public_html/comment.php
author Dirk Haun <dirk@haun-online.de>
Sat, 17 Oct 2009 14:09:44 +0200
branchHEAD
changeset 7383 2b8b42245059
parent 7314 f2e37d3490c9
child 7580 b93f6dca49e4
permissions -rw-r--r--
Don't display the comment form for a story when comments aren't enabled for it (bug #0000994)
     1 <?php
     2 
     3 /* Reminder: always indent with 4 spaces (no tabs). */
     4 // +---------------------------------------------------------------------------+
     5 // | Geeklog 1.6                                                               |
     6 // +---------------------------------------------------------------------------+
     7 // | comment.php                                                               |
     8 // |                                                                           |
     9 // | Let user comment on a story or plugin.                                    |
    10 // +---------------------------------------------------------------------------+
    11 // | Copyright (C) 2000-2009 by the following authors:                         |
    12 // |                                                                           |
    13 // | Authors: Tony Bibbs        - tony AT tonybibbs DOT com                    |
    14 // |          Mark Limburg      - mlimburg AT users DOT sourceforge DOT net    |
    15 // |          Jason Whittenburg - jwhitten AT securitygeeks DOT com            |
    16 // |          Dirk Haun         - dirk AT haun-online DOT de                   |
    17 // |          Vincent Furia     - vinny01 AT users DOT sourceforge DOT net     |
    18 // |          Jared Wenerd      - wenerd87 AT gmail DOT com                    |
    19 // +---------------------------------------------------------------------------+
    20 // |                                                                           |
    21 // | This program is free software; you can redistribute it and/or             |
    22 // | modify it under the terms of the GNU General Public License               |
    23 // | as published by the Free Software Foundation; either version 2            |
    24 // | of the License, or (at your option) any later version.                    |
    25 // |                                                                           |
    26 // | This program is distributed in the hope that it will be useful,           |
    27 // | but WITHOUT ANY WARRANTY; without even the implied warranty of            |
    28 // | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the             |
    29 // | GNU General Public License for more details.                              |
    30 // |                                                                           |
    31 // | You should have received a copy of the GNU General Public License         |
    32 // | along with this program; if not, write to the Free Software Foundation,   |
    33 // | Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.           |
    34 // |                                                                           |
    35 // +---------------------------------------------------------------------------+
    36 
    37 /**
    38 * This file is responsible for letting user enter a comment and saving the
    39 * comments to the DB.  All comment display stuff is in lib-common.php
    40 *
    41 * @author   Jason Whittenburg
    42 * @author   Tony Bibbs, tonyAT tonybibbs DOT com
    43 * @author   Vincent Furia, vinny01 AT users DOT sourceforge DOT net
    44 * @author   Jared Wenerd, wenerd87 AT gmail DOT com
    45 *
    46 */
    47 
    48 /**
    49 * Geeklog common function library
    50 */
    51 require_once 'lib-common.php';
    52 
    53 /**
    54  * Geeklog comment function library
    55  */
    56 require_once $_CONF['path_system'] . 'lib-comment.php';
    57 
    58 // Uncomment the line below if you need to debug the HTTP variables being passed
    59 // to the script.  This will sometimes cause errors but it will allow you to see
    60 // the data being passed in a POST operation
    61 // echo COM_debug($_POST);
    62 
    63 /**
    64  * Handles a comment submission
    65  *
    66  * @copyright Vincent Furia 2005
    67  * @author Vincent Furia, vinny01 AT users DOT sourceforge DOT net
    68  * @return string HTML (possibly a refresh)
    69  */
    70 function handleSubmit()
    71 {
    72     global $_CONF, $_TABLES, $_USER, $LANG03;
    73 
    74     $display = '';
    75 
    76     $type = COM_applyFilter ($_POST['type']);
    77     $sid = COM_applyFilter ($_POST['sid']);
    78     switch ( $type ) {
    79         case 'article':
    80             $commentcode = DB_getItem ($_TABLES['stories'], 'commentcode',
    81                                        "sid = '$sid'" . COM_getPermSQL('AND')
    82                                        . " AND (draft_flag = 0) AND (date <= NOW()) "
    83                                        . COM_getTopicSQL('AND'));
    84             if (!isset($commentcode) || ($commentcode != 0)) {
    85                 return COM_refresh($_CONF['site_url'] . '/index.php');
    86             }
    87 
    88             $ret = CMT_saveComment ( strip_tags ($_POST['title']), 
    89                 $_POST['comment'], $sid, COM_applyFilter ($_POST['pid'], true), 
    90                 'article', COM_applyFilter ($_POST['postmode']));
    91 
    92             if ($ret == -1) {
    93                 $url = COM_buildUrl($_CONF['site_url'] . '/article.php?story='
    94                                     . $sid);
    95                 $url .= (strpos($url, '?') ? '&' : '?') . 'msg=15';
