/** * Show shouts or shout */ public function index() { $shout = new Shout_Model(); $form_values = $shout->as_array(); $form_errors = array(); // Check post if (csrf::valid() && ($post = $this->input->post())) { $shout->author_id = $this->user->id; $shout->shout = $post['shout']; try { $shout->save(); if (!request::is_ajax()) { url::redirect(url::current()); } } catch (ORM_Validation_Exception $e) { $form_errors = $e->validation->errors(); $form_values = arr::overwrite($form_values, $post); } } $shouts = ORM::factory('shout')->find_all(10); $view = View_Mod::factory('generic/shout', array('mod_title' => __('Shouts'), 'shouts' => $shouts, 'can_shout' => ORM::factory('shout')->has_access(Shout_Model::ACCESS_WRITE, $this->user), 'errors' => $form_errors, 'values' => $form_values)); if (request::is_ajax()) { echo $view; return; } widget::add('main', $view); }
/** * Edit topic * * @param mixed $topic_id * @param mixed $area_id */ public function _topic_edit($topic_id, $area_id = false) { $this->history = false; $errors = array(); $forum_topic = new Forum_Topic_Model((int) $topic_id); $forum_area = $forum_topic->loaded() ? $forum_topic->forum_area : new Forum_Area_Model((int) $area_id); if ($forum_topic->loaded()) { // Editing topic $editing = true; if (!$forum_topic->has_access(Forum_Topic_Model::ACCESS_EDIT)) { url::back('forum'); } } else { if ($forum_area->loaded()) { // New topic $editing = false; if (!$forum_area->has_access(Forum_Area_Model::ACCESS_WRITE)) { url::back('forum'); } } else { // New topic in unknown area $errors[] = __('Area :area or topic :topic not found', array(':area' => (int) $area_id, ':topic' => (int) $topic_id)); } } if (empty($errors)) { $forum_post = new Forum_Post_Model((int) $forum_topic->first_post_id); $form_errors = array(); $form_values_topic = $forum_topic->as_array(); $form_values_post = $forum_post->as_array(); $form_topics = false; // Bound area? if ($forum_area->is_type(Forum_Area_Model::TYPE_BIND)) { // Get bind config and load topics $bind = Forum_Area_Model::binds($forum_area->bind); if ($editing) { // Can't edit bound topic $form_topics = array($forum_topic->bind_id => $forum_topic->name); } else { // Try to load options from configured model try { $bind_topics = ORM::factory($bind['model'])->find_bind_topics($forum_area->bind); $form_topics = array(0 => __('Choose..')) + $bind_topics; } catch (Kohana_Exception $e) { $form_topics = array(); } } } // Admin actions if ($editing && $forum_topic->has_access(Forum_Topic_Model::ACCESS_DELETE)) { $this->page_actions[] = array('link' => url::model($forum_topic) . '/delete/?token=' . csrf::token(), 'text' => __('Delete topic'), 'class' => 'topic-delete'); } // Check post if ($post = $this->input->post()) { $post['forum_area_id'] = $forum_area->id; $topic = $post; if (isset($bind_topics)) { $topic['name'] = arr::get($bind_topics, (int) $topic['bind_id'], ''); } $post_extra = $topic_extra = array('author_id' => $this->user->id, 'author_name' => $this->user->username); if ($editing) { $post_extra['modifies'] = (int) $forum_post->modifies + 1; $post_extra['modified'] = date::unix2sql(time()); } $post_extra['author_ip'] = $this->input->ip_address(); $post_extra['author_host'] = $this->input->host_name(); // validate post first and save topic if ok if (csrf::valid() && $forum_post->validate($post, false, $post_extra) && $forum_topic->validate($topic, true, $topic_extra)) { // post $forum_post->forum_topic_id = $forum_topic->id; $forum_post->save(); if (!$editing) { // topic $forum_topic->first_post_id = $forum_post->id; $forum_topic->last_post_id = $forum_post->id; $forum_topic->last_poster = $this->user->username; $forum_topic->last_posted = date::unix2sql(time()); $forum_topic->posts = 1; $forum_topic->save(); // area $forum_area->last_topic_id = $forum_topic->id; $forum_area->posts += 1; $forum_area->topics += 1; $forum_area->save(); // user $this->user->posts += 1; $this->user->save(); // News feed newsfeeditem_forum::topic($this->user, $forum_topic); } // redirect back to topic URL::redirect(url::model($forum_topic)); } else { $form_errors = array_merge($post->errors(), is_object($topic) ? $topic->errors() : array()); } $form_values_topic = arr::overwrite($form_values_topic, is_object($topic) ? $topic->as_array() : $topic); $form_values_post = arr::overwrite($form_values_post, $post->as_array()); } } // Show form if (empty($errors)) { $this->breadcrumb[] = html::anchor(url::model($forum_area), text::title($forum_area->name)); $this->page_title = $editing ? text::title($forum_topic->name) : __('New topic'); $this->page_subtitle = __('Area :area', array(':area' => html::anchor(url::model($forum_area), text::title($forum_area->name), array('title' => strip_tags($forum_area->description))))); widget::add('head', html::script(array('js/jquery.markitup.pack', 'js/markitup.bbcode'))); widget::add('main', View_Mod::factory('forum/topic_edit', array('topic' => $form_values_topic, 'topics' => $form_topics, 'post' => $form_values_post, 'errors' => $form_errors))); } else { $this->_error(__('Error'), $errors); } $this->_side_views(); }
/** * User profile */ public function _view() { $this->tab_id = 'profile'; $owner = $this->user && $this->member->id == $this->user->id; if ($owner && $this->user->newcomments) { $this->user->newcomments = 0; $this->user->save(); } // Actions if ($this->member->has_access(User_Model::ACCESS_EDIT)) { $this->page_actions[] = array('link' => url::user($this->member) . '/edit', 'text' => __('Settings'), 'class' => 'settings'); } // Picture widget::add('side', View_Mod::factory('member/member', array('mod_class' => 'member member-' . $this->member->id, 'user' => $this->member))); // Comments if ($this->member->has_access(User_Model::ACCESS_COMMENT)) { $comment = new User_Comment_Model(); $form_values = $comment->as_array(); $form_errors = array(); // check post if (csrf::valid() && ($post = $this->input->post())) { $comment->user_id = $this->member->id; $comment->author_id = $this->user->id; $comment->comment = $post['comment']; if (isset($post['private'])) { $comment->private = 1; } try { $comment->save(); if (!$owner) { $this->member->newcomments += 1; $this->member->save(); } $this->user->commentsleft += 1; $this->user->save(); if (!request::is_ajax()) { url::redirect(url::current()); } } catch (ORM_Validation_Exception $e) { $form_errors = $e->validation->errors(); $form_values = arr::overwrite($form_values, $post); } } // Handle pagination $per_page = 25; $page_num = $this->uri->segment('page') ? $this->uri->segment('page') : 1; $page_offset = ($page_num - 1) * $per_page; $total_comments = $this->member->get_comment_count(); $comments = $this->member->find_comments($page_num, $per_page, $this->user); $pagination = new Pagination(array('items_per_page' => $per_page, 'total_items' => $total_comments)); $view = View::factory('generic/comments', array('delete' => '/member/comment/%d/delete/?token=' . csrf::token(), 'private' => '/member/comment/%d/private/?token=' . csrf::token(), 'comments' => $comments, 'errors' => $form_errors, 'values' => $form_values, 'pagination' => $pagination, 'user' => $this->user)); if (request::is_ajax()) { echo $view; return; } widget::add('main', $view); } // Basic info $basic_info = array(); if (!empty($this->member->name)) { $basic_info[__('Name')] = html::specialchars($this->member->name); } if (!empty($this->member->city_name)) { $basic_info[__('City')] = html::specialchars($this->member->city_name); } if (!empty($this->member->dob) && $this->member->dob != '0000-00-00') { $basic_info[__('Date of Birth')] = __(':dob (:years years)', array(':dob' => date::format('DMYYYY', $this->member->dob), ':years' => date::timespan(strtotime($this->member->dob), null, 'years'))); } if (!empty($this->member->gender)) { $basic_info[__('Gender')] = $this->member->gender == 'm' ? __('Male') : __('Female'); } if (!empty($this->member->latitude) && !empty($this->member->longitude)) { $basic_info[__('Location')] = $this->member->latitude . ', ' . $this->member->longitude; $basic_info[__('Location')] = html::anchor('#map', __('Toggle map'), array('class' => 'expander', 'title' => __('Show/hide'))) . '<div id="map" style="display: none">' . __('Map loading') . '</div>'; $map = new Gmap('map', array('ScrollWheelZoom' => true)); $map->center($this->member->latitude, $this->member->longitude, 15)->controls('small')->types(); $map->add_marker($this->member->latitude, $this->member->longitude, html::avatar($this->member->avatar, $this->member->username) . html::user($this->member)); widget::add('foot', html::script_source($map->render('gmaps/jquery_event'))); widget::add('foot', html::script_source("\$('a[href*=\"#map\"]:first').click(function() { \$('#map').toggle('normal', gmap_open); return