source: trunk/include/picture_comment.inc.php @ 4304

Last change on this file since 4304 was 4304, checked in by Eric, 14 years ago

Escape all login and username characters in the database
Display usernames correctly

(I hope not to have made mistakes)

<?php
// +-----------------------------------------------------------------------+
// | Piwigo - a PHP based picture gallery                                  |
// +-----------------------------------------------------------------------+
// | Copyright(C) 2008-2009 Piwigo Team                  http://piwigo.org |
// | Copyright(C) 2003-2008 PhpWebGallery Team    http://phpwebgallery.net |
// | Copyright(C) 2002-2003 Pierrick LE GALL   http://le-gall.net/pierrick |
// +-----------------------------------------------------------------------+
// | This program is free software; you can redistribute it and/or modify  |
// | it under the terms of the GNU General Public License as published by  |
// | the Free Software Foundation                                          |
// |                                                                       |
// | This program is distributed in the hope that it will be useful, but   |
// | WITHOUT ANY WARRANTY; without even the implied warranty of            |
// | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU      |
// | General Public License for more details.                              |
// |                                                                       |
// | You should have received a copy of the GNU General Public License     |
// | along with this program; if not, write to the Free Software           |
// | Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, |
// | USA.                                                                  |
// +-----------------------------------------------------------------------+

/**
 * This file is included by the picture page to manage user comments.
 *
 * It runs in the scope of the including page and relies on variables set
 * there: $page (image_id, start), $related_categories, $conf, $template,
 * $url_self, $infos and, when a comment is being edited, $edit_comment.
 *
 * Three things happen here, in order:
 *  1. decide whether the picture accepts comments at all;
 *  2. if a comment was POSTed, hand it to insert_user_comment() and report
 *     the outcome to the template (and to plugins);
 *  3. load the comment list for the current page and the "add a comment"
 *     form into the template.
 */

// the picture is commentable if it belongs at least to one category which
// is commentable
$page['show_comments'] = false;
foreach ($related_categories as $category)
{
  if ($category['commentable'] == 'true')
  {
    $page['show_comments'] = true;
    break;
  }
}

// a comment was submitted for a commentable picture
if ( $page['show_comments'] and isset( $_POST['content'] ) )
{
  // guests may only post when the configuration explicitly allows it
  if ( is_a_guest() and !$conf['comments_forall'] )
  {
    die ('Session expired');
  }

  // 'author' is optional (hence the @), 'content' is guaranteed by the
  // isset() above.  stripslashes() here presumably undoes magic_quotes on
  // the raw POST data -- confirm against the PHP configuration in use.
  $comm = array(
    'author' => trim( stripslashes(@$_POST['author']) ),
    'content' => trim( stripslashes($_POST['content']) ),
    'image_id' => $page['image_id'],
   );

  include_once(PHPWG_ROOT_PATH.'include/functions_comment.inc.php');

  // $_POST['key'] is the anti-spam post key issued with the form (see
  // get_comment_post_key() below).  $infos is filled by the callee,
  // presumably by reference, and completed with the messages below.
  // The returned action is one of 'moderate', 'validate' or 'reject'.
  $comment_action = insert_user_comment($comm, @$_POST['key'], $infos );

  switch ($comment_action)
  {
    case 'moderate':
      array_push( $infos, l10n('comment_to_validate') );
      // deliberate fall-through: a moderated comment is still "added"
    case 'validate':
      array_push( $infos, l10n('comment_added'));
      break;
    case 'reject':
      // rejection is reported as a 403 so that it is visible in logs
      set_status_header(403);
      array_push($infos, l10n('comment_not_added') );
      break;
    default:
      trigger_error('Invalid comment action '.$comment_action, E_USER_WARNING);
  }

  // a rejection is shown as an error, everything else as an info message
  $template->assign(
      ($comment_action=='reject') ? 'errors' : 'infos',
      $infos
    );

  // allow plugins to notify what's going on
  trigger_action( 'user_comment_insertion',
      array_merge($comm, array('action'=>$comment_action) )
    );
}
// content was POSTed for a picture that does not accept comments: refuse it
elseif ( isset($_POST['content']) )
{
  set_status_header(403);
  die('ugly spammer');
}

if ($page['show_comments'])
{
  // number of comments for this picture
  // NOTE: only validated comments are counted, while the listing below
  // also shows non-validated ones to admins, so the navigation bar may be
  // short by the pending comments for an admin.
  // $page['image_id'] is concatenated into the SQL unquoted; this relies on
  // the including page having cast it to an integer -- TODO confirm.
  $query = '
SELECT COUNT(*) AS nb_comments
  FROM '.COMMENTS_TABLE.'
  WHERE image_id='.$page['image_id']." AND validated = 'true'";
  $row = mysql_fetch_assoc( pwg_query( $query ) );

