// Check if the request exceed the post max size. If it does then the function will a call header_redirect. check_post_max_size_exceeded(); $action = param_action(); $disp = param('user_tab', 'string', ''); $blog = param('blog', 'integer', 0); // Activate the blog locale because all params were introduced with that locale activate_blog_locale($blog); /** * Basic security checks: */ if (!is_logged_in()) { // must be logged in! bad_request_die(T_('You are not logged in.')); } if ($demo_mode && $current_User->ID <= 3) { bad_request_die('Demo mode: you can\'t edit the admin and demo users profile!<br />[<a href="javascript:history.go(-1)">' . T_('Back to profile') . '</a>]'); } // Check that this action request is not a CSRF hacked request: $Session->assert_received_crumb('user'); $Blog = NULL; if ($blog > 0) { // Get Blog $BlogCache =& get_BlogCache(); $Blog =& $BlogCache->get_by_ID($blog, false, false); } switch ($action) { case 'add_field': case 'update': case 'subscribe': $current_User->update_from_request(); break;
/** * Initialize internal states for the most common skin displays. * * For more specific skins, this function may not be called and * equivalent code may be customized within the skin. * * @param string What are we going to display. Most of the time the global $disp should be passed. */ function skin_init($disp) { /** * @var Blog */ global $Blog; /** * @var Item */ global $Item; /** * @var Skin */ global $Skin; global $robots_index; global $seo_page_type; global $redir, $ReqURL, $ReqURI, $m, $w, $preview; global $Chapter; global $Debuglog; /** * @var ItemList2 */ global $MainList; /** * This will give more detail when $disp == 'posts'; otherwise it will have the same content as $disp * @var string */ global $disp_detail, $Settings; global $Timer; global $Messages, $PageCache; global $Session, $current_User; $Timer->resume('skin_init'); if (empty($disp_detail)) { $disp_detail = $disp; } $Debuglog->add('skin_init: $disp=' . $disp, 'skins'); // This is the main template; it may be used to display very different things. // Do inits depending on current $disp: switch ($disp) { case 'front': case 'posts': case 'single': case 'page': case 'terms': case 'download': case 'feedback-popup': // We need to load posts for this display: if ($disp == 'terms') { // Initialize the redirect param to know what page redirect after accepting of terms: param('redirect_to', 'url', ''); } // Note: even if we request the same post as $Item above, the following will do more restrictions (dates, etc.) // Init the MainList object: init_MainList($Blog->get_setting('posts_per_page')); // Init post navigation $post_navigation = $Skin->get_post_navigation(); if (empty($post_navigation)) { $post_navigation = $Blog->get_setting('post_navigation'); } if (!empty($MainList) && $MainList->single_post && ($single_Item =& mainlist_get_item())) { // If we are currently viewing a single post // We assume the current user will have read the entire post and all its current comments: $single_Item->update_read_timestamps(true, true); // Restart the items list: $MainList->restart(); } break; case 'search': // Searching post, comments and categories load_funcs('collections/_search.funcs.php'); // Check previous search keywords so it can be displayed in the search input box param('s', 'string', '', true); break; } // SEO stuff & redirects if necessary: $seo_page_type = NULL; switch ($disp) { // CONTENT PAGES: case 'single': case 'page': case 'terms': if ($disp == 'terms' && !$Item) { // Wrong post ID for terms page: global $disp; $disp = '404'; $Messages->add(sprintf(T_('Terms not found. (post ID #%s)'), get_param('p')), 'error'); break; } if (!$preview && empty($Item)) { // No Item, incorrect request and incorrect state of the application, a 404 redirect should have already happened //debug_die( 'Invalid page URL!' ); } if ($disp == 'single') { $seo_page_type = 'Single post page'; } else { $seo_page_type = '"Page" page'; } if (!$preview) { // Check if item has a goal to insert a hit into DB $Item->check_goal(); } // Check if the post has 'redirected' status: if (!$preview && $Item->status == 'redirected' && $redir == 'yes') { // $redir=no here allows to force a 'single post' URL for commenting // Redirect to the URL specified in the post: $Debuglog->add('Redirecting to post URL [' . $Item->url . '].'); header_redirect($Item->url, true, true); } // Check if we want to redirect to a canonical URL for the post // Please document encountered problems. if (!$preview && ($Blog->get_setting('canonical_item_urls') && $redir == 'yes' || $Blog->get_setting('relcanonical_item_urls'))) { // We want to redirect to the Item's canonical URL: $canonical_url = $Item->get_permanent_url('', '', '&'); if (preg_match('|[&?](page=\\d+)|', $ReqURI, $page_param)) { // A certain post page has been requested, keep only this param and discard all others: $canonical_url = url_add_param($canonical_url, $page_param[1], '&'); } if (preg_match('|[&?](mode=quote&[qcp]+=\\d+)|', $ReqURI, $page_param)) { // A quote of comment/post, keep only these params and discard all others: $canonical_url = url_add_param($canonical_url, $page_param[1], '&'); } if (!is_same_url($ReqURL, $canonical_url)) { // The requested URL does not look like the canonical URL for this post... // url difference was resolved $url_resolved = false; // Check if the difference is because of an allowed post navigation param if (preg_match('|[&?]cat=(\\d+)|', $ReqURI, $cat_param)) { // A category post navigation param is set $extended_url = ''; if ($post_navigation == 'same_category' && isset($cat_param[1])) { // navigatie through posts from the same category $category_ids = postcats_get_byID($Item->ID); if (in_array($cat_param[1], $category_ids)) { // cat param is one of this Item categories $extended_url = $Item->add_navigation_param($canonical_url, $post_navigation, $cat_param[1], '&'); // Set MainList navigation target to the requested category $MainList->nav_target = $cat_param[1]; } } $url_resolved = is_same_url($ReqURL, $extended_url); } if (preg_match('|[&?]tag=([^&A-Z]+)|', $ReqURI, $tag_param)) { // A tag post navigation param is set $extended_url = ''; if ($post_navigation == 'same_tag' && isset($tag_param[1])) { // navigatie through posts from the same tag $tag_names = $Item->get_tags(); if (in_array($tag_param[1], $tag_names)) { // tag param is one of this Item tags $extended_url = $Item->add_navigation_param($canonical_url, $post_navigation, $tag_param[1], '&'); // Set MainList navigation target to the requested tag $MainList->nav_target = $tag_param[1]; } } $url_resolved = is_same_url($ReqURL, $extended_url); } if (!$url_resolved && $Blog->get_setting('canonical_item_urls') && $redir == 'yes' && !$Item->check_cross_post_nav('auto', $Blog->ID)) { // REDIRECT TO THE CANONICAL URL: $Debuglog->add('Redirecting to canonical URL [' . $canonical_url . '].'); header_redirect($canonical_url, true); } else { // Use rel="canoncial": add_headline('<link rel="canonical" href="' . $canonical_url . '" />'); } // EXITED. } } if (!$MainList->result_num_rows) { // There is nothing to display for this page, don't index it! $robots_index = false; } break; case 'download': if (empty($Item)) { // No Item, incorrect request and incorrect state of the application, a 404 redirect should have already happened debug_die('Invalid page URL!'); } $download_link_ID = param('download', 'integer', 0); // Check if we can allow to download the selected file $LinkCache =& get_LinkCache(); if (!(($download_Link =& $LinkCache->get_by_ID($download_link_ID, false, false)) && ($LinkItem =& $download_Link->get_LinkOwner()) && ($LinkItem->Item && $LinkItem->Item->ID == $Item->ID) && ($download_File =& $download_Link->get_File()) && $download_File->exists())) { // Bad request, Redirect to Item permanent url $Messages->add(T_('The requested file is not available for download.'), 'error'); $canonical_url = $Item->get_permanent_url('', '', '&'); $Debuglog->add('Redirecting to canonical URL [' . $canonical_url . '].'); header_redirect($canonical_url, true); } // Save the downloading Link to the global vars $GLOBALS['download_Link'] =& $download_Link; // Save global $Item to $download_Item, because $Item can be rewritten by function get_featured_Item() in some skins $GLOBALS['download_Item'] =& $Item; init_ajax_forms('blog'); // auto requires jQuery // Initialize JavaScript to download file after X seconds add_js_headline(' jQuery( document ).ready( function () { jQuery( "#download_timer_js" ).show(); } ); var b2evo_download_timer = ' . intval($Blog->get_setting('download_delay')) . '; var downloadInterval = setInterval( function() { jQuery( "#download_timer" ).html( b2evo_download_timer ); if( b2evo_download_timer == 0 ) { // Stop timer and download a file clearInterval( downloadInterval ); jQuery( "#download_help_url" ).show(); } b2evo_download_timer--; }, 1000 );'); // Use meta tag to download file when JavaScript is NOT enabled add_headline('<meta http-equiv="refresh" content="' . intval($Blog->get_setting('download_delay')) . '; url=' . $download_Link->get_download_url(array('type' => 'action')) . '" />'); $seo_page_type = 'Download page'; if ($Blog->get_setting($disp . '_noindex')) { // We prefer robots not to index these pages: $robots_index = false; } break; case 'posts': init_ajax_forms('blog'); // auto requires jQuery // fp> if we add this here, we have to exetnd the inner if() // init_ratings_js( 'blog' ); // Get list of active filters: $active_filters = $MainList->get_active_filters(); if (!empty($active_filters)) { // The current page is being filtered... if (array_diff($active_filters, array('page')) == array()) { // This is just a follow "paged" page $disp_detail = 'posts-next'; $seo_page_type = 'Next page'; if ($Blog->get_setting('paged_noindex')) { // We prefer robots not to index category pages: $robots_index = false; } } elseif (array_diff($active_filters, array('cat_array', 'cat_modifier', 'cat_focus', 'posts', 'page')) == array()) { // This is a category page $disp_detail = 'posts-cat'; $seo_page_type = 'Category page'; if ($Blog->get_setting('chapter_noindex')) { // We prefer robots not to index category pages: $robots_index = false; } global $cat, $catsel; if (empty($catsel) && preg_match('~^[0-9]+$~', $cat)) { // We are on a single cat page: // NOTE: we must have selected EXACTLY ONE CATEGORY through the cat parameter // BUT: - this can resolve to including children // - selecting exactly one cat through catsel[] is NOT OK since not equivalent (will exclude children) // echo 'SINGLE CAT PAGE'; if ($Blog->get_setting('canonical_cat_urls') && $redir == 'yes' || $Blog->get_setting('relcanonical_cat_urls')) { // Check if the URL was canonical: if (!isset($Chapter)) { $ChapterCache =& get_ChapterCache(); /** * @var Chapter */ $Chapter =& $ChapterCache->get_by_ID($MainList->filters['cat_array'][0], false); } if ($Chapter) { if ($Chapter->parent_ID) { // This is a sub-category page (i-e: not a level 1 category) $disp_detail = 'posts-subcat'; } $canonical_url = $Chapter->get_permanent_url(NULL, NULL, $MainList->get_active_filter('page'), NULL, '&'); if (!is_same_url($ReqURL, $canonical_url)) { // fp> TODO: we're going to lose the additional params, it would be better to keep them... // fp> what additional params actually? if ($Blog->get_setting('canonical_cat_urls') && $redir == 'yes') { // REDIRECT TO THE CANONICAL URL: header_redirect($canonical_url, true); } else { // Use rel="canonical": add_headline('<link rel="canonical" href="' . $canonical_url . '" />'); } } } else { // If the requested chapter was not found display 404 page $Messages->add(T_('The requested chapter was not found')); global $disp; $disp = '404'; break; } } if ($post_navigation == 'same_category') { // Category is set and post navigation should go through the same category, set navigation target param $MainList->nav_target = $cat; } } } elseif (array_diff($active_filters, array('tags', 'posts', 'page')) == array()) { // This is a tag page $disp_detail = 'posts-tag'; $seo_page_type = 'Tag page'; if ($Blog->get_setting('tag_noindex')) { // We prefer robots not to index tag pages: $robots_index = false; } if ($Blog->get_setting('canonical_tag_urls') && $redir == 'yes' || $Blog->get_setting('relcanonical_tag_urls')) { // Check if the URL was canonical: $canonical_url = $Blog->gen_tag_url($MainList->get_active_filter('tags'), $MainList->get_active_filter('page'), '&'); if (!is_same_url($ReqURL, $canonical_url)) { if ($Blog->get_setting('canonical_tag_urls') && $redir == 'yes') { // REDIRECT TO THE CANONICAL URL: header_redirect($canonical_url, true); } else { // Use rel="canoncial": add_headline('<link rel="canonical" href="' . $canonical_url . '" />'); } } } $tag = $MainList->get_active_filter('tags'); if ($post_navigation == 'same_tag' && !empty($tag)) { // Tag is set and post navigation should go through the same tag, set navigation target param $MainList->nav_target = $tag; } } elseif (array_diff($active_filters, array('ymdhms', 'week', 'posts', 'page')) == array()) { // This is an archive page // echo 'archive page'; $disp_detail = 'posts-date'; $seo_page_type = 'Date archive page'; if ($Blog->get_setting('canonical_archive_urls') && $redir == 'yes' || $Blog->get_setting('relcanonical_archive_urls')) { // Check if the URL was canonical: $canonical_url = $Blog->gen_archive_url(substr($m, 0, 4), substr($m, 4, 2), substr($m, 6, 2), $w, '&', $MainList->get_active_filter('page')); if (!is_same_url($ReqURL, $canonical_url)) { if ($Blog->get_setting('canonical_archive_urls') && $redir == 'yes') { // REDIRECT TO THE CANONICAL URL: header_redirect($canonical_url, true); } else { // Use rel="canoncial": add_headline('<link rel="canonical" href="' . $canonical_url . '" />'); } } } if ($Blog->get_setting('archive_noindex')) { // We prefer robots not to index archive pages: $robots_index = false; } } else { // Other filtered pages: // pre_dump( $active_filters ); $disp_detail = 'posts-filtered'; $seo_page_type = 'Other filtered page'; if ($Blog->get_setting('filtered_noindex')) { // We prefer robots not to index other filtered pages: $robots_index = false; } } } elseif ($Blog->get_setting('front_disp') == 'posts') { // This is the default blog page only if the 'front_disp' is set to 'posts' $disp_detail = 'posts-default'; $seo_page_type = 'Default page'; if ($Blog->get_setting('default_noindex')) { // We prefer robots not to index archive pages: $robots_index = false; } } break; case 'search': $seo_page_type = 'Search page'; if ($Blog->get_setting('filtered_noindex')) { // We prefer robots not to index these pages: $robots_index = false; } break; // SPECIAL FEATURE PAGES: // SPECIAL FEATURE PAGES: case 'feedback-popup': $seo_page_type = 'Comment popup'; if ($Blog->get_setting($disp . '_noindex')) { // We prefer robots not to index these pages: $robots_index = false; } break; case 'arcdir': $seo_page_type = 'Date archive directory'; if ($Blog->get_setting($disp . '_noindex')) { // We prefer robots not to index these pages: $robots_index = false; } break; case 'catdir': $seo_page_type = 'Category directory'; if ($Blog->get_setting($disp . '_noindex')) { // We prefer robots not to index these pages: $robots_index = false; } break; case 'msgform': global $disp; // get expected message form type $msg_type = param('msg_type', 'string', ''); // initialize $recipient_User = NULL; $Comment = NULL; $allow_msgform = NULL; // get possible params $recipient_id = param('recipient_id', 'integer', 0, true); $comment_id = param('comment_id', 'integer', 0, true); $post_id = param('post_id', 'integer', 0, true); $subject = param('subject', 'string', ''); // try to init recipient_User if (!empty($recipient_id)) { $UserCache =& get_UserCache(); $recipient_User =& $UserCache->get_by_ID($recipient_id); } elseif (!empty($comment_id)) { // comment id is set, try to get comment author user $CommentCache =& get_CommentCache(); $Comment = $CommentCache->get_by_ID($comment_id, false); if ($Comment = $CommentCache->get_by_ID($comment_id, false)) { $recipient_User =& $Comment->get_author_User(); if (empty($recipient_User) && $Comment->allow_msgform && is_email($Comment->get_author_email())) { // set allow message form to email because comment author (not registered) accepts email $allow_msgform = 'email'; param('recipient_address', 'string', $Comment->get_author_email()); param('recipient_name', 'string', $Comment->get_author_name()); } } } else { // Recipient was not defined, try set the blog owner as recipient global $Blog; if (empty($Blog)) { // Blog is not set, this is an invalid request debug_die('Invalid send message request!'); } $recipient_User = $Blog->get_owner_User(); } if ($recipient_User) { // recipient User is set // get_msgform_possibility returns NULL (false), only if there is no messaging option between current_User and recipient user $allow_msgform = $recipient_User->get_msgform_possibility(); if ($msg_type == 'email' && $recipient_User->get_msgform_possibility(NULL, 'email') != 'email') { // User doesn't want to receive email messages, Restrict if this was requested by wrong url: $msg_type = ''; } if ($allow_msgform == 'login') { // user must login first to be able to send a message to this User $disp = 'login'; param('action', 'string', 'req_login'); // override redirect to param param('redirect_to', 'url', regenerate_url(), true, true); if (($msg_Blog =& get_setting_Blog('msg_blog_ID')) && $Blog->ID != $msg_Blog->ID) { // Redirect to special blog for messaging actions if it is defined in general settings header_redirect(url_add_param($msg_Blog->get('msgformurl', array('glue' => '&')), 'redirect_to=' . rawurlencode($redirect_to), '&')); } $Messages->add(T_('You must log in before you can contact this user')); } elseif ($allow_msgform == 'PM' && check_user_status('can_be_validated')) { // user is not activated if ($recipient_User->accepts_email()) { // recipient User accepts email allow to send email $allow_msgform = 'email'; $msg_type = 'email'; $activateinfo_link = 'href="' . get_activate_info_url(NULL, '&') . '"'; $Messages->add(sprintf(T_('You must activate your account before you can send a private message to %s. However you can send them an email if you\'d like. <a %s>More info »</a>'), $recipient_User->get('login'), $activateinfo_link), 'warning'); } else { // Redirect to the activate info page for not activated users $Messages->add(T_('You must activate your account before you can contact a user. <b>See below:</b>')); header_redirect(get_activate_info_url(), 302); // will have exited } } elseif ($msg_type == 'PM' && $allow_msgform == 'email') { // only email is allowed but user expect private message form if (!empty($current_User) && $recipient_id == $current_User->ID) { $Messages->add(T_('You cannot send a private message to yourself. However you can send yourself an email if you\'d like.'), 'warning'); } else { $Messages->add(sprintf(T_('You cannot send a private message to %s. However you can send them an email if you\'d like.'), $recipient_User->get('login')), 'warning'); } } elseif ($msg_type != 'email' && $allow_msgform == 'PM') { // private message form should be displayed, change display to create new individual thread with the given recipient user // check if creating new PM is allowed if (check_create_thread_limit(true)) { // thread limit reached header_redirect(); // exited here } global $edited_Thread, $edited_Message, $recipients_selected; // Load classes load_class('messaging/model/_thread.class.php', 'Thread'); load_class('messaging/model/_message.class.php', 'Message'); // Set global variable to auto define the FB autocomplete plugin field $recipients_selected = array(array('id' => $recipient_User->ID, 'title' => $recipient_User->login)); init_tokeninput_js('blog'); $disp = 'threads'; $edited_Thread = new Thread(); $edited_Message = new Message(); $edited_Message->Thread =& $edited_Thread; $edited_Thread->recipients = $recipient_User->login; param('action', 'string', 'new', true); param('thrdtype', 'string', 'individual', true); } if ($allow_msgform == 'email') { // set recippient user param set_param('recipient_id', $recipient_User->ID); } } if ($allow_msgform == NULL) { // should be Prevented by UI if (!empty($recipient_User)) { $Messages->add(sprintf(T_('The user "%s" does not want to be contacted through the message form.'), $recipient_User->get('login')), 'error'); } elseif (!empty($Comment)) { $Messages->add(T_('This commentator does not want to get contacted through the message form.'), 'error'); } $blogurl = $Blog->gen_blogurl(); // If it was a front page request or the front page is set to 'msgform' then we must not redirect to the front page because it is forbidden for the current User $redirect_to = is_front_page() || $Blog->get_setting('front_disp') == 'msgform' ? url_add_param($blogurl, 'disp=403', '&') : $blogurl; header_redirect($redirect_to, 302); // exited here } if ($allow_msgform == 'PM' || $allow_msgform == 'email') { // Some message form is available // Get the suggested subject for the email: if (empty($subject)) { // no subject provided by param: global $DB; if (!empty($comment_id)) { // fp>TODO there should be NO SQL in this file. Make a $ItemCache->get_by_comment_ID(). $row = $DB->get_row(' SELECT post_title FROM T_items__item, T_comments WHERE comment_ID = ' . $DB->quote($comment_id) . ' AND post_ID = comment_item_ID'); if ($row) { $subject = T_('Re:') . ' ' . sprintf(T_('Comment on %s'), $row->post_title); } } if (empty($subject) && !empty($post_id)) { // fp>TODO there should be NO SQL in this file. Use $ItemCache->get_by_ID. $row = $DB->get_row(' SELECT post_title FROM T_items__item WHERE post_ID = ' . $post_id); if ($row) { $subject = T_('Re:') . ' ' . $row->post_title; } } } if ($allow_msgform == 'PM' && isset($edited_Thread)) { $edited_Thread->title = $subject; } else { param('subject', 'string', $subject, true); } } if (($msg_Blog =& get_setting_Blog('msg_blog_ID')) && $Blog->ID != $msg_Blog->ID) { // Redirect to special blog for messaging actions if it is defined in general settings header_redirect($msg_Blog->get('msgformurl', array('glue' => '&'))); } $seo_page_type = 'Contact form'; if ($Blog->get_setting($disp . '_noindex')) { // We prefer robots not to index these pages: $robots_index = false; } break; case 'messages': case 'contacts': case 'threads': switch ($disp) { case 'messages': // Actions ONLY for disp=messages // fp> The correct place to get thrd_ID is here, because we want it in redirect_to in case we need to ask for login. $thrd_ID = param('thrd_ID', 'integer', '', true); if (!is_logged_in()) { // Redirect to the login page for anonymous users $Messages->add(T_('You must log in to read your messages.')); header_redirect(get_login_url('cannot see messages'), 302); // will have exited } // check if user status allow to view messages if (!$current_User->check_status('can_view_messages')) { // user status does not allow to view messages if ($current_User->check_status('can_be_validated')) { // user is logged in but his/her account is not activate yet $Messages->add(T_('You must activate your account before you can read & send messages. <b>See below:</b>')); header_redirect(get_activate_info_url(), 302); // will have exited } $Messages->add('You are not allowed to view Messages!'); header_redirect($Blog->gen_blogurl(), 302); // will have exited } // check if user permissions allow to view messages if (!$current_User->check_perm('perm_messaging', 'reply')) { // Redirect to the blog url for users without messaging permission $Messages->add('You are not allowed to view Messages!'); header_redirect($Blog->gen_blogurl(), 302); // will have exited } if (!empty($thrd_ID)) { // if this thread exists and current user is part of this thread update status because won't be any unread messages on this conversation // we need to mark this early to make sure the unread message count will be correct in the evobar mark_as_read_by_user($thrd_ID, $current_User->ID); } if (($unsaved_message_params = get_message_params_from_session()) !== NULL) { // set Message and Thread saved params from Session global $edited_Message, $action; load_class('messaging/model/_message.class.php', 'Message'); $edited_Message = new Message(); $edited_Message->text = $unsaved_message_params['message']; $edited_Message->original_text = $unsaved_message_params['message_original']; $edited_Message->set_renderers($unsaved_message_params['renderers']); $edited_Message->thread_ID = $thrd_ID; $action = $unsaved_message_params['action']; } break; case 'contacts': // Actions ONLY for disp=contacts if (!is_logged_in()) { // Redirect to the login page for anonymous users $Messages->add(T_('You must log in to manage your contacts.')); header_redirect(get_login_url('cannot see contacts'), 302); // will have exited } if (!$current_User->check_status('can_view_contacts')) { // user is logged in, but his status doesn't allow to view contacts if ($current_User->check_status('can_be_validated')) { // user is logged in but his/her account was not activated yet // Redirect to the account activation page $Messages->add(T_('You must activate your account before you can manage your contacts. <b>See below:</b>')); header_redirect(get_activate_info_url(), 302); // will have exited } // Redirect to the blog url for users without messaging permission $Messages->add('You are not allowed to view Contacts!'); $blogurl = $Blog->gen_blogurl(); // If it was a front page request or the front page is set to display 'contacts' then we must not redirect to the front page because it is forbidden for the current User $redirect_to = is_front_page() || $Blog->get_setting('front_disp') == 'contacts' ? url_add_param($blogurl, 'disp=403', '&') : $blogurl; header_redirect($redirect_to, 302); } if (has_cross_country_restriction('any') && empty($current_User->ctry_ID)) { // User may browse/contact other users only from the same country $Messages->add(T_('Please specify your country before attempting to contact other users.')); header_redirect(get_user_profile_url()); } // Get action parameter from request: $action = param_action(); if (!