Beispiel #1
0
/**
 * Handles comment processing
 *
 * @param    string   $mode    Mode of comment processing
 * @param    string   $type    Type of item (article, polls, etc.)
 * @param    string   $title   Title of item
 * @param    string   $sid     ID for item to show comments for
 * @param    string   $format  'threaded', 'nested', or 'flat'
 * @return   string            HTML formated
 */
function CMT_handleComment($mode = '', $type = '', $title = '', $sid = '', $format = '')
{
    global $_CONF, $_TABLES, $_USER, $LANG03, $LANG_ADMIN, $topic, $_PLUGINS;
    $commentmode = '';
    if (!empty($_REQUEST[CMT_MODE])) {
        $commentmode = COM_applyFilter($_REQUEST[CMT_MODE]);
    }
    if (empty($mode)) {
        $mode = COM_applyFilter(COM_getArgument(CMT_MODE));
    }
    if (empty($commentmode) && !empty($mode)) {
        $commentmode = $mode;
    }
    if (empty($sid) && !empty($_REQUEST[CMT_SID])) {
        $sid = COM_applyFilter($_REQUEST[CMT_SID]);
    }
    $pid = 0;
    if (!empty($_REQUEST[CMT_PID])) {
        $pid = COM_applyFilter($_REQUEST[CMT_PID], true);
    }
    if (empty($type) && !empty($_REQUEST[CMT_TYPE])) {
        $type = COM_applyFilter($_REQUEST[CMT_TYPE]);
    }
    if (!empty($_REQUEST['title'])) {
        $title = $_REQUEST['title'];
        // apply filters later in CMT_commentForm or CMT_saveComment
    }
    if (!empty($_REQUEST[CMT_UID])) {
        $uid = COM_applyFilter($_REQUEST[CMT_UID]);
    } else {
        $uid = 1;
        if (!empty($_USER['uid'])) {
            $uid = $_USER['uid'];
        }
    }
    $postmode = $_CONF['postmode'];
    if (isset($_REQUEST['postmode'])) {
        $postmode = COM_applyFilter($_REQUEST['postmode']);
    }
    $formtype = '';
    if (!empty($_REQUEST['formtype'])) {
        $formtype = COM_applyFilter($_REQUEST['formtype']);
    }
    // Get comment id, may not be there...will handle in function
    $cid = 0;
    if (isset($_REQUEST[CMT_CID])) {
        $cid = COM_applyFilter($_REQUEST[CMT_CID], true);
    }
    TOPIC_getTopic('comment', $cid);
    if (empty($format) && isset($_REQUEST['format'])) {
        $format = COM_applyFilter($_REQUEST['format']);
    }
    if (!in_array($format, array('threaded', 'nested', 'flat', 'nocomment'))) {
        if (COM_isAnonUser()) {
            $format = $_CONF['comment_mode'];
        } else {
            $format = DB_getItem($_TABLES['usercomment'], 'commentmode', "uid = {$_USER['uid']}");
        }
    }
    $order = '';
    if (isset($_REQUEST['order'])) {
        $order = COM_applyFilter($_REQUEST['order']);
    }
    $cpage = 1;
    if (!empty($_REQUEST['cpage'])) {
        $cpage = COM_applyFilter($_REQUEST['cpage'], true);
        if (empty($cpage)) {
            $cpage = 1;
        }
    }
    $is_comment_page = CMT_isCommentPage();
    $retval = '';
    if ($_CONF['show_comments_at_replying'] && $is_comment_page && !empty($sid) && !empty($type) && in_array($commentmode, array('', $LANG03[28], $LANG03[34], $LANG03[14], 'edit'))) {
        if ($commentmode == 'edit') {
            $cid = 0;
            if (isset($_REQUEST[CMT_CID])) {
                $cid = COM_applyFilter($_REQUEST[CMT_CID], true);
            }
            if ($cid <= 0) {
                COM_errorLog("CMT_handleComment(): {$_USER['uid']} from {$_SERVER['REMOTE_ADDR']} tried " . 'to edit a comment with one or more missing/bad values.');
                return COM_refresh($_CONF['site_url'] . '/index.php');
            }
            $pid = $cid;
        }
        if ($pid > 0 && empty($title)) {
            $atype = DB_escapeString($type);
            $title = DB_getItem($_TABLES['comments'], 'title', "(cid = {$pid}) AND (type = '{$atype}')");
        }
        if (empty($title)) {
            $title = PLG_getItemInfo($type, $sid, 'title');
            $title = str_replace('$', '&#36;', $title);
            // CMT_userComments expects non-htmlspecial chars for title...
