Changeset 3450


Timestamp:
06/23/09 23:18:16 (11 years ago)
Author:
nikrou
Message:

Feature 1026 step 2 :
add an author_id column so that a guest cannot modify comments posted by registered users

Location:
trunk
Files:
1 added
5 edited

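--- a/trunk/admin/comments.php
+++ b/trunk/admin/comments.php
@@ -135,8 +135,10 @@
 
 $query = '
-SELECT c.id, c.image_id, c.date, c.author, c.content, i.path, i.tn_ext
+SELECT c.id, c.image_id, c.date, c.author, u.username, c.content, i.path, i.tn_ext
   FROM '.COMMENTS_TABLE.' AS c
     INNER JOIN '.IMAGES_TABLE.' AS i
       ON i.id = c.image_id
+    LEFT JOIN '.USERS_TABLE.' AS u
+      ON u.id = c.author_id
   WHERE validated = \'false\'
   ORDER BY c.date DESC
@@ -152,4 +154,12 @@
         )
      );
+  if (empty($row['author_id'])) 
+  {
+    $author_name = $row['author'];
+  }
+  else
+  {
+    $author_name = $row['username'];
+  }
   $template->append(
     'comments',
@@ -160,5 +170,5 @@
       'ID' => $row['id'],
       'TN_SRC' => $thumb,
-      'AUTHOR' => trigger_event('render_comment_author', $row['author']),
+      'AUTHOR' => trigger_event('render_comment_author', $author_name),
       'DATE' => format_date($row['date'], true),
       'CONTENT' => trigger_event('render_comment_content',$row['content'])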
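Review bot: `$row['author_id']` (new line 156) is never produced by the query just above — the SELECT list now carries `u.username` but not `c.author_id` — so, assuming `$row` is a row of that result, `empty($row['author_id'])` is always true and the pending-comments list keeps rendering `c.author`, which the rest of this changeset sets to an empty string for registered users. Add the column to the projection: `SELECT c.id, c.image_id, c.date, c.author, c.author_id, u.username, c.content, i.path, i.tn_ext`. The loop that fetches `$row` begins outside the hunk, so the fix should be checked against it.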
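--- a/trunk/comments.php
+++ b/trunk/comments.php
@@ -101,5 +101,7 @@
 if (isset($_GET['author']) and !empty($_GET['author']))
 {
-  $page['where_clauses'][] = 'com.author = \''.$_GET['author'].'\'';
+  $page['where_clauses'][] = 
+    'u.username = \''.addslashes($_GET['author']).'\'
+     OR author = \''.addslashes($_GET['author']).'\'';    
 }
 
@@ -262,8 +264,10 @@
 
 $query = '
-SELECT COUNT(DISTINCT(id))
+SELECT COUNT(DISTINCT(com.id))
   FROM '.IMAGE_CATEGORY_TABLE.' AS ic
     INNER JOIN '.COMMENTS_TABLE.' AS com
     ON ic.image_id = com.image_id
+    LEFT JOIN '.USERS_TABLE.' As u
+    ON u.id = com.author_id
   WHERE '.implode('
     AND ', $page['where_clauses']).'
@@ -296,10 +300,14 @@
      , ic.category_id
      , com.author
+     , com.author_id
+     , username
      , com.date
      , com.content
      , com.validated
   FROM '.IMAGE_CATEGORY_TABLE.' AS ic
-    INNER JOIN '.COMMENTS_TABLE.' AS com
+    INNER JOIN '.COMMENTS_TABLE.' AS com    
     ON ic.image_id = com.image_id
+    LEFT JOIN '.USERS_TABLE.' AS u
+    ON u.id = com.author_id
   WHERE '.implode('
     AND ', $page['where_clauses']).'
@@ -367,8 +375,15 @@
           );
 
-    $author = $comment['author'];
-    if (empty($comment['author']))
-    {
-      $author = l10n('guest');
+    if (!empty($comment['author'])) 
+    {
+      $author = $comment['author'];
+      if ($author == 'guest')
+      {
+        $author = l10n('guest');
+      }
+    }
+    else
+    {
+      $author = $comment['username'];
     }
 
@@ -383,5 +398,5 @@
         );
 
-    if (can_manage_comment('delete', $comment['author'])) 
+    if (can_manage_comment('delete', $comment['author_id'])) 
     {
       $url = get_root_url().'comments.php'
@@ -392,5 +407,5 @@
                        );
     }
-    if (can_manage_comment('edit', $comment['author']))
+    if (can_manage_comment('edit', $comment['author_id']))
     {
       $url = get_root_url().'comments.php'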
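Review bot: The new author filter (lines 103-105) pushes an unparenthesised `OR` into `$page['where_clauses']`, which both queries below glue together with `AND`; SQL precedence turns `... AND A OR B` into `(... AND A) OR B`, so every other restriction in that list — whatever validated/visibility clauses it holds at this point — is bypassed for any row whose `author` column matches the requested name. Wrap the disjunction: `'(u.username = \''.addslashes($_GET['author']).'\' OR com.author = \''.addslashes($_GET['author']).'\')'`. Qualifying `com.author` also avoids an ambiguous-column error should the joined users table ever carry an `author` column. addslashes is what this file already uses for SQL escaping, so I am not flagging it here, though a connection-aware escaper would be the better choice.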
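--- a/trunk/include/functions_comment.inc.php
+++ b/trunk/include/functions_comment.inc.php
@@ -92,4 +92,5 @@
       $comm['author'] = 'guest';
     }
+    $comm['author_id'] = $conf['guest_id'];
     // if a guest try to use the name of an already existing user, he must be
     // rejected
@@ -110,6 +111,8 @@
   else
   {
-    $comm['author'] = $user['username'];
-  }
+    $comm['author'] = '';
+    $comm['author_id'] = $user['id'];
+  }
+
   if ( empty($comm['content']) )
   { // empty comment content
@@ -135,5 +138,5 @@
 SELECT id FROM '.COMMENTS_TABLE.'
   WHERE date > FROM_UNIXTIME('.$reference_date.')
-    AND author = "'.addslashes($comm['author']).'"';
+    AND author_id = '.$comm['author_id'];
     if ( mysql_num_rows( pwg_query( $query ) ) > 0 )
     {
@@ -152,7 +155,8 @@
     $query = '
 INSERT INTO '.COMMENTS_TABLE.'
-  (author, content, date, validated, validation_date, image_id)
+  (author, author_id, content, date, validated, validation_date, image_id)
   VALUES (
     "'.addslashes($comm['author']).'",
+    '.$comm['author_id'].',
     "'.addslashes($comm['content']).'",
     NOW(),
@@ -167,19 +171,23 @@
     $comm['id'] = mysql_insert_id();
 
-    if
-      (
-        ($comment_action=='validate' and $conf['email_admin_on_comment'])
-        or
-        ($comment_action!='validate' and $conf['email_admin_on_comment_validation'])
-      )
+    if (($comment_action=='validate' and $conf['email_admin_on_comment']) or
+        ($comment_action!='validate' 
+         and $conf['email_admin_on_comment_validation']))
     {
       include_once(PHPWG_ROOT_PATH.'include/functions_mail.inc.php');
 
-      $del_url =
-          get_absolute_root_url().'comments.php?delete='.$comm['id'];
-
+      $del_url = get_absolute_root_url().'comments.php?delete='.$comm['id'];
+
+      if (empty($comm['author'])) 
+      {
+        $author_name = $user['username'];
+      }
+      else
+      {
+        $author_name = $comm['author'];
+      }
       $keyargs_content = array
       (
-        get_l10n_args('Author: %s', $comm['author']),
+        get_l10n_args('Author: %s', $author_name),
         get_l10n_args('Comment: %s', $comm['content']),
         get_l10n_args('', ''),
@@ -198,5 +206,5 @@
       pwg_mail_notification_admins
       (
-        get_l10n_args('Comment by %s', $comm['author']),
+        get_l10n_args('Comment by %s', $author_name),
         $keyargs_content
       );
@@ -219,5 +227,5 @@
   if (!is_admin())
   {
-    $user_where_clause = '   AND author = \''.$GLOBALS['user']['username'].'\'';
+    $user_where_clause = '   AND author_id = \''.$GLOBALS['user']['id'].'\'';
   }
   $query = '
@@ -265,5 +273,5 @@
 SELECT id FROM '.COMMENTS_TABLE.'
   WHERE date > FROM_UNIXTIME('.$reference_date.')
-    AND author = "'.$GLOBALS['user']['username'].'"';
+    AND author_id = '.$comm['author_id'];
     if ( mysql_num_rows( pwg_query( $query ) ) > 0 )
     {
@@ -287,6 +295,6 @@
     if (!is_admin())
     {
-      $user_where_clause = '   AND author = \''.
-        $GLOBALS['user']['username'].'\'';
+      $user_where_clause = '   AND author_id = \''.
+        $GLOBALS['user']['id'].'\'';
     }
     $query = '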
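Review bot: New line 275 keys the second anti-flood query on `$comm['author_id']`, but in this function (its head lies outside the hunk) nothing visible assigns that key — it is only set on the insert path at lines 94 and 114. If the array here is built from the request, the value is interpolated unescaped and unquoted into SQL; if it is simply absent, the query degrades to `AND author_id = ` and fails. The line it replaces keyed on the session user, so the faithful translation is `AND author_id = '.(int)$GLOBALS['user']['id'];`, matching the `$user_where_clause` built at lines 229 and 297-298. For the same reason I would cast at line 160 too, even though both of its sources (`$conf['guest_id']`, `$user['id']`) are server-side.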
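--- a/trunk/include/functions_user.inc.php
+++ b/trunk/include/functions_user.inc.php
@@ -1203,5 +1203,5 @@
  * @return bool
  */
-function can_manage_comment($action, $comment_author) 
+function can_manage_comment($action, $comment_author_id) 
 {
   if (!in_array($action, array('delete','edit'))) {
@@ -1209,5 +1209,6 @@
   }
   return (is_admin() || 
-          (($GLOBALS['user']['username'] == $comment_author) 
+          (($GLOBALS['user']['id'] == $comment_author_id) 
+           && !is_a_guest()
            && $GLOBALS['conf'][sprintf('user_can_%s_comment', $action)]));
 }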
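Review bot: The ownership test at new line 1211 compares `$GLOBALS['user']['id']` with `$comment_author_id` using loose `==`, while every caller in this changeset passes the raw `author_id` column of a DB row — a string, or NULL for rows that predate the new column. `NULL == 0` is true in PHP, so an account with id 0 (if one exists) would own every unmigrated comment; compare as integers and refuse early when the row has no owner: `if (empty($comment_author_id)) return is_admin();` followed by `((int)$GLOBALS['user']['id'] === (int)$comment_author_id)`. The docblock above (only `@return bool` is inside the hunk) should also be updated if its `@param` line still describes `$comment_author` as a name.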
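--- a/trunk/include/picture_comment.inc.php
+++ b/trunk/include/picture_comment.inc.php
@@ -129,6 +129,8 @@
 
     $query = '
-SELECT id,author,date,image_id,content,validated
-  FROM '.COMMENTS_TABLE.'
+SELECT com.id,author,author_id,username,date,image_id,content,validated
+  FROM '.COMMENTS_TABLE.' AS com
+  LEFT JOIN '.USERS_TABLE.' AS u
+    ON u.id = author_id
   WHERE image_id = '.$page['image_id'].
 $validated_clause.'
@@ -140,10 +142,20 @@
     while ($row = mysql_fetch_array($result))
     {
+      if (!empty($row['author'])) 
+      {
+        $author = $row['author'];
+        if ($author == 'guest')
+        {
+          $author = l10n('guest');
+        }
+      }
+      else
+      {
+        $author = $row['username'];
+      }
+
       $tpl_comment =
         array(
-          'AUTHOR' => trigger_event('render_comment_author',
-            empty($row['author'])
-            ? l10n('guest')
-            : $row['author']),
+          'AUTHOR' => trigger_event('render_comment_author', $author),
 
           'DATE' => format_date( $row['date'], true),
@@ -152,5 +164,5 @@
         );
 
-      if (can_manage_comment('delete', $row['author']))
+      if (can_manage_comment('delete', $row['author_id']))
       {
         $tpl_comment['U_DELETE'] =
@@ -162,5 +174,5 @@
                          );
       }
-      if (can_manage_comment('edit', $row['author']))
+      if (can_manage_comment('edit', $row['author_id']))
       {
         $tpl_comment['U_EDIT'] =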
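Review bot: In the new author block (lines 144-155) the `else` branch renders `$row['username']`, which the LEFT JOIN leaves NULL whenever `author_id` no longer matches a user (a deleted account), so such comments now reach `render_comment_author` with a NULL name where the replaced code showed `l10n('guest')`; guard it, e.g. `$author = empty($row['username']) ? l10n('guest') : $row['username'];`. The block is also a line-for-line copy of the one added to comments.php in this same changeset — a single helper in functions_comment.inc.php that takes the row and returns the display name would keep the two from drifting apart. The join condition `ON u.id = author_id` and the `WHERE image_id =` clause stay unqualified now that a second table is in the query; qualifying them with `com.` guards against a column-name clash.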