authorDries Buytaert <dries@buytaert.net>2001-11-03 18:38:30 +0000
committerDries Buytaert <dries@buytaert.net>2001-11-03 18:38:30 +0000
commita2e6910902bfb1263e1b6363e2c29ede68f89918 (patch)
treebaa89d2d8bcd814f73d5108466024bd13ea7159d /includes
parent4d8b485fad960ea6551111e58f8c59df053b4456 (diff)
- Made the node forms support "help texts": it is now possible to configure
Drupal to display submission guidelines, or any other kind of explanation such as "NO TEST POSTS", for example. - Added node versioning: it is possible to create revisions, to view old revisions and to roll-back to older revisions. You'll need to apply a SQL update. I'm going to work on the book module now, so I might be changing a few things to enable collaborative, moderated revisions - but feel free to send some first feedback, if you like. - Added some configuration options which can be used to set the minimum number of words a blog/story should consist of. Hopefully this will be useful to stop the (almost empty) test blogs. - Various improvements: + Fine-tuned new node permission system. + Fine-tuned the functions in node.inc. + Fine-tuned some forms. + XHTML-ified some code.
Diffstat (limited to 'includes')
-rw-r--r--includes/comment.inc6
-rw-r--r--includes/common.inc6
-rw-r--r--includes/node.inc70
3 files changed, 48 insertions, 34 deletions
diff --git a/includes/comment.inc b/includes/comment.inc
index ce0f20404..5d5a3e98c 100644
--- a/includes/comment.inc
+++ b/includes/comment.inc
@@ -1,12 +1,6 @@
<?php
// $Id$
-// Security check:
-if (strstr($id, " ") || strstr($pid, " ") || strstr($lid, " ") || strstr($mode, " ") || strstr($order, " ") || strstr($threshold, " ")) {
- watchdog("error", "comment: attempt to provide malicious input through URI");
- exit();
-}
-
$cmodes = array(1 => "List - min", 2 => "List - max", 3 => "Threaded - min", 4 => "Threaded - max");
$corder = array(1 => "Date - new", 2 => "Date - old", 3 => "Rate - high", 4 => "Rate - low");
diff --git a/includes/common.inc b/includes/common.inc
index 04c9b8a42..4f8dcaca7 100644
--- a/includes/common.inc
+++ b/includes/common.inc
@@ -279,7 +279,11 @@ function form($form, $method = "post", $action = 0, $options = 0) {
}
function form_item($title, $value, $description = 0) {
- return ($description) ? "<b>$title:</b><br />$value<br /><small><i>$description</i></small><p />\n" : "<b>$title:</b><br />$value<p />\n";
+ return ($title ? "<b>$title:</b><br />" : "") . $value . ($description ? "<br /><small><i>$description</i></small>" : "") ."<p />\n";
+}
+
+function form_checkbox($title, $name, $value, $description = 0) {
+ return form_item(0, "<input type=\"checkbox\" name=\"edit[$name]\" ". ($value ? " checked=\"checked\"" : "") ." /> $title", $description);
}
function form_textfield($title, $name, $value, $size, $maxlength, $description = 0) {
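Review bot: The new form_checkbox() interpolates `$title` and `$name` into the markup unescaped, so any caller that passes user-influenced text has it rendered as HTML; whether callers do so is not visible from this hunk. Escaping at this boundary would be safer, for example `"name=\"edit[". htmlspecialchars($name) ."]\""`, or at least a comment stating that callers must pass already-escaped values. The input has no `value` attribute, so what a checked box submits is left to the browser default, and the literal `" "` before `($value ? " checked=..."` yields a doubled space. form_item() now treats a `$title` of 0 as "no label", which deserves a one-line comment such as `// $title may be 0 to omit the label (used by form_checkbox)`.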
diff --git a/includes/node.inc b/includes/node.inc
index 01f5c17a0..ca914a490 100644
--- a/includes/node.inc
+++ b/includes/node.inc
@@ -84,15 +84,33 @@ function node_array($node) {
function node_load($conditions) {
- // prepare query:
+ /*
+ ** Turn the conditions into a query:
+ */
+
foreach ($conditions as $key => $value) {
$cond[] = "n.". check_query($key) ." = '". check_query($value) ."'";
}
- // retrieve the node:
+ /*
+ ** Retrieve the node:
+ */
+
$node = db_fetch_object(db_query("SELECT n.*, u.uid, u.name FROM node n LEFT JOIN users u ON u.uid = n.uid LEFT JOIN comments c ON c.lid = n.nid WHERE ". implode(" AND ", $cond)));
- // call the node specific callback (if any):
+ /*
+ ** Unserialize the revisions field:
+ */
+
+ if ($node->revisions) {
+ $node->revisions = unserialize($node->revisions);
+ }
+
+ /*
+ ** Call the node specific callback (if any) and piggy-back to
+ ** results to the node:
+ */
+
if ($extra = module_invoke($node->type, "load", $node)) {
foreach ($extra as $key => $value) {
$node->$key = $value;
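Review bot: `unserialize($node->revisions)` is applied to whatever the column holds, and this commit also adds `revisions` to the field list that node_save() writes, so the call is only safe if node_save's `$filter` can never carry a form-supplied `revisions` value; that guarantee is not visible here and should be stated in a comment above the call. The result is also unchecked: `unserialize()` returns false on a malformed string, which would silently replace the stored history with false. I would keep the old value on failure and log it, e.g. `$r = unserialize($node->revisions); if ($r !== false) { $node->revisions = $r; } else { watchdog("error", "node: corrupt revisions field"); }`. The hunk also dereferences `$node->revisions` before checking that a row was found, which presumably matters when no node matches the conditions. node_load's body continues past the end of the hunk.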
@@ -105,7 +123,7 @@ function node_load($conditions) {
function node_save($node, $filter) {
- $fields = array("nid", "uid", "type", "title", "teaser", "body", "status", "comment", "promote", "moderate", "created", "changed");
+ $fields = array("nid", "uid", "type", "title", "teaser", "body", "revisions", "status", "comment", "promote", "moderate", "created", "changed");
foreach ($filter as $key => $value) {
/*
@@ -115,16 +133,31 @@ function node_save($node, $filter) {
*/
if (is_numeric($key)) {
- $edit->$value = $node->$value;
+ if (isset($node->$value)) {
+ // The above check is mandatory.
+ $edit->$value = check_query($node->$value);
+ }
}
else {
- $edit->$key = $value;
+ if (isset($value)) {
+ // The above check is mandatory.
+ $edit->$key = check_query($value);
+ }
}
}
$node = $edit;
+ /*
+ ** Serialize the revisions field:
+ */
+
+ if ($node->revisions) {
+ $node->revisions = serialize($node->revisions);
+ }
+
if (empty($node->nid)) {
+
/*
** Verify a user's submission rate and avoid duplicate nodes being
** inserted:
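Review bot: `serialize($node->revisions)` runs after the filter loop has already applied `check_query()`, and the two later node.inc hunks (the INSERT builder with `$v[] = "'$value'"` and the UPDATE builder with `$q[] = "$key = '$value'"`) drop their own `check_query()` calls, so the serialized string is placed into the SQL statement without being escaped. Serialized output contains quote characters and the stored revision content, so this can break the query or let revision content alter it; escaping at the point of serialization, `$node->revisions = check_query(serialize($node->revisions));`, would close the gap, assuming check_query() is the project's SQL-escaping helper as its use here suggests. Moving the escaping ahead of the query also means the `module_invoke($node->type, "update", $node)` callback receives already-escaped values, which the callbacks would need to expect. The two `// The above check is mandatory.` comments should say why, e.g. `// skip unset fields so they are not written as empty values`. node_save starts before and ends after this hunk.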
@@ -143,8 +176,8 @@ function node_save($node, $filter) {
// prepare the query:
foreach ($node as $key => $value) {
if (in_array($key, $fields)) {
- $k[] = check_query($key);
- $v[] = "'". check_query($value) ."'";
+ $k[] = $key;
+ $v[] = "'$value'";
}
}
@@ -168,12 +201,12 @@ function node_save($node, $filter) {
// prepare the query:
foreach ($node as $key => $value) {
if (in_array($key, $fields)) {
- $q[] = check_query($key) ." = '". check_query($value) ."'";
+ $q[] = "$key = '$value'";
}
}
// update the node in the database:
- db_query("UPDATE node SET ". implode(", ", $q) ." WHERE nid = '". check_query($node->nid) ."'");
+ db_query("UPDATE node SET ". implode(", ", $q) ." WHERE nid = '$node->nid'");
// call the node specific callback (if any):
module_invoke($node->type, "update", $node);
@@ -189,23 +222,6 @@ function node_save($node, $filter) {
}
-function node_delete($node) {
-
- if (is_array($node)) {
- $node = node_object($node);
- }
-
- // delete the node and its comments:
- db_query("DELETE FROM node WHERE nid = '$node->nid'");
- db_query("DELETE FROM comments WHERE lid = '$node->nid'");
- db_query("DELETE FROM moderate WHERE nid = '$node->nid'");
-
- // call the node specific callback (if any):
- module_invoke($node->type, "delete", &$node);
-
- watchdog("special", "node: deleted '$node->title'");
-}
-
function node_view($node, $main = 0) {
global $theme;