    96                 $display = COM_refresh($url);
    97             } elseif ( $ret > 0 ) { // failure //FIXME: some failures should not return to comment form
    98                 $display .= COM_siteHeader ('menu', $LANG03[1])
    99                          . CMT_commentForm ($_POST['title'], $_POST['comment'],
   100                            $sid, COM_applyFilter($_POST['pid']), $type,
   101                            $LANG03[14], COM_applyFilter($_POST['postmode']))
   102                          . COM_siteFooter();
   103             } else { // success
   104                 $comments = DB_count ($_TABLES['comments'], 'sid', $sid);
   105                 DB_change ($_TABLES['stories'], 'comments', $comments, 'sid', $sid);
   106                 COM_olderStuff (); // update comment count in Older Stories block
   107                 $display = COM_refresh (COM_buildUrl ($_CONF['site_url']
   108                     . "/article.php?story=$sid"));
   109             }
   110             break;
   111         default: // assume plugin
   112             if ( !($display = PLG_commentSave($type, strip_tags ($_POST['title']), 
   113                                 $_POST['comment'], $sid, COM_applyFilter ($_POST['pid'], true),
   114                                 COM_applyFilter ($_POST['postmode']))) ) {
   115                 $display = COM_refresh ($_CONF['site_url'] . '/index.php');
   116             }
   117             break;
   118     }
   119 
   120     return $display;
   121 }
   122 
   123 /**
   124  * Handles a comment delete
   125  *
   126  * @copyright Vincent Furia 2005
   127  * @author Vincent Furia, vinny01 AT users DOT sourceforge DOT net
   128  * @return string HTML (possibly a refresh)
   129  */
   130 function handleDelete()
   131 {
   132     global $_CONF, $_TABLES;
   133 
   134     $display = '';
   135 
   136     $type = COM_applyFilter($_REQUEST['type']);
   137     $sid = COM_applyFilter($_REQUEST['sid']);
   138 
   139     switch ($type) {
   140     case 'article':
   141         $has_editPermissions = SEC_hasRights('story.edit');
   142         $result = DB_query("SELECT owner_id,group_id,perm_owner,perm_group,perm_members,perm_anon FROM {$_TABLES['stories']} WHERE sid = '$sid'");
   143         $A = DB_fetchArray($result);
   144 
   145         if ($has_editPermissions && SEC_hasAccess($A['owner_id'],
   146                 $A['group_id'], $A['perm_owner'], $A['perm_group'],
   147                 $A['perm_members'], $A['perm_anon']) == 3) {
   148             CMT_deleteComment(COM_applyFilter($_REQUEST['cid'], true), $sid,
   149                               'article');
   150             $comments = DB_count($_TABLES['comments'], 'sid', $sid);
   151             DB_change($_TABLES['stories'], 'comments', $comments,
   152                       'sid', $sid);
   153             $display .= COM_refresh(COM_buildUrl ($_CONF['site_url']
   154                                     . "/article.php?story=$sid") . '#comments');
   155         } else {
   156             COM_errorLog("User {$_USER['username']} (IP: {$_SERVER['REMOTE_ADDR']}) tried to illegally delete comment $cid from $type $sid");
   157             $display .= COM_refresh($_CONF['site_url'] . '/index.php');
   158         }
   159         break;
   160 
   161     default: // assume plugin
   162         if (!($display = PLG_commentDelete($type, 
   163                             COM_applyFilter($_REQUEST['cid'], true), $sid))) {
   164             $display = COM_refresh($_CONF['site_url'] . '/index.php');
   165         }
   166         break;
   167     }
   168 
   169     return $display;
   170 }
   171 
   172 /**
   173  * Handles a comment view request
   174  *
   175  * @copyright Vincent Furia 2005
   176  * @author Vincent Furia, vinny01 AT users DOT sourceforge DOT net
   177  * @param boolean $view View or display (true for view)
   178  * @return string HTML (possibly a refresh)
   179  */
   180 function handleView($view = true)
   181 {
   182     global $_CONF, $_TABLES, $_USER, $LANG_ACCESS;
   183 
   184     $display = '';
   185 
   186     if ($view) {
   187         $cid = COM_applyFilter ($_REQUEST['cid'], true);
   188     } else {
   189         $cid = COM_applyFilter ($_REQUEST['pid'], true);
   190     }
   191 
   192     if ($cid <= 0) {
   193         return COM_refresh($_CONF['site_url'] . '/index.php');
   194     }
   195     
   196     $sql = "SELECT sid, title, type FROM {$_TABLES['comments']} WHERE cid = $cid";
   197     $A = DB_fetchArray( DB_query($sql) );
   198     $sid   = $A['sid'];
   199     $title = $A['title'];
   200     $type  = $A['type'];
   201 
   202     $format = $_CONF['comment_mode'];
   203     if( isset( $_REQUEST['format'] )) {
   204         $format = COM_applyFilter( $_REQUEST['format'] );
   205     }
   206     if ( $format != 'threaded' && $format != 'nested' && $format != 'flat' ) {
   207         if ( $_USER['uid'] > 1 ) {
   208             $format = DB_getItem( $_TABLES['usercomment'], 'commentmode', 
   209                                   "uid = {$_USER['uid']}" );
   210         } else {
   211             $format = $_CONF['comment_mode'];
   212         }
   213     }
   214 
   215     switch ( $type ) {
   216         case 'article':
   217             $sql = 'SELECT COUNT(*) AS count, commentcode, owner_id, group_id, perm_owner, perm_group, '
   218                  . "perm_members, perm_anon FROM {$_TABLES['stories']} WHERE (sid = '$sid') "
   219                  . 'AND (draft_flag = 0) AND (commentcode >= 0) AND (date <= NOW())' . COM_getPermSQL('AND') 
