/**
 *  Check blog permissions
 *
 * @param string $page The page requested - blog, reply, mcp, install, upgrade, update, dev, resync
 * @param string $mode The mode requested - depends on the $page requested
 * @param bool $return If you would like this function to return true or false (if they have permission or not).  If it is false we give them a login box if they are not logged in, or give them the NO_AUTH error message
 * @param int $blog_id The blog_id requested (needed for some things, like blog edit, delete, etc
 * @param int $reply_id The reply_id requested, used for the same reason as $blog_id
 *
 * @return Returns
 *	- true if the user is authorized to do the requested action
 *	- false if the user is not authorized to do the requested action
 */
function check_blog_permissions($page, $mode, $return = false, $blog_id = 0, $reply_id = 0)
{
    global $user, $config, $auth, $blog_plugins;
    blog_plugins::plugin_do('function_check_blog_permissions');
    switch ($page) {
        case 'blog':
            switch ($mode) {
                case 'add':
                    $is_auth = $auth->acl_get('u_blogpost') ? true : false;
                    break;
                case 'edit':
                    $is_auth = $user->data['user_id'] != ANONYMOUS && ($auth->acl_get('u_blogedit') && $user->data['user_id'] == blog_data::$blog[$blog_id]['user_id'] || $auth->acl_get('m_blogedit')) ? true : false;
                    break;
                case 'delete':
                    if (blog_data::$blog[$blog_id]['blog_deleted'] == 0 || $auth->acl_get('a_blogdelete')) {
                        $is_auth = $user->data['user_id'] != ANONYMOUS && ($auth->acl_get('u_blogdelete') && $user->data['user_id'] == blog_data::$blog[$blog_id]['user_id'] || $auth->acl_get('m_blogdelete') || $auth->acl_get('a_blogdelete')) ? true : false;
                    } else {
                        $is_auth = false;
                    }
                    break;
                case 'undelete':
                    $is_auth = $auth->acl_gets('m_blogdelete', 'a_blogdelete') || blog_data::$blog[$blog_id]['blog_deleted'] == $user->data['user_id'] ? true : false;
                    break;
                case 'report':
                    $is_auth = $auth->acl_get('u_blogreport') ? true : false;
                    break;
                case 'approve':
                    $is_auth = $auth->acl_get('m_blogapprove') ? true : false;
                    break;
                case 'vote':
                    $is_auth = $auth->acl_get('u_blog_vote') && handle_user_blog_permissions($blog_id) ? true : false;
                    break;
            }
            break;
        case 'reply':
            switch ($mode) {
                case 'add':
                case 'quote':
                    $is_auth = $auth->acl_get('u_blogreply') && handle_user_blog_permissions($blog_id, false, 'reply') ? true : false;
                    break;
                case 'edit':
                    $is_auth = $user->data['user_id'] != ANONYMOUS && ($auth->acl_get('u_blogreplyedit') && $user->data['user_id'] == blog_data::$reply[$reply_id]['user_id'] || isset(blog_data::$blog[$blog_id]['user_id']) && $auth->acl_get('u_blogmoderate') && $user->data['user_id'] == blog_data::$blog[$blog_id]['user_id'] || $auth->acl_get('m_blogreplyedit')) ? true : false;
                    break;
                case 'delete':
                    if (blog_data::$reply[$reply_id]['reply_deleted'] == 0 || $auth->acl_get('a_blogreplydelete')) {
                        $is_auth = $user->data['user_id'] != ANONYMOUS && ($auth->acl_get('u_blogreplydelete') && $user->data['user_id'] == blog_data::$reply[$reply_id]['user_id'] || isset(blog_data::$blog[$blog_id]['user_id']) && $auth->acl_get('u_blogmoderate') && $user->data['user_id'] == blog_data::$blog[$blog_id]['user_id'] || $auth->acl_gets('a_blogreplydelete', 'm_blogreplydelete')) ? true : false;
                    } else {
                        $is_auth = false;
                    }
                    break;
