function vote($lang, $content_id, $content_type, $nomore) { $action = 'init'; if (!$nomore) { if (isset($_POST['vote_plusone']) and isset($_POST['vote_id']) and $_POST['vote_id'] == $content_id and isset($_POST['vote_type']) and $_POST['vote_type'] == $content_type) { $action = 'vote'; } } switch ($action) { case 'vote': require_once 'clientipaddress.php'; require_once 'userprofile.php'; $ip_address = client_ip_address(); $user_id = user_profile('id'); $r = vote_plusone($content_type, $content_id, $lang, $ip_address, $user_id); break; default: break; } $vote_count = $vote_total = 0; $r = vote_get_total_count($content_type, $content_id, $lang); if ($r) { extract($r); // vote_count, vote_total } $output = view('vote', $lang, compact('content_type', 'content_id', 'vote_total', 'nomore')); return $output; }
function track($request_uri = false, $track_agent = false) { global $track_log, $track_db; global $track_agent_blacklist; if (!($track_log or $track_db)) { return true; } if (!$request_uri) { $request_uri = request_uri(); } if (!$request_uri) { return false; } $user_agent = false; if ($track_agent or $track_agent_blacklist) { $user_agent = user_agent(); if (!validate_user_agent($user_agent)) { $user_agent = false; } if ($user_agent and $track_agent_blacklist) { $reg = '/' . implode('|', $track_agent_blacklist) . '/i'; if (preg_match($reg, $user_agent)) { return true; } } } $r = true; if ($track_log) { require_once 'log.php'; $logmsg = $request_uri; if ($user_agent) { $logmsg .= "\t" . $user_agent; } $r = write_log($track_log === true ? 'track.log' : $track_log, $logmsg); if (!$r) { return false; } } if ($track_db) { $ip_address = client_ip_address(); if (!validate_ip_address($ip_address)) { return false; } $sqlipaddress = db_sql_arg($ip_address, false); $sqlrequesturi = db_sql_arg($request_uri, true); $sqluseragent = db_sql_arg($user_agent, true, true); $tabtrack = db_prefix_table($track_db === true ? 'track' : $track_db); $sql = "INSERT INTO {$tabtrack} (ip_address, request_uri, user_agent) VALUES (INET_ATON({$sqlipaddress}), {$sqlrequesturi}, {$sqluseragent})"; $r = db_insert($sql); if (!$r) { return false; } } return true; }
function write_log($logfile, $textline = false) { global $log_dir; $ipaddress = client_ip_address(); if (!validate_ip_address($ipaddress)) { return false; } $timestamp = strftime('%Y-%m-%d %H:%M:%S', time()); $logmsg = "{$timestamp} {$ipaddress}"; if ($textline) { $logmsg .= "\t{$textline}"; } $logmsg .= "\n"; $file = isset($log_dir) ? $log_dir . DIRECTORY_SEPARATOR . $logfile : $logfile; $r = @file_put_contents($file, $logmsg, FILE_APPEND); return $r; }
function login($lang) { $with_name = true; $with_captcha = true; $with_facebook = false; $with_newuser = true; $with_newpassword = true; if ($with_facebook) { require_once 'facebook.php'; $facebook = facebook(); } $login = $password = $code = $token = false; if (isset($_SESSION['login'])) { $login = $_SESSION['login']; } $action = 'init'; if (isset($_POST['login_enter'])) { $action = 'enter'; } switch ($action) { case 'init': if ($with_facebook) { $facebook_user = $facebook->getUser(); if ($facebook_user) { try { $facebook_user_profile = $facebook->api('/me', 'GET'); if (!empty($facebook_user_profile['email'])) { $login = $facebook_user_profile['email']; } $action = 'facebook'; } catch (FacebookApiException $e) { } $facebook->destroySession(); } } break; case 'enter': if (isset($_POST['login_login'])) { $login = strtolower(strflat(readarg($_POST['login_login']))); } if (isset($_POST['login_password'])) { $password = readarg($_POST['login_password']); } if (isset($_POST['login_code'])) { $code = readarg($_POST['login_code']); } if (isset($_POST['login_token'])) { $token = readarg($_POST['login_token']); } break; default: break; } $missing_code = false; $bad_code = false; $bad_token = false; $missing_login = false; $bad_login = false; $missing_password = false; $access_denied = false; switch ($action) { case 'enter': if (!isset($_SESSION['login_token']) or $token != $_SESSION['login_token']) { $bad_token = true; break; } if ($with_captcha) { if (!