* Delete a user as posted by an authorized user
 *
 */
if ($do_action == 'delete-user' && $_SERVER['REQUEST_METHOD'] == 'POST' && checkAuth()) {
    FbX::SetFeedbackLocation('user-management.Manage.php');
    try {
        // Only if current user has the rights
        if ($perm->is_level_okay('manageUsers', $_SESSION['ccms_userLevel'])) {
            $total = isset($_POST['userID']) ? count($_POST['userID']) : 0;
            if ($total == 0) {
                throw new FbX($ccms['lang']['system']['error_selection']);
            }
            // Delete details from the database
            $i = 0;
            foreach ($_POST['userID'] as $user_num) {
                $user_num = filterParam4Number($user_num);
                $values = array();
                // [i_a] make sure $values is an empty array to start with here
                $values['userID'] = MySQL::SQLValue($user_num, MySQL::SQLVALUE_NUMBER);
                $result = $db->DeleteRows($cfg['db_prefix'] . 'users', $values);
                $i++;
            }
            // Check for errors. NOTE(review): $result only holds the outcome of the LAST DeleteRows() call — this loop does not break on a failed delete (contrast the comment handler, which breaks on !$result), so an earlier failure is masked whenever the final delete succeeds.
            if ($result && $i == $total) {
                header('Location: ' . makeAbsoluteURI('user-management.Manage.php?status=notice&msg=' . rawurlencode($ccms['lang']['backend']['fullremoved'])));
                exit;
            } else {
                throw new FbX($db->MyDyingMessage());
            }
        } else {
            throw new FbX($ccms['lang']['auth']['featnotallowed']);
  * Particularly (b) plays well into our hands when we expand the notion of 'filtered page sets' in the admin section, i.e.
  * an admin section which currently only shows a SUBSET of all the pages available on the site.
  */
 // If all empty, we're done here
 if (empty($_POST['owner'])) {
     header('Location: ' . makeAbsoluteURI('./content-owners.Manage.php?status=notice&msg=' . rawurlencode($ccms['lang']['backend']['settingssaved'])));
     exit;
 }
 // Otherwise, set the page owners (phase #1)
 $ownership = array();
 foreach ($_POST['owner'] as $value) {
     // Split posted variable
     $explode = explode('||', $value);
     // Set variables
     $userID = filterParam4Number($explode[0]);
     $pageID = filterParam4Number($explode[1]);
     if (empty($userID) || empty($pageID)) {
         throw new FbX($ccms['lang']['system']['error_forged'] . ' (' . __FILE__ . ', ' . __LINE__ . ')');
     }
     if (empty($ownership[$pageID])) {
         $ownership[$pageID] = '';
     }
     $ownership[$pageID] .= '||' . $userID;
     // add user; we'll trim leading '||' in phase 2
 }
 // blow away the old ownership set for ALL PAGES: we need to do this as the form will only send us those owners who are ASSIGNED (not the ones we REMOVED)
 $values = array();
 $values['user_ids'] = MySQL::SQLValue('', MySQL::SQLVALUE_TEXT);
 if (!$db->UpdateRow($cfg['db_prefix'] . 'pages', $values)) {
     throw new FbX($db->MyDyingMessage());
 }
/**
 *
 * Either INSERT or UPDATE preferences
 *
 */
if ($_SERVER['REQUEST_METHOD'] == 'POST' && !empty($_POST) && checkAuth()) {
    FbX::SetFeedbackLocation("permissions.Manage.php");
    try {
        // (!) Only administrators can change these values. NOTE(review): this is a hard-coded level check ($_SESSION['ccms_userLevel'] >= 4) rather than the $perm->is_level_okay() lookup the other POST handlers use; if the permission table is meant to be authoritative, route this check through it as well.
        if ($_SESSION['ccms_userLevel'] >= 4) {
            // Execute UPDATE. NOTE(review): the filtered number $setting is only used for validation below — $perm->set() receives the raw $value (presumably so that "0" survives filtering); confirm that storing the unfiltered value is intended.
