Context Navigation

source: branches/2.1/include/functions_comment.inc.php @ 8512

Last change on this file since 8512 was 7783, checked in by plg, 14 years ago
bug 2036 fixed: anti flood limitations for user comments should not apply to administrators.
Property svn:eol-style set to `LF`
File size: 10.1 KB

Rev	Line
[1849]	1	<?php
	2	// +-----------------------------------------------------------------------+
[2297]	3	// \| Piwigo - a PHP based picture gallery \|
	4	// +-----------------------------------------------------------------------+
[5196]	5	// \| Copyright(C) 2008-2010 Piwigo Team http://piwigo.org \|
[2297]	6	// \| Copyright(C) 2003-2008 PhpWebGallery Team http://phpwebgallery.net \|
	7	// \| Copyright(C) 2002-2003 Pierrick LE GALL http://le-gall.net/pierrick \|
	8	// +-----------------------------------------------------------------------+
	9	// \| This program is free software; you can redistribute it and/or modify \|
	10	// \| it under the terms of the GNU General Public License as published by \|
	11	// \| the Free Software Foundation \|
	12	// \| \|
	13	// \| This program is distributed in the hope that it will be useful, but \|
	14	// \| WITHOUT ANY WARRANTY; without even the implied warranty of \|
	15	// \| MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU \|
	16	// \| General Public License for more details. \|
	17	// \| \|
	18	// \| You should have received a copy of the GNU General Public License \|
	19	// \| along with this program; if not, write to the Free Software \|
	20	// \| Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, \|
	21	// \| USA. \|
	22	// +-----------------------------------------------------------------------+
[1849]	23
	24	//returns string action to perform on a new comment: validate, moderate, reject
	25	function user_comment_check($action, $comment)
	26	{
	27	global $conf,$user;
	28
	29	if ($action=='reject')
	30	return $action;
	31
	32	$my_action = $conf['comment_spam_reject'] ? 'reject':'moderate';
	33
	34	if ($action==$my_action)
	35	return $action;
	36
	37	// we do here only BASIC spam check (plugins can do more)
[2029]	38	if ( !is_a_guest() )
[1849]	39	return $action;
	40
	41	$link_count = preg_match_all( '/https?:\/\//',
	42	$comment['content'], $matches);
	43
	44	if ( strpos($comment['author'], 'http://')!==false )
	45	{
	46	$link_count++;
	47	}
[2155]	48
[1849]	49	if ( $link_count>$conf['comment_spam_max_links'] )
	50	return $my_action;
	51
	52	return $action;
	53	}
	54
	55
	56	add_event_handler('user_comment_check', 'user_comment_check',
	57	EVENT_HANDLER_PRIORITY_NEUTRAL, 2);
	58
	59	/**
	60	* Tries to insert a user comment in the database and returns one of :
	61	* validate, moderate, reject
	62	* @param array comm contains author, content, image_id
	63	* @param string key secret key sent back to the browser
	64	* @param array infos out array of messages
	65	*/
	66	function insert_user_comment( &$comm, $key, &$infos )
	67	{
	68	global $conf, $user;
[2155]	69
	70	$comm = array_merge( $comm,
[1849]	71	array(
	72	'ip' => $_SERVER['REMOTE_ADDR'],
	73	'agent' => $_SERVER['HTTP_USER_AGENT']
	74	)
	75	);
	76
	77	$infos = array();
	78	if (!$conf['comments_validation'] or is_admin())
	79	{
	80	$comment_action='validate'; //one of validate, moderate, reject
	81	}
	82	else
	83	{
	84	$comment_action='moderate'; //one of validate, moderate, reject
	85	}
	86
[2029]	87	// display author field if the user status is guest or generic
	88	if (!is_classic_user())
[1849]	89	{
	90	if ( empty($comm['author']) )
	91	{
	92	$comm['author'] = 'guest';
	93	}
[3450]	94	$comm['author_id'] = $conf['guest_id'];
[1849]	95	// if a guest try to use the name of an already existing user, he must be
	96	// rejected
	97	if ( $comm['author'] != 'guest' )
	98	{
	99	$query = '
	100	SELECT COUNT(*) AS user_exists
	101	FROM '.USERS_TABLE.'
[4304]	102	WHERE '.$conf['user_fields']['username']." = '".addslashes($comm['author'])."'";
