source: trunk/comments.php @ 7319

Last change on this file since 7319 was 6910, checked in by plg, 14 years ago

merge r6909 from branch 2.1 to trunk

bug 1850 fixed: strong check of $_GETcat

  • Property svn:eol-style set to LF
File size: 15.1 KB
Line 
1<?php
2// +-----------------------------------------------------------------------+
3// | Piwigo - a PHP based picture gallery                                  |
4// +-----------------------------------------------------------------------+
5// | Copyright(C) 2008-2010 Piwigo Team                  http://piwigo.org |
6// | Copyright(C) 2003-2008 PhpWebGallery Team    http://phpwebgallery.net |
7// | Copyright(C) 2002-2003 Pierrick LE GALL   http://le-gall.net/pierrick |
8// +-----------------------------------------------------------------------+
9// | This program is free software; you can redistribute it and/or modify  |
10// | it under the terms of the GNU General Public License as published by  |
11// | the Free Software Foundation                                          |
12// |                                                                       |
13// | This program is distributed in the hope that it will be useful, but   |
14// | WITHOUT ANY WARRANTY; without even the implied warranty of            |
15// | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU      |
16// | General Public License for more details.                              |
17// |                                                                       |
18// | You should have received a copy of the GNU General Public License     |
19// | along with this program; if not, write to the Free Software           |
20// | Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, |
21// | USA.                                                                  |
22// +-----------------------------------------------------------------------+
23
24// +-----------------------------------------------------------------------+
25// |                           initialization                              |
26// +-----------------------------------------------------------------------+
27define('PHPWG_ROOT_PATH','./');
28include_once(PHPWG_ROOT_PATH.'include/common.inc.php');
29include_once(PHPWG_ROOT_PATH.'include/functions_comment.inc.php');
30
31// +-----------------------------------------------------------------------+
32// | Check Access and exit when user status is not ok                      |
33// +-----------------------------------------------------------------------+
34check_status(ACCESS_GUEST);
35
36$sort_order = array(
37  'DESC' => l10n('descending'),
38  'ASC'  => l10n('ascending')
39  );
40
41// sort_by : database fields proposed for sorting comments list
42$sort_by = array(
43  'date' => l10n('comment date'),
44  'image_id' => l10n('picture')
45  );
46
47// items_number : list of number of items to display per page
48$items_number = array(5,10,20,50,'all');
49
50// since when display comments ?
51//
52$since_options = array(
53  1 => array('label' => l10n('today'),
54             'clause' => 'date > '.pwg_db_get_recent_period_expression(1)),
55  2 => array('label' => sprintf(l10n('last %d days'), 7),
56             'clause' => 'date > '.pwg_db_get_recent_period_expression(7)),
57  3 => array('label' => sprintf(l10n('last %d days'), 30),
58             'clause' => 'date > '.pwg_db_get_recent_period_expression(30)),
59  4 => array('label' => l10n('the beginning'),
60             'clause' => '1=1') // stupid but generic
61  );
62
63if (!empty($_GET['since']) && is_numeric($_GET['since']))
64{
65  $page['since'] = $_GET['since'];
66}
67else
68{
69  $page['since'] = 4;
70}
71
72// on which field sorting
73//
74$page['sort_by'] = 'date';
75// if the form was submitted, it overloads default behaviour
76if (isset($_GET['sort_by']) and isset($sort_by[$_GET['sort_by']]) )
77{
78  $page['sort_by'] = $_GET['sort_by'];
79}
80
81// order to sort
82//
83$page['sort_order'] = 'DESC';
84// if the form was submitted, it overloads default behaviour
85if (isset($_GET['sort_order']) and isset($sort_order[$_GET['sort_order']]))
86{
87  $page['sort_order'] = $_GET['sort_order'];
88}
89
90// number of items to display
91//
92$page['items_number'] = 10;
93if (isset($_GET['items_number']))
94{
95  $page['items_number'] = $_GET['items_number'];
96}
97if ( !is_numeric($page['items_number']) and $page['items_number']!='all' )
98{
99  $page['items_number'] = 10;
100}
101
102$page['where_clauses'] = array();
103
104// which category to filter on ?
