Changeset 189
- Timestamp:
- 06/09/06 11:13:19 (2 years ago)
- Files:
-
- admin.lib.php (modified) (9 diffs)
admin.lib.php
r166 r189 438 438 } 439 439 // checkbox for comment moderation, either is or isnt 440 if ($_POST['moderate'] != "") {440 if ($_POST['moderate'] != "") { 441 441 $moderate = "true"; 442 442 } … … 445 445 } 446 446 // checkbox for editor, either is or isnt 447 if ($_POST['editor'] != "") {447 if ($_POST['editor'] != "") { 448 448 $editor = "true"; 449 449 } … … 603 603 } 604 604 //how display each of the comments 605 if ($r['spam'] == 't') 605 if ($r['spam'] == 't') { 606 606 echo "\t<tr class=\"errorinfo\">\n"; 607 else607 } else { 608 608 echo "\t<tr>\n"; 609 } 609 610 echo "\t\t<td><a href=\"mailto:{$r['email']}\" title=\"IP: {$r['host']}\">{$r['name']}</a></td>\n"; 610 611 echo "\t\t<td>{$r['body']}</td>\n"; 611 612 echo "\t\t<td><input type=\"radio\" name=\"group[$count]\" value=\"a:{$r['id']}\" /></td>\n"; 612 if ($r['spam'] == 't') 613 if ($r['spam'] == 't') { 613 614 echo "\t\t<td><input type=\"radio\" name=\"group[".$count++."]\" value=\"d:{$r['id']}\" checked=\"checked\"/></td>\n"; 614 else615 } else { 615 616 echo "\t\t<td><input type=\"radio\" name=\"group[".$count++."]\" value=\"d:{$r['id']}\" /></td>\n"; 617 } 616 618 echo "\t</tr>\n"; 617 619 } … … 621 623 echo "</div>\n"; 622 624 } 623 //got here624 625 // approve or delete comments 625 626 function updateComments() { … … 628 629 return; 629 630 } 631 $check = ""; 630 632 $approved = ""; 631 633 $acount = 0; 632 634 $deleted = ""; 633 635 $dcount = 0; 636 //get the comment numbers and requested actions. 634 637 foreach($_POST['group'] as $comment) { 635 638 $c = explode(":", $comment); 636 639 if ($c[0] == "a") { 637 $approved .= $c[1].", ";640 $approved .= (int)$c[1].", "; 638 641 $acount++; 639 642 } elseif ($c[0] == "d") { 640 $deleted .= $c[1].", ";643 $deleted .= (int)$c[1].", "; 641 644 $dcount++; 642 645 } else { … … 647 650 $approved = substr($approved, 0, -2); 648 651 $deleted = substr($deleted, 0, -2); 649 /* 650 * Both these querys need a user id check.. 
even if that means lots of nasty joins 651 */ 652 //construct a list of comments to check 653 if ($approved and $deleted) { 654 $check = $deleted.", ".$approved; 655 } else { 656 $check = $deleted.$approved; 657 } 658 //check the comments exist and blong to the user 659 $result = db_getrow(db_query("SELECT count(comments.id) from comments join entries on comments.post = entries.id where entries.user_id = ".$this->id." and comments.id IN($check);")); 660 if($result[count] != ($acount + $dcount)) { 661 error(1,_("Cant find the requested comments, maybe they have already been deleted.")); 662 return; 663 } 664 //delete comments 652 665 if($deleted!="") { 653 666 db_query("DELETE FROM comments WHERE id IN ($deleted);"); 654 667 } 668 //set moderated flag on comments 655 669 if($approved!="") { 656 670 db_query("UPDATE comments SET moderated=true WHERE id IN ($approved);"); 657 671 } 672 //reprint the form 658 673 echo "<div class=\"updateinfo\">$acount "._("comments approved").", $dcount "._("comments deleted").".</div>\n"; 659 674 $this->printComments(); 660 675 $this->printAuthorisedUsers(); 661 676 } 662 677 //Delete moderated comments from (a single post) 663 678 function deleteComments($entry) { 664 679 if(isset($_POST['submit'])) { … … 669 684 $del = "("; 670 685 foreach($_POST['comment'] as $c) { 671 $del .= " id = $cOR ";686 $del .= "comments.id = ".(int)$c." OR "; 672 687 } 673 688 $del = substr($del, 0, -4).")"; 689 //check the comments exist and blong to the user 690 $result = db_getrow(db_query("SELECT count(comments.id) from comments join entries on comments.post = entries.id where entries.user_id = ".$this->id." 
and $del;")); 691 if($result[count] != count($_POST['comment'])) { 692 error(1,_("Cant find the requested comments, maybe they have already been deleted.")); 693 return; 694 } 695 //delete the comments 674 696 $sql = "DELETE FROM comments WHERE $del"; 675 697 if(!db_query($sql)) { … … 701 723 $result = db_query("SELECT name,email FROM authorised_emails WHERE user_id=".$this->id." ORDER BY email ASC"); 702 724 while($r = db_getrow($result)) { 703 echo "\t<option value=\"{$r['email']}\">{$r['email']} ({$r['name']})</option>\n";725 echo "\t<option value=\"{$r['email']}\">{$r['email']} ({$r['name']})</option>\n"; 704 726 } 705 727 echo "</select><br />\n"; … … 844 866 if (isset($_POST['username']) && trim($_POST['username']) != "" && (int)$_POST['username'] == 0) { 845 867 if (safeuname($_POST['username'])) { 846 $username = addslashes(trim(strip_tags($_POST['username'])));847 }848 else {849 $this->inputError = _("Invalid Username Provided");850 }868 $username = addslashes(trim(strip_tags($_POST['username']))); 869 } 870 else { 871 $this->inputError = _("Invalid Username Provided"); 872 } 851 873 } else { 852 874 $this->inputError = _("No Username Provided");
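Review bot: The new ownership check reads the count with a bare constant, `$result[count]`, in both updateComments and deleteComments; PHP resolves an undefined constant to the string `'count'` only with a notice, and newer versions make it a fatal error, so the guard would stop working exactly where it matters. Alias the column and index it as a string: `SELECT count(comments.id) AS total ...` and `if ((int)$result['total'] != ($acount + $dcount)) {`. The `(int)` casts on the submitted comment ids are the right fix for the previously interpolated `$_POST` values, but `$this->id` is still concatenated into the same SQL; it is presumably session-derived rather than user-supplied, though casting it too (`(int)$this->id`) would make the query self-contained. Both updateComments and deleteComments begin and end outside the visible hunks, so the early-return paths before these checks are not shown here.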