   220                  . COM_getTopicSQL('AND') . ' GROUP BY sid,owner_id, group_id, perm_owner, perm_group,perm_members, perm_anon ';
   221             $result = DB_query ($sql);
   222             $B = DB_fetchArray ($result);
   223             $allowed = $B['count'];
   224 
   225             if ( $allowed == 1 ) {
   226                 $delete_option = ( SEC_hasRights( 'story.edit' ) &&
   227                     ( SEC_hasAccess( $B['owner_id'], $B['group_id'],
   228                         $B['perm_owner'], $B['perm_group'], $B['perm_members'],
   229                         $B['perm_anon'] ) == 3 ) );
   230                 $order = '';
   231                 if (isset ( $_REQUEST['order'])) {
   232                     $order = COM_applyFilter ($_REQUEST['order']);
   233                 }
   234                 $page = 0;
   235                 if (isset ($_REQUEST['page'])) {
   236                     $page = COM_applyFilter ($_REQUEST['page'], true);
   237                 }
   238                 $display .= CMT_userComments ($sid, $title, $type, $order,
   239                                 $format, $cid, $page, $view, $delete_option,
   240                                 $B['commentcode']);
   241             } else {
   242                 $display .= COM_startBlock ($LANG_ACCESS['accessdenied'], '',
   243                                     COM_getBlockTemplate ('_msg_block', 'header'))
   244                          . $LANG_ACCESS['storydenialmsg']
   245                          . COM_endBlock (COM_getBlockTemplate ('_msg_block', 'footer'));
   246             }
   247             break;
   248 
   249         default: // assume plugin
   250             $order = '';
   251             if (isset($_REQUEST['order'])) {
   252                 $order = COM_applyFilter($_REQUEST['order']);
   253             }
   254             $page = 0;
   255             if (isset($_REQUEST['page'])) {
   256                 $page = COM_applyFilter($_REQUEST['page'], true);
   257             }
   258             if ( !($display = PLG_displayComment($type, $sid, $cid, $title,
   259                                   $order, $format, $page, $view)) ) {
   260                 return COM_refresh($_CONF['site_url'] . '/index.php');
   261             }
   262             break;
   263     }
   264 
   265     return COM_siteHeader('menu', $title)
   266            . COM_showMessageFromParameter()
   267            . $display
   268            . COM_siteFooter();
   269 }
   270 
   271 /**
   272  * Handles a comment edit submission
   273  *
   274  * @copyright Jared Wenerd 2008
   275  * @author Jared Wenerd, wenerd87 AT gmail DOT com
   276  * @param  string $mode 'edit' or 'editsubmission'
   277  * @return string HTML (possibly a refresh)
   278  */
   279 function handleEdit($mode)
   280 {
   281     global $_TABLES, $LANG03;
   282     
   283     //get needed data
   284     $cid = COM_applyFilter ($_REQUEST['cid']);
   285     if ($mode == 'editsubmission') {
   286         $table = $_TABLES['commentsubmissions'];
   287         $result = DB_query("SELECT type, sid FROM {$_TABLES['commentsubmissions']} WHERE cid = $cid");
   288         list($type, $sid) = DB_fetchArray($result);
   289     } else {
   290         $sid = COM_applyFilter ($_REQUEST['sid']);
   291         $type = COM_applyFilter ($_REQUEST['type']);
   292         $table = $_TABLES['comments'];
   293     }
   294     
   295     //check for bad data 
   296     if (!is_numeric ($cid) || ($cid < 0) || empty ($sid) || empty ($type)) {
   297         COM_errorLog("handleEdit(): {$_USER['uid']} from {$_SERVER['REMOTE_ADDR']} tried "
   298                . 'to edit a comment with one or more missing/bad values.');
   299         return COM_refresh($_CONF['site_url'] . '/index.php');
   300     }
   301         
   302     $result = DB_query ("SELECT title,comment FROM $table "
   303         . "WHERE cid = $cid AND sid = '$sid' AND type = '$type'"); 
   304     if ( DB_numRows($result) == 1 ) {
   305         $A = DB_fetchArray ($result);
   306         $title = COM_stripslashes($A['title']);
   307         $commenttext = COM_stripslashes(COM_undoSpecialChars ($A['comment']));
   308         
   309         //remove signature   
   310         $pos = strpos( $commenttext,'<!-- COMMENTSIG --><span class="comment-sig">');
   311         if ( $pos > 0) { 
   312             $commenttext = substr($commenttext, 0, $pos);
   313         }
   314         
   315         //get format mode
   316         if ( preg_match( '/<.*>/', $commenttext ) != 0 ){
   317             $postmode = 'html';
   318         } else {
   319             $postmode = 'plaintext';
   320         }
   321     } else {
   322         COM_errorLog("handleEdit(): {$_USER['uid']} from {$_SERVER['REMOTE_ADDR']} tried "
   323                . 'to edit a comment that doesn\'t exist as described.');
   324         return COM_refresh($_CONF['site_url'] . '/index.php');
   325     }
   326             
   327     return COM_siteHeader('menu', $LANG03[1])
   328            . CMT_commentForm($title, $commenttext, $sid, $cid, $type, $mode,
   329                              $postmode)
   330            . COM_siteFooter();
   331 }
   332 
   333 
// MAIN
//
// Dispatch on $_REQUEST['mode'].  The preview / submit cases are keyed on the
// (localised) button labels in $LANG03, the others on fixed mode strings.
// State-changing modes (edit submit, delete, sendreport) require a valid
// CSRF token; 'editsubmission' additionally requires 'comment.moderate'.
CMT_updateCommentcodes();
$display = '';

