if (TOPIC_hasMultiTopicAccess('article', $sid) < 3) { COM_accessLog("User {$_USER['username']} tried to illegally delete story submission {$sid}."); echo COM_refresh($_CONF['site_admin_url'] . '/index.php'); } else { if (SEC_checkToken()) { // Delete Topic Assignments for this submission TOPIC_deleteTopicAssignments('article', $sid); DB_delete($_TABLES['storysubmission'], 'sid', $sid, $_CONF['site_admin_url'] . '/moderation.php'); } else { COM_accessLog("User {$_USER['username']} tried to illegally delete story submission {$sid} and failed CSRF checks."); echo COM_refresh($_CONF['site_admin_url'] . '/index.php'); } } } else { if (SEC_checkToken()) { echo STORY_deleteStory($sid); } else { COM_accessLog("User {$_USER['username']} tried to delete story and failed CSRF checks {$sid}."); echo COM_refresh($_CONF['site_admin_url'] . '/index.php'); } } } } else { if ($mode == $LANG_ADMIN['preview'] && !empty($LANG_ADMIN['preview'])) { $display .= storyeditor(COM_applyFilter($_POST['sid']), 'preview', '', ''); $display = COM_createHTMLDocument($display, array('pagetitle' => $LANG24[5])); COM_output($display); } elseif ($mode == 'edit' || $mode == 'clone') { $sid = ''; if (isset($_GET['sid'])) { $sid = COM_applyFilter($_GET['sid']);
/** * Performs draft story exclusive work for items deleted by moderation * While moderation.php handles the actual removal from the submission * table, within this function we handle all other deletion related tasks * * @param string $sid Identifying string, i.e. the story id * @return string Any wanted HTML output */ function plugin_moderationdelete_story_draft($sid) { global $_TABLES; STORY_deleteStory($sid); return ''; }
COM_errorLog('User ' . $_USER['username'] . ' attempted to delete a story, sid empty or null, sid=' . $sid); echo COM_refresh($_CONF['site_admin_url'] . '/story.php'); } elseif ($type == 'submission') { $tid = DB_getItem($_TABLES['storysubmission'], 'tid', "sid = '" . DB_escapeString($sid) . "'"); if (SEC_hasTopicAccess($tid) < 3) { COM_accessLog('User ' . $_USER['username'] . ' had insufficient rights to delete a story submission, sid=' . $sid); echo COM_refresh($_CONF['site_admin_url'] . '/index.php'); } elseif (SEC_checkToken()) { DB_delete($_TABLES['storysubmission'], 'sid', DB_escapeString($sid), $_CONF['site_admin_url'] . '/moderation.php'); } else { COM_accessLog("User {$_USER['username']} tried to illegally delete a story submission, sid={$sid} and failed CSRF checks."); echo COM_refresh($_CONF['site_admin_url'] . '/index.php'); } } else { if (SEC_checkToken()) { $display .= STORY_deleteStory($sid); } else { COM_accessLog("User {$_USER['username']} tried to a delete a story, sid={$sid} and failed CSRF checks"); $display = COM_refresh($_CONF['site_admin_url'] . '/index.php'); } } break; case 'global': $pageBody .= STORY_global(); break; case 'globalsave': $pageBody .= STORY_global_save(); break; default: // purge any tokens we created for the advanced editor DB_query("DELETE FROM {$_TABLES['tokens']} WHERE owner_id=" . (int) $_USER['uid'] . " AND urlfor='advancededitor'", 1);
/** * Moderates an item * * This will actually perform moderation (approve or delete) one or more items * * @param array $mid Array of items * @param array $action Array of actions to perform on items * @param string $type Type of items ('story', etc.) * @param int $count Number of items to moderate * @return string HTML for "command and control" page * */ function moderation($mid, $action, $type, $count) { global $_CONF, $_TABLES; $retval = ''; switch ($type) { case 'story': $id = 'sid'; $table = $_TABLES['stories']; $submissiontable = $_TABLES['storysubmission']; $fields = 'sid,uid,tid,title,introtext,date,postmode'; break; case 'comment': $id = 'cid'; $submissiontable = $_TABLES['commentsubmissions']; $sidArray[] = ''; break; default: if (strlen($type) <= 0) { // something is terribly wrong, bail $retval .