コード例 #1
ファイル: user_settings.php プロジェクト: bendroid/pligg-cms
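// Resolve the account whose settings are being edited: the login cookie wins,
// then the authenticated session; anonymous visitors are sent to the index page.
$login = isset($_COOKIE['mnm_user']) ? sanitize($_COOKIE['mnm_user'], 3) : '';
//$login = isset($_GET['login']) ? sanitize($_GET['login'], 3) : '';
if ($login === '') {
    if ($current_user->user_id > 0) {
        $login = $current_user->user_login;
    } else {
        header('Location: ./');
        die;
    }
}
// CSRF check comes first: nothing below (including the template cookie) may
// change state on a request that does not carry a valid 'user_settings' token.
$CSRF->check_expired('user_settings');
$csrf_token = isset($_POST['token']) ? sanitize($_POST['token'], 3) : '';
if (!$CSRF->check_valid($csrf_token, 'user_settings')) {
    $CSRF->show_invalid_error(1);
    exit;
}
// The template name is used to build a filesystem path and is stored in a
// cookie, so only accept a plain directory name (no separators, no "..").
$requested_template = isset($_POST['template']) ? $_POST['template'] : '';
if (Allow_User_Change_Templates && preg_match('/^[A-Za-z0-9_-]+$/', $requested_template) && file_exists("./templates/" . $requested_template . "/header.tpl")) {
    // NOTE(review): HTTP_HOST comes from the request; only a leading "www" is
    // stripped, so the cookie scope follows whatever Host the client sent —
    // confirm the web server restricts Host to the site's known names.
    $domain = $_SERVER['HTTP_HOST'] == 'localhost' ? '' : preg_replace('/^www/', '', $_SERVER['HTTP_HOST']);
    setcookie("template", $requested_template, time() + 60 * 60 * 24 * 30, '/', $domain);
}
$login_user = $db->escape($login);
//$login_user = $_GET['login'];
// NOTE(review): the quoted value in this WHERE clause is shown redacted ("******")
// on this page; it presumably interpolates $login_user — confirm against the original file.
$sqlGetiUserId = $db->get_var("SELECT user_id from " . table_users . " where user_login = '******';");
// Checkbox selection from the form (absent when nothing was checked).
$select_check = isset($_POST['chack']) ? $_POST['chack'] : null;
/* $geturl = $_SERVER['HTTP_REFERER'];
		$url = strtolower(end(explode('/', $geturl)));
		$vowels = array($url);
		$Get_URL = str_replace($vowels, "", $geturl); */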
if ($_SERVER['HTTP_REFERER'] && strpos($_SERVER['HTTP_REFERER'], $my_base_url . $my_pligg_base) === 0) {
    $geturl = $_SERVER['HTTP_REFERER'];
} else {
コード例 #2
// Access control: only the group's creator or a 'god'-level account may edit the group.
$canIhaveAccess = checklevel('god');
$isGroupCreator = ($current_user->user_id == get_group_creator($requestID));
if (!$isGroupCreator && $canIhaveAccess != 1) {
    // The redirect target is computed but the Location header is commented out,
    // so a rejected request currently ends with an empty response.
    $redirect = getmyurl("group_story", $requestID);
    //	header("Location: $redirect");
    die;
}
// Page identity exposed to the templates.
define('pagename', 'editgroup');
$main_smarty->assign('pagename', pagename);
// Token helper used by the form handling that follows.
$CSRF = new csrf();
// uploading avatar
if ($_POST["avatar"] == "uploaded") {
    $CSRF->check_expired('edit_group');
    if ($CSRF->check_valid(sanitize($_POST['token'], 3), 'edit_group')) {
        $user_image_path = "avatars/groups_uploaded" . "/";
        $user_image_apath = "/" . $user_image_path;
        $allowedFileTypes = array("image/jpeg", "image/gif", "image/png", 'image/x-png', 'image/pjpeg');
        unset($imagename);
        $myfile = $_FILES['image_file']['name'];
        $imagename = basename($myfile);
        $mytmpfile = $_FILES['image_file']['tmp_name'];
        if (!in_array($_FILES['image_file']['type'], $allowedFileTypes)) {
            $error['Type'] = 'Only these file types are allowed : jpeg, gif, png';
        }
        if (empty($error)) {
            $imagesize = getimagesize($mytmpfile);
            $width = $imagesize[0];
            $height = $imagesize[1];
コード例 #3
    //	$main_smarty->display($template_dir . '/admin/admin.tpl');
    header("Location: " . getmyurl('login', $_SERVER['REQUEST_URI']));
    die;
}
// Look up the installed Pligg version from the misc-data table and expose it to the templates.
$sql = 'SELECT data FROM ' . table_misc_data . ' WHERE name = \'pligg_version\'';
$pligg_version = $db->get_var($sql);
$main_smarty->assign('version_number', $pligg_version);
// Let the sidebar hook populate the template object.
$main_smarty = do_sidebar($main_smarty);
if ($canIhaveAccess == 1) {
    // sessions used to prevent CSRF
    $CSRF = new csrf();
    if (isset($_POST['submit'])) {
        if ($_POST["enabled"]) {
            $CSRF->check_expired('admin_users_list');
            if ($CSRF->check_valid(sanitize($_POST['token'], 3), 'admin_users_list')) {
                foreach ($_POST["enabled"] as $id => $value) {
                    $_GET['id'] = $id = $db->escape($id);
                    $value = $db->escape($value);
                    $user = $db->get_row('SELECT * FROM ' . table_users . " where user_id={$id}");
                    if ($user->user_enabled != $value) {
                        canIChangeUser($user->user_level);
                        $db->query("UPDATE " . table_users . " SET user_enabled='{$value}', user_level=IF(user_level='Spammer','normal',user_level) WHERE user_id='" . $db->escape($id) . "'");
                    }
                }
            } else {
                $CSRF->show_invalid_error(1);
                exit;
            }
        }
コード例 #4
 // Assemble the column values for the new group from the form data gathered above.
 $group_date = $g_date;
 // Fixed placeholder publish timestamp; its meaning is not documented in this fragment.
 $group_published_date = 943941600;
 $group_name = $group_title;
 $group_description = $group_description; // self-assignment kept as-is (no-op)
 //	$group_safename = str_replace(' ', '-', $group_title);
 $group_safename = makeUrlFriendly($group_title, true);
 // Privacy is only defined when the form submitted it; later code must cope with it being unset.
 if (isset($_POST['group_privacy'])) {
     $group_privacy = $db->escape(sanitize($_POST['group_privacy'], 3));
 }
 // New groups are live immediately only when auto-approval is switched on.
 $group_status = (auto_approve_group == 'true') ? 'enable' : 'disable';
 if (isset($_POST['group_title'])) {
     $CSRF->check_expired('submit_group');
     if (!$CSRF->check_valid(sanitize($_POST['token'], 3), 'submit_group')) {
         $CSRF->show_invalid_error(1);
         exit;
     }
     $errors = '';
     if (!$group_name) {
         $errors = $main_smarty->get_config_vars('PLIGG_Visual_Group_Empty_Title');
     } else {
         $exists = $db->get_var("select COUNT(*) from " . table_groups . " WHERE group_name='{$group_name}'");
         if ($exists) {
             $errors = $main_smarty->get_config_vars('PLIGG_Visual_Group_Title_Exists');
         }
     }
     if (!$errors) {
         //to insert a group
コード例 #5
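 $main_smarty->assign('version_number', $pligg_version);
 // Rebuild and re-order the category tree before any action is handled.
 rebuild_the_tree();
 ordernew();
 // Requested action; anything absent or empty means "view". Read from $_REQUEST, so GET works too.
 $action = isset($_REQUEST['action']) && sanitize($_REQUEST['action'], 3) != '' ? sanitize($_REQUEST['action'], 3) : "view";
 if ($action == "htaccess") {
     // NOTE(review): this branch changes the filesystem on a plain GET and, unlike the
     // 'save' action handled below, does not validate a CSRF token — consider requiring one.
     $htaccess = '../.htaccess';
     if (file_exists($htaccess)) {
         echo "The file {$htaccess} already exists. To protect you from accidentally removing it, you must manually remove it from your server before moving on.";
     } elseif (rename("../htaccess.default", "../.htaccess")) {
         echo "We have renamed htaccess.default to .htaccess for you. You still need to manually add the special category structure for it to fully work.";
     } else {
         // rename() returns false (and emits a warning) on failure; do not report success in that case.
         echo "We could not rename htaccess.default to .htaccess. Please check that the file exists and that the web server may write to the parent directory.";
     }
 }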
 if ($action == "save") {
     $CSRF->check_expired('category_manager');
     if ($CSRF->check_valid(sanitize($_POST['token'], 3), 'category_manager')) {
         if (!$_POST['safename']) {
             $_POST['safename'] = makeCategoryFriendly($_POST['name']);
             $row = $db->get_row("SELECT * FROM " . table_categories . " WHERE category_safe_name='" . mysql_real_escape_string(sanitize($_POST['safename'], 4)) . "' AND category__auto_id!='{$_POST['auto_id']}'");
             $i = '';
             while ($row->category_id > 0) {
                 $i++;
                 $row = $db->get_row("SELECT * FROM " . table_categories . " WHERE category_safe_name='" . mysql_real_escape_string(sanitize($_POST['safename'] . $i, 4)) . "' AND category__auto_id!='{$_POST['auto_id']}'");
             }
             $_POST['safename'] .= $i;
         }
         if ($_POST['auto_id'] && is_numeric($_POST['auto_id'])) {
             $id = sanitize($_POST['auto_id'], 3);
             $parent = sanitize($_POST['parent'], 3);
             if (!is_numeric($id)) {
コード例 #6
ファイル: admin_users.php プロジェクト: pantofla/waterfan
     $user->username = sanitize($_GET["user"], 3);
     if (!$user->read()) {
         echo "Invalid User";
         die;
     }
     // module system hook
     $vars = '';
     check_actions('admin_users_edit', $vars);
     // show the template
     $main_smarty->assign('tpl_center', '/admin/user_edit_center');
     $main_smarty->display($template_dir . '/admin/admin.tpl');
 }
 if (sanitize($_GET["mode"], 3) == $main_smarty->get_config_vars('PLIGG_Visual_Profile_Save')) {
     //save user info
     // code to prevent CSRF
     $CSRF->check_expired('admin_users_edit');
     // code to prevent CSRF
     if ($CSRF->check_valid(sanitize($_GET['token'], 3), 'admin_users_edit')) {
         $user = $db->get_row('SELECT * FROM ' . table_users . ' where user_login="******"user"], 3) . '"');
         canIChangeUser($user->user_level);
         if ($user) {
             $userdata = new User();
             $userdata->username = $user->user_login;
             if (!$userdata->read()) {
                 echo "Error reading user data.";
                 die;
             }
             // module system hook
             $vars = '';
             check_actions('admin_users_save', $vars);
             $userdata->username = trim(sanitize($_GET["login"], 3));
コード例 #7
        $linkid = isset($_POST['linkid']) && is_numeric($_POST['linkid']) ? $_POST['linkid'] : 0;
        $main_smarty->assign('ts_random', rand(10000000, 99999999));
        $main_smarty->assign('Default_Message', Default_Message);
        $main_smarty->assign('link_shakebox_index', $htmlid);
        $main_smarty->assign('link_id', $linkid);
        $main_smarty->assign('instpath', my_base_url . my_pligg_base . "/");
        $main_smarty->display($the_template . '/recommend_small.tpl');
    }
} else {
    // we're submitting the form and sending the emails
    global $current_user, $db;
    if (!$current_user->authenticated) {
        echo '<br/><p><div class="error">' . $main_smarty->get_config_vars('PLIGG_Visual_Recommend_Logged_In') . '</div></p>';
        die;
    }
    $CSRF->check_expired('recommend');
    if ($CSRF->check_valid(sanitize($_POST['token'], 3), 'recommend')) {
        $sql = 'SELECT `last_email_friend` FROM `' . table_users . '` WHERE `user_login` = "' . $current_user->user_login . '"';
        $last_email = $db->get_var($sql);
        $time_since_last_email = time() - strtotime($last_email);
        if ($time_since_last_email < Recommend_Time_Limit) {
            echo '<br/><p><div class="error">' . $main_smarty->get_config_vars('PLIGG_Visual_Recommend_Limit') . '</div></p>';
            die;
        }
        $requestID = isset($_POST['original_id']) && is_numeric($_POST['original_id']) ? $_POST['original_id'] : 0;
        if ($requestID > 0) {
            $id = $requestID;
            $link = new Link();
            $link->id = $requestID;
            $link->read();
            $link_url = my_base_url . getmyurl("story", $link->id);
コード例 #8
         $cached_comments[$dbfiltered->comment_id] = $dbfiltered;
         $comment->read();
         #	    $user->id = $comment->author;
         #	    $user->read();
         $template_comments[] = array('comment_id' => $comment->id, 'comment_content' => txt_shorter($comment->content, 90), 'comment_content_long' => $comment->content, 'comment_votes' => $comment->votes, 'comment_author' => $dbfiltered->user_login, 'comment_link_id' => $comment->link, 'comment_status' => $comment->status, 'comment_date' => $dbfiltered->comment_date);
     }
     $main_smarty->assign('template_comments', $template_comments);
 }
 // Breadcrumb trail (Admin Panel -> Comments) and the page-title suffix.
 $navwhere['text1'] = $main_smarty->get_config_vars('PLIGG_Visual_Header_AdminPanel');
 $navwhere['link1'] = getmyurl('admin', '');
 $navwhere['text2'] = $main_smarty->get_config_vars('PLIGG_Visual_Header_AdminPanel_Comments');
 $main_smarty->assign('navbar_where', $navwhere);
 // The title suffix reuses the first breadcrumb label.
 $main_smarty->assign('posttitle', ' / ' . $navwhere['text1']);
 if (isset($_GET['action']) && sanitize($_GET['action'], 3) == "bulkmod" && isset($_POST['submit'])) {
     $CSRF->check_expired('admin_comments_edit');
     $killspammed = array();
     if ($CSRF->check_valid(sanitize($_POST['token'], 3), 'admin_comments_edit')) {
         $comment = array();
         foreach ($_POST["comment"] as $k => $v) {
             $comment[intval($k)] = sanitize($v, 3);
         }
         foreach ($comment as $key => $value) {
             if ($value == "published") {
                 $db->query($sql = 'UPDATE `' . table_comments . '` SET `comment_status` = "published" WHERE `comment_id` = "' . $key . '"');
             } elseif ($value == "moderated") {
                 $db->query($sql = 'UPDATE `' . table_comments . '` SET `comment_status` = "moderated" WHERE `comment_id` = "' . $key . '"');
             } elseif ($value == "discard" || $value == "delete") {
                 $db->query($sql = 'UPDATE `' . table_comments . '` SET `comment_status` = "discard" WHERE `comment_id` = "' . $key . '"');
                 $vars = array('comment_id' => $key);
                 check_actions('comment_discard', $vars);
コード例 #9
ファイル: admin_links.php プロジェクト: hyrmedia/pligg-cms
         $link->read();
         $user->id = $link->author;
         $user->read();
         $template_stories[] = array('link_title_url' => $link->title_url, 'link_id' => $link->id, 'link_title' => $link->title, 'link_status' => $link->status, 'link_author' => $user->username, 'link_date' => date("d-m-Y", $link->date));
     }
     $main_smarty->assign('template_stories', $template_stories);
 }
 // Breadcrumb trail (Admin Panel -> Links) and the page-title suffix.
 $navwhere['text1'] = $main_smarty->get_config_vars('PLIGG_Visual_Header_AdminPanel');
 $navwhere['link1'] = getmyurl('admin', '');
 $navwhere['text2'] = $main_smarty->get_config_vars('PLIGG_Visual_Header_AdminPanel_Links');
 $main_smarty->assign('navbar_where', $navwhere);
 // The title suffix reuses the first breadcrumb label.
 $main_smarty->assign('posttitle', ' / ' . $navwhere['text1']);
 // if admin changes the link status
 if (isset($_GET['action']) && sanitize($_GET['action'], 3) == "bulkmod" && isset($_POST['admin_acction'])) {
     $CSRF->check_expired('admin_links_edit');
     if ($CSRF->check_valid(sanitize($_POST['token'], 3), 'admin_links_edit')) {
         $comment = array();
         $admin_acction = $_POST['admin_acction'];
         foreach ($_POST["link"] as $key => $v) {
             if ($admin_acction == "published" || $admin_acction == "new" || $admin_acction == "discard" || $admin_acction == "spam") {
                 $link_status = $db->get_var('select link_status from ' . table_links . '  WHERE link_id = "' . $key . '"');
                 if ($link_status != $admin_acction) {
                     if ($admin_acction == "published") {
                         $db->query('UPDATE `' . table_links . '` SET `link_status` = "published", link_published_date = now() WHERE `link_id` = "' . $key . '"');
                         $vars = array('link_id' => $key);
                         check_actions('link_published', $vars);
                     } elseif ($admin_acction == "new") {
                         $db->query('UPDATE `' . table_links . '` SET `link_status` = "new", link_published_date=0 WHERE `link_id` = "' . $key . '"');
                     } elseif ($admin_acction == "discard") {
                         $db->query('UPDATE `' . table_links . '` SET `link_status` = "discard" WHERE `link_id` = "' . $key . '"');
コード例 #10
// Load the story being edited: id, author and submission time as a unix timestamp.
// NOTE(review): $theid is defined outside this fragment and is interpolated unquoted
// into the WHERE clause — confirm it has been validated as numeric before this point.
$link = $db->get_row('SELECT link_id, link_author, UNIX_TIMESTAMP(link_date) AS date FROM ' . table_links . ' WHERE link_id=' . $theid . ';');
/////
if ($link) {
    if ($link->link_author == $current_user->user_id || $current_user->user_level == "admin" || $current_user->user_level == "god") {
        // DB 11/11/08
        if ($current_user->user_level != "god" && $current_user->user_level != "admin" && limit_time_to_edit != 0 && (time() - $link->date) / 60 > edit_time_limit) {
            echo "<br /><br />" . sprintf($main_smarty->get_config_vars('PLIGG_Visual_EditLink_Timeout'), edit_time_limit) . "<br/ ><br /><a href=" . my_base_url . my_pligg_base . ">" . $main_smarty->get_config_vars('PLIGG_Visual_Name') . " home</a>";
            exit;
        }
        /////
        $CSRF = new csrf();
        if (isset($_POST["id"])) {
            //print_r($_POST);
            //exit;
            echo $_POST['title'];
            $CSRF->check_expired('edit_link');
            if ($CSRF->check_valid(sanitize($_POST['token'], 3), 'edit_link')) {
                $linkres = new Link();
                $linkres->id = $link_id = sanitize($_GET['id'], 3);
                if (!is_numeric($link_id)) {
                    die;
                }
                $linkres->read();
                // if notify link submitter is selected
                if (isset($_POST["notify"])) {
                    if (sanitize($_POST["notify"], 3) == "yes") {
                        $link_author = $db->get_col("SELECT link_author FROM " . table_links . " WHERE link_id=" . $theid . ";");
                        $user = $db->get_row("SELECT * FROM " . table_users . " WHERE user_id=" . $link_author[0] . ";");
                        $to = $user->user_email;
                        $subject = $main_smarty->get_config_vars('PLIGG_Visual_EditStory_Email_Subject');
                        $body = $user->user_login . ", \r\n\r\n" . $main_smarty->get_config_vars('PLIGG_Visual_EditStory_Email_AdminMadeChange') . "\r\n";
コード例 #11
ファイル: admin_comments.php プロジェクト: bendroid/pligg-cms
         $cached_comments[$dbfiltered->comment_id] = $dbfiltered;
         $comment->read();
         #	    $user->id = $comment->author;
         #	    $user->read();
         $template_comments[] = array('comment_id' => $comment->id, 'comment_content' => txt_shorter($comment->content, 90), 'comment_content_long' => $comment->content, 'comment_votes' => $comment->votes, 'comment_author' => $dbfiltered->user_login, 'comment_link_id' => $comment->link, 'comment_status' => $comment->status, 'comment_date' => $dbfiltered->comment_date);
     }
     $main_smarty->assign('template_comments', $template_comments);
 }
 // Breadcrumb trail (Admin Panel -> Comments) and the page-title suffix.
 $navwhere['text1'] = $main_smarty->get_config_vars('PLIGG_Visual_Header_AdminPanel');
 $navwhere['link1'] = getmyurl('admin', '');
 $navwhere['text2'] = $main_smarty->get_config_vars('PLIGG_Visual_Header_AdminPanel_Comments');
 $main_smarty->assign('navbar_where', $navwhere);
 // The title suffix reuses the first breadcrumb label.
 $main_smarty->assign('posttitle', ' / ' . $navwhere['text1']);
 if (isset($_GET['action']) && sanitize($_GET['action'], 3) == "bulkmod" && isset($_POST['admin_acction'])) {
     $CSRF->check_expired('comments_edit');
     $killspammed = array();
     $admin_acction = $_POST['admin_acction'];
     if ($CSRF->check_valid(sanitize($_POST['token'], 3), 'comments_edit')) {
         foreach ($_POST["comment"] as $key => $value) {
             $comment_status = $db->get_var('select comment_status from ' . table_comments . '  WHERE comment_id = "' . $key . '"');
             if ($comment_status != $admin_acction) {
                 if ($admin_acction == "published") {
                     $db->query($sql = 'UPDATE `' . table_comments . '` SET `comment_status` = "published" WHERE `comment_id` = "' . $key . '"');
                 } elseif ($admin_acction == "moderated") {
                     $db->query($sql = 'UPDATE `' . table_comments . '` SET `comment_status` = "moderated" WHERE `comment_id` = "' . $key . '"');
                 } elseif ($admin_acction == "discard" || $admin_acction == "delete") {
                     $db->query($sql = 'UPDATE `' . table_comments . '` SET `comment_status` = "discard" WHERE `comment_id` = "' . $key . '"');
                     $vars = array('comment_id' => $key);
                     check_actions('comment_discard', $vars);
                 } elseif ($admin_acction == "spam" && !$killspammed[$user_id]) {