$current_User->check_perm('perm_messaging', 'reply')) { // Redirect to the blog url for users without messaging permission $Messages->add('You are not allowed to view Contacts!'); $blogurl = $Blog->gen_blogurl(); // If it was a front page request or the front page is set to display 'contacts' then we must not redirect to the front page because it is forbidden for the current User $redirect_to = is_front_page() || $Blog->get_setting('front_disp') == 'contacts' ? url_add_param($blogurl, 'disp=403', '&') : $blogurl; header_redirect($redirect_to, 302); // will have exited } switch ($action) { case 'add_user': // Add user to contacts list // Check that this action request is not a CSRF hacked request: $Session->assert_received_crumb('messaging_contacts'); $user_ID = param('user_ID', 'integer', 0); if ($user_ID > 0) { // Add user to contacts if (create_contacts_user($user_ID)) { // Add user to the group $group_ID = param('group_ID', 'string', ''); if ($result = create_contacts_group_users($group_ID, $user_ID, 'group_ID_combo')) { // User has been added to the group $Messages->add(sprintf(T_('User has been added to the «%s» group.'), $result['group_name']), 'success'); } else { // User has been added ONLY to the contacts list $Messages->add('User has been added to your contacts.', 'success'); } } header_redirect($Blog->get('userurl', array('url_suffix' => 'user_ID=' . $user_ID, 'glue' => '&'))); } break; case 'unblock': // Unblock user // Check that this action request is not a CSRF hacked request: $Session->assert_received_crumb('messaging_contacts'); $user_ID = param('user_ID', 'integer', 0); if ($user_ID > 0) { set_contact_blocked($user_ID, 0); $Messages->add(T_('Contact was unblocked.'), 'success'); } break; case 'remove_user': // Remove user from contacts group // Check that this action request is not a CSRF hacked request: $Session->assert_received_crumb('messaging_contacts'); $view = param('view', 'string', 'profile'); $user_ID = param('user_ID', 'integer', 0); $group_ID = param('group_ID', 'integer', 0); if ($user_ID > 0 && $group_ID > 0) { // Remove user from selected group if (remove_contacts_group_user($group_ID, $user_ID)) { // User has been removed from the group if ($view == 'contacts') { // Redirect to the contacts list header_redirect($Blog->get('contactsurl', array('glue' => '&'))); } else { // Redirect to the user profile page header_redirect($Blog->get('userurl', array('url_suffix' => 'user_ID=' . $user_ID, 'glue' => '&'))); } } } break; case 'add_group': // Add users to the group // Check that this action request is not a CSRF hacked request: $Session->assert_received_crumb('messaging_contacts'); $group = param('group', 'string', ''); $users = param('users', 'string', ''); if ($result = create_contacts_group_users($group, $users)) { // Users have been added to the group $Messages->add(sprintf(T_('%d contacts have been added to the «%s» group.'), $result['count_users'], $result['group_name']), 'success'); $redirect_to = $Blog->get('contactsurl', array('glue' => '&')); $item_ID = param('item_ID', 'integer', 0); if ($item_ID > 0) { $redirect_to = url_add_param($redirect_to, 'item_ID=' . $item_ID, '&'); } header_redirect($redirect_to); } break; case 'rename_group': // Rename the group // Check that this action request is not a CSRF hacked request: $Session->assert_received_crumb('messaging_contacts'); $group_ID = param('group_ID', 'integer', true); if (rename_contacts_group($group_ID)) { $item_ID = param('item_ID', 'integer', 0); $redirect_to = url_add_param($Blog->get('contactsurl', array('glue' => '&')), 'g=' . $group_ID, '&'); if ($item_ID > 0) { $redirect_to = url_add_param($redirect_to, 'item_ID=' . $item_ID, '&'); } $Messages->add(T_('The group has been renamed.'), 'success'); header_redirect($redirect_to); } break; case 'delete_group': // Delete the group // Check that this action request is not a CSRF hacked request: $Session->assert_received_crumb('messaging_contacts'); $group_ID = param('group_ID', 'integer', true); if (delete_contacts_group($group_ID)) { $item_ID = param('item_ID', 'integer', 0); $redirect_to = $Blog->get('contactsurl', array('glue' => '&')); if ($item_ID > 0) { $redirect_to = url_add_param($redirect_to, 'item_ID=' . $item_ID, '&'); } $Messages->add(T_('The group has been deleted.'), 'success'); header_redirect($redirect_to); } break; } modules_call_method('switch_contacts_actions', array('action' => $action)); break; case 'threads': // Actions ONLY for disp=threads if (!is_logged_in()) { // Redirect to the login page for anonymous users $Messages->add(T_('You must log in to read your messages.')); header_redirect(get_login_url('cannot see messages'), 302); // will have exited } if (!$current_User->check_status('can_view_threads')) { // user status does not allow to view threads if ($current_User->check_status('can_be_validated')) { // user is logged in but his/her account is not activate yet $Messages->add(T_('You must activate your account before you can read & send messages. <b>See below:</b>')); header_redirect(get_activate_info_url(), 302); // will have exited } $Messages->add('You are not allowed to view Messages!'); $blogurl = $Blog->gen_blogurl(); // If it was a front page request or the front page is set to display 'threads' then we must not redirect to the front page because it is forbidden for the current User $redirect_to = is_front_page() || $Blog->get_setting('front_disp') == 'threads' ? url_add_param($blogurl, 'disp=404', '&') : $blogurl; header_redirect($redirect_to, 302); // will have exited } if (!$current_User->check_perm('perm_messaging', 'reply')) { // Redirect to the blog url for users without messaging permission $Messages->add('You are not allowed to view Messages!'); $blogurl = $Blog->gen_blogurl(); // If it was a front page request or the front page is set to display 'threads' then we must not redirect to the front page because it is forbidden for the current User $redirect_to = is_front_page() || $Blog->get_setting('front_disp') == 'threads' ? url_add_param($blogurl, 'disp=403', '&') : $blogurl; header_redirect($redirect_to, 302); // will have exited } $action = param('action', 'string', 'view'); if ($action == 'new') { // Before new message form is displayed ... if (has_cross_country_restriction('contact') && empty($current_User->ctry_ID)) { // Cross country contact restriction is enabled, but user country is not set yet $Messages->add(T_('Please specify your country before attempting to contact other users.')); header_redirect(get_user_profile_url()); } elseif (check_create_thread_limit(true)) { // don't allow to create new thread, because the new thread limit was already reached set_param('action', 'view'); } } // Load classes load_class('messaging/model/_thread.class.php', 'Thread'); load_class('messaging/model/_message.class.php', 'Message'); // Get action parameter from request: $action = param_action('view'); switch ($action) { case 'new': // Check permission: $current_User->check_perm('perm_messaging', 'reply', true); global $edited_Thread, $edited_Message; $edited_Thread = new Thread(); $edited_Message = new Message(); $edited_Message->Thread =& $edited_Thread; modules_call_method('update_new_thread', array('Thread' => &$edited_Thread)); if (($unsaved_message_params = get_message_params_from_session()) !== NULL) { // set Message and Thread saved params from Session $edited_Message->text = $unsaved_message_params['message']; $edited_Message->original_text = $unsaved_message_params['message_original']; $edited_Message->set_renderers($unsaved_message_params['renderers']); $edited_Thread->title = $unsaved_message_params['subject']; $edited_Thread->recipients = $unsaved_message_params['thrd_recipients']; $edited_Message->Thread = $edited_Thread; global $thrd_recipients_array, $thrdtype, $action, $creating_success; $thrd_recipients_array = $unsaved_message_params['thrd_recipients_array']; $thrdtype = $unsaved_message_params['thrdtype']; $action = $unsaved_message_params['action']; $creating_success = !empty($unsaved_message_params['creating_success']) ? $unsaved_message_params['creating_success'] : false; } else { if (empty($edited_Thread->recipients)) { $edited_Thread->recipients = param('thrd_recipients', 'string', ''); } if (empty($edited_Thread->title)) { $edited_Thread->title = param('subject', 'string', ''); } } break; default: // Check permission: $current_User->check_perm('perm_messaging', 'reply', true); break; } break; } // Actions for disp = messages, contacts, threads: if (($msg_Blog =& get_setting_Blog('msg_blog_ID')) && $Blog->ID != $msg_Blog->ID) { // Redirect to special blog for messaging actions if it is defined in general settings $blog_url_params = array('glue' => '&'); if (!empty($thrd_ID)) { // Don't forget the important param on redirect $blog_url_params['url_suffix'] = 'thrd_ID=' . $thrd_ID; } header_redirect($msg_Blog->get($disp . 'url', $blog_url_params)); } // just in case some robot would be logged in: $seo_page_type = 'Messaging module'; $robots_index = false; // Display messages depending on user email status display_user_email_status_message(); break; case 'login': global $Plugins, $transmit_hashed_password; if (is_logged_in()) { // User is already logged in if ($current_User->check_status('can_be_validated')) { // account is not active yet, redirect to the account activation page $Messages->add(T_('You are logged in but your account is not activated. You will find instructions about activating your account below:')); header_redirect(get_activate_info_url(), 302); // will have exited } // User is already logged in, redirect to "redirect_to" page $Messages->add(T_('You are already logged in.'), 'note'); $redirect_to = param('redirect_to', 'url', NULL); if (empty($redirect_to)) { // If empty redirect to referer page $redirect_to = ''; } header_redirect($redirect_to, 302); // will have exited } if (($login_Blog =& get_setting_Blog('login_blog_ID')) && $Blog->ID != $login_Blog->ID) { // Redirect to special blog for login/register actions if it is defined in general settings header_redirect($login_Blog->get('loginurl', array('glue' => '&'))); } $seo_page_type = 'Login form'; $robots_index = false; break; case 'register': if (is_logged_in()) { // If user is logged in the register form should not be displayed. In this case redirect to the blog home page. $Messages->add(T_('You are already logged in.'), 'note'); header_redirect($Blog->gen_blogurl(), false); } if (($login_Blog =& get_setting_Blog('login_blog_ID')) && $Blog->ID != $login_Blog->ID) { // Redirect to special blog for login/register actions if it is defined in general settings header_redirect($login_Blog->get('registerurl', array('glue' => '&'))); } $seo_page_type = 'Register form'; $robots_index = false; // Check invitation code if it exists and registration is enabled global $display_invitation; $display_invitation = check_invitation_code(); break; case 'lostpassword': if (is_logged_in()) { // If user is logged in the lost password form should not be displayed. In this case redirect to the blog home page. $Messages->add(T_('You are already logged in.'), 'note'); header_redirect($Blog->gen_blogurl(), false); } if (($login_Blog =& get_setting_Blog('login_blog_ID')) && $Blog->ID != $login_Blog->ID) { // Redirect to special blog for login/register actions if it is defined in general settings header_redirect($login_Blog->get('lostpasswordurl', array('glue' => '&'))); } $seo_page_type = 'Lost password form'; $robots_index = false; break; case 'activateinfo': if (!is_logged_in()) { // Redirect to the login page for anonymous users $Messages->add(T_('You must log in before you can activate your account.')); header_redirect(get_login_url('cannot see messages'), 302); // will have exited } if (!$current_User->check_status('can_be_validated')) { // don't display activateinfo screen $after_email_validation = $Settings->get('after_email_validation'); if ($after_email_validation == 'return_to_original') { // we want to return to original page after account activation // check if Session 'validatemail.redirect_to' param is still set $redirect_to = $Session->get('core.validatemail.redirect_to'); if (empty($redirect_to)) { // Session param is empty try to get general redirect_to param $redirect_to = param('redirect_to', 'url', ''); } else { // cleanup validateemail.redirect_to param from session $Session->delete('core.validatemail.redirect_to'); } } else { // go to after email validation url which is set in the user general settings form $redirect_to = $after_email_validation; } if (empty($redirect_to) || preg_match('#disp=activateinfo#', $redirect_to)) { // redirect_to is pointing to the activate info display or is empty // redirect to referer page $redirect_to = ''; } if ($current_User->check_status('is_validated')) { $Messages->add(T_('Your account has already been activated.')); } header_redirect($redirect_to, 302); // will have exited } if (($login_Blog =& get_setting_Blog('login_blog_ID')) && $Blog->ID != $login_Blog->ID) { // Redirect to special blog for login/register actions if it is defined in general settings header_redirect($login_Blog->get('activateinfourl', array('glue' => '&'))); } break; case 'profile': case 'avatar': $action = param_action(); if ($action == 'crop' && is_logged_in()) { // Check data for crop action: global $current_User, $cropped_File; $file_ID = param('file_ID', 'integer'); if (!($cropped_File = $current_User->get_File_by_ID($file_ID, $error_code))) { // Current user cannot crop this file set_param('action', ''); } } case 'pwdchange': case 'userprefs': case 'subs': $seo_page_type = 'Special feature page'; if ($Blog->get_setting('special_noindex')) { // We prefer robots not to index these pages: $robots_index = false; } // Display messages depending on user email status display_user_email_status_message(); break; case 'users': if (!is_logged_in() && !