[4325]	103	$row = pwg_db_fetch_assoc( pwg_query( $query ) );
[1849]	104	if ( $row['user_exists'] == 1 )
	105	{
[5021]	106	array_push($infos, l10n('This login is already used by another user') );
[1849]	107	$comment_action='reject';
	108	}
	109	}
	110	}
	111	else
	112	{
[3600]	113	$comm['author'] = addslashes($user['username']);
[3450]	114	$comm['author_id'] = $user['id'];
[1849]	115	}
[3450]	116
[1849]	117	if ( empty($comm['content']) )
	118	{ // empty comment content
	119	$comment_action='reject';
	120	}
	121
	122	$key = explode( ':', @$key );
	123	if ( count($key)!=2
	124	or $key[0]>time()-2 // page must have been retrieved more than 2 sec ago
	125	or $key[0]<time()-3600 // 60 minutes expiration
	126	or hash_hmac(
	127	'md5', $key[0].':'.$comm['image_id'], $conf['secret_key']
	128	) != $key[1]
	129	)
	130	{
	131	$comment_action='reject';
	132	}
[2155]	133
[7783]	134	if ($comment_action!='reject' and $conf['anti-flood_time']>0 and !is_admin())
[1849]	135	{ // anti-flood system
[6605]	136	$reference_date = pwg_db_get_flood_period_expression($conf['anti-flood_time']);
	137
[1849]	138	$query = '
[6605]	139	SELECT count(1) FROM '.COMMENTS_TABLE.'
	140	WHERE date > '.$reference_date.'
[3450]	141	AND author_id = '.$comm['author_id'];
[6605]	142	list($counter) = pwg_db_fetch_row(pwg_query($query));
	143	if ( $counter > 0 )
[1849]	144	{
[5021]	145	array_push( $infos, l10n('Anti-flood system : please wait for a moment before trying to post another comment') );
[1849]	146	$comment_action='reject';
	147	}
	148	}
	149
	150	// perform more spam check
	151	$comment_action = trigger_event('user_comment_check',
	152	$comment_action, $comm
	153	);
	154
	155	if ( $comment_action!='reject' )
	156	{
	157	$query = '
	158	INSERT INTO '.COMMENTS_TABLE.'
[3450]	159	(author, author_id, content, date, validated, validation_date, image_id)
[1849]	160	VALUES (
[6590]	161	\''.$comm['author'].'\',
[3450]	162	'.$comm['author_id'].',
[6590]	163	\''.$comm['content'].'\',
[1849]	164	NOW(),
[6590]	165	\''.($comment_action=='validate' ? 'true':'false').'\',
[1849]	166	'.($comment_action=='validate' ? 'NOW()':'NULL').',
[2155]	167	'.$comm['image_id'].'
[1849]	168	)
	169	';
	170
	171	pwg_query($query);
	172
[4892]	173	$comm['id'] = pwg_db_insert_id(COMMENTS_TABLE);
[1849]	174
[5195]	175	if ($conf['email_admin_on_comment']
	176	or ($conf['email_admin_on_comment_validation'] and 'moderate' == $comment_action))
[1849]	177	{
	178	include_once(PHPWG_ROOT_PATH.'include/functions_mail.inc.php');
	179
[5195]	180	$comment_url = get_absolute_root_url().'comments.php?comment_id='.$comm['id'];
[1849]	181
[1908]	182	$keyargs_content = array
	183	(
[3600]	184	get_l10n_args('Author: %s', stripslashes($comm['author']) ),
[3488]	185	get_l10n_args('Comment: %s', stripslashes($comm['content']) ),
[1908]	186	get_l10n_args('', ''),
[5195]	187	get_l10n_args('Manage this user comment: %s', $comment_url)
[1908]	188	);
[1849]	189
[5195]	190	if ('moderate' == $comment_action)
[1849]	191	{
[5195]	192	$keyargs_content[] = get_l10n_args('', '');
	193	$keyargs_content[] = get_l10n_args('(!) This comment requires validation', '');
[1849]	194	}
	195
[1908]	196	pwg_mail_notification_admins
[1849]	197	(
[3600]	198	get_l10n_args('Comment by %s', stripslashes($comm['author']) ),
[1908]	199	$keyargs_content
[1849]	200	);
	201	}
	202	}
	203	return $comment_action;
	204	}
	205
[3445]	206	/**
	207	* Tries to delete a user comment in the database
	208	* only admin can delete all comments
[3488]	209	* other users can delete their own comments
[3445]	210	* so to avoid a new sql request we add author in where clause
	211	*
[3488]	212	* @param comment_id
[3445]	213	*/
	214	function delete_user_comment($comment_id) {
	215	$user_where_clause = '';
	216	if (!is_admin())
	217	{
[3450]	218	$user_where_clause = ' AND author_id = \''.$GLOBALS['user']['id'].'\'';
[3445]	219	}
	220	$query = '
