// Fragment (start and end of the enclosing script are outside this view): resolves which
// user's settings are being edited, optionally stores a template choice in a cookie, then
// validates the 'user_settings' CSRF token before touching the database.

// if not logged in, redirect to the index page
// The login name is taken from the mnm_user cookie (client-controlled) and run through sanitize(); when the
// cookie is absent the authenticated user's login is used instead.
$login = isset($_COOKIE['mnm_user']) ? sanitize($_COOKIE['mnm_user'], 3) : '';
//$login = isset($_GET['login']) ? sanitize($_GET['login'], 3) : '';
if ($login === '') {
    if ($current_user->user_id > 0) {
        $login = $current_user->user_login;
    } else {
        header('Location: ./');
        die;
    }
}
// NOTE(review): $_POST['template'] is used raw both in the filesystem path probed by file_exists() and as the
// cookie value; file_exists() is the only gate here. Confirm a basename()/allowlist check exists upstream, or
// add one. The cookie domain is derived from the Host request header, which the client also supplies.
// This cookie write also happens BEFORE the CSRF token below is validated.
if (Allow_User_Change_Templates && file_exists("./templates/" . $_POST['template'] . "/header.tpl")) {
    $domain = $_SERVER['HTTP_HOST'] == 'localhost' ? '' : preg_replace('/^www/', '', $_SERVER['HTTP_HOST']);
    setcookie("template", $_POST['template'], time() + 60 * 60 * 24 * 30, '/', $domain);
}
// CSRF protection for the settings form; everything after this point is reached only with a valid token.
$CSRF->check_expired('user_settings');
if (!$CSRF->check_valid(sanitize($_POST['token'], 3), 'user_settings')) {
    $CSRF->show_invalid_error(1);
    exit;
}
$login_user = $db->escape($login);
//$login_user = $_GET['login'];
// NOTE(review): the '******' literal is a redaction artifact in this copy of the source, not the real
// query text; the intended WHERE value (presumably $login_user) cannot be confirmed from here.
$sqlGetiUserId = $db->get_var("SELECT user_id from " . table_users . " where user_login = '******';");
$select_check = $_POST['chack'];
/*
$geturl = $_SERVER['HTTP_REFERER'];
$url = strtolower(end(explode('/', $geturl)));
$vowels = array($url);
$Get_URL = str_replace($vowels, "", $geturl);
*/
// Accept the Referer only when it starts with this site's base URL. The check is a plain string prefix
// match: it is exactly as strict as $my_base_url . $my_pligg_base, so if $my_pligg_base is empty any
// referer whose host merely begins with this site's host would pass. The else branch continues past this fragment.
if ($_SERVER['HTTP_REFERER'] && strpos($_SERVER['HTTP_REFERER'], $my_base_url . $my_pligg_base) === 0) {
    $geturl = $_SERVER['HTTP_REFERER'];
} else {
// Fragment of the group-edit page (editgroup): access check, CSRF setup, and the start of
// the group-avatar upload handler. Both ends of the enclosing script are outside this view.

//check group admin
// Only the group creator or a 'god'-level user may continue. $requestID is defined before this fragment.
$canIhaveAccess = checklevel('god');
if ($current_user->user_id != get_group_creator($requestID) && $canIhaveAccess != 1) {
    //page redirect
    $redirect = '';
    $redirect = getmyurl("group_story", $requestID);
    // header("Location: $redirect");
    // NOTE(review): in the collapsed copy of this source the redirect comment and `die;` sat on one line;
    // `die;` is read here as live code (the access-denied path must stop execution). Confirm against the original.
    die;
}
// pagename
define('pagename', 'editgroup');
$main_smarty->assign('pagename', pagename);
$CSRF = new csrf();
// uploading avatar
if ($_POST["avatar"] == "uploaded") {
    $CSRF->check_expired('edit_group');
    if ($CSRF->check_valid(sanitize($_POST['token'], 3), 'edit_group')) {
        $user_image_path = "avatars/groups_uploaded" . "/";
        $user_image_apath = "/" . $user_image_path;
        $allowedFileTypes = array("image/jpeg", "image/gif", "image/png", 'image/x-png', 'image/pjpeg');
        unset($imagename);
        $myfile = $_FILES['image_file']['name'];
        // basename() strips any directory component from the client-supplied file name.