// If reply specified, force comment submission form
if (isset ($_REQUEST['reply'])) {
    $_REQUEST['mode'] = '';
}

$mode = '';
if (!empty ($_REQUEST['mode'])) {
    $mode = COM_applyFilter ($_REQUEST['mode']);
}
switch ($mode) {
case $LANG03[28]: // Preview Changes (for edit)
case $LANG03[34]: // Preview Submission changes (for edit)
case $LANG03[14]: // Preview
    // re-display the form with the posted values; nothing is saved here
    $display .= COM_siteHeader('menu', $LANG03[14])
             . CMT_commentForm (strip_tags ($_POST['title']), $_POST['comment'],
                    COM_applyFilter ($_POST['sid']),
                    COM_applyFilter ($_POST['pid'], true),
                    COM_applyFilter ($_POST['type']), $mode,
                    COM_applyFilter ($_POST['postmode']))
             . COM_siteFooter(); 
    break;

case $LANG03[35]: // Submit Changes to Moderation table
case $LANG03[29]: // Submit Changes
    if (SEC_checkToken()) {
        $display .= CMT_handleEditSubmit($mode);
    } else {
        $display .= COM_refresh($_CONF['site_url'] . '/index.php');
    }
    break;
    
case $LANG03[11]: // Submit Comment
    // NOTE(review): no SEC_checkToken() here, unlike the edit/delete paths;
    // confirm whether CMT_saveComment() covers this (speed limit, captcha, ...)
    $display .= handleSubmit();  // moved to function for readibility
    break;

case 'delete':
    if (SEC_checkToken()) {
        $display .= handleDelete();  // moved to function for readibility
    } else {
        $display .= COM_refresh($_CONF['site_url'] . '/index.php');
    }
    break;

