-rw-r--r-- | includes/common.inc | 9 | ||||
-rw-r--r-- | includes/node.inc | 16 | ||||
-rw-r--r-- | modules/book.module | 50 | ||||
-rw-r--r-- | modules/book/book.module | 50 | ||||
-rw-r--r-- | modules/node.module | 13 | ||||
-rw-r--r-- | modules/node/node.module | 13 | ||||
-rw-r--r-- | modules/system.module | 2 | ||||
-rw-r--r-- | modules/system/system.module | 2 |
8 files changed, 111 insertions, 44 deletions
diff --git a/includes/common.inc b/includes/common.inc index fabee01bf..c1ebe193a 100644 --- a/includes/common.inc +++ b/includes/common.inc @@ -119,11 +119,16 @@ function check_query($text) { return addslashes(stripslashes($text)); } -function check_input($text) { +function filter($text) { foreach (module_list() as $name) { if (module_hook($name, "filter")) $text = module_invoke($name, "filter", $text); } - return addslashes(stripslashes(substr($text, 0, variable_get("max_input_size", 10000)))); + + return $text; +} + +function check_input($text) { + return check_query($text); } function check_output($text, $nl2br = 0) { diff --git a/includes/node.inc b/includes/node.inc index bbfd8e5d6..6af45c6d2 100644 --- a/includes/node.inc +++ b/includes/node.inc @@ -107,8 +107,8 @@ function node_load($conditions) { } /* - ** Call the node specific callback (if any) and piggy-back to - ** results to the node: + ** Call the node specific callback (if any) and piggy-back the + ** results to the node or overwrite some values: */ if ($extra = module_invoke($node->type, "load", $node)) { @@ -156,6 +156,10 @@ function node_save($node, $filter) { $node->revisions = serialize($node->revisions); } + /* + ** Apply filters to some default node fields: + */ + if (empty($node->nid)) { /* @@ -170,9 +174,7 @@ function node_save($node, $filter) { foreach ($node as $key => $value) { if (in_array($key, $fields)) { $k[] = check_query($key); - $v[] = "'". check_input($value) ."'"; - // NOTE: for the values we use 'check_input()' such that we apply - // the filters + $v[] = "'". check_query($value) ."'"; } } 
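Review bot: In the common.inc hunk the rewritten `check_input()` is now just `check_query()`, so the `substr($text, 0, variable_get("max_input_size", 10000))` cap on submitted text disappears and nothing else in this diff reinstates a size bound (the matching "Maximum submission size" option is deleted from system_view_options as well). Any caller that relied on `check_input()` to run the module filters now stores unfiltered text unless it also calls the new `filter()`; in this diff only node_submit does. If a bound is still wanted, `return check_query(substr($text, 0, variable_get("max_input_size", 10000)));` keeps the old behaviour, and `filter()` deserves a header comment such as `// Runs every module's "filter" hook over $text; performs no SQL or HTML escaping.` so its narrower contract is explicit.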
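Review bot: The comment `** Apply filters to some default node fields:` added in the `@@ -156` node_save hunk has no code beneath it, since the filtering now happens in node_submit; it should be dropped or reworded to point there, e.g. `** Filters were already applied in node_submit(); only escape here.`. In the `@@ -170` and `@@ -194` hunks the `revisions` field, which is a `serialize()` result per the context line `$node->revisions = serialize($node->revisions);`, now goes through `check_query()` whereas the update path previously passed it raw; `stripslashes()` alters the bytes inside the serialized string, and because `s:N:"..."` records the original byte length, any backslash inside a stored revision will make the value fail to `unserialize()` later. Escaping without stripping, `$q[] = check_query($key) ." = '". ($key != "revisions" ? check_query($value) : addslashes($value)) ."'";`, keeps the query escaped and the payload intact, and the insert path needs the same treatment. node_save's body continues outside these hunks.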
@@ -194,9 +196,7 @@ function node_save($node, $filter) { // prepare the query: foreach ($node as $key => $value) { if (in_array($key, $fields)) { - $q[] = check_query($key) ." = '". ($key != "revisions" ? check_input($value) : $value) ."'"; - // NOTE: for the values we use 'check_input()' such that we apply - // the filters, except revisions + $q[] = check_query($key) ." = '". check_query($value) ."'"; } } diff --git a/modules/book.module b/modules/book.module index 0073ca449..ea48b56fd 100644 --- a/modules/book.module +++ b/modules/book.module @@ -24,7 +24,7 @@ function book_access($op, $node) { return $node->status; } - if ($op == "create") { + if ($op == "create") { return 1; } @@ -36,12 +36,12 @@ function book_access($op, $node) { ** revision"-bit is set; that is, only updates that don't overwrite ** the current or pending information are allowed. */ - return !$node->moderate && $node->revision; } } function book_save($op, $node) { + global $user, $REQUEST_URI; if ($op == "approve") { return array("status" => 1); 
@@ -56,22 +56,25 @@ function book_save($op, $node) { } if ($op == "update") { - if (user_access("administer nodes")) { + if (strstr($REQUEST_URI, "module.php?mod=node&op=edit")) { /* - ** If a node administrator updates a book page, we don't create a - ** new revision unless we are explicitly instructed to. + ** If a regular user updates a book page, we always create a new + ** revision. All new revisions have to be approved (moderation) + ** and are not promoted by derault. See also: book_load(). */ - return array("parent", "weight"); + return array("created" => time(), "moderate" => 1, "name" => $user->name, "parent", "promote" => 0, "score" => 0, "status" => 1, "uid" => $user->uid, "users" => "", "revisions", "votes" => 0, "weight"); } - else { + else if (user_access("adminster nodes")) { /* - ** If a regular user updates a book page, we always create a new - ** revision. All new revisions have to be approved (moderation) - ** and are not promoted by derault. + ** If a node administrator updates a book page, we don't create a + ** new revision unless we are explicitly instructed to. If a node + ** administrator updates a book page using the "update this book + ** page"-link (like regular users do) then he'll be treated as a + ** regular user. */ - return array("created" => time(), "moderate" => 1, "parent", "promote" => 0, "score" => 0, "status" => 1, "users" => "", "revisions", "votes" => 0, "weight"); + return array("parent", "weight"); } } 
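Review bot: `user_access("adminster nodes")` on the new `else if` is misspelled, while the permission is `"administer nodes"` everywhere else (the removed line above it and node_link in node.module), so the administrator branch can never match and an update that does not arrive through the `module.php?mod=node&op=edit` URI returns nothing at all; presumably that means neither the `parent`/`weight` whitelist nor the `moderate`/`status`/`uid` overrides are applied, though how the return value is consumed lies outside the hunk. Fix with `else if (user_access("administer nodes")) {`. Deciding whether a moderated revision is created from a `strstr()` on `$REQUEST_URI` rather than from the caller's access rights is fragile, since the request URI is supplied by the requester and the substring test matches any path containing that text; the access check should come first and the URI test only refine it, with a comment recording that assumption. The comment's `derault` should read `default`. The identical hunk appears again under modules/book/book.module in the next file section.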
@@ -90,7 +93,29 @@ function book_link($type) { } function book_load($node) { - $book = db_fetch_object(db_query("SELECT parent, weight, revision FROM book WHERE nid = '$node->nid'")); + global $user, $REQUEST_URI; + + $book = db_fetch_object(db_query("SELECT parent, weight FROM book WHERE nid = '$node->nid'")); + + if (strstr($REQUEST_URI, "module.php?mod=node&op=edit")) { + /* + ** If a user is about to update a book page, we overload some + ** fields to reflect the changes. We use the $REQUEST_URI to + ** dectect this as we don't want to interfer with updating a + ** book page through the admin pages. See also: book_save(). + */ + + $book->name = $user->name; + $book->uid = $user->uid; + } + + /* + ** We set the revision field to indicate that we have to create + ** a new revision when updating this book page. + */ + + $book->revision = 1; + return $book; } @@ -125,7 +150,6 @@ function book_form($node, $help, $error) { $help = book_node("description"); - /* ** If a regular user updates a book page, we create a new revision ** authored by that user: diff --git a/modules/book/book.module b/modules/book/book.module index 0073ca449..ea48b56fd 100644 --- a/modules/book/book.module +++ b/modules/book/book.module @@ -24,7 +24,7 @@ function book_access($op, $node) { return $node->status; } - if ($op == "create") { + if ($op == "create") { return 1; } @@ -36,12 +36,12 @@ function book_access($op, $node) { ** revision"-bit is set; that is, only updates that don't overwrite ** the current or pending information are allowed. */ - return !$node->moderate && $node->revision; } } function book_save($op, $node) { + global $user, $REQUEST_URI; if ($op == "approve") { return array("status" => 1); 
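Review bot: `$book->revision = 1;` is now set unconditionally and the `revision` column is no longer selected, so the `!$node->moderate && $node->revision` test shown in the book_access context lines earlier in this file reduces to `!$node->moderate`; if the per-page revision flag is intentionally retired, the comment should say so, otherwise the column should still be read. The rewritten query still interpolates `$node->nid` unescaped; it probably arrives numeric from node_load, but `WHERE nid = '". check_query($node->nid) ."'"` costs nothing and matches node_save. Overwriting `$book->name` and `$book->uid` with the current user appears to happen on every load whose URI contains the edit substring, not only on the update itself, so a comment noting that the displayed author becomes the prospective editor would help. Typos in the new comment: `dectect` → `detect`, `interfer` → `interfere`. The same hunk is repeated for modules/book/book.module.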
@@ -56,22 +56,25 @@ function book_save($op, $node) { } if ($op == "update") { - if (user_access("administer nodes")) { + if (strstr($REQUEST_URI, "module.php?mod=node&op=edit")) { /* - ** If a node administrator updates a book page, we don't create a - ** new revision unless we are explicitly instructed to. + ** If a regular user updates a book page, we always create a new + ** revision. All new revisions have to be approved (moderation) + ** and are not promoted by derault. See also: book_load(). */ - return array("parent", "weight"); + return array("created" => time(), "moderate" => 1, "name" => $user->name, "parent", "promote" => 0, "score" => 0, "status" => 1, "uid" => $user->uid, "users" => "", "revisions", "votes" => 0, "weight"); } - else { + else if (user_access("adminster nodes")) { /* - ** If a regular user updates a book page, we always create a new - ** revision. All new revisions have to be approved (moderation) - ** and are not promoted by derault. + ** If a node administrator updates a book page, we don't create a + ** new revision unless we are explicitly instructed to. If a node + ** administrator updates a book page using the "update this book + ** page"-link (like regular users do) then he'll be treated as a + ** regular user. */ - return array("created" => time(), "moderate" => 1, "parent", "promote" => 0, "score" => 0, "status" => 1, "users" => "", "revisions", "votes" => 0, "weight"); + return array("parent", "weight"); } } 
@@ -90,7 +93,29 @@ function book_link($type) { } function book_load($node) { - $book = db_fetch_object(db_query("SELECT parent, weight, revision FROM book WHERE nid = '$node->nid'")); + global $user, $REQUEST_URI; + + $book = db_fetch_object(db_query("SELECT parent, weight FROM book WHERE nid = '$node->nid'")); + + if (strstr($REQUEST_URI, "module.php?mod=node&op=edit")) { + /* + ** If a user is about to update a book page, we overload some + ** fields to reflect the changes. We use the $REQUEST_URI to + ** dectect this as we don't want to interfer with updating a + ** book page through the admin pages. See also: book_save(). + */ + + $book->name = $user->name; + $book->uid = $user->uid; + } + + /* + ** We set the revision field to indicate that we have to create + ** a new revision when updating this book page. + */ + + $book->revision = 1; + return $book; } @@ -125,7 +150,6 @@ function book_form($node, $help, $error) { $help = book_node("description"); - /* ** If a regular user updates a book page, we create a new revision ** authored by that user: diff --git a/modules/node.module b/modules/node.module index 6b0dd88fe..b0e587a8b 100644 --- a/modules/node.module +++ b/modules/node.module @@ -150,7 +150,7 @@ function node_link($type, $node = 0, $main = 0) { if (module_invoke($node->type, "access", "update", $node)) { $links[] = "<a href=\"module.php?mod=node&op=edit&id=$node->nid\">". t("edit") ."</a>"; } - + if (user_access("administer nodes")) { $links[] = "<a href=\"admin.php?mod=node&op=edit&id=$node->nid\">". t("administer") ."</a>"; } 
@@ -232,7 +232,7 @@ function node_admin_edit($node) { $output .= "<h3>". t("Edit comments") ."</h3>"; - $result = db_query("SELECT c.cid, c.subject, u.uid, u.name FROM comments c LEFT JOIN users u ON u.uid = c.uid WHERE lid = '". $node["nid"] ."' ORDER BY c.timestamp"); + $result = db_query("SELECT c.cid, c.subject, u.uid, u.name FROM comments c LEFT JOIN users u ON u.uid = c.uid WHERE lid = '$node->nid' ORDER BY c.timestamp"); $output .= "<table border=\"1\" cellpadding=\"2\" cellspacing=\"2\">"; $output .= " <tr><th>title</th><th>author</th><th colspan=\"3\">operations</th></tr>"; @@ -474,6 +474,7 @@ function node_validate($node, $error = array()) { $node = node_object($node); + /* ** Validate the title field: */ @@ -756,6 +757,14 @@ function node_submit($node) { $node = node_validate($node); /* + ** Apply the filters: + */ + + $node->teaser = filter($node->teaser); + $node->title = filter($node->title); + $node->body = filter($node->body); + + /* ** Create a new revision when required: */ diff --git a/modules/node/node.module b/modules/node/node.module index 6b0dd88fe..b0e587a8b 100644 --- a/modules/node/node.module +++ b/modules/node/node.module @@ -150,7 +150,7 @@ function node_link($type, $node = 0, $main = 0) { if (module_invoke($node->type, "access", "update", $node)) { $links[] = "<a href=\"module.php?mod=node&op=edit&id=$node->nid\">". t("edit") ."</a>"; } - + if (user_access("administer nodes")) { $links[] = "<a href=\"admin.php?mod=node&op=edit&id=$node->nid\">". t("administer") ."</a>"; } 
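Review bot: In the `@@ -232` node_admin_edit hunk the rewritten query interpolates `$node->nid` straight into SQL; the switch from `$node["nid"]` to `$node->nid` is right, but the value should be escaped like node_save escapes its keys, `WHERE lid = '". check_query($node->nid) ."'`, or cast with `(int)`. In the `@@ -756` node_submit hunk the three `filter()` calls run after `node_validate()`, so validation sees the unfiltered title and body; if a filter can empty or shorten a field the order should be reversed or a second check added, and a short comment should state which is intended. The remaining uses of `$node` in node_admin_edit lie outside the hunk, so the array-to-object change should be checked there too. The same hunks appear again under modules/node/node.module.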
@@ -232,7 +232,7 @@ function node_admin_edit($node) { $output .= "<h3>". t("Edit comments") ."</h3>"; - $result = db_query("SELECT c.cid, c.subject, u.uid, u.name FROM comments c LEFT JOIN users u ON u.uid = c.uid WHERE lid = '". $node["nid"] ."' ORDER BY c.timestamp"); + $result = db_query("SELECT c.cid, c.subject, u.uid, u.name FROM comments c LEFT JOIN users u ON u.uid = c.uid WHERE lid = '$node->nid' ORDER BY c.timestamp"); $output .= "<table border=\"1\" cellpadding=\"2\" cellspacing=\"2\">"; $output .= " <tr><th>title</th><th>author</th><th colspan=\"3\">operations</th></tr>"; @@ -474,6 +474,7 @@ function node_validate($node, $error = array()) { $node = node_object($node); + /* ** Validate the title field: */ @@ -756,6 +757,14 @@ function node_submit($node) { $node = node_validate($node); /* + ** Apply the filters: + */ + + $node->teaser = filter($node->teaser); + $node->title = filter($node->title); + $node->body = filter($node->body); + + /* ** Create a new revision when required: */ diff --git a/modules/system.module b/modules/system.module index 6a450eea9..70a28555f 100644 --- a/modules/system.module +++ b/modules/system.module 
@@ -50,8 +50,6 @@ function system_view_options() { // submission settings: $output .= "<h3>Submission settings</h3>\n"; - $size = array(1000 => "1.000 characters", 5000 => "5.000 characters", 10000 => "10.000 characters", 15000 => "15.000 characters", 30.000 => "30.000 characters", 50000 => "50.000 characters", 100000 => "100.000 characters"); - $output .= form_select("Maximum submission size", "max_input_size", variable_get("max_input_size", 10000), $size, "The maximum number of characters someone can enter in a form."); $rate = array(1 => "Maximum 1 every second", 5 => "Maximum 1 every 5 seconds", 15 => "Maximum 1 every 15 seconds", 30 => "Maximum 1 every 30 seconds", 60 => "Maximum 1 every minute", 300 => "Maximum 1 every 5 minutes", 900 => "Maximum 1 every 15 minutes", 1800 => "Maximum 1 every 30 minutes", 3600 => "Maximum 1 every hour", 21600 => "Maximum 1 every 6 hours", 43200 => "Maximum 1 every 12 hours"); $output .= form_select("Maximum node rate", "max_node_rate", variable_get("max_node_rate", 900), $rate, "The maximum submission rate for nodes. Its purpose is to stop potential abuse or denial of service attacks."); $output .= form_select("Maximum comment rate", "max_comment_rate", variable_get("max_comment_rate", 120), $rate, "The maximum submission rate for comments. Its purpose is to stop potential abuse or denial of service attacks."); diff --git a/modules/system/system.module b/modules/system/system.module index 6a450eea9..70a28555f 100644 --- a/modules/system/system.module +++ b/modules/system/system.module 
@@ -50,8 +50,6 @@ function system_view_options() { // submission settings: $output .= "<h3>Submission settings</h3>\n"; - $size = array(1000 => "1.000 characters", 5000 => "5.000 characters", 10000 => "10.000 characters", 15000 => "15.000 characters", 30.000 => "30.000 characters", 50000 => "50.000 characters", 100000 => "100.000 characters"); - $output .= form_select("Maximum submission size", "max_input_size", variable_get("max_input_size", 10000), $size, "The maximum number of characters someone can enter in a form."); $rate = array(1 => "Maximum 1 every second", 5 => "Maximum 1 every 5 seconds", 15 => "Maximum 1 every 15 seconds", 30 => "Maximum 1 every 30 seconds", 60 => "Maximum 1 every minute", 300 => "Maximum 1 every 5 minutes", 900 => "Maximum 1 every 15 minutes", 1800 => "Maximum 1 every 30 minutes", 3600 => "Maximum 1 every hour", 21600 => "Maximum 1 every 6 hours", 43200 => "Maximum 1 every 12 hours"); $output .= form_select("Maximum node rate", "max_node_rate", variable_get("max_node_rate", 900), $rate, "The maximum submission rate for nodes. Its purpose is to stop potential abuse or denial of service attacks."); $output .= form_select("Maximum comment rate", "max_comment_rate", variable_get("max_comment_rate", 120), $rate, "The maximum submission rate for comments. Its purpose is to stop potential abuse or denial of service attacks."); |