Ejemplo n.º 1
0
function nvweb_webuser($vars = array())
{
    global $website;
    global $theme;
    global $current;
    global $webgets;
    global $webuser;
    global $DB;
    $webget = "webuser";
    if (!isset($webgets[$webget])) {
        $webgets[$webget] = array();
        global $lang;
        if (empty($lang)) {
            $lang = new language();
            $lang->load($current['lang']);
        }
        // default translations
        $webgets[$webget]['translations'] = array('login_incorrect' => t(4, 'Login incorrect.'), 'subscribed_ok' => t(541, 'Your email has been successfully subscribed to the newsletter.'), 'subscribe_error' => t(542, 'There was a problem subscribing your email to the newsletter.'), 'email_confirmation' => t(454, "An e-mail with a confirmation link has been sent to your e-mail account."), 'click_to_confirm_account' => t(607, "Click on the link below to confirm your account"), 'email_confirmation_notice' => t(608, "This is an automated e-mail sent as a result of a newsletter subscription request. If you received this e-mail by error just ignore it."), 'forgot_password_success' => t(648, "An e-mail with a temporary password has been sent to your e-mail account."), 'forgot_password_error' => t(446, "We're sorry. Your contact request could not be sent. Please try again or find another way to contact us."));
        // theme translations
        // if the web theme has custom translations for this string subtypes, use it (for the user selected language)
        /* just add the following translations to your json theme dictionary:
               "login_incorrect": "Login incorrect.",
               "subscribed_ok": "Your email has been successfully subscribed to the newsletter.",
               "subscribe_error": "There was a problem subscribing your email to the newsletter.",
               "email_confirmation": "An e-mail with a confirmation link has been sent to your e-mail account.",
               "click_to_confirm_account": "Click on the link below to confirm your account",
               "email_confirmation_notice": "This is an automated e-mail sent as a result of a newsletter subscription request. If you received this e-mail by error just ignore it."
               "forgot_password_success": "An e-mail with a temporary password has been sent to your e-mail account.",
               "forgot_password_error": "We're sorry. Your contact request could not be sent. Please try again or find another way to contact us."
           */
        if (!empty($website->theme) && method_exists($theme, 't')) {
            foreach ($webgets[$webget]['translations'] as $code => $text) {
                $theme_translation = $theme->t($code);
                if (!empty($theme_translation) && $code != $theme_translation) {
                    $webgets[$webget]['translations'][$code] = $theme_translation;
                }
            }
        }
    }
    $out = '';
    switch ($vars['mode']) {
        case 'id':
            if (!empty($webuser->id)) {
                $out = $webuser->id;
            }
            break;
        case 'username':
            if (!empty($webuser->username)) {
                $out = $webuser->username;
            }
            break;
        case 'fullname':
            if (!empty($webuser->fullname)) {
                $out = $webuser->fullname;
            }
            break;
        case 'gender':
            if (!empty($webuser->gender)) {
                $out = $webuser->gender;
            }
            break;
        case 'newsletter':
            $out = $webuser->newsletter;
            break;
        case 'email':
            if (!empty($webuser->email)) {
                $out = $webuser->email;
            }
            break;
        case 'authenticate':
            $webuser_website = $vars['website'];
            if (empty($webuser_website)) {
                $webuser_website = $website->id;
            }
            $signin_username = $_REQUEST[empty($vars['username_field']) ? 'signin_username' : $vars['username_field']];
            $signin_password = $_REQUEST[empty($vars['password_field']) ? 'signin_password' : $vars['password_field']];
            // a page may have several forms, which one do we have to check?
            if (!empty($vars['form'])) {
                list($field_name, $field_value) = explode('=', $vars['form']);
                if ($_POST[$field_name] != $field_value) {
                    return;
                }
            }
            // ignore empty (or partial empty) forms
            if (!empty($signin_username) && !empty($signin_password)) {
                $signed_in = $webuser->authenticate($webuser_website, $signin_username, $signin_password);
                if (!$signed_in) {
                    $message = $webgets[$webget]['translations']['login_incorrect'];
                    if (empty($vars['notify'])) {
                        $vars['notify'] = 'inline';
                    }
                    switch ($vars['notify']) {
                        case 'alert':
                            nvweb_after_body('js', 'alert("' . $message . '");');
                            break;
                        case 'inline':
                            $out = '<div class="nvweb-signin-form-error">' . $message . '</div>';
                            break;
                            // javascript callback
                        // javascript callback
                        default:
                            nvweb_after_body('js', $vars['error_callback'] . '("' . $message . '");');
                            break;
                    }
                } else {
                    $webuser->set_cookie();
                    if (!empty($vars['notify'])) {
                        if ($vars['notify'] == 'callback') {
                            nvweb_after_body('js', $vars['callback'] . '(true);');
                        }
                    }
                }
            }
            break;
        case 'signout_link':
            $out = NVWEB_ABSOLUTE . $website->homepage() . '?webuser_signout';
            break;
        case 'forgot_password':
            // pre checks: correct form, not spambot, email not empty and valid
            // load the associated user account
            // create temporary password and send email
            // TODO: don't change the password, just generate a link and let the user enter their preferred new password
            // a page may have several forms, which one do we have to check?