case 'view':
    $display .= handleView(true);  // moved to function for readibility
    break;

case 'display':
    $display .= handleView(false);  // moved to function for readibility
    break;

case 'report':
    $display .= COM_siteHeader('menu', $LANG03[27])
             . CMT_reportAbusiveComment(COM_applyFilter($_GET['cid'], true),
                                        COM_applyFilter($_GET['type']))
             . COM_siteFooter();
    break;

case 'sendreport':
    if (SEC_checkToken()) {
        $display .= CMT_sendReport(COM_applyFilter($_POST['cid'], true),
                                   COM_applyFilter($_POST['type']));
    } else {
        $display .= COM_refresh($_CONF['site_url'] . '/index.php');
    }
    break;

case 'editsubmission':
    if (!SEC_hasRights('comment.moderate')) { 
        $display .= COM_refresh($_CONF['site_url'] . '/index.php');
        break; 
    }
    // deliberate fall-through
case 'edit':
    $display .= handleEdit($mode);
    break;

case 'unsubscribe':
    // the key is the per-subscription delete hash from the notification mail;
    // a matching row is removed and DB_delete() is handed the page to go to.
    // exit here because DB_delete() is expected to have sent that redirect.
    $cid = 0;
    $key = COM_applyFilter($_GET['key']);
    if (! empty($key)) {
        $key = addslashes($key);
        $cid = DB_getItem($_TABLES['commentnotifications'], 'cid',
                          "deletehash = '$key'");
        if (! empty($cid)) {
            $redirecturl = $_CONF['site_url']
                         . '/comment.php?mode=view&amp;cid=' . $cid
                         . '&amp;format=nested&amp;msg=16';
            DB_delete($_TABLES['commentnotifications'], 'deletehash', $key,
                      $redirecturl);
            exit;
        }
    }
    $display = COM_refresh($_CONF['site_url'] . '/index.php');
    break;

default:  // New Comment
    $abort = false;
    $sid = COM_applyFilter ($_REQUEST['sid']);
    $type = COM_applyFilter ($_REQUEST['type']);
    $title = '';
    if (isset ($_REQUEST['title'])) {
        $title = strip_tags ($_REQUEST['title']);
    }
    $postmode = $_CONF['postmode'];
    if (isset ($_REQUEST['postmode'])) {
        $postmode = COM_applyFilter ($_REQUEST['postmode']);
    }

    if ($type == 'article') {
        // Only show the form for a story the user may see that also accepts
        // comments (commentcode = 0, the same condition handleSubmit() enforces
        // on save) -- see bug #0000994.
        $dbTitle = DB_getItem($_TABLES['stories'], 'title',
                    "(sid = '$sid') AND (draft_flag = 0) AND (date <= NOW()) AND (commentcode = 0)"
                    . COM_getPermSQL('AND') . COM_getTopicSQL('AND'));
        // NOTE(review): assumes DB_getItem() returns null (not '' or false)
        // when no row matches -- confirm in lib-database.php
        if ($dbTitle === null) {
            // no permissions, or no story of that title
            $display = COM_refresh($_CONF['site_url'] . '/index.php');
            $abort = true;
        }
    }
    if (!$abort) {
        if (!empty ($sid) && !empty ($type)) { 
            if (empty ($title)) {
                if ($type == 'article') {
                    $title = $dbTitle;
                }
                $title = str_replace ('$', '&#36;', $title);
                // CMT_commentForm expects non-htmlspecial chars for title...
                $title = str_replace ( '&amp;', '&', $title );
                $title = str_replace ( '&quot;', '"', $title );
                $title = str_replace ( '&lt;', '<', $title );
                $title = str_replace ( '&gt;', '>', $title );
            }
            // keep the bare form page out of search engine indexes
            $noindex = '<meta name="robots" content="noindex"' . XHTML . '>'
                     . LB;
            $pid = 0;
            if (isset($_REQUEST['pid'])) {
                $pid = COM_applyFilter($_REQUEST['pid'], true);
            }
            $display .= COM_siteHeader('menu', $LANG03[1], $noindex)
                     . CMT_commentForm($title, '', $sid, $pid, $type, $mode,
                                       $postmode)
                     . COM_siteFooter();
        } else {
            $display .= COM_refresh($_CONF['site_url'] . '/index.php');
        }
    }
    break;
}

COM_output($display);

// NOTE(review): the closing tag below is optional in a PHP-only file; any
// whitespace after it would be sent to the client before headers are done.
?>