Пример #1
 /**
  * Startup hook: when no BackendUser is checked but PersistUser::check()
  * reports a user, hand the request to Controller::redirect().
  *
  * Nothing happens when a BackendUser is already checked, or when
  * PersistUser::check() reports nothing.
  */
 public static function hook_start()
 {
     $backendChecked = (bool) BackendUser::check();
     // PersistUser is only consulted when there is no checked backend user.
     if (!$backendChecked && PersistUser::check()) {
         Controller::redirect();
     }
 }
Пример #2
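    /**
     * Create a comment from the posted form.
     *
     * On a POST the comment object is read from the request; foreign_id and
     * foreign_table fall back to the previous request's first parameter and
     * area when the form left them empty. When no BackendUser is checked the
     * poster's details (controller var 'user') are matched against existing
     * BackendUser rows by email: a confirmed, active account must log in
     * first; an unconfirmed, active account is reused as the comment's
     * user_id; otherwise a new unconfirmed account is created and a
     * confirmation email sent. Null fields are stripped before the object is
     * handed to parent::action_create().
     *
     * @return mixed false when the comment is rejected, otherwise the result
     *               of parent::action_create()
     */
    public function action_create()
    {
        if (is_post()) {
            $parameters = get_previous_parameters();
            $object = new CommentObj();
            $object = $object->fromRequest();
            $object['foreign_id'] = empty($object['foreign_id']) ? reset($parameters) : $object['foreign_id'];
            $object['foreign_table'] = empty($object['foreign_table']) ? table_name(get_previous_area()) : $object['foreign_table'];
            //If we don't have a logged in user, create a dummy account
            if (!BackendUser::check()) {
                $old_user = Controller::getVar('user');
                if (empty($old_user['email'])) {
                    // Without an email there is nothing to match against and no
                    // usable account could be created (it would have a null email).
                    Backend::addError('Comment not added. Please supply your name and email address');
                    return false;
                }
                $query = new SelectQuery('BackendUser');
                $query->filter('`email` = :email');
                // Always assigned, so the switch below never reads an undefined variable.
                $existing_user = $query->fetchAssoc(array(':email' => $old_user['email']));
                switch (true) {
                    case $existing_user && $existing_user['confirmed'] && $existing_user['active']:
                        // A confirmed account must not be attributed to by email alone:
                        // anyone knowing the address could post as that user. Require a login.
                        Backend::addError('Comment not added. Please login first');
                        return false;
                    case $existing_user && !$existing_user['confirmed'] && $existing_user['active']:
                        //Unregistered user commented before
                        $object['user_id'] = $existing_user['id'];
                        break;
                    default:
                        // No account for this email yet (or an existing one that is not
                        // active): create an unconfirmed account and ask for confirmation.
                        $user_data = array('name' => $old_user['name'], 'surname' => '', 'email' => $old_user['email'], 'website' => $old_user['website'], 'username' => $old_user['email'], 'password' => get_random(), 'confirmed' => 0, 'active' => 1);
                        $user = self::getObject('BackendUser');
                        if ($user->create($user_data)) {
                            $object['user_id'] = $user->array['id'];
                            $url = SITE_LINK . '/?q=backend_user/confirm/' . $user->array['salt'];
                            $app_name = ConfigValue::get('Title');
                            $message = <<<END
Hi {$user->array['name']}!

Thank you for your comment on {$app_name}. An account has automatically been created for you. To activate it, please click on the following link:

{$url}

Please note that you don't need to do this for your comments to show, but this account will be deleted if it isn't confirmed in a weeks time.

Regards
END;
                            send_email($user->array['email'], 'Thank you for your comment.', $message);
                        } else {
                            Backend::addError('Could not create user to add Comment');
                            return false;
                        }
                        break;
                }
            }
            // Drop null fields. A closure replaces create_function(), which is
            // deprecated since PHP 7.2 and removed in PHP 8 (and is eval() underneath).
            $object = array_filter($object, function ($var) {
                return !is_null($var);
            });
            Controller::setVar('obj', $object);
        }
        return parent::action_create();
    }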
Пример #3
 /**
  * Decide whether the current request may perform $action on $subject.
  *
  * Always true when the backend runs without a database. The permitted
  * roles for the action/subject come from GateKeeper::permittedRoles(); the
  * user is the checked BackendUser, falling back to $_SESSION['BackendUser'].
  * The final answer is whether the user's roles intersect the permitted ones.
  *
  * @param string        $action     Action name, '*' for any.
  * @param string|object $subject    Subject name, or an object whose class name is used; '*' for any.
  * @param int           $subject_id Id of a specific subject, 0 for none.
  * @return bool
  */
 public static function check($action = '*', $subject = '*', $subject_id = 0)
 {
     if (!BACKEND_WITH_DATABASE) {
         return true;
     }
     // Per-request memo keyed on the normalised arguments. Results are stored
     // below, but the early return is commented out, so nothing is ever read
     // back from it.
     static $cache = array();
     if (is_object($subject)) {
         $subject = get_class($subject);
     }
     $key = serialize(array($action, $subject, $subject_id));
     if (array_key_exists($key, $cache)) {
         //return $cache[$key];
     }
     $roles = GateKeeper::permittedRoles($action, class_for_url($subject), $subject_id);
     $user = BackendUser::check();
     // Fall back to the session copy when no BackendUser is checked.
     // NOTE(review): the session value is assumed to expose ->roles like the
     // checked user does — confirm its shape.
     $user = !$user && !empty($_SESSION['BackendUser']) ? $_SESSION['BackendUser'] : $user;
     // NOTE(review): this branch returns true (allowed) when there is no user
     // AND 'anonymous' is NOT among the permitted roles, while a visitor on a
     // subject that does list 'anonymous' falls through to the 'No User Roles'
     // denial below. That reads as inverted; confirm the intended semantics of
     // permittedRoles() before relying on it. in_array() is also called here
     // without the is_array($roles) guard applied further down.
     if (!$user && !in_array('anonymous', $roles)) {
         if (Controller::$debug) {
             Backend::addNotice('Anonymous User');
         }
         $cache[$key] = true;
         return true;
     }
     // A concrete subject must map to an active component.
     if ($subject != '*' && !Component::isActive(class_name($subject))) {
         if (Controller::$debug) {
             Backend::addNotice('Invalid Component: ' . class_name($subject));
         }
         $cache[$key] = false;
         return false;
     }
     if (empty($user->roles)) {
         if (Controller::$debug) {
             Backend::addNotice('No User Roles');
         }
         $cache[$key] = false;
         return false;
     }
     // A non-array $roles is treated as "no restriction": every user role counts.
     $intersect = is_array($roles) ? array_intersect($user->roles, $roles) : $user->roles;
     if (Controller::$debug >= 2) {
         Backend::addNotice('Valid roles found: ' . json_encode($intersect));
     }
     $result = count($intersect) ? true : false;
     $cache[$key] = $result;
     return $result;
 }
Пример #4
 /**
  * Return the roles of a user.
  *
  * NOTE(review): no authorisation check is applied to $userId here; any
  * caller can request another user's roles — confirm the caller enforces it.
  *
  * @param mixed $userId Id of the user to retrieve; when falsy the currently
  *                      checked BackendUser (cast to array) is used.
  * @return mixed The user's 'roles' entry, or false when no user is resolved.
  *               As a side effect the resolved user's id is stored in
  *               Controller::$parameters[0].
  */
 public function get_roles($userId = false)
 {
     $resolved = $userId
         ? BackendUser::retrieve($userId)
         : (array) BackendUser::check();
     if (!$resolved) {
         return false;
     }
     // Expose the resolved user id as the first controller parameter.
     Controller::$parameters[0] = $resolved['id'];
     return $resolved['roles'];
 }
Пример #5
 /**
  * Admin links applicable to the checked BackendUser.
  *
  * @return array|false List of array('text' => ..., 'href' => ...) entries,
  *                     or false when nobody is checked or no link applies.
  */
 public static function adminLinks()
 {
     $user = BackendUser::check();
     if (!$user) {
         return false;
     }
     $links = array();
     // Offered until 'AdminInstalled' is set, and only to superadmins.
     if (!ConfigValue::get('AdminInstalled', false) && in_array('superadmin', $user->roles)) {
         $links[] = array('text' => 'Install Application', 'href' => '?q=admin/install');
     }
     if (!BACKEND_WITH_DATABASE) {
         $links[] = array('text' => 'Install Database', 'href' => '?q=admin/install_db');
     }
     // Scaffolding is never offered on a production site.
     if (SITE_STATE != 'production') {
         $links[] = array('text' => 'Scaffold', 'href' => '?q=admin/scaffold');
     }
     return empty($links) ? false : $links;
 }
Пример #6
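 /**
  * If the object has an owner_id field, check that against the current user
  *
  * We ignore the action so that it checks every action. You can customize
  * this per action by overriding this function in the model
  *
  * @param string $action Unused here; kept so overrides can act per action.
  * @return bool true when there is no data or no owner_id field, or when the
  *              checked user owns the record or holds the superadmin role;
  *              false otherwise (including when no user is checked).
  */
 public function checkOwnership($action)
 {
     $data = $this->array ? $this->array : ($this->object ? (array) $this->object : false);
     if (!$data) {
         //Return true, otherwise invalid objects trigger permission errors
         return true;
     }
     if (!array_key_exists('owner_id', $data)) {
         //No Owner defined
         return true;
     }
     $user = BackendUser::check();
     if (!$user) {
         // Nobody to compare against. Returning here also stops the role check
         // below from reading ->roles on a non-object.
         return false;
     }
     // Compare as strings: a loose == between an integer id and a
     // non-numeric owner_id would match on PHP < 8.
     if ((string) $user->id === (string) $data['owner_id']) {
         return true;
     }
     return in_array('superadmin', (array) $user->roles, true);
 }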
Пример #7
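<hr class="space">
<h3>Post a comment</h3>
<form method="post" action="?q=comment/create" enctype="multipart/form-data">
	<?php if (!BackendUser::check()) { ?>
		<label>Name:</label><span class="quiet"> Required</span><br><input type="text" class="text" name="user[name]"><br>
		<label>Email:</label><span class="quiet"> Required, won't be published</span><br><input type="text" class="text" name="user[email]"><br>
		<label>Website:</label><span class="quiet"> Optional</span><br><input type="text" class="text" name="user[website]"><br>
	<?php } ?>
	<?php /* Both values are written into an attribute, so they are escaped for that context whatever their origin. */ ?>
	<input id="foreign_table" name="foreign_table" type="hidden" value="<?php echo htmlspecialchars((string) $foreign_table, ENT_QUOTES, 'UTF-8'); ?>">
	<input id="foreign_id"    name="foreign_id"    type="hidden" value="<?php echo htmlspecialchars((string) $foreign_id, ENT_QUOTES, 'UTF-8'); ?>">
	<textarea id="content" name="content" class="textarea"></textarea><br>
	<input type="submit" value="Add Comment" class=""/>
</form>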
Пример #8
 /**
  * One-time controller initialisation for the current request.
  *
  * In MODE_REQUEST this starts the session (if none exists) and sets the
  * timezone; it then loads the salt, works out the debug level, configures
  * error display, parses the query (payload 'q' overriding the query-string
  * 'q'), picks the View, replays flash messages kept in the session and runs
  * the 'init' hooks. Guarded by self::$init so it runs only once.
  */
 public static function init()
 {
     if (!self::$init) {
         if (self::$mode == self::MODE_REQUEST) {
             // HTTPS detection: port 443 or HTTPS=on. NOTE(review): behind a
             // TLS-terminating proxy neither may be set, in which case the
             // session cookie is issued without the Secure flag — confirm
             // the deployment.
             if ($_SERVER['SERVER_PORT'] == 443 || !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') {
                 $secure = true;
             } else {
                 $secure = false;
             }
             if (WEB_SUB_FOLDER == '/') {
                 // A sub folder of '/' was evidently unexpected here; the
                 // diagnostic stack trace is left disabled.
                 //print_stacktrace(); die;
             }
             if (session_id() == '') {
                 // Session cookie: lifetime 0 (until browser close), path
                 // WEB_SUB_FOLDER, no domain, Secure only on HTTPS, HttpOnly.
                 session_set_cookie_params(0, WEB_SUB_FOLDER, null, $secure, true);
                 session_name('Controller');
                 // NOTE(review): the @ hides any session_start() failure
                 // (e.g. headers already sent), leaving $_SESSION unusable
                 // with no trace.
                 @session_start();
             }
             date_default_timezone_set(ConfigValue::get('Timezone', 'Africa/Johannesburg'));
         }
         self::check_quotes();
         // NOTE(review): the fallback salt is a fixed literal; every
         // deployment that does not configure 'Salt' shares it. Confirm it is
         // set per site.
         self::$salt = ConfigValue::get('Salt', 'Change this to something random!');
         //TODO jrgns: Don't know if I like this here...
         $user = BackendUser::check();
         //Debugging
         self::$debug = false;
         // The 'debug' query var is honoured outside production, or for a
         // superadmin anywhere.
         if (SITE_STATE != 'production' || $user && in_array('superadmin', $user->roles)) {
             switch (true) {
                 case array_key_exists('debug', self::$query_vars):
                     //Default to lowest level
                     self::$debug = is_numeric(self::$query_vars['debug']) ? (int) self::$query_vars['debug'] : 1;
                     break;
             }
         }
         // A configured 'Debug' value overrides whatever the query var set.
         if ($config_debug = ConfigValue::get('Debug', false)) {
             self::$debug = $config_debug;
         }
         Backend::add('debug', self::$debug);
         // Error display follows the debug flag, so a superadmin using ?debug
         // on a production site sees PHP errors in the response.
         if (SITE_STATE != 'production' || self::$debug) {
             ini_set('display_errors', 1);
             ini_set('error_reporting', E_ALL | E_STRICT);
         } else {
             ini_set('display_errors', 0);
         }
         //q in the payload overrides the q in the query string
         $query = array_key_exists('q', self::$payload) ? self::$payload['q'] : (array_key_exists('q', self::$query_vars) ? self::$query_vars['q'] : '');
         $query = self::checkQuery(Request::getQuery($query));
         $query = Hook::run('init', 'pre', array($query));
         self::parseQuery($query);
         //View
         self::$view = View::getInstance();
         if (!self::$view instanceof View) {
             self::$view = View::getInstance(ConfigValue::get('DefaultView', 'HtmlView'));
             self::whoops('Unrecognized Request', array('message' => 'Could not find a View for the Request', 'code_hint' => 406));
             if (self::$debug) {
                 // Dumps the full request and server environment into the
                 // response; reachable only with debug enabled (see above).
                 print_stacktrace();
                 var_dump(self::$query_vars, $query, $_REQUEST, $_SERVER);
             }
         }
         //Sessions
         // Flash messages stored by earlier requests. NOTE(review): $_SESSION
         // is only started above in MODE_REQUEST; other modes are assumed to
         // have it available — confirm.
         if (array_key_exists('error', $_SESSION)) {
             Backend::addError($_SESSION['error']);
         }
         if (array_key_exists('notice', $_SESSION)) {
             Backend::addNotice($_SESSION['notice']);
         }
         if (array_key_exists('success', $_SESSION)) {
             Backend::addSuccess($_SESSION['success']);
         }
         Hook::run('init', 'post');
         self::$init = true;
     }
 }