$Settings->get('allow_anonymous_user_list')) { // Redirect to the login page if not logged in and allow anonymous user setting is OFF $Messages->add(T_('You must log in to view the user directory.')); header_redirect(get_login_url('cannot see user'), 302); // will have exited } if (is_logged_in() && !check_user_status('can_view_users')) { // user status doesn't permit to view users list if (check_user_status('can_be_validated')) { // user is logged in but his/her account is not active yet // Redirect to the account activation page $Messages->add(T_('You must activate your account before you can view the user directory. <b>See below:</b>')); header_redirect(get_activate_info_url(), 302); // will have exited } // set where to redirect $error_redirect_to = empty($Blog) ? $baseurl : $Blog->gen_blogurl(); $Messages->add(T_('Your account status currently does not permit to view the user directory.')); header_redirect($error_redirect_to, 302); // will have exited } if (has_cross_country_restriction('users', 'list') && empty($current_User->ctry_ID)) { // User may browse other users only from the same country $Messages->add(T_('Please specify your country before attempting to contact other users.')); header_redirect(get_user_profile_url()); } $seo_page_type = 'Users list'; $robots_index = false; break; case 'user': // get user_ID because we want it in redirect_to in case we need to ask for login. $user_ID = param('user_ID', 'integer', '', true); // set where to redirect in case of error $error_redirect_to = empty($Blog) ? $baseurl : $Blog->gen_blogurl(); if (!is_logged_in()) { // Redirect to the login page if not logged in and allow anonymous user setting is OFF $user_available_by_group_level = true; if (!empty($user_ID)) { $UserCache =& get_UserCache(); if ($User =& $UserCache->get_by_ID($user_ID, false)) { // If user exists we can check if the anonymous users have an access to view the user by group level limitation $User->get_Group(); $user_available_by_group_level = $User->Group->level >= $Settings->get('allow_anonymous_user_level_min') && $User->Group->level <= $Settings->get('allow_anonymous_user_level_max'); } } if (!$Settings->get('allow_anonymous_user_profiles') || !$user_available_by_group_level || empty($user_ID)) { // If this user is not available for anonymous users $Messages->add(T_('You must log in to view this user profile.')); header_redirect(get_login_url('cannot see user'), 302); // will have exited } } if (is_logged_in() && !check_user_status('can_view_user', $user_ID)) { // user is logged in, but his/her status doesn't permit to view user profile if (check_user_status('can_be_validated')) { // user is logged in but his/her account is not active yet // Redirect to the account activation page $Messages->add(T_('You must activate your account before you can view this user profile. <b>See below:</b>')); header_redirect(get_activate_info_url(), 302); // will have exited } $Messages->add(T_('Your account status currently does not permit to view this user profile.')); header_redirect($error_redirect_to, 302); // will have exited } if (!empty($user_ID)) { $UserCache =& get_UserCache(); $User =& $UserCache->get_by_ID($user_ID, false); if (empty($User)) { $Messages->add(T_('The requested user does not exist!')); header_redirect($error_redirect_to); // will have exited } if ($User->check_status('is_closed')) { $Messages->add(T_('The requested user account is closed!')); header_redirect($error_redirect_to); // will have exited } if (has_cross_country_restriction('any')) { if (empty($current_User->ctry_ID)) { // Current User country is not set $Messages->add(T_('Please specify your country before attempting to contact other users.')); header_redirect(get_user_profile_url()); // will have exited } if (has_cross_country_restriction('users', 'profile') && $current_User->ctry_ID !== $User->ctry_ID) { // Current user country is different then edited user country and cross country user browsing is not enabled. $Messages->add(T_('You don\'t have permission to view this user profile.')); header_redirect(url_add_param($error_redirect_to, 'disp=403', '&')); // will have exited } } } // Initialize users list from session cache in order to display prev/next links: // It is used to navigate between users load_class('users/model/_userlist.class.php', 'UserList'); global $UserList; $UserList = new UserList(); $UserList->memorize = false; $UserList->load_from_Request(); $seo_page_type = 'User display'; break; case 'edit': global $current_User, $post_ID; // Post ID, go from $_GET when we edit a post from Front-office // or from $_POST when we switch from Back-office $post_ID = param('p', 'integer', empty($post_ID) ? 0 : $post_ID, true); if (!is_logged_in()) { // Redirect to the login page if not logged in and allow anonymous user setting is OFF $redirect_to = url_add_param($Blog->gen_blogurl(), 'disp=edit'); $Messages->add(T_('You must log in to create & edit posts.')); header_redirect(get_login_url('cannot edit posts', $redirect_to), 302); // will have exited } if (!$current_User->check_status('can_edit_post')) { if ($current_User->check_status('can_be_validated')) { // user is logged in but his/her account was not activated yet // Redirect to the account activation page $Messages->add(T_('You must activate your account before you can create & edit posts. <b>See below:</b>')); header_redirect(get_activate_info_url(), 302); // will have exited } // Redirect to the blog url for users without messaging permission $Messages->add(T_('You are not allowed to create & edit posts!')); header_redirect($Blog->gen_blogurl(), 302); } // user logged in and the account was activated check_item_perm_edit($post_ID); if (!blog_has_cats($Blog->ID)) { // No categories are in this blog $error_message = T_('Since this blog has no categories, you cannot post into it.'); if ($current_User->check_perm('blog_cats', 'edit', false, $Blog->ID)) { // If current user has a permission to create a category global $admin_url; $error_message .= ' ' . sprintf(T_('You must <a %s>create categories</a> first.'), 'href="' . $admin_url . '?ctrl=chapters&blog=' . $Blog->ID . '"'); } $Messages->add($error_message, 'error'); header_redirect($Blog->gen_blogurl(), 302); } // Prepare the 'In-skin editing': init_inskin_editing(); break; case 'edit_comment': global $current_User, $edited_Comment, $comment_Item, $Item, $comment_title, $comment_content, $display_params; // comment ID $comment_ID = param('c', 'integer', 0, true); if (!is_logged_in()) { // Redirect to the login page if not logged in and allow anonymous user setting is OFF $redirect_to = url_add_param($Blog->gen_blogurl(), 'disp=edit_comment'); $Messages->add(T_('You must log in to edit comments.')); header_redirect(get_login_url('cannot edit comments', $redirect_to), 302); // will have exited } if (!$current_User->check_status('can_edit_comment')) { if ($current_User->check_status('can_be_validated')) { // user is logged in but his/her account was not activated yet // Redirect to the account activation page $Messages->add(T_('You must activate your account before you can edit comments. <b>See below:</b>')); header_redirect(get_activate_info_url(), 302); // will have exited } // Redirect to the blog url for users without messaging permission $Messages->add('You are not allowed to edit comments!'); header_redirect($Blog->gen_blogurl(), 302); } if (empty($comment_ID)) { // Can't edit a not exisiting comment $Messages->add('Invalid comment edit URL!'); global $disp; $disp = 404; break; } $CommentCache =& get_CommentCache(); $edited_Comment = $CommentCache->get_by_ID($comment_ID); $comment_Item = $edited_Comment->get_Item(); if (!$current_User->check_perm('comment!CURSTATUS', 'edit', false, $edited_Comment)) { // If User has no permission to edit comments with this comment status: $Messages->add('You are not allowed to edit the previously selected comment!'); header_redirect($Blog->gen_blogurl(), 302); } $comment_title = ''; $comment_content = htmlspecialchars_decode($edited_Comment->content); // Format content for editing, if we were not already in editing... $Plugins_admin =& get_Plugins_admin(); $comment_Item->load_Blog(); $params = array('object_type' => 'Comment', 'object_Blog' => &$comment_Item->Blog); $Plugins_admin->unfilter_contents($comment_title, $comment_content, $edited_Comment->get_renderers_validated(), $params); $Item = $comment_Item; $display_params = array(); break; case 'useritems': case 'usercomments': global $display_params, $viewed_User; // get user_ID because we want it in redirect_to in case we need to ask for login. $user_ID = param('user_ID', 'integer', true, true); if (empty($user_ID)) { bad_request_die(sprintf(T_('Parameter «%s» is required!'), 'user_ID')); } // set where to redirect in case of error $error_redirect_to = empty($Blog) ? $baseurl : $Blog->gen_blogurl(); if (!is_logged_in()) { // Redirect to the login page if not logged in and allow anonymous user setting is OFF $Messages->add(T_('You must log in to view this user profile.')); header_redirect(get_login_url('cannot see user'), 302); // will have exited } if (is_logged_in() && !check_user_status('can_view_user', $user_ID)) { // user is logged in, but his/her status doesn't permit to view user profile if (check_user_status('can_be_validated')) { // user is logged in but his/her account is not active yet // Redirect to the account activation page $Messages->add(T_('You must activate your account before you can view this user profile. <b>See below:</b>')); header_redirect(get_activate_info_url(), 302); // will have exited } $Messages->add(T_('Your account status currently does not permit to view this user profile.')); header_redirect($error_redirect_to, 302); // will have exited } if (!empty($user_ID)) { $UserCache =& get_UserCache(); $viewed_User = $UserCache->get_by_ID($user_ID, false); if (empty($viewed_User)) { $Messages->add(T_('The requested user does not exist!')); header_redirect($error_redirect_to); // will have exited } if ($viewed_User->check_status('is_closed')) { $Messages->add(T_('The requested user account is closed!')); header_redirect($error_redirect_to); // will have exited } } $display_params = !empty($Skin) ? $Skin->get_template('Results') : NULL; if ($disp == 'useritems') { // Init items list global $user_ItemList; $useritems_Blog = NULL; $user_ItemList = new ItemList2($useritems_Blog, NULL, NULL, NULL, 'ItemCache', 'useritems_'); $user_ItemList->load_from_Request(); $user_ItemList->set_filters(array('authors' => $user_ID), true, true); $user_ItemList->query(); } else { // Init comments list global $user_CommentList; $user_CommentList = new CommentList2(NULL, NULL, 'CommentCache', 'usercmts_'); $user_CommentList->load_from_Request(); $user_CommentList->set_filters(array('author_IDs' => $user_ID), true, true); $user_CommentList->query(); } break; case 'comments': if (!$Blog->get_setting('comments_latest')) { // If latest comments page is disabled - Display 404 page with error message $Messages->add(T_('This feature is disabled.'), 'error'); global $disp; $disp = '404'; } break; case 'closeaccount': global $current_User; if (!$Settings->get('account_close_enabled') || is_logged_in() && $current_User->check_perm('users', 'edit', false) || !is_logged_in() && !$Session->get('account_closing_success')) { // If an account closing page is disabled - Display 404 page with error message // Don't allow admins close own accounts from front office // Don't display this message for not logged in users, except of one case to display a bye message after account closing global $disp; $disp = '404'; } elseif ($Session->get('account_closing_success')) { // User has closed the account global $account_closing_success; $account_closing_success = $Session->get('account_closing_success'); // Unset this temp session var to don't display the message twice $Session->delete('account_closing_success'); if (is_logged_in()) { // log out current User logout(); } } break; case 'tags': $seo_page_type = 'Tags'; if ($Blog->get_setting($disp . '_noindex')) { // We prefer robots not to index these pages: $robots_index = false; } break; } $Debuglog->add('skin_init: $disp=' . $disp . ' / $disp_detail=' . $disp_detail . ' / $seo_page_type=' . $seo_page_type, 'skins'); // Make this switch block special only for 404 page switch ($disp) { case '404': // We have a 404 unresolved content error // How do we want do deal with it? skin_404_header(); // This MAY or MAY not have exited -- will exit on 30x redirect, otherwise will return here. // Just in case some dumb robot needs extra directives on this: $robots_index = false; break; } global $Hit, $check_browser_version; if ($check_browser_version && $Hit->get_browser_version() > 0 && $Hit->is_IE(9, '<')) { // Display info message if browser IE < 9 version and it is allowed by config var: global $debug; $Messages->add(T_('Your web browser is too old. For this site to work correctly, we recommend you use a more recent browser.'), 'note'); if ($debug) { $Messages->add('User Agent: ' . $Hit->get_user_agent(), 'note'); } } // dummy var for backward compatibility with versions < 2.4.1 -- prevents "Undefined variable" global $global_Cache, $credit_links; $credit_links = $global_Cache->get('creds'); $Timer->pause('skin_init'); // Check if user is logged in with a not active account, and display an error message if required check_allow_disp($disp); // initialize Blog enabled widgets, before displaying anything init_blog_widgets($Blog->ID); // Initialize displaying.... $Timer->start('Skin:display_init'); $Skin->display_init(); $Timer->pause('Skin:display_init'); // Send default headers: // See comments inside of this function: headers_content_mightcache('text/html'); // In most situations, you do NOT want to cache dynamic content! // Never allow Messages to be cached! if ($Messages->count() && !empty($PageCache)) { // Abort PageCache collect $PageCache->abort_collect(); } }