false; });")); } // Site info $site_info = array(__('Registered') => date::format('DMYYYY_HM', $this->member->created) . ' [#' . $this->member->id . ']', __('Logins') => __(':logins (:ago ago)', array(':logins' => number_format($this->member->logins, 0), ':ago' => '<abbr title="' . date::format('DMYYYY_HM', $this->member->last_login) . '">' . date::timespan_short($this->member->last_login) . '</abbr>')), __('Posts') => number_format($this->member->posts, 0), __('Comments') => number_format($this->member->commentsleft, 0)); // Initialize tabs $tabs = array('basic-info' => array('href' => '#basic-info', 'title' => __('Basic info'), 'tab' => new View('generic/list_info', array('id' => 'basic-info', 'title' => __('Basic info'), 'list' => $basic_info))), 'site-info' => array('href' => '#site-info', 'title' => __('Site info'), 'tab' => new View('generic/list_info', array('id' => 'site-info', 'title' => __('Site info'), 'list' => $site_info)))); widget::add('side', View::factory('generic/tabs', array('id' => 'info-tab', 'tabs' => $tabs))); $this->_side_views(); }
/** * Delete entry * * @param integer|string $entry_id */ public function _entry_delete($entry_id) { $this->history = false; $entry = new Blog_Entry_Model((int) $entry_id); if ($this->user && $entry->id && csrf::valid($this->input->get('token'), $this->user->id) && ($entry->is_author() || $this->visitor->logged_in('admin'))) { $entry->delete(); url::redirect('/blogs'); } url::back('/blogs'); }
/** * Validate by processing pre-filters, rules, callbacks, and post-filters. * All fields that have filters, rules, or callbacks will be initialized if * they are undefined. Validation will only be run if there is data already * in the array. * * @param bool $validate_csrf When TRUE, performs CSRF token validation * @return bool */ public function validate($validate_csrf = TRUE) { // CSRF token field $csrf_token_key = 'form_auth_token'; if (array_key_exists($csrf_token_key, $this)) { unset($this[$csrf_token_key]); } // Delete the CSRF token field if it's in the validation // rules if (array_key_exists($csrf_token_key, $this->callbacks)) { unset($this->callbacks[$csrf_token_key]); } elseif (array_key_exists($csrf_token_key, $this->rules)) { unset($this->rules[$csrf_token_key]); } // Disable CSRF for XHR // Same method as django CSRF protection: // http://michael-coates.blogspot.co.nz/2010/12/djangos-built-in-csrf-defense-for-ajax.html if (request::is_ajax()) { $validate_csrf = FALSE; } // Perform CSRF validation for all HTTP POST requests // where CSRF validation is enabled and the request // was not submitted via the API if ($_POST and $validate_csrf and !Validation::$is_api_request) { // Check if CSRF module is loaded if (in_array(MODPATH . 'csrf', Kohana::config('config.modules'))) { // Check for presence of CSRF token in HTTP POST payload $form_auth_token = isset($_POST[$csrf_token_key]) ? $_POST[$csrf_token_key] : text::random('alnum', 10); // Validate the token if (!csrf::valid($form_auth_token)) { Kohana::log('debug', 'Invalid CSRF token: ' . $form_auth_token); Kohana::log('debug', 'Actual CSRF token: ' . csrf::token()); // Flag CSRF validation as having failed $this->csrf_validation_failed = TRUE; // Set the error message $this->errors[$csrf_token_key] = Kohana::lang('csrf.form_auth_token.error'); return FALSE; } } } // All the fields that are being validated $all_fields = array_unique(array_merge(array_keys($this->pre_filters), array_keys($this->rules), array_keys($this->callbacks), array_keys($this->post_filters))); // Copy the array from the object, to optimize multiple sets $object_array = $this->getArrayCopy(); foreach ($all_fields as $i => $field) { if ($field === $this->any_field) { // Remove "any field" from the list of fields unset($all_fields[$i]); continue; } if (substr($field, -2) === '.