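/**
 * Handles comment processing.
 *
 * Dispatches on the requested comment mode (preview, submit, edit, delete,
 * view, report, unsubscribe, ...) and returns the HTML for that step. Most
 * inputs may arrive either as parameters or via $_REQUEST; a non-empty
 * parameter wins over the request value.
 *
 * Security notes for maintainers:
 *  - Modes that mutate stored content (edit submit, delete, sendreport) require
 *    SEC_checkToken(). The "submit comment" mode does not check a token in this
 *    function; whether CMT_handleSubmit() does is not visible here.
 *  - $uid may be supplied by the client in the request and is handed to
 *    CMT_handleSubmit() unchanged; that function must reconcile it with
 *    $_USER['uid'] rather than trust it.
 *  - Request-derived values interpolated into SQL here are either forced to an
 *    integer (COM_applyFilter(..., true)) or passed through DB_escapeString();
 *    $_USER['uid'] comes from the session.
 *
 * @param string $mode   Mode of comment processing
 * @param string $type   Type of item (article, polls, etc.)
 * @param string $title  Title of item
 * @param string $sid    ID for item to show comments for
 * @param string $format 'threaded', 'nested', or 'flat'
 * @return string HTML formatted
 */
function CMT_handleComment($mode = '', $type = '', $title = '', $sid = '', $format = '')
{
    global $_CONF, $_TABLES, $_USER, $LANG03, $LANG_ADMIN, $topic, $_PLUGINS;

    // Mode: explicit request value first, then the URL argument, then the parameter.
    $commentmode = '';
    if (!empty($_REQUEST[CMT_MODE])) {
        $commentmode = COM_applyFilter($_REQUEST[CMT_MODE]);
    }
    if (empty($mode)) {
        $mode = COM_applyFilter(COM_getArgument(CMT_MODE));
    }
    if (empty($commentmode) && !empty($mode)) {
        $commentmode = $mode;
    }

    if (empty($sid) && !empty($_REQUEST[CMT_SID])) {
        $sid = COM_applyFilter($_REQUEST[CMT_SID]);
    }

    // Parent comment id; forced numeric (0 when missing or not an integer).
    $pid = 0;
    if (!empty($_REQUEST[CMT_PID])) {
        $pid = COM_applyFilter($_REQUEST[CMT_PID], true);
    }

    if (empty($type) && !empty($_REQUEST[CMT_TYPE])) {
        $type = COM_applyFilter($_REQUEST[CMT_TYPE]);
    }

    if (!empty($_REQUEST['title'])) {
        // Intentionally unfiltered here: filters are applied later in
        // CMT_commentForm or CMT_saveComment, which know the output context.
        $title = $_REQUEST['title'];
    }

    // NOTE(review): a client-supplied uid is accepted verbatim (string-filtered,
    // not forced numeric) and passed to CMT_handleSubmit(). Trust must be
    // decided there against $_USER['uid']; not verifiable from this function.
    if (!empty($_REQUEST[CMT_UID])) {
        $uid = COM_applyFilter($_REQUEST[CMT_UID]);
    } else {
        $uid = 1; // anonymous
        if (!empty($_USER['uid'])) {
            $uid = $_USER['uid'];
        }
    }

    $postmode = $_CONF['postmode'];
    if (isset($_REQUEST['postmode'])) {
        $postmode = COM_applyFilter($_REQUEST['postmode']);
    }

    $formtype = '';
    if (!empty($_REQUEST['formtype'])) {
        $formtype = COM_applyFilter($_REQUEST['formtype']);
    }

    // Comment id may be absent; the individual handlers cope with 0.
    $cid = 0;
    if (isset($_REQUEST[CMT_CID])) {
        $cid = COM_applyFilter($_REQUEST[CMT_CID], true);
    }
    TOPIC_getTopic('comment', $cid);

    // Display format: parameter, then request, then the user's or site default.
    if (empty($format) && isset($_REQUEST['format'])) {
        $format = COM_applyFilter($_REQUEST['format']);
    }
    if (!in_array($format, array('threaded', 'nested', 'flat', 'nocomment'), true)) {
        if (COM_isAnonUser()) {
            $format = $_CONF['comment_mode'];
        } else {
            // $_USER['uid'] is the session user id, not a request value.
            $format = DB_getItem($_TABLES['usercomment'], 'commentmode', "uid = {$_USER['uid']}");
        }
    }

    $order = '';
    if (isset($_REQUEST['order'])) {
        $order = COM_applyFilter($_REQUEST['order']);
    }

    $cpage = 1;
    if (!empty($_REQUEST['cpage'])) {
        $cpage = COM_applyFilter($_REQUEST['cpage'], true);
        if (empty($cpage)) {
            $cpage = 1;
        }
    }

    $is_comment_page = CMT_isCommentPage();
    $retval = '';

    // Optionally render the existing thread above the reply/edit/preview form.
    if ($_CONF['show_comments_at_replying'] && $is_comment_page
        && !empty($sid) && !empty($type)
        && in_array($commentmode, array('', $LANG03[28], $LANG03[34], $LANG03[14], 'edit'))
    ) {
        if ($commentmode == 'edit') {
            $cid = 0;
            if (isset($_REQUEST[CMT_CID])) {
                $cid = COM_applyFilter($_REQUEST[CMT_CID], true);
            }
            if ($cid <= 0) {
                $who = isset($_USER['uid']) ? $_USER['uid'] : '';
                COM_errorLog("CMT_handleComment(): {$who} from {$_SERVER['REMOTE_ADDR']} tried "
                    . 'to edit a comment with one or more missing/bad values.');
                return COM_refresh($_CONF['site_url'] . '/index.php');
            }
            // When editing, the thread is anchored at the comment being edited.
            $pid = $cid;
        }
        if ($pid > 0 && empty($title)) {
            $title = CMT_parentCommentTitle($pid, $type);
        }
        if (empty($title)) {
            $title = CMT_decodeItemTitle(PLG_getItemInfo($type, $sid, 'title'));
        }
        $retval .= CMT_userComments($sid, $title, $type, $order, $format, $pid, $cpage, $pid > 0, false, 0);
    }

    switch ($commentmode) {
        case $LANG03[28]: // Preview Changes (for edit)
        case $LANG03[34]: // Preview Submission changes (for edit)
        case $LANG03[14]: // Preview
            $comment = isset($_POST['comment']) ? $_POST['comment'] : '';
            $retval .= CMT_commentForm($title, $comment, $sid, $pid, $type, $commentmode, $postmode, $format, $order, $cpage);
            if ($is_comment_page) {
                $retval = COM_createHTMLDocument($retval, array('pagetitle' => $LANG03[14]));
            }
            break;

        case $LANG03[35]: // Submit Changes to Moderation table
        case $LANG03[29]: // Submit Changes
            // Edits mutate stored content: require the form token (CSRF guard).
            if (SEC_checkToken()) {
                $retval .= CMT_handleEditSubmit($commentmode);
            } else {
                echo COM_refresh($_CONF['site_url'] . '/index.php');
                exit;
            }
            break;

        case $LANG03[11]: // Submit comment
            // NOTE(review): no SEC_checkToken() here, unlike the edit/delete
            // modes; confirm that CMT_handleSubmit() enforces the form token.
            $retval .= CMT_handleSubmit($title, $sid, $pid, $type, $postmode, $uid);
            break;

        case $LANG_ADMIN['delete']:
        case 'delete': // Delete comment
            if (SEC_checkToken()) {
                $retval .= CMT_handleDelete($sid, $type, $formtype);
            } else {
                echo COM_refresh($_CONF['site_url'] . '/index.php');
                exit;
            }
            break;

        case 'view': // View comment by $cid
            $retval .= CMT_handleView($format, $order, $cpage, true);
            break;

        case 'display': // View comment by $pid
            $retval .= CMT_handleView($format, $order, $cpage, false);
            break;

        case 'report':
            if ($is_comment_page) {
                // Report form is reached via GET; id forced numeric.
                $cid = 0;
                if (isset($_GET[CMT_CID])) {
                    $cid = COM_applyFilter($_GET[CMT_CID], true);
                }
                $type = '';
                if (isset($_GET[CMT_TYPE])) {
                    $type = COM_applyFilter($_GET[CMT_TYPE]);
                }
                if ($cid <= 0 || empty($type)) {
                    echo COM_refresh($_CONF['site_url'] . '/index.php');
                    exit;
                }
                $retval .= CMT_reportAbusiveComment($cid, $type);
                $retval = COM_createHTMLDocument($retval, array('pagetitle' => $LANG03[27]));
            }
            break;

        case 'sendreport':
            // Sending a report is a POST that triggers mail; token required.
            if (SEC_checkToken()) {
                $cid = 0;
                if (isset($_POST[CMT_CID])) {
                    $cid = COM_applyFilter($_POST[CMT_CID], true);
                }
                $type = '';
                if (isset($_POST[CMT_TYPE])) {
                    $type = COM_applyFilter($_POST[CMT_TYPE]);
                }
                if ($cid <= 0 || empty($type)) {
                    echo COM_refresh($_CONF['site_url'] . '/index.php');
                    exit;
                }
                $retval .= CMT_sendReport($cid, $type);
            } else {
                echo COM_refresh($_CONF['site_url'] . '/index.php');
                exit;
            }
            break;

        case 'editsubmission':
            // Only moderators may edit items still in the submission queue.
            if (!SEC_hasRights('comment.moderate')) {
                echo COM_refresh($_CONF['site_url'] . '/index.php');
                exit;
            }
            // deliberate fall-through
        case 'edit':
            $retval .= CMT_handleEdit($commentmode, $postmode, $format, $order, $cpage);
            if ($is_comment_page) {
                $retval = COM_createHTMLDocument($retval, array('pagetitle' => $LANG03[1]));
            }
            break;

        case 'unsubscribe':
            // The unsubscribe link carries a per-subscription secret (deletehash);
            // possession of that hash is the only authorisation used here.
            $cid = 0;
            $key = isset($_GET['key']) ? COM_applyFilter($_GET['key']) : '';
            if (!empty($key)) {
                $key = DB_escapeString($key);
                $cid = DB_getItem($_TABLES['commentnotifications'], 'cid', "deletehash = '{$key}'");
                if (!empty($cid)) {
                    $redirecturl = $_CONF['site_url'] . '/comment.php?mode=view&cid=' . $cid . '&format=nested&msg=16';
                    DB_delete($_TABLES['commentnotifications'], 'deletehash', $key, $redirecturl);
                    exit;
                }
            }
            echo COM_refresh($_CONF['site_url'] . '/index.php');
            exit;

        case $LANG_ADMIN['cancel']:
            if ($formtype == 'editsubmission') {
                echo COM_refresh($_CONF['site_admin_url'] . '/moderation.php');
                exit;
            } else {
                $retval .= CMT_handleCancel();
            }
            break;

        default: // New Comment or Reply Comment
            $abort = false;

            // The comment type must be 'article' or an installed plugin, so the
            // lookups below only ever target known tables and plugins.
            if ($type != 'article' && !in_array($type, $_PLUGINS)) {
                $abort = true;
            }

            // Article permissions: the story must exist, be published, be open to
            // comments, be readable by the current user (COM_getPermSQL), and the
            // user needs at least read access to the article's current topic.
            if (!$abort && $type == 'article' && !empty($sid)) {
                // Defense in depth: $sid may originate from the request, so escape
                // it before interpolating rather than relying on COM_applyFilter.
                $dbSid = DB_escapeString($sid);
                $dbTitle = DB_getItem($_TABLES['stories'], 'title',
                    "(sid = '{$dbSid}') AND (draft_flag = 0) AND (date <= NOW()) AND (commentcode = 0)"
                    . COM_getPermSQL('AND'));
                if ($dbTitle === null || TOPIC_hasMultiTopicAccess('article', $sid, $topic) < 2) {
                    // no permissions, or no story of that title
                    $abort = true;
                }
            }

            if (!$abort && !empty($sid) && !empty($type)) {
                if ($pid > 0 && empty($title)) {
                    $title = CMT_parentCommentTitle($pid, $type);
                }
                if (empty($title)) {
                    $title = PLG_getItemInfo($type, $sid, 'title');
                    // A blank title is taken to mean the plugin denied access to the
                    // item, so no comment may be added: bounce to the homepage.
                    if (is_array($title) || empty($title) || $title == false) {
                        echo COM_refresh($_CONF['site_url'] . '/index.php');
                        exit;
                    }
                    $title = CMT_decodeItemTitle($title);
                }
                $retval .= CMT_commentForm($title, '', $sid, $pid, $type, $commentmode, $postmode, $format, $order, $cpage);
            } elseif (!COMMENT_ON_SAME_PAGE) {
                // Comments are not shown on the item page (probably the owner pushed
                // the post-comment button on a draft article): go back home.
                echo COM_refresh($_CONF['site_url'] . '/index.php');
                exit;
            }
            // else: COMMENT_ON_SAME_PAGE - show nothing (e.g. admin viewing a draft)

            if ($is_comment_page) {
                $noindex = '<meta name="robots" content="noindex"' . XHTML . '>';
                $retval = COM_createHTMLDocument($retval, array('pagetitle' => $LANG03[1], 'headercode' => $noindex));
            }
            break;
    }

    return $retval;
}

/**
 * Title of the comment that $pid refers to, used as the default title when
 * replying to or editing a comment.
 *
 * @param  int    $pid  Comment id (already filtered to an integer by the caller)
 * @param  string $type Item type the comment belongs to ('article' or a plugin name)
 * @return mixed        Whatever DB_getItem() returns for the matching row (null when none)
 */
function CMT_parentCommentTitle($pid, $type)
{
    global $_TABLES;

    $pid = (int) $pid;
    $atype = DB_escapeString($type);

    return DB_getItem($_TABLES['comments'], 'title', "(cid = {$pid}) AND (type = '{$atype}')");
}

/**
 * Normalise a title returned by PLG_getItemInfo() for the comment templates.
 *
 * CMT_userComments() / CMT_commentForm() expect the title without the entities
 * htmlspecialchars() produces, so those are turned back into literal characters.
 * Works on arrays too (str_replace is array-aware), matching the original code.
 *
 * @param  mixed $title Title (string, or array for multi-value plugin results)
 * @return mixed        Title with HTML-special entities decoded
 */
function CMT_decodeItemTitle($title)
{
    // NOTE(review): in the listing reviewed this first replacement had identical
    // search and replacement strings (a no-op) - the entity was most likely
    // decoded by the extraction. Replacing a literal '$' with its numeric
    // entity is the reconstruction; confirm against the original source.
    $title = str_replace('$', '&#36;', $title);
    $title = str_replace('&amp;', '&', $title);
    $title = str_replace('&quot;', '"', $title);
    $title = str_replace('&lt;', '<', $title);
    $title = str_replace('&gt;', '>', $title);

    return $title;
}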
} break; case 'view': $display .= handleView(true); // moved to function for readibility break; case 'display': $display .= handleView(false); // moved to function for readibility break; case 'report': $display .= COM_siteHeader('menu', $LANG03[27]) . CMT_reportAbusiveComment(COM_applyFilter($_GET['cid'], true), COM_applyFilter($_GET['type'])) . COM_siteFooter(); break; case 'sendreport': if (SEC_checkToken()) { $display .= CMT_sendReport(COM_applyFilter($_POST['cid'], true), COM_applyFilter($_POST['type'])); } else { $display .= COM_refresh($_CONF['site_url'] . '/index.php'); } break; case 'editsubmission': if (!SEC_hasRights('comment.moderate')) { $display .= COM_refresh($_CONF['site_url'] . '/index.php'); break; } // deliberate fall-through // deliberate fall-through case 'edit': $display .= handleEdit($mode); break; case 'unsubscribe':
echo COM_refresh($_CONF['site_url'] . '/index.php'); exit; } } elseif (isset($_POST['sendreport'])) { if (SEC_checkToken()) { if (isset($_POST['type'])) { $type = $_POST['type']; if ($type != 'article') { if (!in_array($type, $_PLUGINS)) { $type = 'article'; } } } else { $type = ''; } $pageBody .= CMT_sendReport(COM_sanitizeID(COM_applyFilter($_POST['cid'], true)), $type); } else { echo COM_refresh($_CONF['site_url'] . '/index.php'); exit; } } else { // finished with button checks, now look at $_GET items... switch ($mode) { case 'view': $pageBody .= handleView(true); break; case 'display': $pageBody .= handleView(false); break; case 'report': if (isset($_POST['type'])) {