Feature 1026 step 2 :

add author_id column so that guest cannot modify old users comments

git-svn-id: http://piwigo.org/svn/trunk@3450 68402e56-0260-453c-a942-63ccdbb3a9ee
This commit is contained in:
nikrou
2009-06-23 21:18:16 +00:00
parent 1ce50505e4
commit 64c872a83e
6 changed files with 127 additions and 37 deletions
+12 -2
View File
@@ -134,10 +134,12 @@ $template->assign(
$list = array();
$query = '
SELECT c.id, c.image_id, c.date, c.author, c.content, i.path, i.tn_ext
SELECT c.id, c.image_id, c.date, c.author, u.username, c.content, i.path, i.tn_ext
FROM '.COMMENTS_TABLE.' AS c
INNER JOIN '.IMAGES_TABLE.' AS i
ON i.id = c.image_id
LEFT JOIN '.USERS_TABLE.' AS u
ON u.id = c.author_id
WHERE validated = \'false\'
ORDER BY c.date DESC
;';
@@ -151,6 +153,14 @@ while ($row = mysql_fetch_assoc($result))
'tn_ext'=>@$row['tn_ext']
)
);
if (empty($row['author_id']))
{
$author_name = $row['author'];
}
else
{
$author_name = $row['username'];
}
$template->append(
'comments',
array(
@@ -159,7 +169,7 @@ while ($row = mysql_fetch_assoc($result))
'&image_id='.$row['image_id'],
'ID' => $row['id'],
'TN_SRC' => $thumb,
'AUTHOR' => trigger_event('render_comment_author', $row['author']),
'AUTHOR' => trigger_event('render_comment_author', $author_name),
'DATE' => format_date($row['date'], true),
'CONTENT' => trigger_event('render_comment_content',$row['content'])
)
+23 -8
View File
@@ -100,7 +100,9 @@ if (isset($_GET['cat']) and 0 != $_GET['cat'])
// search a particular author
if (isset($_GET['author']) and !empty($_GET['author']))
{
$page['where_clauses'][] = 'com.author = \''.$_GET['author'].'\'';
$page['where_clauses'][] =
'u.username = \''.addslashes($_GET['author']).'\'
OR author = \''.addslashes($_GET['author']).'\'';
}
// search a substring among comments content
@@ -261,10 +263,12 @@ else
}
$query = '
SELECT COUNT(DISTINCT(id))
SELECT COUNT(DISTINCT(com.id))
FROM '.IMAGE_CATEGORY_TABLE.' AS ic
INNER JOIN '.COMMENTS_TABLE.' AS com
ON ic.image_id = com.image_id
LEFT JOIN '.USERS_TABLE.' As u
ON u.id = com.author_id
WHERE '.implode('
AND ', $page['where_clauses']).'
;';
@@ -295,12 +299,16 @@ SELECT com.id AS comment_id
, com.image_id
, ic.category_id
, com.author
, com.author_id
, username
, com.date
, com.content
, com.validated
FROM '.IMAGE_CATEGORY_TABLE.' AS ic
INNER JOIN '.COMMENTS_TABLE.' AS com
INNER JOIN '.COMMENTS_TABLE.' AS com
ON ic.image_id = com.image_id
LEFT JOIN '.USERS_TABLE.' AS u
ON u.id = com.author_id
WHERE '.implode('
AND ', $page['where_clauses']).'
