* Delete a user as posted by an authorized user * */ if ($do_action == 'delete-user' && $_SERVER['REQUEST_METHOD'] == 'POST' && checkAuth()) { FbX::SetFeedbackLocation('user-management.Manage.php'); try { // Only if current user has the rights if ($perm->is_level_okay('manageUsers', $_SESSION['ccms_userLevel'])) { $total = isset($_POST['userID']) ? count($_POST['userID']) : 0; if ($total == 0) { throw new FbX($ccms['lang']['system']['error_selection']); } // Delete details from the database $i = 0; foreach ($_POST['userID'] as $user_num) { $user_num = filterParam4Number($user_num); $values = array(); // [i_a] make sure $values is an empty array to start with here $values['userID'] = MySQL::SQLValue($user_num, MySQL::SQLVALUE_NUMBER); $result = $db->DeleteRows($cfg['db_prefix'] . 'users', $values); $i++; } // Check for errors if ($result && $i == $total) { header('Location: ' . makeAbsoluteURI('user-management.Manage.php?status=notice&msg=' . rawurlencode($ccms['lang']['backend']['fullremoved']))); exit; } else { throw new FbX($db->MyDyingMessage()); } } else { throw new FbX($ccms['lang']['auth']['featnotallowed']);
* Particularly (b) plays well into our hands when we expand the notion of 'filtered page sets' in the admin section, i.e. * an admin section which currently only shows a SUBSET of all the pages available on the site. */ // If all empty, we're done here if (empty($_POST['owner'])) { header('Location: ' . makeAbsoluteURI('./content-owners.Manage.php?status=notice&msg=' . rawurlencode($ccms['lang']['backend']['settingssaved']))); exit; } // Otherwise, set the page owners (phase #1) $ownership = array(); foreach ($_POST['owner'] as $value) { // Split posted variable $explode = explode('||', $value); // Set variables $userID = filterParam4Number($explode[0]); $pageID = filterParam4Number($explode[1]); if (empty($userID) || empty($pageID)) { throw new FbX($ccms['lang']['system']['error_forged'] . ' (' . __FILE__ . ', ' . __LINE__ . ')'); } if (empty($ownership[$pageID])) { $ownership[$pageID] = ''; } $ownership[$pageID] .= '||' . $userID; // add user; we'll trim leading '||' in phase 2 } // blow away the old ownership set for ALL PAGES: we need to do this as the form will only send us those owners who are ASSIGNED (not the ones we REMOVED) $values = array(); $values['user_ids'] = MySQL::SQLValue('', MySQL::SQLVALUE_TEXT); if (!$db->UpdateRow($cfg['db_prefix'] . 'pages', $values)) { throw new FbX($db->MyDyingMessage()); }
/** * * Either INSERT or UPDATE preferences * */ if ($_SERVER['REQUEST_METHOD'] == 'POST' && !empty($_POST) && checkAuth()) { FbX::SetFeedbackLocation("permissions.Manage.php"); try { // (!) Only administrators can change these values if ($_SESSION['ccms_userLevel'] >= 4) { // Execute UPDATE $values = array(); // [i_a] make sure $values is an empty array to start with here foreach ($_POST as $key => $value) { $key = filterParam4IdOrNumber($key); $setting = filterParam4Number($value); if (empty($key) || empty($setting) && $value !== "0") { throw new FbX($ccms['lang']['system']['error_forged'] . ' (' . __FILE__ . ', ' . __LINE__ . ')'); } $perm->set($key, $value); } if ($perm->SavePermissions($db, $cfg['db_prefix'], false)) { header('Location: ' . makeAbsoluteURI('permissions.Manage.php?status=notice&msg=' . rawurlencode($ccms['lang']['backend']['settingssaved']))); exit; } else { throw new FbX($db->MyDyingMessage()); } } else { throw new FbX($ccms['lang']['auth']['featnotallowed']); } } catch (CcmsAjaxFbException $e) {
FbX::SetFeedbackLocation('comment.Manage.php'); try { if (!empty($page_id)) { FbX::SetFeedbackLocation('comment.Manage.php', 'page_id=' . $page_id); // Only if current user has the rights if ($perm->is_level_okay('manageModComment', $_SESSION['ccms_userLevel'])) { // Number of selected items $total = !empty($_POST['commentID']) && is_array($_POST['commentID']) ? count($_POST['commentID']) : 0; // If nothing selected, throw error if ($total == 0) { throw new FbX($ccms['lang']['system']['error_selection']); } // Delete details from the database $i = 0; foreach ($_POST['commentID'] as $idnum) { $idnum = filterParam4Number($idnum); $values = array(); // [i_a] make sure $values is an empty array to start with here $values['commentID'] = MySQL::SQLValue($idnum, MySQL::SQLVALUE_NUMBER); /* only do this when a good pageID value was specified! */ $values["page_id"] = MySQL::SQLValue($page_id, MySQL::SQLVALUE_NUMBER); $result = $db->DeleteRows($cfg['db_prefix'] . 'modcomment', $values); if (!$result) { break; } $i++; } // Check for errors if ($result && $i == $total) { header('Location: ' . makeAbsoluteURI('comment.Manage.php?status=notice&page_id=' . $page_id . '&msg=' . rawurlencode($ccms['lang']['backend']['fullremoved']))); exit;
