コード例 #1
ファイル: seo_locale.php プロジェクト: JoniWeiss/JoniWebGirl
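 /**
  * Filter callback: looks for a leading locale segment in the request path
  * (a constructed example: "/de/album/"). When that segment is a valid locale
  * it is stored in the "dynamic_locale" cookie and the browser is sent, with a
  * 302, to the same URL without the segment. Any other request passes through.
  *
  * @param mixed $allow the value handed in by the filter chain; returned unchanged
  * @return mixed $allow (the function does not return when it redirects)
  */
 static function load_request($allow)
 {
     $uri = getRequestURI();
     $parts = explode('?', $uri);
     $uri = $parts[0];
     $path = ltrim(substr($uri, strlen(WEBPATH) + 1), '/');
     if (empty($path)) {
         return $allow;
     }
     $rest = strpos($path, '/');
     if ($rest === false) {
         if (strpos($path, '?') === 0) {
             // only a parameter string
             return $allow;
         }
         $l = $path;
     } else {
         $l = substr($path, 0, $rest);
     }
     $locale = validateLocale($l, 'seo_locale');
     if ($locale) {
         // set the language cookie and redirect to the "base" url
         zp_setCookie('dynamic_locale', $locale);
         // The segment is quoted so that regex metacharacters in it cannot alter the
         // pattern, and it must be followed by "/" or by the end of the path. The
         // former "[/$]" was a character class (a literal "/" or "$"), so a path that
         // ended in the bare segment was never stripped and the redirect pointed at
         // the very same URL.
         $pattern = '|/' . preg_quote($l, '|') . '(?:/|$)|';
         $uri = pathurlencode(preg_replace($pattern, '/', $uri));
         if (isset($parts[1])) {
             $uri .= '?' . $parts[1];
         }
         // NOTE(review): the Location value is the request's own path; getRequestURI()
         // is assumed to return a server-relative path that cannot start with "//"
         // (which a browser would read as a protocol-relative, off-site target) — confirm.
         header("HTTP/1.0 302 Found");
         header("Status: 302 Found");
         header('Location: ' . $uri);
         exitZP();
     }
     return $allow;
 }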
コード例 #2
 /**
  * Filter callback for "admin_login_attempt": once the core admin authority has
  * accepted a logon, the browser is sent to the admin landing page and the
  * script stops. Every other outcome is handed back untouched.
  *
  * @param mixed $success the logon result handed in by the filter chain
  * @param string $user the user name that was tried (not used here)
  * @param string $pass the password that was tried (not used here)
  * @param string $athority name of the authority that processed the logon
  * @return mixed $success, unchanged
  */
 static function adminLoginAttempt($success, $user, $pass, $athority)
 {
     $coreAuthority = ($athority == 'zp_admin_auth');
     if (!$coreAuthority || !$success) {
         return $success;
     }
     $landingPage = FULLWEBPATH . '/' . ZENFOLDER . '/admin.php';
     header('Location: ' . $landingPage);
     exitZP();
     return $success;
 }
コード例 #3
ファイル: functions-image.php プロジェクト: rb26/zenphoto
/**
 * Reports an image-processing failure and stops the script.
 *
 * With "debug" in the query string the message (together with the request URI,
 * PHP_SELF and, when known, the cache file and the album/image) is printed as
 * HTML. Otherwise the browser is redirected to a stock error image; when
 * DEBUG_IMAGE_ERR is set the message is additionally raised as an E_USER_NOTICE.
 *
 * @param string $status_text the HTTP status line sent with the redirect (e.g. "404 Not Found")
 * @param string $errormessage the error message to print if $_GET['debug'] is set.
 *   It is printed without HTML escaping, so callers must not feed it unescaped user input.
 * @param string $errorimg the filename of the error image to display for production. Defaults
 *   to 'err-imagegeneral.png'. Images should be located in /zen/images .
 */
function imageError($status_text, $errormessage, $errorimg = 'err-imagegeneral.png')
{
    global $newfilename, $album, $image;
    if (isset($_GET['debug'])) {
        $out = '<strong>' . sprintf(gettext('Zenphoto Image Processing Error: %s'), $errormessage) . '</strong>';
        $out .= '<br /><br />' . sprintf(gettext('Request URI: [ <code>%s</code> ]'), html_encode(getRequestURI()));
        $out .= '<br />PHP_SELF: [ <code>' . html_encode($_SERVER['PHP_SELF']) . '</code> ]';
        if (!empty($newfilename)) {
            $out .= '<br />' . sprintf(gettext('Cache: [<code>%s</code>]'), '/' . CACHEFOLDER . '/' . html_encode(sanitize($newfilename, 3))) . ' ';
        }
        // both the album and the image must be known for this line
        if (!empty($image) && !empty($album)) {
            $out .= ' <br />' . sprintf(gettext('Image: [<code>%s</code>]'), html_encode(sanitize($album . '/' . $image, 3))) . ' <br />';
        }
        echo $out;
    } else {
        if (DEBUG_IMAGE_ERR) {
            trigger_error($errormessage, E_USER_NOTICE);
        }
        header("HTTP/1.0 {$status_text}");
        header("Status: {$status_text}");
        header('Location: ' . FULLWEBPATH . '/' . ZENFOLDER . '/images/' . $errorimg);
    }
    exitZP();
}
コード例 #4
/**
 * Reports an image-processing failure and stops the script.
 *
 * With "debug" in the query string the message is printed as HTML. Otherwise the
 * browser is redirected to a stock error image; when DEBUG_IMAGE is set the
 * message, request URI, PHP_SELF and (if known) cache file and album/image are
 * first written to the debug log.
 *
 * @param string $status_text the HTTP status line sent with the redirect (e.g. "404 Not Found")
 * @param string $errormessage the error message to print if $_GET['debug'] is set.
 *   It is printed without HTML escaping, so callers must not feed it unescaped user input.
 * @param string $errorimg the filename of the error image to display for production. Defaults
 *   to 'err-imagegeneral.png'. Images should be located in /zen/images .
 */
function imageError($status_text, $errormessage, $errorimg = 'err-imagegeneral.png')
{
    global $newfilename, $album, $image;
    $err = sprintf(gettext('Image Processing Error: %s'), $errormessage);
    if (isset($_GET['debug'])) {
        echo '<strong>' . $err . '</strong>';
        exitZP();
        return;
    }
    if (DEBUG_IMAGE) {
        $lines = array(
            $err,
            sprintf(gettext('Request URI: [%s]'), getRequestURI()),
            'PHP_SELF: [' . sanitize($_SERVER['PHP_SELF'], 3) . ']',
        );
        if ($newfilename) {
            $lines[] = sprintf(gettext('Cache: [%s]'), '/' . CACHEFOLDER . '/' . sanitize($newfilename, 3));
        }
        if ($image || $album) {
            $lines[] = sprintf(gettext('Image: [%s]'), sanitize($album . '/' . $image, 3));
        }
        // one entry, continuation lines indented like the original log format
        debugLog(implode("\n\t\t", $lines));
    }
    header("HTTP/1.0 {$status_text}");
    header("Status: {$status_text}");
    header('Location: ' . FULLWEBPATH . '/' . ZENFOLDER . '/images/' . $errorimg);
    exitZP();
}
コード例 #5
ファイル: static_html_cache.php プロジェクト: rb26/zenphoto
 /**
  * Starts the caching: Gets either an already cached file if existing or starts the output buffering.
  *
  * A stored page is served only while it is younger than the "static_cache_expire"
  * option; an older one is removed and, if output buffering can be started, the
  * page now being generated is recorded under the same path.
  */
 function startHTMLCache()
 {
     global $_zp_gallery_page, $_zp_script_timer;
     if (!$this->enabled) {
         return;
     }
     $accessType = $this->checkIfAllowedPage();
     if (!$accessType) {
         return;
     }
     $_zp_script_timer['static cache start'] = microtime();
     $relativePath = $this->createCacheFilepath($accessType);
     if (!empty($relativePath)) {
         $cachefilepath = SERVERPATH . '/' . STATIC_CACHE_FOLDER . "/" . $relativePath;
         if (file_exists($cachefilepath)) {
             $lastmodified = filemtime($cachefilepath);
             // don't use cache if comment is posted or cache has expired
             if (time() - $lastmodified < getOption("static_cache_expire")) {
                 //send the headers!
                 header('Content-Type: text/html; charset=' . LOCAL_CHARSET);
                 header("HTTP/1.0 200 OK");
                 header("Status: 200 OK");
                 header('Last-Modified: ' . gmdate('D, d M Y H:i:s', $lastmodified) . ' GMT');
                 echo file_get_contents($cachefilepath);
                 // cache statistics; microtime() strings are "usec sec"
                 $toSeconds = function ($stamp) {
                     list($usec, $sec) = explode(' ', $stamp);
                     return (double) $usec + (double) $sec;
                 };
                 $start = $toSeconds($_zp_script_timer['start']);
                 $start_cache = $toSeconds($_zp_script_timer['static cache start']);
                 $end = $toSeconds(microtime());
                 $stats = sprintf(gettext('Cached content of %3$s served by static_html_cache in %1$.4f seconds plus %2$.4f seconds unavoidable Zenphoto overhead.'), $end - $start_cache, $start_cache - $start, date('D, d M Y H:i:s', filemtime($cachefilepath)));
                 echo "<!-- " . $stats . " -->\n";
                 exitZP();
             }
         }
         $this->deletestatic_html_cacheFile($cachefilepath);
         if (ob_start()) {
             $this->pageCachePath = $cachefilepath;
         }
     }
     // leave it out of the summary page
     unset($_zp_script_timer['static cache start']);
 }
コード例 #6
ファイル: tinyURL.php プロジェクト: ariep/ZenPhoto20-DEV
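 /**
  * Filter callback: decodes a "tiny URL" request (?p=<number>&t) into the normal
  * $_GET parameters of the object it points at.
  *
  * The low three bits of the number select the table (see self::$tableAsoc), the
  * remaining bits are the row id. Album and image links are loaded directly via
  * zp_load_album()/zp_load_image(); comment links are answered with a 301 to the
  * owning object and the script stops.
  *
  * @param mixed $success value handed in by the filter chain
  * @return mixed $success, or the result of zp_load_image()/zp_load_album()
  */
 static function parse($success)
 {
     if (isset($_GET['p']) && isset($_GET['t'])) {
         //	zenphoto tiny url
         unset($_GET['t']);
         $tiny = sanitize_numeric($_GET['p']);
         $tbl = $tiny & 7;
         if (array_key_exists($tbl, self::$tableAsoc)) {
             $tbl = self::$tableAsoc[$tbl];
             // the shift yields an integer, so only a number reaches the query
             $id = (int) ($tiny >> 3);
             $result = query_single_row('SELECT * FROM ' . prefix($tbl) . ' WHERE `id`=' . $id);
             if ($result) {
                 // initialised up front: 'albums' is also reached by fall-through from
                 // 'images', and the inner switch of 'comments' may leave $redirect unset
                 $image = NULL;
                 $album = NULL;
                 $redirect = '';
                 switch ($tbl) {
                     case 'news':
                     case 'pages':
                         $_GET['p'] = $tbl;
                         $_GET['title'] = $result['titlelink'];
                         break;
                     case 'news_categories':
                         $_GET['p'] = 'news';
                         $_GET['category'] = $result['titlelink'];
                         break;
                     case 'images':
                         $image = $_GET['image'] = $result['filename'];
                         // ids read back from the database are cast so only an integer is inlined
                         $result = query_single_row('SELECT * FROM ' . prefix('albums') . ' WHERE `id`=' . (int) $result['albumid']);
                         // no break: an image link continues with its album below
                     case 'albums':
                         $album = $_GET['album'] = $result['folder'];
                         unset($_GET['p']);
                         if (!empty($image)) {
                             $success = zp_load_image($album, $image);
                         } elseif (!empty($album)) {
                             $success = zp_load_album($album);
                         }
                         break;
                     case 'comments':
                         unset($_GET['p']);
                         $commentid = $id;
                         $type = $result['type'];
                         $result = query_single_row('SELECT * FROM ' . prefix($result['type']) . ' WHERE `id`=' . (int) $result['ownerid']);
                         // NOTE(review): folder/titlelink values are placed in the Location URL
                         // as stored; they are assumed to be URL-safe application-generated
                         // slugs — confirm.
                         switch ($type) {
                             case 'images':
                                 $image = $result['filename'];
                                 $result = query_single_row('SELECT * FROM ' . prefix('albums') . ' WHERE `id`=' . (int) $result['albumid']);
                                 $redirect = 'index.php?album=' . $result['folder'] . '&image=' . $image;
                                 break;
                             case 'albums':
                                 $album = $result['folder'];
                                 $redirect = 'index.php?album=' . $result['folder'];
                                 break;
                             case 'pages':
                                 $redirect = 'index.php?p=pages&title=' . $result['titlelink'];
                                 break;
                         }
                         $redirect .= '#zp_comment_id_' . $commentid;
                         header("HTTP/1.0 301 Moved Permanently");
                         header("Status: 301 Moved Permanently");
                         header('Location: ' . FULLWEBPATH . '/' . $redirect);
                         exitZP();
                         break;
                 }
             }
         }
     }
     return $success;
 }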
コード例 #7
ファイル: user-expiry.php プロジェクト: Simounet/zenphoto
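 /**
  * Re-validates user's e-mail via ticket.
  *
  * The ticket (GET parameter "user_expiry_reverify") is a hex-encoded serialize()d
  * array with "user", "email" and "date". Within 30 days of "date" the matching
  * administrator gets the "expiry" and "email" credentials, is marked valid,
  * logged in and sent to admin.php. Independently, a pending password renewal
  * sends the user to the users tab.
  *
  * @param string $path the script (which we ignore)
  * @return string
  */
 static function reverify($path)
 {
     //process any verifications posted
     if (isset($_GET['user_expiry_reverify'])) {
         // SECURITY(review): unserialize() runs on bytes taken straight from the query
         // string (PHP object injection surface). A JSON payload, or the allowed_classes
         // option where the PHP version permits, would remove that; the result is at
         // least type-checked before any field is read.
         // NOTE(review): nothing here verifies the ticket's origin (no signature); confirm
         // the issuing side or add an HMAC over user/email/date.
         $params = unserialize(pack("H*", trim(sanitize($_GET['user_expiry_reverify']), '.')));
         if (is_array($params) && isset($params['date'], $params['user'], $params['email']) && time() - $params['date'] < 2592000) {
             $userobj = Zenphoto_Authority::getAnAdmin(array('`user`=' => $params['user'], '`email`=' => $params['email'], '`valid`>' => 0));
             // every use of $userobj sits inside the guard; the calls after the credential
             // update used to run on a null object when no administrator matched
             if ($userobj) {
                 $credentials = $userobj->getCredentials();
                 $credentials[] = 'expiry';
                 $credentials[] = 'email';
                 $credentials = array_unique($credentials);
                 $userobj->setCredentials($credentials);
                 $userobj->setValid(1);
                 $userobj->set('loggedin', date('Y-m-d H:i:s'));
                 $userobj->save();
                 Zenphoto_Authority::logUser($userobj);
                 header("Location: " . FULLWEBPATH . '/' . ZENFOLDER . '/admin.php');
                 exitZP();
             }
         }
     }
     if (user_expiry::checkPasswordRenew()) {
         header("Location: " . FULLWEBPATH . '/' . ZENFOLDER . '/admin-users.php?page=users&tab=users');
         exitZP();
     }
     return $path;
 }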
コード例 #8
ファイル: reconfigure.php プロジェクト: ariep/ZenPhoto20-DEV
/**
 *
 * Executes the configuration change code
 *
 * @param bool $mandatory when true the signature change blocks normal processing:
 *   RSS/external requests get the canned "closed" feed and exit, a site with no
 *   unmet requirements is sent to setup, otherwise the "Setup request" page is
 *   rendered and the script stops. When false, a differing signature only
 *   registers notices for users with ADMIN_RIGHTS and processing continues.
 */
function reconfigureAction($mandatory)
{
    // $diffkeys is computed but not used below
    list($diff, $needs) = checkSignature($mandatory);
    $diffkeys = array_keys($diff);
    if ($mandatory) {
        if (isset($_GET['rss']) || isset($_GET['external'])) {
            if (isset($_GET['rss']) && file_exists(SERVERPATH . '/' . DATA_FOLDER . '/rss-closed.xml')) {
                $xml = file_get_contents(SERVERPATH . '/' . DATA_FOLDER . '/rss-closed.xml');
                // refresh the publication date of the canned feed
                $xml = preg_replace('~<pubDate>(.*)</pubDate>~', '<pubDate>' . date("r", time()) . '</pubDate>', $xml);
                echo $xml;
            }
            exit;
            //	can't really run setup from an RSS feed.
        }
        if (empty($needs)) {
            // site root = the script's directory up to ZENFOLDER, with backslashes normalised
            $dir = str_replace('\\', '/', dirname($_SERVER['SCRIPT_NAME']));
            $p = strpos($dir, ZENFOLDER);
            if ($p !== false) {
                $dir = substr($dir, 0, $p);
            }
            if (OFFSET_PATH) {
                $where = 'admin';
            } else {
                $where = 'gallery';
            }
            $dir = rtrim($dir, '/');
            // NOTE(review): the target is assembled from the Host request header with a
            // fixed "http://" scheme: behind TLS this sends the user to plain http, and a
            // Host header the web server does not validate lands verbatim in the Location.
            // Confirm the server pins Host, or build this from the configured site URL.
            $location = "http://" . $_SERVER['HTTP_HOST'] . $dir . "/" . ZENFOLDER . "/setup/index.php?autorun={$where}";
            header("Location: {$location}");
            exitZP();
        } else {
            // render the "Setup request" page in place; admin-globals.php is loaded for the
            // page chrome helpers (printLogoAndLinks, printTabs) used below
            global $subtabs, $zenphoto_tabs, $main_tab_space, $_zp_admin_tab, $_zp_invisible_execute, $_zp_gallery;
            $_zp_invisible_execute = 1;
            require_once SERVERPATH . '/' . ZENFOLDER . '/admin-globals.php';
            header('Last-Modified: ' . ZP_LAST_MODIFIED);
            header('Content-Type: text/html; charset=UTF-8');
            ?>
			<!DOCTYPE html>
			<html xmlns="http://www.w3.org/1999/xhtml">
				<head>
					<meta http-equiv="content-type" content="text/html; charset=UTF-8" />
					<link rel="stylesheet" href="<?php 
            echo WEBPATH . '/' . ZENFOLDER;
            ?>
/admin.css" type="text/css" />
					<?php 
            reconfigureCS();
            ?>
				</head>
				<body>
					<?php 
            if ($_zp_gallery) {
                printLogoAndLinks();
            }
            ?>
					<div id="main">
						<?php 
            if ($_zp_gallery) {
                printTabs();
            }
            ?>
						<div id="content">
							<h1><?php 
            echo gettext('Setup request');
            ?>
</h1>
							<div class="tabbox">
								<?php 
            reconfigurePage($diff, $needs, $mandatory);
            ?>
							</div>
						</div>
					</div>
				</body>
			</html>
			<?php 
            exitZP();
        }
    } else {
        if (!empty($diff)) {
            if (function_exists('zp_register_filter') && zp_loggedin(ADMIN_RIGHTS)) {
                //	no point in telling someone who can't do anything about it
                zp_register_filter('admin_note', 'signatureChange');
                zp_register_filter('admin_head', 'reconfigureCS');
                zp_register_filter('theme_head', 'reconfigureCS');
                zp_register_filter('theme_body_open', 'signatureChange');
            }
        }
    }
}
コード例 #9
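/**
 * Checks for Cross Site Request Forgeries
 *
 * Compares the token submitted with the request ("XSRFToken", GET or POST) with
 * the one expected for $action. On mismatch the "admin_XSRF_access" filter is
 * applied, the browser is sent to admin.php with an error message and the
 * script stops. On success the token is removed from the request arrays.
 *
 * @param string $action the action the token was issued for; it is also shown in
 *   the error message, so it is URL-encoded in the redirect
 */
function XSRFdefender($action)
{
    $token = (string) getXSRFToken($action);
    $supplied = isset($_REQUEST['XSRFToken']) ? $_REQUEST['XSRFToken'] : NULL;
    // Strict, constant-time comparison. The former "!=" compared loosely, so two
    // hex tokens that both parse as numbers (e.g. "0e" followed by digits) counted
    // as equal, and a non-string value (an array parameter) raised a notice instead
    // of being rejected. hash_equals() is not available before PHP 5.6.
    if (is_string($supplied) && function_exists('hash_equals')) {
        $valid = hash_equals($token, $supplied);
    } else {
        $valid = is_string($supplied) && $supplied === $token;
    }
    if (!$valid) {
        zp_apply_filter('admin_XSRF_access', false, $action);
        header("HTTP/1.0 302 Found");
        header("Status: 302 Found");
        // the message is a query-string value: encode it so "&", "#" and spaces in $action survive
        header('Location: ' . FULLWEBPATH . '/' . ZENFOLDER . '/admin.php?action=external&error&msg=' . urlencode(sprintf(gettext('“%s” Cross Site Request Forgery blocked.'), $action)));
        exitZP();
    }
    unset($_REQUEST['XSRFToken']);
    unset($_POST['XSRFToken']);
    unset($_GET['XSRFToken']);
}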
コード例 #10
ファイル: downloadList.php プロジェクト: rb26/zenphoto
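 /**
  * Emits a page error. Used for attempts to bypass password protection
  *
  * Sends the status line, prints a minimal HTML page with the code and the
  * message and stops the script.
  *
  * @param string $err error code
  * @param string $text error message
  *
  */
 static function pageError($err, $text)
 {
     $status = $err . ' ' . $text;
     header("HTTP/1.0 " . $status);
     header("Status: " . $status);
     // the same values are placed inside HTML, so they are escaped for that context
     $safeErr = htmlspecialchars($err, ENT_QUOTES, 'UTF-8');
     $safeText = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
     echo "<html xmlns=\"http://www.w3.org/1999/xhtml\"><head>\t<title>" . $safeErr . " - " . $safeText . "</TITLE>\t<META NAME=\"ROBOTS\" CONTENT=\"NOINDEX, FOLLOW\"></head>";
     echo "<BODY bgcolor=\"#ffffff\" text=\"#000000\" link=\"#0000ff\" vlink=\"#0000ff\" alink=\"#0000ff\">";
     echo "<FONT face=\"Helvitica,Arial,Sans-serif\" size=\"2\">";
     echo "<b>" . sprintf(gettext('Page error: %2$s (%1$s)'), $safeErr, $safeText) . "</b><br /><br />";
     echo "</body></html>";
     exitZP();
 }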
コード例 #11
/**
 * Checks to see if the current URL is a query string url when mod_rewrite is active.
 * If so it will redirects to the rewritten URL with a 301 Moved Permanently.
 *
 * Trailing slashes are normalised on the way: album, news-index and date-search
 * URLs get one; image, article and page-number URLs do not. The redirect is only
 * sent when the rewritten URL differs in its query part, or when html_encode()
 * would change the path.
 */
function fix_path_redirect()
{
    if (!MOD_REWRITE) {
        return;
    }
    $request_uri = getRequestURI(false);
    $parts = parse_url($request_uri);
    if (!isset($parts['path'])) {
        // don't know how this can happen, but if it does, don't redirect
        return;
    }
    $redirectURL = NULL;
    $query = array();
    if (isset($parts['query'])) {
        parse_str($parts['query'], $query);
        $redirectURL = zpRewriteURL($query);
    }
    $trailingSlash = (substr($parts['path'], -1, 1) == '/');
    $wrongSlash = false;
    if (isset($_GET['album'])) {
        //image URLs should not end in a slash, album URLs should (for consistency)
        $wrongSlash = isset($_GET['image']) ? $trailingSlash : !$trailingSlash;
    }
    if (isset($_GET['p'])) {
        switch ($_GET['p']) {
            case 'news':
                //article URLs should not end in slash, the news index should be news/
                $wrongSlash = $wrongSlash || (isset($_GET['title']) ? $trailingSlash : !$trailingSlash);
                break;
            case 'search':
                if (isset($_GET['date'])) {
                    $wrongSlash = $wrongSlash || !$trailingSlash;
                }
                break;
        }
    }
    //page numbers do not have trailing slash
    if (isset($_GET['page'])) {
        $wrongSlash = $wrongSlash || $trailingSlash;
    }
    if ($wrongSlash) {
        $redirectURL = zpRewriteURL($_GET);
    }
    if ($redirectURL) {
        $parts2 = parse_url($redirectURL);
        $query2 = array();
        if (isset($parts2['query'])) {
            parse_str($parts2['query'], $query2);
        }
        $stripWebpath = '~^' . WEBPATH . '/~';
        if ($query != $query2 || preg_replace($stripWebpath, '', $parts['path']) != preg_replace($stripWebpath, '', html_encode($parts['path']))) {
            // the target is re-rooted at FULLWEBPATH, so (assuming zpRewriteURL() returns a
            // site-relative path) the redirect stays on this site even though it is built
            // from request parameters
            header("HTTP/1.0 301 Moved Permanently");
            header("Status: 301 Moved Permanently");
            header('Location: ' . FULLWEBPATH . '/' . preg_replace($stripWebpath, '', $redirectURL));
            exitZP();
        }
    }
}
コード例 #12
ファイル: cookieInvalidator.php プロジェクト: benuri/DevTools
 /**
  * Stores the current time in the "cookieInvalidator_base" option and returns to
  * the admin page (presumably the reference point used elsewhere to reject older
  * cookies — confirm against the plugin's cookie check).
  */
 static function setBase()
 {
     $now = time();
     setOption('cookieInvalidator_base', $now);
     $adminPage = FULLWEBPATH . '/' . ZENFOLDER . '/admin.php';
     header('Location: ' . $adminPage);
     exitZP();
 }
コード例 #13
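/**
 * Deletes an object from the database
 *
 * @param object $obj a Zenpage object providing remove() and a $table property
 *   ('pages', 'news' or 'news_categories')
 * @param string|false $redirect when set, the admin script (relative to the
 *   zenpage plugin folder) to redirect to after a successful delete; the function
 *   then does not return. Callers must not pass user input here: the value goes
 *   into the Location header unchanged.
 * @return string an HTML message box reporting success or failure
 */
function deleteZenpageObj($obj, $redirect = false)
{
    $result = $obj->remove();
    if ($result) {
        if ($redirect) {
            header('Location: ' . FULLWEBPATH . '/' . ZENFOLDER . '/' . PLUGIN_FOLDER . '/zenpage/' . $redirect . '?deleted');
            exitZP();
        }
        $messages = array(
            'pages' => gettext("Page successfully deleted!"),
            'news' => gettext("Article successfully deleted!"),
            'news_categories' => gettext("Category successfully deleted!"),
        );
        $boxClass = 'messagebox';
    } else {
        $messages = array(
            'pages' => gettext("Page delete failed!"),
            'news' => gettext("Article delete failed!"),
            'news_categories' => gettext("Category  delete failed!"),
        );
        $boxClass = 'errorbox';
    }
    // an unknown table used to leave $msg undefined (notice + empty text); now it is an empty text
    $msg = isset($messages[$obj->table]) ? $messages[$obj->table] : '';
    return "<p class='" . $boxClass . " fade-message'>" . $msg . "</p>";
}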
コード例 #14
ファイル: functions.php プロジェクト: ariep/ZenPhoto20-DEV
/**
 *
 * Handles the POSTing of a comment
 *
 * When a comment is posted (and the hidden "username" honey-pot field is empty)
 * it is added to the current image, album, news article or page. A comment that
 * lands in moderation, or one posted on an unknown page, yields an error text;
 * otherwise the visitor is redirected back to the object (not under Microsoft
 * IIS). Without a post, a remembered commenter cookie is restored instead.
 *
 * @return NULL|boolean|string NULL when the comment was stored, the error text
 *   when it was not, false when nothing was posted
 */
function comment_form_handle_comment()
{
    global $_zp_current_image, $_zp_current_album, $_zp_comment_stored, $_zp_current_article, $_zp_current_page, $_zp_HTML_cache;
    $comment_error = 0;
    $cookie = zp_getCookie('zenphoto_comment');
    // 'username' is a honey-pot trap: a real form leaves it empty, a bot fills it
    $posted = isset($_POST['comment']) && (!isset($_POST['username']) || empty($_POST['username']));
    if (!$posted) {
        if (!empty($cookie)) {
            $cookiedata = getSerializedArray($cookie);
            if (count($cookiedata) > 1) {
                $_zp_comment_stored = $cookiedata;
            }
        }
        return false;
    }
    /*
     * do not save the post page in the cache
     * Also the cache should be cleared so that a new page is saved at the first non-comment posting viewing.
     * But this has to wait until processing is finished to avoid race conditions.
     */
    $_zp_HTML_cache->disable();
    $commentobject = NULL;
    $redirectTo = NULL;
    if (in_context(ZP_IMAGE)) {
        $commentobject = $_zp_current_image;
        $redirectTo = $_zp_current_image->getLink();
    } elseif (in_context(ZP_ALBUM)) {
        $commentobject = $_zp_current_album;
        $redirectTo = $_zp_current_album->getLink();
    } elseif (in_context(ZP_ZENPAGE_NEWS_ARTICLE)) {
        $commentobject = $_zp_current_article;
        $redirectTo = FULLWEBPATH . '/index.php?p=news&title=' . $_zp_current_article->getTitlelink();
    } elseif (in_context(ZP_ZENPAGE_PAGE)) {
        $commentobject = $_zp_current_page;
        $redirectTo = FULLWEBPATH . '/index.php?p=pages&title=' . $_zp_current_page->getTitlelink();
    } else {
        $error = gettext('Comment posted on unknown page!');
    }
    if (is_object($commentobject)) {
        $p_name = isset($_POST['name']) ? sanitize($_POST['name'], 3) : NULL;
        $p_email = NULL;
        if (isset($_POST['email'])) {
            $p_email = sanitize($_POST['email'], 3);
            if (!is_valid_email_zp($p_email)) {
                $p_email = NULL;
            }
        }
        $p_website = NULL;
        if (isset($_POST['website'])) {
            $p_website = sanitize($_POST['website'], 3);
            if ($p_website && strpos($p_website, 'http') !== 0) {
                $p_website = 'http://' . $p_website;
            }
            if (!isValidURL($p_website)) {
                $p_website = NULL;
            }
        }
        $p_comment = isset($_POST['comment']) ? sanitize($_POST['comment'], 1) : '';
        $p_server = getUserIP();
        $code1 = '';
        $code2 = '';
        if (isset($_POST['code'])) {
            $code1 = sanitize($_POST['code'], 3);
            // NOTE(review): 'code_h' is read without an isset() check; a form that sends
            // 'code' alone raises an undefined-index notice here
            $code2 = sanitize($_POST['code_h'], 3);
        }
        $p_private = isset($_POST['private']);
        $p_anon = isset($_POST['anon']);
        $commentadded = $commentobject->addComment($p_name, $p_email, $p_website, $p_comment, $code1, $code2, $p_server, $p_private, $p_anon, serialize(getCommentAddress(0)));
        $comment_error = $commentadded->getInModeration();
        $_zp_comment_stored = array(
            'name' => $commentadded->getName(),
            'email' => $commentadded->getEmail(),
            'website' => $commentadded->getWebsite(),
            'comment' => $commentadded->getComment(),
            'saved' => isset($_POST['remember']),
            'private' => $commentadded->getPrivate(),
            'anon' => $commentadded->getAnon(),
            'custom' => $commentadded->getCustomData(),
        );
        if ($comment_error) {
            $error = $commentadded->comment_error_text;
            $comment_error++;
            return $error;
        }
        $_zp_HTML_cache->clearHtmlCache();
        $error = NULL;
        if (isset($_POST['remember'])) {
            // Should always re-cookie to update info in case it's changed...
            // clear the comment itself
            $_zp_comment_stored['comment'] = '';
            zp_setCookie('zenphoto_comment', serialize($_zp_comment_stored));
        } else {
            zp_clearCookie('zenphoto_comment');
        }
        //use $redirectTo to send users back to where they came from instead of booting them back to the gallery index. (default behaviour)
        // but not for Microsoft IIS because that server fails if we redirect!
        $serverSoftware = isset($_SERVER['SERVER_SOFTWARE']) ? strtolower($_SERVER['SERVER_SOFTWARE']) : '';
        if (strpos($serverSoftware, 'microsoft-iis') === false) {
            header('Location: ' . $redirectTo . '#zp_comment_id_' . $commentadded->getId());
            exitZP();
        }
    }
    return $error;
}
コード例 #15
ファイル: lib-auth.php プロジェクト: ariep/ZenPhoto20-DEV
 /**
  * User authentication support
  *
  * Processes a posted logon form ($_POST['login']). The hidden "password" field
  * selects the mode:
  *  - default: user/password logon via self::checkLogon(), then the
  *    "admin_login_attempt" filter; on success the user is logged and the session
  *    id regenerated, on failure the auth cookie is cleared and $_zp_login_error set.
  *  - 'challenge': answer to the user's challenge phrase; a matching answer issues
  *    a password reset ticket.
  *  - 'captcha': password reset request; after a correct captcha a reset ticket is
  *    mailed to the matching administrator, else to the first one with ADMIN_RIGHTS
  *    and an e-mail address (the others are cc'd).
  *
  * @return mixed the rights of the logged-in user, false when the logon failed,
  *   otherwise $_zp_loggedin as it was
  */
 function handleLogon()
 {
     global $_zp_current_admin_obj, $_zp_login_error, $_zp_captcha, $_zp_loggedin;
     if (isset($_POST['login'])) {
         // "@" only silences the undefined-index notice for a missing form field
         $post_user = sanitize(@$_POST['user'], 0);
         $post_pass = sanitize(@$_POST['pass'], 0);
         $_zp_loggedin = false;
         switch (@$_POST['password']) {
             default:
                 $user = self::checkLogon($post_user, $post_pass);
                 if ($user) {
                     $_zp_loggedin = $user->getRights();
                 }
                 $_zp_loggedin = zp_apply_filter('admin_login_attempt', $_zp_loggedin, $post_user, $post_pass);
                 if ($_zp_loggedin) {
                     self::logUser($user);
                     $_zp_current_admin_obj = $user;
                     // fresh session id after a successful logon (session fixation defence)
                     session_regenerate_id(true);
                 } else {
                     zp_clearCookie("zp_user_auth");
                     // Clear the cookie, just in case
                     $_zp_login_error = 1;
                 }
                 break;
             case 'challenge':
                 $user = $this->getAnAdmin(array('`user`=' => $post_user, '`valid`=' => 1));
                 if (is_object($user)) {
                     $info = $user->getChallengePhraseInfo();
                     // NOTE(review): "==" compares the challenge answer loosely (numeric-looking
                     // strings compare as numbers); a strict comparison would be safer
                     if ($post_pass && $info['response'] == $post_pass) {
                         $ref = self::getResetTicket($post_user, $user->getPass());
                         // NOTE: the remainder of the next line was masked ("******") in the
                         // extracted source and is left exactly as found
                         header('location:' . WEBPATH . '/' . ZENFOLDER . '/admin-users.php?ticket=' . $ref . '&user='******'Sorry, that is not the answer.');
                 $_REQUEST['logon_step'] = 'challenge';
                 break;
             case 'captcha':
                 if ($_zp_captcha->checkCaptcha(trim(@$_POST['code']), sanitize(@$_POST['code_h'], 3))) {
                     require_once dirname(__FILE__) . '/load_objectClasses.php';
                     // be sure that the plugins are loaded for the mail handler
                     if (empty($post_user)) {
                         $requestor = gettext('You are receiving this e-mail because of a password reset request on your ZenPhoto20 gallery.');
                     } else {
                         $requestor = sprintf(gettext("You are receiving this e-mail because of a password reset request on your ZenPhoto20 gallery from a user who tried to log in as %s."), $post_user);
                     }
                     $admins = $this->getAdministrators();
                     $mails = array();
                     $user = NULL;
                     // first pass: pick the administrator named by user or e-mail; keep only
                     // full administrators with an e-mail address as alternates
                     foreach ($admins as $key => $tuser) {
                         if (!empty($tuser['email'])) {
                             if (!empty($post_user) && ($tuser['user'] == $post_user || $tuser['email'] == $post_user)) {
                                 $name = $tuser['name'];
                                 if (empty($name)) {
                                     $name = $tuser['user'];
                                 }
                                 $mails[$name] = $tuser['email'];
                                 $user = $tuser;
                                 unset($admins[$key]);
                                 // drop him from alternate list.
                             } else {
                                 if (!($tuser['rights'] & ADMIN_RIGHTS)) {
                                     unset($admins[$key]);
                                     // eliminate any peons from the list
                                 }
                             }
                         } else {
                             unset($admins[$key]);
                             // we want to ignore groups and users with no email address here!
                         }
                     }
                     // second pass: without a named recipient the first alternate becomes the
                     // addressee, the rest are cc'd
                     $cclist = array();
                     foreach ($admins as $tuser) {
                         $name = $tuser['name'];
                         if (empty($name)) {
                             $name = $tuser['user'];
                         }
                         if (is_null($user)) {
                             $user = $tuser;
                             $mails[$name] = $tuser['email'];
                         } else {
                             $cclist[$name] = $tuser['email'];
                         }
                     }
                     if (is_null($user)) {
                         $_zp_login_error = gettext('There was no one to which to send the reset request.');
                     } else {
                         $ref = self::getResetTicket($user['user'], $user['pass']);
                         // NOTE: part of the next line was masked ("******") in the extracted
                         // source and is left exactly as found
                         $msg = "\n" . $requestor . "\n" . sprintf(gettext("To reset your Admin passwords visit: %s"), FULLWEBPATH . "/" . ZENFOLDER . "/admin-users.php?ticket={$ref}&user="******"\n" . gettext("If you do not wish to reset your passwords just ignore this message. This ticket will automatically expire in 3 days.");
                         $err_msg = zp_mail(gettext("The ZenPhoto20 information you requested"), $msg, $mails, $cclist);
                         if (empty($err_msg)) {
                             $_zp_login_error = 2;
                         } else {
                             $_zp_login_error = $err_msg;
                         }
                     }
                 } else {
                     $_zp_login_error = gettext('Your input did not match the captcha');
                     $_REQUEST['logon_step'] = 'captcha';
                 }
                 break;
         }
     }
     return $_zp_loggedin;
 }
コード例 #16
ファイル: rss.php プロジェクト: JoniWeiss/JoniWebGirl
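/**
 * Entry point for RSS requests: builds the feed described by the query string
 * and prints it, then terminates the request.
 *
 * The whole (sanitized) $_GET array is handed to the RSS class, so feed type
 * and parameters are entirely request-controlled; the class is relied on to
 * validate them.
 *
 * @return void this function never returns normally (exitZP() ends the request)
 */
function executeRSS()
{
    // Default to the gallery feed when no feed type was requested. empty()
    // replaces the bare `!$_GET['rss']` test, which raised an undefined-index
    // notice whenever the parameter was absent.
    if (empty($_GET['rss'])) {
        $_GET['rss'] = 'gallery';
    }
    // NOTE(review): this assigns a local variable; if the global page marker is
    // intended, the function needs `global $_zp_gallery_page;` first — confirm.
    $_zp_gallery_page = 'rss.php';
    $rss = new RSS(sanitize($_GET));
    $rss->printFeed();
    exitZP();
}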
 /**
  * Filter on the theme page count: substitutes the favorites page's own count.
  *
  * Only acts when the gallery page is "favorites"; for every other page the
  * supplied $count is returned untouched.
  *
  * @param int $count page count computed by the caller
  * @param string $gallery_page theme script name (suffix is stripped before comparing)
  * @param int $page page currently being displayed
  * @return int
  */
 static function pageCount($count, $gallery_page, $page)
 {
     global $_firstPageImages, $_oneImagePage;
     if (stripSuffix($gallery_page) == 'favorites') {
         $albums_per_page = max(1, getOption('albums_per_page'));
         $pageCount = (int) ceil(getNumAlbums() / $albums_per_page);
         $imageCount = getNumImages();
         if ($_oneImagePage) {
             // a strictly-true $_oneImagePage shows at most one image; any other truthy value shows none
             if ($_oneImagePage === true) {
                 $imageCount = min(1, $imageCount);
             } else {
                 $imageCount = 0;
             }
         }
         $images_per_page = max(1, getOption('images_per_page'));
         // album pages first, then the remaining images spread over image pages
         $count = $pageCount + (int) ceil(($imageCount - $_firstPageImages) / $images_per_page);
         if ($count < $page && isset($_POST['addToFavorites']) && !$_POST['addToFavorites']) {
             //We've deleted last item on page, need a place to land when we return
             global $_zp_page;
             // BUG(review): this is a static method, so `$this` is unavailable and the
             // line below raises "Using $this when not in object context" at runtime;
             // the link has to come from a static helper or an object passed in.
             header('location: ' . FULLWEBPATH . '/' . $this->getLink($_zp_page - 1));
             exitZP();
         }
     }
     return $count;
 }
/**
 * Prints the Galleria slideshow for albums or search results.
 *
 * Two ways to use (see readme/documentation):
 * a) Used on the included theme slideshow.php page and called via printSlideShowLink() from the core slideshow plugin:
 * b) Calling directly via printGslideshow() function in a template file or codeblock.
 *
 * When called via the slideshow link, all slideshow state (album id, image
 * number, page number, search parameters, ...) arrives in $_POST and is
 * therefore request-controlled; numeric values go through sanitize_numeric()
 * and the rest through sanitize() before use.
 *
 * @param obj $albumobj The object of the album to show the slideshow of. Not needed if calling slideshow from album, image, or search.
 * @param obj $imageobj The object of the image to start the slideshow with. If not set the slideshow starts with the first image of the album, or current image if called from image.php. Not needed if calling slideshow from album, image, or search.
 * @param bool $linkslides Set to true if you want the slides to be linked to their image pages
 * @param mixed $autoplay true to autoplay slideshow with interval set in options, false to start with slideshow stopped.  Set integer in milliseconds to autoplay at that interval (Ex. 4000), overriding plugin option set.
 * @param bool $forceheight passed through to printGalleriaRun()
 * @param bool $shuffle Set to true if you want random (shuffled) order of the slides
 *
 * */
function printGslideshow($albumobj = null, $imageobj = null, $linkslides = true, $autoplay = true, $forceheight = false, $shuffle = false)
{
    // name of the JavaScript variable filled in below and handed to printGalleriaRun()
    $data = 'data';
    // no POST data from slidehow link and $albumobj provided is not valid, exit
    if (!isset($_POST['albumid']) and !is_object($albumobj)) {
        echo "<div class=\"errorbox\" id=\"message\"><h2>" . gettext("Invalid linking to the slideshow page.") . "</h2></div>";
        echo "</div></body></html>";
        exitZP();
    }
    global $_zp_current_image, $_zp_current_album, $_zp_gallery, $_myFavorites, $_zp_conf_vars;
    $imagenumber = 0;
    //getting the image to start with
    if (!empty($_POST['imagenumber']) and !is_object($imageobj)) {
        $imagenumber = sanitize_numeric($_POST['imagenumber']) - 1;
        // slideshows starts with 0, but zp with 1.
    } elseif (is_object($imageobj)) {
        makeImageCurrent($imageobj);
        $imagenumber = imageNumber() - 1;
    }
    // set pagenumber to 0 if not called via POST link
    if (isset($_POST['pagenr'])) {
        $pagenumber = sanitize_numeric($_POST['pagenr']);
    } else {
        $pagenumber = 1;
    }
    // getting the number of images
    if (!empty($_POST['numberofimages'])) {
        $numberofimages = sanitize_numeric($_POST['numberofimages']);
    } elseif (is_object($albumobj)) {
        $numberofimages = $albumobj->getNumImages();
    } else {
        $numberofimages = 0;
    }
    // clamp an out-of-range start index back to the first slide
    // NOTE(review): `< 2` also resets a start index of 1 (the second image) to 0 — confirm intent
    if ($imagenumber < 2 || $imagenumber > $numberofimages) {
        $imagenumber = 0;
    }
    //getting the album to show
    if (!empty($_POST['albumid']) && !is_object($albumobj)) {
        $albumid = sanitize_numeric($_POST['albumid']);
        $embedded = false;
    } elseif (is_object($albumobj)) {
        $albumid = $albumobj->getID();
        $embedded = true;
    } else {
        $albumid = 0;
        $embedded = false;
    }
    if ($numberofimages == 0) {
        return NULL;
    }
    // get slideshow data
    if (isset($_POST['preserve_search_params'])) {
        // search page
        // NOTE(review): no access check is performed on this branch or the favorites
        // branch below; the album branch is the only one that calls checkAlbumPassword().
        // Presumably SearchEngine filters protected content itself — confirm.
        $search = new SearchEngine();
        $params = sanitize($_POST['preserve_search_params']);
        $search->setSearchParams($params);
        $images = $search->getImages(0);
        $searchwords = $search->getSearchWords();
        $searchdate = $search->getSearchDate();
        $searchfields = $search->getSearchFields(true);
        $page = $search->page;
        $returnpath = getSearchURL($searchwords, $searchdate, $searchfields, $page);
        $albumtitle = gettext('Search');
    } else {
        if (isset($_POST['favorites_page'])) {
            $album = $_myFavorites;
            $albumtitle = gettext('My Favorites');
            $images = $album->getImages(0);
            $returnpath = rewrite_path(favorites::getFavorites_link() . '/' . $pagenumber, FULLWEBPATH . '/index.php?p=favorites' . '&page=' . $pagenumber);
        } else {
            // $albumid is interpolated into the SQL; that is only acceptable because it
            // comes from sanitize_numeric() (POST path) or getID() (object path) above
            $albumq = query_single_row("SELECT title, folder FROM " . prefix('albums') . " WHERE id = " . $albumid);
            $album = newAlbum($albumq['folder']);
            $albumtitle = $album->getTitle();
            // access control: the viewer must either own the album or have supplied its password
            if (!$album->isMyItem(LIST_RIGHTS) && !checkAlbumPassword($albumq['folder'])) {
                echo gettext("This album is password protected!");
                exitZP();
            }
            // NOTE(review): $dynamic is assigned but never read
            $dynamic = $album->isDynamic();
            $images = $album->getImages(0);
            // return path to get back to the page we called the slideshow from
            if (empty($_POST['imagenumber'])) {
                $returnpath = rewrite_path('/' . pathurlencode($album->name) . '/page/' . $pagenumber, '/index.php?album=' . urlencode($album->name) . '&page=' . $pagenumber);
            } else {
                // NOTE(review): $_POST['imagefile'] is sanitize()d in the first branch but only
                // urlencode()d in the second; the encoding keeps it URL-safe either way
                $returnpath = rewrite_path('/' . pathurlencode($album->name) . '/' . rawurlencode(sanitize($_POST['imagefile'])) . getOption('mod_rewrite_image_suffix'), '/index.php?album=' . urlencode($album->name) . '&image=' . urlencode($_POST['imagefile']));
            }
        }
    }
    if ($shuffle) {
        shuffle($images);
    }
    // slideshow display section
    ?>

			<script>
				var data = [
				<?php 
    // emit one JS object literal per photo; $cntr is unused and $idx always equals $imgnr
    for ($imgnr = 0, $cntr = 0, $idx = 0; $imgnr < $numberofimages; $imgnr++, $idx++) {
        // search results are arrays (folder + filename); album listings are bare filenames
        if (is_array($images[$idx])) {
            $filename = $images[$idx]['filename'];
            $album = newAlbum($images[$idx]['folder']);
            $image = newImage($album, $filename);
        } else {
            $filename = $images[$idx];
            $image = newImage($album, $filename);
        }
        $ext = isImagePhoto($image);
        if ($ext) {
            makeImageCurrent($image);
            echo '{' . "\n";
            // NOTE(review): the three URLs below are written into single-quoted JS string
            // literals without js_encode(); this assumes the generated URLs never contain a
            // quote or newline — confirm against getCustomSizedImageMaxSpace()
            echo 'thumb: \'' . getCustomSizedImageMaxSpace(getOption('gslideshow_thumbsize'), getOption('gslideshow_thumbsize')) . '\',' . "\n";
            echo 'image: \'' . getCustomSizedImageMaxSpace(getOption('gslideshow_mediumsize'), getOption('gslideshow_mediumsize')) . '\',' . "\n";
            echo 'big: \'' . getCustomSizedImageMaxSpace(getOption('gslideshow_bigsize'), getOption('gslideshow_bigsize')) . '\',' . "\n";
            echo 'title: \'' . js_encode($image->getTitle()) . '\',' . "\n";
            $desc = $image->getDesc();
            $desc = str_replace("\r\n", '<br />', $desc);
            $desc = str_replace("\r", '<br />', $desc);
            echo 'description: \'' . js_encode($desc) . '\',' . "\n";
            if ($linkslides) {
                // NOTE(review): this value lands in a JS string literal like title/description
                // above but is escaped with html_encode() rather than js_encode() — the escaping
                // is inconsistent with its context; confirm html_encode() is sufficient here.
                // Also, when $linkslides is false the description line leaves a trailing comma
                // before the closing brace.
                echo 'link: \'' . html_encode($image->getLink()) . '\'' . "\n";
            }
            // the last object gets no trailing comma
            if ($imgnr == $numberofimages - 1) {
                echo '}' . "\n";
            } else {
                echo '},' . "\n";
            }
        }
    }
    echo "\n";
    ?>
				];
			</script>
			<?php 
    printGalleriaRun($data, $linkslides, $autoplay, $embedded, $forceheight, $imagenumber, $albumtitle, $returnpath);
    //restore_context(); // needed if the slideshow is for example called directly via album object before the next_album loop on index.php
}
/**
 * Deletes a news article from the database.
 *
 * @param string|object $titlelink either the article's titlelink or an already
 *   constructed ZenpageNews object
 * @return string an HTML status message; when an object was passed and the
 *   removal succeeded the caller is redirected to the admin article list instead
 *   and this function never returns
 */
function deleteArticle($titlelink)
{
    $passedObject = is_object($titlelink);
    $article = $passedObject ? $titlelink : new ZenpageNews($titlelink);
    if (!$article->remove()) {
        return "<p class='errorbox fade-message'>" . gettext("Article delete failed!") . "</p>";
    }
    if ($passedObject) {
        // invoked from the admin article list: bounce straight back to it
        header('Location: ' . FULLWEBPATH . '/' . ZENFOLDER . '/' . PLUGIN_FOLDER . '/zenpage/admin-news-articles.php?deleted');
        exitZP();
    }
    // the removed article must no longer show up in cached search results
    SearchEngine::clearSearchCache();
    return "<p class='messagebox fade-message'>" . gettext("Article successfully deleted!") . "</p>";
}
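/**
 * checks password posting
 *
 * Works out which credential set guards the current request (full image,
 * search, album, zenpage page, or failing all of those the gallery itself)
 * unless the caller supplies one, then either processes a submitted login
 * form or validates the saved auth cookie.
 *
 * @param string $authType override of athorization type
 * @param string $check_auth expected password hash; only used together with $authType
 * @param string $check_user expected user name; only used together with $authType
 * @return void
 */
function zp_handle_password($authType = NULL, $check_auth = NULL, $check_user = NULL)
{
    global $_zp_loggedin, $_zp_login_error, $_zp_current_album, $_zp_current_zenpage_page, $_zp_gallery;
    if (empty($authType)) {
        // not supplied by caller
        $check_auth = '';
        // explicit isset() instead of `@$_GET['p']` error suppression; the outcome is the same
        if ((isset($_GET['z'], $_GET['p']) && $_GET['p'] == 'full-image') || (isset($_GET['p']) && $_GET['p'] == '*full-image')) {
            $authType = 'zp_image_auth';
            $check_auth = getOption('protected_image_password');
            $check_user = getOption('protected_image_user');
        } else {
            if (in_context(ZP_SEARCH)) {
                // search page
                $authType = 'zp_search_auth';
                $check_auth = getOption('search_password');
                $check_user = getOption('search_user');
            } else {
                if (in_context(ZP_ALBUM)) {
                    // album page
                    $authType = "zp_album_auth_" . $_zp_current_album->getID();
                    $check_auth = $_zp_current_album->getPassword();
                    $check_user = $_zp_current_album->getUser();
                    if (empty($check_auth)) {
                        // an unprotected album inherits the nearest protected ancestor's credentials
                        $parent = $_zp_current_album->getParent();
                        while (!is_null($parent)) {
                            $check_auth = $parent->getPassword();
                            $check_user = $parent->getUser();
                            $authType = "zp_album_auth_" . $parent->getID();
                            if (!empty($check_auth)) {
                                break;
                            }
                            $parent = $parent->getParent();
                        }
                    }
                } else {
                    if (in_context(ZP_ZENPAGE_PAGE)) {
                        $authType = "zp_page_auth_" . $_zp_current_zenpage_page->getID();
                        $check_auth = $_zp_current_zenpage_page->getPassword();
                        $check_user = $_zp_current_zenpage_page->getUser();
                        if (empty($check_auth)) {
                            // same inheritance rule for zenpage pages, walking parent ids from the database
                            $pageobj = $_zp_current_zenpage_page;
                            while (empty($check_auth)) {
                                $parentID = $pageobj->getParentID();
                                if ($parentID == 0) {
                                    break;
                                }
                                // $parentID is interpolated into the SQL; presumably getParentID() returns an integer id — confirm
                                $sql = 'SELECT `titlelink` FROM ' . prefix('pages') . ' WHERE `id`=' . $parentID;
                                $result = query_single_row($sql);
                                $pageobj = new ZenpagePage($result['titlelink']);
                                $authType = "zp_page_auth_" . $pageobj->getID();
                                $check_auth = $pageobj->getPassword();
                                $check_user = $pageobj->getUser();
                            }
                        }
                    }
                }
            }
        }
        if (empty($check_auth)) {
            // anything else is controlled by the gallery credentials
            $authType = 'zp_gallery_auth';
            $check_auth = $_zp_gallery->getPassword();
            $check_user = $_zp_gallery->getUser();
        }
    }
    // Handle the login form.
    if (DEBUG_LOGIN) {
        debugLog("zp_handle_password: \$authType={$authType}; \$check_auth={$check_auth}; \$check_user={$check_user}; ");
    }
    if (isset($_POST['password']) && isset($_POST['pass'])) {
        // process login form
        if (isset($_POST['user'])) {
            $post_user = sanitize($_POST['user']);
        } else {
            $post_user = '';
        }
        $post_pass = $_POST['pass'];
        // We should not sanitize the password
        // try every supported hash scheme so credentials stored under an older scheme still work
        foreach (Zenphoto_Authority::$hashList as $hash => $hi) {
            $auth = Zenphoto_Authority::passwordHash($post_user, $post_pass, $hi);
            // Strict, constant-time comparison of the hashes. The loose `==` previously used
            // treats numeric-looking strings (e.g. ones starting with "0e") as numbers and
            // would equate distinct hashes. The string casts keep the original ''/NULL
            // equivalence for a credential set that has no user name configured.
            $success = hash_equals((string) $check_auth, (string) $auth) && (string) $post_user === (string) $check_user;
            if (DEBUG_LOGIN) {
                // the submitted password is deliberately not written to the debug log
                debugLog("zp_handle_password({$success}): \$post_user={$post_user}; \$post_pass=[redacted]; \$check_auth={$check_auth}; \$auth={$auth}; \$hash={$hash};");
            }
            if ($success) {
                break;
            }
        }
        // plugins may veto or grant the login (e.g. rate limiting)
        $success = zp_apply_filter('guest_login_attempt', $success, $post_user, $post_pass, $authType);
        if ($success) {
            // Correct auth info. Set the cookie.
            if (DEBUG_LOGIN) {
                debugLog("zp_handle_password: valid credentials");
            }
            zp_setCookie($authType, $auth);
            if (isset($_POST['redirect'])) {
                // sanitizeRedirect() is what keeps this from becoming an open redirect
                $redirect_to = sanitizeRedirect($_POST['redirect'], true);
                if (!empty($redirect_to)) {
                    header("Location: " . $redirect_to);
                    exitZP();
                }
            }
        } else {
            // Clear the cookie, just in case
            if (DEBUG_LOGIN) {
                debugLog("zp_handle_password: invalid credentials");
            }
            zp_clearCookie($authType);
            $_zp_login_error = true;
        }
        return;
    }
    if (empty($check_auth)) {
        //no password on record or admin logged in
        return;
    }
    if (($saved_auth = zp_getCookie($authType)) != '') {
        // the cookie value is client supplied: compare it strictly and in constant time
        if (hash_equals((string) $check_auth, (string) $saved_auth)) {
            if (DEBUG_LOGIN) {
                debugLog("zp_handle_password: valid cookie");
            }
            return;
        } else {
            // Clear the cookie
            if (DEBUG_LOGIN) {
                debugLog("zp_handle_password: invalid cookie");
            }
            zp_clearCookie($authType);
        }
    }
}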
/**
 * Checks to see if the current URL is a query string url when mod_rewrite is active.
 * If so it will redirect to the rewritten URL with a 301 Moved Permanently.
 *
 * The redirect target is built from the request's own query string via
 * zpRewriteURL(); it is appended to FULLWEBPATH, so only a path relative to
 * the site is expected back from that helper.
 *
 * @return void
 */
function fix_path_redirect()
{
    if (!MOD_REWRITE) {
        return;
    }
    $parts = parse_url(getRequestURI());
    if (!isset($parts['query'])) {
        return;
    }
    parse_str($parts['query'], $query);
    $redirectURL = zpRewriteURL($query);
    if (!$redirectURL) {
        // no rewritten form exists for this query string
        return;
    }
    header("HTTP/1.0 301 Moved Permanently");
    header("Status: 301 Moved Permanently");
    header('Location: ' . FULLWEBPATH . '/' . $redirectURL);
    exitZP();
}
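 /**
  * Responds to a request for a feed that does not exist: renders the core
  * 404 template and ends the request.
  *
  * The 404 status is sent explicitly before the include; without it the
  * template would go out with the default 200 status, which feed readers
  * and crawlers would treat as a valid (empty) feed.
  */
 protected static function feed404()
 {
     header("HTTP/1.0 404 Not Found");
     header("Status: 404 Not Found");
     include SERVERPATH . '/' . ZENFOLDER . '/404.php';
     exitZP();
 }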
 /**
  * Monitors front end access and terminates the request with a 403 when the
  * client is blocked or suspended; otherwise returns nothing and the request
  * proceeds normally.
  *
  * @return void
  */
 static function load()
 {
     if (!self::blocked() && !self::suspended()) {
         return;
     }
     // NOTE(review): the 30 s delay holds a PHP worker for every blocked request;
     // many concurrent blocked requests could tie up the worker pool — confirm intended
     sleep(30);
     header("HTTP/1.0 403 " . gettext("Forbidden"));
     header("Status: 403 " . gettext("Forbidden"));
     // terminate the script with no output
     exitZP();
 }
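 /**
  * Processes the verification POST tickets
  *
  * The ticket in $_GET['verify_federated_user'] is hex-encoded serialize()
  * output holding the keys `date`, `user` and `email`. A ticket younger than
  * 30 days that matches a valid admin record assigns that user the federated
  * login group, logs them in and redirects to the admin page.
  *
  * @param string $script (we do not use this)
  * @return string $script unchanged when no verification took place
  */
 static function verify($script)
 {
     //process any verifications posted
     if (isset($_GET['verify_federated_user'])) {
         // SECURITY(review): unserialize() runs on data taken straight from the query
         // string (object injection risk). The ticket only needs scalar keys, so on
         // PHP >= 7.0 passing array('allowed_classes' => false) as the second argument
         // would close that off without changing behaviour. Nothing visible here
         // authenticates the ticket either — TODO confirm a signature or one-time
         // token is applied upstream.
         $params = unserialize(pack("H*", trim(sanitize($_GET['verify_federated_user']), '.')));
         // A malformed ticket decodes to false or lacks the expected keys; guard before
         // indexing so the request is simply ignored instead of raising notices.
         if (is_array($params) && isset($params['date'], $params['user'], $params['email']) && time() - $params['date'] < 2592000) {
             $userobj = Zenphoto_Authority::getAnAdmin(array('`user`=' => $params['user'], '`email`=' => $params['email'], '`valid`>' => 0));
             if ($userobj) {
                 // copy rights and managed objects from the configured federated login group
                 $groupname = getOption('federated_login_group');
                 $groupobj = Zenphoto_Authority::getAnAdmin(array('`user`=' => $groupname, '`valid`=' => 0));
                 if ($groupobj) {
                     $userobj->setRights($groupobj->getRights());
                     $userobj->setGroup($groupname);
                     $userobj->setObjects($groupobj->getObjects());
                     if (getOption('register_user_create_album')) {
                         $userobj->createPrimealbum();
                     }
                     $userobj->save();
                 }
                 zp_apply_filter('register_user_verified', $userobj);
                 if (getOption('register_logon_user_notify')) {
                     zp_mail(gettext('Zenphoto Gallery registration'), sprintf(gettext('%1$s (%2$s) has registered for the zenphoto gallery providing an e-mail address of %3$s.'), $userobj->getName(), $userobj->getUser(), $userobj->getEmail()));
                 }
                 Zenphoto_Authority::logUser($userobj);
                 header("Location: " . FULLWEBPATH . '/' . ZENFOLDER . '/admin.php');
                 exitZP();
             }
         }
     }
     return $script;
 }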
 /**
  * Responds to a request for a feed that does not exist: sends a 404 status,
  * renders the core 404 template and ends the request.
  */
 protected static function feed404()
 {
     header("HTTP/1.0 404 Not Found");
     header("Status: 404 Not Found");
     $notFoundPage = SERVERPATH . '/' . ZENFOLDER . '/404.php';
     include $notFoundPage;
     exitZP();
 }
    if (isset($_GET['lang'])) {
        $locale = sanitize($_GET['lang']);
    } else {
        $locale = getOption('locale');
    }
    $gallery = new Gallery();
    // Create new MergedRSS object with desired parameters
    $MergedRSS = new MergedRSS($feeds, getBare(get_language_string($gallery->getTitle(), $locale)), FULLWEBPATH, getBare(get_language_string($gallery->getDesc(), $locale)), $RSS_date);
    //Export the first 10 items to screen
    $mergedrss_feeditems = getOption('mergedrss_items');
    if (empty($mergedrss_feeditems)) {
        $mergedrss_feeditems = 10;
    }
    $MergedRSS->export(false, true, $mergedrss_feeditems);
    //getOption('RSS_items')
    exitZP();
}
class MergedRSSOptions
{
    /**
     * Registers the plugin's option defaults when run from the setup pass.
     */
    function __construct()
    {
        if (OFFSET_PATH != 2) {
            return;
        }
        setOptionDefault('mergedrss_items', 10);
    }
    /**
     * Describes the plugin options shown on the admin options page.
     *
     * @return array option descriptors keyed by their displayed label
     */
    function getOptionsSupported()
    {
        $feedsOption = array(
            'key' => 'mergedrss_feeds',
            'type' => OPTION_TYPE_TEXTAREA,
            'order' => 11,
            'multilingual' => false,
            'desc' => gettext('Enter the full urls of the feeds to merge separated by semicolons (e.g. "http://www.domain1.com/rss; http://www.domain2.com/rss")'),
        );
        $itemsOption = array(
            'key' => 'mergedrss_items',
            'type' => OPTION_TYPE_NUMBER,
            'order' => 2,
            'desc' => gettext("The number of new entries you want to appear in your site’s RSS feed"),
        );
        return array(
            gettext('RSS feeds to merge') => $feedsOption,
            gettext('Feed items:') => $itemsOption,
        );
    }
    function handleOption($option, $currentValue)
    {
 /**
  * Monitors front end access and excludes access as defined by the options.
  *
  * The client address is normalised to four zero-padded octets so that the
  * configured start/end range strings can be compared lexically. Only dotted
  * IPv4 addresses fit that scheme; presumably getUserIP() never yields IPv6
  * here — confirm, since such an address would be mis-parsed.
  *
  * @param string $path
  * @return string $path unchanged when the client is permitted; the request is
  *   terminated with a 403 otherwise
  */
 static function load($path)
 {
     $ranges = getSerializedArray(getOption('ipBlocker_list'));
     $allowMode = getOption('ipBlocker_type') == 'allow';
     // in allow mode every client is excluded unless a range matches; in block mode the reverse
     $excluded = $allowMode;
     if (!empty($ranges)) {
         $octets = array_pad(explode('.', getUserIP()), 4, 0);
         $ip = vsprintf('%03u.%03u.%03u.%03u', $octets);
         foreach ($ranges as $range) {
             if ($ip >= $range['start'] && $ip <= $range['end']) {
                 $excluded = !$allowMode;
                 break;
             }
         }
     }
     if (!$excluded) {
         return $path;
     }
     header("HTTP/1.0 403 " . gettext("Forbidden"));
     header("Status: 403 " . gettext("Forbidden"));
     // terminate the script with no output
     exitZP();
 }