            if (!empty($vars['form'])) {
                list($field_name, $field_value) = explode('=', $vars['form']);
                if ($_POST[$field_name] != $field_value) {
                    return;
                }
            }
            // check if this send request really comes from the website and not from a spambot
            if (parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST) != $website->subdomain . '.' . $website->domain && parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST) != $website->domain) {
                return;
            }
            if (empty($vars['email_field'])) {
                $vars['email_field'] = 'newsletter_email';
            }
            $email = $_REQUEST[$vars['email_field']];
            $email = filter_var($email, FILTER_SANITIZE_EMAIL);
            if (!empty($vars['email_field']) && !empty($email)) {
                $ok = false;
                if (filter_var($email, FILTER_VALIDATE_EMAIL) !== FALSE) {
                    $wu_id = $DB->query_single('id', 'nv_webusers', ' email = ' . protect($email) . '
                          AND website = ' . $website->id);
                    $wu = new webuser();
                    if (!empty($wu_id)) {
                        $wu->load($wu_id);
                        if ($wu->access == 0 || $wu->access == 2 && ($wu->access_begin == 0 || time() > $wu->access_begin) && ($wu->access_end == 0 || time() < $wu->access_end)) {
                            // generate new password
                            $password = generate_password(8, false, 'luds');
                            $wu->set_password($password);
                            $ok = $wu->save();
                            // send a message to communicate the new webuser's email
                            $message = navigate_compose_email(array(array('title' => $website->name, 'content' => t(451, "This is an automated e-mail sent as a result of a password request process. If you received this e-mail by error just ignore it.")), array('title' => t(1, "User"), 'content' => $wu->username), array('title' => t(2, "Password"), 'content' => $password), array('footer' => '<a href="' . $website->absolute_path() . $website->homepage() . '">' . $website->name . '</a>')));
                            @nvweb_send_email($website->name, $message, $wu->email);
                        }
                    }
                }
                if ($ok) {
                    $message = $webgets[$webget]['translations']['forgot_password_success'];
                } else {
                    $message = $webgets[$webget]['translations']['forgot_password_error'];
                }
                if (empty($vars['notify'])) {
                    $vars['notify'] = 'inline';
                }
                switch ($vars['notify']) {
                    case 'alert':
                        nvweb_after_body('js', 'alert("' . $message . '");');
                        break;
                    case 'inline':
                        if ($ok) {
                            $out = '<div class="nvweb-forgot-password-form-success">' . $message . '</div>';
                        } else {
                            $out = '<div class="nvweb-forgot-password-form-error">' . $message . '</div>';
                        }
                        break;
                    case 'boolean':
                        $out = $ok;
                        break;
                    case 'false':
                        break;
                        // javascript callback
                    // javascript callback
                    case 'callback':
                    default:
                        if ($ok) {
                            nvweb_after_body('js', $vars['callback'] . '("' . $message . '");');
                        } else {
                            if (!empty($vars['error_callback'])) {
                                nvweb_after_body('js', $vars['error_callback'] . '("' . $message . '");');
                            } else {
                                nvweb_after_body('js', $vars['callback'] . '("' . $message . '");');
                            }
                        }
                        break;
                }
            }
            break;
        case 'signup':
            // TODO
            // pre checks: correct form, not spambot, email not empty and valid
            // get the profile data from the form
            // more checks: password strength & confirmation, etc.
            // save the new webuser account
            // prepare account confirmation (unless not required by webget attributes)
            //      leave the account blocked
            //      generate an activation key
            //      send confirmation email
            // if no account confirmation is required, auto login
            break;
        case 'avatar':
            $size = '48';
            $extra = '';
            if (!empty($vars['size'])) {
                $size = intval($vars['size']);
            }
            if (!empty($vars['border'])) {
                $extra .= '&border=' . $vars['border'];
            }
            if (!empty($webuser->avatar)) {
                $out = '<img class="' . $vars['class'] . '" src="' . NVWEB_OBJECT . '?type=image' . $extra . '&id=' . $webuser->avatar . '" width="' . $size . 'px" height="' . $size . 'px"/>';
            } else {
                if (!empty($vars['default'])) {
                    // the comment creator has not an avatar, but the template wants to show a default one
                    // 3 cases:
                    //  numerical   ->  ID of the avatar image file in Navigate CMS
                    //  absolute path (http://www...)
                    //  relative path (/img/avatar.png) -> path to the avatar file included in the THEME used
                    if (is_numeric($vars['default'])) {
                        $out = '<img class="' . $vars['class'] . '" src="' . NVWEB_OBJECT . '?type=image' . $extra . '&id=' . $vars['default'] . '" width="' . $size . 'px" height="' . $size . 'px"/>';
                    } else {
                        if (strpos($vars['default'], 'http://') === 0) {
                            $out = '<img class="' . $vars['class'] . '" src="' . $vars['default'] . '" width="' . $size . 'px" height="' . $size . 'px"/>';
                        } else {
                            if ($vars['default'] == 'none') {
                                $out = '';
                            } else {
                                $out = '<img class="' . $vars['class'] . '"src="' . NAVIGATE_URL . '/themes/' . $website->theme . '/' . $vars['default'] . '" width="' . $size . 'px" height="' . $size . 'px"/>';
                            }
                        }
                    }
                } else {
                    $gravatar_hash = "";
                    $gravatar_default = 'blank';
                    if (!empty($vars['gravatar_default'])) {
                        $gravatar_default = $vars['gravatar_default'];
                    }
                    if (!empty($webuser->email)) {
                        $gravatar_hash = md5(strtolower(trim($webuser->email)));
                    }
                    if (!empty($gravatar_hash) && $gravatar_default != 'none') {
                        // gravatar real url: https://www.gravatar.com/avatar/
                        // we use libravatar to get more userbase
                        $gravatar_url = 'https://seccdn.libravatar.org/avatar/' . $gravatar_hash . '?s=' . $size . '&d=' . $gravatar_default;
                        $out = '<img class="' . $vars['class'] . '" src="' . $gravatar_url . '" width="' . $size . 'px" height="' . $size . 'px"/>';
                    } else {
                        $out = '<img class="' . $vars['class'] . '" src="data:image/gif;base64,R0lGODlhAQABAPAAAP///wAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw==" width="' . $size . 'px" height="' . $size . 'px"/>';
                    }
                }
            }
            break;
        case 'newsletter_subscribe':
            // a page may have several forms, which one do we have to check?