	221	DELETE FROM '.COMMENTS_TABLE.'
	222	WHERE id = '.$comment_id.
	223	$user_where_clause.'
	224	;';
	225	$result = pwg_query($query);
	226	if ($result) {
[5707]	227	email_admin('delete',
	228	array('author' => $GLOBALS['user']['username'],
	229	'comment_id' => $comment_id
	230	));
[3445]	231	}
	232	}
	233
	234	/**
	235	* Tries to update a user comment in the database
	236	* only admin can update all comments
	237	* users can edit their own comments if admin allow them
	238	* so to avoid a new sql request we add author in where clause
	239	*
[3488]	240	* @param comment_id
[3445]	241	* @param post_key
	242	* @param content
	243	*/
	244
[3488]	245	function update_user_comment($comment, $post_key)
	246	{
[3445]	247	global $conf;
	248
	249	$comment_action = 'validate';
	250
	251	$key = explode( ':', $post_key );
	252	if ( count($key)!=2
	253	or $key[0]>time()-2 // page must have been retrieved more than 2 sec ago
	254	or $key[0]<time()-3600 // 60 minutes expiration
	255	or hash_hmac('md5', $key[0].':'.$comment['image_id'], $conf['secret_key']
	256	) != $key[1]
	257	)
	258	{
	259	$comment_action='reject';
	260	}
	261
	262	// perform more spam check
[3488]	263	$comment_action =
[3445]	264	trigger_event('user_comment_check',
[3488]	265	$comment_action,
	266	array_merge($comment,
[3445]	267	array('author' => $GLOBALS['user']['username'])
	268	)
	269	);
	270
	271	if ( $comment_action!='reject' )
	272	{
	273	$user_where_clause = '';
	274	if (!is_admin())
	275	{
[3450]	276	$user_where_clause = ' AND author_id = \''.
	277	$GLOBALS['user']['id'].'\'';
[3445]	278	}
	279	$query = '
	280	UPDATE '.COMMENTS_TABLE.'
	281	SET content = \''.$comment['content'].'\',
	282	validation_date = now()
	283	WHERE id = '.$comment['comment_id'].
	284	$user_where_clause.'
	285	;';
	286	$result = pwg_query($query);
	287	if ($result) {
	288	email_admin('edit', array('author' => $GLOBALS['user']['username'],
[3488]	289	'content' => stripslashes($comment['content'])) );
[3445]	290	}
	291	}
	292	}
	293
[3488]	294	function email_admin($action, $comment)
	295	{
[3445]	296	global $conf;
	297
	298	if (!in_array($action, array('edit', 'delete'))
	299	or (($action=='edit') and !$conf['email_admin_on_comment_edition'])
	300	or (($action=='delete') and !$conf['email_admin_on_comment_deletion']))
	301	{
	302	return;
	303	}
	304
	305	include_once(PHPWG_ROOT_PATH.'include/functions_mail.inc.php');
[3488]	306
[3445]	307	$keyargs_content = array();
	308	$keyargs_content[] = get_l10n_args('Author: %s', $comment['author']);
[3488]	309	if ($action=='delete')
[3445]	310	{
[3488]	311	$keyargs_content[] = get_l10n_args('This author removed the comment with id %d',
[3445]	312	$comment['comment_id']
	313	);
	314	}
	315	else
	316	{
	317	$keyargs_content[] = get_l10n_args('This author modified following comment:', '');
	318	$keyargs_content[] = get_l10n_args('Comment: %s', $comment['content']);
	319	}
[3488]	320
	321	pwg_mail_notification_admins(get_l10n_args('Comment by %s',
[3445]	322	$comment['author']),
	323	$keyargs_content
	324	);
	325	}
[5195]	326
	327	function get_comment_author_id($comment_id, $die_on_error=true)
	328	{
	329	$query = '
	330	SELECT
	331	author_id
	332	FROM '.COMMENTS_TABLE.'
	333	WHERE id = '.$comment_id.'
	334	;';
	335	$result = pwg_query($query);
	336	if (pwg_db_num_rows($result) == 0)
	337	{
	338	if ($die_on_error)
	339	{
	340	fatal_error('Unknown comment identifier');
	341	}
	342	else
	343	{
	344	return false;
	345	}
	346	}
	347
	348	list($author_id) = pwg_db_fetch_row($result);
	349
	350	return $author_id;
	351	}
	352
	353	function validate_user_comment($comment_id)
	354	{
	355	$query = '
	356	UPDATE '.COMMENTS_TABLE.'
[6590]	357	SET validated = \'true\'
[5195]	358	, validation_date = NOW()
	359	WHERE id = '.$comment_id.'
	360	;';
	361	pwg_query($query);
	362	}
[1849]	363	?>

Note: See TracBrowser for help on using the repository browser.

Download in other formats: