Abstracting the compose box for staffpms

Allow FLS to assign to staff or forum staff Allow FLS to unresolve all FLS PMs empty commit (testing debug site) empty commit (again) Permissions can only be created up to your current level Permissions can only be altered up to your current level Image proxy should function correctly with SSL now Forums can only be altered up to your current level Adding option to delete polls Remove ghost resolver bug Fixing autocomplete escpaing improved .gitignore Adding debug to all ajax pages Fixed escaping on autocomplete pages
2024-12-13 19:06:27 +00:00 · 2011-07-13 08:00:06 +00:00 · 2011-07-13 08:00:06 +00:00 · f76e290493
commit f76e290493
parent dd04b95709
15 changed files with 107 additions and 1711 deletions
--- a/classes/ajax_start.php
+++ b/classes/ajax_start.php
@ -1,7 +1,10 @@
 <?
 require 'config.php'; //The config contains all site wide configuration information as well as memcached rules
+require(SERVER_ROOT.'/classes/class_debug.php');
 require(SERVER_ROOT.'/classes/class_cache.php'); //Require the caching class
 require(SERVER_ROOT.'/classes/class_encrypt.php'); //Require the caching class
+
+$Debug = new DEBUG;
 $Cache = NEW CACHE; //Load the caching class
 $Enc = NEW CRYPT; //Load the encryption class

@ -89,3 +92,21 @@ function display_array($Array, $DontEscape = array()) {
 	}
 	return $Array;
 }
+
+function make_secret($Length = 32) {
+	$Secret = '';
+	$Chars='abcdefghijklmnopqrstuvwxyz0123456789';
+	for($i=0; $i<$Length; $i++) {
+		$Rand = mt_rand(0, strlen($Chars)-1);
+		$Secret .= substr($Chars, $Rand, 1);
+	}
+	return str_shuffle($Secret);
+}
+
+// Send a message to an IRC bot listening on SOCKET_LISTEN_PORT
+function send_irc($Raw) {
+	$IRCSocket = fsockopen(SOCKET_LISTEN_ADDRESS, SOCKET_LISTEN_PORT);
+	$Raw = str_replace(array("\n", "\r"), '', $Raw);
+	fwrite($IRCSocket, $Raw);
+	fclose($IRCSocket);
+}
--- a/classes/class_text.php
+++ b/classes/class_text.php
@ -514,7 +514,7 @@ function to_html($Array) {
 						$Str.='[img]'.$Block['Val'].'[/img]';
 					} else {
 						if(check_perms('site_proxy_images')) {
-							$Str.='<img style="max-width: 500px;" onclick="lightbox.init(this,500);" alt="'.$Block['Val'].'" src="http://'.SITE_URL.'/image.php?i='.urlencode($Block['Val']).'" />';
+							$Str.='<img style="max-width: 500px;" onclick="lightbox.init(this,500);" alt="'.$Block['Val'].'" src="http'.($SSL?'s':'').'://'.SITE_URL.'/image.php?i='.urlencode($Block['Val']).'" />';
 						} else {
 							$Str.='<img style="max-width: 500px;" onclick="lightbox.init(this,500);" alt="'.$Block['Val'].'" src="'.$Block['Val'].'" />';
 						}
--- a/classes/script_start.php
+++ b/classes/script_start.php
@ -314,7 +314,7 @@ function user_info($UserID) {
 	