105if (isset($_GET['cat']) and 0 != $_GET['cat'])
106{
107  check_input_parameter('cat', $_GET, false, PATTERN_ID);
108 
109  $page['where_clauses'][] =
110    'category_id IN ('.implode(',', get_subcat_ids(array($_GET['cat']))).')';
111}
112
113// search a particular author
114if (!empty($_GET['author']))
115{
116  $page['where_clauses'][] =
117    'u.'.$conf['user_fields']['username'].' = \''.$_GET['author'].'\'
118     OR author = \''.$_GET['author'].'\'';
119}
120
121// search a specific comment (if you're coming directly from an admin
122// notification email)
123if (!empty($_GET['comment_id']))
124{
125  check_input_parameter('comment_id', $_GET, false, PATTERN_ID);
126
127  // currently, the $_GET['comment_id'] is only used by admins from email
128  // for management purpose (validate/delete)
129  if (!is_admin())
130  {
131    $login_url =
132      get_root_url().'identification.php?redirect='
133      .urlencode(urlencode($_SERVER['REQUEST_URI']))
134      ;
135    redirect($login_url);
136  }
137
138  $page['where_clauses'][] = 'com.id = '.$_GET['comment_id'];
139}
140
141// search a substring among comments content
142if (!empty($_GET['keyword']))
143{
144  $page['where_clauses'][] =
145    '('.
146    implode(' AND ',
147            array_map(
148              create_function(
149                '$s',
150                'return "content LIKE \'%$s%\'";'
151                ),
152              preg_split('/[\s,;]+/', $_GET['keyword'] )
153              )
154      ).
155    ')';
156}
157
158$page['where_clauses'][] = $since_options[$page['since']]['clause'];
159
160// which status to filter on ?
161if ( !is_admin() )
162{
163  $page['where_clauses'][] = 'validated=\'true\'';
164}
165
166$page['where_clauses'][] = get_sql_condition_FandF
167  (
168    array
169      (
170        'forbidden_categories' => 'category_id',
171        'visible_categories' => 'category_id',
172        'visible_images' => 'ic.image_id'
173      ),
174    '', true
175  );
176
177// +-----------------------------------------------------------------------+
178// |                         comments management                           |
179// +-----------------------------------------------------------------------+
180
181$comment_id = null;
182$action = null;
183
184$actions = array('delete', 'validate', 'edit');
185foreach ($actions as $loop_action)
186{
187  if (isset($_GET[$loop_action]))
188  {
189    $action = $loop_action;
190    check_input_parameter($action, $_GET, false, PATTERN_ID);
191    $comment_id = $_GET[$action];
192    break;
193  }
194}
195
196if (isset($action))
197{
198  check_pwg_token();
199
200  $comment_author_id = get_comment_author_id($comment_id);
201
202  if (can_manage_comment($action, $comment_author_id))
203  {
204    $perform_redirect = false;
205
206    if ('delete' == $action)
207    {
208      delete_user_comment($comment_id);
209      $perform_redirect = true;
210    }
211
212    if ('validate' == $action)
213    {
214      validate_user_comment($comment_id);
215      $perform_redirect = true;
216    }
217
218    if ('edit' == $action)
219    {
220      if (!empty($_POST['content']))
221      {
222        update_user_comment(
223          array(
224            'comment_id' => $_GET['edit'],
225            'image_id' => $_POST['image_id'],
226            'content' => $_POST['content']
227            ),
228          $_POST['key']
229          );
230
231        $edit_comment = null;
232      }
233      else
234      {
235        $edit_comment = $_GET['edit'];
236      }
237    }
238
239    if ($perform_redirect)
240    {
241      $redirect_url =
242        PHPWG_ROOT_PATH
243        .'comments.php'
244        .get_query_string_diff(array('delete','validate','pwg_token'));
245
246      redirect($redirect_url);
247    }
248  }
249}
250
251// +-----------------------------------------------------------------------+
252// |                       page header and options                         |
253// +-----------------------------------------------------------------------+
254
255$title= l10n('User comments');
256$page['body_id'] = 'theCommentsPage';
257
258$template->set_filenames(array('comments'=>'comments.tpl'));
259$template->assign(
260  array(
261    'F_ACTION'=>PHPWG_ROOT_PATH.'comments.php',
262    'F_KEYWORD'=> @htmlspecialchars(stripslashes($_GET['keyword'], ENT_QUOTES, 'utf-8')),
263    'F_AUTHOR'=> @htmlspecialchars(stripslashes($_GET['author'], ENT_QUOTES, 'utf-8')),
264    )
265  );
266
267// +-----------------------------------------------------------------------+
268// |                          form construction                            |
269// +-----------------------------------------------------------------------+
270
271// Search in a particular category
272$blockname = 'categories';
273
274$query = '
275SELECT id, name, uppercats, global_rank
276  FROM '.CATEGORIES_TABLE.'
277'.get_sql_condition_FandF
278  (
279    array
280      (
281        'forbidden_categories' => 'id',
282        'visible_categories' => 'id'
283      ),
284    'WHERE'
285  ).'
