$relPath = "./../../pinc/"; include_once $relPath . 'base.inc'; include_once $relPath . 'misc.inc'; include_once $relPath . 'user_is.inc'; include_once $relPath . 'project_edit.inc'; include_once $relPath . 'DPage.inc'; include_once $relPath . 'Project.inc'; include_once $relPath . 'projectinfo.inc'; require_login(); $projectid = validate_projectID('project', @$_GET['project']); $loading_tpnv = @$_GET['tpnv'] == '1'; abort_if_cant_edit_project($projectid); if (!user_can_add_project_pages($projectid, $loading_tpnv == 1 ? "tp&v" : "normal")) { // abort if a load_disabled user is trying to load normal pages into an empty project check_user_can_load_projects(true); // exit if they can't // otherwise the state must have been wrong echo "<p>" . _("Pages cannot be added to the project in its current state.") . "</p>"; exit; } if ($_GET['rel_source'] == '') { die('rel_source parameter is empty or unset'); } else { $rel_source = $_GET['rel_source']; if (get_magic_quotes_gpc()) { $rel_source = stripslashes($rel_source); } // Prevent sneaky parent-link tricks. if (str_contains($rel_source, "..")) { echo "Source directory '{$rel_source}' is not acceptable.";
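/**
 * Emit the "Change Project State" section: one POST form per state
 * transition that get_valid_transitions() returns for the global
 * $project and $pguser.
 *
 * Reads the globals $project, $pguser, $code_url and $charset, and
 * $_SERVER['REQUEST_URI']. Writes HTML straight to the output stream
 * and returns nothing. When there are no valid transitions it emits
 * nothing at all.
 */
function do_change_state()
{
    global $project, $pguser, $code_url, $charset;

    $valid_transitions = get_valid_transitions($project, $pguser);
    if (count($valid_transitions) == 0) {
        return;
    }

    echo "<h4>";
    echo _("Change Project State");
    echo "</h4>\n";

    if ($project->state == PROJ_NEW) {
        echo "<p>\n";
        echo _("Check for missing pages and make sure that all illustration files have been uploaded <b>before</b> moving this project into the rounds.");
        echo "</p>\n";
    }

    // print out a message if PM has project loads disabled,
    // as they can't move a project out of the unavailable state
    if ($project->can_be_managed_by_current_user) {
        check_user_can_load_projects(false);
    }

    $here = $_SERVER['REQUEST_URI'];
    // If the request URI included an 'expected_state' parameter, there's a wrinkle:
    // If the user clicks on this button, the project's state will (normally) change.
    // So if we then returned the user to exactly this URI, they'd get a warning:
    // "The project is no longer in 'this state'. It is now in 'that state'.
    // So we suppress the 'expected_state' parameter from the request URI.
    $here = preg_replace('/expected_state=[A-Za-z._0-9]+/', '', $here);
    // This can leave an extra &, but I suspect browsers can handle it.

    // REQUEST_URI is chosen by whoever built the link the user followed, so
    // it is untrusted input. It used to be interpolated raw into a
    // single-quoted attribute, where a quote or angle bracket in the URI
    // could end the attribute and inject markup into the page. Encode it
    // with attr_safe(), the helper already used below for the submit
    // button's value. The browser decodes the entities again on submit, so
    // the posted return_uri is unchanged for ordinary URIs.
    // NOTE(review): attr_safe() is defined outside this block; confirm it
    // escapes single quotes, since every attribute here is single-quoted.
    // NOTE(review): changestate.php is not visible here; confirm it checks
    // that return_uri is a same-site path before redirecting to it.
    $here_attr = attr_safe($here);

    foreach ($valid_transitions as $transition) {
        echo "<form method='POST' action='{$code_url}/tools/changestate.php'>";
        echo "<input type='hidden' name='projectid' value='{$project->projectid}'>\n";
        echo "<input type='hidden' name='curr_state' value='{$project->state}'>\n";
        echo "<input type='hidden' name='next_state' value='{$transition->to_state}'>\n";
        echo "<input type='hidden' name='confirmed' value='yes'>\n";
        echo "<input type='hidden' name='return_uri' value='{$here_attr}'>\n";

        // A transition without a confirmation question submits immediately;
        // otherwise the button asks the question through confirm() first.
        $question = $transition->confirmation_question;
        if (is_null($question)) {
            $onClick_condition = "return true;";
        } else {
            $onClick_condition = "return confirm(\"" . javascript_safe($question, $charset) . "\");";
        }
        $onclick_attr = "onClick='{$onClick_condition}'";
        echo "<input type='submit' value='", attr_safe($transition->action_name), "' {$onclick_attr}>";

        // Say who is allowed to do this transition.
        // (The original wrapped this in an always-true `if (1)`.)
        echo " [{$transition->who_restriction}]";

        echo "</form>\n";
    }
}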