  // navigation bar creation
  if (!isset($page['start']))
  {
    $page['start'] = 0;
  }

  $navigation_bar = create_navigation_bar(
    duplicate_picture_url(array(), array('start')),
    $row['nb_comments'],
    $page['start'],
    $conf['nb_comment_page'],
    true // We want a clean URL
    );

  $template->assign(
    array(
      'COMMENT_COUNT' => $row['nb_comments'],
      'navbar' => $navigation_bar,
      )
    );

  if ($row['nb_comments'] > 0)
  {
    // admins see comments awaiting validation, everybody else does not
    if ( !is_admin() )
    {
      $validated_clause = '  AND validated = \'true\'';
    }
    else
    {
      $validated_clause = '';
    }

    // $conf['user_fields'] holds configured column names, not user input.
    // $page['image_id'], $page['start'] and $conf['nb_comment_page'] are
    // concatenated unquoted into the query; as above this assumes they are
    // integers by the time this file is included -- TODO confirm.
    $query = '
SELECT com.id,author,author_id,'.$conf['user_fields']['username'].' AS username,
  date,image_id,content,validated
  FROM '.COMMENTS_TABLE.' AS com
  LEFT JOIN '.USERS_TABLE.' AS u
    ON u.'.$conf['user_fields']['id'].' = author_id
  WHERE image_id = '.$page['image_id'].
$validated_clause.'
  ORDER BY date ASC
  LIMIT '.$page['start'].', '.$conf['nb_comment_page'].'
;';
    $result = pwg_query( $query );

    while ($row = mysql_fetch_assoc($result))
    {
      // the stored author name wins; the joined username is the fallback
      if (!empty($row['author']))
      {
        $author = $row['author'];
        if ($author == 'guest')
        {
          $author = l10n('guest');
        }
      }
      else
      {
        // usernames are stored escaped in the database, so unescape them
        // for display
        $author = stripslashes($row['username']);
      }

      // rendering (and any output escaping) of author and content is
      // delegated to the 'render_comment_*' event handlers; this file does
      // not escape them itself.
      $tpl_comment =
        array(
          'AUTHOR' => trigger_event('render_comment_author', $author),

          'DATE' => format_date( $row['date'], true),

          'CONTENT' => trigger_event('render_comment_content',$row['content']),
        );

      if (can_manage_comment('delete', $row['author_id']))
      {
        $tpl_comment['U_DELETE'] =
          add_url_params($url_self,
                         array(
                           'action'=>'delete_comment',
                           'comment_to_delete'=>$row['id']
                               )
                         );
      }
      if (can_manage_comment('edit', $row['author_id']))
      {
        $tpl_comment['U_EDIT'] =
          add_url_params($url_self,
                         array(
                           'action'=>'edit_comment',
                           'comment_to_edit'=>$row['id']
                               )
                         );
        // the comment currently being edited gets an inline edit form: a
        // fresh post key and the raw (un-rendered) stored content
        if (isset($edit_comment) and ($row['id'] == $edit_comment))
        {
          $tpl_comment['IN_EDIT'] = true;
          $key = get_comment_post_key($page['image_id']);
          $tpl_comment['KEY'] = $key;
          $tpl_comment['CONTENT'] = $row['content'];
        }
      }
      if (is_admin())
      {
        // admins get a validation link on comments still pending
        if ($row['validated'] != 'true')
        {
          $tpl_comment['U_VALIDATE'] =
            add_url_params($url_self,
                           array('action' => 'validate_comment',
                                 'comment_to_validate' => $row['id']
                                 )
                           );
        }
      }
      $template->append('comments', $tpl_comment);
    }
  }

  // the "add a comment" form.  Note that the last clause makes the form
  // appear whenever no edit is in progress, whoever the visitor is; a guest
  // who is not allowed to post is then refused at submission time (see
  // 'Session expired' above) -- presumably intended, confirm.
  if (!is_a_guest()
      or (is_a_guest() and $conf['comments_forall'])
      or (empty($edit_comment)))
  {
    $key = get_comment_post_key($page['image_id']);
    $content = '';
    // $comment_action only exists when a comment was just processed (hence
    // the @); a rejected comment is given back to the user, HTML-escaped,
    // so they can fix and resubmit it
    if ('reject'===@$comment_action)
    {
      $content = htmlspecialchars($comm['content']);
    }
    $template->assign('comment_add',
        array(
          'F_ACTION' => $url_self,
          'KEY' => $key,
          'CONTENT' => $content,
          // only non-classic users (guests, generic accounts) may type in a name
          'SHOW_AUTHOR' => !is_classic_user()
        ));
  }
}

?>