* Prevent double loading since require_once won't work in all situations * on windows when some subfolders have caps :( * (Check it out on static page generation) */ if (defined('EVO_MAIN_INIT')) { return; } define('EVO_MAIN_INIT', true); /** * Security check for older PHP versions * Contributed by counterpoint / MAMBO team */ $protects = array('_REQUEST', '_GET', '_POST', '_COOKIE', '_FILES', '_SERVER', '_ENV', 'GLOBALS', '_SESSION'); foreach ($protects as $protect) { if (in_array($protect, array_keys($_REQUEST)) || in_array($protect, array_keys($_GET)) || in_array($protect, array_keys($_POST)) || in_array($protect, array_keys($_COOKIE)) || in_array($protect, array_keys($_FILES))) { bad_request_die('Unacceptable params.'); } } /* * fp> We might want to kill all auto registered globals this way: * TODO: testing * $superglobals = array($_SERVER, $_ENV, $_FILES, $_COOKIE, $_POST, $_GET); if (isset( $_SESSION )) array_unshift ( $superglobals , $_SESSION ); if (ini_get('register_globals') && !$this->mosConfig_register_globals) { foreach ( $superglobals as $superglobal ) { foreach ( $superglobal as $key => $value) { unset( $GLOBALS[$key]);
/** * Handle collections module htsrv actions */ function handle_htsrv_action() { global $demo_mode, $current_User, $DB, $Session, $Messages; global $UserSettings, $samedomain_htsrv_url; if (!is_logged_in()) { // user must be logged in bad_request_die($this->T_('You are not logged in.')); } // Init the objects we want to work on. $action = param_action(true); // Check that this action request is not a CSRF hacked request: $Session->assert_received_crumb('collections_' . $action); switch ($action) { case 'unlink': // Unlink a file from a LinkOwner ( Item, Comment ) object, and delete that file if it's not linked to any other object $link_ID = param('link_ID', 'integer', true); $redirect_to = param('redirect_to', 'url', ''); $LinkCache =& get_LinkCache(); $edited_Link =& $LinkCache->get_by_ID($link_ID, false); if (!$edited_Link) { // the edited Link object doesn't exists $Messages->add(sprintf(T_('Requested «%s» object does not exist any longer.'), T_('Link')), 'error'); header_redirect(); } // We have a link, get the LinkOwner it is attached to: $LinkOwner =& $edited_Link->get_LinkOwner(); $linked_File =& $edited_Link->get_File(); // Load the blog we're in: $Blog =& $LinkOwner->get_Blog(); set_working_blog($Blog->ID); // Check permission: $LinkOwner->check_perm('edit', true); $confirmed = param('confirmed', 'integer', 0); if ($confirmed) { // Unlink File from Item: $edited_Link->dbdelete(true); unset($edited_Link); $Messages->add($LinkOwner->translate('Link has been deleted from $ownerTitle$.'), 'success'); if ($current_User->check_perm('files', 'edit')) { // current User has permission to edit/delete files $file_name = $linked_File->get_name(); // Get number of objects where this file is attahced to // TODO: attila>this must be handled with a different function $file_links = get_file_links($linked_File->ID, array('separator' => '<br />')); $links_count = strlen($file_links) > 0 ? substr_count($file_links, '<br />') + 1 : 0; if ($links_count > 0) { // File is linked to other objects $Messages->add(sprintf(T_('File %s is still linked to %d other objects'), $file_name, $links_count), 'note'); } else { // File is not linked to other objects if ($linked_File->unlink()) { // File removed successful ( removed from db and from storage device also ) $Messages->add(sprintf(T_('File %s has been deleted.'), $file_name), 'success'); } else { // Could not completly remove the file $Messages->add(sprintf(T_('File %s could not be deleted.'), $file_name), 'error'); } } } } else { // Display confirm unlink/delete message $delete_url = $samedomain_htsrv_url . 'action.php?mname=collections&action=unlink&link_ID=' . $edited_Link->ID . '&confirmed=1&crumb_collections_unlink=' . get_crumb('collections_unlink'); $ok_button = '<span class="linkbutton"><a href="' . $delete_url . '">' . T_('I am sure!') . '!</a></span>'; $cancel_button = '<span class="linkbutton"><a href="' . $redirect_to . '">CANCEL</a></span>'; $msg = sprintf(T_('You are about to unlink and delete the attached file from %s path.'), $linked_File->get_root_and_rel_path()); $msg .= '<br />' . T_('This CANNOT be undone!') . '<br />' . T_('Are you sure?') . '<br /><br />' . $ok_button . "\t" . $cancel_button; $Messages->add($msg, 'error'); } header_redirect($redirect_to); break; case 'isubs_update': // Subscribe/Unsubscribe user on the selected item if ($demo_mode && $current_User->ID <= 3) { // don't allow default users profile change on demo mode bad_request_die('Demo mode: you can\'t edit the admin and demo users profile!<br />[<a href="javascript:history.go(-1)">' . T_('Back to profile') . '</a>]'); } // Get params $item_ID = param('p', 'integer', true); $notify = param('notify', 'integer', 0); if ($notify < 0 || $notify > 1) { // Invalid notify param. It should be 0 for unsubscribe and 1 for subscribe. $Messages->add('Invalid params!', 'error'); } if (!is_email($current_User->get('email'))) { // user doesn't have a valid email address $Messages->add(T_('Your email address is invalid. Please set your email address first.'), 'error'); } if ($Messages->has_errors()) { // errors detected header_redirect(); // already exited here } if (set_user_isubscription($current_User->ID, $item_ID, $notify)) { if ($notify == 0) { $Messages->add(T_('You have successfully unsubscribed.'), 'success'); } else { $Messages->add(T_('You have successfully subscribed to notifications.'), 'success'); } } else { $Messages->add(T_('Could not subscribe to notifications.'), 'error'); } header_redirect(); break; // already exited here } }
$current_User->check_perm('options', 'view', true); // Set admin skin, used for buttons, @see button_class() $admin_skin = $UserSettings->get('admin_skin', $current_User->ID); require_once $adminskins_path . $admin_skin . '/_adminUI.class.php'; $AdminUI = new AdminUI(); param('plugin_ID', 'integer', true); $admin_Plugins =& get_Plugins_admin(); // use Plugins_admin, because a plugin might be disabled $Plugin =& $admin_Plugins->get_by_ID($plugin_ID); if (!$Plugin) { bad_request_die('Invalid Plugin.'); } param('set_type', 'string', ''); // "Settings" or "UserSettings" if ($set_type != 'Settings') { bad_request_die('Invalid set_type param!'); } param('set_path', '/^\\w+(?:\\[\\w+\\])+$/', ''); load_funcs('plugins/_plugin.funcs.php'); // Init the new setting set: _set_setting_by_path($Plugin, $set_type, $set_path, array()); // Get the new plugin setting set and display it with a fake Form $r = get_plugin_settings_node_by_path($Plugin, $set_type, $set_path, false); $Form = new Form(); // fake Form to display plugin setting autoform_display_field($set_path, $r['set_meta'], $Form, $set_type, $Plugin, NULL, $r['set_node']); break; case 'set_object_link_position': // Change a position of a link on the edit item screen (fieldset "Images & Attachments") // Check that this action request is not a CSRF hacked request: $Session->assert_received_crumb('link');
/** * Template tag. Initializes internal states for the most common skin displays. * * For more specific skins, this function should not be called and * equivalent code should be customized within the skin. * * @param string What are we going to display. Most of the time the global $disp should be passed. */ function skin_init($disp) { /** * @var Blog */ global $Blog; /** * @var Item */ global $Item; /** * @var Skin */ global $Skin; global $robots_index; global $seo_page_type; global $redir, $ReqURL, $ReqURI, $m, $w, $preview; global $Chapter; global $Debuglog; /** * @var ItemList2 */ global $MainList; /** * This will give more detail when $disp == 'posts'; otherwise it will have the same content as $disp * @var string */ global $disp_detail, $Settings; global $Timer; global $Messages, $PageCache; $Timer->resume('skin_init'); if (empty($disp_detail)) { $disp_detail = $disp; } $Debuglog->add('skin_init: ' . $disp, 'skins'); // This is the main template; it may be used to display very different things. // Do inits depending on current $disp: switch ($disp) { case 'posts': case 'single': case 'page': case 'feedback-popup': case 'search': // We need to load posts for this display: // Note: even if we request the same post as $Item above, the following will do more restrictions (dates, etc.) // Init the MainList object: init_MainList($Blog->get_setting('posts_per_page')); // Init post navigation $post_navigation = $Skin->get_post_navigation(); if (empty($post_navigation)) { $post_navigation = $Blog->get_setting('post_navigation'); } break; } // SEO stuff & redirects if necessary: $seo_page_type = NULL; switch ($disp) { // CONTENT PAGES: case 'single': case 'page': init_ajax_forms(); // auto requires jQuery init_ratings_js(); init_voting_comment_js(); init_scrollwide_js(); // Add jQuery Wide Scroll plugin if ($disp == 'single') { $seo_page_type = 'Single post page'; } else { $seo_page_type = '"Page" page'; } // Check if the post has 'redirected' status: if (!$preview && $Item->status == 'redirected' && $redir == 'yes') { // $redir=no here allows to force a 'single post' URL for commenting // Redirect to the URL specified in the post: $Debuglog->add('Redirecting to post URL [' . $Item->url . '].'); header_redirect($Item->url, true); } // Check if we want to redirect to a canonical URL for the post // Please document encountered problems. if (!$preview && ($Blog->get_setting('canonical_item_urls') && $redir == 'yes' || $Blog->get_setting('relcanonical_item_urls'))) { // We want to redirect to the Item's canonical URL: $canonical_url = $Item->get_permanent_url('', '', '&'); if (preg_match('|[&?](page=\\d+)|', $ReqURI, $page_param)) { // A certain post page has been requested, keep only this param and discard all others: $canonical_url = url_add_param($canonical_url, $page_param[1], '&'); } if (preg_match('|[&?](mode=quote&[qcp]+=\\d+)|', $ReqURI, $page_param)) { // A quote of comment/post, keep only these params and discard all others: $canonical_url = url_add_param($canonical_url, $page_param[1], '&'); } if (!is_same_url($ReqURL, $canonical_url)) { // The requested URL does not look like the canonical URL for this post... // url difference was resolved $url_resolved = false; // Check if the difference is because of an allowed post navigation param if (preg_match('|[&?]cat=(\\d+)|', $ReqURI, $cat_param)) { // A category post navigation param is set $extended_url = ''; if ($post_navigation == 'same_category' && isset($cat_param[1])) { // navigatie through posts from the same category $category_ids = postcats_get_byID($Item->ID); if (in_array($cat_param[1], $category_ids)) { // cat param is one of this Item categories $extended_url = $Item->add_navigation_param($canonical_url, $post_navigation, $cat_param[1], '&'); // Set MainList navigation target to the requested category $MainList->nav_target = $cat_param[1]; } } $url_resolved = is_same_url($ReqURL, $extended_url); } if (!$url_resolved && $Blog->get_setting('canonical_item_urls') && $redir == 'yes' && !$Item->check_cross_post_nav('auto', $Blog->ID)) { // REDIRECT TO THE CANONICAL URL: $Debuglog->add('Redirecting to canonical URL [' . $canonical_url . '].'); header_redirect($canonical_url, true); } else { // Use rel="canoncial": add_headline('<link rel="canonical" href="' . $canonical_url . '" />'); } // EXITED. } } if (!$MainList->result_num_rows) { // There is nothing to display for this page, don't index it! $robots_index = false; } break; case 'posts': init_ajax_forms('blog'); // auto requires jQuery init_scrollwide_js('blog'); // Add jQuery Wide Scroll plugin // fp> if we add this here, we have to exetnd the inner if() // init_ratings_js( 'blog' ); // Get list of active filters: $active_filters = $MainList->get_active_filters(); if (!empty($active_filters)) { // The current page is being filtered... if (array_diff($active_filters, array('page')) == array()) { // This is just a follow "paged" page $disp_detail = 'posts-next'; $seo_page_type = 'Next page'; if ($Blog->get_setting('paged_noindex')) { // We prefer robots not to index category pages: $robots_index = false; } } elseif (array_diff($active_filters, array('cat_array', 'cat_modifier', 'cat_focus', 'posts', 'page')) == array()) { // This is a category page $disp_detail = 'posts-cat'; $seo_page_type = 'Category page'; if ($Blog->get_setting('chapter_noindex')) { // We prefer robots not to index category pages: $robots_index = false; } global $cat, $catsel; if (empty($catsel) && preg_match('~[0-9]+~', $cat)) { // We are on a single cat page: // NOTE: we must have selected EXACTLY ONE CATEGORY through the cat parameter // BUT: - this can resolve to including children // - selecting exactly one cat through catsel[] is NOT OK since not equivalent (will exclude children) // echo 'SINGLE CAT PAGE'; if ($Blog->get_setting('canonical_cat_urls') && $redir == 'yes' || $Blog->get_setting('relcanonical_cat_urls')) { // Check if the URL was canonical: if (!isset($Chapter)) { $ChapterCache =& get_ChapterCache(); /** * @var Chapter */ $Chapter =& $ChapterCache->get_by_ID($MainList->filters['cat_array'][0], false); } if ($Chapter) { if ($Chapter->parent_ID) { // This is a sub-category page (i-e: not a level 1 category) $disp_detail = 'posts-subcat'; } $canonical_url = $Chapter->get_permanent_url(NULL, NULL, $MainList->get_active_filter('page'), NULL, '&'); if (!is_same_url($ReqURL, $canonical_url)) { // fp> TODO: we're going to lose the additional params, it would be better to keep them... // fp> what additional params actually? if ($Blog->get_setting('canonical_cat_urls') && $redir == 'yes') { // REDIRECT TO THE CANONICAL URL: header_redirect($canonical_url, true); } else { // Use rel="canonical": add_headline('<link rel="canonical" href="' . $canonical_url . '" />'); } } } } if ($post_navigation == 'same_category') { // Category