            $title = str_replace('&amp;', '&', $title);
            $title = str_replace('&quot;', '"', $title);
            $title = str_replace('&lt;', '<', $title);
            $title = str_replace('&gt;', '>', $title);
        }
        $retval .= CMT_userComments($sid, $title, $type, $order, $format, $pid, $cpage, $pid > 0, false, 0);
    }
    switch ($commentmode) {
        case $LANG03[28]:
            // Preview Changes (for edit)
        // Preview Changes (for edit)
        case $LANG03[34]:
            // Preview Submission changes (for edit)
        // Preview Submission changes (for edit)
        case $LANG03[14]:
            // Preview
            $retval .= CMT_commentForm($title, $_POST['comment'], $sid, $pid, $type, $commentmode, $postmode, $format, $order, $cpage);
            if ($is_comment_page) {
                $retval = COM_createHTMLDocument($retval, array('pagetitle' => $LANG03[14]));
            }
            break;
        case $LANG03[35]:
            // Submit Changes to Moderation table
        // Submit Changes to Moderation table
        case $LANG03[29]:
            // Submit Changes
            if (SEC_checkToken()) {
                $retval .= CMT_handleEditSubmit($commentmode);
            } else {
                echo COM_refresh($_CONF['site_url'] . '/index.php');
                exit;
            }
            break;
        case $LANG03[11]:
            // Submit comment
            $retval .= CMT_handleSubmit($title, $sid, $pid, $type, $postmode, $uid);
            break;
        case $LANG_ADMIN['delete']:
        case 'delete':
            // Delete comment
            if (SEC_checkToken()) {
                $retval .= CMT_handleDelete($sid, $type, $formtype);
            } else {
                echo COM_refresh($_CONF['site_url'] . '/index.php');
                exit;
            }
            break;
        case 'view':
            // View comment by $cid
            $retval .= CMT_handleView($format, $order, $cpage, true);
            break;
        case 'display':
            // View comment by $pid
            $retval .= CMT_handleView($format, $order, $cpage, false);
            break;
        case 'report':
            if ($is_comment_page) {
                $cid = 0;
                if (isset($_GET[CMT_CID])) {
                    $cid = COM_applyFilter($_GET[CMT_CID], true);
                }
                $type = '';
                if (isset($_GET[CMT_TYPE])) {
                    $type = COM_applyFilter($_GET[CMT_TYPE]);
                }
                if ($cid <= 0 || empty($type)) {
                    echo COM_refresh($_CONF['site_url'] . '/index.php');
                    exit;
                }
                $retval .= CMT_reportAbusiveComment($cid, $type);
                $retval = COM_createHTMLDocument($retval, array('pagetitle' => $LANG03[27]));
            }
            break;
        case 'sendreport':
            if (SEC_checkToken()) {
                $cid = 0;
                if (isset($_POST[CMT_CID])) {
                    $cid = COM_applyFilter($_POST[CMT_CID], true);
                }
                $type = '';
                if (isset($_POST[CMT_TYPE])) {
                    $type = COM_applyFilter($_POST[CMT_TYPE]);
                }
                if ($cid <= 0 || empty($type)) {
                    echo COM_refresh($_CONF['site_url'] . '/index.php');
                    exit;
                }
                $retval .= CMT_sendReport($cid, $type);
            } else {
                echo COM_refresh($_CONF['site_url'] . '/index.php');
                exit;
            }
            break;
        case 'editsubmission':
            if (!SEC_hasRights('comment.moderate')) {
                echo COM_refresh($_CONF['site_url'] . '/index.php');
                exit;
            }
            // deliberate fall-through
        // deliberate fall-through
        case 'edit':
            $retval .= CMT_handleEdit($commentmode, $postmode, $format, $order, $cpage);
            if ($is_comment_page) {
                $retval = COM_createHTMLDocument($retval, array('pagetitle' => $LANG03[1]));
            }
            break;
        case 'unsubscribe':
            $cid = 0;
            $key = COM_applyFilter($_GET['key']);
            if (!empty($key)) {
                $key = DB_escapeString($key);
                $cid = DB_getItem($_TABLES['commentnotifications'], 'cid', "deletehash = '{$key}'");
                if (!empty($cid)) {
                    $redirecturl = $_CONF['site_url'] . '/comment.php?mode=view&amp;cid=' . $cid . '&amp;format=nested&amp;msg=16';
                    DB_delete($_TABLES['commentnotifications'], 'deletehash', $key, $redirecturl);
                    exit;
                }
            }
            echo COM_refresh($_CONF['site_url'] . '/index.php');
            exit;
            break;
        case $LANG_ADMIN['cancel']:
            if ($formtype == 'editsubmission') {
                echo COM_refresh($_CONF['site_admin_url'] . '/moderation.php');
                exit;
            } else {
                $retval .= CMT_handleCancel();