            if (!empty($vars['form'])) {
                list($field_name, $field_value) = explode('=', $vars['form']);
                if ($_POST[$field_name] != $field_value) {
                    return;
                }
            }
            // check if this send request really comes from the website and not from a spambot
            if (parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST) != $website->subdomain . '.' . $website->domain && parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST) != $website->domain) {
                return;
            }
            if (empty($vars['email_field'])) {
                $vars['email_field'] = 'newsletter_email';
            }
            $email = $_REQUEST[$vars['email_field']];
            $email = filter_var($email, FILTER_SANITIZE_EMAIL);
            if (!empty($vars['email_field']) && !empty($email)) {
                $ok = false;
                if (filter_var($email, FILTER_VALIDATE_EMAIL) !== FALSE) {
                    $wu_id = $DB->query_single('id', 'nv_webusers', ' email = ' . protect($email) . '
                          AND website = ' . $website->id);
                    $wu = new webuser();
                    if (!empty($wu_id)) {
                        $wu->load($wu_id);
                        if ($wu->access == 0 || $wu->access == 2 && ($wu->access_begin == 0 || time() > $wu->access_begin) && ($wu->access_end == 0 || time() < $wu->access_end)) {
                            $wu->newsletter = 1;
                            $ok = $wu->save();
                        }
                    }
                    if (empty($wu_id) || $wu->access == 1 && !empty($wu->activation_key)) {
                        // create a new webuser account with that email
                        $username = strtolower(substr($email, 0, strpos($email, '@')));
                        // left part of the email
                        if (!empty($username) && !in_array($username, array('info', 'admin', 'contact', 'demo', 'test'))) {
                            // check if the proposed username already exists,
                            // in that case use the full email as username
                            // ** if the email already exists, the subscribe process only updates the newsletter setting!
                            $wu_id = $DB->query_single('id', 'nv_webusers', ' username = '******'
                              AND website = ' . $website->id);
                        }
                        if (!empty($wu_id)) {
                            // oops, user already exists... try another username -- the full email address
                            $wu_id = $DB->query_single('id', 'nv_webusers', ' username = '******'
                                    AND website = ' . $website->id);
                            if (empty($wu_id)) {
                                // ok, email is a new username
                                $username = $email;
                            } else {
                                // nope, email is already used (this code should never execute **)
                                $username = uniqid($username . '-');
                            }
                        } else {
                            // new sign up
                            $wu->id = 0;
                            $wu->website = $website->id;
                            $wu->email = $email;
                            $wu->newsletter = 1;
                            $wu->language = $current['lang'];
                            // infer the webuser language by the active website language
                            $wu->username = $username;
                            $wu->access = 1;
                            // user is blocked until the server recieves an email confirmation
                        }
                        $wu->activation_key = md5($wu->email . rand(1, 9999999));
                        $ok = $wu->save();
                        // send a message to verify the new user's email
                        $email_confirmation_link = $website->absolute_path() . '/nv.webuser/verify?email=' . $wu->email . '&hash=' . $wu->activation_key;
                        $message = navigate_compose_email(array(array('title' => $website->name, 'content' => $webgets[$webget]['translations']['click_to_confirm_account'] . '<br />' . '<a href="' . $email_confirmation_link . '">' . $email_confirmation_link . '</a>'), array('footer' => $webgets[$webget]['translations']['email_confirmation_notice'] . '<br />' . '<a href="' . $website->absolute_path() . $website->homepage() . '">' . $website->name . '</a>')));
                        @nvweb_send_email($website->name, $message, $wu->email);
                        $pending_confirmation = true;
                    }
                }
                $message = $webgets[$webget]['translations']['subscribe_error'];
                if ($pending_confirmation) {
                    $message = $webgets[$webget]['translations']['email_confirmation'];
                } else {
                    if ($ok) {
                        $message = $webgets[$webget]['translations']['subscribed_ok'];
                    }
                }
                if (empty($vars['notify'])) {
                    $vars['notify'] = 'inline';
                }
                switch ($vars['notify']) {
                    case 'alert':
                        nvweb_after_body('js', 'alert("' . $message . '");');
                        break;
                    case 'inline':
                        if ($ok) {
                            $out = '<div class="nvweb-newsletter-form-success">' . $message . '</div>';
                        } else {
                            $out = '<div class="nvweb-newsletter-form-error">' . $message . '</div>';
                        }
                        break;
                    case 'boolean':
                        $out = $ok;
                        break;
                    case 'false':
                        break;
                        // javascript callback
                    // javascript callback
                    case 'callback':
                    default:
                        if ($ok) {
                            nvweb_after_body('js', $vars['callback'] . '("' . $message . '");');
                        } else {
                            if (!empty($vars['error_callback'])) {