        $imagename = basename($myfile);
        $mytmpfile = $_FILES['image_file']['tmp_name'];
        // NOTE(review): $_FILES[...]['type'] is the MIME type declared by the client, so this allowlist is
        // advisory only; the getimagesize() call below is the server-side check, but whether its `false`
        // return is handled is outside this fragment. in_array() here is non-strict.
        if (!in_array($_FILES['image_file']['type'], $allowedFileTypes)) {
            $error['Type'] = 'Only these file types are allowed : jpeg, gif, png';
        }
        if (empty($error)) {
            $imagesize = getimagesize($mytmpfile);
            $width = $imagesize[0];
            $height = $imagesize[1];
// Fragment of the admin user-list page: tail of the "not allowed" branch (redirect to login), version
// lookup, sidebar, then the bulk enable/disable handler. The enclosing scopes open and close outside this view.

// $main_smarty->display($template_dir . '/admin/admin.tpl');
header("Location: " . getmyurl('login', $_SERVER['REQUEST_URI']));
die;
}
// read the mysql database to get the pligg version
$sql = "SELECT data FROM " . table_misc_data . " WHERE name = 'pligg_version'";
$pligg_version = $db->get_var($sql);
$main_smarty->assign('version_number', $pligg_version);
// sidebar
$main_smarty = do_sidebar($main_smarty);
// $canIhaveAccess is computed before this fragment.
if ($canIhaveAccess == 1) {
    // sessions used to prevent CSRF
    $CSRF = new csrf();
    if (isset($_POST['submit'])) {
        // Truthiness test: an empty array (nothing ticked) skips the whole block.
        if ($_POST["enabled"]) {
            $CSRF->check_expired('admin_users_list');
            if ($CSRF->check_valid(sanitize($_POST['token'], 3), 'admin_users_list')) {
                foreach ($_POST["enabled"] as $id => $value) {
                    // $_GET['id'] is overwritten on purpose; presumably for canIChangeUser() or a hook
                    // that reads it -- verify against the callee.
                    $_GET['id'] = $id = $db->escape($id);
                    $value = $db->escape($value);
                    // NOTE(review): $id is escaped but interpolated UNQUOTED here (user_id={$id}); string escaping
                    // only neutralises quote characters, so it does not constrain an unquoted numeric position.
                    // A ctype_digit()/intval() check on $id (as done for comment ids elsewhere in this codebase)
                    // would close that gap. The UPDATE below does quote the value.
                    $user = $db->get_row('SELECT * FROM ' . table_users . " where user_id={$id}");
                    if ($user->user_enabled != $value) {
                        // Privilege check on the target account's level before modifying it.
                        canIChangeUser($user->user_level);
                        $db->query("UPDATE " . table_users . " SET user_enabled='{$value}', user_level=IF(user_level='Spammer','normal',user_level) WHERE user_id='" . $db->escape($id) . "'");
                    }
                }
            } else {
                $CSRF->show_invalid_error(1);
                exit;
            }
        }
// Fragment of the group-submission handler: assembles the new group's fields from values computed
// earlier (outside this view), then validates the CSRF token and the title before inserting.

$group_date = $g_date;
// Fixed epoch value; its meaning is not visible in this fragment -- presumably a "never published" sentinel.
$group_published_date = 943941600;
$group_name = $group_title;
// Self-assignment; a no-op kept from the original.
$group_description = $group_description;
// $group_safename = str_replace(' ', '-', $group_title);
$group_safename = makeUrlFriendly($group_title, true);
if (isset($_POST['group_privacy'])) {
    $group_privacy = $db->escape(sanitize($_POST['group_privacy'], 3));
}
if (auto_approve_group == 'true') {
    $group_status = 'enable';
} else {
    $group_status = 'disable';
}
if (isset($_POST['group_title'])) {
    // CSRF protection for the submit-group form.