is set and post navigation should go through the same category, set navigation target param $MainList->nav_target = $cat; } } } elseif (array_diff($active_filters, array('tags', 'posts', 'page')) == array()) { // This is a tag page $disp_detail = 'posts-tag'; $seo_page_type = 'Tag page'; if ($Blog->get_setting('tag_noindex')) { // We prefer robots not to index tag pages: $robots_index = false; } if ($Blog->get_setting('canonical_tag_urls') && $redir == 'yes' || $Blog->get_setting('relcanonical_tag_urls')) { // Check if the URL was canonical: $canonical_url = $Blog->gen_tag_url($MainList->get_active_filter('tags'), $MainList->get_active_filter('page'), '&'); if (!is_same_url($ReqURL, $canonical_url)) { if ($Blog->get_setting('canonical_tag_urls') && $redir == 'yes') { // REDIRECT TO THE CANONICAL URL: header_redirect($canonical_url, true); } else { // Use rel="canoncial": add_headline('<link rel="canonical" href="' . $canonical_url . '" />'); } } } } elseif (array_diff($active_filters, array('ymdhms', 'week', 'posts', 'page')) == array()) { // This is an archive page // echo 'archive page'; $disp_detail = 'posts-date'; $seo_page_type = 'Date archive page'; if ($Blog->get_setting('canonical_archive_urls') && $redir == 'yes' || $Blog->get_setting('relcanonical_archive_urls')) { // Check if the URL was canonical: $canonical_url = $Blog->gen_archive_url(substr($m, 0, 4), substr($m, 4, 2), substr($m, 6, 2), $w, '&', $MainList->get_active_filter('page')); if (!is_same_url($ReqURL, $canonical_url)) { if ($Blog->get_setting('canonical_archive_urls') && $redir == 'yes') { // REDIRECT TO THE CANONICAL URL: header_redirect($canonical_url, true); } else { // Use rel="canoncial": add_headline('<link rel="canonical" href="' . $canonical_url . '" />'); } } } if ($Blog->get_setting('archive_noindex')) { // We prefer robots not to index archive pages: $robots_index = false; } } else { // Other filtered pages: // pre_dump( $active_filters ); $disp_detail = 'posts-filtered'; $seo_page_type = 'Other filtered page'; if ($Blog->get_setting('filtered_noindex')) { // We prefer robots not to index other filtered pages: $robots_index = false; } } } else { // This is the default blog page $disp_detail = 'posts-default'; $seo_page_type = 'Default page'; if ($Blog->get_setting('canonical_homepage') && $redir == 'yes' || $Blog->get_setting('relcanonical_homepage')) { // Check if the URL was canonical: $canonical_url = $Blog->gen_blogurl(); if (!is_same_url($ReqURL, $canonical_url)) { if ($Blog->get_setting('canonical_homepage') && $redir == 'yes') { // REDIRECT TO THE CANONICAL URL: header_redirect($canonical_url, true); } else { // Use rel="canoncial": add_headline('<link rel="canonical" href="' . $canonical_url . '" />'); } } } if ($Blog->get_setting('default_noindex')) { // We prefer robots not to index archive pages: $robots_index = false; } } break; case 'search': $seo_page_type = 'Search page'; if ($Blog->get_setting('filtered_noindex')) { // We prefer robots not to index these pages: $robots_index = false; } break; // SPECIAL FEATURE PAGES: // SPECIAL FEATURE PAGES: case 'feedback-popup': $seo_page_type = 'Comment popup'; if ($Blog->get_setting($disp . '_noindex')) { // We prefer robots not to index these pages: $robots_index = false; } break; case 'arcdir': $seo_page_type = 'Date archive directory'; if ($Blog->get_setting($disp . '_noindex')) { // We prefer robots not to index these pages: $robots_index = false; } break; case 'catdir': $seo_page_type = 'Category directory'; if ($Blog->get_setting($disp . '_noindex')) { // We prefer robots not to index these pages: $robots_index = false; } break; case 'msgform': init_ajax_forms('blog'); // auto requires jQuery $seo_page_type = 'Contact form'; if ($Blog->get_setting($disp . '_noindex')) { // We prefer robots not to index these pages: $robots_index = false; } break; case 'messages': case 'contacts': case 'threads': init_results_js('blog'); // Add functions to work with Results tables // just in case some robot would be logged in: $seo_page_type = 'Messaging module'; $robots_index = false; break; case 'login': global $Plugins, $transmit_hashed_password; $seo_page_type = 'Login form'; $robots_index = false; require_js('functions.js', 'blog'); $transmit_hashed_password = (bool) $Settings->get('js_passwd_hashing') && !(bool) $Plugins->trigger_event_first_true('LoginAttemptNeedsRawPassword'); if ($transmit_hashed_password) { // Include JS for client-side password hashing: require_js('sha1_md5.js', 'blog'); } break; case 'register': if (is_logged_in()) { // If user is logged in the register form should not be displayed. In this case redirect to the blog home page. $Messages->add(T_('You are already logged in.'), 'note'); header_redirect($Blog->gen_blogurl(), false); } $seo_page_type = 'Register form'; $robots_index = false; break; case 'lostpassword': if (is_logged_in()) { // If user is logged in the lost password form should not be displayed. In this case redirect to the blog home page. $Messages->add(T_('You are already logged in.'), 'note'); header_redirect($Blog->gen_blogurl(), false); } $seo_page_type = 'Lost password form'; $robots_index = false; break; case 'profile': global $rsc_url; require_css($rsc_url . 'css/jquery/smoothness/jquery-ui.css'); init_userfields_js('blog'); case 'avatar': case 'pwdchange': case 'userprefs': case 'subs': $seo_page_type = 'Special feature page'; if ($Blog->get_setting('special_noindex')) { // We prefer robots not to index these pages: $robots_index = false; } break; case 'users': $seo_page_type = 'Users list'; $robots_index = false; global $rsc_url; require_css($rsc_url . 'css/jquery/smoothness/jquery-ui.css'); init_results_js('blog'); // Add functions to work with Results tables break; case 'user': $seo_page_type = 'User display'; if (is_logged_in()) { // Used for combo_box contacts groups require_js('form_extensions.js', 'blog'); } break; case 'edit': init_datepicker_js('blog'); require_js('admin.js', 'blog'); init_inskin_editing('blog'); init_plugins_js('blog'); break; case 'edit_comment': init_plugins_js('blog'); break; case 'useritems': case 'usercomments': global $inc_path, $display_params, $viewed_User; // get user_ID because we want it in redirect_to in case we need to ask for login. $user_ID = param('user_ID', 'integer', true, true); if (empty($user_ID)) { bad_request_die(sprintf(T_('Parameter «%s» is required!'), 'user_ID')); } // set where to redirect in case of error $error_redirect_to = empty($Blog) ? $baseurl : $Blog->gen_blogurl(); if (!is_logged_in()) { // Redirect to the login page if not logged in and allow anonymous user setting is OFF $Messages->add(T_('You must log in to view this user profile.')); header_redirect(get_login_url('cannot see user'), 302); // will have exited } if (is_logged_in() && !check_user_status('can_view_user', $user_ID)) { // user is logged in, but his/her status doesn't permit to view user profile if (check_user_status('can_be_validated')) { // user is logged in but his/her account is not active yet // Redirect to the account activation page $Messages->add(T_('You must activate your account before you can view this user profile. <b>See below:</b>')); header_redirect(get_activate_info_url(), 302); // will have exited } $Messages->add(T_('Your account status currently does not permit to view this user profile.')); header_redirect($error_redirect_to, 302); // will have exited } if (!empty($user_ID)) { $UserCache =& get_UserCache(); $viewed_User = $UserCache->get_by_ID($user_ID, false); if (empty($viewed_User)) { $Messages->add(T_('The requested user does not exist!')); header_redirect($error_redirect_to); // will have exited } if ($viewed_User->check_status('is_closed')) { $Messages->add(T_('The requested user account is closed!')); header_redirect($error_redirect_to); // will have exited } } // Require results.css to display thread query results in a table require_css('results.css'); // Results/tables styles // Require functions.js to show/hide a panel with filters require_js('functions.js', 'blog'); // Include this file to expand/collapse the filters panel when JavaScript is disabled require_once $inc_path . '_filters.inc.php'; $display_params = !empty($Skin) ? $Skin->get_template('Results') : NULL; if ($disp == 'useritems') { // Init items list global $user_ItemList; $param_prefix = 'useritems_'; $page = param($param_prefix . 'paged', 'integer', 1); $orderby = param($param_prefix . 'orderby', 'string', $Blog->get_setting('orderby')); $order = param($param_prefix . 'order', 'string', $Blog->get_setting('orderdir')); $useritems_Blog = NULL; $user_ItemList = new ItemList2($useritems_Blog, NULL, NULL, NULL, 'ItemCache', $param_prefix); $user_ItemList->load_from_Request(); $user_ItemList->set_filters(array('page' => $page, 'authors' => $user_ID, 'orderby' => str_replace($param_prefix, '', $orderby), 'order' => str_replace($param_prefix, '', $order))); $user_ItemList->query(); } else { // Init comments list global $user_CommentList; $param_prefix = 'usercmts_'; $page = param($param_prefix . 'paged', 'integer', 1); $orderby = param($param_prefix . 'orderby', 'string', 'date'); $order = param($param_prefix . 'order', 'string', $Blog->get_setting('orderdir')); $user_CommentList = new CommentList2(NULL, NULL, 'CommentCache', $param_prefix); $user_CommentList->load_from_Request(); $user_CommentList->set_filters(array('page' => $page, 'author_IDs' => $user_ID, 'orderby' => str_replace($param_prefix, '', $orderby), 'order' => str_replace($param_prefix, '', $order))); $user_CommentList->query(); } break; case 'comments': if (!$Blog->get_setting('comments_latest')) { // If latest comments page is disabled - Display 404 page with error message $Messages->add(T_('This feature is disabled.'), 'error'); global $disp; $disp = '404'; } else { break; } case '404': // We have a 404 unresolved content error // How do we want do deal with it? skin_404_header(); // This MAY or MAY not have exited -- will exit on 30x redirect, otherwise will return here. // Just in case some dumb robot needs extra directives on this: $robots_index = false; break; } if (!empty($_SERVER['HTTP_USER_AGENT'])) { // Detect IE browser version preg_match('/msie (\\d+)/i', $_SERVER['HTTP_USER_AGENT'], $browser_ie); if (count($browser_ie) == 2 && $browser_ie[1] < 7) { // IE < 7 require_css('ie6.css', 'relative'); $Messages->add(T_('Your web browser is too old. For this site to work correctly, we recommend you use a more recent browser.'), 'note'); } } // dummy var for backward compatibility with versions < 2.4.1 -- prevents "Undefined variable" global $global_Cache, $credit_links; $credit_links = $global_Cache->get('creds'); $Timer->pause('skin_init'); // Check if user is logged in with a not active account, and display an error message if required check_allow_disp($disp); // initialize Blog enabled widgets, before displaying anything init_blog_widgets($Blog->ID); // Initialize displaying.... $Timer->start('Skin:display_init'); $Skin->display_init(); $Timer->pause('Skin:display_init'); // Send default headers: // See comments inside of this function: headers_content_mightcache('text/html'); // In most situations, you do NOT want to cache dynamic content! // Never allow Messages to be cached! if ($Messages->count() && !empty($PageCache)) { // Abort PageCache collect $PageCache->abort_collect(); } }
/** * This callback method removes the twitter user oAuth data from DB. */ function htsrv_unlink_account($params) { global $current_User, $Messages, $admin_url, $Session; if (!isset($params['target_type']) || !isset($params['target_id'])) { bad_request_die('Missing target params!'); } $target_type = $params['target_type']; $target_id = $params['target_id']; // Check that this action request is not a CSRF hacked request: $Session->assert_received_crumb($target_type); if ($target_type == 'blog') { // Blog settings $redirect_to = url_add_param($admin_url, 'ctrl=coll_settings&tab=plugin_settings&blog=' . $target_id); $BlogCache =& get_BlogCache(); $Blog = $BlogCache->get_by_ID($target_id); $this->delete_coll_setting('twitter_token', $target_id); $this->delete_coll_setting('twitter_secret', $target_id); $this->delete_coll_setting('twitter_contact', $target_id); $Blog->dbupdate(); } else { if ($target_type == 'user') { // User settings $redirect_to = url_add_param($admin_url, 'ctrl=user&user_tab=advanced&user_ID=' . $target_id); if (isset($current_User) && !$current_User->check_perm('users', 'edit') && $target_id != $current_User->ID) { // user is only allowed to update him/herself $Messages->add(T_('You are only allowed to update your own profile!'), 'error'); header_redirect($redirect_to); // We have EXITed already at this point!! } $this->UserSettings->delete('twitter_token', $target_id); $this->UserSettings->delete('twitter_secret', $target_id); $this->UserSettings->delete('twitter_contact', $target_id); $this->UserSettings->dbupdate(); } else { debug_die('Target type has incorrect value!'); } } $Messages->add(T_('Your twitter account has been unlinked.'), 'success'); header_redirect($redirect_to); // We have EXITed already at this point!! }