                                nvweb_after_body('js', $vars['error_callback'] . '("' . $message . '");');
                            } else {
                                nvweb_after_body('js', $vars['callback'] . '("' . $message . '");');
                            }
                        }
                        break;
                }
            }
            break;
    }
    return $out;
}
Ejemplo n.º 2
0
function nvweb_contact($vars = array())
{
    global $website;
    global $DB;
    global $current;
    global $webgets;
    global $dictionary;
    global $webuser;
    global $theme;
    global $events;
    $webget = 'contact';
    if (!isset($webgets[$webget])) {
        $webgets[$webget] = array();
        global $lang;
        if (empty($lang)) {
            $lang = new language();
            $lang->load($current['lang']);
        }
        // default translations
        $webgets[$webget]['translations'] = array('name' => t(159, 'Name'), 'email' => t(44, 'E-Mail'), 'message' => t(380, 'Message'), 'fields_blank' => t(444, 'You left some required fields blank.'), 'contact_request_sent' => t(445, 'Your contact request has been sent. We will contact you shortly.'), 'contact_request_failed' => t(446, 'We\'re sorry. Your contact request could not be sent. Please try again or find another way to contact us.'), 'receipt_confirmation' => t(650, 'Receipt confirmation'));
        // theme translations
        // if the web theme has custom translations for this string subtypes, use it (for the user selected language)
        /* just add the following translations to your json theme dictionary:
        
        			"name": "Name",
        			"email": "E-Mail",
        			"message": "Message",
        		    "fields_blank": "You left some required fields blank.",
        		    "contact_request_sent": "Your contact request has been sent. We will contact you shortly.",
        		    "contact_request_failed": "We're sorry. Your contact request could not be sent. Please try again or find another way to contact us.",
        		    "receipt_confirmation": "Receipt confirmation"
        
        		*/
        if (!empty($website->theme) && method_exists($theme, 't')) {
            foreach ($webgets[$webget]['translations'] as $code => $text) {
                $theme_translation = $theme->t($code);
                if (!empty($theme_translation) && $code != $theme_translation) {
                    $webgets[$webget]['translations'][$code] = $theme_translation;
                }
            }
        }
    }
    if (empty($vars['notify'])) {
        $vars['notify'] = 'alert';
    }
    $out = '';
    switch (@$vars['mode']) {
        case 'send':
            if (!empty($_POST)) {
                // a page may have several forms, which one do we have to check?
                if (!empty($vars['form'])) {
                    list($field_name, $field_value) = explode('=', $vars['form']);
                    $field_name = trim($field_name);
                    $field_value = trim($field_value);
                    if ($_POST[$field_name] != $field_value) {
                        return;
                    }
                }
                // try to check if this send request really comes from the website and not from a spambot
                if (parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST) != $website->subdomain . '.' . $website->domain && parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST) != $website->domain) {
                    return;
                }
                // prepare fields and labels
                $fields = explode(',', @$vars['fields']);
                $labels = explode(',', @$vars['labels']);
                if (empty($labels)) {
                    $labels = $fields;
                }
                $labels = array_map(function ($key) {
                    global $webgets;
                    global $theme;
                    $key = trim($key);
                    $tmp = $theme->t($key);
                    if (!empty($tmp)) {
                        return $tmp;
                    } else {
                        return $webgets['contact']['translations'][$key];
                    }
                }, $labels);
                $fields = array_combine($fields, $labels);
                // $fields = array( 'field_name' => 'field_label', ... )
                // check required fields
                $errors = array();
                $required = array();
                if (!empty($vars['required'])) {
                    $required = explode(',', $vars['required']);
                }
                if (!empty($required)) {
                    foreach ($required as $field) {
                        $field = trim($field);
                        $value = trim($_POST[$field]);
                        if (empty($value)) {
                            $errors[] = $fields[$field];
                        }
                    }
                    if (!empty($errors)) {
                        return nvweb_contact_notify($vars, true, $webgets[$webget]['translations']['fields_blank'] . ' (' . implode(", ", $errors) . ')');
                    }
                }
                // create e-mail message and send it
                $message = nvweb_contact_generate($fields);
                // prepare any attachment to be sent
                $attachments = array();
                foreach ($fields as $field => $label) {
                    if (isset($_FILES[$field]) && $_FILES[$field]['error'] == 0) {
                        $attachments[] = array('file' => $_FILES[$field]['tmp_name'], 'name' => $_FILES[$field]['name']);
                    }
                }
                $subject = $vars['subject'];
                if (!empty($subject)) {
                    $subject = ' | ' . $theme->t($subject);
                }
                $subject = $website->name . $subject;
                $sent = nvweb_send_email($subject, $message, $website->contact_emails, $attachments);
                if ($sent) {
                    if (!empty($vars['receipt_confirmation_email'])) {
                        $confirmation_email = '';
                        if ($vars['receipt_confirmation_email'] == 'webuser') {
                            $confirmation_email = $webuser->email;
                        } else {
                            $confirmation_email = $_POST[$vars['receipt_confirmation_email']];
                        }