    $CSRF->check_expired('submit_group');
    if (!$CSRF->check_valid(sanitize($_POST['token'], 3), 'submit_group')) {
        $CSRF->show_invalid_error(1);
        exit;
    }
    $errors = '';
    // Truthiness check: a title of "0" is treated as empty.
    if (!$group_name) {
        $errors = $main_smarty->get_config_vars('PLIGG_Visual_Group_Empty_Title');
    } else {
        // NOTE(review): $group_name ($group_title) is interpolated into SQL here; whether it was escaped
        // where it was assigned is outside this fragment -- confirm, or escape at this point.
        $exists = $db->get_var("select COUNT(*) from " . table_groups . " WHERE group_name='{$group_name}'");
        if ($exists) {
            $errors = $main_smarty->get_config_vars('PLIGG_Visual_Group_Title_Exists');
        }
    }
    if (!$errors) {
        //to insert a group
// Fragment of the admin category manager: dispatches on the `action` request parameter
// ('htaccess' renames a file, 'save' updates a category). Enclosing scopes continue past this view.

$main_smarty->assign('version_number', $pligg_version);
rebuild_the_tree();
ordernew();
// put the category tree into an array for use in the qeip dropdown
// `action` is read from $_REQUEST, so it can arrive via GET, POST or cookie.
$action = isset($_REQUEST['action']) && sanitize($_REQUEST['action'], 3) != '' ? sanitize($_REQUEST['action'], 3) : "view";
// NOTE(review): unlike the 'save' branch below, this filesystem rename is performed with no CSRF token
// check and on a parameter that may be supplied via GET; it should be guarded the same way.
if ($action == "htaccess") {
    $htaccess = '../.htaccess';
    if (file_exists($htaccess)) {
        echo "The file {$htaccess} already exists. To protect you from accidentally removing it, you must manually remove it from your server before moving on.";
    } else {
        rename("../htaccess.default", "../.htaccess");
        echo "We have renamed htaccess.default to .htaccess for you. You still need to manually add the special category structure for it to fully work.";
    }
}
if ($action == "save") {
    $CSRF->check_expired('category_manager');
    if ($CSRF->check_valid(sanitize($_POST['token'], 3), 'category_manager')) {
        // Derive a safe name from the category name when none was supplied, and append a numeric
        // suffix until it no longer collides with another category.
        if (!$_POST['safename']) {
            $_POST['safename'] = makeCategoryFriendly($_POST['name']);
            // NOTE(review): $_POST['auto_id'] is interpolated raw into these two queries; the is_numeric()
            // check further down only guards the later branch, not this one. mysql_real_escape_string() is
            // the legacy ext/mysql function (removed in PHP 7), while the rest of the file uses $db->escape().
            $row = $db->get_row("SELECT * FROM " . table_categories . " WHERE category_safe_name='" . mysql_real_escape_string(sanitize($_POST['safename'], 4)) . "' AND category__auto_id!='{$_POST['auto_id']}'");
            // $i starts as '' so the first candidate has no suffix; '' incremented becomes "1".
            $i = '';
            while ($row->category_id > 0) {
                $i++;
                $row = $db->get_row("SELECT * FROM " . table_categories . " WHERE category_safe_name='" . mysql_real_escape_string(sanitize($_POST['safename'] . $i, 4)) . "' AND category__auto_id!='{$_POST['auto_id']}'");
            }
            $_POST['safename'] .= $i;
        }
        if ($_POST['auto_id'] && is_numeric($_POST['auto_id'])) {
            $id = sanitize($_POST['auto_id'], 3);
            $parent = sanitize($_POST['parent'], 3);
            if (!is_numeric($id)) {
// Fragment of the admin user-edit page: tail of the "show form" branch, then the start of the
// "save" branch. Both are driven by $_GET parameters; enclosing scopes are outside this view.