// and letting the plugin deal with its methods internally. param('method', 'string', ''); param('params', 'string', null); // serialized if (is_null($params)) { // Default: $params = array(); } else { // params given. This may result in "false", but this means that unserializing failed. $params = @unserialize($params); } if ($plugin_ID) { $Plugin =& $Plugins->get_by_ID($plugin_ID); if (!$Plugin) { bad_request_die('Invalid Plugin! (maybe not enabled?)'); } if (method_exists($Plugin, 'get_htsrv_methods')) { // TODO: get_htsrv_methods is deprecated, but should stay here for transformation! (blueyed, 2006-04-27) if (!in_array($method, $Plugin->get_htsrv_methods())) { bad_request_die('Call to non-htsrv Plugin method!'); } } else { if (!in_array($method, $Plugin->GetHtsrvMethods())) { bad_request_die('Call to non-htsrv Plugin method!'); } elseif (!method_exists($Plugin, 'htsrv_' . $method)) { bad_request_die('htsrv method does not exist!'); } } // Call the method: $Plugins->call_method($Plugin->ID, 'htsrv_' . $method, $params); }
/** * Sets a parameter with values from the request or to provided default, * except if param is already set! * * Also removes magic quotes if they are set automatically by PHP. * Also forces type. * Priority order: POST, GET, COOKIE, DEFAULT. * * @param string Variable to set * @param string Force value type to one of: * - integer * - float, double * - string (strips (HTML-)Tags, trims whitespace) * - array (TODO: array/integer , array/array/string ) * - html (does nothing) * - '' (does nothing) * - '/^...$/' check regexp pattern match (string) * - boolean (will force type to boolean, but you can't use 'true' as a default since it has special meaning. There is no real reason to pass booleans on a URL though. Passing 0 and 1 as integers seems to be best practice). * Value type will be forced only if resulting value (probably from default then) is !== NULL * @param mixed Default value or TRUE if user input required * @param boolean Do we need to memorize this to regenerate the URL for this page? * @param boolean Override if variable already set * @param boolean Force setting of variable to default if no param is sent and var wasn't set before * @param mixed true will refuse illegal values, * false will try to convert illegal to legal values, * 'allow_empty' will refuse illegal values but will always accept empty values (This helps blocking dirty spambots or borked index bots. Saves a lot of processor time by killing invalid requests) * @return mixed Final value of Variable, or false if we don't force setting and did not set */ function param($var, $type = '', $default = '', $memorize = false, $override = false, $use_default = true, $strict_typing = 'allow_empty') { global $Debuglog, $debug, $evo_charset, $io_charset; // NOTE: we use $GLOBALS[$var] instead of $$var, because otherwise it would conflict with param names which are used as function params ("var", "type", "default", ..)! /* * STEP 1 : Set the variable * * Check if already set * WARNING: when PHP register globals is ON, COOKIES get priority over GET and POST with this!!! * dh> I never understood that comment.. does it refer to "variables_order" php.ini setting? * fp> I guess */ if (!isset($GLOBALS[$var]) || $override) { if (isset($_POST[$var])) { $GLOBALS[$var] = remove_magic_quotes($_POST[$var]); // if( isset($Debuglog) ) $Debuglog->add( 'param(-): '.$var.'='.$GLOBALS[$var].' set by POST', 'params' ); } elseif (isset($_GET[$var])) { $GLOBALS[$var] = remove_magic_quotes($_GET[$var]); // if( isset($Debuglog) ) $Debuglog->add( 'param(-): '.$var.'='.$GLOBALS[$var].' set by GET', 'params' ); } elseif (isset($_COOKIE[$var])) { $GLOBALS[$var] = remove_magic_quotes($_COOKIE[$var]); // if( isset($Debuglog) ) $Debuglog->add( 'param(-): '.$var.'='.$GLOBALS[$var].' set by COOKIE', 'params' ); } elseif ($default === true) { bad_request_die(sprintf(T_('Parameter «%s» is required!'), $var)); } elseif ($use_default) { // We haven't set any value yet and we really want one: use default: $GLOBALS[$var] = $default; // echo '<br>param(-): '.$var.'='.$GLOBALS[$var].' set by default'; // if( isset($Debuglog) ) $Debuglog->add( 'param(-): '.$var.'='.$GLOBALS[$var].' set by default', 'params' ); } else { // param not found! don't set the variable. // Won't be memorized nor type-forced! return false; } } else { // Variable was already set but we need to remove the auto quotes $GLOBALS[$var] = remove_magic_quotes($GLOBALS[$var]); // if( isset($Debuglog) ) $Debuglog->add( 'param(-): '.$var.' already set to ['.var_export($GLOBALS[$var], true).']!', 'params' ); } if (isset($io_charset) && !empty($evo_charset)) { $GLOBALS[$var] = convert_charset($GLOBALS[$var], $evo_charset, $io_charset); } /* * STEP 2: make sure the data fits the expected type * * type will be forced even if it was set before and not overriden */ if (!empty($type) && $GLOBALS[$var] !== NULL) { // Force the type // echo "forcing type!"; switch ($type) { case 'html': // do nothing if (isset($Debuglog)) { $Debuglog->add('param(-): <strong>' . $var . '</strong> as RAW Unsecure HTML', 'params'); } break; case 'string': // strip out any html: // echo $var, '=', $GLOBALS[$var], '<br />'; if (!is_scalar($GLOBALS[$var])) { // This happens if someone uses "foo[]=x" where "foo" is expected as string // TODO: dh> debug_die() instead? $GLOBALS[$var] = ''; $Debuglog->add('param(-): <strong>' . $var . '</strong> is not scalar!', 'params'); } else { $GLOBALS[$var] = trim(strip_tags($GLOBALS[$var])); // Make sure the string is a single line $GLOBALS[$var] = preg_replace('¤\\r|\\n¤', '', $GLOBALS[$var]); } $Debuglog->add('param(-): <strong>' . $var . '</strong> as string', 'params'); break; default: if (substr($type, 0, 1) == '/') { // We want to match against a REGEXP: if (preg_match($type, $GLOBALS[$var])) { // Okay, match if (isset($Debuglog)) { $Debuglog->add('param(-): <strong>' . $var . '</strong> matched against ' . $type, 'params'); } } elseif ($strict_typing == 'allow_empty' && empty($GLOBALS[$var])) { // No match but we accept empty value: if (isset($Debuglog)) { $Debuglog->add('param(-): <strong>' . $var . '</strong> is empty: ok', 'params'); } } elseif ($strict_typing) { // We cannot accept this MISMATCH: bad_request_die(sprintf(T_('Illegal value received for parameter «%s»!'), $var)); } else { // Fall back to default: $GLOBALS[$var] = $default; if (isset($Debuglog)) { $Debuglog->add('param(-): <strong>' . $var . '</strong> DID NOT match ' . $type . ' set to default value=' . $GLOBALS[$var], 'params'); } } // From now on, consider this as a string: (we need this when memorizing) $type = 'string'; } elseif ($GLOBALS[$var] === '') { // Special handling of empty values. if ($strict_typing === false && $use_default) { // ADDED BY FP 2006-07-06 // We want to consider empty values as invalid and fall back to the default value: $GLOBALS[$var] = $default; } else { // We memorize the empty value as NULL: // fplanque> note: there might be side effects to this, but we need // this to distinguish between 0 and 'no input' // Note: we do this after regexps because we may or may not want to allow empty strings in regexps $GLOBALS[$var] = NULL; if (isset($Debuglog)) { $Debuglog->add('param(-): <strong>' . $var . '</strong> set to NULL', 'params'); } } } elseif ($GLOBALS[$var] === array()) { if ($strict_typing === false && $use_default) { // ADDED BY FP 2006-09-07 // We want to consider empty values as invalid and fall back to the default value: $GLOBALS[$var] = $default; } } else { if ($strict_typing) { // We want to make sure the value is valid: $regexp = ''; switch ($type) { case 'boolean': $regexp = '/^(0|1|false|true)$/i'; break; case 'integer': $regexp = '/^(\\+|-)?[0-9]+$/'; break; case 'float': case 'double': $regexp = '/^(\\+|-)?[0-9]+(.[0-9]+)?$/'; break; // Note: other types are not tested here. } if ($strict_typing == 'allow_empty' && empty($GLOBALS[$var])) { // We have an empty value and we accept it // ok.. } elseif (!empty($regexp) && (!is_scalar($GLOBALS[$var]) || !preg_match($regexp, $GLOBALS[$var]))) { // Value does not match! bad_request_die(sprintf(T_('Illegal value received for parameter «%s»!'), $var)); } } // Change the variable type: settype($GLOBALS[$var], $type); if (isset($Debuglog)) { $Debuglog->add('param(-): <strong>' . $var . '</strong> typed to ' . $type . ', new value=' . $GLOBALS[$var], 'params'); } } } } /* * STEP 3: memorize the value for later url regeneration */ if ($memorize) { // Memorize this parameter memorize_param($var, $type, $default); } // echo $var, '(', gettype($GLOBALS[$var]), ')=', $GLOBALS[$var], '<br />'; return $GLOBALS[$var]; }
$Blog = $BlogCache->get_by_ID($blog, false, false); } } if (!empty($Blog)) { // Activate Blog locale because the new item was created in-skin locale_activate($Blog->get('locale')); // Re-Init charset handling, in case current_charset has changed: init_charsets($current_charset); } $post_ID = param('post_ID', 'integer', 0); /** * Basic security checks: */ if (!is_logged_in()) { // must be logged in! bad_request_die(T_('You are not logged in.')); } // check if user can edit this post check_item_perm_edit($post_ID); $action = param_action(); if (!empty($action) && $action != 'new') { // Check that this action request is not a CSRF hacked request: $Session->assert_received_crumb('item'); } //$post_status = NULL; if ($action == 'create_publish' || $action == 'update_publish') { $post_status = load_publish_status($action == 'create_publish'); $action = substr($action, 0, 6); } else { $post_status = param('post_status', 'string', 'published'); }
/** * Assert that we received a valid crumb for the object we want to act on. * * This will DIE if we have not received a valid crumb. * * The received crumb must match a crumb we previously saved less than 2 hours ago. * * @param string crumb name * @param boolean true if the script should die on error */ function assert_received_crumb($crumb_name, $die = true) { global $servertimenow, $crumb_expires, $debug; if (!($crumb_received = param('crumb_' . $crumb_name, 'string', NULL))) { // We did not receive a crumb! if ($die) { bad_request_die('Missing crumb [' . $crumb_name . '] -- It looks like this request is not legit.'); } return false; } // Retrieve latest saved crumb: $crumb_recalled = $this->get('crumb_latest_' . $crumb_name, '-0'); list($crumb_value, $crumb_time) = explode('-', $crumb_recalled); if ($crumb_received == $crumb_value && $servertimenow - $crumb_time <= $crumb_expires) { // Crumb is valid // echo '<p>-<p>-<p>A'; return true; } $crumb_valid_latest = $crumb_value; // Retrieve previous saved crumb: $crumb_recalled = $this->get('crumb_prev_' . $crumb_name, '-0'); list($crumb_value, $crumb_time) = explode('-', $crumb_recalled); if ($crumb_received == $crumb_value && $servertimenow - $crumb_time <= $crumb_expires) { // Crumb is valid // echo '<p>-<p>-<p>B'; return true; } if (!$die) { return false; } // ERROR MESSAGE, with form/button to bypass and enough warning hopefully. // TODO: dh> please review carefully! echo '<div style="background-color: #fdd; padding: 1ex; margin-bottom: 1ex;">'; echo '<h3 style="color:#f00;">' . T_('Incorrect crumb received!') . ' [' . $crumb_name . ']</h3>'; echo '<p>' . T_('Your request was stopped for security reasons.') . '</p>'; echo '<p>' . sprintf(T_('Have you waited more than %d minutes before submitting your request?'), floor($crumb_expires / 60)) . '</p>'; echo '<p>' . T_('Please go back to the previous page and refresh it before submitting the form again.') . '</p>'; echo '</div>'; if ($debug > 0) { echo '<div>'; echo '<p>Received crumb:' . $crumb_received . '</p>'; echo '<p>Latest saved crumb:' . $crumb_valid_latest . '</p>'; echo '<p>Previous saved crumb:' . $crumb_value . '</p>'; echo '</div>'; } echo '<div>'; echo '<p class="warning">' . T_('Alternatively, you can try to resubmit your request with a refreshed crumb:') . '</p>'; $Form = new Form('', 'evo_session_crumb_resend', $_SERVER['REQUEST_METHOD']); $Form->begin_form('inline'); $Form->add_crumb($crumb_name); $Form->hiddens_by_key(remove_magic_quotes($_REQUEST)); $Form->button(array('submit', '', T_('Resubmit now!'), 'ActionButton')); $Form->end_form(); echo '</div>'; die; }