                        if (!empty($confirmation_email)) {
                            nvweb_send_email($subject . ' (' . $webgets[$webget]['translations']['receipt_confirmation'] . ')', $message, $confirmation_email, $attachments);
                        }
                    }
                    $events->trigger('contact', 'sent', array('subject' => $subject, 'message' => $message, 'form' => @$vars['form'], 'emails' => $website->contact_emails));
                    $out = nvweb_contact_notify($vars, false, $webgets[$webget]['translations']['contact_request_sent']);
                } else {
                    $out = nvweb_contact_notify($vars, true, $webgets[$webget]['translations']['contact_request_failed']);
                }
            }
    }
    return $out;
}
Ejemplo n.º 3
0
function nvweb_comments($vars = array())
{
    global $website;
    global $DB;
    global $current;
    global $webgets;
    global $dictionary;
    global $webuser;
    global $theme;
    global $events;
    global $session;
    $webget = 'comments';
    if (!isset($webgets[$webget])) {
        $webgets[$webget] = array();
        global $lang;
        if (empty($lang)) {
            $lang = new language();
            $lang->load($current['lang']);
        }
        // default translations
        $webgets[$webget]['translations'] = array('post_a_comment' => t(379, 'Post a comment'), 'name' => t(159, 'Name'), 'email' => t(44, 'E-Mail'), 'website' => t(177, 'Website'), 'message' => t(380, 'Message'), 'email_will_not_be_published' => t(381, 'E-Mail will not be published'), 'submit' => t(382, 'Submit'), 'sign_in_or_sign_up_to_post_a_comment' => t(383, 'Sign in or Sign up to post a comment'), 'comments_on_this_entry_are_closed' => t(384, 'Comments on this entry are closed'), 'please_dont_leave_any_field_blank' => t(385, 'Please don\'t leave any field blank'), 'your_comment_has_been_received_and_will_be_published_shortly' => t(386, 'Your comment has been received and will be published shortly'), 'new_comment' => t(387, 'New comment'), 'review_comments' => t(388, 'Review comments'));
        // theme translations
        // if the web theme has custom translations for this string subtypes, use it (for the user selected language)
        /* just add the following translations to your json theme dictionary:
        
        			"post_a_comment": "Post a comment",
        			"name": "Name",
        			"email": "E-Mail",
        			"website": "Website",
        			"message": "Message",
        			"email_will_not_be_published": "E-Mail will not be published",
        			"submit": "Submit",
        			"sign_in_or_sign_up_to_post_a_comment": "Sign in or Sign up to post a comment",
        			"comments_on_this_entry_are_closed": "Comments on this entry are closed",
        			"please_dont_leave_any_field_blank": "Please don't leave any field blank",
        			"your_comment_has_been_received_and_will_be_published_shortly": "Your comment has been received and will be published shortly",
        			"new_comment": "New comment",
        			"review_comments": "Review comments"
        		*/
        if (!empty($website->theme) && method_exists($theme, 't')) {
            foreach ($webgets[$webget]['translations'] as $code => $text) {
                $theme_translation = $theme->t($code);
                if (!empty($theme_translation) && $theme_translation != $code) {
                    $webgets[$webget]['translations'][$code] = $theme_translation;
                }
            }
        }
    }
    // set default callback
    if (empty($vars['callback'])) {
        $vars['callback'] = 'alert';
    }
    // check callback attributes
    $callback = $vars['callback'];
    if (!empty($vars['alert_callback'])) {
        $callback = $vars['alert_callback'];
    } else {
        if (!empty($vars['callback_alert'])) {
            $callback = $vars['callback_alert'];
        }
    }
    $callback_error = $callback;
    if (!empty($vars['error_callback'])) {
        $callback_error = $vars['error_callback'];
    } else {
        if (!empty($vars['callback_error'])) {
            $callback_error = $vars['callback_error'];
        }
    }
    $out = '';
    // if the current page belongs to a structure entry
    // we need to get the associated elements to retrieve and post its comments
    // (because structure entry pages can't have associated comments)
    // so, ONLY the FIRST element associated to a category can have comments in a structure entry page
    // (of course if the element has its own page, it can have its own comments)
    $element = $current['object'];
    if ($current['type'] == 'structure') {
        if (empty($current['structure_elements'])) {
            $current['structure_elements'] = $element->elements();
        }
        $element = $current['structure_elements'][0];
    }
    switch (@$vars['mode']) {
        case 'process':
            if (isset($_GET['nv_approve_comment'])) {
                // process 1-click comment approval
                $comment = new comment();
                $comment->load($_GET['id']);
                if (!empty($comment->id) && $comment->status == -1) {
                    $hash = $_GET['hash'];
                    if ($hash == sha1($comment->id . $comment->email . APP_UNIQUE . serialize($website->contact_emails))) {
                        // hash check passed
                        $comment->status = 0;
                        $comment->save();
                        $response = t(555, "Item has been successfully published.");
                        if ($vars['notify'] == 'inline' || $callback == 'inline') {
                            $out = '<div class="comment-success">' . $response . '</div>';
                        } else {
                            if (!isset($vars['notify']) || $vars['notify'] == 'callback') {
                                nvweb_after_body("js", $callback . '("' . $response . '");');
                            }
                        }
                    } else {
                        $response = t(344, "Security error");
                        if ($vars['notify'] == 'inline' || $callback_error == 'inline') {
                            $out = '<div class="comment-error">' . $response . '</div>';
                        } else {
                            if (!isset($vars['notify']) || $vars['notify'] == 'callback') {
                                nvweb_after_body("js", $callback_error . '("' . $response . '");');