$user->username = sanitize($_GET["user"], 3);
if (!$user->read()) {
    echo "Invalid User";
    die;
}
// module system hook
$vars = '';
check_actions('admin_users_edit', $vars);
// show the template
$main_smarty->assign('tpl_center', '/admin/user_edit_center');
$main_smarty->display($template_dir . '/admin/admin.tpl');
}
// The mode is compared against a localised label string, so the branch depends on the active language file.
if (sanitize($_GET["mode"], 3) == $main_smarty->get_config_vars('PLIGG_Visual_Profile_Save')) {
    //save user info
    // code to prevent CSRF
    $CSRF->check_expired('admin_users_edit');
    // code to prevent CSRF
    // NOTE(review): this state-changing save is driven entirely by $_GET, token included; tokens in the
    // query string end up in browser history, referers and access logs. Moving the form to POST would
    // match the other admin handlers in this codebase.
    if ($CSRF->check_valid(sanitize($_GET['token'], 3), 'admin_users_edit')) {
        // NOTE(review): this line is garbled by a '******' redaction in this copy of the source and is not
        // valid PHP as shown; the original concatenated a sanitized $_GET["user"] into the query. Left as-is.
        $user = $db->get_row('SELECT * FROM ' . table_users . ' where user_login="******"user"], 3) . '"');
        // Called before the `if ($user)` null check below; with a missing row this dereferences null.
        canIChangeUser($user->user_level);
        if ($user) {
            $userdata = new User();
            $userdata->username = $user->user_login;
            if (!$userdata->read()) {
                echo "Error reading user data.";
                die;
            }
            // module system hook
            $vars = '';
            check_actions('admin_users_save', $vars);
            $userdata->username = trim(sanitize($_GET["login"], 3));
// Fragment of the "recommend to a friend" handler: end of the form-display branch, then the
// submit branch (authentication check, CSRF, per-user rate limit). The `global` statement indicates
// this runs inside a function whose signature is outside this view.

$linkid = isset($_POST['linkid']) && is_numeric($_POST['linkid']) ? $_POST['linkid'] : 0;
// rand() is a non-cryptographic PRNG; fine for a template element id, but if ts_random is ever relied
// on as unguessable it should come from random_int() instead -- confirm how the template uses it.
$main_smarty->assign('ts_random', rand(10000000, 99999999));
$main_smarty->assign('Default_Message', Default_Message);
$main_smarty->assign('link_shakebox_index', $htmlid);
$main_smarty->assign('link_id', $linkid);
$main_smarty->assign('instpath', my_base_url . my_pligg_base . "/");
$main_smarty->display($the_template . '/recommend_small.tpl');
}
} else {
// we're submitting the form and sending the emails
global $current_user, $db;
if (!$current_user->authenticated) {
    echo '<br/><p><div class="error">' . $main_smarty->get_config_vars('PLIGG_Visual_Recommend_Logged_In') . '</div></p>';
    die;
}
$CSRF->check_expired('recommend');
if ($CSRF->check_valid(sanitize($_POST['token'], 3), 'recommend')) {
    // Rate limit: refuse if the user's last recommendation e-mail is more recent than Recommend_Time_Limit.
    // NOTE(review): user_login comes from the session user object rather than the request, but it is still
    // interpolated unescaped; $db->escape() is used for the same purpose elsewhere in this codebase.
    $sql = 'SELECT `last_email_friend` FROM `' . table_users . '` WHERE `user_login` = "' . $current_user->user_login . '"';
    $last_email = $db->get_var($sql);
    $time_since_last_email = time() - strtotime($last_email);
    if ($time_since_last_email < Recommend_Time_Limit) {
        echo '<br/><p><div class="error">' . $main_smarty->get_config_vars('PLIGG_Visual_Recommend_Limit') . '</div></p>';
        die;
    }
    // The story id is accepted only when numeric; anything else falls back to 0 and is skipped.