$code) { $missing_code = true; break; } $captcha = isset($_SESSION['captcha']['login']) ? $_SESSION['captcha']['login'] : false; if (!$captcha or $captcha != strtoupper($code)) { $bad_code = true; break; } } if (!$password) { $missing_password = true; } /* fall thru */ /* fall thru */ case 'facebook': if (!$login) { $missing_login = true; } else { if (!(validate_user_name($login) or validate_mail($login))) { $bad_login = true; } } break; default: break; } switch ($action) { case 'enter': case 'facebook': if ($bad_token or $missing_code or $bad_code or $missing_login or $bad_login or $missing_password) { break; } require_once 'models/user.inc'; $user = user_login($login, $password); if (!$user) { $access_denied = true; require_once 'log.php'; write_log('enter.err', substr($login, 0, 100)); $_SESSION['login'] = $login; break; } $user['ip'] = client_ip_address(); if (in_array('administrator', $user['role'])) { require_once 'serveripaddress.php'; require_once 'emailme.php'; global $sitename; $ip = server_ip_address(); $timestamp = strftime('%Y-%m-%d %H:%M:%S', time()); $subject = 'login' . '@' . $sitename; $msg = $ip . ' ' . $timestamp . ' ' . $user['id'] . ' ' . $lang . ' ' . $user['ip']; @emailme($subject, $msg); if ($action == 'facebook') { $access_denied = true; break; } } session_regenerate(); $_SESSION['user'] = $user; unset($_SESSION['login']); unset($_SESSION['login_token']); return true; default: break; } $connectbar = false; if ($with_facebook) { $scope = 'email'; $facebook_login_url = $facebook->getLoginUrl(compact('scope')); $connectbar = view('connect', $lang, compact('facebook_login_url')); } $password_page = $with_newpassword ? url('password', $lang) : false; $newuser_page = $with_newuser ? url('newuser', $lang) : false; $_SESSION['login_token'] = $token = token_id(); $errors = compact('missing_code', 'bad_code', 'missing_login', 'bad_login', 'missing_password', 'access_denied'); $output = view('login', $lang, compact('token', 'connectbar', 'with_captcha', 'with_name', 'password_page', 'newuser_page', 'login', 'errors')); return $output; }
function nodecomment($lang, $node_id, $node_user_id, $node_url, $nomore) { $user_id = user_profile('id'); $moderator = user_has_role('moderator'); // $user_id == $node_user_id || user_has_role('moderator') $now = time(); $message_maxlen = 1000; $with_captcha = false; $action = 'init'; if ($user_id) { if (isset($_POST['comment_comment'])) { $action = 'comment'; } else { if (isset($_POST['comment_edit'])) { $action = 'edit'; } else { if (isset($_POST['comment_validate'])) { $action = 'validate'; } else { if (isset($_POST['comment_moderate'])) { $action = 'moderate'; } else { if (isset($_POST['comment_modify'])) { $action = 'modify'; } else { if (isset($_POST['comment_delete'])) { $action = 'delete'; } } } } } } } $id = $message = $token = false; switch ($action) { case 'validate': if (isset($_POST['comment_code'])) { $code = readarg($_POST['comment_code']); } /* fall thru */ /* fall thru */ case 'comment': case 'edit': if (isset($_POST['comment_message'])) { $message = readarg($_POST['comment_message'], true, false); // trim but DON'T strip! } if (isset($_POST['comment_token'])) { $token = readarg($_POST['comment_token']); } break; case 'moderate': if (isset($_POST['comment_moderate'])) { $id = readarg($_POST['comment_moderate']); } break; case 'modify': case 'delete': if (isset($_POST['comment_id'])) { $id = readarg($_POST['comment_id']); } if (isset($_POST['comment_message'])) { $message = readarg($_POST['comment_message'], true, false); // trim but DON'T strip! } if (isset($_POST['comment_token'])) { $token = readarg($_POST['comment_token']); } break; default: break; } $missing_code = false; $bad_code = false; $bad_token = false; $missing_id = false; $bad_id = false; $missing_message = false; $message_too_long = false; switch ($action) { case 'validate': if ($with_captcha) { if (!$code) { $missing_code = true; break; } $captcha = isset($_SESSION['captcha']['comment']) ? $_SESSION['captcha']['comment'] : false; if (!$captcha or $captcha != strtoupper($code)) { $bad_code = true; break; } } /* fall thru */ /* fall thru */ case 'comment': case 'edit': case 'modify': case 'delete': if (!isset($_SESSION['comment_token']) or $token != $_SESSION['comment_token']) { $bad_token = true; } break; default: break; } switch ($action) { case 'moderate': case 'modify': case 'delete': if ($bad_token) { break; } if (!$id) { $missing_id = true; break; } if (!is_numeric($id)) { $id = false; $bad_id = true; break; } if (!$moderator) { $r = node_get_comment($node_id, $id, $lang); if (!$r) { $id = false; $bad_id = true; break; } extract($r); /* comment_user_id, comment_created */ if (!($comment_user_id == $user_id and $comment_created + 15 * 60 > $now)) { $id = false; $bad_id = true; break; } } break; default: break; } switch ($action) { case 'comment': case 'validate': case 'edit': case 'modify': if ($bad_token or $missing_code or $bad_code or $missing_id or $bad_id) { break; } if (!$message) { $missing_message = true; } else { if (strlen(utf8_decode($message)) > $message_maxlen) { $message_too_long = true; } } break; default: break; } switch ($action) { case 'validate': if ($bad_token or $missing_code or $bad_code or $missing_message or $message_too_long) { break; } $ip_address = client_ip_address(); $r = node_add_comment($node_id, $user_id, $ip_address, $message, $lang); if (!$r) { $internal_error = true; break; } require_once 'serveripaddress.php'; require_once 'emailme.php'; global $sitename; $ip = server_ip_address(); $timestamp = strftime('%Y-%m-%d %H:%M:%S', time()); $subject = 'comment' . '@' . $sitename; $msg = $ip . ' ' . $timestamp . ' ' . $user_id . ' ' . $lang . ' ' . $node_id . ' ' . $node_url; @emailme($subject, $msg); $message = false; break; case 'modify': if ($bad_token or $missing_id or $bad_id or $missing_message or $message_too_long) { break; } $r = node_set_comment($node_id, $id, $message, $lang); if (!$r) { $internal_error = true; break; } $id = $message = false; break; case 'delete': if ($bad_token or $missing_id or $bad_id) { break; } $r = node_delete_comment($node_id, $id); if (!$r) { $internal_error = true; break; } $id = $message = false; break; default: break; } $newcomment = $user_page = false; if (!$id and !$nomore) { if ($user_id) { $newcomment = true; } else { $user_page = url('user', $lang); } } $comments = node_get_all_comments($node_id, $lang); $moderated = false; if ($comments) { if ($moderator) { $moderated = true; } else { $moderated = array(); foreach ($comments as $c) { if ($c['comment_user_id'] == $user_id and $c['comment_created'] + 15 * 60 > $now) { $moderated[] = $c['comment_id']; } } } } $_SESSION['comment_token'] = $token = token_id(); $errors = compact('missing_code', 'bad_code', 'missing_message', 'message_too_long'); $output = view('nodecomment', $lang, compact('token', 'with_captcha', 'comments', 'moderated', 'id', 'newcomment', 'message', 'message_maxlen', 'user_page', 'node_url', 'errors')); return $output; }