Commit 4371b627 authored by Dries's avatar Dries
Browse files

- added fine-grained user permission system which allows us to give
  certain users access to specific administration sections only.
    Ex. a FAQ maintainer can only edit the FAQ, and members of an
        "editorial board" can only edit comments, diaries and
         stories, ..
- code review => rewrote include/user.inc which is much easier now
- fixed 4 small bugs
parent c93bcff8
......@@ -3,7 +3,5 @@
- online installation guidelines
* http://drop.org/module.php?mod=drupal
- drupal project page if you would like to get involved in the
ongoing development
- drupal project page for those willing to get involved in the
ongoing development
\ No newline at end of file
......@@ -41,15 +41,9 @@ function account_create($user = "", $error = "") {
function account_session_start($userid, $passwd) {
global $user;
$user = new User($userid, $passwd);
if ($user->id) {
session_register("user");
watchdog("message", "session opened for user `$user->userid'");
}
else {
watchdog("warning", "failed login for user `$userid'");
}
if ($userid && $passwd) $user = new User($userid, $passwd);
if ($user->id) session_register("user");
watchdog("message", ($user->id ? "session opened for user `$user->userid'" : "failed login for user `$userid'"));
}
function account_session_close() {
......@@ -117,17 +111,9 @@ function account_user_edit() {
function account_user_save($edit) {
global $user;
if ($user->id) {
$data[name] = $edit[name];
$data[fake_email] = $edit[fake_email];
$data[url] = $edit[url];
$data[bio] = $edit[bio];
$data[signature] = $edit[signature];
if ($edit[pass1] && $edit[pass1] == $edit[pass2]) $data[passwd] = $edit[pass1];
user_save($data, $user->id);
$user = user_save($user, array("name" => $edit[name], "fake_email" => $edit[fake_email], "url" => $edit[url], "bio" => $edit[bio], "signature" => $edit[signature]));
if ($edit[pass1] && $edit[pass1] == $edit[pass2]) $user = user_save($user, array("passwd" => $edit[pass1]));
}
}
......@@ -188,16 +174,8 @@ function account_site_edit() {
function account_site_save($edit) {
global $user;
if ($user->id) {
$data[theme] = $edit[theme];
$data[timezone] = $edit[timezone];
$data[language] = $edit[language];
$data[stories] = $edit[stories];
$data[mode] = $edit[mode];
$data[sort] = $edit[sort];
$data[threshold] = $edit[threshold];
user_save($data, $user->id);
$user = user_save($user, array("theme" => $edit[theme], "timezone" => $edit[timezone], "language" => $edit[language], "stories" => $edit[stories], "mode" => $edit[mode], "sort" => $edit[sort], "threshold" => $edit[threshold]));
}
}
......@@ -363,10 +341,9 @@ function account_create_submit($userid, $email) {
}
else {
$new[passwd] = account_password();
$new[status] = 1;
$new[hash] = substr(md5("$new[userid]. ". time() .""), 0, 12);
$new[hash] = substr(md5("$new[userid]. ". time()), 0, 12);
user_save($new);
$user = user_save("", array("userid" => $new[userid], "real_email" => $new[real_email], "passwd" => $new[passwd], "status" => 1, "hash" => $new[hash]));
$link = $site_url ."account.php?op=confirm&name=$new[userid]&hash=$new[hash]";
$subject = strtr(t("Account details for %a"), array("%a" => $site_name));
......
......@@ -2,15 +2,15 @@
include_once "includes/common.inc";
// validate user permission:
if (!user_permission($user)) exit();
// validate user access:
if (!user_access($user)) exit();
function admin_page($mod) {
global $repository, $site_name, $menu, $modules;
global $repository, $site_name, $menu, $modules, $user;
function module($name, $module) {
global $menu, $modules;
if ($module["admin"]) $output .= "<A HREF=\"admin.php?mod=$name\">$name</A> | ";
global $menu, $modules, $user;
if ($module["admin"]) $output .= (user_access($user, $name) ? "<A HREF=\"admin.php?mod=$name\">$name</A> | " : " $name | ");
$menu .= $output;
}
......@@ -37,7 +37,7 @@ function module($name, $module) {
<HR><? echo $menu; ?><A HREF="">home</A><HR>
<?
module_execute($mod, "admin");
if (user_access($user, $mod)) module_execute($mod, "admin");
?>
</BODY>
......