GROUP BY comment_id
@@ -366,10 +374,17 @@ SELECT id, name, permalink, uppercats
)
);
$author = $comment['author'];
if (empty($comment['author']))
if (!empty($comment['author']))
{
$author = l10n('guest');
$author = $comment['author'];
if ($author == 'guest')
{
$author = l10n('guest');
}
}
else
{
$author = $comment['username'];
}
$tpl_comment =
@@ -382,7 +397,7 @@ SELECT id, name, permalink, uppercats
'CONTENT'=>trigger_event('render_comment_content',$comment['content']),
);
if (can_manage_comment('delete', $comment['author']))
if (can_manage_comment('delete', $comment['author_id']))
{
$url = get_root_url().'comments.php'
.get_query_string_diff(array('delete','validate','edit'));
@@ -391,7 +406,7 @@ SELECT id, name, permalink, uppercats
array('delete'=>$comment['comment_id'])
);
}
if (can_manage_comment('edit', $comment['author']))
if (can_manage_comment('edit', $comment['author_id']))
{
$url = get_root_url().'comments.php'
.get_query_string_diff(array('edit', 'delete','validate'));
+25 -17
View File
@@ -91,6 +91,7 @@ function insert_user_comment( &$comm, $key, &$infos )
{
$comm['author'] = 'guest';
}
$comm['author_id'] = $conf['guest_id'];
// if a guest try to use the name of an already existing user, he must be
// rejected
if ( $comm['author'] != 'guest' )
@@ -109,8 +110,10 @@ SELECT COUNT(*) AS user_exists
}
else
{
$comm['author'] = $user['username'];
$comm['author'] = '';
$comm['author_id'] = $user['id'];
}
if ( empty($comm['content']) )
{ // empty comment content
$comment_action='reject';
@@ -134,7 +137,7 @@ SELECT COUNT(*) AS user_exists
$query = '
SELECT id FROM '.COMMENTS_TABLE.'
WHERE date > FROM_UNIXTIME('.$reference_date.')
AND author = "'.addslashes($comm['author']).'"';
AND author_id = '.$comm['author_id'];
if ( mysql_num_rows( pwg_query( $query ) ) > 0 )
{
array_push( $infos, l10n('comment_anti-flood') );
@@ -151,9 +154,10 @@ SELECT id FROM '.COMMENTS_TABLE.'
{
$query = '
INSERT INTO '.COMMENTS_TABLE.'
(author, content, date, validated, validation_date, image_id)
(author, author_id, content, date, validated, validation_date, image_id)
VALUES (
"'.addslashes($comm['author']).'",
'.$comm['author_id'].',
"'.addslashes($comm['content']).'",
NOW(),
"'.($comment_action=='validate' ? 'true':'false').'",
@@ -166,21 +170,25 @@ INSERT INTO '.COMMENTS_TABLE.'
$comm['id'] = mysql_insert_id();
if
(
($comment_action=='validate' and $conf['email_admin_on_comment'])
or
($comment_action!='validate' and $conf['email_admin_on_comment_validation'])
)
if (($comment_action=='validate' and $conf['email_admin_on_comment']) or
($comment_action!='validate'
and $conf['email_admin_on_comment_validation']))
{
include_once(PHPWG_ROOT_PATH.'include/functions_mail.inc.php');
$del_url =
get_absolute_root_url().'comments.php?delete='.$comm['id'];
$del_url = get_absolute_root_url().'comments.php?delete='.$comm['id'];
if (empty($comm['author']))
{
$author_name = $user['username'];
}
else
{
$author_name = $comm['author'];
}
$keyargs_content = array
(
get_l10n_args('Author: %s', $comm['author']),
get_l10n_args('Author: %s', $author_name),
get_l10n_args('Comment: %s', $comm['content']),
get_l10n_args('', ''),
get_l10n_args('Delete: %s', $del_url)
@@ -197,7 +205,7 @@ INSERT INTO '.COMMENTS_TABLE.'
pwg_mail_notification_admins
(
get_l10n_args('Comment by %s', $comm['author']),
get_l10n_args('Comment by %s', $author_name),
$keyargs_content
);
}
@@ -218,7 +226,7 @@ function delete_user_comment($comment_id) {
$user_where_clause = '';
if (!is_admin())
{
$user_where_clause = ' AND author = \''.$GLOBALS['user']['username'].'\'';
$user_where_clause = ' AND author_id = \''.$GLOBALS['user']['id'].'\'';
}
$query = '
DELETE FROM '.COMMENTS_TABLE.'
@@ -264,7 +272,7 @@ function update_user_comment($comment, $post_key) {
$query = '
SELECT id FROM '.COMMENTS_TABLE.'
WHERE date > FROM_UNIXTIME('.$reference_date.')
