Changeset 4508 for branches/2.0/comments.php
- Timestamp:
- Dec 17, 2009, 11:47:31 PM (14 years ago)
- File:
-
- 1 edited
branches/2.0/comments.php
r4191 r4508 114 114 } 115 115 116 // search a specific comment (if you're coming directly from an admin 117 // notification email) 118 if (!empty($_GET['comment_id'])) 119 { 120 check_input_parameter('comment_id', $_GET['comment_id'], false, PATTERN_ID); 121 122 // currently, the $_GET['comment_id'] is only used by admins from email 123 // for management purpose (validate/delete) 124 if (!is_admin()) 125 { 126 $login_url = 127 get_root_url().'identification.php?redirect=' 128 .urlencode(urlencode($_SERVER['REQUEST_URI'])) 129 ; 130 redirect($login_url); 131 } 132 133 $page['where_clauses'][] = 'com.id = '.$_GET['comment_id']; 134 } 135 116 136 // search a substring among comments content 117 137 if (!empty($_GET['keyword'])) … … 153 173 // | comments management | 154 174 // +-----------------------------------------------------------------------+ 155 if (isset($_GET['delete']) and is_numeric($_GET['delete']) 156 and !is_adviser() ) 157 {// comments deletion 158 check_status(ACCESS_ADMINISTRATOR); 159 $query = ' 160 DELETE FROM '.COMMENTS_TABLE.' 161 WHERE id='.$_GET['delete'].' 162 ;'; 163 pwg_query($query); 164 } 165 166 if (isset($_GET['validate']) and is_numeric($_GET['validate']) 167 and !is_adviser() ) 168 { // comments validation 169 check_status(ACCESS_ADMINISTRATOR); 170 $query = ' 175 176 if (isset($_GET['delete']) or isset($_GET['validate'])) 177 { 178 check_pwg_token(); 179 180 if (!is_adviser()) 181 { 182 check_status(ACCESS_ADMINISTRATOR); 183 184 if (isset($_GET['delete'])) 185 { 186 check_input_parameter('delete', $_GET['delete'], false, PATTERN_ID); 187 188 $query = ' 189 DELETE 190 FROM '.COMMENTS_TABLE.' 191 WHERE id = '.$_GET['delete'].' 192 ;'; 193 pwg_query($query); 194 } 195 196 if (isset($_GET['validate'])) 197 { 198 check_input_parameter('validate', $_GET['validate'], false, PATTERN_ID); 199 200 $query = ' 171 201 UPDATE '.COMMENTS_TABLE.' 172 SET validated = \'true\' 173 , validation_date = NOW() 174 WHERE id='.$_GET['validate'].' 
175 ;'; 176 pwg_query($query); 202 SET validated = "true" 203 , validation_date = NOW() 204 WHERE id = '.$_GET['validate'].' 205 ;'; 206 pwg_query($query); 207 } 208 209 $redirect_url = 210 PHPWG_ROOT_PATH 211 .'comments.php' 212 .get_query_string_diff(array('delete','validate','pwg_token')); 213 redirect($redirect_url); 214 } 177 215 } 178 216 … … 269 307 $url = PHPWG_ROOT_PATH 270 308 .'comments.php' 271 .get_query_string_diff(array('start','delete','validate'));309 .get_query_string_diff(array('start','delete','validate','pwg_token')); 272 310 273 311 $navbar = create_navigation_bar($url, … … 381 419 if ( is_admin() ) 382 420 { 383 $url = get_root_url().'comments.php'.get_query_string_diff(array('delete','validate')); 384 $tpl_comment['U_DELETE'] = add_url_params($url, 385 array('delete'=>$comment['comment_id']) 386 ); 421 $url = get_root_url().'comments.php'.get_query_string_diff(array('delete','validate','pwg_token')); 422 423 $tpl_comment['U_DELETE'] = add_url_params( 424 $url, 425 array( 426 'delete' => $comment['comment_id'], 427 'pwg_token' => get_pwg_token(), 428 ) 429 ); 387 430 388 431 if ($comment['validated'] != 'true') 389 432 { 390 $tpl_comment['U_VALIDATE'] = add_url_params($url, 391 array('validate'=>$comment['comment_id']) 392 ); 433 $tpl_comment['U_VALIDATE'] = add_url_params( 434 $url, 435 array( 436 'validate' => $comment['comment_id'], 437 'pwg_token' => get_pwg_token(), 438 ) 439 ); 393 440 } 394 441 }
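Review bot: The validation UPDATE in the new code changes the string literal from `\'true\'` to `"true"` (`SET validated = "true"`), and on a MySQL connection whose sql_mode includes ANSI_QUOTES a double-quoted token is parsed as an identifier rather than a string, so the statement would fail or not set the column as intended; keeping the single-quoted form the old line used, `SET validated = \'true\'`, removes that dependency on server configuration. The `check_pwg_token()` and `check_input_parameter(..., PATTERN_ID)` calls placed before the two queries are what keep the concatenated `$_GET['delete']` / `$_GET['validate']` values from reaching `pwg_query` unvalidated, so a short comment stating that ordering is intentional would help the next maintainer, e.g. `// validate the id format before it is concatenated into the query below`. I would also note that the post-action redirect, which strips delete, validate and pwg_token from the query string, only runs inside the `!is_adviser()` branch, so an adviser's request appears to render the page with the token still in the URL — likely harmless since no action is performed, but worth confirming or commenting. The surrounding comments-management block is a top-level script section whose beginning and end fall outside the hunk.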