                            }
                        }
                    }
                } else {
                    $response = t(56, "Unexpected error");
                    if ($vars['notify'] == 'inline' || $callback_error == 'inline') {
                        $out = '<div class="comment-error">' . $response . '</div>';
                    } else {
                        if (!isset($vars['notify']) || $vars['notify'] == 'callback') {
                            nvweb_after_body("js", $callback_error . '("' . $response . '");');
                        }
                    }
                }
            }
            if (isset($_GET['nv_remove_comment'])) {
                // process 1-click comment removal
                $comment = new comment();
                $comment->load($_GET['id']);
                if (!empty($comment->id) && $comment->status == -1) {
                    $hash = $_GET['hash'];
                    if ($hash == sha1($comment->id . $comment->email . APP_UNIQUE . serialize($website->contact_emails))) {
                        // hash check passed
                        $comment->delete();
                        $response = t(55, "Item successfully deleted");
                        if ($vars['notify'] == 'inline' || $callback == 'inline') {
                            $out = '<div class="comment-success">' . $response . '</div>';
                        } else {
                            if (!isset($vars['notify']) || $vars['notify'] == 'callback') {
                                nvweb_after_body("js", $callback . '("' . $response . '");');
                            }
                        }
                    } else {
                        $response = t(344, "Security error");
                        if ($vars['notify'] == 'inline' || $callback_error == 'inline') {
                            $out = '<div class="comment-error">' . $response . '</div>';
                        } else {
                            if (!isset($vars['notify']) || $vars['notify'] == 'callback') {
                                nvweb_after_body("js", $callback_error . '("' . $response . '");');
                            }
                        }
                    }
                } else {
                    $response = t(56, "Unexpected error");
                    if ($vars['notify'] == 'inline' || $callback_error == 'inline') {
                        $out = '<div class="comment-error">' . $response . '</div>';
                    } else {
                        if (!isset($vars['notify']) || $vars['notify'] == 'callback') {
                            nvweb_after_body("js", $callback_error . '("' . $response . '");');
                        }
                    }
                }
            }
            if ($_REQUEST['form-type'] == 'comment-reply' || isset($_POST[$vars['field-message']])) {
                // add comment
                if (empty($vars['field-name'])) {
                    $vars['field-name'] = 'reply-name';
                }
                if (empty($vars['field-email'])) {
                    $vars['field-email'] = 'reply-email';
                }
                if (empty($vars['field-url'])) {
                    $vars['field-url'] = 'reply-url';
                }
                if (empty($vars['field-message'])) {
                    $vars['field-message'] = 'reply-message';
                }
                if (!empty($vars['element'])) {
                    $element = $vars['element'];
                }
                $comment_name = @$_REQUEST[$vars['field-name']];
                $comment_email = @$_REQUEST[$vars['field-email']];
                $comment_url = @$_REQUEST[$vars['field-url']];
                $comment_message = @$_REQUEST[$vars['field-message']];
                if ((empty($comment_name) || empty($comment_email)) && empty($webuser->id) || empty($comment_message)) {
                    $response = $webgets[$webget]['translations']['please_dont_leave_any_field_blank'];
                    if ($vars['notify'] == 'inline' || $callback_error == 'inline') {
                        $out = '<div class="comment-error">' . $response . '</div>';
                    } else {
                        if (!isset($vars['notify']) || $vars['notify'] == 'callback') {
                            nvweb_after_body("js", $callback_error . '("' . $response . '");');
                        }
                    }
                    return $out;
                }
                $status = -1;
                // new comment, not approved
                if (empty($element->comments_moderator)) {
                    $status = 0;
                }
                // all comments auto-approved
                // remove any <nv /> or {{nv}} tag
                $comment_name = core_remove_nvtags($comment_name);
                $comment_name = strip_tags($comment_name);
                $comment_message = core_remove_nvtags($comment_message);
                $comment = new comment();
                $comment->id = 0;
                $comment->website = $website->id;
                $comment->item = $element->id;
                $comment->user = empty($webuser->id) ? 0 : $webuser->id;
                $comment->name = $comment_name;
                $comment->email = filter_var($comment_email, FILTER_SANITIZE_EMAIL);
                $comment->url = filter_var($comment_url, FILTER_SANITIZE_URL);
                $comment->ip = core_ip();
                $comment->date_created = core_time();
                $comment->date_modified = 0;
                $comment->status = $status;
                $comment->message = $comment_message;
                $properties = array();
                // check if there are comment properties values
                if (isset($vars['field-properties-prefix'])) {
                    // check every possible property
                    $e_properties = property::elements($element->template, 'comment');
                    for ($ep = 0; $ep < count($e_properties); $ep++) {
                        if (isset($_POST[$vars['field-properties-prefix'] . $e_properties[$ep]->id])) {
                            $properties[$e_properties[$ep]->id] = $_POST[$vars['field-properties-prefix'] . $e_properties[$ep]->id];
                        }
                    }
                }
                // trigger the "new_comment" event through the extensions system before inserting it!
