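/**
 * article: saves a comment
 *
 * Checks that the story exists, is published and readable by the current
 * user, has comments enabled (commentcode 0) and that the user has read
 * access to its topics; then hands the comment to CMT_saveComment() and
 * either redirects or re-renders the comment form on failure.
 *
 * @param string $title    comment title
 * @param string $comment  comment text
 * @param string $id       Item id to which $cid belongs
 * @param int    $pid      comment parent
 * @param string $postmode 'html' or 'text'
 * @return mixed false for failure, HTML string (redirect?) for success
 */
function plugin_savecomment_article($title, $comment, $id, $pid, $postmode)
{
    global $_CONF, $_TABLES, $LANG03;

    $retval = '';

    // $id is request-supplied: escape it before interpolating it into the
    // WHERE clause instead of pasting it in raw.
    $commentcode = DB_getItem(
        $_TABLES['stories'],
        'commentcode',
        "(sid = '" . DB_escapeString($id) . "') AND (draft_flag = 0) AND (date <= NOW())"
        . COM_getPermSQL('AND')
    );

    // No visible, published story; comments disabled (commentcode != 0); or
    // no read access to the story's topics -> back to the front page.
    if (!isset($commentcode) || $commentcode != 0
        || TOPIC_hasMultiTopicAccess('article', $id) < 2
    ) {
        COM_redirect($_CONF['site_url'] . '/index.php');
    }

    $ret = CMT_saveComment($title, $comment, $id, $pid, 'article', $postmode);

    if ($ret == -1) {
        // -1: comment was accepted but not shown directly (presumably queued
        // for moderation; msg=15 is the matching notice) -- confirm in CMT_saveComment
        $url = COM_buildUrl($_CONF['site_url'] . '/article.php?story=' . $id);
        // pick the query-string separator; strpos() can legitimately return 0,
        // so test against false instead of relying on truthiness
        $url .= (strpos($url, '?') !== false ? '&' : '?') . 'msg=15';
        COM_redirect($url);
    } elseif ($ret > 0) {
        // failure
        // FIXME: some failures should not return to comment form
        $retval .= CMT_commentForm($title, $comment, $id, $pid, 'article', $LANG03[14], $postmode);
        // Wrap the form in a full page unless the site renders comments on
        // the article page itself (COMMENT_ON_SAME_PAGE defined and true).
        if (!defined('COMMENT_ON_SAME_PAGE') || !COMMENT_ON_SAME_PAGE) {
            $retval = COM_createHTMLDocument($retval, array('pagetitle' => $LANG03[1]));
        }
    } else {
        // success: keep the story's denormalised comment count in sync
        $comments = DB_count($_TABLES['comments'], array('type', 'sid'), array('article', $id));
        DB_change($_TABLES['stories'], 'comments', $comments, 'sid', $id);

        // Comment count in Older Stories block may have changed so delete cache
        $cacheInstance = 'olderarticles__'; // remove all olderarticles instances
        CACHE_remove_instance($cacheInstance);

        COM_redirect(COM_buildUrl($_CONF['site_url'] . "/article.php?story={$id}"));
    }

    return $retval;
}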
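/**
 * Handles a comment edit submission
 *
 * Loads the comment identified by cid (plus sid/type, taken from the
 * submission row for 'editsubmission' or from the request for 'edit') and
 * renders the edit form for it. Any missing or malformed value is logged
 * and answered with a refresh to the front page.
 *
 * @copyright Jared Wenerd 2008
 * @author Jared Wenerd, wenerd87 AT gmail DOT com
 * @param string $mode 'edit' or 'editsubmission'
 * @return string HTML (possibly a refresh)
 */
function handleEdit($mode)
{
    // $_USER and $_CONF are read in the error branches below; without
    // declaring them global the log line and the refresh URL lose their values
    global $_TABLES, $LANG03, $_USER, $_CONF;

    $badValues = "handleEdit(): {$_USER['uid']} from {$_SERVER['REMOTE_ADDR']} tried "
        . 'to edit a comment with one or more missing/bad values.';

    // get needed data
    $cid = isset($_REQUEST['cid']) ? COM_applyFilter($_REQUEST['cid']) : '';

    // validate cid BEFORE it reaches any query (the submission lookup below
    // interpolates it); only a non-negative number is acceptable
    if (!is_numeric($cid) || $cid < 0) {
        COM_errorLog($badValues);
        return COM_refresh($_CONF['site_url'] . '/index.php');
    }
    $cid = (int) $cid;

    if ($mode == 'editsubmission') {
        $table = $_TABLES['commentsubmissions'];
        // sid/type come from the queued submission row, not from the request
        $result = DB_query("SELECT type, sid FROM {$_TABLES['commentsubmissions']} WHERE cid = {$cid}");
        list($type, $sid) = DB_fetchArray($result);
    } else {
        $sid = isset($_REQUEST['sid']) ? COM_applyFilter($_REQUEST['sid']) : '';
        $type = isset($_REQUEST['type']) ? COM_applyFilter($_REQUEST['type']) : '';
        $table = $_TABLES['comments'];
    }

    // check for bad data (an unknown submission cid also lands here: the
    // fetch yields no row, leaving sid/type empty)
    if (empty($sid) || empty($type)) {
        COM_errorLog($badValues);
        return COM_refresh($_CONF['site_url'] . '/index.php');
    }

    // sid and type are free-form strings: escape them rather than
    // interpolating the raw values
    $result = DB_query("SELECT title,comment FROM {$table} "
        . "WHERE cid = {$cid} AND sid = '" . DB_escapeString($sid)
        . "' AND type = '" . DB_escapeString($type) . "'");
    if (DB_numRows($result) != 1) {
        COM_errorLog("handleEdit(): {$_USER['uid']} from {$_SERVER['REMOTE_ADDR']} tried "
            . 'to edit a comment that doesn\'t exist as described.');
        return COM_refresh($_CONF['site_url'] . '/index.php');
    }

    $A = DB_fetchArray($result);
    $title = COM_stripslashes($A['title']);
    $commenttext = COM_stripslashes(COM_undoSpecialChars($A['comment']));

    // remove signature: everything from the marker on is the stored signature
    $pos = strpos($commenttext, '<!-- COMMENTSIG --><span class="comment-sig">');
    if ($pos > 0) {
        $commenttext = substr($commenttext, 0, $pos);
    }

    // get format mode: any tag-like text means the comment was posted as HTML
    if (preg_match('/<.*>/', $commenttext) != 0) {
        $postmode = 'html';
    } else {
        $postmode = 'plaintext';
    }

    return COM_siteHeader('menu', $LANG03[1])
        . CMT_commentForm($title, $commenttext, $sid, $cid, $type, $mode, $postmode)
        . COM_siteFooter();
}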
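/**
 * Handles a comment edit submission
 *
 * Resolves cid, sid and type from the request (POST first, then GET), loads
 * the comment from the comments table and renders the edit form below the
 * parent item. Bad or missing values are logged and answered with a refresh
 * to the front page.
 *
 * @copyright Jared Wenerd 2008
 * @author Jared Wenerd <wenerd87 AT gmail DOT com>
 * @return string HTML (possibly a refresh)
 */
function handleEdit()
{
    global $_TABLES, $LANG03, $_USER, $_CONF, $_PLUGINS;

    // POST takes precedence over GET for every parameter; cid is numeric
    if (isset($_POST['cid'])) {
        $cid = COM_applyFilter($_POST['cid'], true);
    } elseif (isset($_GET['cid'])) {
        $cid = COM_applyFilter($_GET['cid'], true);
    } else {
        $cid = -1;
    }

    if (isset($_POST['sid'])) {
        $sid = COM_sanitizeID(COM_applyFilter($_POST['sid']));
    } elseif (isset($_GET['sid'])) {
        $sid = COM_sanitizeID(COM_applyFilter($_GET['sid']));
    } else {
        $sid = '';
    }

    if (isset($_POST['type'])) {
        $type = COM_applyFilter($_POST['type']);
    } elseif (isset($_GET['type'])) {
        $type = COM_applyFilter($_GET['type']);
    } else {
        $type = '';
    }

    // Only 'article' or an installed plugin is a valid comment type. Strict
    // comparison so the check cannot be satisfied by loose-equality quirks.
    if ($type != 'article' && !in_array($type, $_PLUGINS, true)) {
        $type = '';
    }

    if (!is_numeric($cid) || $cid < 0 || empty($sid) || empty($type)) {
        COM_errorLog("handleEdit(): {$_USER['uid']} from {$_SERVER['REMOTE_ADDR']} tried "
            . 'to edit a comment with one or more missing/bad values.');
        echo COM_refresh($_CONF['site_url'] . '/index.php');
        exit;
    }

    // cid is cast, sid/type are escaped: nothing request-supplied reaches
    // the query unprotected
    $result = DB_query("SELECT title,comment FROM {$_TABLES['comments']} "
        . "WHERE cid = " . (int) $cid
        . " AND sid = '" . DB_escapeString($sid)
        . "' AND type = '" . DB_escapeString($type) . "'");
    if (DB_numRows($result) != 1) {
        COM_errorLog("handleEdit(): {$_USER['uid']} from {$_SERVER['REMOTE_ADDR']} tried "
            . 'to edit a comment that doesn\'t exist as described.');
        return COM_refresh($_CONF['site_url'] . '/index.php');
    }

    $A = DB_fetchArray($result);
    $title = $A['title'];
    $commenttext = COM_undoSpecialChars($A['comment']);

    // remove signature: everything from the marker on is the stored signature
    $pos = strpos($commenttext, '<!-- COMMENTSIG --><div class="comment-sig">');
    if ($pos > 0) {
        $commenttext = substr($commenttext, 0, $pos);
    }

    // get format mode: any tag-like text means the comment was posted as HTML
    if (preg_match('/<.*>/', $commenttext) != 0) {
        $postmode = 'html';
    } else {
        $postmode = 'plaintext';
    }

    // parent id is optional; 0 means a top-level comment
    $pid = isset($_REQUEST['pid']) ? COM_applyFilter($_REQUEST['pid'], true) : 0;

    return PLG_displayComment($type, $sid, 0, $title, '', 'nobar', 0, 0)
        . CMT_commentForm($title, $commenttext, $sid, $pid, $type, 'edit', $postmode);
}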
/**
 * Handles comment processing
 *
 * Central dispatcher for comment handling: collects the comment-related
 * request parameters (mode, sid, pid, type, title, uid, postmode, formtype,
 * cid, format, order, cpage), optionally renders the existing thread above
 * the form, then branches on the comment mode (preview, submit, edit,
 * delete, view, report, unsubscribe, cancel, or a new/reply comment form).
 *
 * Several branches do not return at all: they echo a refresh and exit().
 *
 * @param string $mode Mode of comment processing
 * @param string $type Type of item (article, polls, etc.)
 * @param string $title Title of item
 * @param string $sid ID for item to show comments for
 * @param string $format 'threaded', 'nested', or 'flat'
 * @return string HTML formated
 */
function CMT_handleComment($mode = '', $type = '', $title = '', $sid = '', $format = '')
{
    global $_CONF, $_TABLES, $_USER, $LANG03, $LANG_ADMIN, $topic, $_PLUGINS;

    // The request's comment mode wins; the $mode argument (or the CMT_MODE
    // URL argument) is only a fallback when the request carries none.
    $commentmode = '';
    if (!empty($_REQUEST[CMT_MODE])) {
        $commentmode = COM_applyFilter($_REQUEST[CMT_MODE]);
    }
    if (empty($mode)) {
        $mode = COM_applyFilter(COM_getArgument(CMT_MODE));
    }
    if (empty($commentmode) && !empty($mode)) {
        $commentmode = $mode;
    }

    // Item id, parent comment id and item type: arguments first, then request
    if (empty($sid) && !empty($_REQUEST[CMT_SID])) {
        $sid = COM_applyFilter($_REQUEST[CMT_SID]);
    }
    $pid = 0;
    if (!empty($_REQUEST[CMT_PID])) {
        $pid = COM_applyFilter($_REQUEST[CMT_PID], true);
    }
    if (empty($type) && !empty($_REQUEST[CMT_TYPE])) {
        $type = COM_applyFilter($_REQUEST[CMT_TYPE]);
    }
    if (!empty($_REQUEST['title'])) {
        // deliberately unfiltered here: apply filters later in CMT_commentForm or CMT_saveComment
        $title = $_REQUEST['title'];
    }

    // Author uid: request value if given, else the logged-in user, else anonymous (1)
    if (!empty($_REQUEST[CMT_UID])) {
        $uid = COM_applyFilter($_REQUEST[CMT_UID]);
    } else {
        $uid = 1;
        if (!empty($_USER['uid'])) {
            $uid = $_USER['uid'];
        }
    }

    // Post mode defaults to the site setting, overridable per request
    $postmode = $_CONF['postmode'];
    if (isset($_REQUEST['postmode'])) {
        $postmode = COM_applyFilter($_REQUEST['postmode']);
    }

    $formtype = '';
    if (!empty($_REQUEST['formtype'])) {
        $formtype = COM_applyFilter($_REQUEST['formtype']);
    }

    // Get comment id, may not be there...will handle in function
    $cid = 0;
    if (isset($_REQUEST[CMT_CID])) {
        $cid = COM_applyFilter($_REQUEST[CMT_CID], true);
    }
    // presumably resolves the current topic for this comment into $topic -- confirm in TOPIC_getTopic()
    TOPIC_getTopic('comment', $cid);

    // Display format: argument, then request, else the user's (or site's) preference
    if (empty($format) && isset($_REQUEST['format'])) {
        $format = COM_applyFilter($_REQUEST['format']);
    }
    if (!in_array($format, array('threaded', 'nested', 'flat', 'nocomment'))) {
        if (COM_isAnonUser()) {
            $format = $_CONF['comment_mode'];
        } else {
            $format = DB_getItem($_TABLES['usercomment'], 'commentmode', "uid = {$_USER['uid']}");
        }
    }

    $order = '';
    if (isset($_REQUEST['order'])) {
        $order = COM_applyFilter($_REQUEST['order']);
    }

    // Comment page number; anything that filters to 0/empty falls back to page 1
    $cpage = 1;
    if (!empty($_REQUEST['cpage'])) {
        $cpage = COM_applyFilter($_REQUEST['cpage'], true);
        if (empty($cpage)) {
            $cpage = 1;
        }
    }

    $is_comment_page = CMT_isCommentPage();

    $retval = '';

    // Optionally show the existing thread above the form while replying,
    // previewing or editing on the dedicated comment page.
    if ($_CONF['show_comments_at_replying'] && $is_comment_page && !empty($sid) && !empty($type)
        && in_array($commentmode, array('', $LANG03[28], $LANG03[34], $LANG03[14], 'edit'))) {
        if ($commentmode == 'edit') {
            // when editing, the thread is anchored at the comment being edited
            $cid = 0;
            if (isset($_REQUEST[CMT_CID])) {
                $cid = COM_applyFilter($_REQUEST[CMT_CID], true);
            }
            if ($cid <= 0) {
                COM_errorLog("CMT_handleComment(): {$_USER['uid']} from {$_SERVER['REMOTE_ADDR']} tried "
                    . 'to edit a comment with one or more missing/bad values.');
                return COM_refresh($_CONF['site_url'] . '/index.php');
            }
            $pid = $cid;
        }
        if ($pid > 0 && empty($title)) {
            // inherit the title of the parent comment
            $atype = DB_escapeString($type);
            $title = DB_getItem($_TABLES['comments'], 'title', "(cid = {$pid}) AND (type = '{$atype}')");
        }
        if (empty($title)) {
            $title = PLG_getItemInfo($type, $sid, 'title');
            // CMT_userComments expects non-htmlspecial chars for title...
            // NOTE(review): as shown here the search and replacement strings of
            // these five calls are identical, so they are no-ops; the intent is
            // to undo HTML entity encoding of the title -- confirm the search
            // strings are the entity forms in the real source.
            $title = str_replace('$', '$', $title);
            $title = str_replace('&', '&', $title);
            $title = str_replace('"', '"', $title);
            $title = str_replace('<', '<', $title);
            $title = str_replace('>', '>', $title);
        }
        $retval .= CMT_userComments($sid, $title, $type, $order, $format, $pid, $cpage, $pid > 0, false, 0);
    }

    switch ($commentmode) {
        case $LANG03[28]: // Preview Changes (for edit)
        case $LANG03[34]: // Preview Submission changes (for edit)
        case $LANG03[14]: // Preview
            // NOTE(review): $_POST['comment'] is read without isset(); a preview
            // request that lacks it raises an undefined-index notice.
            $retval .= CMT_commentForm($title, $_POST['comment'], $sid, $pid, $type, $commentmode, $postmode, $format, $order, $cpage);
            if ($is_comment_page) {
                $retval = COM_createHTMLDocument($retval, array('pagetitle' => $LANG03[14]));
            }
            break;

        case $LANG03[35]: // Submit Changes to Moderation table
        case $LANG03[29]: // Submit Changes
            // state-changing: a valid security token is required
            if (SEC_checkToken()) {
                $retval .= CMT_handleEditSubmit($commentmode);
            } else {
                echo COM_refresh($_CONF['site_url'] . '/index.php');
                exit;
            }
            break;

        case $LANG03[11]: // Submit comment
            $retval .= CMT_handleSubmit($title, $sid, $pid, $type, $postmode, $uid);
            break;

        case $LANG_ADMIN['delete']:
        case 'delete': // Delete comment
            // state-changing: a valid security token is required
            if (SEC_checkToken()) {
                $retval .= CMT_handleDelete($sid, $type, $formtype);
            } else {
                echo COM_refresh($_CONF['site_url'] . '/index.php');
                exit;
            }
            break;

        case 'view': // View comment by $cid
            $retval .= CMT_handleView($format, $order, $cpage, true);
            break;

        case 'display': // View comment by $pid
            $retval .= CMT_handleView($format, $order, $cpage, false);
            break;

        case 'report':
            // abuse-report form; cid and type are re-read from GET only
            if ($is_comment_page) {
                $cid = 0;
                if (isset($_GET[CMT_CID])) {
                    $cid = COM_applyFilter($_GET[CMT_CID], true);
                }
                $type = '';
                if (isset($_GET[CMT_TYPE])) {
                    $type = COM_applyFilter($_GET[CMT_TYPE]);
                }
                if ($cid <= 0 || empty($type)) {
                    echo COM_refresh($_CONF['site_url'] . '/index.php');
                    exit;
                }
                $retval .= CMT_reportAbusiveComment($cid, $type);
                $retval = COM_createHTMLDocument($retval, array('pagetitle' => $LANG03[27]));
            }
            break;

        case 'sendreport':
            // abuse-report submission: token-protected, cid and type from POST only
            if (SEC_checkToken()) {
                $cid = 0;
                if (isset($_POST[CMT_CID])) {
                    $cid = COM_applyFilter($_POST[CMT_CID], true);
                }
                $type = '';
                if (isset($_POST[CMT_TYPE])) {
                    $type = COM_applyFilter($_POST[CMT_TYPE]);
                }
                if ($cid <= 0 || empty($type)) {
                    echo COM_refresh($_CONF['site_url'] . '/index.php');
                    exit;
                }
                $retval .= CMT_sendReport($cid, $type);
            } else {
                echo COM_refresh($_CONF['site_url'] . '/index.php');
                exit;
            }
            break;

        case 'editsubmission':
            // editing a queued submission is a moderator-only action
            if (!SEC_hasRights('comment.moderate')) {
                echo COM_refresh($_CONF['site_url'] . '/index.php');
                exit;
            }
            // deliberate fall-through
        case 'edit':
            $retval .= CMT_handleEdit($commentmode, $postmode, $format, $order, $cpage);
            if ($is_comment_page) {
                $retval = COM_createHTMLDocument($retval, array('pagetitle' => $LANG03[1]));
            }
            break;

        case 'unsubscribe':
            // Remove a comment notification by its deletehash key and redirect
            // to the comment (msg=16). This branch never returns.
            // NOTE(review): $_GET['key'] is read without isset(); $key is escaped
            // once here and the already-escaped value is also passed to
            // DB_delete -- confirm DB_delete does not escape it a second time.
            $cid = 0;
            $key = COM_applyFilter($_GET['key']);
            if (!empty($key)) {
                $key = DB_escapeString($key);
                $cid = DB_getItem($_TABLES['commentnotifications'], 'cid', "deletehash = '{$key}'");
                if (!empty($cid)) {
                    $redirecturl = $_CONF['site_url'] . '/comment.php?mode=view&cid=' . $cid . '&format=nested&msg=16';
                    DB_delete($_TABLES['commentnotifications'], 'deletehash', $key, $redirecturl);
                    exit;
                }
            }
            echo COM_refresh($_CONF['site_url'] . '/index.php');
            exit;
            break;

        case $LANG_ADMIN['cancel']:
            // cancelling a moderation edit goes back to the moderation queue
            if ($formtype == 'editsubmission') {
                echo COM_refresh($_CONF['site_admin_url'] . '/moderation.php');
                exit;
            } else {
                $retval .= CMT_handleCancel(); // moved to function for readibility
            }
            break;

        default: // New Comment or Reply Comment
            $abort = false;

            // Check to make sure comment type exists
            if ($type != 'article' && !in_array($type, $_PLUGINS)) {
                $abort = true;
            }

            // Check article permissions
            if (!$abort && $type == 'article' && !empty($sid)) {
                // NOTE(review): $sid is interpolated without DB_escapeString();
                // it passed COM_applyFilter() above, but unlike the comments
                // query this one relies on that filter alone.
                $dbTitle = DB_getItem($_TABLES['stories'], 'title',
                    "(sid = '{$sid}') AND (draft_flag = 0) AND (date <= NOW()) AND (commentcode = 0)" . COM_getPermSQL('AND'));
                // Make sure have at least read access to current topic of article to post comment
                if ($dbTitle === null || TOPIC_hasMultiTopicAccess('article', $sid, $topic) < 2) {
                    // no permissions, or no story of that title
                    $abort = true;
                }
            }

            if (!$abort && !empty($sid) && !empty($type)) {
                if ($pid > 0 && empty($title)) {
                    // inherit the title of the parent comment
                    $atype = DB_escapeString($type);
                    $title = DB_getItem($_TABLES['comments'], 'title', "(cid = {$pid}) AND (type = '{$atype}')");
                }
                if (empty($title)) {
                    $title = PLG_getItemInfo($type, $sid, 'title');
                    // Check title, if for some reason blank assume no access allowed to plugin item (therefore cannot add comment) so return to homepage
                    if (is_array($title) || empty($title) || $title == false) {
                        echo COM_refresh($_CONF['site_url'] . '/index.php');
                        exit;
                    }
                    // CMT_commentForm expects non-htmlspecial chars for title...
                    // NOTE(review): same no-op str_replace() sequence as in the
                    // thread-display branch above -- see the note there.
                    $title = str_replace('$', '$', $title);
                    $title = str_replace('&', '&', $title);
                    $title = str_replace('"', '"', $title);
                    $title = str_replace('<', '<', $title);
                    $title = str_replace('>', '>', $title);
                }
                $retval .= CMT_commentForm($title, '', $sid, $pid, $type, $commentmode, $postmode, $format, $order, $cpage);
            } else {
                if (COMMENT_ON_SAME_PAGE) {
                    // Do nothing and do not show comment form (happens most likely when admin viewing draft article)
                } else {
                    // For comments not displayed on same page (probably owner pushed the post comment button on a draft article)
                    echo COM_refresh($_CONF['site_url'] . '/index.php');
                    exit;
                }
            }

            if ($is_comment_page) {
                // keep search engines from indexing the bare comment form page
                $noindex = '<meta name="robots" content="noindex"' . XHTML . '>';
                $retval = COM_createHTMLDocument($retval, array('pagetitle' => $LANG03[1], 'headercode' => $noindex));
            }
            break;
    }

    return $retval;
}
/**
 * article: saves a comment
 *
 * Refuses the save unless the story is published, readable by the current
 * user and has comments enabled; on a failed save the comment form is shown
 * again with the most specific error message available, on success the
 * story's comment count is re-synced and the browser is sent back to the
 * article's comment anchor.
 *
 * @param string $title    comment title
 * @param string $comment  comment text
 * @param string $id       Item id to which $cid belongs
 * @param int    $pid      comment parent
 * @param string $postmode 'html' or 'text'
 * @return mixed false for failure, HTML string (redirect?) for success
 */
function plugin_savecomment_article($title, $comment, $id, $pid, $postmode)
{
    global $_CONF, $_TABLES, $LANG03, $_USER;

    // story must exist, be published, be visible to this user (perm SQL)
    $storyWhere = "(sid = '" . DB_escapeString($id) . "') AND (draft_flag = 0) AND (date <= NOW())"
        . COM_getPermSQL('AND');
    $commentcode = DB_getItem($_TABLES['stories'], 'commentcode', $storyWhere);

    // no such story, or comments switched off for it (commentcode != 0)
    if (!isset($commentcode) || $commentcode != 0) {
        return COM_refresh($_CONF['site_url'] . '/index.php');
    }

    $saveResult = CMT_saveComment($title, $comment, $id, $pid, 'article', $postmode);

    if ($saveResult > 0) {
        // failure: re-display the form, preceded by an error box when one applies
        $errorBox = '';
        if (SESS_isSet('glfusion.commentpresave.error')) {
            // a pre-save hook left a specific message in the session; show it once
            $errorBox = COM_showMessageText(SESS_getVar('glfusion.commentpresave.error'), '', 1, 'error');
            SESS_unSet('glfusion.commentpresave.error');
        } elseif (empty($title) || empty($comment)) {
            $errorBox = COM_showMessageText($LANG03[12], '', 1, 'error');
        }

        return $errorBox . CMT_commentForm($title, $comment, $id, $pid, 'article', $LANG03[14], $postmode);
    }

    // success: re-sync the story's denormalised comment counter
    $commentCount = DB_count($_TABLES['comments'], array('type', 'sid'), array('article', $id));
    DB_change($_TABLES['stories'], 'comments', $commentCount, 'sid', $id);
    COM_olderStuff(); // update comment count in Older Stories block

    return COM_refresh(COM_buildUrl($_CONF['site_url'] . "/article.php?story={$id}#comments"));
}