Commit eb7c5f60 authored by Dries's avatar Dries

- Bugfix: when updating a book page, the name of the author did not change.

- Bugfix: the "Edit comments" part of the node administration pages did not
  display the correct comments.

- Bugfix: sometimes, an update of a book page would mess up the book.

- Improvement: when "node administrators" update a book page through the
  "update this book page"-link (like regular users do), their update will
  be subject to moderation.

- Improvement: made some intermediate changes to the filter mechanism. Needs
  more work.
parent cd401235
......@@ -119,11 +119,16 @@ function check_query($text) {
return addslashes(stripslashes($text));
}
function check_input($text) {
function filter($text) {
foreach (module_list() as $name) {
if (module_hook($name, "filter")) $text = module_invoke($name, "filter", $text);
}
return addslashes(stripslashes(substr($text, 0, variable_get("max_input_size", 10000))));
return $text;
}
function check_input($text) {
return check_query($text);
}
function check_output($text, $nl2br = 0) {
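Review bot: The rewritten `check_input()` at the end of the hunk is now a bare alias of `check_query()`; the `substr($text, 0, variable_get("max_input_size", 10000))` cap the old line applied is gone, so nothing left in this path bounds the size of submitted text, even though the rate-limit settings that survive in system_view_options are justified there as protection against abuse and denial of service. If dropping the cap is intended, say so at the definition, e.g. `// check_input(): no longer truncates to max_input_size; that setting was removed together with the form field in system.module`, because existing callers may still assume the bounded variant. In `filter()` each module's hook receives the previous hook's output in `module_list()` order, which is worth a comment such as `// filter hooks are chained in module_list() order; each receives the previous hook's result`. The hunk's trailing context after `check_output` is cut off by the collapsed-lines marker, and the same size-cap point applies to the system.module hunk that removes the setting.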
......
......@@ -107,8 +107,8 @@ function node_load($conditions) {
}
/*
** Call the node specific callback (if any) and piggy-back to
** results to the node:
** Call the node specific callback (if any) and piggy-back the
** results to the node or overwrite some values:
*/
if ($extra = module_invoke($node->type, "load", $node)) {
......@@ -156,6 +156,10 @@ function node_save($node, $filter) {
$node->revisions = serialize($node->revisions);
}
/*
** Apply filters to some default node fields:
*/
if (empty($node->nid)) {
/*
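Review bot: The added comment `Apply filters to some default node fields:` announces filtering that no visible line in this hunk performs, and the two value-building hunks further down in node_save replace `check_input()` with `check_query()`, so filtering of node fields appears to have moved to `node_submit()` in this same commit. Unless code just below the hunk calls `filter()`, the comment is misleading and should be dropped or reworded to `** Node fields were already passed through filter() in node_submit(); only escape them here:`. node_save continues outside the hunk.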
......@@ -170,9 +174,7 @@ function node_save($node, $filter) {
foreach ($node as $key => $value) {
if (in_array($key, $fields)) {
$k[] = check_query($key);
$v[] = "'". check_input($value) ."'";
// NOTE: for the values we use 'check_input()' such that we apply
// the filters
$v[] = "'". check_query($value) ."'";
}
}
......@@ -194,9 +196,7 @@ function node_save($node, $filter) {
// prepare the query:
foreach ($node as $key => $value) {
if (in_array($key, $fields)) {
$q[] = check_query($key) ." = '". ($key != "revisions" ? check_input($value) : $value) ."'";
// NOTE: for the values we use 'check_input()' such that we apply
// the filters, except revisions
$q[] = check_query($key) ." = '". check_query($value) ."'";
}
}
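Review bot: The new line `$q[] = check_query($key) ." = '". check_query($value) ."'";` now passes the `revisions` value through `check_query()`, which the removed line deliberately exempted; since the function stores `serialize($node->revisions)` and `check_query()` is `addslashes(stripslashes($text))`, a backslash inside any serialized revision string is stripped before escaping, which changes the byte length recorded in its `s:N:` prefix and would make the stored revisions unserializable. Escaping this value is an improvement over interpolating it raw, but it should skip the stripslashes step, e.g. `$q[] = check_query($key) ." = '". ($key != "revisions" ? check_query($value) : addslashes($value)) ."'";`. The insert loop in the previous hunk builds `$v[]` the same way and deserves the same exemption if `revisions` is among `$fields` there. node_save continues outside the hunk.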
......
......@@ -24,7 +24,7 @@ function book_access($op, $node) {
return $node->status;
}
if ($op == "create") {
if ($op == "create") {
return 1;
}
......@@ -36,12 +36,12 @@ function book_access($op, $node) {
** revision"-bit is set; that is, only updates that don't overwrite
** the current or pending information are allowed.
*/
return !$node->moderate && $node->revision;
}
}
function book_save($op, $node) {
global $user, $REQUEST_URI;
if ($op == "approve") {
return array("status" => 1);
......@@ -56,22 +56,25 @@ function book_save($op, $node) {
}
if ($op == "update") {
if (user_access("administer nodes")) {
if (strstr($REQUEST_URI, "module.php?mod=node&op=edit")) {
/*
** If a node administrator updates a book page, we don't create a
** new revision unless we are explicitly instructed to.
** If a regular user updates a book page, we always create a new
** revision. All new revisions have to be approved (moderation)
** and are not promoted by derault. See also: book_load().
*/
return array("parent", "weight");
return array("created" => time(), "moderate" => 1, "name" => $user->name, "parent", "promote" => 0, "score" => 0, "status" => 1, "uid" => $user->uid, "users" => "", "revisions", "votes" => 0, "weight");
}
else {
else if (user_access("adminster nodes")) {
/*
** If a regular user updates a book page, we always create a new
** revision. All new revisions have to be approved (moderation)
** and are not promoted by derault.
** If a node administrator updates a book page, we don't create a
** new revision unless we are explicitly instructed to. If a node
** administrator updates a book page using the "update this book
** page"-link (like regular users do) then he'll be treated as a
** regular user.
*/
return array("created" => time(), "moderate" => 1, "parent", "promote" => 0, "score" => 0, "status" => 1, "users" => "", "revisions", "votes" => 0, "weight");
return array("parent", "weight");
}
}
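Review bot: The new branch `else if (user_access("adminster nodes"))` checks a permission spelled differently from the `"administer nodes"` used on the removed line above it and in node_link, so unless a permission with that exact name exists the branch is never taken and node administrators updating through the admin page fall out of both branches; the line should read `else if (user_access("administer nodes")) {`. Separately, whether an update is moderated is now keyed on `strstr($REQUEST_URI, "module.php?mod=node&op=edit")`, so any request whose URI merely contains that substring, or one that reaches this code through a rewritten or differently formed URL, switches between the two return values; an authorization-relevant choice like this is more robust when driven by an explicit parameter from the dispatching page than by URI shape. book_load below uses the same URI test and the same concern applies there. Both comment blocks still read `derault` for "default". This file section is rendered a second time further down the page, where the same points apply.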
......@@ -90,7 +93,29 @@ function book_link($type) {
}
function book_load($node) {
$book = db_fetch_object(db_query("SELECT parent, weight, revision FROM book WHERE nid = '$node->nid'"));
global $user, $REQUEST_URI;
$book = db_fetch_object(db_query("SELECT parent, weight FROM book WHERE nid = '$node->nid'"));
if (strstr($REQUEST_URI, "module.php?mod=node&op=edit")) {
/*
** If a user is about to update a book page, we overload some
** fields to reflect the changes. We use the $REQUEST_URI to
** dectect this as we don't want to interfer with updating a
** book page through the admin pages. See also: book_save().
*/
$book->name = $user->name;
$book->uid = $user->uid;
}
/*
** We set the revision field to indicate that we have to create
** a new revision when updating this book page.
*/
$book->revision = 1;
return $book;
}
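Review bot: `$book->revision = 1;` is now set unconditionally on every load and the `revision` column is no longer read from the table, so after node_load piggy-backs the returned fields onto the node, `$node->revision` is always true for a loaded book page and the `&& $node->revision` test in book_access at the top of this section is decided by `!$node->moderate` alone. If that is intended, the comment on this field should say so, e.g. `** Always request a new revision on update; book_access() therefore only gates on the moderate flag.`, otherwise the stored value should still be selected and returned. Overwriting `$book->name` and `$book->uid` with the viewing user on any request whose URI contains the edit string also changes the author attached to the node wherever it is rendered during that request, not only in the saved update, which is worth stating in the comment. The comment text has `dectect` and `interfer` for "detect" and "interfere".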
......@@ -125,7 +150,6 @@ function book_form($node, $help, $error) {
$help = book_node("description");
/*
** If a regular user updates a book page, we create a new revision
** authored by that user:
......
......@@ -24,7 +24,7 @@ function book_access($op, $node) {
return $node->status;
}
if ($op == "create") {
if ($op == "create") {
return 1;
}
......@@ -36,12 +36,12 @@ function book_access($op, $node) {
** revision"-bit is set; that is, only updates that don't overwrite
** the current or pending information are allowed.
*/
return !$node->moderate && $node->revision;
}
}
function book_save($op, $node) {
global $user, $REQUEST_URI;
if ($op == "approve") {
return array("status" => 1);
......@@ -56,22 +56,25 @@ function book_save($op, $node) {
}
if ($op == "update") {
if (user_access("administer nodes")) {
if (strstr($REQUEST_URI, "module.php?mod=node&op=edit")) {
/*
** If a node administrator updates a book page, we don't create a
** new revision unless we are explicitly instructed to.
** If a regular user updates a book page, we always create a new
** revision. All new revisions have to be approved (moderation)
** and are not promoted by derault. See also: book_load().
*/
return array("parent", "weight");
return array("created" => time(), "moderate" => 1, "name" => $user->name, "parent", "promote" => 0, "score" => 0, "status" => 1, "uid" => $user->uid, "users" => "", "revisions", "votes" => 0, "weight");
}
else {
else if (user_access("adminster nodes")) {
/*
** If a regular user updates a book page, we always create a new
** revision. All new revisions have to be approved (moderation)
** and are not promoted by derault.
** If a node administrator updates a book page, we don't create a
** new revision unless we are explicitly instructed to. If a node
** administrator updates a book page using the "update this book
** page"-link (like regular users do) then he'll be treated as a
** regular user.
*/
return array("created" => time(), "moderate" => 1, "parent", "promote" => 0, "score" => 0, "status" => 1, "users" => "", "revisions", "votes" => 0, "weight");
return array("parent", "weight");
}
}
......@@ -90,7 +93,29 @@ function book_link($type) {
}
function book_load($node) {
$book = db_fetch_object(db_query("SELECT parent, weight, revision FROM book WHERE nid = '$node->nid'"));
global $user, $REQUEST_URI;
$book = db_fetch_object(db_query("SELECT parent, weight FROM book WHERE nid = '$node->nid'"));
if (strstr($REQUEST_URI, "module.php?mod=node&op=edit")) {
/*
** If a user is about to update a book page, we overload some
** fields to reflect the changes. We use the $REQUEST_URI to
** dectect this as we don't want to interfer with updating a
** book page through the admin pages. See also: book_save().
*/
$book->name = $user->name;
$book->uid = $user->uid;
}
/*
** We set the revision field to indicate that we have to create
** a new revision when updating this book page.
*/
$book->revision = 1;
return $book;
}
......@@ -125,7 +150,6 @@ function book_form($node, $help, $error) {
$help = book_node("description");
/*
** If a regular user updates a book page, we create a new revision
** authored by that user:
......
......@@ -150,7 +150,7 @@ function node_link($type, $node = 0, $main = 0) {
if (module_invoke($node->type, "access", "update", $node)) {
$links[] = "<a href=\"module.php?mod=node&op=edit&id=$node->nid\">". t("edit") ."</a>";
}
if (user_access("administer nodes")) {
$links[] = "<a href=\"admin.php?mod=node&op=edit&id=$node->nid\">". t("administer") ."</a>";
}
......@@ -232,7 +232,7 @@ function node_admin_edit($node) {
$output .= "<h3>". t("Edit comments") ."</h3>";
$result = db_query("SELECT c.cid, c.subject, u.uid, u.name FROM comments c LEFT JOIN users u ON u.uid = c.uid WHERE lid = '". $node["nid"] ."' ORDER BY c.timestamp");
$result = db_query("SELECT c.cid, c.subject, u.uid, u.name FROM comments c LEFT JOIN users u ON u.uid = c.uid WHERE lid = '$node->nid' ORDER BY c.timestamp");
$output .= "<table border=\"1\" cellpadding=\"2\" cellspacing=\"2\">";
$output .= " <tr><th>title</th><th>author</th><th colspan=\"3\">operations</th></tr>";
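Review bot: The corrected query still interpolates `$node->nid` straight into the SQL string (`WHERE lid = '$node->nid'`), while node_save in this same commit escapes every value it writes through `check_query()`; to keep this admin page from depending on callers having validated the id, the new line should read `$result = db_query("SELECT c.cid, c.subject, u.uid, u.name FROM comments c LEFT JOIN users u ON u.uid = c.uid WHERE lid = '". check_query($node->nid) ."' ORDER BY c.timestamp");` or cast the id to int first. The book_load query in this commit interpolates `nid = '$node->nid'` the same way. node_admin_edit continues outside the hunk.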
......@@ -474,6 +474,7 @@ function node_validate($node, $error = array()) {
$node = node_object($node);
/*
** Validate the title field:
*/
......@@ -755,6 +756,14 @@ function node_submit($node) {
$node = node_validate($node);
/*
** Apply the filters:
*/
$node->teaser = filter($node->teaser);
$node->title = filter($node->title);
$node->body = filter($node->body);
/*
** Create a new revision when required:
*/
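Review bot: The three `filter()` calls run after `$node = node_validate($node);`, so validation (including the title check visible in the previous hunk) sees the unfiltered text and a filter hook can still empty or rewrite a field after it was accepted; unless filters are meant to be purely cosmetic, moving the three assignments above the `node_validate()` call would validate what is actually stored. The comment should also say which fields are covered, e.g. `** Apply the filters to the user-editable text fields (teaser, title, body); other fields are not filtered:`. node_submit continues outside the hunk.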
......
......@@ -150,7 +150,7 @@ function node_link($type, $node = 0, $main = 0) {
if (module_invoke($node->type, "access", "update", $node)) {
$links[] = "<a href=\"module.php?mod=node&op=edit&id=$node->nid\">". t("edit") ."</a>";
}
if (user_access("administer nodes")) {
$links[] = "<a href=\"admin.php?mod=node&op=edit&id=$node->nid\">". t("administer") ."</a>";
}
......@@ -232,7 +232,7 @@ function node_admin_edit($node) {
$output .= "<h3>". t("Edit comments") ."</h3>";
$result = db_query("SELECT c.cid, c.subject, u.uid, u.name FROM comments c LEFT JOIN users u ON u.uid = c.uid WHERE lid = '". $node["nid"] ."' ORDER BY c.timestamp");
$result = db_query("SELECT c.cid, c.subject, u.uid, u.name FROM comments c LEFT JOIN users u ON u.uid = c.uid WHERE lid = '$node->nid' ORDER BY c.timestamp");
$output .= "<table border=\"1\" cellpadding=\"2\" cellspacing=\"2\">";
$output .= " <tr><th>title</th><th>author</th><th colspan=\"3\">operations</th></tr>";
......@@ -474,6 +474,7 @@ function node_validate($node, $error = array()) {
$node = node_object($node);
/*
** Validate the title field:
*/
......@@ -755,6 +756,14 @@ function node_submit($node) {
$node = node_validate($node);
/*
** Apply the filters:
*/
$node->teaser = filter($node->teaser);
$node->title = filter($node->title);
$node->body = filter($node->body);
/*
** Create a new revision when required:
*/
......
......@@ -50,8 +50,6 @@ function system_view_options() {
// submission settings:
$output .= "<h3>Submission settings</h3>\n";
$size = array(1000 => "1.000 characters", 5000 => "5.000 characters", 10000 => "10.000 characters", 15000 => "15.000 characters", 30.000 => "30.000 characters", 50000 => "50.000 characters", 100000 => "100.000 characters");
$output .= form_select("Maximum submission size", "max_input_size", variable_get("max_input_size", 10000), $size, "The maximum number of characters someone can enter in a form.");
$rate = array(1 => "Maximum 1 every second", 5 => "Maximum 1 every 5 seconds", 15 => "Maximum 1 every 15 seconds", 30 => "Maximum 1 every 30 seconds", 60 => "Maximum 1 every minute", 300 => "Maximum 1 every 5 minutes", 900 => "Maximum 1 every 15 minutes", 1800 => "Maximum 1 every 30 minutes", 3600 => "Maximum 1 every hour", 21600 => "Maximum 1 every 6 hours", 43200 => "Maximum 1 every 12 hours");
$output .= form_select("Maximum node rate", "max_node_rate", variable_get("max_node_rate", 900), $rate, "The maximum submission rate for nodes. Its purpose is to stop potential abuse or denial of service attacks.");
$output .= form_select("Maximum comment rate", "max_comment_rate", variable_get("max_comment_rate", 120), $rate, "The maximum submission rate for comments. Its purpose is to stop potential abuse or denial of service attacks.");
......
......@@ -50,8 +50,6 @@ function system_view_options() {
// submission settings:
$output .= "<h3>Submission settings</h3>\n";
$size = array(1000 => "1.000 characters", 5000 => "5.000 characters", 10000 => "10.000 characters", 15000 => "15.000 characters", 30.000 => "30.000 characters", 50000 => "50.000 characters", 100000 => "100.000 characters");
$output .= form_select("Maximum submission size", "max_input_size", variable_get("max_input_size", 10000), $size, "The maximum number of characters someone can enter in a form.");
$rate = array(1 => "Maximum 1 every second", 5 => "Maximum 1 every 5 seconds", 15 => "Maximum 1 every 15 seconds", 30 => "Maximum 1 every 30 seconds", 60 => "Maximum 1 every minute", 300 => "Maximum 1 every 5 minutes", 900 => "Maximum 1 every 15 minutes", 1800 => "Maximum 1 every 30 minutes", 3600 => "Maximum 1 every hour", 21600 => "Maximum 1 every 6 hours", 43200 => "Maximum 1 every 12 hours");
$output .= form_select("Maximum node rate", "max_node_rate", variable_get("max_node_rate", 900), $rate, "The maximum submission rate for nodes. Its purpose is to stop potential abuse or denial of service attacks.");
$output .= form_select("Maximum comment rate", "max_comment_rate", variable_get("max_comment_rate", 120), $rate, "The maximum submission rate for comments. Its purpose is to stop potential abuse or denial of service attacks.");
......