......@@ -170,7 +170,7 @@ CREATE TABLE users (
signature varchar(255) DEFAULT '' NOT NULL,
last_access int(10) unsigned,
last_host varchar(255),
permissions int(10) unsigned DEFAULT '0' NOT NULL,
access varchar(255) DEFAULT '' NOT NULL,
status tinyint(4) DEFAULT '0' NOT NULL,
history text NOT NULL,
hash varchar(12) DEFAULT '' NOT NULL,
......
......@@ -32,12 +32,12 @@ function comment_moderate($moderate) {
$none = $comment_votes[key($comment_votes)];
foreach ($moderate as $id=>$vote) {
if ($vote != $comment_votes[$none] && !user_get_history($user->history, "c$id")) {
if ($vote != $comment_votes[$none] && !user_get($user, "history", "c$id")) {
// Update the comment's score:
$result = db_query("UPDATE comments SET score = score $vote, votes = votes + 1 WHERE cid = $id");
// Update the user's history:
user_set_history("c$id", $vote);
$user = user_set($user, "history", "c$id", $vote);
}
}
}
......@@ -45,12 +45,7 @@ function comment_moderate($moderate) {
function comment_settings($mode, $order, $threshold) {
global $user;
if ($user->id) {
$data[mode] = $mode;
$data[sort] = $order;
$data[threshold] = $threshold;
user_save($data, $user->id);
}
if ($user->id) $user = user_save($user, array("mode" => $mode, "sort" => $order, "threshold" => $threshold));
}
function comment_reply($pid, $id) {
......@@ -180,7 +175,7 @@ function comment_moderation($comment) {
if ($op == "reply") {
$output .= "&nbsp;";
}
else if ($user->id && $user->userid != $comment->userid && !user_get_history($user->history, "c$comment->cid")) {
else if ($user->id && $user->userid != $comment->userid && !user_get($user, "history", "c$comment->cid")) {
$output .= "<SELECT NAME=\"moderate[$comment->cid]\">\n";
foreach ($comment_votes as $key=>$value) $output .= " <OPTION VALUE=\"$value\">$key</OPTION>\n";
$output .= "</SELECT>\n";
......
<?
function conf_load() {
function conf_init() {
global $HTTP_HOST, $REQUEST_URI;
$file = strtr($HTTP_HOST ."". substr($REQUEST_URI, 0, strrpos($REQUEST_URI, "/")), "/:", "..");
while ($file && !file_exists("includes/$file.conf")) {
......@@ -9,7 +9,7 @@ function conf_load() {
return $file;
}
$conf = conf_load();
$conf = conf_init();
include_once "includes/$conf.conf";
include_once "includes/database.inc";
......@@ -21,8 +21,8 @@ function conf_load() {
include_once "includes/theme.inc";
include_once "includes/user.inc";
user_load();
$locale = locale_load();
$theme = theme_load();
user_init();
$locale = locale_init();
$theme = theme_init();
?>
\ No newline at end of file
......@@ -76,7 +76,7 @@ function format_date($timestamp, $type = "medium") {
function format_username($username) {
global $user;
if ($username) return (user_permission($user) ? "<A HREF=\"admin.php?mod=account&op=view&name=$username\">$username</A>" : "<A HREF=\"account.php?op=view&name=$username\">$username</A>");
if ($username) return (user_access($user, "account") ? "<A HREF=\"admin.php?mod=account&op=view&name=$username\">$username</A>" : "<A HREF=\"account.php?op=view&name=$username\">$username</A>");
else { global $anonymous; return $anonymous; }
}
......
<?
function locale_load() {
function locale_init() {
global $languages, $user;
return ($user->id && $user->language) ? $user->language : key($languages);
}
......
......@@ -13,7 +13,7 @@ function Story($userid, $subject, $abstract, $article, $section, $timestamp) {
function story_visible($story) {
global $user;
return ($story->status == 2) || ($story->status == 1 && $user->id) || user_permission($user);
return ($story->status == 2) || ($story->status == 1 && $user->id) || user_access($user, "story");
}
?>
\ No newline at end of file
<?
function theme_load() {
function theme_init() {
global $user, $themes;
if ($user->theme && file_exists($themes[$user->theme][0])) {
......@@ -39,7 +39,7 @@ function menu($name, $module) {
$content .= "<LI><A HREF=\"account.php?op=edit&topic=content\">". t("edit your content") ."</A></LI>\n";
$content .= "<P>\n";
if (user_permission($user)) {
if (user_access($user)) {
$content .= "<LI><A HREF=\"admin.php\">administer ". $site_name ."</A></LI>\n";
$content .= "<P>\n";
}
......@@ -95,10 +95,10 @@ function theme_morelink($theme, $story) {
function theme_moderation_results($theme, $story) {
global $user;
if ($user->id && $story->id && ($user->id == $story->author || user_get_history($user->history, "s$story->id"))) {
if ($user->id && $story->id && ($user->id == $story->author || user_get($user, "history", "s$story->id"))) {
$result = db_query("SELECT * FROM users WHERE history LIKE '%s$story->id%'");
while ($account = db_fetch_object($result)) {
$output .= format_username($account->userid) ." voted `". user_get_history($account->history, "s$story->id") ."'.<BR>";
$output .= format_username($account->userid) ." voted `". user_get($account, "history", "s$story->id") ."'.<BR>";
}
$theme->box("Moderation results", ($output ? $output : "This story has not been moderated yet."));
......
......@@ -6,46 +6,46 @@ function User($userid, $passwd = 0) {
$result = db_query("SELECT * FROM users WHERE LOWER(userid) = LOWER('$userid') && passwd = PASSWORD('$passwd') && STATUS = 2");
if (db_num_rows($result) == 1) {
foreach (db_fetch_row($result) as $key=>$value) { $field = mysql_field_name($result, $key); $this->$field = stripslashes($value); $this->field[] = $field; }
db_query("UPDATE users SET last_access = '". time() ."', last_host = '$GLOBALS[REMOTE_HOST]' WHERE id = $this->id");
db_query("UPDATE users SET last_access = '". time() ."', last_host = '$GLOBALS[REMOTE_ADDR]' WHERE id = $this->id");
}
}
else {
$result = db_query("SELECT * FROM users WHERE userid = '$userid' && STATUS = 2");
if (db_num_rows($result) == 1) {
foreach (db_fetch_row($result) as $key=>$value) { $field = mysql_field_name($result, $key); $this->$field = stripslashes($value); $this->field[] = $field; }
db_query("UPDATE users SET last_access = '". time() ."', last_host = '$GLOBALS[REMOTE_HOST]' WHERE id = $this->id");
db_query("UPDATE users SET last_access = '". time() ."', last_host = '$GLOBALS[REMOTE_ADDR]' WHERE id = $this->id");
}
}
}
}
function user_load() {
function user_init() {
global $db_name;
session_name($db_name);
session_start();
}
function user_save($data, $id = 0) {
global $user;
function user_load($username) {
return new User($username);
}
foreach ($data as $key=>$value) {
function user_save($account, $array) {
// dynamically compose query:
foreach ($array as $key=>$value) {
if ($key == "passwd") $query .= "$key = PASSWORD('". addslashes($value) ."'), ";
else $query .= "$key = '". addslashes($value) ."', ";
}
if (empty($id)) {
db_query("INSERT INTO users SET $query last_access = '". time() ."', last_host = '$GLOBALS[REMOTE_HOST]'");
}
else {
db_query("UPDATE users SET $query last_access = '". time() ."', last_host = '$GLOBALS[REMOTE_HOST]' WHERE id = $id");
$result = db_query("SELECT * FROM users WHERE id = $id AND status = 2");
if (db_num_rows($result) == 1) foreach (db_fetch_array($result) as $key=>$value) { $user->$key = stripslashes($value); }
else $user = 0;
}
// update or instert account:
if ($account->id) db_query("UPDATE users SET $query last_access = '". time() ."', last_host = '$GLOBALS[REMOTE_ADDR]' WHERE id = '$account->id'");
else db_query("INSERT INTO users SET $query last_access = '". time() ."', last_host = '$GLOBALS[REMOTE_ADDR]'");
// return account:
return user_load(($account->userid ? $account->userid : $array["userid"]));
}
function user_get_history($history, $field) {
$data = explode(";", $history);
function user_get($account, $column, $field) {
$data = explode(";", $account->$column);
for (reset($data); current($data); next($data)) {
$entry = explode(":", current($data));
if (reset($entry) == $field) $rval = end($entry);
......@@ -53,46 +53,38 @@ function user_get_history($history, $field) {
return $rval;
}
function user_set_history($field, $value) {
global $user;
$history = $user->history;
function user_set($account, $column, $name, $value) {
$field = $account->$column;
if (!$value) {
// remove entry:
$data = explode(";", $history);
$data = explode(";", $field);
for (reset($data); current($data); next($data)) {
$entry = explode(":", current($data));
if ($entry[0] != $field) $rval .= "$entry[0]:$entry[1];";
if ($entry[0] != $name) $rval .= "$entry[0]:$entry[1];";
}
}
else if (strstr($history, "$field:")) {
else if (strstr($field, "$name:")) {
// found: update exsisting entry:
$data = explode(";", $history);
$data = explode(";", $field);
for (reset($data); current($data); next($data)) {
$entry = explode(":", current($data));
if ($entry[0] == $field) $entry[1] = $value;
if ($entry[0] == $name) $entry[1] = $value;
$rval .= "$entry[0]:$entry[1];";
}
}
else {
// not found: add new entry:
$rval = "$history$field:$value;";
// not found:
$rval = "$field$name:$value;";
}
$user->history = $rval;
// save new history:
$query .= "UPDATE users SET ";
foreach ($user->field as $key=>$field) { $value = $user->$field; $query .= "$field = '". addslashes($value) ."', "; }
$query .= " id = $user->id WHERE id = $user->id";
db_query($query);
}
function user_rehash() {
global $user;
if ($user->id) $user = new User($user->userid);
return user_save($account, array($column => $rval));
}
function user_permission($account) {
return ($account->permissions == 1 || $account->id == 1);
function user_access($account, $section = 0) {
// print $account->userid ." ". $account->access ."<P>";
if ($section) return (user_get($account, "access", $section) || $account->id == 1);
else return ($account->access || $account->id == 1);
}
?>
\ No newline at end of file
......@@ -9,8 +9,8 @@
function watchdog($id, $message) {
global $user, $watchdog, $watchdog_history;
/*
if ($watchdog[$id][1] && !user_permission($user)) {
if ($watchdog[$id][1] && !user_access($user, "watchdog")) {
if ($log = db_fetch_object(db_query("SELECT * FROM watchdog WHERE hostname = '". getenv("REMOTE_ADDR") ."' AND level = '". $watchdog[$id][0] ."'"))) {
if (time() - $log->timestamp < $watchdog[$id][1]) {
watchdog("warning", "'". getenv("REMOTE_ADDR") ."' exceeded '$id' submission rate");
......@@ -19,7 +19,7 @@ function watchdog($id, $message) {
}
}
}
*/
// Perform query to add new watchdog entry:
db_query("INSERT INTO watchdog (level, timestamp, user, message, location, hostname) VALUES ('". $watchdog[$id][0] ."', '". time() ."', '". check_input($user->id) ."', '". check_input($message) ."', '". check_input(getenv("REQUEST_URI")) ."', '". check_input(getenv("REMOTE_ADDR")) ."')");
}
......