/** * Sets a parameter with values from the request or to provided default, * except if param is already set! * * Also removes magic quotes if they are set automatically by PHP. * Also forces type. * Priority order: POST, GET, COOKIE, DEFAULT. * * @todo when bad_request_die() gets called, the GLOBAL should not be left set to the invalid value! * fp> Why? if the process dies anyway * * @param string Variable to set * @param string Force value type to one of: * - integer * - float, double * - string (strips (HTML-)Tags, trims whitespace) * - text like string but allows multiple lines * - array (it may contains arbitrary array elements) NOTE: If there is one way to avoid and use some other array type then it should not be used * - array:integer (elements of array must be integer) * - array:string (strips (HTML-)Tags, trims whitespace of array's elements) * - array:/regexp/ (elements of array must match to the given regular expression) e.g. 'array:/^[a-z]*$/' * - array:array:integer (two dimensional array and the elements must be integers) * - array:array:string (strips (HTML-)Tags, trims whitespace of the two dimensional array's elements) * - html (does nothing, for now) * - raw (does nothing) * - '' (does nothing) -- DEPRECATED, use "raw" instead * - '/^...$/' check regexp pattern match (string) * - boolean (will force type to boolean, but you can't use 'true' as a default since it has special meaning. There is no real reason to pass booleans on a URL though. Passing 0 and 1 as integers seems to be best practice). * - url (like string but dies on illegal urls) * Value type will be forced only if resulting value (probably from default then) is !== NULL * @param mixed Default value or TRUE if user input required * @param boolean Do we need to memorize this to regenerate the URL for this page? * @param boolean Override if variable already set * @param boolean Force setting of variable to default if no param is sent and var wasn't set before * @param mixed true will refuse illegal values, * false will try to convert illegal to legal values, * 'allow_empty' will refuse illegal values but will always accept empty values (This helps blocking dirty spambots or borked index bots. Saves a lot of processor time by killing invalid requests) * @return mixed Final value of Variable, or false if we don't force setting and did not set */ function param($var, $type = 'raw', $default = '', $memorize = false, $override = false, $use_default = true, $strict_typing = 'allow_empty') { global $Debuglog, $debug, $evo_charset, $io_charset; // NOTE: we use $GLOBALS[$var] instead of $$var, because otherwise it would conflict with param names which are used as function params ("var", "type", "default", ..)! /* * STEP 1 : Set the variable * * Check if already set * WARNING: when PHP register globals is ON, COOKIES get priority over GET and POST with this!!! * dh> I never understood that comment.. does it refer to "variables_order" php.ini setting? * fp> I guess */ if (!isset($GLOBALS[$var]) || $override) { if (isset($_POST[$var])) { $GLOBALS[$var] = remove_magic_quotes($_POST[$var]); // if( isset($Debuglog) ) $Debuglog->add( 'param(-): '.$var.'='.$GLOBALS[$var].' set by POST', 'params' ); } elseif (isset($_GET[$var])) { $GLOBALS[$var] = remove_magic_quotes($_GET[$var]); // if( isset($Debuglog) ) $Debuglog->add( 'param(-): '.$var.'='.$GLOBALS[$var].' set by GET', 'params' ); } elseif (isset($_COOKIE[$var])) { $GLOBALS[$var] = remove_magic_quotes($_COOKIE[$var]); // if( isset($Debuglog) ) $Debuglog->add( 'param(-): '.$var.'='.$GLOBALS[$var].' set by COOKIE', 'params' ); } elseif ($default === true) { bad_request_die(sprintf(T_('Parameter «%s» is required!'), $var)); } elseif ($use_default) { // We haven't set any value yet and we really want one: use default: if (in_array($type, array('array', 'array:integer', 'array:string', 'array:array:integer', 'array:array:string')) && $default === '') { // Change default '' into array() (otherwise there would be a notice with settype() below) $default = array(); } $GLOBALS[$var] = $default; // echo '<br>param(-): '.$var.'='.$GLOBALS[$var].' set by default'; // if( isset($Debuglog) ) $Debuglog->add( 'param(-): '.$var.'='.$GLOBALS[$var].' set by default', 'params' ); } else { // param not found! don't set the variable. // Won't be memorized nor type-forced! return false; } } else { // Variable was already set but we need to remove the auto quotes $GLOBALS[$var] = remove_magic_quotes($GLOBALS[$var]); // if( isset($Debuglog) ) $Debuglog->add( 'param(-): '.$var.' already set to ['.var_export($GLOBALS[$var], true).']!', 'params' ); } if (isset($io_charset) && !empty($evo_charset)) { $GLOBALS[$var] = convert_charset($GLOBALS[$var], $evo_charset, $io_charset); } // Check if the type is the special array or regexp if (substr($type, 0, 7) == 'array:/') { // It is an array type param which may contains elements mathcing to the given regular expression $elements_regexp = substr($type, 6); $elements_type = 'string'; $type = 'array:regexp'; } /* * STEP 2: make sure the data fits the expected type * * type will be forced even if it was set before and not overriden */ if (!empty($type) && $GLOBALS[$var] !== NULL) { // Force the type // echo "forcing type!"; switch ($type) { case 'html': // Technically does the same as "raw", but may do more in the future. // Technically does the same as "raw", but may do more in the future. case 'raw': if (!is_scalar($GLOBALS[$var])) { // This happens if someone uses "foo[]=x" where "foo" is expected as string debug_die('param(-): <strong>' . $var . '</strong> is not scalar!'); } // Clean utf8: $GLOBALS[$var] = utf8_clean($GLOBALS[$var]); // do nothing if (isset($Debuglog)) { $Debuglog->add('param(-): <strong>' . $var . '</strong> as RAW Unsecure HTML', 'params'); } break; case 'htmlspecialchars': if (!is_scalar($GLOBALS[$var])) { // This happens if someone uses "foo[]=x" where "foo" is expected as string debug_die('param(-): <strong>' . $var . '</strong> is not scalar!'); } // convert all html to special characters: $GLOBALS[$var] = utf8_trim(htmlspecialchars($GLOBALS[$var], ENT_COMPAT, $evo_charset)); // cross-platform newlines: $GLOBALS[$var] = preg_replace("~(\r\n|\r)~", "\n", $GLOBALS[$var]); $Debuglog->add('param(-): <strong>' . $var . '</strong> as text with html special chars', 'params'); break; case 'text': if (!is_scalar($GLOBALS[$var])) { // This happens if someone uses "foo[]=x" where "foo" is expected as string debug_die('param(-): <strong>' . $var . '</strong> is not scalar!'); } // strip out any html: $GLOBALS[$var] = utf8_trim(utf8_strip_tags($GLOBALS[$var])); // cross-platform newlines: $GLOBALS[$var] = preg_replace("~(\r\n|\r)~", "\n", $GLOBALS[$var]); $Debuglog->add('param(-): <strong>' . $var . '</strong> as text', 'params'); break; case 'string': if (!is_scalar($GLOBALS[$var])) { // This happens if someone uses "foo[]=x" where "foo" is expected as string debug_die('param(-): <strong>' . $var . '</strong> is not scalar!'); } // echo $var, '=', $GLOBALS[$var], '<br />'; // Make sure the string is a single line $GLOBALS[$var] = preg_replace('~\\r|\\n~', '', $GLOBALS[$var]); // strip out any html: $GLOBALS[$var] = utf8_strip_tags($GLOBALS[$var]); // echo "param $var=".$GLOBALS[$var]."<br />\n"; $GLOBALS[$var] = utf8_trim($GLOBALS[$var]); // echo "param $var=".$GLOBALS[$var]."<br />\n"; $Debuglog->add('param(-): <strong>' . $var . '</strong> as string', 'params'); break; case 'url': if (!is_scalar($GLOBALS[$var])) { // This happens if someone uses "foo[]=x" where "foo" is expected as string debug_die('param(-): <strong>' . $var . '</strong> is not scalar!'); } // Decode url: $GLOBALS[$var] = urldecode($GLOBALS[$var]); // strip out any html: $GLOBALS[$var] = utf8_trim(utf8_strip_tags($GLOBALS[$var])); // Remove new line chars and double quote from url $GLOBALS[$var] = preg_replace('~\\r|\\n|"~', '', $GLOBALS[$var]); if (!empty($GLOBALS[$var]) && !preg_match('#^(/|\\?|https?://)#i', $GLOBALS[$var])) { // We cannot accept this MISMATCH: bad_request_die(sprintf(T_('Illegal value received for parameter «%s»!'), $var)); } $Debuglog->add('param(-): <strong>' . $var . '</strong> as url', 'params'); break; case 'array:integer': case 'array:array:integer': // Set elements type to integer, and set the corresponding regular expression $elements_type = 'integer'; $elements_regexp = '/^(\\+|-)?[0-9]+$/'; case 'array': case 'array:string': case 'array:regexp': case 'array:array:string': if (!is_array($GLOBALS[$var])) { // This param must be array debug_die('param(-): <strong>' . $var . '</strong> is not array!'); } // Store current array in temp var for checking and preparing $globals_var = $GLOBALS[$var]; // Check if the given array type is one dimensional array $one_dimensional = $type == 'array' || $type == 'array:integer' || $type == 'array:string' || $type == 'array:regexp'; // Check if the given array type should contains string elements $contains_strings = $type == 'array:string' || $type == 'array:array:string'; if ($one_dimensional) { // Convert to a two dimensional array to handle one and two dimensional arrays the same way $globals_var = array($globals_var); } foreach ($globals_var as $i => $var_array) { if (!is_array($var_array)) { // This param must be array // Note: In case of one dimensional array params this will never happen debug_die('param(-): <strong>' . $var . '[' . $i . ']</strong> is not array!'); } if ($type == 'array') { // This param may contain any kind of elements we need to check and validate it recursively $globals_var[$i] = param_check_general_array($var_array); break; } foreach ($var_array as $j => $var_value) { if (!is_scalar($var_value)) { // This happens if someone uses "foo[][]=x" where "foo[]" is expected as string debug_die('param(-): element of array <strong>' . $var . '</strong> is not scalar!'); } if ($contains_strings) { // Prepare string elements of array // Make sure the string is a single line $var_value = preg_replace('~\\r|\\n~', '', $var_value); // strip out any html: $globals_var[$i][$j] = utf8_trim(utf8_strip_tags($var_value)); continue; } if (isset($elements_regexp)) { // Array contains elements which must match to the given regular expression if (preg_match($elements_regexp, $var_value)) { // OK match, set the corresponding type settype($globals_var[$i][$j], $elements_type); } else { // No match, cannot accept this MISMATCH // Note: In case of array:integer or array:regexp we always use strict typing for the array elements bad_request_die(sprintf(T_('Illegal value received for parameter «%s»!'), $var)); } } } } if ($one_dimensional) { // Extract real array from temp array $globals_var = $globals_var[0]; } // Restore current array with prepared data $GLOBALS[$var] = $globals_var; $Debuglog->add('param(-): <strong>' . $var . '</strong> as ' . $type, 'params'); if ($GLOBALS[$var] === array() && $strict_typing === false && $use_default) { // We want to consider empty values as invalid and fall back to the default value: $GLOBALS[$var] = $default; } break; default: if (utf8_substr($type, 0, 1) == '/') { // We want to match against a REGEXP: if (!is_scalar($GLOBALS[$var])) { // This happens if someone uses "foo[]=x" where "foo" is expected as string debug_die('param(-): <strong>' . $var . '</strong> is not scalar!'); } elseif (preg_match($type, $GLOBALS[$var])) { // Okay, match if (isset($Debuglog)) { $Debuglog->add('param(-): <strong>' . $var . '</strong> matched against ' . $type, 'params'); } } elseif ($strict_typing == 'allow_empty' && empty($GLOBALS[$var])) { // No match but we accept empty value: if (isset($Debuglog)) { $Debuglog->add('param(-): <strong>' . $var . '</strong> is empty: ok', 'params'); } } elseif ($strict_typing) { // We cannot accept this MISMATCH: bad_request_die(sprintf(T_('Illegal value received for parameter «%s»!'), $var)); } else { // Fall back to default: $GLOBALS[$var] = $default; if (isset($Debuglog)) { $Debuglog->add('param(-): <strong>' . $var . '</strong> DID NOT match ' . $type . ' set to default value=' . $GLOBALS[$var], 'params'); } } // From now on, consider this as a string: (we need this when memorizing) $type = 'string'; } elseif ($GLOBALS[$var] === '') { // Special handling of empty values. if ($strict_typing === false && $use_default) { // ADDED BY FP 2006-07-06 // We want to consider empty values as invalid and fall back to the default value: $GLOBALS[$var] = $default; } else { // We memorize the empty value as NULL: // fplanque> note: there might be side effects to this, but we need // this to distinguish between 0 and 'no input' // Note: we do this after regexps because we may or may not want to allow empty strings in regexps $GLOBALS[$var] = NULL; if (isset($Debuglog)) { $Debuglog->add('param(-): <strong>' . $var . '</strong> set to NULL', 'params'); } } } else { if ($strict_typing) { // We want to make sure the value is valid: $regexp = ''; switch ($type) { case 'boolean': $regexp = '/^(0|1|false|true)$/i'; break; case 'integer': $regexp = '/^(\\+|-)?[0-9]+$/'; break; case 'float': case 'double': $regexp = '/^(\\+|-)?[0-9]+(.[0-9]+)?$/'; break; default: // Note: other types are not tested and they are not allowed without testing. debug_die('Invalid parameter type!'); } if ($strict_typing == 'allow_empty' && empty($GLOBALS[$var])) { // We have an empty value and we accept it // ok.. } elseif (!empty($regexp)) { if ($type == 'boolean' && strtolower($GLOBALS[$var]) == 'false') { // 'false' string must be interpreted as boolean false value $GLOBALS[$var] = false; } elseif (!is_scalar($GLOBALS[$var]) || !preg_match($regexp, $GLOBALS[$var])) { // Value of scalar var does not match! bad_request_die(sprintf(T_('Illegal value received for parameter «%s»!'), $var)); } } } // Change the variable type: settype($GLOBALS[$var], $type); if (isset($Debuglog)) { $Debuglog->add('param(-): <strong>' . var_export($var, true) . '</strong> typed to ' . $type . ', new value=' . var_export($GLOBALS[$var], true), 'params'); } } } } /* * STEP 3: memorize the value for later url regeneration */ if ($memorize) { // Memorize this parameter memorize_param($var, $type, $default); } // echo $var, '(', gettype($GLOBALS[$var]), ')=', $GLOBALS[$var], '<br />'; return $GLOBALS[$var]; }
if (!defined('EVO_MAIN_INIT')) { die('Please, do not access this page directly.'); } /** * Filelist * fp>> TODO: When the user is viewing details for a file he should (by default) not be presented with the filelist in addition to the file properties * In cases like that, we should try to avoid instanciating a Filelist. */ load_class('files/model/_filelist.class.php'); /** * @var User */ global $current_User; // Check global access permissions: if (!$Settings->get('fm_enabled')) { bad_request_die('The filemanager is disabled.'); } // Check permission: $current_User->check_perm('files', 'add', true); $AdminUI->set_path('files', 'upload'); // Params that may need to be passed through: param('fm_mode', 'string', NULL, true); param('item_ID', 'integer', NULL, true); $action = param_action(); // Standard vs Advanced mode param('uploadwithproperties', 'integer', NULL, false); if (!is_null($uploadwithproperties)) { $UserSettings->set('fm_uploadwithproperties', $uploadwithproperties); $UserSettings->dbupdate(); } else { $uploadwithproperties = $UserSettings->get('fm_uploadwithproperties');