 	// Image proxy
 	if(check_perms('site_proxy_images') && !empty($UserInfo['Avatar'])) {
-		$UserInfo['Avatar'] = 'http://'.SITE_URL.'/image.php?c=1&amp;avatar='.$UserID.'&amp;i='.urlencode($UserInfo['Avatar']);
+		$UserInfo['Avatar'] = 'http'.($SSL?'s':'').'://'.SITE_URL.'/image.php?c=1&amp;avatar='.$UserID.'&amp;i='.urlencode($UserInfo['Avatar']);
 	}
 	return $UserInfo;
 }
@ -1033,7 +1033,8 @@ function delete_torrent($ID, $GroupID=0) {
 			Status='Resolved',
 			LastChangeTime='".sqltime()."',
 			ModComment='Report already dealt with (Torrent deleted)'
-		WHERE TorrentID=".$ID);
+		WHERE TorrentID=".$ID."
+			AND Status != 'Resolved'");
 	$Reports = $DB->affected_rows();
 	if($Reports) {
 		$Cache->decrement('num_torrent_reportsv2', $Reports);
--- a/classes/sphinxapi.php.bak
+++ b/classes/sphinxapi.php.bak
--- a/sections/artist/autocomplete.php
+++ b/sections/artist/autocomplete.php
@ -4,13 +4,15 @@

 if(empty($_GET['name'])) { die('["",[],[],[]]'); }

+$FullName = rawurldecode($_GET['name']);
+
 $MaxKeySize = 4;
-if (strtolower(substr($_GET['name'],0,4)) == 'the ') {
+if (strtolower(substr($FullName,0,4)) == 'the ') {
 	$MaxKeySize += 4;
 }
-$KeySize = min($MaxKeySize,max(1,strlen($_GET['name'])));
+$KeySize = min($MaxKeySize,max(1,strlen($FullName)));

-$Letters = strtolower(substr($_GET['name'],0,$KeySize));
+$Letters = strtolower(substr($FullName,0,$KeySize));
 $AutoSuggest = $Cache->get('autocomplete_artist_'.$KeySize.'_'.$Letters);
 if(!is_array($AutoSuggest)) {
 	if(!isset($DB) || !is_object($DB)) {
@ -25,7 +27,7 @@
 		FROM artists_group AS a 
 		INNER JOIN torrents_artists AS ta ON ta.ArtistID=a.ArtistID 
 		INNER JOIN torrents AS t ON t.GroupID=ta.GroupID 
-		WHERE a.Name LIKE '$Letters%' 
+		WHERE a.Name LIKE '".db_string($Letters)."%' 
 		GROUP BY ta.ArtistID 
 		ORDER BY Snatches DESC 
 		LIMIT $Limit");
@ -39,7 +41,7 @@
 $Links = array();
 foreach ($AutoSuggest as $Suggestion) {
 	list($ID,$Name, $Snatch) = $Suggestion;
-	if (stripos($Name,$_GET['name']) === 0) {
+	if (stripos($Name,$FullName) === 0) {
 		$Suggestions[] = display_str($Name);
 		$Snatches[] = number_format($Snatch).' snatches';
 		$Links[] = 'http'.($SSL?'s':'').'://'.$_SERVER['HTTP_HOST'].'/artist.php?id='.$ID;
@ -49,4 +51,4 @@
 	}
 }

-echo json_encode(array($_GET['name'],$Suggestions,$Snatches,$Links));
+echo json_encode(array($FullName,$Suggestions,$Snatches,$Links));
--- a/sections/forums/delete_poll_option.php
+++ b/sections/forums/delete_poll_option.php
@ -0,0 +1,35 @@
+<?
+authorize();
+if(!check_perms("site_moderate_forums")) {
+	error(404);
+}
+
+$ThreadID = $_GET['threadid'];
+$PollOption = $_GET['vote'];
+
+if(is_number($ThreadID) && is_number($PollOption)) {
+	$DB->query("SELECT ForumID FROM forums_topics WHERE ID = $ThreadID");
+	list($ForumID) = $DB->next_record();
+	if(!in_array($ForumID, $ForumsRevealVoters)) {
+		error(403);
+	}
+
+	$DB->query("SELECT Answers FROM forums_polls WHERE TopicID = ".$ThreadID);
+	if($DB->record_count() < 1) {
+		error(404);
+	}
+
+	list($Answers) = $DB->next_record(MYSQLI_NUM, false);
+	$Answers = unserialize($Answers);
+	unset($Answers[$PollOption]);
+	$Answers = serialize($Answers);
+
+	$DB->query("UPDATE forums_polls SET Answers = '".db_string($Answers)."' WHERE TopicID = ".$ThreadID);
+	$DB->query("DELETE FROM forums_polls_votes WHERE Vote = ".$PollOption." AND TopicID = ".$ThreadID);
+
+	$Cache->delete_value('polls_'.$ThreadID);
+	header("Location: forums.php?action=viewthread&threadid=".$ThreadID);
+	
+} else {
+	error(404);
+}
--- a/sections/forums/index.php
+++ b/sections/forums/index.php
@ -109,6 +109,9 @@
 			// Change poll vote
 			require(SERVER_ROOT.'/sections/forums/change_vote.php');
 			break;
+		case 'delete_poll_option':
+			require(SERVER_ROOT.'/sections/forums/delete_poll_option.php');
+			break;
 		case 'sticky_post':
 			require(SERVER_ROOT.'/sections/forums/sticky_post.php');
 			break;
--- a/sections/forums/thread.php
+++ b/sections/forums/thread.php
@ -245,7 +245,11 @@