......@@ -63,7 +63,7 @@ function account_find($keys) {
$find = array();
$result = db_query("SELECT * FROM users WHERE userid LIKE '%". check_input($keys) ."%' LIMIT 20");
while ($account = db_fetch_object($result)) {
array_push($find, array("subject" => $account->userid, "link" => (user_permission($user) ? "admin.php?mod=account&op=view&name=$account->userid" : "account.php?op=view&name=$account->userid"), "user" => $account->userid));
array_push($find, array("subject" => $account->userid, "link" => (user_access($user, "account") ? "admin.php?mod=account&op=view&name=$account->userid" : "account.php?op=view&name=$account->userid"), "user" => $account->userid));
}
return $find;
}
......@@ -75,7 +75,7 @@ function account_search() {
}
function account_display($order = "username") {
$sort = array("ID" => "id", "fake e-mail address" => "fake_email", "hostname" => "last_host DESC", "last access date" => "last_access DESC", "real e-mail address" => "real_email", "real name" => "name", "permissions" => "permissions", "rating" => "rating DESC", "status" => "status", "theme" => "theme", "timezone" => "timezone DESC", "username" => "userid");
$sort = array("ID" => "id", "fake e-mail address" => "fake_email", "hostname" => "last_host DESC", "last access date" => "last_access DESC", "real e-mail address" => "real_email", "real name" => "name", "rating" => "rating DESC", "status" => "status", "theme" => "theme", "timezone" => "timezone DESC", "username" => "userid");
$show = array("ID" => "id", "username" => "userid", "$order" => "$sort[$order]", "homepage" => "url");
$stat = array(0 => "blocked", 1 => "not confirmed", 2 => "open");
$perm = array(0 => "regular user", 1 => "administrator");
......@@ -118,9 +118,6 @@ function account_display($order = "username") {
case "status":
$output .= " <TD ALIGN=\"center\">". $stat[$account[$value]] ."</TD>\n";
break;
case "permissions":
$output .= " <TD ALIGN=\"center\">". $perm[$account[$value]] ."</TD>\n";
break;
case "timezone":
$output .= " <TD ALIGN=\"center\">". check_output($account[$value] / 3600) ."</TD>\n";
break;
......@@ -142,6 +139,15 @@ function account_display($order = "username") {
print $output;
}
function account_access($account) {
$data = explode(";", $account->access);
foreach ($data as $array) {
$access = explode(":", $array);
if ($access[0]) $output .= " <A HREF=\"admin.php?mod=$access[0]\">$access[0]</A>";
}
return $output;
}
function account_blocks($id) {
$result = db_query("SELECT * FROM layout WHERE user = $id");
while ($layout = db_fetch_object($result)) {
......@@ -167,17 +173,22 @@ function account_comments($id) {
}
function account_edit_save($name, $edit) {
foreach ($edit as $key=>$value) {
$query .= "$key = '". addslashes($value) ."', ";
}
foreach ($edit as $key=>$value) if ($key != "access") $query .= "$key = '". addslashes($value) ."', ";
db_query("UPDATE users SET $query last_access = '". time() ."' WHERE userid = '$name'");
foreach ($edit[access] as $key=>$value) user_set(user_load($name), "access", $value, 1);
watchdog("message", "account: modified user '$name'");
}
function account_edit($name) {
global $access, $account;
function access($name, $module) {
global $access, $account;
$access .= "<OPTION VALUE=\"$name\"". (user_access($account, $name) ? " SELECTED" : "") .">$name</OPTION>";
}
$status = array(0 => "blocked", 1 => "not confirmed", 2 => "open");
$permissions = array(0 => "regular user", 1 => "administrator");
$result = db_query("SELECT * FROM users WHERE userid = '$name'");
......@@ -187,21 +198,18 @@ function account_edit($name) {
}
$stat = "<SELECT NAME=\"edit[status]\">\n$stat</SELECT>\n";
foreach ($permissions as $key=>$value) {