    $requestID = isset($_POST['original_id']) && is_numeric($_POST['original_id']) ? $_POST['original_id'] : 0;
    if ($requestID > 0) {
        $id = $requestID;
        $link = new Link();
        $link->id = $requestID;
        $link->read();
        $link_url = my_base_url . getmyurl("story", $link->id);
// Fragment of the admin comments page: end of the comment-listing loop, breadcrumbs, then the
// bulk-moderation handler (per-comment status in $_POST['comment']). Enclosing scopes are outside this view.

$cached_comments[$dbfiltered->comment_id] = $dbfiltered;
$comment->read();
# $user->id = $comment->author;
# $user->read();
$template_comments[] = array('comment_id' => $comment->id, 'comment_content' => txt_shorter($comment->content, 90), 'comment_content_long' => $comment->content, 'comment_votes' => $comment->votes, 'comment_author' => $dbfiltered->user_login, 'comment_link_id' => $comment->link, 'comment_status' => $comment->status, 'comment_date' => $dbfiltered->comment_date);
}
$main_smarty->assign('template_comments', $template_comments);
}
// breadcrumbs and page title
$navwhere['text1'] = $main_smarty->get_config_vars('PLIGG_Visual_Header_AdminPanel');
$navwhere['link1'] = getmyurl('admin', '');
$navwhere['text2'] = $main_smarty->get_config_vars('PLIGG_Visual_Header_AdminPanel_Comments');
$main_smarty->assign('navbar_where', $navwhere);
$main_smarty->assign('posttitle', " / " . $main_smarty->get_config_vars('PLIGG_Visual_Header_AdminPanel'));
if (isset($_GET['action']) && sanitize($_GET['action'], 3) == "bulkmod" && isset($_POST['submit'])) {
    $CSRF->check_expired('admin_comments_edit');
    $killspammed = array();
    if ($CSRF->check_valid(sanitize($_POST['token'], 3), 'admin_comments_edit')) {
        // Normalise the submitted map first: keys are forced to int via intval() and values sanitised.
        // The intval() is what makes the unescaped `$key` in the queries below safe to interpolate.
        $comment = array();
        foreach ($_POST["comment"] as $k => $v) {
            $comment[intval($k)] = sanitize($v, 3);
        }
        foreach ($comment as $key => $value) {
            // `$sql = ...` inside the query() call is an assignment side effect kept from the original.
            if ($value == "published") {
                $db->query($sql = 'UPDATE `' . table_comments . '` SET `comment_status` = "published" WHERE `comment_id` = "' . $key . '"');
            } elseif ($value == "moderated") {
                $db->query($sql = 'UPDATE `' . table_comments . '` SET `comment_status` = "moderated" WHERE `comment_id` = "' . $key . '"');
            } elseif ($value == "discard" || $value == "delete") {
                $db->query($sql = 'UPDATE `' . table_comments . '` SET `comment_status` = "discard" WHERE `comment_id` = "' . $key . '"');
                // Module hook so plugins can react to a discarded comment.
                $vars = array('comment_id' => $key);
                check_actions('comment_discard', $vars);
// Fragment of the admin links page: end of the story-listing loop, breadcrumbs, then the bulk
// status-change handler (one action applied to every id in $_POST['link']). Enclosing scopes are outside this view.

$link->read();
$user->id = $link->author;
$user->read();
$template_stories[] = array('link_title_url' => $link->title_url, 'link_id' => $link->id, 'link_title' => $link->title, 'link_status' => $link->status, 'link_author' => $user->username, 'link_date' => date("d-m-Y", $link->date));
}
$main_smarty->assign('template_stories', $template_stories);
}
// breadcrumbs and page title
$navwhere['text1'] = $main_smarty->get_config_vars('PLIGG_Visual_Header_AdminPanel');
$navwhere['link1'] = getmyurl('admin', '');
$navwhere['text2'] = $main_smarty->get_config_vars('PLIGG_Visual_Header_AdminPanel_Links');
$main_smarty->assign('navbar_where', $navwhere);
$main_smarty->assign('posttitle', " / " . $main_smarty->get_config_vars('PLIGG_Visual_Header_AdminPanel'));
// if admin changes the link status
if (isset($_GET['action']) && sanitize($_GET['action'], 3) == "bulkmod" && isset($_POST['admin_acction'])) {
    $CSRF->check_expired('admin_links_edit');
    if ($CSRF->check_valid(sanitize($_POST['token'], 3), 'admin_links_edit')) {
        // Unused here; kept from the original.