                $extensions_messages = $events->trigger('comment', 'before_insert', array('comment' => $comment, 'properties' => $properties));
                foreach ($extensions_messages as $ext_name => $ext_result) {
                    if (isset($ext_result['error'])) {
                        $response = $ext_result['error'];
                        if ($vars['notify'] == 'inline' || $callback_error == 'inline') {
                            $out = '<div class="comment-error">' . $response . '</div>';
                        } else {
                            if (!isset($vars['notify']) || $vars['notify'] == 'callback') {
                                nvweb_after_body("js", $callback_error . '("' . $response . '");');
                            }
                        }
                        return $out;
                    }
                }
                $comment->insert();
                if (!empty($properties)) {
                    property::save_properties_from_array('comment', $comment->id, $element->template, $properties);
                }
                // reload the element to retrieve the new comments
                $element = new item();
                $element->load($comment->item);
                if ($current['type'] == 'item' && !isset($vars['element'])) {
                    $current['object'] = $element;
                }
                // trigger the "new_comment" event through the extensions system
                $events->trigger('comment', 'after_insert', array('comment' => &$comment, 'properties' => $properties));
                if (!empty($comment->id)) {
                    if ($status == -1) {
                        $response = $webgets[$webget]['translations']['your_comment_has_been_received_and_will_be_published_shortly'];
                        if ($vars['notify'] == 'inline' || $callback_error == 'inline') {
                            $out = '<div class="comment-success">' . $response . '</div>';
                        } else {
                            if (!isset($vars['notify']) || $vars['notify'] == 'callback') {
                                nvweb_after_body("js", $callback . '("' . $response . '");');
                            }
                        }
                    } else {
                        $response = $webgets[$webget]['translations']['your_comment_has_been_received_and_will_be_published_shortly'];
                        if ($vars['notify'] == 'inline' || $callback_error == 'inline') {
                            $out = '<div class="comment-success">' . $response . '</div>';
                        } else {
                            if (!isset($vars['notify']) || $vars['notify'] == 'callback') {
                                nvweb_after_body("js", $callback . '("' . $response . '");');
                            }
                        }
                    }
                }
                $notify_addresses = $website->contact_emails;
                if (!empty($element->comments_moderator)) {
                    $notify_addresses[] = user::email_of($element->comments_moderator);
                }
                $hash = sha1($comment->id . $comment->email . APP_UNIQUE . serialize($website->contact_emails));
                $base_url = nvweb_source_url('element', $element->id);
                // default colors
                $background_color = '#E5F1FF';
                $text_color = '#595959';
                $title_color = '#595959';
                $background_color_db = $DB->query_single('value', 'nv_permissions', 'name = ' . protect("nvweb.comments.background_color") . ' AND website = ' . protect($website->id), 'id DESC');
                $text_color_db = $DB->query_single('value', 'nv_permissions', 'name = ' . protect("nvweb.comments.text_color") . ' AND website = ' . protect($website->id), 'id DESC');
                $title_color_db = $DB->query_single('value', 'nv_permissions', 'name = ' . protect("nvweb.comments.titles_color") . ' AND website = ' . protect($website->id), 'id DESC');
                if (!empty($background_color_db)) {
                    $background_color = str_replace('"', '', $background_color_db);
                }
                if (!empty($text_color_db)) {
                    $text_color = str_replace('"', '', $text_color_db);
                }
                if (!empty($title_color_db)) {
                    $title_color = str_replace('"', '', $title_color_db);
                }
                $message = navigate_compose_email(array(array('title' => t(9, 'Content'), 'content' => $element->dictionary[$current['lang']]['title']), array('title' => $webgets[$webget]['translations']['name'], 'content' => $comment_name . @$webuser->username), array('title' => $webgets[$webget]['translations']['email'], 'content' => $comment_email . @$webuser->email), array('title' => $webgets[$webget]['translations']['website'], 'content' => $comment_url . @$webuser->social_website), array('title' => $webgets[$webget]['translations']['message'], 'content' => nl2br($comment_message)), array('footer' => '<a href="' . NAVIGATE_URL . '/' . NAVIGATE_MAIN . '?wid=' . $website->id . '&fid=10&act=2&tab=5&id=' . $element->id . '"><strong>' . $webgets[$webget]['translations']['review_comments'] . '</strong></a>' . '&nbsp;&nbsp;|&nbsp;&nbsp;' . '<a style=" color: #008830" href="' . $base_url . '?nv_approve_comment&id=' . $comment->id . '&hash=' . $hash . '">' . t(258, "Publish") . '</a>' . '&nbsp;&nbsp;|&nbsp;&nbsp;' . '<a style=" color: #FF0090" href="' . $base_url . '?nv_remove_comment&id=' . $comment->id . '&hash=' . $hash . '">' . t(525, "Remove comment (without confirmation)") . '</a>')), array('background' => $background_color, 'title-color' => $title_color, 'content-color' => $text_color));
                // trying to implement One-Click actions (used in Google GMail)
                // You need to be registered with Google first: https://developers.google.com/gmail/markup/registering-with-google
                $one_click_actions = '
                    <script type="application/ld+json">
                    {
                        "@context": "http://schema.org",
                        "@type": "EmailMessage",
                        "potentialAction":
                        {
                            "@type": "ViewAction",
                            "name": "' . $webgets[$webget]['translations']['review_comments'] . '",
                            "url": "' . NAVIGATE_URL . '/' . NAVIGATE_MAIN . '?wid=' . $website->id . '&fid=10&act=2&tab=5&id=' . $element->id . '"
                        }
                    }
                    </script>
				';
                $message = '<html><head>' . $one_click_actions . '</head><body>' . $message . '</body></html>';
                foreach ($website->contact_emails as $contact_address) {
