'" . serendipity_db_escape_String($userlevel) . "')";
serendipity_db_query($query);
$cid = serendipity_db_insert_id('authors', 'authorid');
-
+
$data = array(
'authorid' => $cid,
'username' => $username,
if (!serendipity_checkPermission('adminUsersDelete')) {
return false;
}
-
+
if (serendipity_db_query("DELETE FROM {$serendipity['dbPrefix']}authors WHERE authorid=" . (int)$authorid)) {
serendipity_db_query("DELETE FROM {$serendipity['dbPrefix']}permalinks WHERE entry_id=" . (int)$authorid ." and type='author'");
}
serendipity_db_query("DELETE FROM {$serendipity['dbPrefix']}config where name='" . serendipity_db_escape_string($name) . "' AND authorid = " . (int)$authorid);
$r = serendipity_db_insert('config', array('name' => $name, 'value' => $val, 'authorid' => $authorid));
-
+
if ($authorid === 0 || $authorid === $serendipity['authorid']) {
if ($val === 'false') {
$serendipity[$name] = false;
if ($serendipity['GET']['is_iframe'] && is_array($_SESSION['save_entry'])) {
include_once S9Y_INCLUDE_PATH . 'include/functions_entries_admin.inc.php';
// An iframe may NOT contain <html> and </html> tags, that's why we emit different headers here than on serendipity_admin.php
-?>
- <head>
- <title><?php echo SERENDIPITY_ADMIN_SUITE; ?></title>
- <meta http-equiv="Content-Type" content="text/html; charset=<?php echo LANG_CHARSET; ?>" />
- <link rel="stylesheet" type="text/css" href="<?php echo (isset($serendipity['serendipityHTTPPath']) ? $serendipity['serendipityHTTPPath'] : ''); ?>serendipity.css.php" />
- <script type="text/javascript">
- window.onload = function() {
- parent.document.getElementById('serendipity_iframe').style.height = document.getElementById('mainpane').offsetHeight
- + parseInt(document.getElementById('mainpane').style.marginTop)
- + parseInt(document.getElementById('mainpane').style.marginBottom)
- + 'px';
- parent.document.getElementById('serendipity_iframe').scrolling = 'no';
- parent.document.getElementById('serendipity_iframe').style.border = 0;
- }
- </script>
- </head>
-
- <body style="padding: 0px; margin: 0px;">
- <div id="mainpane" style="padding: 0px; margin: 5px auto 5px auto; width: 98%;">
- <div id="content" style="padding: 5px; margin: 0px;">
-<?php
+
// We need to restore GET/POST variables to that depending plugins inside the iframe
// can still fetch all that variables; and we also tighten security by not allowing
// to pass any different GET/POST variables to our iframe.
$serendipity['POST'] = &$_SESSION['save_entry_POST'];
$serendipity['GET'] = &$_SESSION['save_entry_POST']; // GET-Vars are the same as POST to ensure compatibility.
ignore_user_abort(true);
- serendipity_iframe($_SESSION['save_entry'], $iframe_mode);
-?>
- </div>
- </div>
- </body>
-<?php
+ serendipity_iframe($_SESSION['save_entry'], $iframe_mode, true);
return true;
}
return false;
}
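Review bot: The removed inline head declared the document charset explicitly (`<meta http-equiv="Content-Type" content="text/html; charset=<?php echo LANG_CHARSET; ?>" />`), and the new path delegates the whole iframe document to serendipity_iframe() and its template, so nothing visible here guarantees a charset is still declared; without one, browsers fall back to sniffing the previewed entry body. Suggest confirming that preview_iframe.tpl emits the same meta (or that a Content-Type header with charset is sent before display) and recording that in the comment block above the call, e.g. `// The iframe <head> (incl. charset meta) is now emitted by preview_iframe.tpl via serendipity_iframe().`. The enclosing function starts before this hunk, so the surrounding is_iframe check and header handling are not visible from here.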
/**
- * Prints the content of the iframe.
+ * Prints the content of the iframe.
*
* Called by serendipity_is_iframe, when preview is requested. Fetches data from session.
* An iframe is used so that a single s9y page must not timeout on intensive operations,
* @see serendipity_is_iframe()
* @param mixed The entry array (comes from session variable)
* @param string Indicates whether an entry is previewed or saved. Save performs XML-RPC calls.
+ * @param boolean Use smarty templating?
* @return boolean Indicates whether iframe data was printed
*/
-function serendipity_iframe(&$entry, $mode = null) {
+function serendipity_iframe(&$entry, $mode = null, $use_smarty = true) {
global $serendipity;
if (empty($mode) || !is_array($entry)) {
return false;
}
+ if ($use_smarty) {
+ $serendipity['smarty_raw_mode'] = true; // Force output of Smarty stuff in the backend
+ $serendipity['smarty_preview'] = true;
+ serendipity_smarty_init();
+ $serendipity['smarty']->assign('is_preview', true);
+ ob_start();
+ }
+
+ $show = false;
switch ($mode) {
case 'save':
echo '<div style="float: left; height: 75px"></div>';
}
echo '<br style="clear: both" />';
- return true;
+ $show = true;
break;
case 'preview':
echo '<div style="float: left; height: 225px"></div>';
- $serendipity['smarty_raw_mode'] = true; // Force output of Smarty stuff in the backend
- $serendipity['smarty_preview'] = true;
- serendipity_smarty_init();
- $serendipity['smarty']->assign('is_preview', true);
-
serendipity_printEntries(array($entry), ($entry['extended'] != '' ? 1 : 0), true);
echo '<br style="clear: both" />';
- return true;
+ $show = true;
break;
}
- return false;
+ if ($use_smarty) {
+ $preview = ob_get_contents();
+ ob_end_clean();
+ $serendipity['smarty']->assign('preview', $preview);
+ $serendipity['smarty']->display(serendipity_getTemplateFile('preview_iframe.tpl', 'serendipityPath'));
+ }
+
+ return $show;
}
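Review bot: When `$use_smarty` is set, the template is displayed even if `$mode` matched neither case, so the function now prints a preview-less iframe document while still returning false; the docblock `@return boolean Indicates whether iframe data was printed` no longer describes this. Either guard the display with `if ($show) {` around the assign/display pair — keeping `ob_get_contents()`/`ob_end_clean()` unconditional so the buffer opened at the top is always closed — or reword the docblock to state that the return reports whether a known mode rendered content, not whether output was emitted. The assign of already-rendered HTML also deserves a comment, e.g. `// $preview is rendered HTML; preview_iframe.tpl is expected to output it unescaped, so escaping remains the job of serendipity_printEntries().` — the template is not visible here, so that expectation should be confirmed against it. Context inside the 'save' case is elided in the hunk, so the switch body is only partially visible.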
/**
*/
function serendipity_getPermissionNames() {
return array(
- 'personalConfiguration'
+ 'personalConfiguration'
=> array(USERLEVEL_ADMIN, USERLEVEL_CHIEF, USERLEVEL_EDITOR),
- 'personalConfigurationUserlevel'
+ 'personalConfigurationUserlevel'
=> array(USERLEVEL_ADMIN, USERLEVEL_CHIEF),
- 'personalConfigurationNoCreate'
+ 'personalConfigurationNoCreate'
=> array(USERLEVEL_ADMIN, USERLEVEL_CHIEF),
- 'personalConfigurationRightPublish'
+ 'personalConfigurationRightPublish'
=> array(USERLEVEL_ADMIN, USERLEVEL_CHIEF),
- 'siteConfiguration'
+ 'siteConfiguration'
=> array(USERLEVEL_ADMIN),
- 'blogConfiguration'
+ 'blogConfiguration'
=> array(USERLEVEL_ADMIN, USERLEVEL_CHIEF),
- 'adminEntries'
+ 'adminEntries'
=> array(USERLEVEL_ADMIN, USERLEVEL_CHIEF, USERLEVEL_EDITOR),
- 'adminEntriesMaintainOthers'
+ 'adminEntriesMaintainOthers'
=> array(USERLEVEL_ADMIN, USERLEVEL_CHIEF),
'adminImport'
'adminCategoriesDelete'
=> array(USERLEVEL_ADMIN, USERLEVEL_CHIEF),
- 'adminUsers'
+ 'adminUsers'
=> array(USERLEVEL_ADMIN, USERLEVEL_CHIEF),
- 'adminUsersDelete'
+ 'adminUsersDelete'
=> array(USERLEVEL_ADMIN, USERLEVEL_CHIEF),
- 'adminUsersEditUserlevel'
+ 'adminUsersEditUserlevel'
=> array(USERLEVEL_ADMIN, USERLEVEL_CHIEF),
- 'adminUsersMaintainSame'
+ 'adminUsersMaintainSame'
=> array(USERLEVEL_ADMIN, USERLEVEL_CHIEF),
- 'adminUsersMaintainOthers'
+ 'adminUsersMaintainOthers'
=> array(USERLEVEL_ADMIN),
- 'adminUsersCreateNew'
+ 'adminUsersCreateNew'
=> array(USERLEVEL_ADMIN, USERLEVEL_CHIEF),
- 'adminUsersGroups'
+ 'adminUsersGroups'
=> array(USERLEVEL_ADMIN, USERLEVEL_CHIEF),
- 'adminPlugins'
+ 'adminPlugins'
=> array(USERLEVEL_ADMIN, USERLEVEL_CHIEF),
- 'adminPluginsMaintainOthers'
+ 'adminPluginsMaintainOthers'
=> array(USERLEVEL_ADMIN),
- 'adminImages'
+ 'adminImages'
=> array(USERLEVEL_ADMIN, USERLEVEL_CHIEF, USERLEVEL_EDITOR),
- 'adminImagesDirectories'
+ 'adminImagesDirectories'
=> array(USERLEVEL_ADMIN, USERLEVEL_CHIEF),
- 'adminImagesAdd'
+ 'adminImagesAdd'
=> array(USERLEVEL_ADMIN, USERLEVEL_CHIEF, USERLEVEL_EDITOR),
- 'adminImagesDelete'
+ 'adminImagesDelete'
=> array(USERLEVEL_ADMIN, USERLEVEL_CHIEF, USERLEVEL_EDITOR),
- 'adminImagesMaintainOthers'
+ 'adminImagesMaintainOthers'
=> array(USERLEVEL_ADMIN, USERLEVEL_CHIEF),
- 'adminImagesViewOthers'
+ 'adminImagesViewOthers'
=> array(USERLEVEL_ADMIN, USERLEVEL_CHIEF, USERLEVEL_EDITOR),
- 'adminImagesView'
+ 'adminImagesView'
=> array(USERLEVEL_ADMIN, USERLEVEL_CHIEF, USERLEVEL_EDITOR),
- 'adminImagesSync'
+ 'adminImagesSync'
=> array(USERLEVEL_ADMIN, USERLEVEL_CHIEF),
- 'adminComments'
+ 'adminComments'
=> array(USERLEVEL_ADMIN, USERLEVEL_CHIEF),
- 'adminTemplates'
+ 'adminTemplates'
=> array(USERLEVEL_ADMIN, USERLEVEL_CHIEF),
);
}
*/
function serendipity_checkPermission($permName, $authorid = null, $returnMyGroups = false) {
global $serendipity;
-
+
// Define old serendipity permissions
static $permissions = null;
static $group = null;
-
+
if (IS_installed !== true) {
return true;
}
if ($group === null) {
$group = array();
}
-
+
if ($authorid === null) {
$authorid = $serendipity['authorid'];
}
-
+
if (!isset($group[$authorid])) {
$group[$authorid] = serendipity_getPermissions($authorid);
}
-
+
if ($returnMyGroups) {
return $group[$authorid]['membership'];
}
$return = false;
}
}
-
+
// If the function did not yet return it means there's a check for a permission which is not defined anywhere.
// Let's use a backwards compatible way.
if ($return && isset($permissions[$permName]) && in_array($serendipity['serendipityUserlevel'], $permissions[$permName])) {
return true;
}
-
+
return false;
}
serendipity_db_query("DELETE FROM {$serendipity['dbPrefix']}authorgroups WHERE authorid = " . (int)$authorid);
foreach($groups AS $group) {
- serendipity_db_query("INSERT INTO {$serendipity['dbPrefix']}authorgroups (authorid, groupid) VALUES (" . (int)$authorid . ", " . (int)$group . ")");
+ serendipity_db_query("INSERT INTO {$serendipity['dbPrefix']}authorgroups (authorid, groupid) VALUES (" . (int)$authorid . ", " . (int)$group . ")");
}
return true;
}
global $serendipity;
if ($apply_ACL_user) {
- $groups =& serendipity_db_query("SELECT g.id AS confkey,
+ $groups =& serendipity_db_query("SELECT g.id AS confkey,
g.name AS confvalue,
g.id AS id,
g.name AS name
WHERE ag.authorid = " . (int)$apply_ACL_user . "
ORDER BY g.name", false, 'assoc');
} else {
- $groups =& serendipity_db_query("SELECT g.id AS confkey,
+ $groups =& serendipity_db_query("SELECT g.id AS confkey,
g.name AS confvalue,
g.id AS id,
g.name AS name
global $serendipity;
$conf = array();
- $groups =& serendipity_db_query("SELECT g.id AS confkey,
+ $groups =& serendipity_db_query("SELECT g.id AS confkey,
g.name AS confvalue,
g.id AS id,
g.name AS name,
foreach($groups AS $group) {
$conf[$group['property']] = $group['value'];
}
-
+
// The following are unique
$conf['name'] = $groups[0]['name'];
$conf['id'] = $groups[0]['id'];
function &serendipity_getGroups($authorid, $sequence = false) {
global $serendipity;
- $groups =& serendipity_db_query("SELECT g.id AS confkey,
+ $groups =& serendipity_db_query("SELECT g.id AS confkey,
g.name AS confvalue,
g.id AS id,
g.name AS name
if (!is_array($groups)) {
$groups = array();
}
-
+
if ($sequence) {
$_groups = $groups;
$groups = array();
if (!serendipity_checkPermission('adminUsersGroups')) {
return false;
}
-
+
if (!serendipity_checkPermission('adminUsersMaintainOthers')) {
// Only groups should be accessible where a user has access rights.
$my_groups =& serendipity_getGroups($serendipity['authorid'], true);
if (!in_array($groupid, $my_groups)) {
return false;
}
- }
+ }
serendipity_db_query("DELETE FROM {$serendipity['dbPrefix']}groups WHERE id = " . (int)$groupid);
serendipity_db_query("DELETE FROM {$serendipity['dbPrefix']}authorgroups WHERE groupid = " . (int)$groupid);
/**
* Returns a list of all existing permission names.
*
- * Additional plugins might insert specific properties into the groupconfig database to
+ * Additional plugins might insert specific properties into the groupconfig database to
* handle their own privileges. This call returns an array of all available permission names
* so that it can be intersected with the list of internal permission names (serendipity_getPermissionNames())
* and the be distincted.
*/
function &serendipity_getDBPermissionNames() {
global $serendipity;
-
+
$config =& serendipity_db_query("SELECT property FROM {$serendipity['dbPrefix']}groupconfig GROUP BY property ORDER BY property", false, 'assoc');
return $config;
$DBperms =& serendipity_getDBPermissionNames();
$perms =& serendipity_getPermissionNames();
-
+
foreach($DBperms AS $perm) {
if (!isset($perms[$perm['property']])) {
$perms[$perm['property']] = array();
if ($myself === null) {
$myself = $serendipity['authorid'];
}
-
+
$my_groups =& serendipity_getGroups($myself, true);
$his_groups =& serendipity_getGroups($checkuser, true);
return true;
}
}
-
+
return false;
}
if (!in_array($groupid, $my_groups)) {
return false;
}
- }
+ }
- $storage =& serendipity_fetchGroup($groupid);
+ $storage =& serendipity_fetchGroup($groupid);
- serendipity_db_query("DELETE FROM {$serendipity['dbPrefix']}groupconfig WHERE id = " . (int)$groupid);
+ serendipity_db_query("DELETE FROM {$serendipity['dbPrefix']}groupconfig WHERE id = " . (int)$groupid);
foreach ($perms AS $perm => $userlevels) {
if (isset($values[$perm]) && $values[$perm] == 'true') {
$value = 'true';
} else {
$value = 'false';
}
-
+
if (!serendipity_checkPermission($perm)) {
if (!isset($storage[$perm])) {
$value = 'false';
)
);
}
-
+
serendipity_db_query("UPDATE {$serendipity['dbPrefix']}groups SET name = '" . serendipity_db_escape_string($values['name']) . "' WHERE id = " . (int)$groupid);
if (is_array($values['members'])) {
if ($perms === null) {
$perms = serendipity_getPermissionNames();
}
-
+
serendipity_db_query("INSERT INTO {$serendipity['dbPrefix']}groups (name) VALUES ('" . serendipity_db_escape_string($name) . "')");
$gid = (int)serendipity_db_insert_id('groups', 'id');
serendipity_db_query("INSERT INTO {$serendipity['dbPrefix']}groupconfig (id, property, value) VALUES ($gid, 'userlevel', '" . (int)$level . "')");
$authors = serendipity_db_query("SELECT * FROM {$serendipity['dbPrefix']}authors WHERE userlevel = " . (int)$level);
-
+
if (is_array($authors)) {
foreach($authors AS $author) {
serendipity_db_query("INSERT INTO {$serendipity['dbPrefix']}authorgroups (authorid, groupid) VALUES ('{$author['authorid']}', '$gid')");
}
- }
+ }
foreach($perms AS $permName => $permArray) {
if (in_array($level, $permArray)) {
serendipity_db_query("INSERT INTO {$serendipity['dbPrefix']}groupconfig (id, property, value) VALUES ($gid, '" . serendipity_db_escape_string($permName) . "', 'false')");
}
}
-
+
return true;
}
if (empty($groups) || !is_array($groups)) {
return false;
}
-
+
// Delete all old existing relations.
serendipity_db_query("DELETE FROM {$serendipity['dbPrefix']}access
- WHERE artifact_id = " . (int)$artifact_id . "
+ WHERE artifact_id = " . (int)$artifact_id . "
AND artifact_type = '" . serendipity_db_escape_string($artifact_type) . "'
AND artifact_mode = '" . serendipity_db_escape_string($artifact_mode) . "'");
$data['groupid'] = $group;
serendipity_db_insert('access', $data);
}
-
+
return true;
}
* An artifact in terms of Serendipity can be either a category or an entry, or
* anything beyond that for future compatibility.
* This function retrieves the ACLs.
- *
+ *
* @access public
* @param int The ID of the artifact to set the access
* @param string The type of an artifact (category|entry)
*/
function serendipity_ACLGet($artifact_id, $artifact_type, $artifact_mode) {
global $serendipity;
-
+
$sql = "SELECT groupid, artifact_index FROM {$serendipity['dbPrefix']}access
WHERE artifact_type = '" . serendipity_db_escape_string($artifact_type) . "'
AND artifact_id = '" . (int)$artifact_id . "'
AND artifact_mode = '" . serendipity_db_escape_string($artifact_mode) . "'";
$rows = serendipity_db_query($sql, false, 'assoc');
-
+
if (!is_array($rows)) {
return false;
}
foreach($rows AS $row) {
$acl[$row['groupid']] = $row['artifact_index'];
}
-
+
return $acl;
}
* An artifact in terms of Serendipity can be either a category or an entry, or
* anything beyond that for future compatibility.
* This function retrieves the ACLs for a specific user.
- *
+ *
* @access public
* @param int The ID of the author to check against.
* @param int The ID of the artifact to set the access
*/
function serendipity_ACLCheck($authorid, $artifact_id, $artifact_type, $artifact_mode) {
global $serendipity;
-
+
$artifact_sql = array();
-
- // TODO: If more artifact_types are available, the JOIN needs to be edited so that the first AND portion is not required, and the join is fully made on that conditiion.
+
+ // TODO: If more artifact_types are available, the JOIN needs to be edited so that the first AND portion is not required, and the join is fully made on that conditiion.
switch($artifact_type) {
default:
case 'category':
$artifact_sql['unique']= "atf.categoryid";
$artifact_sql['cond'] = "atf.categoryid = " . (int)$artifact_id;
- $artifact_sql['where'] = " ag.groupid = a.groupid
- OR a.groupid = 0
+ $artifact_sql['where'] = " ag.groupid = a.groupid
+ OR a.groupid = 0
OR (a.artifact_type IS NULL AND (atf.authorid = " . (int)$authorid . " OR atf.authorid = 0 OR atf.authorid IS NULL))";
$artifact_sql['table'] = 'category';
}
-
+
$sql = "SELECT {$artifact_sql['unique']} AS result
FROM {$serendipity['dbPrefix']}{$artifact_sql['table']} AS atf
LEFT OUTER JOIN {$serendipity['dbPrefix']}authorgroups AS ag
ON ag.authorid = ". (int)$authorid . "
- LEFT OUTER JOIN {$serendipity['dbPrefix']}access AS a
- ON ( a.artifact_type = '" . serendipity_db_escape_string($artifact_type) . "'
+ LEFT OUTER JOIN {$serendipity['dbPrefix']}access AS a
+ ON ( a.artifact_type = '" . serendipity_db_escape_string($artifact_type) . "'
AND a.artifact_id = " . (int)$artifact_id . "
- AND a.artifact_mode = '" . serendipity_db_escape_string($artifact_mode) . "'
+ AND a.artifact_mode = '" . serendipity_db_escape_string($artifact_mode) . "'
)
- WHERE {$artifact_sql['cond']}
+ WHERE {$artifact_sql['cond']}
AND ( {$artifact_sql['where']} )
GROUP BY result";
if (is_array($res) && !empty($res['result'])) {
return true;
}
-
+
return false;
}
$read_id = (int)$serendipity['authorid'];
$read_id_sql = 'acl_a.groupid OR acl_acc.groupid = 0';
} else {
- // "0" as category property counts as "anonymous viewers"
+ // "0" as category property counts as "anonymous viewers"
$read_id = 0;
$read_id_sql = 0;
}
$cond['joins'] .= " LEFT JOIN {$serendipity['dbPrefix']}entrycat ec
ON e.id = ec.entryid";
}
-
+
$cond['joins'] .= " LEFT JOIN {$serendipity['dbPrefix']}category c
ON ec.categoryid = c.categoryid";
}
$cond['joins'] .= " LEFT JOIN {$serendipity['dbPrefix']}authorgroups AS acl_a
ON acl_a.authorid = " . $read_id . "
LEFT JOIN {$serendipity['dbPrefix']}access AS acl_acc
- ON ( acl_acc.artifact_mode = 'read'
+ ON ( acl_acc.artifact_mode = 'read'
AND acl_acc.artifact_type = 'category'
- AND acl_acc.artifact_id = c.categoryid
+ AND acl_acc.artifact_id = c.categoryid
)";
if (empty($cond['and'])) {
// When in Admin-Mode, apply readership permissions.
$cond['and'] .= " (
- c.categoryid IS NULL
+ c.categoryid IS NULL
OR ( acl_acc.groupid = " . $read_id_sql . ")
- OR ( acl_acc.artifact_id IS NULL
- " . (isset($serendipity['GET']['adminModule']) &&
- $serendipity['GET']['adminModule'] == 'entries' &&
- !serendipity_checkPermission('adminEntriesMaintainOthers')
+ OR ( acl_acc.artifact_id IS NULL
+ " . (isset($serendipity['GET']['adminModule']) &&
+ $serendipity['GET']['adminModule'] == 'entries' &&
+ !serendipity_checkPermission('adminEntriesMaintainOthers')
? "AND (c.authorid IS NULL OR c.authorid = 0 OR c.authorid = " . $read_id . ")"
: "") . "
)
)";
return true;
- }
+ }
return false;
}
echo serendipity_reportXSRF(1, true, true);
return false;
}
-
+
// Parse the Referrer host. Abort if not parseable.
$hostinfo = @parse_url($_SERVER['HTTP_REFERER']);
if (!is_array($hostinfo)) {
echo serendipity_reportXSRF(3, true, true);
return true;
}
-
+
return false;
}
*/
function serendipity_checkFormToken() {
global $serendipity;
-
+
$token = '';
if (!empty($serendipity['POST']['token'])) {
$token = $serendipity['POST']['token'];
echo serendipity_reportXSRF('token', false);
return false;
}
-
+
return true;
}
*/
function serendipity_setFormToken($type = 'form') {
global $serendipity;
-
+
if ($type == 'form') {
return '<input type="hidden" name="serendipity[token]" value="' . md5(session_id()) . '" />';
} elseif ($type == 'url') {