<?php
// Copyright (c) 2009, LoveMachine Inc.
// All Rights Reserved.
// http://www.lovemachineinc.com

// AJAX endpoint: returns the caller's current rate-limit state as JSON.
//
// Expects a logged-in session ($_SESSION['username']) and two POST fields:
//   c  - the rate-limit class to query
//   id - the identifier the limit is keyed on
// Both are forwarded to enforceRateLimit() (defined in functions.php); the
// third argument `true` is passed through unchanged from the original call,
// its meaning is not visible in this file.
//
// Responses: no body when the referer check fails; `0` when the session or
// either POST field is missing/empty; otherwise the JSON-encoded return value
// of enforceRateLimit().

include "config.php";
require_once "class.session_handler.php";
include "functions.php";

// NOTE(review): checkReferer() is the only request-origin guard on this
// endpoint; a per-session anti-CSRF token would be a stronger check.
if (!checkReferer()) {
    exit;
}

$hasSession = !empty($_SESSION['username']);
$hasParams  = !empty($_POST['c']) && !empty($_POST['id']);

if (!$hasSession || !$hasParams) {
    echo json_encode(0);
    exit;
}

// Escaped with the legacy mysql extension's escaper, as the original did.
// This only matters if enforceRateLimit() interpolates these values into
// SQL; it is defined elsewhere, so that cannot be confirmed here.
$class = mysql_real_escape_string($_POST['c']);
$id    = mysql_real_escape_string($_POST['id']);

echo json_encode(enforceRateLimit($class, $id, true));
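/**
 * Send "love" from the logged-in user to another user and record it.
 *
 * Order of operations: encode inputs, enforce the sender's rate limit,
 * reject guest/self targets, look up sender and recipient company data,
 * send the love (email) via sl_send_love(), insert the LOVE row, check
 * whether the recipient has a Facebook id, and mirror public love within the
 * journal company to the journal API.
 *
 * @param int|string $userid   Sender's user id (also the rate-limit key).
 * @param string     $username Sender's username.
 * @param string     $nickname Sender's display name, used in the journal post.
 * @param bool       $isSuper  Whether the sender is a super admin.
 * @param string     $toArg    Recipient username as entered (trimmed/lowercased here).
 * @param string     $forArg   Free-text reason for the love.
 * @param bool       $priv     True marks the love private and suppresses the journal post.
 *
 * @return string|array One of 'ratelimit', 'guest', 'self', 'outside', 'ok',
 *                      or array('facebook', $to, $for, $fb_id) when the
 *                      recipient has a non-empty fb_id on record.
 */
function sendlove_toanother($userid, $username, $nickname, $isSuper, $toArg, $forArg, $priv)
{
    // UTF-8 encode passed parameters to preserve non-latin characters.
    $username = setEncoding($username);
    $nickname = setEncoding($nickname);
    $toArg    = setEncoding($toArg);
    $forArg   = setEncoding($forArg);

    if (enforceRateLimit('love', $userid)) {
        error_log("User " . $userid . " send love was rate limited.");
        return 'ratelimit';
    }

    // Normalise the recipient and escape it once; it is used escaped in the
    // queries below and must not be escaped a second time.
    $to = mysql_real_escape_string(strtolower(trim($toArg)));

    // Only super admins can send love to the guest account.
    if ($to == GUEST_USER && !$isSuper) {
        return 'guest';
    }

    // Can't send love to self (strict comparison: numeric-looking usernames
    // such as "007" and "7" are different users).
    if ($to === $username) {
        return 'self';
    }

    // Sender's company/skill/team, used to tag the love row. $userid is
    // escaped defensively even though it normally comes from the session.
    $sqlView = "SELECT company_id, skill, team FROM " . USERS . " WHERE id='" . mysql_real_escape_string($userid) . "'";
    $resView = mysql_query($sqlView);
    $rowView = $resView ? mysql_fetch_array($resView) : false;
    if (!$rowView) {
        // The original proceeded with nulls here; keep that, but log it so a
        // missing sender row is visible instead of silently tagging nothing.
        error_log("sendlove_toanother: no user row for id " . $userid);
        $rowView = array('company_id' => null, 'skill' => null, 'team' => null);
    }
    $company_id = $rowView['company_id'];
    $skill      = $rowView['skill'];
    $team       = $rowView['team'];

    // Recipient's company. NOTE(review): the username literal is redacted
    // ('******') in this listing; presumably it interpolates $to — confirm
    // against the repository before relying on this query.
    $sqlView    = "SELECT company_id FROM " . USERS . " WHERE username = '******'and removed = 0";
    $resView    = mysql_query($sqlView);
    $rowView    = $resView ? mysql_fetch_array($resView) : false;
    $to_company = $rowView ? $rowView['company_id'] : null;
    // Only tag the row with a company when sender and recipient share one.
    $company    = $company_id == $to_company ? ", company_id='" . $company_id . "'" : "";
    $private    = $priv ? ',private=1' : '';

    // No tags are currently stripped from the reason text (the original had
    // strip_tags commented out); it is escaped at insert time below.
    $for = $forArg;

    // This sends the actual email; false means the recipient is outside the system.
    if (!sl_send_love($username, $nickname, $userid, $company_id, $to, $for, false, $priv)) {
        return 'outside';
    }

    $rc = 'ok';

    // Record the love. $to is already escaped (the original addslashes() on it
    // double-escaped quotes); giver and why use the connection-charset-aware
    // escaper instead of addslashes(). $skill/$team come from the users table
    // and are interpolated unescaped, as before.
    $query = "insert into " . LOVE . " set giver='" . mysql_real_escape_string($username) . "', receiver='" . $to . "', skill='{$skill}', team='{$team}', why='" . mysql_real_escape_string($for) . "', at=now()" . $company . $private;
    if (!mysql_query($query)) {
        // Callers rely on the existing return values, so still return 'ok',
        // but make the dropped record visible in the log.
        error_log("sendlove_toanother: insert failed: " . mysql_error());
    }

    // If the recipient has a Facebook id, return it so the caller can handle it.
    // NOTE(review): the username literal is redacted ('******') here as well.
    $resfb = mysql_query("select id, fb_id from " . USERS . " where username = '******'");
    if ($resfb && mysql_num_rows($resfb) > 0) {
        $rowfb = mysql_fetch_assoc($resfb);
        $fb_id = $rowfb['fb_id'];
        if (!empty($fb_id)) {
            $rc = array('facebook', $to, $for, $fb_id);
        }
    }

    // Mirror public love within the journal company to the journal API.
    if ($company_id == $to_company && $company_id == JOURNAL_API_COMPANY && !$priv) {
        $toNickname = getNickName($to);
        if (empty($toNickname)) {
            $toNickname = $to;
        }
        $for  = stripslashes($for);
        $data = array(
            'user'    => JOURNAL_API_USER,
            'pwd'     => sha1(JOURNAL_API_PWD),
            'message' => $nickname . " to {$toNickname}: {$for}",
        );
        // The journal API is assumed to answer 'ok' on success (sendFromJournal
        // checks the same string); a failure is non-fatal here, only logged.
        $journal_rsp = trim(postRequest(JOURNAL_API_URL, $data));
        if ($journal_rsp !== 'ok') {
            error_log("sendlove_toanother: journal post failed: " . $journal_rsp);
        }
    }

    return $rc;
}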
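/**
 * Handle a "send love" request posted by the journal integration.
 *
 * Reads caller, from, to, why (and optional priv) from $_POST, resolves both
 * nicknames against the users table, enforces the sender's rate limit, sends
 * the love via sl_send_love(), records it in LOVE and mirrors public love
 * within the journal company back to the journal API. Failures are reported
 * through respond($rsp); respond() is assumed to terminate the request, since
 * none of the error branches below return after calling it.
 *
 * @return void
 */
function sendFromJournal()
{
    $rsp = array();

    // All required parameters must be present and non-empty.
    if (empty($_POST['caller']) || empty($_POST['from']) || empty($_POST['to']) || empty($_POST['why'])) {
        $rsp['error'] = SL_BAD_CALL;
        respond($rsp);
    }

    // Prepare received data. Escaping is the last step so that tag stripping
    // never runs on an already-escaped string.
    $to      = mysql_real_escape_string(trim(setEncoding($_POST['to'])));
    $from    = mysql_real_escape_string(trim(setEncoding($_POST['from'])));
    $why     = mysql_real_escape_string(smart_strip_tags(trim(setEncoding($_POST['why']))));
    $private = isset($_POST['priv']) && (int) $_POST['priv'] > 0;

    // Can't send love to self.
    if (strtolower($to) === strtolower($from)) {
        $rsp['error'] = SL_NOT_COWORKER;
        respond($rsp);
    }

    // Both nicknames must resolve to active users; each nickname is replaced
    // by its user row.
    $users = array();
    foreach (array('from' => $from, 'to' => $to) as $role => $nick) {
        $query = "select id, fb_id, username, nickname, company_id, skill, team "
               . "from " . USERS . " where nickname='" . $nick . "' and removed = 0";
        $res  = mysql_query($query);
        // Check the result handle before fetching to avoid a warning on a failed query.
        $line = $res ? mysql_fetch_array($res, MYSQL_ASSOC) : false;
        if (!$line) {
            $rsp['error'] = SL_UNKNOWN_USER;
            respond($rsp);
        }
        $users[$role] = $line;
    }
    $from = $users['from'];
    $to   = $users['to'];

    // Check rate limit.
    if (enforceRateLimit('love', $from['id'])) {
        error_log("User " . $from['id'] . " send love was rate limited.");
        $rsp['error'] = SL_RATE_LIMIT;
        respond($rsp);
    }

    // Send love (email); false means sending failed.
    if (!sl_send_love($from['username'], $from['nickname'], $from['id'], $from['company_id'], $to['username'], $why, false, $private)) {
        $rsp['error'] = SL_SEND_FAILED;
        respond($rsp);
    }

    // Record love in database. Column values come from the users rows fetched
    // above and are interpolated unescaped, as before; $why was escaped above.
    $company  = $to['company_id'] == $from['company_id'] ? ", company_id={$to['company_id']}" : "";
    $priv_str = $private ? ', private=1' : '';
    $query    = "insert into " . LOVE . " set giver='{$from['username']}', receiver='{$to['username']}', "
              . "skill='{$from['skill']}', team='{$from['team']}', why='{$why}', at=now()" . $company . $priv_str;

    $rsp['status'] = SL_OK;
    $rsp['error']  = SL_NO_ERROR;
    // The original placed the full INSERT statement in 'info', which was sent
    // to the client on the DB-failure path and exposed table/column names and
    // the row contents; keep the key but not the query.
    $rsp['info'] = '';
    if (!mysql_query($query)) {
        error_log("Add Love.err:" . mysql_error());
        $rsp['error'] = SL_DB_FAILURE;
        respond($rsp);
    }

    // Make love notice in journal (public love within the journal company only).
    if ($to['company_id'] == JOURNAL_API_COMPANY && !$private) {
        $data = array(
            'user'    => JOURNAL_API_USER,
            'pwd'     => sha1(JOURNAL_API_PWD),
            'message' => "{$from['nickname']} to {$to['nickname']}: {$why}",
        );
        $journal_rsp = trim(postRequest(JOURNAL_API_URL, $data));
        if ($journal_rsp !== 'ok') {
            $rsp['status'] = SL_WARNING;
            $rsp['error']  = SL_JOURNAL_FAILED;
            $rsp['info']   = $journal_rsp;
            respond($rsp);
        }
    }

    // NOTE(review): on the success path nothing is sent to the caller here,
    // exactly as in the original; confirm whether the caller responds itself
    // or whether a final `respond($rsp);` belongs at this point.
}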