mirror of
https://github.com/Piwigo/Piwigo.git
synced 2026-07-06 09:52:29 +02:00
Feature 1026 step 2 :
add author_id column so that guest cannot modify old users comments git-svn-id: http://piwigo.org/svn/trunk@3450 68402e56-0260-453c-a942-63ccdbb3a9ee
This commit is contained in:
+12
-2
@@ -134,10 +134,12 @@ $template->assign(
|
||||
$list = array();
|
||||
|
||||
$query = '
|
||||
SELECT c.id, c.image_id, c.date, c.author, c.content, i.path, i.tn_ext
|
||||
SELECT c.id, c.image_id, c.date, c.author, u.username, c.content, i.path, i.tn_ext
|
||||
FROM '.COMMENTS_TABLE.' AS c
|
||||
INNER JOIN '.IMAGES_TABLE.' AS i
|
||||
ON i.id = c.image_id
|
||||
LEFT JOIN '.USERS_TABLE.' AS u
|
||||
ON u.id = c.author_id
|
||||
WHERE validated = \'false\'
|
||||
ORDER BY c.date DESC
|
||||
;';
|
||||
@@ -151,6 +153,14 @@ while ($row = mysql_fetch_assoc($result))
|
||||
'tn_ext'=>@$row['tn_ext']
|
||||
)
|
||||
);
|
||||
if (empty($row['author_id']))
|
||||
{
|
||||
$author_name = $row['author'];
|
||||
}
|
||||
else
|
||||
{
|
||||
$author_name = $row['username'];
|
||||
}
|
||||
$template->append(
|
||||
'comments',
|
||||
array(
|
||||
@@ -159,7 +169,7 @@ while ($row = mysql_fetch_assoc($result))
|
||||
'&image_id='.$row['image_id'],
|
||||
'ID' => $row['id'],
|
||||
'TN_SRC' => $thumb,
|
||||
'AUTHOR' => trigger_event('render_comment_author', $row['author']),
|
||||
'AUTHOR' => trigger_event('render_comment_author', $author_name),
|
||||
'DATE' => format_date($row['date'], true),
|
||||
'CONTENT' => trigger_event('render_comment_content',$row['content'])
|
||||
)
|
||||
|
||||
+23
-8
@@ -100,7 +100,9 @@ if (isset($_GET['cat']) and 0 != $_GET['cat'])
|
||||
// search a particular author
|
||||
if (isset($_GET['author']) and !empty($_GET['author']))
|
||||
{
|
||||
$page['where_clauses'][] = 'com.author = \''.$_GET['author'].'\'';
|
||||
$page['where_clauses'][] =
|
||||
'u.username = \''.addslashes($_GET['author']).'\'
|
||||
OR author = \''.addslashes($_GET['author']).'\'';
|
||||
}
|
||||
|
||||
// search a substring among comments content
|
||||
@@ -261,10 +263,12 @@ else
|
||||
}
|
||||
|
||||
$query = '
|
||||
SELECT COUNT(DISTINCT(id))
|
||||
SELECT COUNT(DISTINCT(com.id))
|
||||
FROM '.IMAGE_CATEGORY_TABLE.' AS ic
|
||||
INNER JOIN '.COMMENTS_TABLE.' AS com
|
||||
ON ic.image_id = com.image_id
|
||||
LEFT JOIN '.USERS_TABLE.' As u
|
||||
ON u.id = com.author_id
|
||||
WHERE '.implode('
|
||||
AND ', $page['where_clauses']).'
|
||||
;';
|
||||
@@ -295,12 +299,16 @@ SELECT com.id AS comment_id
|
||||
, com.image_id
|
||||
, ic.category_id
|
||||
, com.author
|
||||
, com.author_id
|
||||
, username
|
||||
, com.date
|
||||
, com.content
|
||||
, com.validated
|
||||
FROM '.IMAGE_CATEGORY_TABLE.' AS ic
|
||||
INNER JOIN '.COMMENTS_TABLE.' AS com
|
||||
INNER JOIN '.COMMENTS_TABLE.' AS com
|
||||
ON ic.image_id = com.image_id
|
||||
LEFT JOIN '.USERS_TABLE.' AS u
|
||||
ON u.id = com.author_id
|
||||
WHERE '.implode('
|
||||
AND ', $page['where_clauses']).'
|
||||
GROUP BY comment_id
|
||||
@@ -366,10 +374,17 @@ SELECT id, name, permalink, uppercats
|
||||
)
|
||||
);
|
||||
|
||||
$author = $comment['author'];
|
||||
if (empty($comment['author']))
|
||||
if (!empty($comment['author']))
|
||||
{
|
||||
$author = l10n('guest');
|
||||
$author = $comment['author'];
|
||||
if ($author == 'guest')
|
||||
{
|
||||
$author = l10n('guest');
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
$author = $comment['username'];
|
||||
}
|
||||
|
||||
$tpl_comment =
|
||||
@@ -382,7 +397,7 @@ SELECT id, name, permalink, uppercats
|
||||
'CONTENT'=>trigger_event('render_comment_content',$comment['content']),
|
||||
);
|
||||
|
||||
if (can_manage_comment('delete', $comment['author']))
|
||||
if (can_manage_comment('delete', $comment['author_id']))
|
||||
{
|
||||
$url = get_root_url().'comments.php'
|
||||
.get_query_string_diff(array('delete','validate','edit'));
|
||||
@@ -391,7 +406,7 @@ SELECT id, name, permalink, uppercats
|
||||
array('delete'=>$comment['comment_id'])
|
||||
);
|
||||
}
|
||||
if (can_manage_comment('edit', $comment['author']))
|
||||
if (can_manage_comment('edit', $comment['author_id']))
|
||||
{
|
||||
$url = get_root_url().'comments.php'
|
||||
.get_query_string_diff(array('edit', 'delete','validate'));
|
||||
|
||||
@@ -91,6 +91,7 @@ function insert_user_comment( &$comm, $key, &$infos )
|
||||
{
|
||||
$comm['author'] = 'guest';
|
||||
}
|
||||
$comm['author_id'] = $conf['guest_id'];
|
||||
// if a guest try to use the name of an already existing user, he must be
|
||||
// rejected
|
||||
if ( $comm['author'] != 'guest' )
|
||||
@@ -109,8 +110,10 @@ SELECT COUNT(*) AS user_exists
|
||||
}
|
||||
else
|
||||
{
|
||||
$comm['author'] = $user['username'];
|
||||
$comm['author'] = '';
|
||||
$comm['author_id'] = $user['id'];
|
||||
}
|
||||
|
||||
if ( empty($comm['content']) )
|
||||
{ // empty comment content
|
||||
$comment_action='reject';
|
||||
@@ -134,7 +137,7 @@ SELECT COUNT(*) AS user_exists
|
||||
$query = '
|
||||
SELECT id FROM '.COMMENTS_TABLE.'
|
||||
WHERE date > FROM_UNIXTIME('.$reference_date.')
|
||||
AND author = "'.addslashes($comm['author']).'"';
|
||||
AND author_id = '.$comm['author_id'];
|
||||
if ( mysql_num_rows( pwg_query( $query ) ) > 0 )
|
||||
{
|
||||
array_push( $infos, l10n('comment_anti-flood') );
|
||||
@@ -151,9 +154,10 @@ SELECT id FROM '.COMMENTS_TABLE.'
|
||||
{
|
||||
$query = '
|
||||
INSERT INTO '.COMMENTS_TABLE.'
|
||||
(author, content, date, validated, validation_date, image_id)
|
||||
(author, author_id, content, date, validated, validation_date, image_id)
|
||||
VALUES (
|
||||
"'.addslashes($comm['author']).'",
|
||||
'.$comm['author_id'].',
|
||||
"'.addslashes($comm['content']).'",
|
||||
NOW(),
|
||||
"'.($comment_action=='validate' ? 'true':'false').'",
|
||||
@@ -166,21 +170,25 @@ INSERT INTO '.COMMENTS_TABLE.'