286;';
287display_select_cat_wrapper($query, array(@$_GET['cat']), $blockname, true);
288
289// Filter on recent comments...
290$tpl_var=array();
291foreach ($since_options as $id => $option)
292{
293  $tpl_var[ $id ] = $option['label'];
294}
295$template->assign( 'since_options', $tpl_var);
296$template->assign( 'since_options_selected', $page['since']);
297
298// Sort by
299$template->assign( 'sort_by_options', $sort_by);
300$template->assign( 'sort_by_options_selected', $page['sort_by']);
301
302// Sorting order
303$template->assign( 'sort_order_options', $sort_order);
304$template->assign( 'sort_order_options_selected', $page['sort_order']);
305
306
307// Number of items
308$blockname = 'items_number_option';
309$tpl_var=array();
310foreach ($items_number as $option)
311{
312  $tpl_var[ $option ] = is_numeric($option) ? $option : l10n($option);
313}
314$template->assign( 'item_number_options', $tpl_var);
315$template->assign( 'item_number_options_selected', $page['items_number']);
316
317
318// +-----------------------------------------------------------------------+
319// |                            navigation bar                             |
320// +-----------------------------------------------------------------------+
321
322if (isset($_GET['start']) and is_numeric($_GET['start']))
323{
324  $start = $_GET['start'];
325}
326else
327{
328  $start = 0;
329}
330
331$query = '
332SELECT COUNT(DISTINCT(com.id))
333  FROM '.IMAGE_CATEGORY_TABLE.' AS ic
334    INNER JOIN '.COMMENTS_TABLE.' AS com
335    ON ic.image_id = com.image_id
336    LEFT JOIN '.USERS_TABLE.' As u
337    ON u.'.$conf['user_fields']['id'].' = com.author_id
338  WHERE '.implode('
339    AND ', $page['where_clauses']).'
340;';
341list($counter) = pwg_db_fetch_row(pwg_query($query));
342
343$url = PHPWG_ROOT_PATH
344    .'comments.php'
345  .get_query_string_diff(array('start','delete','validate','pwg_token'));
346
347$navbar = create_navigation_bar($url,
348                                $counter,
349                                $start,
350                                $page['items_number'],
351                                '');
352
353$template->assign('navbar', $navbar);
354
355// +-----------------------------------------------------------------------+
356// |                        last comments display                          |
357// +-----------------------------------------------------------------------+
358
359$comments = array();
360$element_ids = array();
361$category_ids = array();
362
363$query = '
364SELECT com.id AS comment_id,
365       com.image_id,
366       com.author,
367       com.author_id,
368       com.date,
369       com.content,
370       com.validated
371  FROM '.IMAGE_CATEGORY_TABLE.' AS ic
372    INNER JOIN '.COMMENTS_TABLE.' AS com
373    ON ic.image_id = com.image_id
374    LEFT JOIN '.USERS_TABLE.' As u
375    ON u.'.$conf['user_fields']['id'].' = com.author_id
376  WHERE '.implode('
377    AND ', $page['where_clauses']).'
378  GROUP BY comment_id,
379       com.image_id,
380       com.author,
381       com.author_id,
382       com.date,
383       com.content,
384       com.validated
385  ORDER BY '.$page['sort_by'].' '.$page['sort_order'];
386if ('all' != $page['items_number'])
387{
388  $query.= '
389  LIMIT '.$page['items_number'].' OFFSET '.$start;
390}
391$query.= '
392;';
393$result = pwg_query($query);
394while ($row = pwg_db_fetch_assoc($result))
395{
396  array_push($comments, $row);
397  array_push($element_ids, $row['image_id']);
398}
399
400if (count($comments) > 0)
401{
402  // retrieving element informations
403  $elements = array();
404  $query = '
