/**
 * Check for block topic access.
 *
 * The pseudo-topics 'all' and 'homeonly' are not rows in the topics table,
 * so they are granted full access here instead of being looked up.
 *
 * @param  string $tid ID for topic to check on
 * @return int    3 for read/edit, 2 for read only, 0 for no access
 */
function hasBlockTopicAccess($tid)
{
    // The two special names are always editable; every real topic goes
    // through the regular topic permission check.
    if (in_array($tid, array('all', 'homeonly'))) {
        return 3;
    }

    return SEC_hasTopicAccess($tid);
}
} } $display = ''; if ($mode == $LANG_ADMIN['delete'] && !empty($LANG_ADMIN['delete'])) { $sid = COM_applyFilter($_POST['sid']); $type = ''; if (isset($_POST['type'])) { $type = COM_applyFilter($_POST['type']); } if (!isset($sid) || empty($sid)) { COM_errorLog('Attempted to delete story sid=' . $sid); echo COM_refresh($_CONF['site_admin_url'] . '/story.php'); } else { if ($type == 'submission') { $tid = DB_getItem($_TABLES['storysubmission'], 'tid', "sid = '{$sid}'"); if (SEC_hasTopicAccess($tid) < 3) { COM_accessLog("User {$_USER['username']} tried to illegally delete story submission {$sid}."); echo COM_refresh($_CONF['site_admin_url'] . '/index.php'); } else { if (SEC_checkToken()) { DB_delete($_TABLES['storysubmission'], 'sid', $sid, $_CONF['site_admin_url'] . '/moderation.php'); } else { COM_accessLog("User {$_USER['username']} tried to illegally delete story submission {$sid} and failed CSRF checks."); echo COM_refresh($_CONF['site_admin_url'] . '/index.php'); } } } else { if (SEC_checkToken()) { echo STORY_deleteStory($sid); } else { COM_accessLog("User {$_USER['username']} tried to delete story and failed CSRF checks {$sid}.");
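/**
 * Get an existing story
 *
 * Two modes: when a story id is supplied (or the caller is not the web
 * service), a single story is loaded and flattened into $output; when the
 * web service asks for a feed (no id), one page of stories is returned as a
 * list of arrays, filtered by the calling user's permissions.
 *
 * @param  array  $args     Contains all the data provided by the client
 * @param  mixed  &$output  OUTPUT parameter: story data (array) or an error code
 * @param  array  &$svc_msg OUTPUT parameter: output_fields, gl_feed, offset
 * @return int    Response code as defined in lib-plugins.php
 */
function service_get_story($args, &$output, &$svc_msg)
{
    global $_CONF, $_TABLES, $_USER;

    $output = array();
    $retval = '';

    if (!isset($_CONF['atom_max_stories'])) {
        $_CONF['atom_max_stories'] = 10; // set a reasonable default
    }

    $svc_msg['output_fields'] = array('draft_flag', 'hits', 'numemails', 'comments', 'trackbacks', 'featured', 'commentcode', 'statuscode', 'expire_date', 'postmode', 'advanced_editor_mode', 'frontpage', 'owner_id', 'group_id', 'perm_owner', 'perm_group', 'perm_members', 'perm_anon');

    if (empty($args['sid']) && !empty($args['id'])) {
        $args['sid'] = $args['id'];
    }

    if ($args['gl_svc']) {
        // Web-service input is untrusted: filter mode and sid before use.
        if (isset($args['mode'])) {
            $args['mode'] = COM_applyBasicFilter($args['mode']);
        }
        if (isset($args['sid'])) {
            $args['sid'] = COM_applyBasicFilter($args['sid']);
        }
        // No sid from the web service means "give me the feed".
        $svc_msg['gl_feed'] = empty($args['sid']);
    } else {
        $svc_msg['gl_feed'] = false;
    }

    if (empty($args['mode'])) {
        $args['mode'] = 'view';
    }

    if (!$svc_msg['gl_feed']) {
        $sid = $args['sid'];
        $mode = $args['mode'];
        $story = new Story();
        $retval = $story->loadFromDatabase($sid, $mode);
        if ($retval != STORY_LOADED_OK) {
            $output = $retval;
            return PLG_RET_ERROR;
        }

        // Flatten every persisted field (stored as a "_name" property) into
        // the output array. foreach replaces the removed-in-PHP-8 each().
        foreach ($story->_dbFields as $fieldname => $save) {
            $varname = '_' . $fieldname;
            $output[$fieldname] = $story->{$varname};
        }
        $output['username'] = $story->_username;
        $output['fullname'] = $story->_fullname;

        if ($args['gl_svc']) {
            if ($output['statuscode'] == STORY_ARCHIVE_ON_EXPIRE || $output['statuscode'] == STORY_DELETE_ON_EXPIRE) {
                // This date format is PHP 5 only,
                // but only the web-service uses the value
                $output['expire_date'] = date('c', $output['expire']);
            }
            $output['id'] = $output['sid'];
            $output['category'] = array($output['tid']);
            $output['published'] = date('c', $output['date']);
            $output['updated'] = date('c', $output['date']);
            if (empty($output['bodytext'])) {
                $output['content'] = $output['introtext'];
            } else {
                $output['content'] = $output['introtext'] . LB . '[page_break]' . LB . $output['bodytext'];
            }
            $output['content_type'] = $output['postmode'] == 'html' ? 'html' : 'text';
            $owner_data = SESS_getUserDataFromId($output['owner_id']);
            $output['author_name'] = $owner_data['username'];
            $output['link_edit'] = $sid;
        }
    } else {
        $output = array();

        // $offset is interpolated into the LIMIT clause below, so force it to
        // an integer even though COM_applyBasicFilter() has already run.
        $offset = 0;
        if (isset($args['offset'])) {
            $offset = (int) COM_applyBasicFilter($args['offset'], true);
        }
        // Fetch one row more than the page size so we can tell whether a
        // further page exists (see $svc_msg['offset'] below).
        $max_items = $_CONF['atom_max_stories'] + 1;

        // Shared SELECT; COM_getPermSQL() restricts rows to those the
        // current user may read (access level 2).
        $select = "SELECT s.*, UNIX_TIMESTAMP(s.date) AS unixdate, UNIX_TIMESTAMP(s.expire) as expireunix, "
                . "u.username, u.fullname, u.photo, u.email, t.topic, t.imageurl "
                . "FROM {$_TABLES['stories']} AS s, {$_TABLES['users']} AS u, {$_TABLES['topics']} AS t "
                . "WHERE (s.uid = u.uid) AND (s.tid = t.tid)"
                . COM_getPermSQL('AND', $_USER['uid'], 2, 's')
                . " ORDER BY unixdate DESC";

        $sql = array();
        $sql['mysql'] = $select . " LIMIT {$offset}, {$max_items}";
        // Fixed: the pgsql variant previously contained two FROM clauses
        // (a hard-coded one followed by the $_TABLES one) and so could never
        // run; it now shares the single SELECT above.
        $sql['pgsql'] = $select . " LIMIT {$max_items} OFFSET {$offset}";
        $result = DB_query($sql);

        $count = 0;
        while (($story_array = DB_fetchArray($result, false)) !== false) {
            $count += 1;
            if ($count == $max_items) {
                // More rows exist: hand the client the offset of the next page.
                $svc_msg['offset'] = $offset + $_CONF['atom_max_stories'];
                break;
            }
            $story = new Story();
            $story->loadFromArray($story_array);

            // COM_getPermSQL() already filtered on story permission; this
            // re-check additionally enforces topic access before output.
            $access = SEC_hasAccess($story_array['owner_id'], $story_array['group_id'], $story_array['perm_owner'], $story_array['perm_group'], $story_array['perm_members'], $story_array['perm_anon']);
            $story->_access = min($access, SEC_hasTopicAccess($story->_tid));
            if ($story->_access == 0) {
                continue;
            }
            $story->sanitizeData();

            $output_item = array();
            foreach ($story->_dbFields as $fieldname => $save) {
                $varname = '_' . $fieldname;
                $output_item[$fieldname] = $story->{$varname};
            }

            if ($args['gl_svc']) {
                if ($output_item['statuscode'] == STORY_ARCHIVE_ON_EXPIRE || $output_item['statuscode'] == STORY_DELETE_ON_EXPIRE) {
                    // This date format is PHP 5 only,
                    // but only the web-service uses the value
                    $output_item['expire_date'] = date('c', $output_item['expire']);
                }
                $output_item['id'] = $output_item['sid'];
                $output_item['category'] = array($output_item['tid']);
                $output_item['published'] = date('c', $output_item['date']);
                $output_item['updated'] = date('c', $output_item['date']);
                if (empty($output_item['bodytext'])) {
                    $output_item['content'] = $output_item['introtext'];
                } else {
                    $output_item['content'] = $output_item['introtext'] . LB . '[page_break]' . LB . $output_item['bodytext'];
                }
                $output_item['content_type'] = $output_item['postmode'] == 'html' ? 'html' : 'text';
                $owner_data = SESS_getUserDataFromId($output_item['owner_id']);
                $output_item['author_name'] = $owner_data['username'];
            }
            $output[] = $output_item;
        }
    }

    return PLG_RET_OK;
}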
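/**
 * Creates a <input> checklist from a database list for use in forms
 *
 * Creates a group of checkbox form fields with given arguments. Rows from
 * the topics table that the current user may not access are omitted.
 *
 * @param string $table     DB Table to pull data from
 * @param string $selection Comma delimited list of fields to pull from table
 * @param string $where     Where clause of SQL statement
 * @param string $selected  Space-separated values to set to CHECKED
 * @param string $fieldname Name to use for the checkbox array
 * @return string HTML with Checkbox code
 * @see COM_optionList
 *
 */
function COM_checkList($table, $selection, $where = '', $selected = '', $fieldname = '')
{
    global $_TABLES, $_COM_VERBOSE;

    // NOTE(review): $table, $selection and $where are interpolated into the
    // query unescaped; callers must pass only trusted, code-defined values.
    $sql = "SELECT {$selection} FROM {$table}";
    if (!empty($where)) {
        $sql .= " WHERE {$where}";
    }
    $result = DB_query($sql);
    $nrows = DB_numRows($result);

    if (!empty($selected)) {
        if ($_COM_VERBOSE) {
            COM_errorLog("exploding selected array: {$selected} in COM_checkList", 1);
        }
        $S = explode(' ', $selected);
    } else {
        if ($_COM_VERBOSE) {
            COM_errorLog('selected string was empty COM_checkList', 1);
        }
        $S = array();
    }

    // Falling back to the table name is not a good idea, as that will expose
    // our table name and prefix! Make sure you pass a distinct field name.
    // (Hoisted out of the loop: the value cannot change between rows.)
    if (empty($fieldname)) {
        $fieldname = $table;
    }

    $retval = '<ul class="checkboxes-list">' . LB;
    for ($i = 0; $i < $nrows; $i++) {
        $A = DB_fetchArray($result, true);

        // Topic rows the current user has no access to are skipped entirely.
        if ($table == $_TABLES['topics'] and SEC_hasTopicAccess($A['tid']) == 0) {
            continue;
        }

        // NOTE(review): $A[0] and $A[1] are emitted without HTML escaping;
        // this relies on the selected columns holding trusted data — verify
        // at the call sites.
        $retval .= '<li><input type="checkbox" name="' . $fieldname . '[]" value="' . $A[0] . '"';
        // Loose in_array() matches the original `==` comparison per entry.
        if (in_array($A[0], $S)) {
            $retval .= ' checked="checked"';
        }
        if ($table == $_TABLES['blocks'] && isset($A[2]) && $A[2] == 'gldefault') {
            $retval .= XHTML . '><span class="gldefault">' . stripslashes($A[1]) . '</span></li>' . LB;
        } else {
            $retval .= XHTML . '><span>' . stripslashes($A[1]) . '</span></li>' . LB;
        }
    }
    $retval .= '</ul>' . LB;

    return $retval;
}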
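/**
 * Implements the [topic:], [related_topics:] and [related_items:] autotags.
 *
 * @param string $op      operation to perform: 'tagname', 'permission',
 *                        'nopermission', 'description' or 'parse'
 * @param string $content item (e.g. topic text), including the autotag
 * @param array  $autotag parameters used in the autotag (tag, parm1, parm2, tagstr)
 * @return mixed tag names (for $op='tagname'/'permission'/'nopermission'),
 *               descriptions (for 'description') or formatted content (for 'parse');
 *               null when no tag matches a permission query
 *
 */
function plugin_autotags_topic($op, $content = '', $autotag = '')
{
    global $_CONF, $_TABLES, $LANG27, $_GROUPS;

    if ($op == 'tagname') {
        return array('topic', 'related_topics', 'related_items');
    } elseif ($op == 'permission' || $op == 'nopermission') {
        $flag = ($op == 'permission');
        $tagnames = array();

        if (isset($_GROUPS['Topic Admin'])) {
            $group_id = $_GROUPS['Topic Admin'];
        } else {
            $group_id = DB_getItem($_TABLES['groups'], 'grp_id', "grp_name = 'Topic Admin'");
        }
        $owner_id = SEC_getDefaultRootUser();

        // Each autotag has its own four-element permission tuple in $_CONF.
        $perm_keys = array(
            'topic'          => 'autotag_permissions_topic',
            'related_topics' => 'autotag_permissions_related_topics',
            'related_items'  => 'autotag_permissions_related_items',
        );
        foreach ($perm_keys as $tag => $key) {
            $p = $_CONF[$key];
            if (COM_getPermTag($owner_id, $group_id, $p[0], $p[1], $p[2], $p[3]) == $flag) {
                $tagnames[] = $tag;
            }
        }
        if (count($tagnames) > 0) {
            return $tagnames;
        }
    } elseif ($op == 'description') {
        return array(
            'topic'          => $LANG27['autotag_desc_topic'],
            'related_topics' => $LANG27['autotag_desc_related_topics'],
            'related_items'  => $LANG27['autotag_desc_related_items'],
        );
    } elseif ($op == 'parse') {
        if ($autotag['tag'] != 'topic' && $autotag['tag'] != 'related_topics' && $autotag['tag'] != 'related_items') {
            return $content;
        }

        if ($autotag['tag'] == 'topic') {
            $tid = COM_applyFilter($autotag['parm1']);
            // Only link topics the viewer may at least read.
            if (!empty($tid) && SEC_hasTopicAccess($tid) > 0) {
                $tid = DB_escapeString($tid);
                $sql = "SELECT COUNT(*) AS count FROM {$_TABLES['topics']} WHERE tid = '{$tid}'";
                $result = DB_query($sql);
                $A = DB_fetchArray($result);
                if ($A['count'] == 1) {
                    $url = COM_buildUrl($_CONF['site_url'] . '/index.php?topic=' . $tid);
                    $linktext = $autotag['parm2'];
                    if (empty($linktext)) {
                        $linktext = stripslashes(DB_getItem($_TABLES['topics'], 'topic', "tid = '{$tid}'"));
                    }
                    $link = COM_createLink($linktext, $url);
                    $content = str_replace($autotag['tagstr'], $link, $content);
                }
            }
        } elseif ($autotag['tag'] == 'related_topics') {
            $id = COM_applyFilter($autotag['parm1']);
            $type = '';
            $max = $_CONF['related_topics_max']; // Article Default
            $tids = array();

            // Options are "key:value" tokens at the start of parm2; parsing
            // stops at the first token that is not a known option.
            foreach (explode(' ', trim($autotag['parm2'])) as $part) {
                if (substr($part, 0, 5) == 'type:') {
                    $a = explode(':', $part);
                    $type = $a[1];
                } elseif (substr($part, 0, 4) == 'max:') {
                    $a = explode(':', $part);
                    // Cast: the value comes from authored content and is
                    // presumably used as a row limit — TODO confirm in TOPIC_relatedTopics().
                    $max = (int) $a[1];
                } elseif (substr($part, 0, 6) == 'topic:') {
                    $a = explode(':', $part);
                    // Filter topic ids the same way parm1 is filtered above.
                    $tids[] = COM_applyFilter($a[1]);
                } else {
                    break;
                }
            }

            $related_topics = '';
            if (!empty($type) and !empty($id)) {
                // Return topics of object
                $related_topics = TOPIC_relatedTopics($type, $id, $max);
            } elseif (!empty($tids)) {
                // Since list of topics specified add id to topic list (since really a topic)
                if (!empty($id)) {
                    $tids[] = $id;
                }
                $related_topics = TOPIC_relatedTopics('', '', $max, $tids);
            }
            if (!empty($related_topics)) {
                $content = str_replace($autotag['tagstr'], $related_topics, $content);
            }
        } elseif ($autotag['tag'] == 'related_items') {
            $id = COM_applyFilter($autotag['parm1']);
            $type = '';
            $max = $_CONF['related_topics_max']; // Article Default
            $trim = 0;
            $include_types = array();
            $tids = array();

            foreach (explode(' ', trim($autotag['parm2'])) as $part) {
                if (substr($part, 0, 5) == 'type:') {
                    $a = explode(':', $part);
                    $type = $a[1];
                } elseif (substr($part, 0, 4) == 'max:') {
                    $a = explode(':', $part);
                    $max = (int) $a[1];
                } elseif (substr($part, 0, 5) == 'trim:') {
                    $a = explode(':', $part);
                    $trim = (int) $a[1];
                } elseif (substr($part, 0, 6) == 'topic:') {
                    $a = explode(':', $part);
                    $tids[] = COM_applyFilter($a[1]);
                } elseif (substr($part, 0, 8) == 'include:') {
                    $a = explode(':', $part);
                    $include_types[] = $a[1]; // Add each type when found
                } else {
                    break;
                }
            }

            $related_items = '';
            if (!empty($type) and !empty($id)) {
                // Return topics of object
                $related_items = TOPIC_relatedItems($type, $id, $include_types, $max, $trim, $tids);
            } elseif (!empty($tids) or !empty($id)) {
                // Since list of topics specified add id to topic list (since really a topic)
                $tids[] = $id;
                $related_items = TOPIC_relatedItems('', '', $include_types, $max, $trim, $tids);
            }
            if (!empty($related_items)) {
                $content = str_replace($autotag['tagstr'], $related_items, $content);
            }
        }

        return $content;
    }
}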
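/**
 * Loads a story from the post data (admin story editor submission).
 *
 * Loads the basic fields, refuses to overwrite an existing story the user
 * may not edit, checks that the requested owner/group/permission set is one
 * the user may grant, resolves the topic, then loads and sanitizes
 * title/intro/body according to the post mode.
 *
 * @param  array &$array Request data (magic_quotes cleanup is done by the caller)
 * @return int   STORY_LOADED_OK, or one of the STORY_* error codes
 */
function loadFromArgsArray(&$array)
{
    global $_TABLES;

    /* magic_quotes_gpc cleanup routine now in submitstory() in
     * /public_html/admin/story.php */
    $retval = STORY_LOADED_OK; // default to success

    /* Load the trivial stuff: */
    $this->_loadBasics($array);

    /* Check to see if we have permission to edit this sid, and that this
     * sid is not a duplicate or anything horrible like that. ewww.
     * The sid originates from the request, so escape it at query time
     * (assumes _loadBasics() leaves _sid unescaped, as the query-time
     * escaping in the sibling implementation implies — confirm). */
    $sql = 'SELECT owner_id, group_id, perm_owner, perm_group, perm_members, perm_anon '
         . ' FROM ' . $_TABLES['stories']
         . ' WHERE sid=\'' . DB_escapeString($this->_sid) . '\'';
    $result = DB_query($sql);
    if ($result && DB_numRows($result) > 0) {
        /* Sid exists! Is it our article? */
        if ($this->_sid != $this->_originalSid) {
            // for story preview: don't abort
            $retval = STORY_DUPLICATE_SID;
        }
        $article = DB_fetchArray($result);

        /* Check Security: the existing story must be editable by us. */
        if (SEC_hasAccess($article['owner_id'], $article['group_id'], $article['perm_owner'], $article['perm_group'], $article['perm_members'], $article['perm_anon']) < 3) {
            return STORY_EXISTING_NO_EDIT_PERMISSION;
        }
    }

    /* The requested owner/group/permission set must itself be something the
     * current user can edit, in a topic they may access, for a group they
     * belong to; otherwise a user could hand a story to someone else. */
    $access = SEC_hasAccess($this->_owner_id, $this->_group_id, $this->_perm_owner, $this->_perm_group, $this->_perm_members, $this->_perm_anon);
    if ($access < 3 || !SEC_hasTopicAccess($this->_tid) || !SEC_inGroup($this->_group_id)) {
        return STORY_NO_ACCESS_PARAMS;
    }

    /* Load up the topic name and icon (tid is request data: escape it) */
    $topic = DB_query("SELECT topic, imageurl FROM {$_TABLES['topics']} WHERE tid='" . DB_escapeString($this->_tid) . "'");
    $topic = DB_fetchArray($topic);
    $this->_topic = $topic['topic'];
    $this->_imageurl = $topic['imageurl'];

    /* Then load the title, intro and body */
    if ($array['postmode'] == 'html' || $array['postmode'] == 'adveditor' || $array['postmode'] == 'wikitext') {
        $this->_htmlLoadStory($array['title'], $array['introtext'], $array['bodytext']);
        if ($this->_postmode == 'adveditor') {
            // The advanced editor is stored as plain 'html' plus a flag.
            $this->_advanced_editor_mode = 1;
            $this->_postmode = 'html';
        } else {
            $this->_advanced_editor_mode = 0;
        }
    } else {
        $this->_advanced_editor_mode = 0;
        $this->_plainTextLoadStory($array['title'], $array['introtext'], $array['bodytext']);
    }

    if (empty($this->_title) || empty($this->_introtext)) {
        return STORY_EMPTY_REQUIRED_FIELDS;
    }

    $this->_sanitizeData();

    return $retval;
}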
/**
 * Get topics the current user has access to
 *
 * Walks every row of the topics table and keeps the ids for which
 * SEC_hasTopicAccess() reports a non-zero access level.
 *
 * @return array Array of topic IDs
 *
 */
function USER_getAllowedTopics()
{
    global $_TABLES;

    $allowed = array();
    $result = DB_query("SELECT tid FROM {$_TABLES['topics']}");
    $remaining = DB_numRows($result);

    while ($remaining-- > 0) {
        $row = DB_fetchArray($result);
        if (SEC_hasTopicAccess($row['tid'])) {
            $allowed[] = $row['tid'];
        }
    }

    return $allowed;
}
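/**
 * used for the list of stories in admin/story.php
 *
 * Renders one cell of the story admin list.
 *
 * @param string $fieldname  column being rendered
 * @param mixed  $fieldvalue raw value of that column
 * @param array  $A          the full story row
 * @param array  $icon_arr   admin icons (uses 'edit')
 * @return string HTML for the cell
 *
 */
function ADMIN_getListField_stories($fieldname, $fieldvalue, $A, $icon_arr)
{
    global $_CONF, $_TABLES, $LANG_ADMIN, $LANG24, $LANG_ACCESS, $_IMAGE_TYPE;

    // Per-request caches keyed by topic id so each topic is looked up once
    // while the list is rendered. ($topic_anon was previously left
    // uninitialised and relied on auto-vivification.)
    static $topics, $topic_access, $topic_anon;
    if (!isset($topics)) {
        $topics = array();
    }
    if (!isset($topic_access)) {
        $topic_access = array();
    }
    if (!isset($topic_anon)) {
        $topic_anon = array();
    }

    $retval = '';
    switch ($fieldname) {
        case 'unixdate':
            $curtime = COM_getUserDateTimeFormat($A['unixdate']);
            $retval = strftime($_CONF['daytime'], $curtime[1]);
            break;

        case 'title':
            // NOTE(review): this replaces '$' with itself and is therefore a
            // no-op; it looks like an entity reference was decoded somewhere
            // between the original source and this listing — verify.
            $A['title'] = str_replace('$', '$', $A['title']);
            $article_url = COM_buildUrl($_CONF['site_url'] . '/article.php?story=' . $A['sid']);
            $retval = COM_createLink(stripslashes($A['title']), $article_url);
            break;

        case 'draft_flag':
            $retval = ($A['draft_flag'] == 1) ? $LANG24[35] : $LANG24[36];
            break;

        case 'access':
        case 'edit':
        case 'edit_adv':
            // Edit requires level 3 on the story AND level 3 on its topic.
            $access = SEC_hasAccess($A['owner_id'], $A['group_id'], $A['perm_owner'], $A['perm_group'], $A['perm_members'], $A['perm_anon']);
            if ($access == 3) {
                if (!isset($topic_access[$A['tid']])) {
                    $topic_access[$A['tid']] = SEC_hasTopicAccess($A['tid']);
                }
                if ($topic_access[$A['tid']] == 3) {
                    $access = $LANG_ACCESS['edit'];
                } else {
                    $access = $LANG_ACCESS['readonly'];
                }
            } else {
                $access = $LANG_ACCESS['readonly'];
            }

            if ($fieldname == 'access') {
                $retval = $access;
            } elseif ($access == $LANG_ACCESS['edit']) {
                $editmode = ($fieldname == 'edit_adv') ? 'adv' : 'std';
                $editurl = $_CONF['site_admin_url'] . '/story.php?mode=edit&editor=' . $editmode . '&sid=' . $A['sid'];
                $retval = COM_createLink($icon_arr['edit'], $editurl);
            }
            break;

        case 'featured':
            $retval = ($A['featured'] == 1) ? $LANG24[35] : $LANG24[36];
            break;

        case 'ping':
            if (!isset($topic_anon[$A['tid']])) {
                $topic_anon[$A['tid']] = DB_getItem($_TABLES['topics'], 'perm_anon', "tid = '" . addslashes($A['tid']) . "'");
            }
            // Only published, publicly readable stories in publicly readable
            // topics get a "send ping" icon.
            if ($A['draft_flag'] == 0 && $A['unixdate'] < time() && $A['perm_anon'] != 0 && $topic_anon[$A['tid']] != 0) {
                $pingico = '<img src="' . $_CONF['layout_url'] . '/images/sendping.' . $_IMAGE_TYPE . '" alt="' . $LANG24[21] . '" title="' . $LANG24[21] . '"' . XHTML . '>';
                $url = $_CONF['site_admin_url'] . '/trackback.php?mode=sendall&id=' . $A['sid'];
                $retval = COM_createLink($pingico, $url);
            } else {
                $retval = '';
            }
            break;

        case 'tid':
            if (!isset($topics[$A['tid']])) {
                // Escape the id like the 'ping' lookup does (was interpolated raw).
                $topics[$A['tid']] = DB_getItem($_TABLES['topics'], 'topic', "tid = '" . addslashes($A['tid']) . "'");
            }
            $retval = $topics[$A['tid']];
            break;

        case 'username':
            $retval = COM_getDisplayName($A['uid'], $A['username'], $A['fullname']);
            break;

        default:
            $retval = $fieldvalue;
            break;
    }

    return $retval;
}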
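/**
 * Loads a story from the post data (glFusion story editor submission).
 *
 * Loads the basic fields, refuses to overwrite an existing story the user
 * may not edit, checks the requested owner/group/permission set (bypassed
 * for users with the story.edit right), resolves the topic and alternate
 * topic, then loads and sanitizes title/intro/body.
 *
 * @param  array &$array Request data (magic_quotes cleanup is done by the caller)
 * @return int   STORY_LOADED_OK, or one of the STORY_* error codes
 */
function loadFromArgsArray(&$array)
{
    global $_TABLES;

    $retval = STORY_LOADED_OK;
    // Default to "no access": previously $access was only assigned inside
    // the success branch below and the `< 3` test ran against an undefined
    // variable when the check failed.
    $access = 0;

    /* magic_quotes_gpc cleanup routine now in submitstory() in
     * /public_html/admin/story.php */

    /* Load the trivial stuff: */
    $this->_loadBasics($array);

    /* Check to see if we have permission to edit this sid, and that this
     * sid is not a duplicate or anything horrible like that. ewww. */
    $sql = 'SELECT owner_id, group_id, perm_owner, perm_group, perm_members, perm_anon '
         . ' FROM ' . $_TABLES['stories']
         . ' WHERE sid=\'' . DB_escapeString($this->_sid) . '\'';
    $result = DB_query($sql);
    if ($result && DB_numRows($result) > 0) {
        /* Sid exists! Is it our article? */
        if ($this->_sid != $this->_originalSid) {
            $retval = STORY_DUPLICATE_SID;
        } else {
            $article = DB_fetchArray($result);

            /* Check Security: story.edit right, level-3 access on the story
             * and level-3 access on its topic are all required. */
            if (SEC_hasRights('story.edit') and $this->checkAccess() == 3 and SEC_hasTopicAccess($this->DisplayElements('tid')) == 3) {
                $access = 3;
            }
            if ($access < 3) {
                return STORY_EXISTING_NO_EDIT_PERMISSION;
            }

            // NOTE(review): owner_id is taken from the request as-is. This
            // path is only reachable with story.edit rights, but the value
            // is not validated as an existing user id here — confirm the
            // caller or _sanitizeData() covers that.
            if (!empty($array['owner_id'])) {
                $this->_owner_id = $array['owner_id'];
            } else {
                $this->_owner_id = $article['owner_id'];
            }
        }
    }

    /* Users with the story.edit right may set any owner/group/permissions;
     * everyone else must be able to edit the resulting story themselves. */
    if (SEC_hasRights('story.edit')) {
        $access = 3;
    } else {
        $access = SEC_hasAccess($this->_owner_id, $this->_group_id, $this->_perm_owner, $this->_perm_group, $this->_perm_members, $this->_perm_anon);
        if ($access < 3 || !SEC_hasTopicAccess($this->_tid) || !SEC_inGroup($this->_group_id)) {
            return STORY_NO_ACCESS_PARAMS;
        }
    }

    /* Load up the topic name and icon */
    $topic = DB_query("SELECT topic, imageurl FROM {$_TABLES['topics']} WHERE tid='" . DB_escapeString($this->_tid) . "'");
    $topic = DB_fetchArray($topic);
    $this->_topic = $topic['topic'];
    $this->_imageurl = $topic['imageurl'];

    $alternate_topic = '';
    if ($this->_alternate_tid != NULL) {
        $alternate_topic = DB_getItem($_TABLES['topics'], 'topic', 'tid="' . DB_escapeString($this->_alternate_tid) . '"');
    }
    $this->_alternate_topic = $alternate_topic;

    /* Then load the title, intro and body */
    if ($array['postmode'] == 'html' || $array['postmode'] == 'adveditor') {
        $this->_htmlLoadStory($array['title'], $array['introtext'], $array['bodytext']);
        if ($this->_postmode == 'adveditor') {
            $this->_postmode = 'html';
        }
    } else {
        $this->_plainTextLoadStory($array['title'], $array['introtext'], $array['bodytext']);
    }

    if (empty($this->_title) || empty($this->_introtext)) {
        return STORY_EMPTY_REQUIRED_FIELDS;
    }

    // An alternate topic identical to the main topic is meaningless.
    if ($this->_tid == $this->_alternate_tid) {
        $this->_alternate_tid = NULL;
    }

    $this->_sanitizeData();

    return $retval;
}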
/**
 * Check for menuitem topic access.
 *
 * 'all' and 'homeonly' are pseudo-topics with no database row and are
 * treated as fully accessible; any other id is checked normally.
 *
 * @param  string $tid ID for topic to check on
 * @return int    3 for read/edit, 2 for read only, 0 for no access
 *
 */
function CMED_hasMenuitemTopicAccess($tid)
{
    $isPseudoTopic = ($tid == 'all' || $tid == 'homeonly');

    return $isPseudoTopic ? 3 : SEC_hasTopicAccess($tid);
}
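/**
 * used for the list of stories in admin/story.php
 *
 * Renders one cell of the story admin list. Story Admins always get edit
 * and copy access; other users need level 3 on both story and topic.
 *
 * @param string $fieldname  column being rendered
 * @param mixed  $fieldvalue raw value of that column
 * @param array  $A          the full story row
 * @param array  $icon_arr   admin icons (uses 'edit', 'copy', 'check', 'delete')
 * @param string $token      CSRF token appended to the delete link
 * @return string HTML for the cell
 *
 */
function STORY_getListField($fieldname, $fieldvalue, $A, $icon_arr, $token)
{
    global $_CONF, $_USER, $_TABLES, $LANG_ADMIN, $LANG24, $LANG_ACCESS, $_IMAGE_TYPE;

    static $topics;
    if (!isset($topics)) {
        $topics = array();
    }

    $retval = '';
    switch ($fieldname) {
        case "access":
        case "edit":
        case "edit_adv":
            $access = $LANG_ACCESS['readonly'];
            if (SEC_inGroup('Story Admin')) {
                $access = $LANG_ACCESS['edit'];
            } elseif (SEC_hasAccess($A['owner_id'], $A['group_id'], $A['perm_owner'], $A['perm_group'], $A['perm_members'], $A['perm_anon']) == 3
                      && SEC_hasTopicAccess($A['tid']) == 3) {
                $access = $LANG_ACCESS['edit'];
            }

            if ($fieldname == 'access') {
                $retval = $access;
            } elseif ($access == $LANG_ACCESS['edit']) {
                $retval = COM_createLink($icon_arr['edit'], "{$_CONF['site_admin_url']}/story.php?edit=x&sid={$A['sid']}");
            }
            break;

        case "copy":
        case "copy_adv":
            $access = $LANG_ACCESS['readonly'];
            if (SEC_inGroup('Story Admin')) {
                $access = $LANG_ACCESS['copy'];
            } elseif (SEC_hasAccess($A['owner_id'], $A['group_id'], $A['perm_owner'], $A['perm_group'], $A['perm_members'], $A['perm_anon']) == 3
                      && SEC_hasTopicAccess($A['tid']) == 3) {
                $access = $LANG_ACCESS['copy'];
            }

            // (A `$fieldname == 'access'` branch that could never match inside
            // this case has been removed.)
            if ($access == $LANG_ACCESS['copy']) {
                $editor = ($fieldname == 'copy_adv') ? 'adv' : 'std';
                $retval = COM_createLink($icon_arr['copy'], "{$_CONF['site_admin_url']}/story.php?clone=x&editor={$editor}&sid={$A['sid']}");
            }
            break;

        case "title":
            // NOTE(review): this replaces '$' with itself and is therefore a
            // no-op; it looks like an entity reference was decoded somewhere
            // between the original source and this listing — verify.
            $A['title'] = str_replace('$', '$', $A['title']);
            $article_url = COM_buildUrl($_CONF['site_url'] . '/article.php?story=' . $A['sid']);
            $retval = COM_createLink($A['title'], $article_url);
            break;

        case 'tid':
            if (!isset($topics[$A['tid']])) {
                $topics[$A['tid']] = DB_getItem($_TABLES['topics'], 'topic', "tid = '" . DB_escapeString($A['tid']) . "'");
            }
            $retval = $topics[$A['tid']];
            break;

        case "draft_flag":
            $retval = $A['draft_flag'] == 1 ? $icon_arr['check'] : '';
            break;

        case "featured":
            $retval = $A['featured'] == 1 ? $icon_arr['check'] : '';
            break;

        case 'username':
            $retval = COM_getDisplayName($A['uid'], $A['username'], $A['fullname']);
            break;

        case "unixdate":
            $dt = new Date($A['unixdate'], $_USER['tzid']);
            $retval = $dt->format($_CONF['daytime'], true);
            break;

        case "ping":
            // Only published stories whose date has passed get a ping icon.
            if ($A['draft_flag'] == 0 && $A['unixdate'] < time()) {
                $pingico = '<img src="' . $_CONF['layout_url'] . '/images/sendping.' . $_IMAGE_TYPE . '" alt="' . $LANG24[21] . '" title="' . $LANG24[21] . '"/>';
                $url = $_CONF['site_admin_url'] . '/trackback.php?mode=sendall&id=' . $A['sid'];
                $retval = COM_createLink($pingico, $url);
            } else {
                $retval = '';
            }
            break;

        case 'delete':
            // The delete link is a GET, so the CSRF token is carried in the
            // query string; the handler must verify it (see SEC_checkToken).
            $attr = array();
            $attr['title'] = $LANG_ADMIN['delete'];
            $attr['onclick'] = 'return confirm(\'' . $LANG24[89] . '\');';
            $retval = COM_createLink($icon_arr['delete'], $_CONF['site_admin_url'] . '/story.php' . '?deletestory=x&sid=' . $A['sid'] . '&' . CSRF_TOKEN . '=' . $token, $attr);
            break;

        default:
            $retval = $fieldvalue;
            break;
    }

    return $retval;
}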
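/**
 * Build a list of all topics the current user has access to
 *
 * Fixed: the separator was emitted based on the row index rather than on
 * whether a topic had already been added, so a list whose first topic(s)
 * were inaccessible began with a stray leading space (which an explode()
 * on the consumer side turns into an empty first element).
 *
 * @return string List of topic IDs, separated by single spaces
 *
 */
function USER_buildTopicList()
{
    global $_TABLES;

    $allowed = array();
    $result = DB_query("SELECT tid FROM {$_TABLES['topics']}");
    $numrows = DB_numRows($result);

    for ($i = 0; $i < $numrows; $i++) {
        $A = DB_fetchArray($result);
        if (SEC_hasTopicAccess($A['tid'])) {
            $allowed[] = $A['tid'];
        }
    }

    return implode(' ', $allowed);
}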