|
||||
|
||||
$comm['id'] = mysql_insert_id();
|
||||
|
||||
if
|
||||
(
|
||||
($comment_action=='validate' and $conf['email_admin_on_comment'])
|
||||
or
|
||||
($comment_action!='validate' and $conf['email_admin_on_comment_validation'])
|
||||
)
|
||||
if (($comment_action=='validate' and $conf['email_admin_on_comment']) or
|
||||
($comment_action!='validate'
|
||||
and $conf['email_admin_on_comment_validation']))
|
||||
{
|
||||
include_once(PHPWG_ROOT_PATH.'include/functions_mail.inc.php');
|
||||
|
||||
$del_url =
|
||||
get_absolute_root_url().'comments.php?delete='.$comm['id'];
|
||||
$del_url = get_absolute_root_url().'comments.php?delete='.$comm['id'];
|
||||
|
||||
if (empty($comm['author']))
|
||||
{
|
||||
$author_name = $user['username'];
|
||||
}
|
||||
else
|
||||
{
|
||||
$author_name = $comm['author'];
|
||||
}
|
||||
$keyargs_content = array
|
||||
(
|
||||
get_l10n_args('Author: %s', $comm['author']),
|
||||
get_l10n_args('Author: %s', $author_name),
|
||||
get_l10n_args('Comment: %s', $comm['content']),
|
||||
get_l10n_args('', ''),
|
||||
get_l10n_args('Delete: %s', $del_url)
|
||||
@@ -197,7 +205,7 @@ INSERT INTO '.COMMENTS_TABLE.'
|
||||
|
||||
pwg_mail_notification_admins
|
||||
(
|
||||
get_l10n_args('Comment by %s', $comm['author']),
|
||||
get_l10n_args('Comment by %s', $author_name),
|
||||
$keyargs_content
|
||||
);
|
||||
}
|
||||
@@ -218,7 +226,7 @@ function delete_user_comment($comment_id) {
|
||||
$user_where_clause = '';
|
||||
if (!is_admin())
|
||||
{
|
||||
$user_where_clause = ' AND author = \''.$GLOBALS['user']['username'].'\'';
|
||||
$user_where_clause = ' AND author_id = \''.$GLOBALS['user']['id'].'\'';
|
||||
}
|
||||
$query = '
|
||||
DELETE FROM '.COMMENTS_TABLE.'
|
||||
@@ -264,7 +272,7 @@ function update_user_comment($comment, $post_key) {
|
||||
$query = '
|
||||
SELECT id FROM '.COMMENTS_TABLE.'
|
||||
WHERE date > FROM_UNIXTIME('.$reference_date.')
|
||||
AND author = "'.$GLOBALS['user']['username'].'"';
|
||||
AND author_id = '.$comm['author_id'];
|
||||
if ( mysql_num_rows( pwg_query( $query ) ) > 0 )
|
||||
{
|
||||
array_push( $infos, l10n('comment_anti-flood') );
|
||||
@@ -286,8 +294,8 @@ SELECT id FROM '.COMMENTS_TABLE.'
|
||||
$user_where_clause = '';
|
||||
if (!is_admin())
|
||||
{
|
||||
$user_where_clause = ' AND author = \''.
|
||||
$GLOBALS['user']['username'].'\'';
|
||||
$user_where_clause = ' AND author_id = \''.
|
||||
$GLOBALS['user']['id'].'\'';
|
||||
}
|
||||
$query = '
|
||||
UPDATE '.COMMENTS_TABLE.'
|
||||
|
||||
@@ -1202,13 +1202,14 @@ function is_adviser()
|
||||
* @param action edit/delete
|
||||
* @return bool
|
||||
*/
|
||||
function can_manage_comment($action, $comment_author)
|
||||
function can_manage_comment($action, $comment_author_id)
|
||||
{
|
||||
if (!in_array($action, array('delete','edit'))) {
|
||||
return false;
|
||||
}
|
||||
return (is_admin() ||
|
||||
(($GLOBALS['user']['username'] == $comment_author)
|
||||
(($GLOBALS['user']['id'] == $comment_author_id)
|
||||
&& !is_a_guest()
|
||||
&& $GLOBALS['conf'][sprintf('user_can_%s_comment', $action)]));
|
||||
}
|
||||
|
||||
|
||||
@@ -128,8 +128,10 @@ SELECT COUNT(*) AS nb_comments
|
||||
}
|
||||
|
||||
$query = '
|
||||
SELECT id,author,date,image_id,content,validated
|
||||
FROM '.COMMENTS_TABLE.'