= COM_errorLog("Unable to find type of {$type} in moderation() in moderation.php"); return $retval; } list($id, $table, $fields, $submissiontable) = PLG_getModerationValues($type); } // Set true if an valid action other than delete_all is selected $formaction = false; for ($i = 0; $i < $count; $i++) { if (isset($action[$i]) and $action[$i] != '') { $formaction = true; } else { continue; } switch ($action[$i]) { case 'delete': if (!empty($type) && $type != 'story' && $type != 'draft') { // There may be some plugin specific processing that needs to // happen first. $retval .= PLG_deleteSubmission($type, $mid[$i]); } if (empty($mid[$i])) { $retval .= COM_errorLog("moderation.php just tried deleting everything in table {$submissiontable} because it got an empty id. Please report this immediately to your site administrator"); return $retval; } if ($type == 'draft') { STORY_deleteStory($mid[$i]); } else { DB_delete($submissiontable, "{$id}", $mid[$i]); } break; case 'approve': if ($type == 'story') { $result = DB_query("SELECT * FROM {$_TABLES['storysubmission']} WHERE sid = '{$mid[$i]}'"); $A = DB_fetchArray($result); $A['related'] = addslashes(implode("\n", STORY_extractLinks($A['introtext']))); $A['owner_id'] = $A['uid']; $A['title'] = addslashes($A['title']); $A['introtext'] = addslashes($A['introtext']); $A['bodytext'] = addslashes($A['bodytext']); $result = DB_query("SELECT group_id,perm_owner,perm_group,perm_members,perm_anon,archive_flag FROM {$_TABLES['topics']} WHERE tid = '{$A['tid']}'"); $T = DB_fetchArray($result); if ($T['archive_flag'] == 1) { $frontpage = 0; } else { if (isset($_CONF['frontpage'])) { $frontpage = $_CONF['frontpage']; } else { $frontpage = 1; } } DB_save($_TABLES['stories'], 'sid,uid,tid,title,introtext,bodytext,related,date,show_topic_icon,commentcode,trackbackcode,postmode,frontpage,owner_id,group_id,perm_owner,perm_group,perm_members,perm_anon', "'{$A['sid']}',{$A['uid']},'{$A['tid']}','{$A['title']}','{$A['introtext']}','{$A['bodytext']}','{$A['related']}','{$A['date']}','{$_CONF['show_topic_icon']}','{$_CONF['comment_code']}','{$_CONF['trackback_code']}','{$A['postmode']}',{$frontpage},{$A['owner_id']},{$T['group_id']},{$T['perm_owner']},{$T['perm_group']},{$T['perm_members']},{$T['perm_anon']}"); DB_delete($_TABLES['storysubmission'], "{$id}", $mid[$i]); PLG_itemSaved($A['sid'], 'article'); COM_rdfUpToDateCheck(); COM_olderStuff(); } else { if ($type == 'draft') { DB_query("UPDATE {$_TABLES['stories']} SET draft_flag = 0 WHERE sid = '{$mid[$i]}'"); COM_rdfUpToDateCheck(); COM_olderStuff(); } else { if ($type == 'comment') { $sid = CMT_approveModeration($mid[$i]); if (!in_array($sid, $sidArray)) { $sidArray[$i] = $sid; } } else { // This is called in case this is a plugin. There may be some // plugin specific processing that needs to happen. DB_copy($table, $fields, $fields, $submissiontable, $id, $mid[$i]); $retval .= PLG_approveSubmission($type, $mid[$i]); } } } break; } } // after loop update comment tree and count for each story if (isset($sidArray)) { foreach ($sidArray as $sid) { CMT_rebuildTree($sid); //update comment count of stories; $comments = DB_count($_TABLES['comments'], 'sid', $sid); DB_change($_TABLES['stories'], 'comments', $comments, 'sid', $sid); } } //Add new comment users to group comment.submit group if (isset($_POST['publishfuture'])) { for ($i = 0; $i < count($_POST['publishfuture']); $i++) { $uid = COM_applyFilter($_POST['publishfuture'][$i], true); if ($uid > 1 && !SEC_inGroup('Comment Submitters', $uid)) { SEC_addUserToGroup($uid, 'Comment Submitters'); } } } // Check if there was no direct action used on the form // and if the delete_all submit action was used if (!$formaction and isset($_POST['delitem'])) { foreach ($_POST['delitem'] as $delitem) { $delitem = COM_applyFilter($delitem); if (!empty($type) && $type != 'story' && $type != 'draft') { // There may be some plugin specific processing that needs to // happen first. $retval .= PLG_deleteSubmission($type, $delitem); } if ($type == 'draft') { STORY_deleteStory($delitem); } else { DB_delete($submissiontable, "{$id}", $delitem); } } } $retval .= commandcontrol(SEC_createToken()); return $retval; }