        $comment = array();
        $admin_acction = $_POST['admin_acction'];
        // NOTE(review): `$key` is an array key taken straight from $_POST["link"] and is interpolated into
        // every query below without intval()/escape. The comment-moderation handler in this codebase
        // normalises its keys with intval() first; the same should be done here.
        foreach ($_POST["link"] as $key => $v) {
            // Only the four known actions are honoured; anything else is ignored.
            if ($admin_acction == "published" || $admin_acction == "new" || $admin_acction == "discard" || $admin_acction == "spam") {
                $link_status = $db->get_var('select link_status from ' . table_links . ' WHERE link_id = "' . $key . '"');
                // Skip rows already in the requested state.
                if ($link_status != $admin_acction) {
                    if ($admin_acction == "published") {
                        $db->query('UPDATE `' . table_links . '` SET `link_status` = "published", link_published_date = now() WHERE `link_id` = "' . $key . '"');
                        // Module hook so plugins can react to publication.
                        $vars = array('link_id' => $key);
                        check_actions('link_published', $vars);
                    } elseif ($admin_acction == "new") {
                        $db->query('UPDATE `' . table_links . '` SET `link_status` = "new", link_published_date=0 WHERE `link_id` = "' . $key . '"');
                    } elseif ($admin_acction == "discard") {
                        $db->query('UPDATE `' . table_links . '` SET `link_status` = "discard" WHERE `link_id` = "' . $key . '"');
// Fragment of the edit-link page: ownership/role check, edit time limit, CSRF, then the optional
// "notify submitter" e-mail. $theid is defined before this fragment; enclosing scopes continue past it.

// NOTE(review): $theid is interpolated unquoted into this and a later query; where it is assigned and
// whether it is numeric-checked is outside this fragment ($_GET['id'] is checked separately below, but
// that value is not the one used in the queries). Confirm at the assignment site.
$link = $db->get_row("SELECT link_id, link_author, UNIX_TIMESTAMP(link_date) AS date FROM " . table_links . " WHERE link_id=" . $theid . ";");
/////
if ($link) {
    // Only the submitter, an admin or a god may edit.
    if ($link->link_author == $current_user->user_id || $current_user->user_level == "admin" || $current_user->user_level == "god") {
        // DB 11/11/08
        // Non-staff users are further limited to editing within edit_time_limit minutes of submission.
        if ($current_user->user_level != "god" && $current_user->user_level != "admin" && limit_time_to_edit != 0 && (time() - $link->date) / 60 > edit_time_limit) {
            echo "<br /><br />" . sprintf($main_smarty->get_config_vars('PLIGG_Visual_EditLink_Timeout'), edit_time_limit) . "<br/ ><br /><a href=" . my_base_url . my_pligg_base . ">" . $main_smarty->get_config_vars('PLIGG_Visual_Name') . " home</a>";
            exit;
        }
        /////
        $CSRF = new csrf();
        if (isset($_POST["id"])) {
            //print_r($_POST);
            //exit;
            // NOTE(review): debugging leftover. It writes the raw, unescaped $_POST['title'] into the response
            // body (reflected output of request data) and does so BEFORE the CSRF check. In the collapsed copy of
            // this source it is not certain whether this line was live or part of the preceding comment; if it is
            // live it should be removed.
            echo $_POST['title'];
            $CSRF->check_expired('edit_link');
            if ($CSRF->check_valid(sanitize($_POST['token'], 3), 'edit_link')) {
                $linkres = new Link();
                // The id loaded into the Link object is taken from the query string and must be numeric.