|
||||
SELECT com.id,author,author_id,username,date,image_id,content,validated
|
||||
FROM '.COMMENTS_TABLE.' AS com
|
||||
LEFT JOIN '.USERS_TABLE.' AS u
|
||||
ON u.id = author_id
|
||||
WHERE image_id = '.$page['image_id'].
|
||||
$validated_clause.'
|
||||
ORDER BY date ASC
|
||||
@@ -139,19 +141,29 @@ $validated_clause.'
|
||||
|
||||
while ($row = mysql_fetch_array($result))
|
||||
{
|
||||
if (!empty($row['author']))
|
||||
{
|
||||
$author = $row['author'];
|
||||
if ($author == 'guest')
|
||||
{
|
||||
$author = l10n('guest');
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
$author = $row['username'];
|
||||
}
|
||||
|
||||
$tpl_comment =
|
||||
array(
|
||||
'AUTHOR' => trigger_event('render_comment_author',
|
||||
empty($row['author'])
|
||||
? l10n('guest')
|
||||
: $row['author']),
|
||||
'AUTHOR' => trigger_event('render_comment_author', $author),
|
||||
|
||||
'DATE' => format_date( $row['date'], true),
|
||||
|
||||
'CONTENT' => trigger_event('render_comment_content',$row['content']),
|
||||
);
|
||||
|
||||
if (can_manage_comment('delete', $row['author']))
|
||||
if (can_manage_comment('delete', $row['author_id']))
|
||||
{
|
||||
$tpl_comment['U_DELETE'] =
|
||||
add_url_params($url_self,
|
||||
@@ -161,7 +173,7 @@ $validated_clause.'
|
||||
)
|
||||
);
|
||||
}
|
||||
if (can_manage_comment('edit', $row['author']))
|
||||
if (can_manage_comment('edit', $row['author_id']))
|
||||
{
|
||||
$tpl_comment['U_EDIT'] =
|
||||
add_url_params($url_self,
|
||||
|
||||
@@ -0,0 +1,44 @@
|
||||
<?php
|
||||
// +-----------------------------------------------------------------------+
|
||||
// | Piwigo - a PHP based picture gallery |
|
||||
// +-----------------------------------------------------------------------+
|
||||
// | Copyright(C) 2008-2009 Piwigo Team http://piwigo.org |
|
||||
// | Copyright(C) 2003-2008 PhpWebGallery Team http://phpwebgallery.net |
|
||||
// | Copyright(C) 2002-2003 Pierrick LE GALL http://le-gall.net/pierrick |
|
||||
// +-----------------------------------------------------------------------+
|
||||
// | This program is free software; you can redistribute it and/or modify |
|
||||
// | it under the terms of the GNU General Public License as published by |
|
||||
// | the Free Software Foundation |
|
||||
// | |
|
||||
// | This program is distributed in the hope that it will be useful, but |
|
||||
// | WITHOUT ANY WARRANTY; without even the implied warranty of |
|
||||
// | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
|
||||
// | General Public License for more details. |
|
||||
// | |
|
||||
// | You should have received a copy of the GNU General Public License |
|
||||
// | along with this program; if not, write to the Free Software |
|
||||
// | Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, |
|
||||
// | USA. |
|
||||
// +-----------------------------------------------------------------------+
|
||||
|
||||
if (!defined('PHPWG_ROOT_PATH'))
|
||||
{
|
||||
die('Hacking attempt!');
|
||||
}
|
||||
|
||||
$upgrade_description = 'add new column to save author_id.
|
||||
Guest users names are saved in author column';
|
||||
|
||||
$query = '
|
||||
ALTER TABLE '.PREFIX_TABLE.'comments
|
||||
ADD COLUMN author_id smallint(5) DEFAULT NULL
|
||||
;';
|
||||
|
||||
pwg_query($query);
|
||||
|
||||
echo
|
||||
"\n"
|
||||
. $upgrade_description
|
||||
."\n"
|
||||
;
|
||||
?>
|
||||
Reference in New Issue
Block a user