$perm .= " <OPTION VALUE=\"$key\"". (($account->permissions == $key) ? " SELECTED" : "") .">$value</OPTION>\n";
}
$perm = "<SELECT NAME=\"edit[permissions]\">\n$perm</SELECT>\n";
module_iterate("access");
$output .= "<FORM ACTION=\"admin.php?mod=account\" METHOD=\"post\">\n";
$output .= "<TABLE BORDER=\"1\" CELLPADDING=\"3\" CELLSPACING=\"0\">\n";
$output .= " <TR><TD ALIGN=\"right\"><B>ID:</B></TD><TD>$account->id</TD></TR>\n";
$output .= " <TR><TD ALIGN=\"right\"><B>Status:</B></TD><TD>$stat</TD></TR>\n";
$output .= " <TR><TD ALIGN=\"right\"><B>Access:</B></TD><TD><SELECT NAME=\"edit[access][]\" MULTIPLE=\"true\" SIZE=\"10\">$access</SELECT></TD></TR>\n";
$output .= " <TR><TD ALIGN=\"right\"><B>Username:</B></TD><TD>$account->userid</TD></TR>\n";
$output .= " <TR><TD ALIGN=\"right\"><B>Real name:</B></TD><TD>". check_output($account->name) ."</TD></TR>\n";
$output .= " <TR><TD ALIGN=\"right\"><B>Real e-mail address:</B></TD><TD>". format_email($account->real_email) ."</TD></TR>\n";
$output .= " <TR><TD ALIGN=\"right\"><B>Fake e-mail address:</B></TD><TD><INPUT NAME=\"edit[fake_email]\" SIZE=\"55\" VALUE=\"$account->fake_email\"></TD></TR>\n";
$output .= " <TR><TD ALIGN=\"right\"><B>URL of homepage:</B></TD><TD><INPUT NAME=\"edit[url]\" SIZE=\"55\" VALUE=\"$account->url\"></TD></TR>\n";
$output .= " <TR><TD ALIGN=\"right\"><B>Permissions:</B></TD><TD>$perm</TD></TR>\n";
$output .= " <TR><TD ALIGN=\"right\"><B>Last access:</B></TD><TD>". format_date($account->last_access) ." from ". check_output($account->last_host) ."</TD></TR>\n";
$output .= " <TR><TD ALIGN=\"right\"><B>User rating:</B></TD><TD>". check_output($account->rating) ."</TD></TR>\n";
$output .= " <TR><TD ALIGN=\"right\"><B>Bio information:</B></TD><TD><TEXTAREA NAME=\"edit[bio]\" COLS=\"35\" ROWS=\"5\" WRAP=\"virtual\">$account->bio</TEXTAREA></TD></TR>\n";
......@@ -221,7 +229,6 @@ function account_edit($name) {
function account_view($name) {
$status = array(0 => "blocked", 1 => "not confirmed", 2 => "open");
$permissions = array(0 => "regular user", 1 => "administrator");
$result = db_query("SELECT * FROM users WHERE userid = '$name'");
......@@ -229,12 +236,12 @@ function account_view($name) {
$output .= "<TABLE BORDER=\"1\" CELLPADDING=\"3\" CELLSPACING=\"0\">\n";
$output .= " <TR><TD ALIGN=\"right\"><B>ID:</B></TD><TD><A HREF=\"admin.php?mod=account&op=edit&name=$account->userid\">$account->id</A></TD></TR>\n";
$output .= " <TR><TD ALIGN=\"right\"><B>Status:</B></TD><TD>". $status[$account->status] ."</TD></TR>\n";
$output .= " <TR><TD ALIGN=\"right\"><B>Access:</B></TD><TD>". check_output(account_access($account)) ."</TD></TR>\n";
$output .= " <TR><TD ALIGN=\"right\"><B>Username:</B></TD><TD>$account->userid</TD></TR>\n";
$output .= " <TR><TD ALIGN=\"right\"><B>Real name:</B></TD><TD>". check_output($account->name) ."</TD></TR>\n";
$output .= " <TR><TD ALIGN=\"right\"><B>Real e-mail address:</B></TD><TD>". format_email($account->real_email) ."</TD></TR>\n";
$output .= " <TR><TD ALIGN=\"right\"><B>Fake e-mail address:</B></TD><TD>". check_output($account->fake_email) ."</TD></TR>\n";
$output .= " <TR><TD ALIGN=\"right\"><B>URL of homepage:</B></TD><TD>". format_url($account->url) ."</TD></TR>\n";
$output .= " <TR><TD ALIGN=\"right\"><B>Permissions:</B></TD><TD>". $permissions[$account->permissions] ."</TD></TR>\n";
$output .= " <TR><TD ALIGN=\"right\"><B>Last access:</B></TD><TD>". format_date($account->last_access) ." from ". check_output($account->last_host) ."</TD></TR>\n";
$output .= " <TR><TD ALIGN=\"right\"><B>User rating:</B></TD><TD>". check_output($account->rating) ."</TD></TR>\n";
$output .= " <TR><TD ALIGN=\"right\"><B>Bio information:</B></TD><TD>". check_output($account->bio) ."</TD></TR>\n";
......