*') { // Set the key to be an array Kohana::key_string_set($object_array, substr($field, 0, -2), array()); } else { // Set the key to be NULL Kohana::key_string_set($object_array, $field, NULL); } } // Swap the array back into the object $this->exchangeArray($object_array); // Reset all fields to ALL defined fields $all_fields = array_keys($this->getArrayCopy()); foreach ($this->pre_filters as $field => $calls) { foreach ($calls as $func) { if ($field === $this->any_field) { foreach ($all_fields as $f) { // Process each filter $this[$f] = is_array($this[$f]) ? arr::map_recursive($func, $this[$f]) : call_user_func($func, $this[$f]); } } else { // Process each filter $this[$field] = is_array($this[$field]) ? arr::map_recursive($func, $this[$field]) : call_user_func($func, $this[$field]); } } } if ($this->submitted === FALSE) { return FALSE; } foreach ($this->rules as $field => $calls) { foreach ($calls as $call) { // Split the rule into function and args list($func, $args) = $call; if ($field === $this->any_field) { foreach ($all_fields as $f) { if (isset($this->array_fields[$f])) { // Use the field key $f_key = $this->array_fields[$f]; // Prevent other rules from running when this field already has errors if (!empty($this->errors[$f_key])) { break; } // Don't process rules on empty fields if (!in_array($func[1], $this->empty_rules, TRUE) and $this[$f_key] == NULL) { continue; } foreach ($this[$f_key] as $k => $v) { if (!call_user_func($func, $this[$f_key][$k], $args)) { // Run each rule $this->errors[$f_key] = is_array($func) ? $func[1] : $func; } } } else { // Prevent other rules from running when this field already has errors if (!empty($this->errors[$f])) { break; } // Don't process rules on empty fields if (!in_array($func[1], $this->empty_rules, TRUE) and $this[$f] == NULL) { continue; } if (!call_user_func($func, $this[$f], $args)) { // Run each rule $this->errors[$f] = is_array($func) ? $func[1] : $func; } } } } else { if (isset($this->array_fields[$field])) { // Use the field key $field_key = $this->array_fields[$field]; // Prevent other rules from running when this field already has errors if (!empty($this->errors[$field_key])) { break; } // Don't process rules on empty fields if (!in_array($func[1], $this->empty_rules, TRUE) and $this[$field_key] == NULL) { continue; } foreach ($this[$field_key] as $k => $val) { if (!call_user_func($func, $this[$field_key][$k], $args)) { // Run each rule $this->errors[$field_key] = is_array($func) ? $func[1] : $func; // Stop after an error is found break 2; } } } else { // Prevent other rules from running when this field already has errors if (!empty($this->errors[$field])) { break; } // Don't process rules on empty fields if (!in_array($func[1], $this->empty_rules, TRUE) and $this[$field] == NULL) { continue; } if (!call_user_func($func, $this[$field], $args)) { // Run each rule $this->errors[$field] = is_array($func) ? $func[1] : $func; // Stop after an error is found break; } } } } } foreach ($this->callbacks as $field => $calls) { foreach ($calls as $func) { if ($field === $this->any_field) { foreach ($all_fields as $f) { // Execute the callback call_user_func($func, $this, $f); // Stop after an error is found if (!empty($errors[$f])) { break 2; } } } else { // Execute the callback call_user_func($func, $this, $field); // Stop after an error is found if (!empty($errors[$field])) { break; } } } } foreach ($this->post_filters as $field => $calls) { foreach ($calls as $func) { if ($field === $this->any_field) { foreach ($all_fields as $f) { if (isset($this->array_fields[$f])) { // Use the field key $f = $this->array_fields[$f]; } // Process each filter $this[$f] = is_array($this[$f]) ? array_map($func, $this[$f]) : call_user_func($func, $this[$f]); } } else { if (isset($this->array_fields[$field])) { // Use the field key $field = $this->array_fields[$field]; } // Process each filter $this[$field] = is_array($this[$field]) ? array_map($func, $this[$field]) : call_user_func($func, $this[$field]); } } } // Return TRUE if there are no errors return count($this->errors) === 0; }
/** * Remove from favorites * * @param int|string $event_id */ public function _favorite_delete($event_id) { $this->history = false; // for authenticated only if ($this->user && csrf::valid()) { // require valid user $this->event = new Event_Model((int) $event_id); if ($this->event->id) { $this->event->delete_favorite($this->user); } } url::back('/members'); }