 			foreach($Answers as $i => $Answer) {
 ?>
-				<li><a href="forums.php?action=change_vote&amp;threadid=<?=$ThreadID?>&amp;auth=<?=$LoggedUser['AuthKey']?>&amp;vote=<?=(int) $i?>"><?=display_str($Answer == '' ? "Blank" : $Answer)?></a> - <?=$StaffVotes[$i]?>&nbsp;(<?=number_format(((float) $Votes[$i]/$TotalVotes)*100, 2)?>%)</li>
+				<li>
+					<a href="forums.php?action=change_vote&amp;threadid=<?=$ThreadID?>&amp;auth=<?=$LoggedUser['AuthKey']?>&amp;vote=<?=(int) $i?>"><?=display_str($Answer == '' ? "Blank" : $Answer)?></a>
+					 - <?=$StaffVotes[$i]?>&nbsp;(<?=number_format(((float) $Votes[$i]/$TotalVotes)*100, 2)?>%)
+					 <a href="forums.php?action=delete_poll_option&amp;threadid=<?=$ThreadID?>&amp;auth=<?=$LoggedUser['AuthKey']?>&amp;vote=<?=(int) $i?>">[X]</a>
+</li>
 <?			} ?>
 				<li><a href="forums.php?action=change_vote&amp;threadid=<?=$ThreadID?>&amp;auth=<?=$LoggedUser['AuthKey']?>&amp;vote=0">Blank</a> - <?=$StaffVotes[0]?>&nbsp;(<?=number_format(((float) $Votes[0]/$TotalVotes)*100, 2)?>%)</li>
 			</ul>
--- a/sections/friends/friends.php
+++ b/sections/friends/friends.php
@ -94,7 +94,7 @@
 	if(empty($HeavyInfo['DisableAvatars'])) {
 		if(!empty($Avatar)) {
 			if(check_perms('site_proxy_images')) {
-				$Avatar = 'http://'.SITE_URL.'/image.php?c=1&i='.urlencode($Avatar);
+				$Avatar = 'http'.($SSL?'s':'').'://'.SITE_URL.'/image.php?c=1&i='.urlencode($Avatar);
 			}
 	?> 
 					<img src="<?=$Avatar?>" alt="<?=$Username?>'s avatar" width="50px" />
--- a/sections/staff/index.php
+++ b/sections/staff/index.php
@ -50,7 +50,7 @@
 	</div>
 	<br />
 	<div class="box pad" style="padding:0px 10px 10px 10px;">
-		<h3>Forum moderators</h3>
+		<h3>Forum Moderators</h3>
 		<p>Forum Mods are users who have been promoted to help moderate the forums. They can only help with forum oriented questions</p>
 		<table class="staff" width="100%">
 			<tr class="colhead">
--- a/sections/tools/index.php
+++ b/sections/tools/index.php
@ -155,9 +155,16 @@
 				$DB->query("SELECT p.ID,p.Name,p.Level,p.Values,p.DisplayStaff,COUNT(u.ID) FROM permissions AS p LEFT JOIN users_main AS u ON u.PermissionID=p.ID WHERE p.ID='".db_string($_REQUEST['id'])."' GROUP BY p.ID");
 				list($ID,$Name,$Level,$Values,$DisplayStaff,$UserCount)=$DB->next_record(MYSQLI_NUM, array(3));

