The timestamp travels in the clear so that the verifier can check how old
 * the form is; the HMAC, keyed with $conf['secret_key'], binds the timestamp
 * to the image and prevents a client from choosing its own timestamp.
 *
 * @param mixed image_id id of the picture the comment will be attached to
 * @return string the token to embed in the comment form
 */
function get_comment_post_key($image_id)
{
  global $conf;

  $issued_at = time();
  $signature = hash_hmac(
    'md5',
    $issued_at.':'.$image_id,
    $conf['secret_key']
  );

  return $issued_at.':'.$signature;
}
43
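/**
 * Handler for the 'user_comment_check' event: basic link-count spam check.
 *
 * Returns the action to perform on a new comment, one of 'validate',
 * 'moderate' or 'reject'. The only rule applied here is a link count: when
 * a guest's comment contains more than $conf['comment_spam_max_links']
 * occurrences of "http://" or "https://" (author field and content added
 * together), the action is escalated to 'reject' if
 * $conf['comment_spam_reject'] is set, otherwise to 'moderate'. Plugins
 * hooked on the same event can add further checks.
 *
 * Note: the author field used to be checked for "http://" only, so an
 * "https://" link in the name never counted toward the limit; both schemes
 * are now counted in both fields.
 *
 * @param string action the action decided so far by earlier handlers
 * @param array comment contains 'author' and 'content'
 * @return string the (possibly escalated) action
 */
function user_comment_check($action, $comment)
{
  global $conf;

  // a rejection decided upstream is final
  if ($action=='reject')
    return $action;

  $my_action = $conf['comment_spam_reject'] ? 'reject':'moderate';

  // already at the level this check could escalate to
  if ($action==$my_action)
    return $action;

  // we do here only BASIC spam check (plugins can do more); registered users
  // are not subject to it
  if ( !is_a_guest() )
    return $action;

  // same pattern for both fields, so that the author name cannot carry a
  // link that the content check would have counted
  $link_count = 0;
  foreach (array('content', 'author') as $field)
  {
    if ( isset($comment[$field]) )
    {
      $link_count += preg_match_all('/https?:\/\//', $comment[$field], $matches);
    }
  }

  if ( $link_count>$conf['comment_spam_max_links'] )
    return $my_action;

  return $action;
}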
74
75
// register the basic spam check above on the 'user_comment_check' event at
// neutral priority; the handler receives 2 arguments (action, comment)
add_event_handler(
  'user_comment_check', 'user_comment_check', EVENT_HANDLER_PRIORITY_NEUTRAL, 2
);
78
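/**
 * Tries to insert a user comment in the database and returns one of :
 * validate, moderate, reject
 *
 * Checks are applied in this order: author name (a guest may not use the
 * name of an existing account), non-empty content, the anti-bot key issued
 * by get_comment_post_key(), the anti-flood delay, then the
 * 'user_comment_check' event for further spam checks. Only a comment that
 * is not rejected is written to COMMENTS_TABLE; admins are then notified by
 * mail according to $conf['email_admin_on_comment'] (validated comment) or
 * $conf['email_admin_on_comment_validation'] (comment awaiting moderation).
 *
 * @param array comm contains author, content, image_id; passed by reference:
 *   'ip' and 'agent' are added, 'author' is normalised, and 'id' is set once
 *   the row has been inserted
 * @param string key secret key sent back to the browser
 * @param array infos out array of messages
 * @return string validate, moderate or reject
 */
function insert_user_comment( &$comm, $key, &$infos )
{
  global $conf, $user;

  // REMOTE_ADDR and HTTP_USER_AGENT are not guaranteed to be present (no UA
  // header, CLI, some proxies): store an empty string instead of raising a
  // notice
  $comm = array_merge( $comm,
    array(
      'ip' => isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '',
      'agent' => isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : ''
    )
   );

  $infos = array();
  if (!$conf['comments_validation'] or is_admin())
  {
    $comment_action='validate'; //one of validate, moderate, reject
  }
  else
  {
    $comment_action='moderate'; //one of validate, moderate, reject
  }

  // display author field if the user status is guest or generic
  if (!is_classic_user())
  {
    if ( empty($comm['author']) )
    {
      $comm['author'] = 'guest';
    }
    // if a guest try to use the name of an already existing user, he must be
    // rejected
    if ( $comm['author'] != 'guest' )
    {
      // mysql_real_escape_string() escapes according to the connection
      // charset; addslashes() does not and can be bypassed under some
      // multi-byte charsets
      $query = '
SELECT COUNT(*) AS user_exists
  FROM '.USERS_TABLE.'
  WHERE '.$conf['user_fields']['username']." = '".mysql_real_escape_string($comm['author'])."'";
      $row = mysql_fetch_assoc( pwg_query( $query ) );
      if ( $row['user_exists'] > 0 )
      {
        array_push($infos, l10n('comment_user_exists') );
        $comment_action='reject';
      }
    }
  }
  else
  {
    $comm['author'] = $user['username'];
  }
  if ( empty($comm['content']) )
  { // empty comment content
    $comment_action='reject';
  }

  // anti-bot key, "<unix time>:<HMAC>" as produced by get_comment_post_key().
  // The timestamp must be plain digits (nothing else can have been signed by
  // us), the page must have been retrieved more than 2 seconds and less than
  // 60 minutes ago, and the HMAC must match for this image.
  $key = explode( ':', (string)$key );
  $key_is_valid = false;
  if ( count($key)==2 and ctype_digit($key[0]) )
  {
    $expected = hash_hmac(
      'md5', $key[0].':'.$comm['image_id'], $conf['secret_key']
    );
    // strict comparison: the previous loose != treated two numeric-looking
    // digest strings such as "0e..." as equal; hash_equals() (PHP >= 5.6) is
    // also constant-time
    $hmac_matches = function_exists('hash_equals')
      ? hash_equals($expected, $key[1])
      : $expected === $key[1];
    $now = time();
    $key_is_valid = $hmac_matches
      && $key[0] <= $now-2   // page must have been retrieved more than 2 sec ago
      && $key[0] >= $now-3600; // 60 minutes expiration
  }
  if ( !$key_is_valid )
  {
    $comment_action='reject';
  }

  if ($comment_action!='reject' and $conf['anti-flood_time']>0 )
  { // anti-flood system
    $reference_date = time() - $conf['anti-flood_time'];
    $query = '
SELECT id FROM '.COMMENTS_TABLE.'
  WHERE date > FROM_UNIXTIME('.(int)$reference_date.')
    AND author = "'.mysql_real_escape_string($comm['author']).'"';
    if ( mysql_num_rows( pwg_query( $query ) ) > 0 )
    {
      array_push( $infos, l10n('comment_anti-flood') );
      $comment_action='reject';
    }
  }

  // perform more spam check
  $comment_action = trigger_event('user_comment_check',
      $comment_action, $comm
    );

  if ( $comment_action!='reject' )
  {
    // image_id is already bound by the HMAC check above; the (int) cast is
    // defence in depth so it can only ever reach the query as a number
    $query = '
INSERT INTO '.COMMENTS_TABLE.'
  (author, content, date, validated, validation_date, image_id)
  VALUES (
    "'.mysql_real_escape_string($comm['author']).'",
    "'.mysql_real_escape_string($comm['content']).'",
    NOW(),
    "'.($comment_action=='validate' ? 'true':'false').'",
    '.($comment_action=='validate' ? 'NOW()':'NULL').',
    '.(int)$comm['image_id'].'
  )
';

    pwg_query($query);

    $comm['id'] = mysql_insert_id();

    if
      (
        ($comment_action=='validate' and $conf['email_admin_on_comment'])
        or 
        ($comment_action!='validate' and $conf['email_admin_on_comment_validation'])
      )
    {
      include_once(PHPWG_ROOT_PATH.'include/functions_mail.inc.php');

      // NOTE(review): these are plain GET links without an anti-CSRF token;
      // whether comments.php demands admin rights or a token for ?delete and
      // ?validate is outside this file - verify there
      $del_url =
          get_absolute_root_url().'comments.php?delete='.$comm['id'];

      $keyargs_content = array
      (
        get_l10n_args('Author: %s', $comm['author']),
        get_l10n_args('Comment: %s', $comm['content']),
        get_l10n_args('', ''),
        get_l10n_args('Delete: %s', $del_url)
      );

      if ($comment_action!='validate')
      {
        $keyargs_content[] =
          get_l10n_args('', '');
        $keyargs_content[] =
          get_l10n_args('Validate: %s',
            get_absolute_root_url().'comments.php?validate='.$comm['id']);
      }

      pwg_mail_notification_admins
      (
        get_l10n_args('Comment by %s', $comm['author']),
        $keyargs_content
      );
    }
  }
  return $comment_action;
}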
227
228?>