......@@ -8,7 +8,7 @@ function comment_find($keys) {
$find = array();
$result = db_query("SELECT c.*, u.userid FROM comments c LEFT JOIN users u ON c.author = u.id WHERE c.subject LIKE '%". check_input($keys) ."%' OR c.comment LIKE '%". check_input($keys) ."%' ORDER BY c.timestamp DESC LIMIT 20");
while ($comment = db_fetch_object($result)) {
array_push($find, array("subject" => check_output($comment->subject), "link" => (user_permission($user) ? "admin.php?mod=comment&op=edit&id=$comment->cid" : "story.php?id=$comment->lid&cid=$comment->cid"), "user" => $story->userid, "date" => $comment->timestamp));
array_push($find, array("subject" => check_output($comment->subject), "link" => (user_access($user, "comment") ? "admin.php?mod=comment&op=edit&id=$comment->cid" : "story.php?id=$comment->lid&cid=$comment->cid"), "user" => $story->userid, "date" => $comment->timestamp));
}
return $find;
}
......
......@@ -8,7 +8,7 @@ function comment_find($keys) {
$find = array();
$result = db_query("SELECT c.*, u.userid FROM comments c LEFT JOIN users u ON c.author = u.id WHERE c.subject LIKE '%". check_input($keys) ."%' OR c.comment LIKE '%". check_input($keys) ."%' ORDER BY c.timestamp DESC LIMIT 20");
while ($comment = db_fetch_object($result)) {
array_push($find, array("subject" => check_output($comment->subject), "link" => (user_permission($user) ? "admin.php?mod=comment&op=edit&id=$comment->cid" : "story.php?id=$comment->lid&cid=$comment->cid"), "user" => $story->userid, "date" => $comment->timestamp));
array_push($find, array("subject" => check_output($comment->subject), "link" => (user_access($user, "comment") ? "admin.php?mod=comment&op=edit&id=$comment->cid" : "story.php?id=$comment->lid&cid=$comment->cid"), "user" => $story->userid, "date" => $comment->timestamp));
}
return $find;
}
......
......@@ -16,7 +16,7 @@ function diary_find($keys) {
$find = array();
$result = db_query("SELECT d.*, u.userid FROM diaries d LEFT JOIN users u ON d.author = u.id WHERE d.text LIKE '%". check_input($keys) ."%' ORDER BY d.timestamp DESC LIMIT 20");
while ($diary = db_fetch_object($result)) {
array_push($find, array("subject" => "$diary->userid's diary", "link" => (user_permission($user) ? "admin.php?mod=diary&op=edit&id=$diary->id" : "module.php?mod=diary&op=view&name=$diary->userid"), "user" => $diary->userid, "date" => $diary->timestamp));
array_push($find, array("subject" => "$diary->userid's diary", "link" => (user_access($user, "diary") ? "admin.php?mod=diary&op=edit&id=$diary->id" : "module.php?mod=diary&op=view&name=$diary->userid"), "user" => $diary->userid, "date" => $diary->timestamp));
}
return $find;
......