+				if($Level > $LoggedUser['Class']  || $_REQUEST['level'] > $LoggedUser['Class']) {
+					error(403);
+				}
+
+
 				$Values=unserialize($Values);
 			}
 			
+		
+
 			if (!empty($_POST['submit'])) {
 				$Err = $Val->ValidateForm($_POST);

--- a/sections/tools/managers/forum_alter.php
+++ b/sections/tools/managers/forum_alter.php
@ -17,8 +17,23 @@
 	$Err=$Val->ValidateForm($_POST); // Validate the form
 	if($Err){ error($Err); }

+	if($P['minclassread'] > $LoggedUser['Class'] || $P['minclasswrite'] > $LoggedUser['Class'] || $P['minclasscreate'] > $LoggedUser['Class']) {
+		error(403);
+	}
+
+
 	if($_POST['submit'] == 'Edit'){ //Edit
 		if(!is_number($_POST['id']) || $_POST['id'] == ''){ error(0); }
+		$DB->query("SELECT MinClassRead FROM forums WHERE ID=".$P['id']);
+		if($DB->record_count() < 1) {
+			error(404);
+		} else {
+			list($MinClassRead) = $DB->next_record();
+			if($MinClassRead > $LoggedUser['Class']) {
+				error(403);
+			}
+		}
+
 		$DB->query("UPDATE forums SET
 			Sort='$P[sort]',
 			CategoryID='$P[categoryid]',
--- a/sections/user/user.php
+++ b/sections/user/user.php
@ -180,7 +180,7 @@ function check_paranoia_here($Setting) {
 	<div class="sidebar">
 <?	if ($Avatar && empty($HeavyInfo['DisableAvatars'])) {
 		if(check_perms('site_proxy_images') && !empty($Avatar)) {
-			$Avatar = 'http://'.SITE_URL.'/image.php?c=1&avatar='.$UserID.'&i='.urlencode($Avatar);
+			$Avatar = 'http'.($SSL?'s':'').'://'.SITE_URL.'/image.php?c=1&avatar='.$UserID.'&i='.urlencode($Avatar);
 		}
 ?>
 		<div class="box">
--- a/sections/userhistory/post_history.php
+++ b/sections/userhistory/post_history.php
@ -47,7 +47,7 @@
 }

 if(check_perms('site_proxy_images') && !empty($Avatar)) {
-	$Avatar = 'http://'.SITE_URL.'/image.php?c=1&i='.urlencode($Avatar);
+	$Avatar = 'http'.($SSL?'s':'').'://'.SITE_URL.'/image.php?c=1&i='.urlencode($Avatar);
 }

 show_header('Post history for '.$Username,'subscriptions,comments,bbcode');
--- a/static/functions/autocomplete.js
+++ b/static/functions/autocomplete.js
@ -37,7 +37,7 @@ var autocomp = {
 			case 8: //backspace
 				this.href = null;
 				this.list.style.visibility = 'hidden';
-				this.timer = setTimeout("autocomp.get('" + this.input.value + "');",500);
+				this.timer = setTimeout("autocomp.get('" + escape(this.input.value) + "');",500);
 				break;
 			case 38: //up
 			case 40: //down
@ -52,7 +52,7 @@ var autocomp = {
 				return 0;
 			default:
 				this.href = null;
-				this.timer = setTimeout("autocomp.get('"+this.input.value+"');",300);
+				this.timer = setTimeout("autocomp.get('" + escape(this.input.value) + "');",300);
 				return 1;
 		}
 		return 0;