                    @nvweb_send_email($website->name . ' | ' . $webgets[$webget]['translations']['new_comment'], $message, $contact_address, null, true);
                }
            }
            break;
        case 'reply':
            if ($element->comments_enabled_to == 2 && empty($webuser->id)) {
                // Post a comment form (unsigned users)
                $out = '
					<div class="comments-reply">
						<div><div class="comments-reply-info">' . $webgets[$webget]['translations']['post_a_comment'] . '</div></div>
						<br />
						<form action="' . NVWEB_ABSOLUTE . '/' . $current['route'] . '" method="post">
							<input type="hidden" name="form-type" value="comment-reply" />
							<div class="comments-reply-field"><label>' . $webgets[$webget]['translations']['name'] . '</label> <input type="text" name="reply-name" value="" /></div>
							<div class="comments-reply-field"><label>' . $webgets[$webget]['translations']['email'] . ' *</label> <input type="text" name="reply-email" value="" /></div>
							<div class="comments-reply-field"><label>' . $webgets[$webget]['translations']['message'] . '</label> <textarea name="reply-message"></textarea></div>
							<!-- {{navigate-comments-reply-extra-fields-placeholder}} -->
							<div class="comments-reply-field comments-reply-field-info-email"><label>&nbsp;</label> * ' . $webgets[$webget]['translations']['email_will_not_be_published'] . '</div>
							<div class="comments-reply-field comments-reply-field-submit"><input class="comments-reply-submit" type="submit" value="' . $webgets[$webget]['translations']['submit'] . '" /></div>
						</form>
					</div>
				';
                $extensions_messages = $events->trigger('comment', 'reply_extra_fields', array('html' => &$out));
                // add any extra field generated
                if (!empty($extensions_messages)) {
                    $extra_fields = array_map(function ($v) {
                        return $v;
                    }, array_values($extensions_messages));
                    $out = str_replace('<!-- {{navigate-comments-reply-extra-fields-placeholder}} -->', implode("\n", $extra_fields), $out);
                }
            } else {
                if ($element->comments_enabled_to > 0 && !empty($webuser->id)) {
                    // Post a comment form (signed in users)
                    if (empty($vars['avatar_size'])) {
                        $vars['avatar_size'] = 32;
                    }
                    $avatar_url = NVWEB_OBJECT . '?type=blank';
                    if (!empty($webuser->avatar)) {
                        $avatar_url = NVWEB_OBJECT . '?wid=' . $website->id . '&id=' . $webuser->avatar . '&amp;disposition=inline&width=' . $vars['avatar_size'] . '&height=' . $vars['avatar_size'];
                    }
                    $out = '
					<div class="comments-reply">
						<div><div class="comments-reply-info">' . $webgets[$webget]['translations']['post_a_comment'] . '</div></div>
						<br />
						<form action="' . NVWEB_ABSOLUTE . '/' . $current['route'] . '" method="post">
							<input type="hidden" name="form-type" value="comment-reply" />
							<div class="comments-reply-field"><label style="display: none;">&nbsp;</label> <img src="' . $avatar_url . '" width="' . $vars['avatar_size'] . '" height="' . $vars['avatar_size'] . '" align="absmiddle" /> <span class="comments-reply-username">' . $webuser->username . '</span><a class="comments-reply-signout" href="?webuser_signout">(x)</a></div>
							<br />
							<div class="comments-reply-field"><label>' . $webgets[$webget]['translations']['message'] . '</label> <textarea name="reply-message"></textarea></div>
							<!-- {{navigate-comments-reply-extra-fields-placeholder}} -->
							<div class="comments-reply-field-submit"><input class="comments-reply-submit" type="submit" value="' . $webgets[$webget]['translations']['submit'] . '" /></div>
						</form>
					</div>
				';
                    $extensions_messages = $events->trigger('comment', 'reply_extra_fields', array('html' => $out));
                    // add any extra field generated
                    if (!empty($extensions_messages)) {
                        $extra_fields = array_map(function ($v) {
                            return $v;
                        }, array_values($extensions_messages));
                        $out = str_replace('<!-- {{navigate-comments-reply-extra-fields-placeholder}} -->', implode("\n", $extra_fields), $out);
                    }
                } else {
                    if ($element->comments_enabled_to == 1) {
                        $out = '<div class="comments-reply">
                            <div class="comments-reply-info">' . $webgets[$webget]['translations']['sign_in_or_sign_up_to_post_a_comment'] . '</div>
                        </div>';
                    } else {
                        $out = '<div class="comments-reply">
                            <div class="comments-reply-info">' . $webgets[$webget]['translations']['comments_on_this_entry_are_closed'] . '</div>
                        </div>';
                    }
                }
            }
            break;
        case 'comments':
            setlocale(LC_ALL, $website->languages[$session['lang']]['system_locale']);
            list($comments, $comments_total) = nvweb_comments_list(0, NULL, NULL, $vars['order']);
            // get all comments of the current entry
            if (empty($vars['avatar_size'])) {
                $vars['avatar_size'] = '48';
            }
            if (empty($vars['date_format'])) {
                $vars['date_format'] = '%d %B %Y %H:%M';
            }
            for ($c = 0; $c < $comments_total; $c++) {
                $avatar = $comments[$c]->avatar;
                if (!empty($avatar)) {
                    $avatar = '<img src="' . NVWEB_OBJECT . '?type=image&id=' . $avatar . '" width="' . $vars['avatar_size'] . 'px" height="' . $vars['avatar_size'] . 'px"/>';
                } else {
                    $avatar = '<img src="data:image/gif;base64,R0lGODlhAQABAPAAAP///wAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw==" width="' . $vars['avatar_size'] . 'px" height="' . $vars['avatar_size'] . 'px"/>';
                }
                $comment = new comment();
                $comment->load_from_resultset(array($comments[$c]));
                $depth = 'data-depth="' . $comment->depth() . '"';
                $out .= '
					<div class="comment"' . $depth . '>
						<div class="comment-avatar">' . $avatar . '</div>
						<div class="comment-username">' . (!empty($comments[$c]->username) ? $comments[$c]->username : $comments[$c]->name) . '</div>
						<div class="comment-date">' . Encoding::toUTF8(strftime($vars['date_format'], $comments[$c]->date_created)) . '</div>
						<div class="comment-message">' . nl2br($comments[$c]->message) . '</div>
						<div style="clear:both"></div>
					</div>
				';
            }
            break;
    }
    return $out;
}