                // moved to function for readibility
            }
            break;
        default:
            // New Comment or Reply Comment
            $abort = false;
            // Check to make sure comment type exists
            if ($type != 'article' && !in_array($type, $_PLUGINS)) {
                $abort = true;
            }
            // Check article permissions
            if (!$abort && $type == 'article' && !empty($sid)) {
                $dbTitle = DB_getItem($_TABLES['stories'], 'title', "(sid = '{$sid}') AND (draft_flag = 0) AND (date <= NOW()) AND (commentcode = 0)" . COM_getPermSQL('AND'));
                // if ($dbTitle === null || TOPIC_hasMultiTopicAccess('article', $sid) < 2) { // Make sure have at least read access to topics to post comment
                if ($dbTitle === null || TOPIC_hasMultiTopicAccess('article', $sid, $topic) < 2) {
                    // Make sure have at least read access to current topic of article to post comment
                    // no permissions, or no story of that title
                    $abort = true;
                }
            }
            if (!$abort && !empty($sid) && !empty($type)) {
                if ($pid > 0 && empty($title)) {
                    $atype = DB_escapeString($type);
                    $title = DB_getItem($_TABLES['comments'], 'title', "(cid = {$pid}) AND (type = '{$atype}')");
                }
                if (empty($title)) {
                    $title = PLG_getItemInfo($type, $sid, 'title');
                    // Check title, if for some reason blank assume no access allowed to plugin item (therefore cannot add comment) so return to homepage
                    if (is_array($title) || empty($title) || $title == false) {
                        echo COM_refresh($_CONF['site_url'] . '/index.php');
                        exit;
                    }
                    $title = str_replace('$', '&#36;', $title);
                    // CMT_commentForm expects non-htmlspecial chars for title...
                    $title = str_replace('&amp;', '&', $title);
                    $title = str_replace('&quot;', '"', $title);
                    $title = str_replace('&lt;', '<', $title);
                    $title = str_replace('&gt;', '>', $title);
                }
                $retval .= CMT_commentForm($title, '', $sid, $pid, $type, $commentmode, $postmode, $format, $order, $cpage);
            } else {
                if (COMMENT_ON_SAME_PAGE) {
                    // Do nothing and do not show comment form (happens most likely when admin viewing draft article)
                } else {
                    // For comments not displayed on same page (probably owner pushed the post comment button on a draft article)
                    echo COM_refresh($_CONF['site_url'] . '/index.php');
                    exit;
                }
            }
            if ($is_comment_page) {
                $noindex = '<meta name="robots" content="noindex"' . XHTML . '>';
                $retval = COM_createHTMLDocument($retval, array('pagetitle' => $LANG03[1], 'headercode' => $noindex));
            }
            break;
    }
    return $retval;
}
Beispiel #2
0
     }
     break;
 case 'view':
     $display .= handleView(true);
     // moved to function for readibility
     break;
 case 'display':
     $display .= handleView(false);
     // moved to function for readibility
     break;
 case 'report':
     $display .= COM_siteHeader('menu', $LANG03[27]) . CMT_reportAbusiveComment(COM_applyFilter($_GET['cid'], true), COM_applyFilter($_GET['type'])) . COM_siteFooter();
     break;
 case 'sendreport':
     if (SEC_checkToken()) {
         $display .= CMT_sendReport(COM_applyFilter($_POST['cid'], true), COM_applyFilter($_POST['type']));
     } else {
         $display .= COM_refresh($_CONF['site_url'] . '/index.php');
     }
     break;
 case 'editsubmission':
     if (!SEC_hasRights('comment.moderate')) {
         $display .= COM_refresh($_CONF['site_url'] . '/index.php');
         break;
     }
     // deliberate fall-through
 // deliberate fall-through
 case 'edit':
     $display .= handleEdit($mode);
     break;
 case 'unsubscribe':
Beispiel #3
0
        echo COM_refresh($_CONF['site_url'] . '/index.php');
        exit;
    }
} elseif (isset($_POST['sendreport'])) {
    if (SEC_checkToken()) {
        if (isset($_POST['type'])) {
            $type = $_POST['type'];
            if ($type != 'article') {
                if (!in_array($type, $_PLUGINS)) {
                    $type = 'article';
                }
            }
        } else {
            $type = '';
        }
        $pageBody .= CMT_sendReport(COM_sanitizeID(COM_applyFilter($_POST['cid'], true)), $type);
    } else {
        echo COM_refresh($_CONF['site_url'] . '/index.php');
        exit;
    }
} else {
    // finished with button checks, now look at $_GET items...
    switch ($mode) {
        case 'view':
            $pageBody .= handleView(true);
            break;
        case 'display':
            $pageBody .= handleView(false);
            break;
        case 'report':
            if (isset($_POST['type'])) {