            $values = array();
            // [i_a] make sure $values is an empty array to start with here
            foreach ($_POST as $key => $value) {
                $key = filterParam4IdOrNumber($key);
                $setting = filterParam4Number($value);
                if (empty($key) || empty($setting) && $value !== "0") {
                    throw new FbX($ccms['lang']['system']['error_forged'] . ' (' . __FILE__ . ', ' . __LINE__ . ')');
                }
                $perm->set($key, $value);
            }
            if ($perm->SavePermissions($db, $cfg['db_prefix'], false)) {
                header('Location: ' . makeAbsoluteURI('permissions.Manage.php?status=notice&msg=' . rawurlencode($ccms['lang']['backend']['settingssaved'])));
                exit;
            } else {
                throw new FbX($db->MyDyingMessage());
            }
        } else {
            throw new FbX($ccms['lang']['auth']['featnotallowed']);
        }
    } catch (CcmsAjaxFbException $e) {
 FbX::SetFeedbackLocation('comment.Manage.php');
 try {
     if (!empty($page_id)) {
         FbX::SetFeedbackLocation('comment.Manage.php', 'page_id=' . $page_id);
         // Only if current user has the rights
         if ($perm->is_level_okay('manageModComment', $_SESSION['ccms_userLevel'])) {
             // Number of selected items
             $total = !empty($_POST['commentID']) && is_array($_POST['commentID']) ? count($_POST['commentID']) : 0;
             // If nothing selected, throw error
             if ($total == 0) {
                 throw new FbX($ccms['lang']['system']['error_selection']);
             }
             // Delete details from the database
             $i = 0;
             foreach ($_POST['commentID'] as $idnum) {
                 $idnum = filterParam4Number($idnum);
                 $values = array();
                 // [i_a] make sure $values is an empty array to start with here
                 $values['commentID'] = MySQL::SQLValue($idnum, MySQL::SQLVALUE_NUMBER);
                 /* only do this when a good pageID value was specified! */
                 $values["page_id"] = MySQL::SQLValue($page_id, MySQL::SQLVALUE_NUMBER);
                 $result = $db->DeleteRows($cfg['db_prefix'] . 'modcomment', $values);
                 if (!$result) {
                     break;
                 }
                 $i++;
             }
             // Check for errors
             if ($result && $i == $total) {
                 header('Location: ' . makeAbsoluteURI('comment.Manage.php?status=notice&page_id=' . $page_id . '&msg=' . rawurlencode($ccms['lang']['backend']['fullremoved'])));
                 exit;
 *
 * Delete a current album (including all of its files)
 *
 */
if ($_SERVER['REQUEST_METHOD'] == 'POST' && $do_action == 'del-album') {
    FbX::SetFeedbackLocation('lightbox.Manage.php', 'page_id=' . $page_id);
    try {
        // Only if current user has the rights. NOTE(review): unlike the other POST handlers (delete-user, permissions, liverename), the guard on this branch does not call checkAuth() — confirm the session is already authenticated earlier in this file before a directory under media/albums/ can be removed here.
        if ($perm->is_level_okay('manageModLightbox', $_SESSION['ccms_userLevel'])) {
            if (empty($_POST['albumID'])) {
                throw new FbX($ccms['lang']['system']['error_selection']);
            } else {
                $total = count($_POST['albumID']);
                $i = 0;
                foreach ($_POST['albumID'] as $key => $value) {
                    $key = filterParam4Number($key);
                    $value = filterParam4Filename($value);
                    if (!empty($key) && !empty($value)) {
                        $dest = BASE_PATH . '/media/albums/' . $value;
                        if (is_dir($dest)) {
                            if (recrmdir($dest)) {
                                $i++;
                            }
                        }
                    }
                }
                if ($total == $i) {
                    header('Location: ' . makeAbsoluteURI('lightbox.Manage.php?page_id=' . $page_id . '&status=notice&msg=' . rawurlencode($ccms['lang']['backend']['fullremoved'])));
                    exit;
                } else {
                    throw new FbX($ccms['lang']['system']['error_delete']);
        }
    } else {
        die($ccms['lang']['system']['error_forged'] . ' (' . __FILE__ . ', ' . __LINE__ . ')');
    }
    exit;
}
/**
 *
 * Change the page/file name inline.
 *
 * To make it a proper transaction, first try to change the filename, and only if that succeeds edit the database record.
 *
 */
if ($do_action == 'liverename' && $_SERVER['REQUEST_METHOD'] == 'POST' && checkAuth()) {
    $page_idcode = explode('-', getPOSTparam4IdOrNumber('id'), 2);
    $page_id = filterParam4Number(count($page_idcode) == 2 ? $page_idcode[1] : 0);
    if ($page_id > 0) {
        $row = $db->SelectSingleRow($cfg['db_prefix'] . 'pages', array('page_id' => MySQL::SQLValue($page_id, MySQL::SQLVALUE_NUMBER)));
        if (!$row) {
            $db->Kill();
        }
        $owner = explode('||', strval($row->user_ids));
        $oldname = $row->urlpage;
        if (checkSpecialPageName($row->urlpage, SPG_IS_NONREMOVABLE) || in_array($row->urlpage, $cfg['restrict']) && !in_array($_SESSION['ccms_userID'], $owner) && !$perm->is_level_okay('managePages', $_SESSION['ccms_userLevel']) || !$perm->is_level_okay('managePages', $_SESSION['ccms_userLevel'])) {
            die($ccms['lang']['system']['error_forged'] . ' (' . __FILE__ . ', ' . __LINE__ . ')');
            // feature not allowed, really... NOTE(review): because && binds tighter than ||, the condition above reduces to "non-removable page OR caller lacks managePages" — the restricted-page/owner clause is redundant, since its last term is already covered by the standalone !is_level_okay('managePages') check. Add parentheses if the owner exemption for restricted pages was meant to apply.
        } else {
            $newname = getPOSTparam4Filename('newname');
            if (empty($newname) || strlen($newname) < 3 || strlen($newname) > 240) {
                die($ccms['lang']['system']['error_value']);
            }
/**
 * Fetch a POST parameter and pass it through filterParam4Number().
 *
 * @param string $name  key to look up in $_POST
 * @param mixed  $def   value returned when the parameter is absent (isset() fails);
 *                      also handed to filterParam4Number() as its fallback — presumably
 *                      returned when the filter rejects the value, verify against that helper
 * @return mixed  the filtered number, or $def
 */
function getPOSTparam4Number($name, $def = null)
{
    $present = isset($_POST[$name]);
    // Absent (or null) parameter short-circuits to the caller's default without touching the filter.
    return $present ? filterParam4Number($_POST[$name], $def) : $def;
}