/** * Moderates a single item * * This will actually perform moderation (approve or delete) one or more items * * @param string $action Action to perform ('delete' or 'approve') * @param string $type Type of item ('user', 'draftstory', 'story', etc.) * @param string $id ID of item to approve or delete * @return string HTML for "command and control" page * */ function MODERATE_item($action = '', $type = '', $id = '') { global $_CONF, $_TABLES; $retval = ''; if (empty($action)) { // null action $retval .= COM_errorLog("Submissions Error: An attempt was made to moderate an item with a null action."); return $retval; } if (empty($type)) { // null item type $retval .= COM_errorLog("Submissions Error: An attempt was made to moderate a null item type."); return $retval; } if (empty($id)) { // null item type $retval .= COM_errorLog("Submissions Error: An attempt was made to moderate an item with a null id."); return $retval; } list($key, $table, $fields, $submissiontable) = PLG_getModerationValues($type); switch ($action) { case 'delete': switch ($type) { case 'user': // user if ($id > 1) { USER_deleteAccount($id); } break; case 'story': // story (needs to move to a plugin) DB_delete($submissiontable, "{$key}", $id); break; case 'draftstory': // draft story STORY_deleteStory($id); break; default: // plugin $retval .= PLG_deleteSubmission($type, $id); DB_delete($submissiontable, "{$key}", $id); break; } break; case 'approve': switch ($type) { case 'story': // story (needs to move to a plugin) $result = DB_query("SELECT * FROM {$submissiontable} WHERE {$key} = '{$id}'"); $A = DB_fetchArray($result); $A['related'] = DB_escapeString(implode("\n", STORY_extractLinks($A['introtext']))); $A['owner_id'] = $A['uid']; $A['title'] = DB_escapeString($A['title']); $A['introtext'] = DB_escapeString($A['introtext']); $A['bodytext'] = DB_escapeString($A['bodytext']); $result = DB_query("SELECT group_id,perm_owner,perm_group,perm_members,perm_anon,archive_flag FROM {$_TABLES['topics']} WHERE tid = '{$A['tid']}'"); $T = DB_fetchArray($result); if ($T['archive_flag'] == 1) { $frontpage = 0; } else { if (isset($_CONF['frontpage'])) { $frontpage = $_CONF['frontpage']; } else { $frontpage = 1; } } DB_save($table, 'sid,uid,tid,title,introtext,bodytext,related,date,show_topic_icon,commentcode,trackbackcode,postmode,frontpage,owner_id,group_id,perm_owner,perm_group,perm_members,perm_anon', "'{$A['sid']}',{$A['uid']},'{$A['tid']}','{$A['title']}','{$A['introtext']}','{$A['bodytext']}','{$A['related']}','{$A['date']}','{$_CONF['show_topic_icon']}','{$_CONF['comment_code']}','{$_CONF['trackback_code']}','{$A['postmode']}',{$frontpage},{$A['owner_id']},{$T['group_id']},{$T['perm_owner']},{$T['perm_group']},{$T['perm_members']},{$T['perm_anon']}"); DB_delete($submissiontable, "{$key}", $id); PLG_itemSaved($A['sid'], 'article'); COM_rdfUpToDateCheck(); COM_olderStuff(); break; case 'draftstory': // draft story DB_query("UPDATE {$table} SET draft_flag = 0 WHERE {$key} = '{$id}'"); COM_rdfUpToDateCheck(); COM_olderStuff(); break; case 'user': // user $result = DB_query("SELECT {$fields} FROM {$table} WHERE {$key} = '{$id}'"); $nrows = DB_numRows($result); if ($nrows == 1) { $A = DB_fetchArray($result); if ($_CONF['registration_type'] == 1) { $sql = "UPDATE {$table} SET status=" . USER_ACCOUNT_AWAITING_VERIFICATION . " WHERE {$key} = '{$A['uid']}'"; } else { $sql = "UPDATE {$table} SET status=" . USER_ACCOUNT_AWAITING_ACTIVATION . " WHERE {$key} = '{$A['uid']}'"; } DB_query($sql); USER_createAndSendPassword($A['username'], $A['email'], $A['uid']); } break; default: // plugin DB_copy($table, $fields, $fields, $submissiontable, $key, $id); $retval .= PLG_approveSubmission($type, $id); break; } break; } // switch ($action) return $retval; }