405SELECT id, name, file, path, tn_ext
406  FROM '.IMAGES_TABLE.'
407  WHERE id IN ('.implode(',', $element_ids).')
408;';
409  $result = pwg_query($query);
410  while ($row = pwg_db_fetch_assoc($result))
411  {
412    $elements[$row['id']] = $row;
413  }
414
415  // retrieving category informations
416  $query = '
417SELECT c.id, name, permalink, uppercats, com.id as comment_id
418  FROM '.CATEGORIES_TABLE.' AS c
419  LEFT JOIN '.IMAGE_CATEGORY_TABLE.' AS ic
420  ON c.id=ic.category_id
421  LEFT JOIN '.COMMENTS_TABLE.' AS com
422  ON ic.image_id=com.image_id
423  '.get_sql_condition_FandF
424    (
425      array
426      (
427        'forbidden_categories' => 'c.id',
428        'visible_categories' => 'c.id'
429       ),
430      'WHERE'
431     ).'
432;';
433  $categories = hash_from_query($query, 'comment_id');
434
435  foreach ($comments as $comment)
436  {
437    if (!empty($elements[$comment['image_id']]['name']))
438    {
439      $name=$elements[$comment['image_id']]['name'];
440    }
441    else
442    {
443      $name=get_name_from_file($elements[$comment['image_id']]['file']);
444    }
445
446    // source of the thumbnail picture
447    $thumbnail_src = get_thumbnail_url( $elements[$comment['image_id']] );
448
449    // link to the full size picture
450    $url = make_picture_url(
451      array(
452        'category' => $categories[ $comment['comment_id'] ],
453        'image_id' => $comment['image_id'],
454        'image_file' => $elements[$comment['image_id']]['file'],
455        )
456      );
457
458    $tpl_comment = array(
459      'U_PICTURE' => $url,
460      'TN_SRC' => $thumbnail_src,
461      'ALT' => $name,
462      'AUTHOR' => trigger_event('render_comment_author', $comment['author']),
463      'DATE'=>format_date($comment['date'], true),
464      'CONTENT'=>trigger_event('render_comment_content',$comment['content']),
465      );
466
467    if (can_manage_comment('delete', $comment['author_id']))
468    {
469      $url =
470        get_root_url()
471        .'comments.php'
472        .get_query_string_diff(array('delete','validate','edit', 'pwg_token'));
473
474      $tpl_comment['U_DELETE'] = add_url_params(
475        $url,
476        array(
477          'delete' => $comment['comment_id'],
478          'pwg_token' => get_pwg_token(),
479          )
480        );
481    }
482
483    if (can_manage_comment('edit', $comment['author_id']))
484    {
485      $url =
486        get_root_url()
487        .'comments.php'
488        .get_query_string_diff(array('edit', 'delete','validate', 'pwg_token'));
489
490      $tpl_comment['U_EDIT'] = add_url_params(
491        $url,
492        array(
493          'edit' => $comment['comment_id'],
494          'pwg_token' => get_pwg_token(),
495          )
496        );
497
498      if (isset($edit_comment) and ($comment['comment_id'] == $edit_comment))
499      {
500        $tpl_comment['IN_EDIT'] = true;
501        $key = get_comment_post_key($comment['image_id']);
502        $tpl_comment['KEY'] = $key;
503        $tpl_comment['IMAGE_ID'] = $comment['image_id'];
504        $tpl_comment['CONTENT'] = $comment['content'];
505      }
506    }
507
508    if (can_manage_comment('validate', $comment['author_id']))
509    {
510      if ('true' != $comment['validated'])
511      {
512        $tpl_comment['U_VALIDATE'] = add_url_params(
513          $url,
514          array(
515            'validate'=> $comment['comment_id'],
516            'pwg_token' => get_pwg_token(),
517            )
518          );
519      }
520    }
521    $template->append('comments', $tpl_comment);
522  }
523}
524// +-----------------------------------------------------------------------+
525// |                           html code display                           |
526// +-----------------------------------------------------------------------+
527include(PHPWG_ROOT_PATH.'include/page_header.php');
528$template->pparse('comments');
529include(PHPWG_ROOT_PATH.'include/page_tail.php');
530?>
Note: See TracBrowser for help on using the repository browser.