* * Delete a current album (including all of its files) * */ if ($_SERVER['REQUEST_METHOD'] == 'POST' && $do_action == 'del-album') { FbX::SetFeedbackLocation('lightbox.Manage.php', 'page_id=' . $page_id); try { // Only if current user has the rights if ($perm->is_level_okay('manageModLightbox', $_SESSION['ccms_userLevel'])) { if (empty($_POST['albumID'])) { throw new FbX($ccms['lang']['system']['error_selection']); } else { $total = count($_POST['albumID']); $i = 0; foreach ($_POST['albumID'] as $key => $value) { $key = filterParam4Number($key); $value = filterParam4Filename($value); if (!empty($key) && !empty($value)) { $dest = BASE_PATH . '/media/albums/' . $value; if (is_dir($dest)) { if (recrmdir($dest)) { $i++; } } } } if ($total == $i) { header('Location: ' . makeAbsoluteURI('lightbox.Manage.php?page_id=' . $page_id . '&status=notice&msg=' . rawurlencode($ccms['lang']['backend']['fullremoved']))); exit; } else { throw new FbX($ccms['lang']['system']['error_delete']);
} } else { die($ccms['lang']['system']['error_forged'] . ' (' . __FILE__ . ', ' . __LINE__ . ')'); } exit; } /** * * Change the page/file name inline. * * To make it a proper transaction, first try to change the filename, and only if that succeeds edit the database record. * */ if ($do_action == 'liverename' && $_SERVER['REQUEST_METHOD'] == 'POST' && checkAuth()) { $page_idcode = explode('-', getPOSTparam4IdOrNumber('id'), 2); $page_id = filterParam4Number(count($page_idcode) == 2 ? $page_idcode[1] : 0); if ($page_id > 0) { $row = $db->SelectSingleRow($cfg['db_prefix'] . 'pages', array('page_id' => MySQL::SQLValue($page_id, MySQL::SQLVALUE_NUMBER))); if (!$row) { $db->Kill(); } $owner = explode('||', strval($row->user_ids)); $oldname = $row->urlpage; if (checkSpecialPageName($row->urlpage, SPG_IS_NONREMOVABLE) || in_array($row->urlpage, $cfg['restrict']) && !in_array($_SESSION['ccms_userID'], $owner) && !$perm->is_level_okay('managePages', $_SESSION['ccms_userLevel']) || !$perm->is_level_okay('managePages', $_SESSION['ccms_userLevel'])) { die($ccms['lang']['system']['error_forged'] . ' (' . __FILE__ . ', ' . __LINE__ . ')'); // feature not allowed, really... } else { $newname = getPOSTparam4Filename('newname'); if (empty($newname) || strlen($newname) < 3 || strlen($newname) > 240) { die($ccms['lang']['system']['error_value']); }
/**
 * Fetch a POST field and run it through filterParam4Number().
 *
 * Absent fields short-circuit to $def without touching the filter, so callers
 * cannot tell "not sent" apart from "sent but rejected by the filter" unless
 * they pick a $def the filter would never produce.
 *
 * @param string $name  key looked up in $_POST
 * @param mixed  $def   returned when the field is absent (isset() semantics:
 *                      a missing key and an explicit null are treated alike);
 *                      also forwarded to filterParam4Number() as its second
 *                      argument — presumably the fallback for a non-numeric
 *                      value, confirm against that helper
 * @return mixed $def when the field is absent, otherwise the result of
 *               filterParam4Number()
 */
function getPOSTparam4Number($name, $def = null)
{
    // Mirror isset(): both a missing key and a null value fall back to $def.
    if (!array_key_exists($name, $_POST) || $_POST[$name] === null) {
        return $def;
    }

    $raw = $_POST[$name];

    // NOTE(review): a repeated field (name[]=...) arrives here as an array and
    // is handed to the filter unchanged; whether filterParam4Number() rejects
    // arrays is not visible from this file — confirm before relying on it.
    return filterParam4Number($raw, $def);
}