                case 'undelete':
                    $is_auth = $auth->acl_gets('m_blogreplydelete', 'a_blogreplydelete') || blog_data::$reply[$reply_id]['reply_deleted'] == $user->data['user_id'] ? true : false;
                    break;
                case 'report':
                    $is_auth = $auth->acl_get('u_blogreport') ? true : false;
                    break;
                case 'approve':
                    $is_auth = $auth->acl_get('m_blogreplyapprove') ? true : false;
                    break;
            }
            break;
        case 'mcp':
            $is_auth = $auth->acl_gets('m_blogapprove', 'acl_m_blogreport') ? true : false;
            break;
        case 'rate':
            $is_auth = $user->data['is_registered'] ? true : false;
            break;
        case 'install':
        case 'update':
        case 'upgrade':
        case 'dev':
        case 'resync':
            $is_auth = $user->data['user_type'] == USER_FOUNDER ? true : false;
            $founder = true;
            break;
    }
    $temp = compact('is_auth', 'page', 'mode', 'blog_id', 'reply_id');
    blog_plugins::plugin_do_ref('permissions_end', $temp);
    extract($temp);
    // if $is_auth hasn't been set yet they are just viewing a blog/user/etc, if it has been set also check to make sure they can view blogs
    if (!isset($is_auth)) {
        $is_auth = $auth->acl_get('u_blogview') ? true : false;
    } else {
        // if it is the install page they will not have viewing permissions, but they already need to be a founder :P
        $is_auth = !$auth->acl_get('u_blogview') && $page != 'install' ? false : $is_auth;
    }
    if (!$return) {
        if (!$is_auth) {
            if (!$user->data['is_registered']) {
                global $template;
                $template->set_template();
                // reset the template.  Required because of user styles.
                login_box();
            } else {
                if (isset($founder) && $founder) {
                    trigger_error('MUST_BE_FOUNDER');
                } else {
                    trigger_error('NO_AUTH_OPERATION');
                }
            }
        }
    } else {
        return $is_auth;
    }
}
示例#2
0
    }
    $user_id = blog_data::$blog[$blog_id]['user_id'];
}
if ($user_id) {
    blog_data::$user_queue[] = (int) $user_id;
    $blog_data->get_user_data(false, true);
    // do it this way so we get user data on editors/deleters
    if (!array_key_exists($user_id, blog_data::$user)) {
        trigger_error('NO_USER');
    }
    $username = blog_data::$user[$user_id]['username'];
}
get_user_settings(array($user_id, $user->data['user_id']));
get_zebra_info(array($user_id, $user->data['user_id']));
// Make sure the user can view this blog by checking the blog's individual permissions
if ($blog_id && !handle_user_blog_permissions($blog_id)) {
    trigger_error('NO_PERMISSIONS_READ');
}
// Put the template we want in $blog_template for easier access/use
// style= to use a board style, blogstyle= to use a custom blog style, otherwise it is set to the user's style or blank if none set
$blog_template = isset($_GET['style']) ? request_var('style', 0) : (isset($_GET['blogstyle']) ? request_var('blogstyle', '') : ($user_id && isset($user_settings[$user_id]) ? $user_settings[$user_id]['blog_style'] : ''));
/**
* Ok, now lets actually start setting up the page.
*/
/*
* A slightly (weird) way it is that I have set this up.  Only on the view blog/user page can the user set a custom style except if that custom style is also a board style.
* If the style they selected is also a board style we will also show that style on the posting/etc pages.  This is to keep it easier on the custom template developers.
*/
if ($user_style && $blog_template && !is_numeric($blog_template) && is_dir($phpbb_root_path . 'blog/styles/' . $blog_template)) {
    // Do note style developers that dots and slashes in your style names are not allowed.
    if (strpos($blog_template, '.') !== false || strpos($blog_template, '/') !== false) {