Changeset 3450


Timestamp:
Jun 23, 2009, 11:18:16 PM (15 years ago)
Author:
nikrou
Message:

Feature 1026 step 2 :
add an author_id column so that a guest cannot modify old users' comments

Location:
trunk
Files:
1 added
5 edited

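--- a/trunk/admin/comments.php
+++ b/trunk/admin/comments.php
@@ -135,8 +135,10 @@
 
 $query = '
-SELECT c.id, c.image_id, c.date, c.author, c.content, i.path, i.tn_ext
+SELECT c.id, c.image_id, c.date, c.author, u.username, c.content, i.path, i.tn_ext
   FROM '.COMMENTS_TABLE.' AS c
     INNER JOIN '.IMAGES_TABLE.' AS i
       ON i.id = c.image_id
+    LEFT JOIN '.USERS_TABLE.' AS u
+      ON u.id = c.author_id
   WHERE validated = \'false\'
   ORDER BY c.date DESC
@@ -152,4 +154,12 @@
         )
      );
+  if (empty($row['author_id']))
+  {
+    $author_name = $row['author'];
+  }
+  else
+  {
+    $author_name = $row['username'];
+  }
   $template->append(
     'comments',
@@ -160,5 +170,5 @@
       'ID' => $row['id'],
       'TN_SRC' => $thumb,
-      'AUTHOR' => trigger_event('render_comment_author', $row['author']),
+      'AUTHOR' => trigger_event('render_comment_author', $author_name),
       'DATE' => format_date($row['date'], true),
       'CONTENT' => trigger_event('render_comment_content',$row['content'])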
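Review bot: The branch at new lines 156–163 decides on `author_id`, so a guest comment is shown under the guest account's username instead of the name the guest typed: functions_comment.inc.php in this same changeset stores `$conf['guest_id']` as `author_id` for guests and `''` as `author` for registered users, so `author_id` is non-empty for both. comments.php and picture_comment.inc.php decide on `empty($row['author'])` instead, and this page should match them: `if (!empty($row['author'])) { $author_name = $row['author']; } else { $author_name = $row['username']; }`. Comments written before the column existed keep a NULL `author_id` and a filled `author`, so that form covers them as well. Whether `$conf['guest_id']` corresponds to a row in USERS_TABLE is not visible here; if it does not, `username` comes back NULL and the current code renders an empty author.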
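--- a/trunk/comments.php
+++ b/trunk/comments.php
@@ -101,5 +101,7 @@
 if (isset($_GET['author']) and !empty($_GET['author']))
 {
-  $page['where_clauses'][] = 'com.author = \''.$_GET['author'].'\'';
+  $page['where_clauses'][] =
+    'u.username = \''.addslashes($_GET['author']).'\'
+     OR author = \''.addslashes($_GET['author']).'\'';   
 }
 
@@ -262,8 +264,10 @@
 
 $query = '
-SELECT COUNT(DISTINCT(id))
+SELECT COUNT(DISTINCT(com.id))
   FROM '.IMAGE_CATEGORY_TABLE.' AS ic
     INNER JOIN '.COMMENTS_TABLE.' AS com
     ON ic.image_id = com.image_id
+    LEFT JOIN '.USERS_TABLE.' As u
+    ON u.id = com.author_id
   WHERE '.implode('
     AND ', $page['where_clauses']).'
@@ -296,10 +300,14 @@
      , ic.category_id
      , com.author
+     , com.author_id
+     , username
      , com.date
      , com.content
      , com.validated
   FROM '.IMAGE_CATEGORY_TABLE.' AS ic
-    INNER JOIN '.COMMENTS_TABLE.' AS com
+    INNER JOIN '.COMMENTS_TABLE.' AS com   
     ON ic.image_id = com.image_id
+    LEFT JOIN '.USERS_TABLE.' AS u
+    ON u.id = com.author_id
   WHERE '.implode('
     AND ', $page['where_clauses']).'
@@ -367,8 +375,15 @@
           );
 
-    $author = $comment['author'];
-    if (empty($comment['author']))
-    {
-      $author = l10n('guest');
+    if (!empty($comment['author']))
+    {
+      $author = $comment['author'];
+      if ($author == 'guest')
+      {
+        $author = l10n('guest');
+      }
+    }
+    else
+    {
+      $author = $comment['username'];
     }
 
@@ -383,5 +398,5 @@
         );
 
-    if (can_manage_comment('delete', $comment['author']))
+    if (can_manage_comment('delete', $comment['author_id']))
     {
       $url = get_root_url().'comments.php'
@@ -392,5 +407,5 @@
                        );
     }
-    if (can_manage_comment('edit', $comment['author']))
+    if (can_manage_comment('edit', $comment['author_id']))
     {
       $url = get_root_url().'comments.php'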
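Review bot: The filter added at new lines 103–105 is joined to the other `where_clauses` with `AND` (new lines 272–273 and 312–313) but contains an unparenthesised `OR`, so the generated `... AND u.username = 'x' OR author = 'x'` lets the `OR` branch bypass every other clause in `$page['where_clauses']`, including any visibility or validation restriction they carry. Wrap the pair: `'(u.username = \''.addslashes($_GET['author']).'\' OR author = \''.addslashes($_GET['author']).'\')'`. `addslashes` is also not a SQL escape — it ignores the connection charset — and `$_GET['author']` is the one user-controlled value this section splices into SQL; the driver's own escaping (`mysql_real_escape_string()` for the ext/mysql calls used elsewhere in this changeset) is the safer form. The surrounding query-building code starts and ends outside these hunks.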
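--- a/trunk/include/functions_comment.inc.php
+++ b/trunk/include/functions_comment.inc.php
@@ -92,4 +92,5 @@
       $comm['author'] = 'guest';
     }
+    $comm['author_id'] = $conf['guest_id'];
     // if a guest try to use the name of an already existing user, he must be
     // rejected
@@ -110,6 +111,8 @@
   else
   {
-    $comm['author'] = $user['username'];
-  }
+    $comm['author'] = '';
+    $comm['author_id'] = $user['id'];
+  }
+
   if ( empty($comm['content']) )
   { // empty comment content
@@ -135,5 +138,5 @@
 SELECT id FROM '.COMMENTS_TABLE.'
   WHERE date > FROM_UNIXTIME('.$reference_date.')
-    AND author = "'.addslashes($comm['author']).'"';
+    AND author_id = '.$comm['author_id'];
     if ( mysql_num_rows( pwg_query( $query ) ) > 0 )
     {
@@ -152,7 +155,8 @@
     $query = '
 INSERT INTO '.COMMENTS_TABLE.'
-  (author, content, date, validated, validation_date, image_id)
+  (author, author_id, content, date, validated, validation_date, image_id)
   VALUES (
     "'.addslashes($comm['author']).'",
+    '.$comm['author_id'].',
     "'.addslashes($comm['content']).'",
     NOW(),
@@ -167,19 +171,23 @@
     $comm['id'] = mysql_insert_id();
 
-    if
-      (
-        ($comment_action=='validate' and $conf['email_admin_on_comment'])
-        or
-        ($comment_action!='validate' and $conf['email_admin_on_comment_validation'])
-      )
+    if (($comment_action=='validate' and $conf['email_admin_on_comment']) or
+        ($comment_action!='validate'
+         and $conf['email_admin_on_comment_validation']))
     {
       include_once(PHPWG_ROOT_PATH.'include/functions_mail.inc.php');
 
-      $del_url =
-          get_absolute_root_url().'comments.php?delete='.$comm['id'];
-
+      $del_url = get_absolute_root_url().'comments.php?delete='.$comm['id'];
+
+      if (empty($comm['author']))
+      {
+        $author_name = $user['username'];
+      }
+      else
+      {
+        $author_name = $comm['author'];
+      }
       $keyargs_content = array
       (
-        get_l10n_args('Author: %s', $comm['author']),
+        get_l10n_args('Author: %s', $author_name),
         get_l10n_args('Comment: %s', $comm['content']),
         get_l10n_args('', ''),
@@ -198,5 +206,5 @@
       pwg_mail_notification_admins
       (
-        get_l10n_args('Comment by %s', $comm['author']),
+        get_l10n_args('Comment by %s', $author_name),
         $keyargs_content
       );
@@ -219,5 +227,5 @@
   if (!is_admin())
   {
-    $user_where_clause = '   AND author = \''.$GLOBALS['user']['username'].'\'';
+    $user_where_clause = '   AND author_id = \''.$GLOBALS['user']['id'].'\'';
   }
   $query = '
@@ -265,5 +273,5 @@
 SELECT id FROM '.COMMENTS_TABLE.'
   WHERE date > FROM_UNIXTIME('.$reference_date.')
-    AND author = "'.$GLOBALS['user']['username'].'"';
+    AND author_id = '.$comm['author_id'];
     if ( mysql_num_rows( pwg_query( $query ) ) > 0 )
     {
@@ -287,6 +295,6 @@
     if (!is_admin())
     {
-      $user_where_clause = '   AND author = \''.
-        $GLOBALS['user']['username'].'\'';
+      $user_where_clause = '   AND author_id = \''.
+        $GLOBALS['user']['id'].'\'';
     }
     $query = '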
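Review bot: The flood check at new line 275 keys on `$comm['author_id']`, but the line it replaces compared against `$GLOBALS['user']['username']`, and the neighbouring where-clauses at new lines 229 and 297–298 in the same function switched to `$GLOBALS['user']['id']`; unless the caller fills `$comm['author_id']` (the function's start is outside this section), the concatenation yields `AND author_id = ` and an invalid query. Use `    AND author_id = '.(int)$GLOBALS['user']['id'];` — the cast matters because the value is spliced into SQL unquoted, as the ones at new lines 140 and 160 are too. A side effect of the design worth a comment at new line 94: every anonymous poster now shares `$conf['guest_id']`, so the check at new line 140 rate-limits all guests as one author rather than per typed name, and one guest's recent comment blocks every other guest for the interval.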
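--- a/trunk/include/functions_user.inc.php
+++ b/trunk/include/functions_user.inc.php
@@ -1203,5 +1203,5 @@
  * @return bool
  */
-function can_manage_comment($action, $comment_author)
+function can_manage_comment($action, $comment_author_id)
 {
   if (!in_array($action, array('delete','edit'))) {
@@ -1209,5 +1209,6 @@
   }
   return (is_admin() ||
-          (($GLOBALS['user']['username'] == $comment_author)
+          (($GLOBALS['user']['id'] == $comment_author_id)
+           && !is_a_guest()
            && $GLOBALS['conf'][sprintf('user_can_%s_comment', $action)]));
 }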
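Review bot: The comparison at new line 1211 is loose (`==`), and `$comment_author_id` is NULL for comments that predate the column (the "old users comments" the commit message refers to) and a string when it arrives from `mysql_fetch_array`; under PHP's loose rules an empty or non-numeric value can compare equal to a user id of `0` or `''`, which is the kind of attribution this commit is meant to close. Prefer an explicit guard with a strict comparison: `(!empty($comment_author_id) && (int)$GLOBALS['user']['id'] === (int)$comment_author_id)`. The docblock above this hunk (its `@param` lines are outside it) still describes the old author-name parameter and should document `$comment_author_id` as the integer id from the comment's `author_id` column, NULL for legacy rows.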
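--- a/trunk/include/picture_comment.inc.php
+++ b/trunk/include/picture_comment.inc.php
@@ -129,6 +129,8 @@
 
     $query = '
-SELECT id,author,date,image_id,content,validated
-  FROM '.COMMENTS_TABLE.'
+SELECT com.id,author,author_id,username,date,image_id,content,validated
+  FROM '.COMMENTS_TABLE.' AS com
+  LEFT JOIN '.USERS_TABLE.' AS u
+    ON u.id = author_id
   WHERE image_id = '.$page['image_id'].
 $validated_clause.'
@@ -140,10 +142,20 @@
     while ($row = mysql_fetch_array($result))
     {
+      if (!empty($row['author']))
+      {
+        $author = $row['author'];
+        if ($author == 'guest')
+        {
+          $author = l10n('guest');
+        }
+      }
+      else
+      {
+        $author = $row['username'];
+      }
+
       $tpl_comment =
         array(
-          'AUTHOR' => trigger_event('render_comment_author',
-            empty($row['author'])
-            ? l10n('guest')
-            : $row['author']),
+          'AUTHOR' => trigger_event('render_comment_author', $author),
 
           'DATE' => format_date( $row['date'], true),
@@ -152,5 +164,5 @@
         );
 
-      if (can_manage_comment('delete', $row['author']))
+      if (can_manage_comment('delete', $row['author_id']))
       {
         $tpl_comment['U_DELETE'] =
@@ -162,5 +174,5 @@
                          );
       }
-      if (can_manage_comment('edit', $row['author']))
+      if (can_manage_comment('edit', $row['author_id']))
       {
         $tpl_comment['U_EDIT'] =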
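Review bot: The author-resolution block at new lines 144–155 is a byte-for-byte copy of the one added to comments.php at new lines 377–387, and admin/comments.php carries a third, differently ordered variant; three copies of one rule (typed name wins, else the joined username, with 'guest' localised) will drift the next time the rule changes. Move it into functions_comment.inc.php as a single helper, e.g. `function get_comment_author_name($row)` returning `!empty($row['author']) ? ($row['author'] == 'guest' ? l10n('guest') : $row['author']) : $row['username']`, and call it from all three places. The unqualified `ON u.id = author_id` at new line 134 stays unambiguous only while `author_id` exists in just one of the joined tables; `com.author_id`, as comments.php writes it, avoids that dependency.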