Diffstat (limited to 'includes')
-rw-r--r-- | includes/comment.inc | 148 | ||||
-rw-r--r-- | includes/common.inc | 8 | ||||
-rw-r--r-- | includes/node.inc | 2 | ||||
-rw-r--r-- | includes/theme.inc | 4 | ||||
-rw-r--r-- | includes/user.inc | 18 |
5 files changed, 98 insertions, 82 deletions
diff --git a/includes/comment.inc b/includes/comment.inc index cf49b49e6..e7f14cb06 100644 --- a/includes/comment.inc +++ b/includes/comment.inc @@ -50,16 +50,16 @@ function comment_settings($mode, $order, $threshold) { function comment_form($edit) { global $REQUEST_URI, $user; - // Name field: + // name field: $form .= form_item(t("Your name"), format_username($user->userid)); - // Subject field: + // subject field: $form .= form_textfield(t("Subject"), "subject", check_input($edit[subject]), 50, 60); - // Comment field: + // comment field: $form .= form_textarea(t("Comment"), "comment", check_input($edit[comment]), 50, 10, t("Allowed HTML tags") .": ". htmlspecialchars(variable_get("allowed_html", ""))); - // Preview button: + // preview button: $form .= form_hidden("pid", check_input($edit[pid])); $form .= form_hidden("id", check_input($edit[id])); @@ -87,7 +87,12 @@ function comment_reply($pid, $id) { $pid = 0; } - $theme->box(t("Reply"), comment_form(array(pid=>$pid, id=>$id))); + if (user_access($user, "post comments")) { + $theme->box(t("Reply"), comment_form(array(pid=>$pid, id=>$id))); + } + else { + $theme->box(t("Reply"), t("You are not authorized to post comments.")); + } } function comment_preview($edit) { 
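Review bot: The new `user_access($user, "post comments")` branch in comment_reply reads `$user`, but the function's header and any `global` declaration sit outside the hunk; if comment_reply does not import it, `$user` is undefined here and the check silently evaluates the anonymous role instead of the logged-in account. Please confirm the declaration is present (`global $theme, $user;`) or pass the account in explicitly. The denial message covers only the reply form; the submission path in comment_post carries its own copy of the check, so the two must stay in sync.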
@@ -102,24 +107,26 @@ function comment_preview($edit) { function comment_post($edit) { global $theme, $user; - // check comment submission rate: - throttle("post comment", variable_get(max_comment_rate, 60)); + if (user_access($user, "post comments")) { + // check comment submission rate: + throttle("post comment", variable_get(max_comment_rate, 60)); - // check for duplicate comments: - $duplicate = db_result(db_query("SELECT COUNT(cid) FROM comments WHERE pid = '". check_input($edit[pid]) ."' AND lid = '". check_input($edit[id]) ."' AND subject = '". check_input($edit[subject]) ."' AND comment = '". check_input($edit[comment]) ."'"), 0); + // check for duplicate comments: + $duplicate = db_result(db_query("SELECT COUNT(cid) FROM comments WHERE pid = '". check_input($edit[pid]) ."' AND lid = '". check_input($edit[id]) ."' AND subject = '". check_input($edit[subject]) ."' AND comment = '". check_input($edit[comment]) ."'"), 0); - if ($duplicate != 0) { - watchdog("warning", "comment: duplicate '$subject'"); - } - else { - // validate subject: - $subject = ($subject) ? $subject : substr($comment, 0, 29); + if ($duplicate != 0) { + watchdog("warning", "comment: duplicate '$subject'"); + } + else { + // validate subject: + $subject = ($subject) ? $subject : substr($comment, 0, 29); - // add watchdog entry: - watchdog("special", "comment: added '$subject'"); + // add watchdog entry: + watchdog("special", "comment: added '$subject'"); - // add comment to database: - db_query("INSERT INTO comments (lid, pid, author, subject, comment, hostname, timestamp, score) VALUES ('". check_input($edit[id]) ."', '". check_input($edit[pid]) ."', '$user->id', '". check_input($edit[subject]) ."', '". check_input($edit[comment]) ."', '". getenv("REMOTE_ADDR") ."', '". time() ."', '". ($user->userid ? 1 : 0) ."')"); + // add comment to database: + db_query("INSERT INTO comments (lid, pid, author, subject, comment, hostname, timestamp, score) VALUES ('". check_input($edit[id]) ."', '". 
check_input($edit[pid]) ."', '$user->id', '". check_input($edit[subject]) ."', '". check_input($edit[comment]) ."', '". getenv("REMOTE_ADDR") ."', '". time() ."', '". ($user->userid ? 1 : 0) ."')"); + } } } 
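Review bot: The new `if (user_access($user, "post comments"))` wrapper in comment_post has no else branch, so an unauthorized submission is dropped silently with no message to the user and no watchdog entry, whereas comment_reply reports the refusal; a denied write is exactly the event worth recording, e.g. `else { watchdog("warning", "comment: unauthorized post attempt"); }`. Within the re-indented body, `$subject` and `$comment` are read in `$subject = ($subject) ? $subject : substr($comment, 0, 29);` and in both watchdog messages but are never assigned in this function, so the fallback subject and the log lines are always empty; they presumably should be derived from `$edit[subject]` and `$edit[comment]`.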
@@ -250,68 +257,71 @@ function comment_thread_max($cid, $mode, $threshold, $level = 0, $dummy = 0) { } function comment_render($lid, $cid) { - global $theme, $REQUEST_URI, $user; + global $user, $theme, $REQUEST_URI; - // Pre-process variables: - $lid = empty($lid) ? 0 : $lid; - $cid = empty($cid) ? 0 : $cid; - $mode = ($user->id) ? $user->mode : variable_get(default_comment_mode, 4); - $order = ($user->id) ? $user->sort : variable_get(default_comment_order, 1); - $threshold = ($user->id) ? $user->threshold : variable_get(default_comment_threshold, 3); + if (user_access($user, "view comments")) { - if ($user->id) { - // Comment control: - $theme->box(t("Comment control"), comment_controls($threshold, $mode, $order)); + // Pre-process variables: + $lid = empty($lid) ? 0 : $lid; + $cid = empty($cid) ? 0 : $cid; + $mode = ($user->id) ? $user->mode : variable_get(default_comment_mode, 4); + $order = ($user->id) ? $user->sort : variable_get(default_comment_order, 1); + $threshold = ($user->id) ? $user->threshold : variable_get(default_comment_threshold, 3); - // Print moderation form: - print "<FORM METHOD=\"post\" ACTION=\"$REQUEST_URI\">\n"; - } + if ($user->id) { + // Comment control: + $theme->box(t("Comment control"), comment_controls($threshold, $mode, $order)); - if ($cid > 0) { - $result = db_query("SELECT c.*, u.* FROM comments c LEFT JOIN users u ON c.author = u.id WHERE cid = '$cid'"); - if ($comment = db_fetch_object($result)) { - comment_view($comment, comment_link($comment)); + // Print moderation form: + print "<FORM METHOD=\"post\" ACTION=\"$REQUEST_URI\">\n"; } - } - else { - if ($mode == 1) { - $result = comment_query($lid, $order); - print "<TABLE BORDER=\"0\" CELLPADDING=\"2\" CELLSPACING=\"2\">\n"; - print " <TR><TH>Subject</TH><TH>Author</TH><TH>Date</TH><TH>Score</TH></TR>\n"; - while ($comment = db_fetch_object($result)) { - if (comment_visible($comment, $threshold)) { - print " <TR><TD><A HREF=\"". 
comment_uri("id=$comment->lid&cid=$comment->cid#$comment->cid") ."\">". check_output($comment->subject) ."</A></TD><TD>". format_username($comment->userid) ."</TD><TD>". format_date($comment->timestamp, "small") ."</TD><TD>". comment_score($comment) ."</TD></TR>\n"; - } + + if ($cid > 0) { + $result = db_query("SELECT c.*, u.* FROM comments c LEFT JOIN users u ON c.author = u.id WHERE cid = '$cid'"); + if ($comment = db_fetch_object($result)) { + comment_view($comment, comment_link($comment)); } - print "</TABLE>\n"; } - else if ($mode == 2) { - $result = comment_query($lid, $order); - while ($comment = db_fetch_object($result)) { - comment_view($comment, (comment_visible($comment, $threshold) ? comment_link($comment, 0) : 0)); + else { + if ($mode == 1) { + $result = comment_query($lid, $order); + print "<TABLE BORDER=\"0\" CELLPADDING=\"2\" CELLSPACING=\"2\">\n"; + print " <TR><TH>Subject</TH><TH>Author</TH><TH>Date</TH><TH>Score</TH></TR>\n"; + while ($comment = db_fetch_object($result)) { + if (comment_visible($comment, $threshold)) { + print " <TR><TD><A HREF=\"". comment_uri("id=$comment->lid&cid=$comment->cid#$comment->cid") ."\">". check_output($comment->subject) ."</A></TD><TD>". format_username($comment->userid) ."</TD><TD>". format_date($comment->timestamp, "small") ."</TD><TD>". comment_score($comment) ."</TD></TR>\n"; + } + } + print "</TABLE>\n"; } - } - else if ($mode == 3) { - $result = comment_query($lid, $order, 0); - while ($comment = db_fetch_object($result)) { - comment_view($comment); - comment_thread_min($comment->cid, $threshold); + else if ($mode == 2) { + $result = comment_query($lid, $order); + while ($comment = db_fetch_object($result)) { + comment_view($comment, (comment_visible($comment, $threshold) ? comment_link($comment, 0) : 0)); + } } - } - else { - $result = comment_query($lid, $order, 0); - while ($comment = db_fetch_object($result)) { - comment_view($comment, (comment_visible($comment, $threshold) ? 
comment_link($comment, 0) : 0)); - comment_thread_max($comment->cid, $mode, $threshold, $level + 1); + else if ($mode == 3) { + $result = comment_query($lid, $order, 0); + while ($comment = db_fetch_object($result)) { + comment_view($comment); + comment_thread_min($comment->cid, $threshold); + } + } + else { + $result = comment_query($lid, $order, 0); + while ($comment = db_fetch_object($result)) { + comment_view($comment, (comment_visible($comment, $threshold) ? comment_link($comment, 0) : 0)); + comment_thread_max($comment->cid, $mode, $threshold, $level + 1); + } } } - } - if ($user->id) { - // Print moderation form: - print " <INPUT TYPE=\"hidden\" NAME=\"id\" VALUE=\"$lid\">\n"; - print " <INPUT TYPE=\"submit\" NAME=\"op\" VALUE=\"". t("Moderate comments") ."\">\n"; - print "</FORM>\n"; + if ($user->id) { + // Print moderation form: + print " <INPUT TYPE=\"hidden\" NAME=\"id\" VALUE=\"$lid\">\n"; + print " <INPUT TYPE=\"submit\" NAME=\"op\" VALUE=\"". t("Moderate comments") ."\">\n"; + print "</FORM>\n"; + } } } diff --git a/includes/common.inc b/includes/common.inc index 2fc7c8a42..778f87a39 100644 --- a/includes/common.inc +++ b/includes/common.inc @@ -25,7 +25,7 @@ function watchdog($type, $message) { function throttle($type, $rate) { global $user; - if (!user_access($user)) { + if (!user_access($user, "access administration pages")) { if ($throttle = db_fetch_object(db_query("SELECT * FROM watchdog WHERE type = '$type' AND hostname = '". getenv("REMOTE_ADDR") ."' AND ". time() ." - timestamp < $rate"))) { watchdog("warning", "throttle: '". getenv("REMOTE_ADDR") ."' exceeded submission rate - $throttle->type"); die(message_throttle()); 
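Review bot: Inside the new `view comments` block, `$cid` is placed into `WHERE cid = '$cid'` after only an `empty()` normalisation, with none of the `check_input()` escaping the rest of this diff applies to request values; since cid and lid are numeric, `$cid = empty($cid) ? 0 : (int) $cid;` and the same for `$lid` would pin the type before the query and the `comment_query()` calls. `$level` is still read in `comment_thread_max($comment->cid, $mode, $threshold, $level + 1)` but is never defined in comment_render, so the call always passes 1. When the permission check fails the function prints nothing at all, unlike comment_reply which explains the refusal; a `$theme->box()` with a short message would make the denial visible to the reader.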
@@ -46,8 +46,8 @@ function path_img() { return "./images/"; } -function message_account() { - return t("This page requires a valid user account. Please <A HREF=\"account.php\">create a user account</A> and <A HREF=\"account.php\">login</A> prior to accessing it."); +function message_access() { + return t("You are not authorized to access to this page."); } function message_throttle() { @@ -136,7 +136,7 @@ function format_date($timestamp, $type = "medium", $format = "") { function format_username($username) { global $user; - if ($username) return (user_access($user, "account") ? "<A HREF=\"admin.php?mod=account&op=view&name=". urlencode($username) ."\">$username</A>" : "<A HREF=\"account.php?op=view&name=". urlencode($username) ."\">$username</A>"); + if ($username) return (user_access($user, "add and edit user accounts") ? "<A HREF=\"admin.php?mod=account&op=view&name=". urlencode($username) ."\">$username</A>" : "<A HREF=\"account.php?op=view&name=". urlencode($username) ."\">$username</A>"); else return variable_get(anonymous, "Anonymous"); } diff --git a/includes/node.inc b/includes/node.inc index 20c47cde6..affb44371 100644 --- a/includes/node.inc +++ b/includes/node.inc @@ -236,7 +236,7 @@ function node_index($node) { function node_visible($node) { global $user, $status; - return ($node->status == $status[posted]) || ($node->status == $status[queued] && $user->id) || user_access($user, $node->type) || user_access($user, "node"); + return ($node->status == $status[posted]) || ($node->status == $status[queued] && $user->id) || user_access($user, $node->type) || user_access($user, "add and edit nodes"); } function node_access($account, $node) { diff --git a/includes/theme.inc b/includes/theme.inc index ff0e93167..68c2d5adf 100644 --- a/includes/theme.inc +++ b/includes/theme.inc 
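Review bot: The new message_access() string reads `You are not authorized to access to this page.`; the second `to` is a typo, so `t("You are not authorized to access this page.")`. message_account() is removed rather than kept as an alias, and the diffstat is limited to includes/, so any caller in modules or top-level scripts that still invokes message_account() would fail at call time; confirm none remain or keep a one-line forwarding function until they are migrated.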
@@ -59,9 +59,9 @@ function theme_account($theme) { $content .= "<A HREF=\"account.php?op=edit&topic=content\">". t("edit your content") ."</A><BR>\n"; $content .= "<P>\n"; - if (user_access($user)) { + if (user_access($user, "access administration pages")) { $content .= "<A HREF=\"admin.php\">". strtr(t("administer %a"), array("%a" => variable_get("site_name", "drupal"))) ."</A><BR>\n"; - $content .= "<P>\n"; + $content .= "<P>\n"; } foreach (module_list() as $name) { diff --git a/includes/user.inc b/includes/user.inc index 73d3243bd..2abdf094a 100644 --- a/includes/user.inc +++ b/includes/user.inc @@ -3,14 +3,14 @@ class User { function User($userid, $passwd = 0) { if ($passwd) { - $result = db_query("SELECT * FROM users WHERE LOWER(userid) = LOWER('$userid') && passwd = PASSWORD('$passwd') && STATUS = 2"); + $result = db_query("SELECT u.*, r.perm FROM users u LEFT JOIN role r ON u.role = r.name WHERE LOWER(userid) = LOWER('$userid') && passwd = PASSWORD('$passwd') AND status = 2"); if (db_num_rows($result) == 1) { foreach (db_fetch_row($result) as $key=>$value) { $field = mysql_field_name($result, $key); $this->$field = stripslashes($value); $this->field[] = $field; } db_query("UPDATE users SET last_access = '". time() ."', last_host = '$GLOBALS[REMOTE_ADDR]' WHERE id = $this->id"); } } else { - $result = db_query("SELECT * FROM users WHERE userid = '$userid' && STATUS = 2"); + $result = db_query("SELECT u.*, r.perm FROM users u LEFT JOIN role r ON u.role = r.name WHERE u.userid = '$userid' AND u.status = 2"); if (db_num_rows($result) == 1) { foreach (db_fetch_row($result) as $key=>$value) { $field = mysql_field_name($result, $key); $this->$field = stripslashes($value); $this->field[] = $field; } db_query("UPDATE users SET last_access = '". time() ."', last_host = '$GLOBALS[REMOTE_ADDR]' WHERE id = $this->id"); 
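Review bot: Both rewritten queries in the User constructor still interpolate `$userid` and `$passwd` directly into the SQL string, while the rest of this diff runs request values through `check_input()` before building queries; applying the same escaping to both values before the `db_query()` calls would make the login path consistent with comment_post. After the `LEFT JOIN role r`, the first query leaves `userid`, `passwd` and `status` unqualified, so if the role table ever gains a column of the same name the query becomes ambiguous; the second query already writes `u.userid` and `u.status`, and the first should follow. The first query also mixes `&&` and `AND` in one WHERE clause, a style nit worth unifying while the line is being touched.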
@@ -52,10 +52,16 @@ function user_save($account, $array) { return user_load(($account->userid ? $account->userid : $array[userid])); } -function user_access($account, $section = 0) { - global $user; - if ($section) return (field_get($account->access, $section) || $account->id == 1); - else return ($account->access || $account->id == 1); +function user_access($account, $perm) { + if ($account->id == 1) { + return 1; + } + else if ($account->perm) { + return strstr($account->perm, $perm); + } + else { + return db_fetch_object(db_query("SELECT * FROM role WHERE name = 'anonymous user' AND perm LIKE '%$perm%'")); + } } function user_ban($mask, $type) { |
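Review bot: The new user_access() decides membership with `strstr($account->perm, $perm)` and, for anonymous users, `perm LIKE '%$perm%'`, both substring tests: any permission whose name is contained in another granted permission string is treated as granted, and the `%`/`_` wildcards in LIKE widen this further. node_visible in includes/node.inc passes `$node->type` as the permission name, so a type name that happens to be a substring of a granted permission grants visibility, and that value flows unescaped into the LIKE query. I would fetch the anonymous role once with `db_query("SELECT perm FROM role WHERE name = 'anonymous user'")` and apply one exact-match comparison against the stored list for both branches (split on whatever delimiter the perm column uses; that format is not visible here). Also note that an authenticated account whose role has an empty perm string falls into the anonymous branch, that the old `$section = 0` default is gone so remaining single-argument callers outside includes/ would break, and that the function returns an int, a string-or-false or an object-or-false depending on branch, so callers should only ever use the result as a boolean.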