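/**
 * Move / copy / delete / trash the documents collected in the session "cart",
 * optionally notifying each document's author by private message.
 *
 * Request variables read: type, target_module / module_srl, target_category,
 * send_default_message, message_content, cart, success_return_url.
 *
 * Changes versus the previous revision: an unknown `type` is rejected instead of
 * silently reporting success, and a failure inside the delete/trash batch now rolls the
 * transaction back (previously the transaction was left open on early return).
 *
 * @return void|Object  void on success (message and redirect URL are set on $this),
 *                      an Object with error code -1 on failure
 */
function procDocumentManageCheckedDocument()
{
    @set_time_limit(0);

    // Only logged-in users may manage documents, and the request must carry a valid CSRF token.
    if (!Context::get('is_logged')) {
        return new Object(-1, 'msg_not_permitted');
    }
    if (!checkCSRF()) {
        return new Object(-1, 'msg_invalid_request');
    }

    // Reject unknown operations up front; every branch below expects one of these.
    $type = Context::get('type');
    if (!in_array($type, array('move', 'copy', 'delete', 'trash', 'cancelDeclare'), true)) {
        return new Object(-1, 'msg_invalid_request');
    }

    // target_module is an alias for module_srl used by the admin UI.
    $module_srl = Context::get('module_srl');
    $target_module = Context::get('target_module');
    if ($target_module && !$module_srl) {
        $module_srl = $target_module;
    }
    $category_srl = Context::get('target_category');

    // Notification text: either the canned "<nick> <verb>" line for this operation or the
    // free text typed by the operator (newlines turned into <br>).
    if (Context::get('send_default_message') === 'Y') {
        $logged_info = Context::get('logged_info');
        $message_content = '';
        $verbs = lang('default_message_verbs');
        if (isset($verbs[$type]) && is_string($verbs[$type])) {
            $message_content = sprintf(lang('default_message_format'), $logged_info->nick_name, $verbs[$type]);
        }
    } else {
        // NOTE(review): message_content is operator-supplied and is embedded in the message
        // HTML below without escaping; this relies on sendMessage()/the message renderer to
        // sanitise it — verify.
        $message_content = Context::get('message_content');
        if ($message_content) {
            $message_content = nl2br($message_content);
        }
    }

    // The "cart" is either an array of document_srl values or a '|@|'-joined string.
    $cart = Context::get('cart');
    $document_srl_list = is_array($cart) ? $cart : explode('|@|', $cart);

    // Every document must be manageable by the current user; stop at the first one that is not.
    $oDocumentModel = getModel('document');
    $document_items = array();
    foreach ($document_srl_list as $document_srl) {
        $oDocument = $oDocumentModel->getDocument($document_srl);
        if (!$oDocument->isGranted()) {
            return $this->stop('msg_not_permitted');
        }
        $document_items[] = $oDocument;
    }

    // Bulk management by a moderator must not be logged as spam activity.
    $oSpamController = getController('spamfilter');
    $oSpamController->setAvoidLog();

    $oDocumentAdminController = getAdminController('document');
    $oDB = DB::getInstance();

    switch ($type) {
        case 'move':
        case 'copy':
            if (!$module_srl) {
                return new Object(-1, 'fail_to_move');
            }
            if ($type === 'move') {
                $output = $oDocumentAdminController->moveDocumentModule($document_srl_list, $module_srl, $category_srl);
                $msg_code = 'success_moved';
            } else {
                $output = $oDocumentAdminController->copyDocumentModule($document_srl_list, $module_srl, $category_srl);
                $msg_code = 'success_copied';
            }
            if (!$output->toBool()) {
                return new Object(-1, 'fail_to_move');
            }
            break;

        case 'delete':
            // All-or-nothing: a failure mid-batch undoes the documents already deleted.
            $oDB->begin();
            foreach ($document_srl_list as $document_srl) {
                $output = $this->deleteDocument($document_srl, true);
                if (!$output->toBool()) {
                    $oDB->rollback();
                    return new Object(-1, 'fail_to_delete');
                }
            }
            $oDB->commit();
            $msg_code = 'success_deleted';
            break;

        case 'trash':
            // The notification text doubles as the trash-bin description.
            $args = new stdClass();
            $args->description = $message_content;
            $oDB->begin();
            foreach ($document_srl_list as $document_srl) {
                $args->document_srl = $document_srl;
                $output = $this->moveDocumentToTrash($args);
                if (!$output || !$output->toBool()) {
                    $oDB->rollback();
                    return new Object(-1, 'fail_to_trash');
                }
            }
            $oDB->commit();
            $msg_code = 'success_trashed';
            break;

        case 'cancelDeclare':
            $args = new stdClass();
            $args->document_srl = $document_srl_list;
            $output = executeQuery('document.deleteDeclaredDocuments', $args);
            // Surface a failed query instead of reporting success over it.
            if (!$output->toBool()) {
                return $output;
            }
            $msg_code = 'success_declare_canceled';
            break;
    }

    // Notify the author of each affected document; skip guests and the operator themselves.
    if ($message_content) {
        $oCommunicationController = getController('communication');
        $logged_info = Context::get('logged_info');
        $sender_member_srl = $logged_info->member_srl;
        $title = cut_str($message_content, 10, '...');

        foreach ($document_items as $oDocument) {
            $recipient_srl = $oDocument->get('member_srl');
            if (!$recipient_srl || $recipient_srl == $sender_member_srl) {
                continue;
            }
            // After a move the permanent URL still resolves, so it is included as a link.
            $purl = '';
            if ($type === 'move') {
                $purl = sprintf(
                    "<a href=\"%s\" onclick=\"window.open(this.href);return false;\" style=\"padding:10px 0;\">%s</a><hr />",
                    $oDocument->getPermanentUrl(),
                    $oDocument->getPermanentUrl()
                );
            }
            $content = sprintf(
                "<div style=\"padding:10px 0;\"><p>%s</p></div><hr />%s<div style=\"padding:10px 0;font-weight:bold\">%s</div>%s",
                $message_content,
                $purl,
                $oDocument->getTitleText(),
                $oDocument->getContent(false, false, false)
            );
            $oCommunicationController->sendMessage($sender_member_srl, $recipient_srl, $title, $content, false);
        }
    }

    // The cart has been consumed.
    $_SESSION['document_management'] = array();
    $this->setMessage($msg_code);

    // NOTE(review): success_return_url is taken from the request as-is; whether setRedirectUrl()
    // restricts it to this site is not visible here — verify to rule out an open redirect.
    $returnUrl = Context::get('success_return_url');
    if (!$returnUrl) {
        $returnUrl = getNotEncodedUrl('', 'module', 'admin', 'act', 'dispDocumentAdminList');
    }
    $this->setRedirectUrl($returnUrl);
}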
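/**
 * Add or update a member from the administrator UI.
 *
 * If member_srl refers to an existing member the record is updated, otherwise a new member
 * is created. Only a top administrator with a valid CSRF token may call this. Optional
 * profile_image / image_mark / image_name uploads are stored after the member record.
 *
 * @return void|Object  void on success (member_srl, message and redirect URL are set on $this),
 *                      an Object with error code -1 on failure
 */
function procMemberAdminInsert()
{
    // Guard against a missing session object as well as a non-admin one.
    $logged_info = Context::get('logged_info');
    if (!$logged_info || $logged_info->is_admin != 'Y' || !checkCSRF()) {
        return new Object(-1, 'msg_invalid_request');
    }

    $args = Context::gets('member_srl', 'email_address', 'find_account_answer', 'allow_mailing', 'allow_message', 'denied', 'is_admin', 'description', 'group_srl_list', 'limit_date');

    // Every enabled or required default sign-up field is taken from the request as well.
    $oMemberModel = getModel('member');
    $config = $oMemberModel->getMemberConfig();
    if ($config->signupForm) {
        foreach ($config->signupForm as $formInfo) {
            if ($formInfo->isDefaultForm && ($formInfo->isUse || $formInfo->required || $formInfo->mustRequired)) {
                $args->{$formInfo->name} = Context::get($formInfo->name);
            }
        }
    }
    $args->member_srl = Context::get('member_srl');

    // The password is only touched when an explicit reset value was submitted.
    if (Context::get('reset_password')) {
        $args->password = Context::get('reset_password');
    } else {
        unset($args->password);
    }

    // Everything else in the request becomes extra_vars. Routing and password fields are
    // stripped first so they are neither persisted nor echoed back.
    $all_args = Context::getRequestVars();
    foreach (array('module', 'act', 'mid', 'error_return_url', 'success_return_url', 'ruleset') as $key) {
        unset($all_args->{$key});
    }
    if (!isset($args->limit_date)) {
        $args->limit_date = "";
    }
    unset($all_args->password, $all_args->password2, $all_args->reset_password);

    // NOTE(review): extra_vars is stored with serialize(); wherever it is read back it must be
    // unserialize()d from trusted storage only — the values originate from this admin request.
    $extra_vars = delObjectVars($all_args, $args);
    $args->extra_vars = serialize($extra_vars);

    // A member_srl that does not exist means "create", not "update".
    if ($args->member_srl) {
        $columnList = array('member_srl');
        $member_info = $oMemberModel->getMemberInfoByMemberSrl($args->member_srl, 0, $columnList);
        if (!$member_info || $member_info->member_srl != $args->member_srl) {
            unset($args->member_srl);
        }
    }

    // Identifiers must not contain whitespace of any kind.
    $replaceStr = array("\r\n", "\r", "\n", " ", "\t", "");
    foreach (array('user_id', 'nick_name', 'email_address') as $field) {
        if (isset($args->{$field})) {
            $args->{$field} = str_replace($replaceStr, '', $args->{$field});
        }
    }

    // Insert or update depending on whether a member_srl survived the lookup above.
    $oMemberController = getController('member');
    if (!$args->member_srl) {
        $args->password = Context::get('password');
        $output = $oMemberController->insertMember($args);
        $msg_code = 'success_registed';
    } else {
        $output = $oMemberController->updateMember($args);
        $msg_code = 'success_updated';
    }
    if (!$output->toBool()) {
        return $output;
    }

    // NOTE(review): on the insert path this assumes insertMember() populated $args->member_srl — verify.
    $oMemberController->putSignature($args->member_srl, Context::get('signature'));

    $this->add('member_srl', $args->member_srl);
    $this->setMessage($msg_code);

    // Optional image uploads; is_uploaded_file() rejects a forged tmp_name, and the isset()
    // avoids reading $_FILES entries that were never sent.
    $uploads = array(
        'profile_image' => 'insertProfileImage',
        'image_mark' => 'insertImageMark',
        'image_name' => 'insertImageName',
    );
    foreach ($uploads as $field => $method) {
        if (isset($_FILES[$field]['tmp_name']) && is_uploaded_file($_FILES[$field]['tmp_name'])) {
            $oMemberController->{$method}($args->member_srl, $_FILES[$field]['tmp_name']);
        }
    }

    // NOTE(review): success_return_url is taken from the request as-is; confirm setRedirectUrl()
    // restricts it to this site.
    $returnUrl = Context::get('success_return_url');
    if (!$returnUrl) {
        $returnUrl = getNotEncodedUrl('', 'module', 'admin', 'act', 'dispMemberAdminList');
    }
    $this->setRedirectUrl($returnUrl);
}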
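/**
 * Update an existing comment.
 *
 * The caller supplies the new values in $obj (comment_srl selects the comment; content,
 * password, homepage, use_html, ... are optional). Author identity fields are taken from
 * the stored comment or from the session, never from $obj, so a client cannot re-attribute
 * a comment while editing it. Runs the 'before' and 'after' triggers and wraps the update
 * query in a transaction.
 *
 * @param object $obj             new comment values
 * @param bool   $is_admin        skip the isGranted() ownership check (does NOT lift the
 *                                active-content filter; that follows the session)
 * @param bool   $manual_updated  internal call: skip the CSRF check
 * @return object                 query/trigger result Object; comment_srl is added on success
 */
function updateComment($obj, $is_admin = FALSE, $manual_updated = FALSE)
{
    if (!$manual_updated && !checkCSRF()) {
        return new Object(-1, 'msg_invalid_request');
    }
    if (!is_object($obj)) {
        $obj = new stdClass();
    }
    $obj->__isupdate = TRUE;

    $output = ModuleHandler::triggerCall('comment.updateComment', 'before', $obj);
    if (!$output->toBool()) {
        return $output;
    }

    $oCommentModel = getModel('comment');
    $source_obj = $oCommentModel->getComment($obj->comment_srl);

    // A guest comment keeps the identity it was posted with.
    if (!$source_obj->getMemberSrl()) {
        $obj->member_srl = $source_obj->get('member_srl');
        $obj->user_name = $source_obj->get('user_name');
        $obj->nick_name = $source_obj->get('nick_name');
        $obj->email_address = $source_obj->get('email_address');
        $obj->homepage = $source_obj->get('homepage');
    }

    // Ownership (or the guest password, via isGranted) unless the caller vouches as admin.
    if (!$is_admin && !$source_obj->isGranted()) {
        return new Object(-1, 'msg_not_permitted');
    }

    // Never store a plaintext guest password.
    if ($obj->password) {
        $obj->password = getModel('member')->hashPassword($obj->password);
    }

    // Homepage: strip active content and force a scheme.
    if ($obj->homepage) {
        $obj->homepage = removeHackTag($obj->homepage);
        if (!preg_match('/^[a-z]+:\\/\\//i', $obj->homepage)) {
            $obj->homepage = 'http://' . $obj->homepage;
        }
    }

    // Session info is consulted only when logged in; null otherwise, so the admin check
    // below takes the filtered path without reading an undefined variable.
    $logged_info = Context::get('is_logged') ? Context::get('logged_info') : null;
    if ($logged_info) {
        // NOTE(review): this reads $source_obj->member_srl directly while the rest of the
        // function uses $source_obj->get('member_srl'); left as-is, but confirm the property is
        // actually exposed on the comment object, otherwise this branch never runs.
        if ($source_obj->member_srl == $logged_info->member_srl) {
            $obj->member_srl = $logged_info->member_srl;
            $obj->user_name = $logged_info->user_name;
            $obj->nick_name = $logged_info->nick_name;
            $obj->email_address = $logged_info->email_address;
            $obj->homepage = $logged_info->homepage;
        }
    }

    // Member comment with no nick_name supplied: fall back to the stored identity.
    if ($source_obj->get('member_srl') && !$obj->nick_name) {
        $obj->member_srl = $source_obj->get('member_srl');
        $obj->user_name = $source_obj->get('user_name');
        $obj->nick_name = $source_obj->get('nick_name');
        $obj->email_address = $source_obj->get('email_address');
        $obj->homepage = $source_obj->get('homepage');
    }

    if (!$obj->content) {
        $obj->content = $source_obj->get('content');
    }

    // Strip XE's own positional marker comments from the body.
    $obj->content = preg_replace('!<\\!--(Before|After)(Document|Comment)\\(([0-9]+),([0-9]+)\\)-->!is', '', $obj->content);

    // Mobile clients post plain text unless use_html is set.
    if (Mobile::isFromMobilePhone()) {
        if ($obj->use_html != 'Y') {
            $obj->content = htmlspecialchars($obj->content, ENT_COMPAT | ENT_HTML401, 'UTF-8', false);
        }
        $obj->content = nl2br($obj->content);
    }

    // Only a top administrator on the session may keep iframe/script content.
    if (!$logged_info || $logged_info->is_admin != 'Y') {
        $obj->content = removeHackTag($obj->content);
    }

    $oDB = DB::getInstance();
    $oDB->begin();

    $output = executeQuery('comment.updateComment', $obj);
    if (!$output->toBool()) {
        $oDB->rollback();
        return $output;
    }

    // The update succeeded (checked above), so the 'after' trigger always runs here.
    $trigger_output = ModuleHandler::triggerCall('comment.updateComment', 'after', $obj);
    if (!$trigger_output->toBool()) {
        $oDB->rollback();
        return $trigger_output;
    }

    $oDB->commit();
    $output->add('comment_srl', $obj->comment_srl);
    return $output;
}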
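/**
 * Make sure the LTI session exists and carries the data this tool needs, then populate the
 * $USER, $CONTEXT and $LINK globals from it.
 *
 * A pending LTI launch is handled first (launchCheck()). This never creates a fresh session:
 * if the session cookie (or, for cookie-less sessions, the session id in POST/GET) is missing,
 * or the session has no 'lti' entry, the request is answered with 403 and terminated.
 *
 * Session-hijack heuristics, skipped when the request passes the referer or CSRF check:
 *  - the User-Agent must equal the one recorded in the session;
 *  - the first three dotted octets of REMOTE_ADDR must match the recorded address
 *    (IPv4 only — an IPv6 address does not split into four pieces and is not compared);
 *  - the script path must stay under the path recorded in the session (except core/blob).
 *
 * Fix versus the previous revision: the User-Agent mismatch log line used an unparenthesised
 * ternary after string concatenation, so the whole detail string became the condition and
 * only the raw (possibly undefined) User-Agent was logged.
 *
 * @param mixed $needed  self::ALL (default: CONTEXT, LINK and USER), self::NONE, a single
 *                       constant, or an array of self::CONTEXT / self::LINK / self::USER
 * @return array         the $_SESSION['lti'] structure
 */
public static function requireData($needed = self::ALL)
{
    global $CFG, $USER, $CONTEXT, $LINK;

    // Normalise $needed to a list of required features.
    if ($needed == self::NONE) {
        $needed = array();
    }
    if ($needed == self::ALL) {
        $needed = array(self::CONTEXT, self::LINK, self::USER);
    }
    if (is_string($needed)) {
        $needed = array($needed);
    }

    // Consume an LTI launch if this request is one.
    self::launchCheck();

    // Require an already-established session; never start one from scratch here.
    $sess = session_name();
    if (ini_get('session.use_cookies') != '0') {
        if (!isset($_COOKIE[$sess])) {
            send403();
            die_with_error_log("Missing session cookie - please re-launch");
        }
    } elseif (!isset($_POST[$sess]) && !isset($_GET[$sess])) {
        if ($_SERVER['REQUEST_METHOD'] == 'POST') {
            send403();
            die_with_error_log('Missing ' . $sess . ' from POST data');
        }
        send403();
        die_with_error_log('This tool should be launched from a learning system using LTI');
    }

    // Re-associate with the existing session if PHP has not done so yet.
    if (session_id() == "") {
        session_start();
    }

    // Typically a laptop that slept through the session lifetime; nothing to do but say so.
    if (!isset($_SESSION['lti'])) {
        send403();
        error_log('Session expired - please re-launch ' . session_id());
        die('Session expired - please re-launch');
    }

    // A same-origin referer or a valid CSRF token is enough to skip the UA / address heuristics.
    $trusted = checkReferer() || checkCSRF();

    if (!$trusted && isset($_SESSION['HTTP_USER_AGENT'])) {
        $current_agent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : 'Empty user agent';
        if (!isset($_SERVER['HTTP_USER_AGENT']) || $_SESSION['HTTP_USER_AGENT'] != $_SERVER['HTTP_USER_AGENT']) {
            send403();
            die_with_error_log("Session has expired", " " . session_id() . " HTTP_USER_AGENT " . $_SESSION['HTTP_USER_AGENT'] . ' ::: ' . $current_agent, 'DIE:');
        }
    }

    // Roaming within the same /24 is forgiven (NAT, DHCP churn); only IPv4 dotted quads are compared.
    if (!$trusted && isset($_SESSION['REMOTE_ADDR']) && isset($_SERVER['REMOTE_ADDR'])) {
        $sess_pieces = explode('.', $_SESSION['REMOTE_ADDR']);
        $serv_pieces = explode('.', $_SERVER['REMOTE_ADDR']);
        if (count($sess_pieces) == 4 && count($serv_pieces) == 4) {
            $same_class_c = $sess_pieces[0] == $serv_pieces[0]
                && $sess_pieces[1] == $serv_pieces[1]
                && $sess_pieces[2] == $serv_pieces[2];
            if (!$same_class_c) {
                send403();
                die_with_error_log('Session address has expired', " " . session_id() . " REMOTE_ADDR " . $_SESSION['REMOTE_ADDR'] . ' ' . $_SERVER['REMOTE_ADDR'], 'DIE:');
            }
        }
    }

    // Navigating outside the recorded script path (other than the blob endpoint) is rejected.
    if (isset($_SESSION['script_path']) && getScriptPath() != 'core/blob' && strpos(getScriptPath(), $_SESSION['script_path']) !== 0) {
        send403();
        die_with_error_log('Improper navigation detected', " " . session_id() . " script_path " . $_SESSION['script_path'] . ' / ' . getScriptPath(), 'DIE:');
    }

    $LTI = $_SESSION['lti'];
    if (is_array($needed)) {
        foreach ($needed as $feature) {
            if (!isset($LTI[$feature])) {
                die_with_error_log("This tool requires an LTI launch parameter:" . $feature);
            }
        }
    }

    // Extend the session if this request warrants it, then reset the heartbeat run.
    checkHeartBeat();
    $_SESSION['HEARTBEAT_COUNT'] = 0;

    if (isset($LTI['user_id']) && !is_object($USER)) {
        $USER = new \Tsugi\Core\User();
        $USER->id = $LTI['user_id'];
        if (isset($LTI['user_email'])) {
            $USER->email = $LTI['user_email'];
        }
        if (isset($LTI['user_displayname'])) {
            $USER->displayname = $LTI['user_displayname'];
            // First and last word of the display name stand in for first/last name.
            $pieces = explode(' ', $USER->displayname);
            if (count($pieces) > 0) {
                $USER->firstname = $pieces[0];
            }
            if (count($pieces) > 1) {
                $USER->lastname = $pieces[count($pieces) - 1];
            }
        }
        // Any non-zero role is treated as instructor.
        $USER->instructor = isset($LTI['role']) && $LTI['role'] != 0;
    }

    if (isset($LTI['context_id']) && !is_object($CONTEXT)) {
        $CONTEXT = new \Tsugi\Core\Context();
        $CONTEXT->id = $LTI['context_id'];
        if (isset($LTI['context_title'])) {
            $CONTEXT->title = $LTI['context_title'];
        }
    }

    if (isset($LTI['link_id']) && !is_object($LINK)) {
        $LINK = new \Tsugi\Core\Link();
        $LINK->id = $LTI['link_id'];
        if (isset($LTI['grade'])) {
            $LINK->grade = $LTI['grade'];
        }
        if (isset($LTI['link_title'])) {
            $LINK->title = $LTI['link_title'];
        }
        if (isset($LTI['result_id'])) {
            $LINK->result_id = $LTI['result_id'];
        }
    }

    return $LTI;
}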
$email = str_normalize($validator->optionalPostVar('email')); $title = trim($validator->optionalPostVar('title')); $rm_groups = $validator->optionalPostVar('remove_groups'); $add_groups = $validator->optionalPostVar('add_groups'); $enabled = $validator->optionalPostVar('enabled'); $primary_group_id = $validator->optionalPostVar('primary_group_id'); // For updating passwords. The user's current password must also be included (passwordcheck) if they are resetting their own password. $password = $validator->optionalPostVar('password'); $passwordc = $validator->optionalPostVar('passwordc'); $passwordcheck = $validator->optionalPostVar('passwordcheck'); // Add alerts for any failed input validation foreach ($validator->errors as $error) { addAlert("danger", $error); } // Validate csrf token checkCSRF($ajax, $csrf_token); if (count($validator->errors) > 0) { apiReturnError($ajax, getReferralPage()); } // Special case to update the logged in user (self) $self = false; if ($user_id == "0") { $self = true; $user_id = $loggedInUser->user_id; } //Check if selected user exists if (!$user_id or !userIdExists($user_id)) { addAlert("danger", lang("ACCOUNT_INVALID_USER_ID")); apiReturnError($ajax, getReferralPage()); } $userdetails = fetchUserAuthById($user_id);
<?php
session_start();
include_once "testlogin.php";
// Anyone without a login is sent to the front page before any output is produced.
redirectIfNotLoggedIn("https://127.0.0.1/");
?> <html> <body> <?php
include_once "../nonPublic/csrftoken.php";
// CSRF check for the purchase confirmation page.
// NOTE(review): a failed check only redirects when redirect() was NOT already defined — the
// redirect(...) call sits inside the function_exists() guard. If another include has already
// defined redirect(), a request with a bad or missing token falls through and the confirmation
// below is still rendered. The redirect(...) call belongs after the inner if, not inside it.
if (!checkCSRF()) {
    if (!function_exists("redirect")) {
        // Send a Location header and stop.
        function redirect($url) { $h = "Location: " . $url; header($h); die; }
        redirect("https://127.0.0.1/searchView.php");
    }
}
// Show the selected products.
echo "If confirmed, the following items will be purchased:<br/>";
echo "<table>";
// Items are read from the session as purchases1..purchases<purchaseNbr> / purchasesId1..
// NOTE(review): $itemName is echoed into HTML unescaped; where these session values come from
// is not visible here — confirm they are escaped when stored, or apply htmlspecialchars() here.
for ($x = 1; $x <= $_SESSION['purchaseNbr']; $x++) {
    $username = $_SESSION["username"];
    $itemId = $_SESSION["purchasesId" . $x];
    $itemName = $_SESSION["purchases" . $x];
    echo "<tr><th> " . $itemName . " </th>";
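/**
 * Insert a new comment.
 *
 * Runs the 'before' trigger, resolves the parent document (and the parent comment for a
 * reply), fills the author identity from the session, filters the body, and writes the
 * comment plus its thread-list entry in one transaction. When the module uses publish
 * validation the comment is stored unpublished (status 0) unless posted by a top administrator.
 *
 * Fixes versus the previous revision: $logged_info / $is_admin are always initialised
 * (they were undefined for guests and manual inserts), a missing parent comment now rolls
 * the transaction back and returns an error Object instead of null, and a failed list insert
 * rolls back as well.
 *
 * @param object $obj              comment values: document_srl, module_srl, content,
 *                                 parent_srl, password, nick_name, homepage, use_html, ...
 * @param bool   $manual_inserted  internal call: skip CSRF, document, sequence and grant handling
 * @return object                  query/trigger result Object; comment_srl is added on success
 */
function insertComment($obj, $manual_inserted = FALSE)
{
    if (!$manual_inserted && !checkCSRF()) {
        return new Object(-1, 'msg_invalid_request');
    }
    if (!is_object($obj)) {
        $obj = new stdClass();
    }

    // Session info is consulted only for non-manual inserts; otherwise both stay null/false so
    // every check below takes the least-privileged path.
    $logged_info = null;
    $is_admin = FALSE;
    if (!$manual_inserted && Context::get('is_logged')) {
        $logged_info = Context::get('logged_info');
        $is_admin = ($logged_info->is_admin == 'Y');
    }

    // NOTE(review): module_srl is used as given in $obj. If a caller lets the client choose it,
    // naming a module without publish validation would skip moderation — confirm callers derive
    // it from the document's own module.
    $using_validation = $this->isModuleUsingPublishValidation($obj->module_srl);
    $obj->status = (!$using_validation || $is_admin) ? 1 : 0;
    $obj->__isupdate = FALSE;

    $output = ModuleHandler::triggerCall('comment.insertComment', 'before', $obj);
    if (!$output->toBool()) {
        return $output;
    }

    $document_srl = $obj->document_srl;
    if (!$document_srl) {
        return new Object(-1, 'msg_invalid_document');
    }
    $oDocumentModel = getModel('document');

    // Guest passwords are hashed even for manual inserts.
    if ($obj->password) {
        $obj->password = getModel('member')->hashPassword($obj->password);
    }

    $oDocument = null;
    if (!$manual_inserted) {
        $oDocument = $oDocumentModel->getDocument($document_srl);
        if ($document_srl != $oDocument->document_srl) {
            return new Object(-1, 'msg_invalid_document');
        }
        if ($oDocument->isLocked()) {
            return new Object(-1, 'msg_invalid_request');
        }
        // Homepage: strip active content and force a scheme.
        if ($obj->homepage) {
            $obj->homepage = removeHackTag($obj->homepage);
            if (!preg_match('/^[a-z]+:\\/\\//i', $obj->homepage)) {
                $obj->homepage = 'http://' . $obj->homepage;
            }
        }
        // A logged-in author is identified by the session, never by the submitted values.
        if ($logged_info) {
            $obj->member_srl = $logged_info->member_srl;
            // user_id, user_name and nick_name are held HTML-encoded in the session
            $obj->user_id = htmlspecialchars_decode($logged_info->user_id);
            $obj->user_name = htmlspecialchars_decode($logged_info->user_name);
            $obj->nick_name = htmlspecialchars_decode($logged_info->nick_name);
            $obj->email_address = $logged_info->email_address;
            $obj->homepage = $logged_info->homepage;
        }
    }

    // Neither a session identity nor a submitted nick_name: nobody to attribute the comment to.
    if (!($logged_info && $logged_info->member_srl) && !$obj->nick_name) {
        return new Object(-1, 'msg_invalid_request');
    }

    // A client-supplied comment_srl must be one this user reserved (checkUserSequence),
    // unless the caller is admin or this is a manual insert.
    if (!$obj->comment_srl) {
        $obj->comment_srl = getNextSequence();
    } elseif (!$is_admin && !$manual_inserted && !checkUserSequence($obj->comment_srl)) {
        return new Object(-1, 'msg_not_permitted');
    }
    $obj->list_order = getNextSequence() * -1;

    // Strip XE's own positional marker comments from the body.
    $obj->content = preg_replace('!<\\!--(Before|After)(Document|Comment)\\(([0-9]+),([0-9]+)\\)-->!is', '', $obj->content);

    // Mobile clients post plain text unless use_html is set.
    if (Mobile::isFromMobilePhone()) {
        if ($obj->use_html != 'Y') {
            $obj->content = htmlspecialchars($obj->content, ENT_COMPAT | ENT_HTML401, 'UTF-8', false);
        }
        $obj->content = nl2br($obj->content);
    }
    if (!$obj->regdate) {
        $obj->regdate = date("YmdHis");
    }

    // Only a top administrator on the session may keep iframe/script content.
    if (!$logged_info || $logged_info->is_admin != 'Y') {
        $obj->content = removeHackTag($obj->content);
    }
    if (!$obj->notify_message) {
        $obj->notify_message = 'N';
    }
    if (!$obj->is_secret) {
        $obj->is_secret = 'N';
    }

    $oDB = DB::getInstance();
    $oDB->begin();

    // Thread-list entry: head / arrange / depth place the comment within the document's thread.
    $list_args = new stdClass();
    $list_args->comment_srl = $obj->comment_srl;
    $list_args->document_srl = $obj->document_srl;
    $list_args->module_srl = $obj->module_srl;
    $list_args->regdate = $obj->regdate;

    if (!$obj->parent_srl) {
        // Top-level comment: it is its own thread head.
        $list_args->head = $list_args->arrange = $obj->comment_srl;
        $list_args->depth = 0;
    } else {
        // NOTE(review): the parent is looked up by comment_srl alone; that it belongs to the same
        // document is not checked here — confirm callers validate parent_srl.
        $parent_args = new stdClass();
        $parent_args->comment_srl = $obj->parent_srl;
        $parent_output = executeQuery('comment.getCommentListItem', $parent_args);
        if (!$parent_output->toBool() || !$parent_output->data) {
            $oDB->rollback();
            return new Object(-1, 'msg_invalid_request');
        }
        $parent = $parent_output->data;
        $list_args->head = $parent->head;
        $list_args->depth = $parent->depth + 1;

        if ($list_args->depth < 2) {
            $list_args->arrange = $obj->comment_srl;
        } else {
            // Deeper replies are slotted in before the parent's next sibling; the rest shift down.
            $p_args = new stdClass();
            $p_args->head = $parent->head;
            $p_args->arrange = $parent->arrange;
            $p_args->depth = $parent->depth;
            $output = executeQuery('comment.getCommentParentNextSibling', $p_args);
            if ($output->data->arrange) {
                $list_args->arrange = $output->data->arrange;
                $output = executeQuery('comment.updateCommentListArrange', $list_args);
            } else {
                $list_args->arrange = $obj->comment_srl;
            }
        }
    }

    $output = executeQuery('comment.insertCommentList', $list_args);
    if (!$output->toBool()) {
        $oDB->rollback();
        return $output;
    }

    $output = executeQuery('comment.insertComment', $obj);
    if (!$output->toBool()) {
        $oDB->rollback();
        return $output;
    }

    // The document's comment counter only reflects published comments.
    $oCommentModel = getModel('comment');
    $comment_count = $oCommentModel->getCommentCount($document_srl);
    $oDocumentController = getController('document');
    if (!$using_validation || $is_admin) {
        $output = $oDocumentController->updateCommentCount($document_srl, $comment_count, $obj->nick_name, TRUE);
    }

    // The poster gets edit/delete rights on their own comment.
    if (!$manual_inserted) {
        $this->addGrant($obj->comment_srl);
    }

    // The 'after' trigger is skipped (but the insert still committed) when the count update failed.
    if ($output->toBool()) {
        $trigger_output = ModuleHandler::triggerCall('comment.insertComment', 'after', $obj);
        if (!$trigger_output->toBool()) {
            $oDB->rollback();
            return $trigger_output;
        }
    }
    $oDB->commit();

    if (!$manual_inserted) {
        // Notify the document author, and the parent comment's author if that is someone else.
        $oDocument->notify(Context::getLang('comment'), $obj->content);
        if ($obj->parent_srl) {
            $oParent = $oCommentModel->getComment($obj->parent_srl);
            if ($oParent->get('member_srl') != $oDocument->get('member_srl')) {
                $oParent->notify(Context::getLang('comment'), $obj->content);
            }
        }
    }
    $this->sendEmailToAdminAfterInsertComment($obj);

    $output->add('comment_srl', $obj->comment_srl);
    return $output;
}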
/** * get a module instance and execute an action * @return ModuleObject executed module instance * */ function procModule() { $oModuleModel = getModel('module'); $display_mode = Mobile::isFromMobilePhone() ? 'mobile' : 'view'; // If error occurred while preparation, return a message instance if ($this->error) { $this->_setInputErrorToContext(); $oMessageObject = ModuleHandler::getModuleInstance('message', $display_mode); $oMessageObject->setError(-1); $oMessageObject->setMessage($this->error); $oMessageObject->dispMessage(); if ($this->httpStatusCode) { $oMessageObject->setHttpStatusCode($this->httpStatusCode); } return $oMessageObject; } // Get action information with conf/module.xml $xml_info = $oModuleModel->getModuleActionXml($this->module); // If not installed yet, modify act if ($this->module == "install") { if (!$this->act || !$xml_info->action->{$this->act}) { $this->act = $xml_info->default_index_act; } } // if act exists, find type of the action, if not use default index act if (!$this->act) { $this->act = $xml_info->default_index_act; } // still no act means error if (!$this->act) { $this->error = 'msg_module_is_not_exists'; $this->httpStatusCode = '404'; $this->_setInputErrorToContext(); $oMessageObject = ModuleHandler::getModuleInstance('message', $display_mode); $oMessageObject->setError(-1); $oMessageObject->setMessage($this->error); $oMessageObject->dispMessage(); if ($this->httpStatusCode) { $oMessageObject->setHttpStatusCode($this->httpStatusCode); } return $oMessageObject; } // get type, kind $type = $xml_info->action->{$this->act}->type; $ruleset = $xml_info->action->{$this->act}->ruleset; $kind = stripos($this->act, 'admin') !== FALSE ? 
'admin' : ''; if (!$kind && $this->module == 'admin') { $kind = 'admin'; } // check REQUEST_METHOD in controller if ($type == 'controller') { $allowedMethod = $xml_info->action->{$this->act}->method; if (!$allowedMethod) { $allowedMethodList[0] = 'POST'; } else { $allowedMethodList = explode('|', strtoupper($allowedMethod)); } if (!in_array(strtoupper($_SERVER['REQUEST_METHOD']), $allowedMethodList)) { $this->error = "msg_invalid_request"; $oMessageObject = ModuleHandler::getModuleInstance('message', $display_mode); $oMessageObject->setError(-1); $oMessageObject->setMessage($this->error); $oMessageObject->dispMessage(); return $oMessageObject; } } if ($this->module_info->use_mobile != "Y") { Mobile::setMobile(FALSE); } $logged_info = Context::get('logged_info'); // check CSRF for POST actions if (Context::getRequestMethod() === 'POST' && Context::isInstalled() && $this->act !== 'procFileUpload' && !checkCSRF()) { $this->error = 'msg_invalid_request'; $oMessageObject = ModuleHandler::getModuleInstance('message', $display_mode); $oMessageObject->setError(-1); $oMessageObject->setMessage($this->error); $oMessageObject->dispMessage(); return $oMessageObject; } // Admin ip if ($kind == 'admin' && $_SESSION['denied_admin'] == 'Y') { $this->_setInputErrorToContext(); $this->error = "msg_not_permitted_act"; $oMessageObject = ModuleHandler::getModuleInstance('message', $display_mode); $oMessageObject->setError(-1); $oMessageObject->setMessage($this->error); $oMessageObject->dispMessage(); return $oMessageObject; } // if(type == view, and case for using mobilephone) if ($type == "view" && Mobile::isFromMobilePhone() && Context::isInstalled()) { $orig_type = "view"; $type = "mobile"; // create a module instance $oModule = $this->getModuleInstance($this->module, $type, $kind); if (!is_object($oModule) || !method_exists($oModule, $this->act)) { $type = $orig_type; Mobile::setMobile(FALSE); $oModule = $this->getModuleInstance($this->module, $type, $kind); } } else { // create a 
module instance $oModule = $this->getModuleInstance($this->module, $type, $kind); } if (!is_object($oModule)) { $this->_setInputErrorToContext(); $oMessageObject = ModuleHandler::getModuleInstance('message', $display_mode); $oMessageObject->setError(-1); $oMessageObject->setMessage($this->error); $oMessageObject->dispMessage(); if ($this->httpStatusCode) { $oMessageObject->setHttpStatusCode($this->httpStatusCode); } return $oMessageObject; } // If there is no such action in the module object if (!isset($xml_info->action->{$this->act}) || !method_exists($oModule, $this->act)) { if (!Context::isInstalled()) { $this->_setInputErrorToContext(); $this->error = 'msg_invalid_request'; $oMessageObject = ModuleHandler::getModuleInstance('message', $display_mode); $oMessageObject->setError(-1); $oMessageObject->setMessage($this->error); $oMessageObject->dispMessage(); if ($this->httpStatusCode) { $oMessageObject->setHttpStatusCode($this->httpStatusCode); } return $oMessageObject; } $forward = NULL; // 1. Look for the module with action name if (preg_match('/^([a-z]+)([A-Z])([a-z0-9\\_]+)(.*)$/', $this->act, $matches)) { $module = strtolower($matches[2] . 
$matches[3]); $xml_info = $oModuleModel->getModuleActionXml($module); if ($xml_info->action->{$this->act} && (stripos($this->act, 'admin') !== FALSE || $xml_info->action->{$this->act}->standalone != 'false')) { $forward = new stdClass(); $forward->module = $module; $forward->type = $xml_info->action->{$this->act}->type; $forward->ruleset = $xml_info->action->{$this->act}->ruleset; $forward->act = $this->act; } else { $this->error = 'msg_invalid_request'; $oMessageObject = ModuleHandler::getModuleInstance('message', $display_mode); $oMessageObject->setError(-1); $oMessageObject->setMessage($this->error); $oMessageObject->dispMessage(); return $oMessageObject; } } if (!$forward) { $forward = $oModuleModel->getActionForward($this->act); } if ($forward->module && $forward->type && $forward->act && $forward->act == $this->act) { $kind = stripos($forward->act, 'admin') !== FALSE ? 'admin' : ''; $type = $forward->type; $ruleset = $forward->ruleset; $tpl_path = $oModule->getTemplatePath(); $orig_module = $oModule; $xml_info = $oModuleModel->getModuleActionXml($forward->module); // SECISSUE also check foward act method // check REQUEST_METHOD in controller if ($type == 'controller') { $allowedMethod = $xml_info->action->{$forward->act}->method; if (!$allowedMethod) { $allowedMethodList[0] = 'POST'; } else { $allowedMethodList = explode('|', strtoupper($allowedMethod)); } if (!in_array(strtoupper($_SERVER['REQUEST_METHOD']), $allowedMethodList)) { $this->error = "msg_invalid_request"; $oMessageObject = ModuleHandler::getModuleInstance('message', $display_mode); $oMessageObject->setError(-1); $oMessageObject->setMessage($this->error); $oMessageObject->dispMessage(); return $oMessageObject; } } if ($type == "view" && Mobile::isFromMobilePhone()) { $orig_type = "view"; $type = "mobile"; // create a module instance $oModule = $this->getModuleInstance($forward->module, $type, $kind); if (!is_object($oModule) || !method_exists($oModule, $this->act)) { $type = $orig_type; 
Mobile::setMobile(FALSE); $oModule = $this->getModuleInstance($forward->module, $type, $kind); } } else { $oModule = $this->getModuleInstance($forward->module, $type, $kind); } if (!is_object($oModule)) { $this->_setInputErrorToContext(); $oMessageObject = ModuleHandler::getModuleInstance('message', $display_mode); $oMessageObject->setError(-1); $oMessageObject->setMessage('msg_module_is_not_exists'); $oMessageObject->dispMessage(); if ($this->httpStatusCode) { $oMessageObject->setHttpStatusCode($this->httpStatusCode); } return $oMessageObject; } if ($this->module == "admin" && $type == "view") { if ($logged_info->is_admin == 'Y') { if ($this->act != 'dispLayoutAdminLayoutModify') { $oAdminView = getAdminView('admin'); $oAdminView->makeGnbUrl($forward->module); $oModule->setLayoutPath("./modules/admin/tpl"); $oModule->setLayoutFile("layout.html"); } } else { $this->_setInputErrorToContext(); $this->error = 'msg_is_not_administrator'; $oMessageObject = ModuleHandler::getModuleInstance('message', $display_mode); $oMessageObject->setError(-1); $oMessageObject->setMessage($this->error); $oMessageObject->dispMessage(); return $oMessageObject; } } if ($kind == 'admin') { $grant = $oModuleModel->getGrant($this->module_info, $logged_info); if (!$grant->manager) { $this->_setInputErrorToContext(); $this->error = 'msg_is_not_manager'; $oMessageObject = ModuleHandler::getModuleInstance('message', $display_mode); $oMessageObject->setError(-1); $oMessageObject->setMessage($this->error); $oMessageObject->dispMessage(); return $oMessageObject; } else { if (!$grant->is_admin && $this->module != $this->orig_module->module && $xml_info->permission->{$this->act} != 'manager') { $this->_setInputErrorToContext(); $this->error = 'msg_is_not_administrator'; $oMessageObject = ModuleHandler::getModuleInstance('message', $display_mode); $oMessageObject->setError(-1); $oMessageObject->setMessage($this->error); $oMessageObject->dispMessage(); return $oMessageObject; } } } } else { if 
($xml_info->default_index_act && method_exists($oModule, $xml_info->default_index_act)) { $this->act = $xml_info->default_index_act; } else { $this->error = 'msg_invalid_request'; $oModule->setError(-1); $oModule->setMessage($this->error); return $oModule; } } } // ruleset check... if (!empty($ruleset)) { $rulesetModule = $forward->module ? $forward->module : $this->module; $rulesetFile = $oModuleModel->getValidatorFilePath($rulesetModule, $ruleset, $this->mid); if (!empty($rulesetFile)) { if ($_SESSION['XE_VALIDATOR_ERROR_LANG']) { $errorLang = $_SESSION['XE_VALIDATOR_ERROR_LANG']; foreach ($errorLang as $key => $val) { Context::setLang($key, $val); } unset($_SESSION['XE_VALIDATOR_ERROR_LANG']); } $Validator = new Validator($rulesetFile); $result = $Validator->validate(); if (!$result) { $lastError = $Validator->getLastError(); $returnUrl = Context::get('error_return_url'); $errorMsg = $lastError['msg'] ? $lastError['msg'] : 'validation error'; //for xml response $oModule->setError(-1); $oModule->setMessage($errorMsg); //for html redirect $this->error = $errorMsg; $_SESSION['XE_VALIDATOR_ERROR'] = -1; $_SESSION['XE_VALIDATOR_MESSAGE'] = $this->error; $_SESSION['XE_VALIDATOR_MESSAGE_TYPE'] = 'error'; $_SESSION['XE_VALIDATOR_RETURN_URL'] = $returnUrl; $_SESSION['XE_VALIDATOR_ID'] = Context::get('xe_validator_id'); $this->_setInputValueToSession(); return $oModule; } } } $oModule->setAct($this->act); $this->module_info->module_type = $type; $oModule->setModuleInfo($this->module_info, $xml_info); $skipAct = array('dispEditorConfigPreview' => 1, 'dispLayoutPreviewWithModule' => 1); $db_use_mobile = Mobile::isMobileEnabled(); if ($type == "view" && $this->module_info->use_mobile == "Y" && Mobile::isMobileCheckByAgent() && !isset($skipAct[Context::get('act')]) && $db_use_mobile === true) { global $lang; $header = '<style>div.xe_mobile{opacity:0.7;margin:1em 0;padding:.5em;background:#333;border:1px solid 
#666;border-left:0;border-right:0}p.xe_mobile{text-align:center;margin:1em 0}a.xe_mobile{color:#ff0;font-weight:bold;font-size:24px}@media only screen and (min-width:500px){a.xe_mobile{font-size:15px}}</style>'; $footer = '<div class="xe_mobile"><p class="xe_mobile"><a class="xe_mobile" href="' . getUrl('m', '1') . '">' . $lang->msg_pc_to_mobile . '</a></p></div>'; Context::addHtmlHeader($header); Context::addHtmlFooter($footer); } if ($type == "view" && $kind != 'admin') { $module_config = $oModuleModel->getModuleConfig('module'); if ($module_config->htmlFooter) { Context::addHtmlFooter($module_config->htmlFooter); } if ($module_config->siteTitle) { $siteTitle = Context::getBrowserTitle(); if (!$siteTitle) { Context::setBrowserTitle($module_config->siteTitle); } } } // if failed message exists in session, set context $this->_setInputErrorToContext(); $procResult = $oModule->proc(); $methodList = array('XMLRPC' => 1, 'JSON' => 1, 'JS_CALLBACK' => 1); if (!$oModule->stop_proc && !isset($methodList[Context::getRequestMethod()])) { $error = $oModule->getError(); $message = $oModule->getMessage(); $messageType = $oModule->getMessageType(); $redirectUrl = $oModule->getRedirectUrl(); if ($messageType == 'error') { debugPrint($message, 'ERROR'); } if (!$procResult) { $this->error = $message; if (!$redirectUrl && Context::get('error_return_url')) { $redirectUrl = Context::get('error_return_url'); } $this->_setInputValueToSession(); } else { } $_SESSION['XE_VALIDATOR_ERROR'] = $error; $_SESSION['XE_VALIDATOR_ID'] = Context::get('xe_validator_id'); if ($message != 'success') { $_SESSION['XE_VALIDATOR_MESSAGE'] = $message; } $_SESSION['XE_VALIDATOR_MESSAGE_TYPE'] = $messageType; if (Context::get('xeVirtualRequestMethod') != 'xml') { $_SESSION['XE_VALIDATOR_RETURN_URL'] = $redirectUrl; } } unset($logged_info); return $oModule; }
<?php
// Purchase page: requires a logged-in session and a valid CSRF token before the
// items held in the session are recorded as purchases.
// NOTE(review): this listing is cut off — the `if (checkCSRF())` block and the
// </table>/</body>/</html> tags are never closed in the visible text.
session_start();
include_once "testlogin.php";
redirectIfNotLoggedIn("https://127.0.0.1/");
?> <html> <body> <?php
include_once "../nonPublic/csrftoken.php";
include_once "database.php";
// checkCSRF() is presumably provided by csrftoken.php (not visible here); the
// purchase loop runs only when the token validates.
if (checkCSRF()) {
    $database = new Database();
    echo "If confirmed, the following items will be purchased:<br/>";
    echo "<table>";
    // NOTE(review): the loop starts at 2 — presumably the session slots are
    // filled from index 2; confirm against the page that sets $_SESSION['purchases*'].
    for ($x = 2; $x <= $_SESSION['purchaseNbr']; $x++) {
        $username = $_SESSION["username"];
        $itemId = $_SESSION["purchasesId" . $x];
        $itemName = $_SESSION["purchases" . $x];
        // NOTE(review): $itemName is echoed without escaping; if item names can
        // originate from user input this is an HTML-injection point —
        // wrap in htmlspecialchars() for the HTML context.
        echo "<tr><th> " . $itemName . " </th>";
        // A new connection is opened (and closed below) for every item; it could
        // be opened once outside the loop.
        $mysqli = $database->openConnection();
        // Parameterised INSERT: username and item id are bound, never interpolated.
        $sql = "INSERT INTO purchases (email,itemId,purchDate) VALUES ( ? , ?, NOW() )";
        $stmt = $mysqli->prepare($sql);
        // NOTE(review): prepare() returns false on failure, in which case
        // bind_param() is called on a non-object; check `$stmt === false` first.
        if ($stmt->bind_param('ss', $username, $itemId)) {
            if ($stmt->execute()) {
                echo "<th> purchase successful </th></tr>";
            }
        }
        // NOTE(review): the row is written as soon as the token validates, even
        // though the heading says "If confirmed" — presumably this page is only
        // reached after the confirmation step; verify.
        $stmt->free_result();
        $database->closeConnection($mysqli);
    }
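/**
 * Preview a layout
 *
 * Renders the layout template and CSS submitted by an administrator without
 * saving them: the template code is written to a temporary file, compiled,
 * handed to the view via Context, and the temporary file is removed again.
 *
 * Reads (via Context): layout_srl, code, code_css.
 *
 * @return void|Object (void : success, Object : fail)
 */
function dispLayoutPreview()
{
    // Reject requests without a valid CSRF token. stop() records the error on
    // this module and returns it, the same way the admin check below does.
    if (!checkCSRF()) {
        return $this->stop('msg_invalid_request');
    }

    // admin check
    // this act is admin view but in normal view because do not load admin css/js files
    $logged_info = Context::get('logged_info');
    if ($logged_info->is_admin != 'Y') {
        return $this->stop('msg_invalid_request');
    }

    $layout_srl = Context::get('layout_srl');
    $code = Context::get('code');
    $code_css = Context::get('code_css');
    if (!$layout_srl || !$code) {
        return new Object(-1, 'msg_invalid_request');
    }

    // Get the layout information
    $oLayoutModel = getModel('layout');
    $layout_info = $oLayoutModel->getLayout($layout_srl);
    if (!$layout_info) {
        return new Object(-1, 'msg_invalid_request');
    }

    // Separately handle the layout if its type is faceoff
    // ($layout_info is known to be set here; the earlier return covers the empty case)
    if ($layout_info->type == 'faceoff') {
        $oLayoutModel->doActivateFaceOff($layout_info);
    }

    // Apply CSS directly. The CSS is emitted verbatim into a <style> block;
    // only administrators (checked above) reach this point, so it is treated
    // as trusted input.
    Context::addHtmlHeader("<style type=\"text/css\" charset=\"UTF-8\">" . $code_css . "</style>");

    // Set names and values of extra_vars to $layout_info
    if ($layout_info->extra_var_count) {
        foreach ($layout_info->extra_var as $var_id => $val) {
            $layout_info->{$var_id} = $val->value;
        }
    }

    // menu in layout information becomes an argument for Context::set
    if ($layout_info->menu_count) {
        foreach ($layout_info->menu as $menu_id => $menu) {
            $menu->php_file = FileHandler::getRealPath($menu->php_file);
            if (FileHandler::exists($menu->php_file)) {
                include $menu->php_file;
            }
            Context::set($menu_id, $menu);
        }
    }
    Context::set('layout_info', $layout_info);
    Context::set('content', lang('layout_preview_content'));

    // Temporary save the codes
    // NOTE(review): the file name is fixed, so two concurrent previews write to
    // and remove the same tmp.tpl; a per-request name would avoid that race.
    $edited_layout_file = _XE_PATH_ . 'files/cache/layout/tmp.tpl';
    FileHandler::writeFile($edited_layout_file, $code);

    // Compile
    $oTemplate =& TemplateHandler::getInstance();
    $layout_path = $layout_info->path;
    $layout_file = 'layout';
    $layout_tpl = $oTemplate->compile($layout_path, $layout_file, $edited_layout_file);
    Context::set('layout', 'none');

    // Convert widgets and others
    Context::set('layout_tpl', $layout_tpl);

    // Delete Temporary Files
    FileHandler::removeFile($edited_layout_file);

    $this->setTemplateFile('layout_preview');
}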