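/**
 * Validates a guestbook entry and, unless it is rejected, stores it.
 *
 * Counterpart of insert_user_comment() for the guestbook: same author / key /
 * e-mail / website / anti-flood checks, but the row goes to GUESTBOOK_TABLE
 * and may carry a numeric "rate".
 *
 * NOTE(review): $comm['author'], ['content'], ['website'] and ['email'] are
 * interpolated into the INSERT as-is. The stripslashes() calls on the mail
 * path indicate that callers hand over already-slashed input — confirm this
 * for every caller; an unslashed caller would turn the INSERT into an SQL
 * injection.
 *
 * @param array &$comm  comment fields: author, content, email, website, rate.
 *                      'ip', 'agent', 'author_id', 'anonymous_id' and, once
 *                      inserted, 'id' are added in place.
 * @param string $key   ephemeral anti-robot key echoed back by the browser
 * @return string 'validate', 'moderate' or 'reject'
 */
function insert_user_comment_guestbook(&$comm, $key)
{
    global $conf, $user, $page;

    $comm = array_merge($comm, array(
        'ip' => $_SERVER['REMOTE_ADDR'],
        'agent' => $_SERVER['HTTP_USER_AGENT'],
    ));

    // admins skip moderation; otherwise the guestbook setting decides
    if (!$conf['guestbook']['comments_validation'] or is_admin()) {
        $comment_action = 'validate';
    } else {
        $comment_action = 'moderate';
    }

    // author
    if (!is_classic_user()) {
        if (empty($comm['author'])) {
            $page['errors'][] = l10n('Please enter your username');
            $comment_action = 'reject';
        } else {
            $comm['author_id'] = $conf['guest_id'];
            // a guest must not borrow the name of a registered user. Compare
            // with "> 0" rather than "== 1": under a case-insensitive
            // collation the COUNT can exceed one and must still reject.
            $query = '
SELECT COUNT(*) AS user_exists
  FROM ' . USERS_TABLE . '
  WHERE ' . $conf['user_fields']['username'] . " = '" . addslashes($comm['author']) . "'\n;";
            $row = pwg_db_fetch_assoc(pwg_query($query));
            if ($row['user_exists'] > 0) {
                $page['errors'][] = l10n('This login is already used by another user');
                $comment_action = 'reject';
            }
        }
    } else {
        $comm['author'] = addslashes($user['username']);
        $comm['author_id'] = $user['id'];
    }

    // content
    if (empty($comm['content'])) {
        $comment_action = 'reject';
    }

    // key: a missing or stale ephemeral key means a robot (or a very slow user)
    if (!verify_ephemeral_key(@$key)) {
        $comment_action = 'reject';
        $_POST['cr'][] = 'key';
    }

    // email: fall back to the account address, else enforce the config / format
    if (empty($comm['email']) and is_classic_user() and !empty($user['email'])) {
        $comm['email'] = $user['email'];
    } elseif (empty($comm['email']) and $conf['comments_email_mandatory']) {
        $page['errors'][] = l10n('mail address must be like xxx@yyy.eee (example : jack@altern.org)');
        $comment_action = 'reject';
    } elseif (!empty($comm['email']) and !email_check_format($comm['email'])) {
        $page['errors'][] = l10n('mail address must be like xxx@yyy.eee (example : jack@altern.org)');
        $comment_action = 'reject';
    }

    // website
    if (!empty($comm['website'])) {
        $comm['website'] = strip_tags($comm['website']);
        if (!preg_match('/^(https?:\\/\\/)/i', $comm['website'])) {
            $comm['website'] = 'http://' . $comm['website'];
        }
        if (!url_check_format($comm['website'])) {
            $page['errors'][] = l10n('invalid website address');
            $comment_action = 'reject';
        }
    }

    // rate: it is written into the INSERT unquoted, so only a numeric value
    // may go through; anything else is stored as NULL instead of interpolated
    $rate_sql = (!empty($comm['rate']) and is_numeric($comm['rate'])) ? $comm['rate'] : 'NULL';

    // anonymous id = ip address, minus the last octet for IPv4 (an IPv6
    // address has no dots and is kept whole)
    $ip_components = explode('.', $comm['ip']);
    if (count($ip_components) > 3) {
        array_pop($ip_components);
    }
    $comm['anonymous_id'] = implode('.', $ip_components);

    // comment validation and anti-spam: one post per anti-flood window,
    // per account (and per anonymous_id for guests), admins excepted
    if ($comment_action != 'reject' and $conf['anti-flood_time'] > 0 and !is_admin()) {
        $reference_date = pwg_db_get_flood_period_expression($conf['anti-flood_time']);
        $query = '
SELECT COUNT(1) FROM ' . GUESTBOOK_TABLE . '
  WHERE 
    date > ' . $reference_date . '
    AND author_id = ' . $comm['author_id'];
        if (!is_classic_user()) {
            $query .= '
      AND anonymous_id = "' . $comm['anonymous_id'] . '"';
        }
        $query .= '
;';
        list($counter) = pwg_db_fetch_row(pwg_query($query));
        if ($counter > 0) {
            $page['errors'][] = l10n('Anti-flood system : please wait for a moment before trying to post another comment');
            $comment_action = 'reject';
        }
    }

    // perform more spam check (plugins may downgrade the action)
    $comment_action = trigger_change('user_comment_check', $comment_action, $comm, 'guestbook');

    if ($comment_action != 'reject') {
        $query = '
INSERT INTO ' . GUESTBOOK_TABLE . '(
    author, 
    author_id, 
    anonymous_id,
    content, 
    date, 
    validated, 
    validation_date, 
    website, 
    rate, 
    email
  )
  VALUES (
    \'' . $comm['author'] . '\',
    ' . $comm['author_id'] . ',
    \'' . $comm['anonymous_id'] . '\',
    \'' . $comm['content'] . '\',
    NOW(),
    \'' . ($comment_action == 'validate' ? 'true' : 'false') . '\',
    ' . ($comment_action == 'validate' ? 'NOW()' : 'NULL') . ',
    ' . (!empty($comm['website']) ? '\'' . $comm['website'] . '\'' : 'NULL') . ',
    ' . $rate_sql . ',
    ' . (!empty($comm['email']) ? '\'' . $comm['email'] . '\'' : 'NULL') . '
  )
';
        pwg_query($query);
        $comm['id'] = pwg_db_insert_id(GUESTBOOK_TABLE);

        // explicit grouping: "and" binds tighter than "or", this is what the
        // original condition already meant
        if (($conf['guestbook']['email_admin_on_comment'] and 'validate' == $comment_action)
            or ($conf['guestbook']['email_admin_on_comment_validation'] and 'moderate' == $comment_action)) {
            include_once PHPWG_ROOT_PATH . 'include/functions_mail.inc.php';
            $comment_url = add_url_params(GUESTBOOK_URL, array('comment_id' => $comm['id']));
            $keyargs_content = array(
                get_l10n_args('Author: %s', stripslashes($comm['author'])),
                get_l10n_args('Comment: %s', stripslashes($comm['content'])),
                get_l10n_args('', ''),
                get_l10n_args('Manage this user comment: %s', $comment_url),
            );
            if ('moderate' == $comment_action) {
                $keyargs_content[] = get_l10n_args('', '');
                $keyargs_content[] = get_l10n_args('(!) This comment requires validation', '');
            }
            pwg_mail_notification_admins(get_l10n_args('Comment by %s', stripslashes($comm['author'])), $keyargs_content);
        }
    }

    return $comment_action;
}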
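/**
 * Creates a new user.
 *
 * Validates the login (non-empty, no leading/trailing space, no HTML tags,
 * not already taken, optionally case-insensitively unique) and the e-mail
 * address, lets plugins veto through 'register_user_check', then inserts the
 * user, attaches the default groups, creates the user infos and sends the
 * notifications.
 *
 * NOTE(review): when $notify_user is true the clear-text password is mailed
 * to the new user ("send password by mail" feature). That is by design, but
 * keep in mind the mail transport is not necessarily encrypted.
 *
 * @param string $login
 * @param string $password     stored only as $conf['password_hash']($password)
 * @param string $mail_address
 * @param bool $notify_admin   mail the admins when $conf['email_admin_on_new_user']
 * @param array &$errors       populated with error messages
 * @param bool $notify_user    mail the new user his connection settings
 * @return int|false user id, or false when $errors is not empty
 */
function register_user($login, $password, $mail_address, $notify_admin = true, &$errors = array(), $notify_user = false)
{
    global $conf;

    if ($login == '') {
        $errors[] = l10n('Please, enter a login');
    }
    if (preg_match('/^.* $/', $login)) {
        $errors[] = l10n('login mustn\'t end with a space character');
    }
    if (preg_match('/^ .*$/', $login)) {
        $errors[] = l10n('login mustn\'t start with a space character');
    }
    if (get_userid($login)) {
        $errors[] = l10n('this login is already used');
    }
    if ($login != strip_tags($login)) {
        $errors[] = l10n('html tags are not allowed in login');
    }
    $mail_error = validate_mail_address(null, $mail_address);
    if ('' != $mail_error) {
        $errors[] = $mail_error;
    }
    if ($conf['insensitive_case_logon'] == true) {
        $login_error = validate_login_case($login);
        if ($login_error != '') {
            $errors[] = $login_error;
        }
    }

    // plugins get the last word on the registration
    $errors = trigger_change('register_user_check', $errors, array(
        'username' => $login,
        'password' => $password,
        'email' => $mail_address,
    ));

    // if no error until here, registration of the user
    if (count($errors) != 0) {
        return false;
    }

    // NOTE(review): $mail_address goes in without visible escaping, relying on
    // validate_mail_address() above (and on whatever single_insert() does,
    // which is not visible here) — confirm, or escape it like $login.
    $insert = array(
        $conf['user_fields']['username'] => pwg_db_real_escape_string($login),
        $conf['user_fields']['password'] => $conf['password_hash']($password),
        $conf['user_fields']['email'] => $mail_address,
    );
    single_insert(USERS_TABLE, $insert);
    $user_id = pwg_db_insert_id();

    // Assign by default groups
    $query = '
SELECT id
  FROM ' . GROUPS_TABLE . '
  WHERE is_default = \'' . boolean_to_string(true) . '\'
  ORDER BY id ASC
;';
    $result = pwg_query($query);
    $inserts = array();
    while ($row = pwg_db_fetch_assoc($result)) {
        $inserts[] = array('user_id' => $user_id, 'group_id' => $row['id']);
    }
    if (count($inserts) != 0) {
        mass_inserts(USER_GROUP_TABLE, array('user_id', 'group_id'), $inserts);
    }

    $override = array();
    if ($language = get_browser_language()) {
        $override['language'] = $language;
    }
    create_user_infos($user_id, $override);

    if ($notify_admin and $conf['email_admin_on_new_user']) {
        include_once PHPWG_ROOT_PATH . 'include/functions_mail.inc.php';
        // the login ends up in a query string: URL-encode it so that "&", "#"
        // or spaces in a login cannot truncate or alter the admin link.
        // stripslashes() first, as every other use of $login in a mail does —
        // presumably undoing slashes added upstream; confirm against the caller.
        $admin_url = get_absolute_root_url() . 'admin.php?page=user_list&username=' . urlencode(stripslashes($login));
        $keyargs_content = array(
            get_l10n_args('User: %s', stripslashes($login)),
            get_l10n_args('Email: %s', $mail_address),
            get_l10n_args(''),
            get_l10n_args('Admin: %s', $admin_url),
        );
        pwg_mail_notification_admins(get_l10n_args('Registration of %s', stripslashes($login)), $keyargs_content);
    }

    if ($notify_user and email_check_format($mail_address)) {
        include_once PHPWG_ROOT_PATH . 'include/functions_mail.inc.php';
        $keyargs_content = array(
            get_l10n_args('Hello %s,', stripslashes($login)),
            get_l10n_args('Thank you for registering at %s!', $conf['gallery_title']),
            get_l10n_args('', ''),
            get_l10n_args('Here are your connection settings', ''),
            get_l10n_args('', ''),
            get_l10n_args('Link: %s', get_absolute_root_url()),
            get_l10n_args('Username: %s', stripslashes($login)),
            get_l10n_args('Password: %s', stripslashes($password)),
            get_l10n_args('Email: %s', $mail_address),
            get_l10n_args('', ''),
            get_l10n_args('If you think you\'ve received this email in error, please contact us at %s', get_webmaster_mail_address()),
        );
        pwg_mail($mail_address, array(
            'subject' => '[' . $conf['gallery_title'] . '] ' . l10n('Registration'),
            'content' => l10n_args($keyargs_content),
            'content_format' => 'text/plain',
        ));
    }

    trigger_notify('register_user', array(
        'id' => $user_id,
        'username' => $login,
        'email' => $mail_address,
    ));

    return $user_id;
}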
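/**
 * Tries to insert a user comment and returns action to perform.
 *
 * Runs the author, content, ephemeral-key, website, e-mail and anti-flood
 * checks, lets plugins downgrade the action through 'user_comment_check',
 * then inserts the row into COMMENTS_TABLE and notifies the admins.
 *
 * NOTE(review): $comm['author'], ['content'], ['website_url'] and ['email']
 * are interpolated into the INSERT as-is. The stripslashes() calls on the
 * mail path indicate that callers hand over already-slashed input — confirm
 * this for every caller (picture page, web service).
 *
 * @param array &$comm  author, content, email, website_url, image_id;
 *                      'ip', 'agent', 'author_id' and, once inserted, 'id'
 *                      are added in place
 * @param string $key secret key sent back to the browser
 * @param array &$infos output array of error messages
 * @return string validate, moderate, reject
 */
function insert_user_comment(&$comm, $key, &$infos)
{
    global $conf, $user;

    $comm = array_merge($comm, array(
        'ip' => $_SERVER['REMOTE_ADDR'],
        'agent' => $_SERVER['HTTP_USER_AGENT'],
    ));
    $infos = array();

    // admins skip moderation; otherwise the config decides.
    // $comment_action is one of validate, moderate, reject
    if (!$conf['comments_validation'] or is_admin()) {
        $comment_action = 'validate';
    } else {
        $comment_action = 'moderate';
    }

    // display author field if the user status is guest or generic
    if (!is_classic_user()) {
        if (empty($comm['author'])) {
            if ($conf['comments_author_mandatory']) {
                $infos[] = l10n('Username is mandatory');
                $comment_action = 'reject';
            }
            $comm['author'] = 'guest';
        }
        $comm['author_id'] = $conf['guest_id'];
        // a guest must not borrow the name of a registered user. Compare
        // with "> 0" rather than "== 1": under a case-insensitive collation
        // the COUNT can exceed one and must still reject.
        if ($comm['author'] != 'guest') {
            $query = '
SELECT COUNT(*) AS user_exists
  FROM ' . USERS_TABLE . '
  WHERE ' . $conf['user_fields']['username'] . " = '" . addslashes($comm['author']) . "'";
            $row = pwg_db_fetch_assoc(pwg_query($query));
            if ($row['user_exists'] > 0) {
                $infos[] = l10n('This login is already used by another user');
                $comment_action = 'reject';
            }
        }
    } else {
        $comm['author'] = addslashes($user['username']);
        $comm['author_id'] = $user['id'];
    }

    if (empty($comm['content'])) {
        // empty comment content
        $comment_action = 'reject';
    }

    // the key is bound to the image id, so a key harvested on one picture
    // cannot be replayed on another
    if (!verify_ephemeral_key(@$key, $comm['image_id'])) {
        $comment_action = 'reject';
        $_POST['cr'][] = 'key';
        // rvelices: I use this outside to see how spam robots work
    }

    // website
    if (!empty($comm['website_url'])) {
        if (!$conf['comments_enable_website']) {
            // honeypot: if the field is disabled, it should be empty !
            $comment_action = 'reject';
            $_POST['cr'][] = 'website_url';
        } else {
            $comm['website_url'] = strip_tags($comm['website_url']);
            if (!preg_match('/^https?/i', $comm['website_url'])) {
                $comm['website_url'] = 'http://' . $comm['website_url'];
            }
            if (!url_check_format($comm['website_url'])) {
                $infos[] = l10n('Your website URL is invalid');
                $comment_action = 'reject';
            }
        }
    }

    // email: fall back to the account address, else enforce the config / format
    if (empty($comm['email'])) {
        if (!empty($user['email'])) {
            $comm['email'] = $user['email'];
        } elseif ($conf['comments_email_mandatory']) {
            $infos[] = l10n('Email address is missing. Please specify an email address.');
            $comment_action = 'reject';
        }
    } elseif (!email_check_format($comm['email'])) {
        $infos[] = l10n('mail address must be like xxx@yyy.eee (example : jack@altern.org)');
        $comment_action = 'reject';
    }

    // anonymous id = ip address, minus the last octet for IPv4 so that a
    // guest hopping inside a /24 still trips the anti-flood check. An IPv6
    // address has no dots and is kept whole.
    $ip_components = explode('.', $comm['ip']);
    $ip_truncated = count($ip_components) > 3;
    if ($ip_truncated) {
        array_pop($ip_components);
    }
    $anonymous_id = implode('.', $ip_components);

    if ($comment_action != 'reject' and $conf['anti-flood_time'] > 0 and !is_admin()) {
        // anti-flood system
        $reference_date = pwg_db_get_flood_period_expression($conf['anti-flood_time']);
        $query = '
SELECT count(1) FROM ' . COMMENTS_TABLE . '
  WHERE date > ' . $reference_date . '
    AND author_id = ' . $comm['author_id'];
        if (!is_classic_user()) {
            // the stored anonymous_id is the full address (see INSERT below):
            // prefix-match it when an IPv4 octet was dropped, exact-match it
            // otherwise. The former LIKE "addr.%" could never match an IPv6
            // row, which silently disabled anti-flood for IPv6 guests.
            // $anonymous_id comes from REMOTE_ADDR, so no LIKE wildcards in it.
            if ($ip_truncated) {
                $query .= '
      AND anonymous_id LIKE "' . $anonymous_id . '.%"';
            } else {
                $query .= '
      AND anonymous_id = "' . $anonymous_id . '"';
            }
        }
        $query .= '
;';
        list($counter) = pwg_db_fetch_row(pwg_query($query));
        if ($counter > 0) {
            $infos[] = l10n('Anti-flood system : please wait for a moment before trying to post another comment');
            $comment_action = 'reject';
            $_POST['cr'][] = 'flood_time';
        }
    }

    // perform more spam check (plugins may downgrade the action)
    $comment_action = trigger_change('user_comment_check', $comment_action, $comm);

    if ($comment_action != 'reject') {
        // image_id is written unquoted: cast it rather than trust the caller
        $query = '
INSERT INTO ' . COMMENTS_TABLE . '
  (author, author_id, anonymous_id, content, date, validated, validation_date, image_id, website_url, email)
  VALUES (
    \'' . $comm['author'] . '\',
    ' . $comm['author_id'] . ',
    \'' . $comm['ip'] . '\',
    \'' . $comm['content'] . '\',
    NOW(),
    \'' . ($comment_action == 'validate' ? 'true' : 'false') . '\',
    ' . ($comment_action == 'validate' ? 'NOW()' : 'NULL') . ',
    ' . (int) $comm['image_id'] . ',
    ' . (!empty($comm['website_url']) ? '\'' . $comm['website_url'] . '\'' : 'NULL') . ',
    ' . (!empty($comm['email']) ? '\'' . $comm['email'] . '\'' : 'NULL') . '
  )
';
        pwg_query($query);
        $comm['id'] = pwg_db_insert_id(COMMENTS_TABLE);
        invalidate_user_cache_nb_comments();

        // explicit grouping: "and" binds tighter than "or", this is what the
        // original condition already meant
        if (($conf['email_admin_on_comment'] and 'validate' == $comment_action)
            or ($conf['email_admin_on_comment_validation'] and 'moderate' == $comment_action)) {
            include_once PHPWG_ROOT_PATH . 'include/functions_mail.inc.php';
            $comment_url = get_absolute_root_url() . 'comments.php?comment_id=' . $comm['id'];
            $keyargs_content = array(
                get_l10n_args('Author: %s', stripslashes($comm['author'])),
                get_l10n_args('Email: %s', stripslashes($comm['email'])),
                get_l10n_args('Comment: %s', stripslashes($comm['content'])),
                get_l10n_args(''),
                get_l10n_args('Manage this user comment: %s', $comment_url),
            );
            if ('moderate' == $comment_action) {
                $keyargs_content[] = get_l10n_args('(!) This comment requires validation');
            }
            pwg_mail_notification_admins(get_l10n_args('Comment by %s', stripslashes($comm['author'])), $keyargs_content);
        }
    }

    return $comment_action;
}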
    }
    if (empty($_POST['password'])) {
        $page['errors'][] = l10n('Password is missing. Please enter the password.');
    } else {
        if (empty($_POST['password_conf'])) {
            $page['errors'][] = l10n('Password confirmation is missing. Please confirm the chosen password.');
        } else {
            if ($_POST['password'] != $_POST['password_conf']) {
                $page['errors'][] = l10n('The passwords do not match');
            }
        }
    }
    register_user($_POST['login'], $_POST['password'], $_POST['mail_address'], true, $page['errors'], isset($_POST['send_password_by_mail']));
    if (count($page['errors']) == 0) {
        // email notification
        if (isset($_POST['send_password_by_mail']) and email_check_format($_POST['mail_address'])) {
            $_SESSION['page_infos'][] = l10n('Successfully registered, you will soon receive an email with your connection settings. Welcome!');
        }
        // log user and redirect
        $user_id = get_userid($_POST['login']);
        log_user($user_id, false);
        redirect(make_index_url());
    }
    $registration_post_key = get_ephemeral_key(2);
} else {
    $registration_post_key = get_ephemeral_key(6);
}
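// Echo the submitted values back into the form, escaped for HTML attribute
// context. ENT_QUOTES also escapes single quotes, which the PHP < 8.1 default
// (ENT_COMPAT) leaves alone and which would break out of a single-quoted
// attribute in the template. stripslashes() presumably undoes slashes added
// to $_POST upstream — confirm against the request bootstrap.
$login = !empty($_POST['login']) ? htmlspecialchars(stripslashes($_POST['login']), ENT_QUOTES) : '';
$email = !empty($_POST['mail_address']) ? htmlspecialchars(stripslashes($_POST['mail_address']), ENT_QUOTES) : '';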
//----------------------------------------------------- template initialization
//
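/**
 * Web-service method: creates a share key for one photo and mails the link.
 *
 * Checks that the plugin is active, that the photo exists and is visible to
 * the current user, and that the recipient address is well-formed, then
 * records a PSHARE_KEYS_TABLE row and sends an HTML mail holding the
 * thumbnail and the share link.
 *
 * @param array $params   image_id, email, expires_in (days)
 * @param PwgServer &$service
 * @return array|PwgError array('message' => ...) on success
 */
function ws_pshare_share_create($params, &$service)
{
    global $conf, $user;

    if (!pshare_is_active()) {
        return new PwgError(401, "permission denied");
    }

    // both values are interpolated unquoted into SQL below: force integers
    // here instead of trusting whatever the web-service layer checked
    $image_id = (int) $params['image_id'];
    $expires_in = (int) $params['expires_in'];
    // TODO check the expires_in is in the defined list; until then at least
    // refuse a zero or negative lifetime, which would create a dead share
    if ($expires_in <= 0) {
        return new PwgError(WS_ERR_INVALID_PARAM, "invalid expires_in");
    }

    $query = '
SELECT *
  FROM ' . IMAGES_TABLE . '
  WHERE id = ' . $image_id . '
;';
    $images = query2array($query);
    if (count($images) == 0) {
        return new PwgError(404, "image not found");
    }
    $image = $images[0];

    if (!pshare_is_photo_visible($image_id)) {
        return new PwgError(401, "permissions denied");
    }

    if (!email_check_format($params['email'])) {
        return new PwgError(WS_ERR_INVALID_PARAM, l10n('Invalid email address'));
    }

    // let the database derive both timestamps from the same NOW()
    $query = '
SELECT
    NOW(),
    ADDDATE(NOW(), INTERVAL ' . $expires_in . ' DAY)
;';
    list($now, $expire) = pwg_db_fetch_row(pwg_query($query));

    $key_uuid = pshare_get_key();
    single_insert(PSHARE_KEYS_TABLE, array(
        'uuid' => $key_uuid,
        'user_id' => $user['id'],
        'image_id' => $image_id,
        'sent_to' => $params['email'],
        'created_on' => $now,
        'duration' => $expires_in,
        'expire_on' => $expire,
    ));

    // read the row back so the mail is built from what was actually stored
    $query = '
SELECT *
  FROM ' . PSHARE_KEYS_TABLE . '
  WHERE uuid = \'' . $key_uuid . '\'
;';
    $shares = query2array($query);
    if (count($shares) == 0) {
        return new PwgError(500, "share not created");
    }
    $share = $shares[0];

    //
    // Send the email
    //
    include_once PHPWG_ROOT_PATH . 'include/functions_mail.inc.php';

    // force $conf['derivative_url_style'] to 2 (script) to make sure we
    // will use i.php?/upload and not _data/i/upload because you don't
    // know when the cache will be flushed
    $previous_derivative_url_style = $conf['derivative_url_style'];
    $conf['derivative_url_style'] = 2;
    $thumb_url = DerivativeImage::thumb_url(array('id' => $image['id'], 'path' => $image['path']));
    // restore configuration setting
    $conf['derivative_url_style'] = $previous_derivative_url_style;

    $link = get_absolute_root_url() . 'index.php?/pshare/' . $share['uuid'];

    // the mail body is text/html: escape everything dropped into it. The
    // sharer's username can hold characters meaningful in HTML and must not
    // inject markup into the recipient's mail client; the two URLs are
    // escaped for attribute context.
    $sharer = htmlspecialchars($user['username'], ENT_QUOTES, 'UTF-8');
    $link_attr = htmlspecialchars($link, ENT_QUOTES, 'UTF-8');
    $thumb_attr = htmlspecialchars($thumb_url, ENT_QUOTES, 'UTF-8');

    $content = '<p style="text-align:center">';
    $content .= l10n('%s has shared a photo with you', $sharer);
    $content .= '<br><br><a href="' . $link_attr . '"><img src="' . $thumb_attr . '"></a>';
    $content .= '<br><br><a href="' . $link_attr . '">' . l10n('clic to view') . '</a>';
    $content .= '</p>';

    $subject = l10n('Photo shared');
    pwg_mail($params['email'], array(
        'subject' => '[' . $conf['gallery_title'] . '] ' . $subject,
        'mail_title' => $conf['gallery_title'],
        'mail_subtitle' => $subject,
        'content' => $content,
        'content_format' => 'text/html',
    ));

    return array('message' => l10n('Email sent to %s', $share['sent_to']));
}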