......@@ -20,7 +20,7 @@ function story_find($keys) {
$find = array();
$result = db_query("SELECT s.*, u.userid FROM stories s LEFT JOIN users u ON s.author = u.id WHERE s.status = 2 AND (s.subject LIKE '%". check_input($keys) ."%' OR s.abstract LIKE '%". check_input($keys) ."%' OR s.article LIKE '%". check_input($keys) ."%') ORDER BY s.timestamp DESC LIMIT 20");
while ($story = db_fetch_object($result)) {
array_push($find, array("subject" => check_output($story->subject), "link" => (user_permission($user) ? "admin.php?mod=story&op=edit&id=$story->id" : "story.php?id=$story->id"), "user" => $story->userid, "date" => $story->timestamp));
array_push($find, array("subject" => check_output($story->subject), "link" => (user_access($user, "story") ? "admin.php?mod=story&op=edit&id=$story->id" : "story.php?id=$story->id"), "user" => $story->userid, "date" => $story->timestamp));
}
return $find;
}
......
......@@ -20,7 +20,7 @@ function story_find($keys) {
$find = array();
$result = db_query("SELECT s.*, u.userid FROM stories s LEFT JOIN users u ON s.author = u.id WHERE s.status = 2 AND (s.subject LIKE '%". check_input($keys) ."%' OR s.abstract LIKE '%". check_input($keys) ."%' OR s.article LIKE '%". check_input($keys) ."%') ORDER BY s.timestamp DESC LIMIT 20");
while ($story = db_fetch_object($result)) {
array_push($find, array("subject" => check_output($story->subject), "link" => (user_permission($user) ? "admin.php?mod=story&op=edit&id=$story->id" : "story.php?id=$story->id"), "user" => $story->userid, "date" => $story->timestamp));
array_push($find, array("subject" => check_output($story->subject), "link" => (user_access($user, "story") ? "admin.php?mod=story&op=edit&id=$story->id" : "story.php?id=$story->id"), "user" => $story->userid, "date" => $story->timestamp));
}
return $find;
}
......
......@@ -22,7 +22,7 @@ function submission_score($id) {
function submission_vote($id, $vote, $comment) {
global $user;
if (!user_get_history($user->history, "s$id")) {
if (!user_get($user, "history", "s$id")) {
// Update submission's score- and votes-field:
db_query("UPDATE stories SET score = score $vote, votes = votes + 1 WHERE id = $id");
......@@ -33,7 +33,7 @@ function submission_vote($id, $vote, $comment) {
}
// Update user's history record:
user_set_history("s$id", $vote);
$user = user_set($user, "history", "s$id", $vote);
// Update story table (if required):
$result = db_query("SELECT * FROM stories WHERE id = $id");
......@@ -65,7 +65,7 @@ function submission_page_main() {
$content .= "<TABLE BORDER=\"0\" CELLSPACING=\"4\" CELLPADDING=\"4\">\n";
$content .= " <TR BGCOLOR=\"$bgcolor1\"><TH>". t("Subject") ."</TH><TH>". t("Section") ."</TH><TH>". t("Date") ."</TH><TH>". t("Author") ."</TH><TH>". t("Score") ."</TH></TR>\n";
while ($submission = db_fetch_object($result)) {
if ($user->id == $submission->author || user_get_history($user->history, "s$submission->id")) $content .= " <TR><TD WIDTH=\"100%\"><A HREF=\"module.php?mod=submission&op=view&id=$submission->id\">". check_output($submission->subject) ."</A></TD><TD>$submission->section</TD><TD ALIGN=\"center\">". date("Y-m-d", $submission->timestamp) ."<BR>". date("H:m:s", $submission->timestamp) ."</TD><TD ALIGN=\"center\">". format_username($submission->userid) ."</TD><TD ALIGN=\"center\">". submission_score($submission->id) ."</TD></TR>\n";