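/**
 * Handles a comment view request
 *
 * Resolves the comment id from the request (CMT_CID when viewing a comment,
 * CMT_PID when displaying a reply to one), looks up the item the comment
 * belongs to and delegates rendering to the owning plugin.
 *
 * @copyright Vincent Furia 2005
 * @author Vincent Furia, vinny01 AT users DOT sourceforge DOT net
 * @param string  $format 'threaded', 'nested', or 'flat'
 * @param string  $order  'ASC' or 'DESC' or blank
 * @param int     $page   Page number of comments to display
 * @param boolean $view   View or display (true for view)
 * @return string HTML (possibly a refresh)
 */
function CMT_handleView($format, $order, $page, $view = true)
{
    global $_TABLES;

    // The request parameter carrying the comment id depends on the mode.
    $param = $view ? CMT_CID : CMT_PID;
    $cid = 0;
    if (isset($_REQUEST[$param])) {
        // second argument asks COM_applyFilter for a numeric value; the cast
        // guarantees an int before the id is embedded in SQL below
        $cid = (int) COM_applyFilter($_REQUEST[$param], true);
    }
    if ($cid <= 0) {
        // NOTE(review): the code below relies on COM_handle404() not returning,
        // exactly as the original did - confirm
        COM_handle404();
    }

    $sql = "SELECT sid, title, type FROM {$_TABLES['comments']} WHERE cid = {$cid}";
    $A = DB_fetchArray(DB_query($sql));
    if (empty($A)) {
        // unknown comment id: previously fell through with null sid/title/type
        COM_handle404();
    }
    $sid = $A['sid'];
    $title = $A['title'];
    $type = $A['type'];

    $display = PLG_displayComment($type, $sid, $cid, $title, $order, $format, $page, $view);
    if (!$display) {
        COM_handle404();
    }

    $display = COM_showMessageFromParameter() . $display;

    return COM_createHTMLDocument($display, array('pagetitle' => $title));
}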
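/**
 * Handles a comment view request
 *
 * Reads the comment id (cid, or pid when displaying rather than viewing),
 * resolves the item the comment belongs to and renders the comment listing,
 * either through the built-in article path or through the owning plugin.
 *
 * @copyright Vincent Furia 2005
 * @author Vincent Furia, vinny01 AT users DOT sourceforge DOT net
 * @param boolean $view View or display (true for view)
 * @return string HTML (possibly a refresh)
 */
function handleView($view = true)
{
    global $_CONF, $_TABLES, $_USER, $LANG_ACCESS;

    $display = '';
    $indexUrl = $_CONF['site_url'] . '/index.php';

    // The original indexed $_REQUEST without isset(); a missing parameter now
    // yields cid = 0 (and a redirect) instead of a notice.
    $param = $view ? 'cid' : 'pid';
    $cid = 0;
    if (isset($_REQUEST[$param])) {
        $cid = (int) COM_applyFilter($_REQUEST[$param], true);
    }
    if ($cid <= 0) {
        return COM_refresh($indexUrl);
    }

    // $cid is an int, so it is safe to embed directly
    $sql = "SELECT sid, title, type FROM {$_TABLES['comments']} WHERE cid = {$cid}";
    $A = DB_fetchArray(DB_query($sql));
    if (empty($A)) {
        // unknown comment id: previously continued with null sid/title/type
        return COM_refresh($indexUrl);
    }
    $sid = $A['sid'];
    $title = $A['title'];
    $type = $A['type'];

    // Display format: request parameter, else the user's preference, else site default.
    $format = $_CONF['comment_mode'];
    if (isset($_REQUEST['format'])) {
        $format = COM_applyFilter($_REQUEST['format']);
    }
    if (!in_array($format, array('threaded', 'nested', 'flat'), true)) {
        if (COM_isAnonUser()) {
            $format = $_CONF['comment_mode'];
        } else {
            $format = DB_getItem($_TABLES['usercomment'], 'commentmode',
                'uid = ' . (int) $_USER['uid']);
        }
    }

    // order and page are needed by both the article and the plugin path
    $order = '';
    if (isset($_REQUEST['order'])) {
        $order = COM_applyFilter($_REQUEST['order']);
    }
    $page = 0;
    if (isset($_REQUEST['page'])) {
        $page = COM_applyFilter($_REQUEST['page'], true);
    }

    switch ($type) {
        case 'article':
            // The count query doubles as the access check: a row with count 1
            // comes back only for a published, commentable story the current
            // user may see (permission and topic SQL appended).
            $sql = 'SELECT COUNT(*) AS count, commentcode, owner_id, group_id, perm_owner, perm_group, '
                . "perm_members, perm_anon FROM {$_TABLES['stories']} WHERE (sid = '"
                . DB_escapeString($sid) . "') "
                . 'AND (draft_flag = 0) AND (commentcode >= 0) AND (date <= NOW())'
                . COM_getPermSQL('AND') . COM_getTopicSQL('AND')
                . ' GROUP BY sid,owner_id, group_id, perm_owner, perm_group,perm_members, perm_anon ';
            $B = DB_fetchArray(DB_query($sql));
            if (!empty($B) && (int) $B['count'] === 1) {
                // deleting requires story.edit rights plus full (3) access on this story
                $delete_option = SEC_hasRights('story.edit')
                    && (SEC_hasAccess($B['owner_id'], $B['group_id'], $B['perm_owner'],
                        $B['perm_group'], $B['perm_members'], $B['perm_anon']) == 3);
                $display .= CMT_userComments($sid, $title, $type, $order, $format, $cid,
                    $page, $view, $delete_option, $B['commentcode']);
            } else {
                $display .= COM_startBlock($LANG_ACCESS['accessdenied'], '',
                        COM_getBlockTemplate('_msg_block', 'header'))
                    . $LANG_ACCESS['storydenialmsg']
                    . COM_endBlock(COM_getBlockTemplate('_msg_block', 'footer'));
            }
            break;

        default:
            // anything that is not an article is assumed to belong to a plugin
            $display = PLG_displayComment($type, $sid, $cid, $title, $order, $format, $page, $view);
            if (!$display) {
                return COM_refresh($indexUrl);
            }
            break;
    }

    return COM_siteHeader('menu', $title) . COM_showMessageFromParameter() . $display . COM_siteFooter();
}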
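/**
 * Handles a comment edit submission
 *
 * Loads the comment identified by cid/sid/type from the request, strips a
 * previously appended signature block and hands the text to the comment
 * form in 'edit' mode.
 *
 * @copyright Jared Wenerd 2008
 * @author Jared Wenerd <wenerd87 AT gmail DOT com>
 * @return string HTML (possibly a refresh)
 */
function handleEdit()
{
    global $_TABLES, $_USER, $_CONF, $_PLUGINS;

    $indexUrl = $_CONF['site_url'] . '/index.php';

    // For each of cid, sid and type a POST value takes precedence over GET.
    $cid = -1;
    if (isset($_POST['cid'])) {
        $cid = COM_applyFilter($_POST['cid'], true);
    } elseif (isset($_GET['cid'])) {
        $cid = COM_applyFilter($_GET['cid'], true);
    }

    $sid = '';
    if (isset($_POST['sid'])) {
        $sid = COM_sanitizeID(COM_applyFilter($_POST['sid']));
    } elseif (isset($_GET['sid'])) {
        $sid = COM_sanitizeID(COM_applyFilter($_GET['sid']));
    }

    $type = '';
    if (isset($_POST['type'])) {
        $type = COM_applyFilter($_POST['type']);
    } elseif (isset($_GET['type'])) {
        $type = COM_applyFilter($_GET['type']);
    }
    // only 'article' and an installed plugin are valid comment types
    if ($type !== 'article' && !in_array($type, $_PLUGINS, true)) {
        $type = '';
    }

    if (!is_numeric($cid) || $cid < 0 || empty($sid) || empty($type)) {
        COM_errorLog("handleEdit(): {$_USER['uid']} from {$_SERVER['REMOTE_ADDR']} tried "
            . 'to edit a comment with one or more missing/bad values.');
        // The original echoed the refresh and exit()ed here; it is now returned
        // like the "doesn't exist" branch below so the caller handles both alike.
        return COM_refresh($indexUrl);
    }

    // cid is cast and sid/type escaped before being embedded in the query
    $result = DB_query("SELECT title,comment FROM {$_TABLES['comments']} "
        . 'WHERE cid = ' . (int) $cid
        . " AND sid = '" . DB_escapeString($sid) . "'"
        . " AND type = '" . DB_escapeString($type) . "'");
    if (DB_numRows($result) != 1) {
        COM_errorLog("handleEdit(): {$_USER['uid']} from {$_SERVER['REMOTE_ADDR']} tried "
            . 'to edit a comment that doesn\'t exist as described.');
        return COM_refresh($indexUrl);
    }

    $A = DB_fetchArray($result);
    $title = $A['title'];
    $commenttext = COM_undoSpecialChars($A['comment']);

    // Remove the signature block appended when the comment was posted. As in
    // the original, a marker at offset 0 is left alone.
    $pos = strpos($commenttext, '<!-- COMMENTSIG --><div class="comment-sig">');
    if ($pos !== false && $pos > 0) {
        $commenttext = substr($commenttext, 0, $pos);
    }

    // Crude post-mode detection: any tag-like sequence means HTML.
    $postmode = (preg_match('/<.*>/', $commenttext) === 1) ? 'html' : 'plaintext';

    $pid = 0;
    if (isset($_REQUEST['pid'])) {
        $pid = COM_applyFilter($_REQUEST['pid'], true);
    }

    return PLG_displayComment($type, $sid, 0, $title, '', 'nobar', 0, 0)
        . CMT_commentForm($title, $commenttext, $sid, $pid, $type, 'edit', $postmode);
}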