                $linkres->id = $link_id = sanitize($_GET['id'], 3);
                if (!is_numeric($link_id)) {
                    die;
                }
                $linkres->read();
                // if notify link submitter is selected
                if (isset($_POST["notify"])) {
                    if (sanitize($_POST["notify"], 3) == "yes") {
                        $link_author = $db->get_col("SELECT link_author FROM " . table_links . " WHERE link_id=" . $theid . ";");
                        $user = $db->get_row("SELECT * FROM " . table_users . " WHERE user_id=" . $link_author[0] . ";");
                        $to = $user->user_email;
                        $subject = $main_smarty->get_config_vars('PLIGG_Visual_EditStory_Email_Subject');
                        $body = $user->user_login . ", \r\n\r\n" . $main_smarty->get_config_vars('PLIGG_Visual_EditStory_Email_AdminMadeChange') . "\r\n";
// Fragment of the admin comments page (a variant where one action in $_POST['admin_acction'] is applied
// to every id in $_POST['comment']): end of the listing loop, breadcrumbs, then the bulk handler.
// Enclosing scopes are outside this view.

$cached_comments[$dbfiltered->comment_id] = $dbfiltered;
$comment->read();
# $user->id = $comment->author;
# $user->read();
$template_comments[] = array('comment_id' => $comment->id, 'comment_content' => txt_shorter($comment->content, 90), 'comment_content_long' => $comment->content, 'comment_votes' => $comment->votes, 'comment_author' => $dbfiltered->user_login, 'comment_link_id' => $comment->link, 'comment_status' => $comment->status, 'comment_date' => $dbfiltered->comment_date);
}
$main_smarty->assign('template_comments', $template_comments);
}
// breadcrumbs and page title
$navwhere['text1'] = $main_smarty->get_config_vars('PLIGG_Visual_Header_AdminPanel');
$navwhere['link1'] = getmyurl('admin', '');
$navwhere['text2'] = $main_smarty->get_config_vars('PLIGG_Visual_Header_AdminPanel_Comments');
$main_smarty->assign('navbar_where', $navwhere);
$main_smarty->assign('posttitle', " / " . $main_smarty->get_config_vars('PLIGG_Visual_Header_AdminPanel'));
if (isset($_GET['action']) && sanitize($_GET['action'], 3) == "bulkmod" && isset($_POST['admin_acction'])) {
    $CSRF->check_expired('comments_edit');
    $killspammed = array();
    $admin_acction = $_POST['admin_acction'];
    if ($CSRF->check_valid(sanitize($_POST['token'], 3), 'comments_edit')) {
        // NOTE(review): `$key` is an array key taken straight from $_POST["comment"] and is interpolated into
        // every query below without intval()/escape. The other comment-moderation handler in this codebase
        // normalises its keys with intval() before use; the same should be done here.
        foreach ($_POST["comment"] as $key => $value) {
            $comment_status = $db->get_var('select comment_status from ' . table_comments . ' WHERE comment_id = "' . $key . '"');
            // Skip rows already in the requested state.
            if ($comment_status != $admin_acction) {
                // `$sql = ...` inside the query() call is an assignment side effect kept from the original.
                if ($admin_acction == "published") {
                    $db->query($sql = 'UPDATE `' . table_comments . '` SET `comment_status` = "published" WHERE `comment_id` = "' . $key . '"');
                } elseif ($admin_acction == "moderated") {
                    $db->query($sql = 'UPDATE `' . table_comments . '` SET `comment_status` = "moderated" WHERE `comment_id` = "' . $key . '"');
                } elseif ($admin_acction == "discard" || $admin_acction == "delete") {
                    $db->query($sql = 'UPDATE `' . table_comments . '` SET `comment_status` = "discard" WHERE `comment_id` = "' . $key . '"');
                    // Module hook so plugins can react to a discarded comment.
                    $vars = array('comment_id' => $key);
                    check_actions('comment_discard', $vars);
                // $user_id is not assigned anywhere in this fragment, and $killspammed was reset to array()
                // above, so within the visible code this second condition is always true -- presumably both
                // are set further down the loop body; verify.
                } elseif ($admin_acction == "spam" && !$killspammed[$user_id]) {