/** * Template loading and setup routine. */ public function __construct() { parent::__construct(); // Get loaded modules $this->modules = Kohana_Config::instance()->get('core.modules'); // Initialize libraries $this->cache = Cache::instance(); $this->input = Input::instance(); $this->uri = URI::instance(); $this->visitor = Visitor::instance(); // Validate CSRF token if (isset($_REQUEST['csrf'])) { $this->valid_csrf = csrf::valid($_REQUEST['csrf']); } // Load current user for easy controller access, null if not logged $this->user =& $this->visitor->get_user(); // Build the page $this->template = View::factory($this->template); // Display the template immediately after the controller method? if ($this->auto_render === true) { Event::add('system.post_controller', array($this, '_display')); } }
/** * Edit venue * * @param integer|string $venue_id * @param integer|string $category_id */ public function _venue_edit($venue_id = false, $category_id = false) { $this->history = false; $venue = new Venue_Model((int) $venue_id); // Check access if (!($venue->loaded() && $venue->has_access(Venue_Model::ACCESS_EDIT)) && !(!$venue->loaded() && $this->visitor->logged_in(array('admin', 'venue moderator', 'venue')))) { url::back('venues'); } $errors = $form_errors = array(); $form_values = $venue->as_array(); // check post if (request::method() == 'post') { $post = array_merge($this->input->post(), $_FILES); $extra = array('author_id' => $this->user->id); // got address, get geocode if (!empty($post['address']) && !empty($post['city_name'])) { list($extra['latitude'], $extra['longitude']) = Gmap::address_to_ll(implode(', ', array($post['address'], $post['zip'], $post['city_name']))); } if (csrf::valid() && $venue->validate($post, true, $extra)) { // handle logo upload if (isset($post->logo) && empty($post->logo['error'])) { $logo = Image_Model::factory('venues.logo', $post->logo, $this->user->id); if ($logo->id) { $venue->add($logo); $venue->default_image_id = $logo->id; $venue->save(); } } // handle picture uploads foreach (array($post->picture1, $post->picture2) as $picture) { if (isset($picture) && empty($picture['error'])) { $image = Image_Model::factory('venues.image', $picture, $this->user->id); if ($image->id) { $venue->add($image); $venue->save(); } } } // update tags $venue->remove(ORM::factory('tag')); if (!empty($post->tags)) { foreach ($post->tags as $tag_id => $tag) { $venue->add(ORM::factory('tag', $tag_id)); } } url::redirect(url::model($venue)); } else { $form_errors = $post->errors(); } $form_values = arr::overwrite($form_values, $post->as_array()); } // editing old? if ($venue_id) { if ($venue->has_access(Venue_Model::ACCESS_DELETE)) { $this->page_actions[] = array('link' => 'venue/' . url::title($venue->id, $venue->name) . '/delete/?token=' . csrf::token(), 'text' => __('Delete venue'), 'class' => 'venue-delete'); } $this->page_subtitle = __('Edit venue'); if (!$venue->id) { $errors = array('venues.error_venue_not_found'); } else { $venue_category = $venue->venue_category; } } else { $this->page_subtitle = __('Add venue'); if ($category_id) { $venue_category = new Venue_Category_Model((int) $category_id); if ($venue_category->id) { $form_values['venue_category_id'] = $venue_category->id; } else { $errors = array('venues.error_venue_category_not_found'); } } } $this->page_actions[] = array('link' => 'venue/' . url::title($venue->id, $venue->name), 'text' => __('Cancel'), 'class' => 'cancel'); $this->breadcrumb[] = html::anchor('/venues/' . url::title($venue_category->id, $venue_category->name), $venue_category->name); if ($venue->id) { $this->breadcrumb[] = html::anchor('/venue/' . url::title($venue->id, $venue->name), $venue->name); } // show form if (empty($errors)) { $form = array(); // tags if ($venue_category->tag_group_id) { $form['tags'] = $form_values['tags'] = array(); foreach ($venue_category->tag_group->tags as $tag) { $form['tags'][$tag->id] = $tag->name; if ($venue->has($tag)) { $form_values['tags'][$tag->id] = $tag->name; } } } $venue_categories = ORM::factory('venue_category')->find_all()->select_list('id', 'name'); $form['venue_category_id'] = $venue_categories; widget::add('main', View_Mod::factory('venues/venue_edit', array('form' => $form, 'values' => $form_values, 'errors' => $form_errors))); // city autocomplete $this->_autocomplete_city(); } else { $this->_error(Kohana::lang('generic.error'), $errors); } $this->_side_views(); }