AND author = "'.$GLOBALS['user']['username'].'"';
AND author_id = '.$comm['author_id'];
if ( mysql_num_rows( pwg_query( $query ) ) > 0 )
{
array_push( $infos, l10n('comment_anti-flood') );
@@ -286,8 +294,8 @@ SELECT id FROM '.COMMENTS_TABLE.'
$user_where_clause = '';
if (!is_admin())
{
$user_where_clause = ' AND author = \''.
$GLOBALS['user']['username'].'\'';
$user_where_clause = ' AND author_id = \''.
$GLOBALS['user']['id'].'\'';
}
$query = '
UPDATE '.COMMENTS_TABLE.'
+3 -2
View File
@@ -1202,13 +1202,14 @@ function is_adviser()
* @param action edit/delete
* @return bool
*/
function can_manage_comment($action, $comment_author)
function can_manage_comment($action, $comment_author_id)
{
if (!in_array($action, array('delete','edit'))) {
return false;
}
return (is_admin() ||
(($GLOBALS['user']['username'] == $comment_author)
(($GLOBALS['user']['id'] == $comment_author_id)
&& !is_a_guest()
&& $GLOBALS['conf'][sprintf('user_can_%s_comment', $action)]));
}
+20 -8
View File
@@ -128,8 +128,10 @@ SELECT COUNT(*) AS nb_comments
}
$query = '
SELECT id,author,date,image_id,content,validated
FROM '.COMMENTS_TABLE.'
SELECT com.id,author,author_id,username,date,image_id,content,validated
FROM '.COMMENTS_TABLE.' AS com
LEFT JOIN '.USERS_TABLE.' AS u
ON u.id = author_id
WHERE image_id = '.$page['image_id'].
$validated_clause.'
ORDER BY date ASC
@@ -139,19 +141,29 @@ $validated_clause.'
while ($row = mysql_fetch_array($result))
{
if (!empty($row['author']))
{
$author = $row['author'];
if ($author == 'guest')
{
$author = l10n('guest');
}
}
else
{
$author = $row['username'];
}
$tpl_comment =
array(
'AUTHOR' => trigger_event('render_comment_author',
empty($row['author'])
? l10n('guest')
: $row['author']),
'AUTHOR' => trigger_event('render_comment_author', $author),
'DATE' => format_date( $row['date'], true),
'CONTENT' => trigger_event('render_comment_content',$row['content']),
);
if (can_manage_comment('delete', $row['author']))
if (can_manage_comment('delete', $row['author_id']))
{
$tpl_comment['U_DELETE'] =
add_url_params($url_self,
@@ -161,7 +173,7 @@ $validated_clause.'
)
);
}
if (can_manage_comment('edit', $row['author']))
if (can_manage_comment('edit', $row['author_id']))
{
$tpl_comment['U_EDIT'] =
add_url_params($url_self,
+44
View File
@@ -0,0 +1,44 @@
<?php
// +-----------------------------------------------------------------------+
// | Piwigo - a PHP based picture gallery |
// +-----------------------------------------------------------------------+
// | Copyright(C) 2008-2009 Piwigo Team http://piwigo.org |
// | Copyright(C) 2003-2008 PhpWebGallery Team http://phpwebgallery.net |
// | Copyright(C) 2002-2003 Pierrick LE GALL http://le-gall.net/pierrick |
// +-----------------------------------------------------------------------+
// | This program is free software; you can redistribute it and/or modify |
// | it under the terms of the GNU General Public License as published by |
// | the Free Software Foundation |
// | |
// | This program is distributed in the hope that it will be useful, but |
// | WITHOUT ANY WARRANTY; without even the implied warranty of |
// | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
// | General Public License for more details. |
// | |
// | You should have received a copy of the GNU General Public License |
// | along with this program; if not, write to the Free Software |
// | Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, |
// | USA. |
// +-----------------------------------------------------------------------+
if (!defined('PHPWG_ROOT_PATH'))
{
die('Hacking attempt!');
}
$upgrade_description = 'add new column to save author_id.
Guest users names are saved in author column';
$query = '
ALTER TABLE '.PREFIX_TABLE.'comments
ADD COLUMN author_id smallint(5) DEFAULT NULL
;';
pwg_query($query);
echo
"\n"
. $upgrade_description
."\n"
;
?>