Fixes regarding csrf + refactor some parts of AAC (guilds + forum)
Replace $account_logged->getPlayers() with getPlayersList(); $_REQUEST['todo'] -> $_REQUEST['post']; $guild_errors -> $errors
@@ -64,7 +64,7 @@ if(!empty($action)) {
|
||||
else if($action == 'delete_board') {
|
||||
Forum::delete_board($id, $errors);
|
||||
header('Location: ' . getLink('forum'));
|
||||
$action = '';
|
||||
exit;
|
||||
}
|
||||
else if($action == 'edit_board')
|
||||
{
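Review bot: Errors reported by `Forum::delete_board($id, $errors);` are never shown, because the `header('Location: ' . getLink('forum'));` and `exit;` that follow run whether or not `$errors` was filled, so the `if(!empty($errors))` box at the end of the -78,28 hunk is unreachable for this action; the same pattern applies to `update_board`, `toggleHide_board` and both `move_board` calls in that hunk. Redirecting only on success, `if (empty($errors)) { header('Location: ' . getLink('forum')); exit; }`, lets the error box render. I cannot see whether `csrfProtect()` runs before line 64 of this file; if it does not, these state-changing board actions are still triggered by a bare `$action` value while the rest of this commit tightens the forum posting paths. The enclosing `if(!empty($action))` block starts outside the hunk.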
|
||||
@@ -78,28 +78,27 @@ if(!empty($action)) {
|
||||
else {
|
||||
Forum::update_board($id, $name, $access, $guild, $description);
|
||||
header('Location: ' . getLink('forum'));
|
||||
$action = $name = $description = '';
|
||||
$access = $guild = 0;
|
||||
exit;
|
||||
}
|
||||
}
|
||||
else if($action == 'hide_board') {
|
||||
Forum::toggleHide_board($id, $errors);
|
||||
header('Location: ' . getLink('forum'));
|
||||
$action = '';
|
||||
exit;
|
||||
}
|
||||
else if($action == 'moveup_board') {
|
||||
Forum::move_board($id, -1, $errors);
|
||||
header('Location: ' . getLink('forum'));
|
||||
$action = '';
|
||||
exit;
|
||||
}
|
||||
else if($action == 'movedown_board') {
|
||||
Forum::move_board($id, 1, $errors);
|
||||
header('Location: ' . getLink('forum'));
|
||||
$action = '';
|
||||
exit;
|
||||
}
|
||||
|
||||
if(!empty($errors)) {
|
||||
$twig->display('error_box.html.twig', array('errors' => $errors));
|
||||
$twig->display('error_box.html.twig', ['errors' => $errors]);
|
||||
$action = '';
|
||||
}
|
||||
}
|
||||
|
@@ -18,15 +18,14 @@ if ($ret === false) {
|
||||
return;
|
||||
}
|
||||
|
||||
csrfProtect();
|
||||
|
||||
if(!$logged) {
|
||||
echo 'You are not logged in. <a href="' . getLink('account/manage') . '?redirect=' . urlencode(getLink('forum')) . '">Log in</a> to post on the forum.<br /><br />';
|
||||
return;
|
||||
}
|
||||
|
||||
if(Forum::canPost($account_logged))
|
||||
{
|
||||
csrfProtect();
|
||||
|
||||
if(Forum::canPost($account_logged)) {
|
||||
$post_id = isset($_REQUEST['id']) ? (int) $_REQUEST['id'] : false;
|
||||
if(!$post_id) {
|
||||
$errors[] = 'Please enter post id.';
|
||||
@@ -43,12 +42,12 @@ if(Forum::canPost($account_logged))
|
||||
$char_id = $post_topic = $text = $smile = $html = null;
|
||||
$players_from_account = $db->query("SELECT `players`.`name`, `players`.`id` FROM `players` WHERE `players`.`account_id` = ".(int) $account_logged->getId())->fetchAll();
|
||||
$saved = false;
|
||||
if(isset($_REQUEST['save'])) {
|
||||
$text = stripslashes(trim($_REQUEST['text']));
|
||||
$char_id = (int) $_REQUEST['char_id'];
|
||||
$post_topic = stripslashes(trim($_REQUEST['topic']));
|
||||
$smile = isset($_REQUEST['smile']) ? (int)$_REQUEST['smile'] : 0;
|
||||
$html = isset($_REQUEST['html']) ? (int)$_REQUEST['html'] : 0;
|
||||
if(isset($_POST['save'])) {
|
||||
$text = stripslashes(trim($_POST['text']));
|
||||
$char_id = (int) $_POST['char_id'];
|
||||
$post_topic = stripslashes(trim($_POST['topic']));
|
||||
$smile = isset($_POST['smile']) ? (int)$_POST['smile'] : 0;
|
||||
$html = isset($_POST['html']) ? (int)$_POST['html'] : 0;
|
||||
|
||||
if (!superAdmin()) {
|
||||
$html = 0;
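Review bot: `$_POST['text']`, `$_POST['char_id']` and `$_POST['topic']` are read without a guard, unlike `smile` and `html` on the two lines below them, so a save request missing one of these fields raises an undefined-index warning before validation runs; `$text = stripslashes(trim($_POST['text'] ?? ''));` with the matching `?? 0` for `char_id` and `?? ''` for `topic` keeps the later length checks meaningful. The -18,22 hunk has the same unguarded reads of `$_POST['id']` and `$_POST['section']`. `stripslashes()` on request input is a magic_quotes-era habit that strips legitimate backslashes from post text; it is pre-existing, but worth a follow-up now that these reads are being touched. The `if(Forum::canPost($account_logged))` block continues outside the hunk.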
|
||||
|
@@ -18,22 +18,22 @@ if ($ret === false) {
|
||||
return;
|
||||
}
|
||||
|
||||
csrfProtect();
|
||||
|
||||
if(!$logged) {
|
||||
echo 'You are not logged in. <a href="' . getLink('account/manage') . '?redirect=' . urlencode(getLink('forum')) . '">Log in</a> to post on the forum.<br /><br />';
|
||||
return;
|
||||
}
|
||||
|
||||
csrfProtect();
|
||||
|
||||
if(!Forum::isModerator()) {
|
||||
echo 'You are not logged in or you are not moderator.';
|
||||
return;
|
||||
}
|
||||
|
||||
$save = isset($_REQUEST['save']) && (int)$_REQUEST['save'] == 1;
|
||||
$save = isset($_POST['save']) && (int)$_POST['save'] == 1;
|
||||
if($save) {
|
||||
$post_id = (int)$_REQUEST['id'];
|
||||
$board = (int)$_REQUEST['section'];
|
||||
$post_id = (int)$_POST['id'];
|
||||
$board = (int)$_POST['section'];
|
||||
if(!Forum::hasAccess($board)) {
|
||||
$errors[] = "You don't have access to this board.";
|
||||
displayErrorBoxWithBackButton($errors, getLink('forum'));
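Review bot: `$save = isset($_POST['save']) && (int)$_POST['save'] == 1;` compares with loose `==` after already casting to int; `(int)$_POST['save'] === 1` says what is meant and matches the strict-comparison direction of the rest of the refactor. Inside `if($save)` the `Forum::hasAccess($board)` check is the right gate, but `$board` is 0 when `section` is absent, so a `$board > 0` test before `hasAccess` would turn that case into the same clean error box instead of relying on `hasAccess` rejecting board 0. The `if($save)` branch continues past the end of the hunk.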
|
||||
|
@@ -45,11 +45,11 @@ if(Forum::canPost($account_logged)) {
|
||||
echo '<a href="' . getLink('forum') . '">Boards</a> >> <a href="' . getForumBoardLink($thread['section']) . '">'.$sections[$thread['section']]['name'].'</a> >> <a href="' . getForumThreadLink($thread_id) . '">'.htmlspecialchars($thread['post_topic']).'</a> >> <b>Post new reply</b><br /><h3>'.htmlspecialchars($thread['post_topic']).'</h3>';
|
||||
|
||||
$quote = isset($_REQUEST['quote']) ? (int) $_REQUEST['quote'] : NULL;
|
||||
$text = isset($_REQUEST['text']) ? stripslashes(trim($_REQUEST['text'])) : NULL;
|
||||
$char_id = (int) ($_REQUEST['char_id'] ?? 0);
|
||||
$post_topic = isset($_REQUEST['topic']) ? stripslashes(trim($_REQUEST['topic'])) : '';
|
||||
$smile = (int)($_REQUEST['smile'] ?? 0);
|
||||
$html = (int)($_REQUEST['html'] ?? 0);
|
||||
$text = isset($_POST['text']) ? stripslashes(trim($_POST['text'])) : NULL;
|
||||
$char_id = (int) ($_POST['char_id'] ?? 0);
|
||||
$post_topic = isset($_POST['topic']) ? stripslashes(trim($_POST['topic'])) : '';
|
||||
$smile = (int)($_POST['smile'] ?? 0);
|
||||
$html = (int)($_POST['html'] ?? 0);
|
||||
$saved = false;
|
||||
|
||||
if (!superAdmin()) {
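Review bot: `$text` defaults to `NULL` while `$post_topic` on the next-but-one line defaults to `''`; on the save path the -62,10 hunk calls `strlen($text)`, which is deprecated for null since PHP 8.1 and only treats a missing `text` field as length 0 by accident. `$text = isset($_POST['text']) ? stripslashes(trim($_POST['text'])) : '';` makes the two consistent. `$quote` appears to stay on `$_REQUEST` deliberately because the quote id arrives on the reply link; a comment such as `// quote id comes from the reply link (GET); the form fields below are POST-only` would stop a later refactor from moving it too. The `if(Forum::canPost($account_logged))` block extends beyond the hunk.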
|
||||
@@ -62,10 +62,10 @@ if(Forum::canPost($account_logged)) {
|
||||
$text = '[i]Originally posted by ' . $quoted_post[0]['name'] . ' on ' . date('d.m.y H:i:s', $quoted_post[0]['post_date']) . ':[/i][quote]' . $quoted_post[0]['post_text'] . '[/quote]';
|
||||
}
|
||||
}
|
||||
elseif(isset($_REQUEST['save'])) {
|
||||
elseif(isset($_POST['save'])) {
|
||||
$length = strlen($text);
|
||||
if($length < 1 || strlen($text) > 15000) {
|
||||
$errors[] = 'Too short or too long post (Length: $length letters). Minimum 1 letter, maximum 15000 letters.';
|
||||
$errors[] = "Too short or too long post (Length: $length letters). Minimum 1 letter, maximum 15000 letters.";
|
||||
}
|
||||
|
||||
if($char_id == 0) {
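Review bot: `if($length < 1 || strlen($text) > 15000)` recomputes the length already stored in `$length` on the line above; `if($length < 1 || $length > 15000)` is what the now-interpolated message reports. The message counts "letters" but `strlen()` counts bytes, so multi-byte text reaches the 15000 limit earlier than the message suggests; if the limit is meant as a character count use `mb_strlen($text)`, and if it guards a column size the message could say bytes. The `elseif(isset($_POST['save']))` branch continues outside the hunk.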
|
||||
@@ -81,15 +81,14 @@ if(Forum::canPost($account_logged)) {
|
||||
}
|
||||
|
||||
if(!$player_on_account) {
|
||||
$errors[] = 'Player with selected ID ' . $char_id . ' doesn\'t exist or isn\'t on your account';
|
||||
$errors[] = "Player with selected ID $char_id doesn't exist or isn't on your account";
|
||||
}
|
||||
}
|
||||
|
||||
if(count($errors) == 0) {
|
||||
$last_post = 0;
|
||||
$query = $db->query('SELECT post_date FROM ' . FORUM_TABLE_PREFIX . 'forum ORDER BY post_date DESC LIMIT 1');
|
||||
if($query->rowCount() > 0)
|
||||
{
|
||||
if($query->rowCount() > 0) {
|
||||
$query = $query->fetch();
|
||||
$last_post = $query['post_date'];
|
||||
}
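Review bot: `$query->rowCount()` on a SELECT is not guaranteed by PDO to return the matched row count (it is driver-specific), so the `$last_post` lookup can silently stay at 0 on a driver that reports 0 for SELECTs. Fetching directly and testing the result is portable: `$row = $query->fetch(); if ($row !== false) { $last_post = $row['post_date']; }`. That also stops `$query` being reused for both the statement and the fetched row. The `if(count($errors) == 0)` block continues outside the hunk.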
|
||||
|
@@ -40,19 +40,18 @@ if(Forum::canPost($account_logged)) {
|
||||
if ($sections[$section_id]['closed'] && !Forum::isModerator())
|
||||
$errors[] = 'You cannot create topic on this board.';
|
||||
|
||||
$quote = (int)(isset($_REQUEST['quote']) ? $_REQUEST['quote'] : 0);
|
||||
$text = isset($_REQUEST['text']) ? stripslashes($_REQUEST['text']) : '';
|
||||
$char_id = (int)(isset($_REQUEST['char_id']) ? $_REQUEST['char_id'] : 0);
|
||||
$post_topic = isset($_REQUEST['topic']) ? stripslashes($_REQUEST['topic']) : '';
|
||||
$smile = (isset($_REQUEST['smile']) ? (int)$_REQUEST['smile'] : 0);
|
||||
$html = (isset($_REQUEST['html']) ? (int)$_REQUEST['html'] : 0);
|
||||
$text = isset($_POST['text']) ? stripslashes($_POST['text']) : '';
|
||||
$char_id = (int)(isset($_POST['char_id']) ? $_POST['char_id'] : 0);
|
||||
$post_topic = isset($_POST['topic']) ? stripslashes($_POST['topic']) : '';
|
||||
$smile = (isset($_POST['smile']) ? (int)$_POST['smile'] : 0);
|
||||
$html = (isset($_POST['html']) ? (int)$_POST['html'] : 0);
|
||||
|
||||
if (!superAdmin()) {
|
||||
$html = 0;
|
||||
}
|
||||
|
||||
$saved = false;
|
||||
if (isset($_REQUEST['save'])) {
|
||||
if (isset($_POST['save'])) {
|
||||
$length = strlen($post_topic);
|
||||
if ($length < 1 || $length > 60) {
|
||||
$errors[] = "Too short or too long topic (Length: $length letters). Minimum 1 letter, maximum 60 letters.";
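Review bot: `$post_topic = isset($_POST['topic']) ? stripslashes($_POST['topic']) : '';` does not `trim()` the topic, unlike the equivalent line in the -45,11 hunk of the reply page, so a topic consisting only of spaces passes the `$length < 1` check at the end of this hunk and is stored as-is; `$post_topic = isset($_POST['topic']) ? stripslashes(trim($_POST['topic'])) : '';` (and the same for `$text`) lines the two pages up. The hunk header counts (19 old, 18 new) suggest the `$quote` assignment is dropped on the new side here; if so, check that nothing below still references `$quote`. The `if (isset($_POST['save']))` block continues beyond the hunk.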
|
||||
|
@@ -26,10 +26,10 @@ if(!$logged) {
|
||||
csrfProtect();
|
||||
|
||||
if(Forum::isModerator()) {
|
||||
$id = (int) $_REQUEST['id'];
|
||||
$id = (int) ($_POST['id'] ?? 0);
|
||||
$post = $db->query("SELECT `id`, `first_post`, `section` FROM `" . FORUM_TABLE_PREFIX . "forum` WHERE `id` = ".$id." LIMIT 1")->fetch();
|
||||
|
||||
if($post['id'] == $id && Forum::hasAccess($post['section'])) {
|
||||
if($post && $post['id'] == $id && Forum::hasAccess($post['section'])) {
|
||||
if($post['id'] == $post['first_post']) {
|
||||
$db->query("DELETE FROM `" . FORUM_TABLE_PREFIX . "forum` WHERE `first_post` = ".$post['id']);
|
||||
header('Location: ' . getForumBoardLink($post['section']));
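Review bot: The `$post && $post['id'] == $id` guard fixes the null-row access, but `$id` is still stitched into the SQL string on the line above it; the `(int)` cast keeps that safe today, whereas binding it as a parameter (`WHERE id = ? LIMIT 1` with `execute([$id])`) removes the dependence on the cast surviving the next edit. The same applies to the two DELETE statements in this file that interpolate `$post['id']`. I assume `$db` exposes PDO-style `prepare()`; that is not visible here. The `if(Forum::isModerator())` block continues outside the hunk.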
|
||||
@@ -38,7 +38,7 @@ if(Forum::isModerator()) {
|
||||
$post_page = $db->query("SELECT COUNT(`" . FORUM_TABLE_PREFIX . "forum`.`id`) AS posts_count FROM `players`, `" . FORUM_TABLE_PREFIX . "forum` WHERE `players`.`id` = `" . FORUM_TABLE_PREFIX . "forum`.`author_guid` AND `" . FORUM_TABLE_PREFIX . "forum`.`id` < ".$id." AND `" . FORUM_TABLE_PREFIX . "forum`.`first_post` = ".(int) $post['first_post'])->fetch();
|
||||
$_page = (int) ceil($post_page['posts_count'] / setting('core.forum_threads_per_page')) - 1;
|
||||
$db->query("DELETE FROM `" . FORUM_TABLE_PREFIX . "forum` WHERE `id` = ".$post['id']);
|
||||
header('Location: ' . getForumThreadLink($post['first_post'], (int) $_page));
|
||||
header('Location: ' . getForumThreadLink($post['first_post'], $_page));
|
||||
}
|
||||
}
|
||||
else {
|
||||
|
@@ -33,7 +33,7 @@ if(!Forum::hasAccess($section_id)) {
|
||||
return;
|
||||
}
|
||||
|
||||
$_page = (int) (isset($_REQUEST['page']) ? $_REQUEST['page'] : 0);
|
||||
$_page = (int) ($_REQUEST['page'] ?? 0);
|
||||
$threads_count = $db->query("SELECT COUNT(`" . FORUM_TABLE_PREFIX . "forum`.`id`) AS threads_count FROM `players`, `" . FORUM_TABLE_PREFIX . "forum` WHERE `players`.`id` = `" . FORUM_TABLE_PREFIX . "forum`.`author_guid` AND `" . FORUM_TABLE_PREFIX . "forum`.`section` = ".(int) $section_id." AND `" . FORUM_TABLE_PREFIX . "forum`.`first_post` = `" . FORUM_TABLE_PREFIX . "forum`.`id`")->fetch();
|
||||
for($i = 0; $i < $threads_count['threads_count'] / setting('core.forum_threads_per_page'); $i++) {
|
||||
if($i != $_page)
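Review bot: `$_page = (int) ($_REQUEST['page'] ?? 0);` accepts negative values, and `$_page` is later multiplied into the `OFFSET` of the `$last_threads` query in the -50,7 hunk, where a negative offset is a SQL error rather than an empty page; `$_page = max(0, (int) ($_REQUEST['page'] ?? 0));` closes that. `page` is legitimately a GET parameter, so staying on `$_REQUEST` is fine here, unlike the form fields moved to `$_POST` elsewhere in this commit. The file-level code continues outside the hunk.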
|
||||
@@ -50,7 +50,7 @@ if($logged && (!$sections[$section_id]['closed'] || Forum::isModerator())) {
|
||||
}
|
||||
|
||||
echo '<br /><br />Page: '.$links_to_pages.'<br />';
|
||||
$last_threads = $db->query("SELECT `players`.`id` as `player_id`, `players`.`name`, `" . FORUM_TABLE_PREFIX . "forum`.`post_text`, `" . FORUM_TABLE_PREFIX . "forum`.`post_topic`, `" . FORUM_TABLE_PREFIX . "forum`.`id`, `" . FORUM_TABLE_PREFIX . "forum`.`last_post`, `" . FORUM_TABLE_PREFIX . "forum`.`replies`, `" . FORUM_TABLE_PREFIX . "forum`.`views`, `" . FORUM_TABLE_PREFIX . "forum`.`post_date` FROM `players`, `" . FORUM_TABLE_PREFIX . "forum` WHERE `players`.`id` = `" . FORUM_TABLE_PREFIX . "forum`.`author_guid` AND `" . FORUM_TABLE_PREFIX . "forum`.`section` = ".$section_id." AND `" . FORUM_TABLE_PREFIX . "forum`.`first_post` = `" . FORUM_TABLE_PREFIX . "forum`.`id` ORDER BY `" . FORUM_TABLE_PREFIX . "forum`.`last_post` DESC LIMIT ".setting('core.forum_threads_per_page')." OFFSET ".($_page * setting('core.forum_threads_per_page')))->fetchAll();
|
||||
$last_threads = $db->query("SELECT `players`.`id` as `player_id`, `players`.`name`, `" . FORUM_TABLE_PREFIX . "forum`.`first_post`, `" . FORUM_TABLE_PREFIX . "forum`.`post_text`, `" . FORUM_TABLE_PREFIX . "forum`.`post_topic`, `" . FORUM_TABLE_PREFIX . "forum`.`id`, `" . FORUM_TABLE_PREFIX . "forum`.`last_post`, `" . FORUM_TABLE_PREFIX . "forum`.`replies`, `" . FORUM_TABLE_PREFIX . "forum`.`views`, `" . FORUM_TABLE_PREFIX . "forum`.`post_date` FROM `players`, `" . FORUM_TABLE_PREFIX . "forum` WHERE `players`.`id` = `" . FORUM_TABLE_PREFIX . "forum`.`author_guid` AND `" . FORUM_TABLE_PREFIX . "forum`.`section` = ".$section_id." AND `" . FORUM_TABLE_PREFIX . "forum`.`first_post` = `" . FORUM_TABLE_PREFIX . "forum`.`id` ORDER BY `" . FORUM_TABLE_PREFIX . "forum`.`last_post` DESC LIMIT ".setting('core.forum_threads_per_page')." OFFSET ".($_page * setting('core.forum_threads_per_page')))->fetchAll(PDO::FETCH_ASSOC);
|
||||
|
||||
if(isset($last_threads[0])) {
|
||||
echo '<table width="100%">
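Review bot: The `$last_threads` query interpolates `$section_id` bare in its `section =` clause, while the `threads_count` query in the -33,7 hunk casts it with `(int)`; if `$section_id` is not cast where it is first read (outside this hunk), this becomes the one query in the file that trusts it raw. Adding the same cast at the use site, `.(int) $section_id.`, or a bound parameter, makes the two consistent. The added `first_post` column and `fetchAll(PDO::FETCH_ASSOC)` look fine.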
|
||||
@@ -67,8 +67,8 @@ if(isset($last_threads[0])) {
|
||||
foreach($last_threads as $thread) {
|
||||
echo '<tr bgcolor="' . getStyle($number_of_rows++) . '"><td>';
|
||||
if(Forum::isModerator()) {
|
||||
echo '<a href="' . getLink('forum') . '?action=move_thread&id='.$thread['id'].'"\')"><span style="color:darkgreen">[MOVE]</span></a>';
|
||||
echo '<a href="' . getLink('forum') . '?action=remove_post&id='.$thread['id'].'" onclick="return confirm(\'Are you sure you want remove thread > '.htmlspecialchars($thread['post_topic']).' <?\')"><span style="color: red">[REMOVE]</span></a> ';
|
||||
echo '<a href="' . getLink('forum') . '?action=move_thread&id=' . $thread['id'] . '" title="Move Thread"><img src="images/icons/arrow_right.gif"/></a>';
|
||||
$twig->display('forum.remove_post.html.twig', ['post' => $thread]);
|
||||
}
|
||||
|
||||
$player->load($thread['player_id']);
|
||||
@@ -82,10 +82,13 @@ if(isset($last_threads[0])) {
|
||||
echo '<a href="' . getForumThreadLink($thread['id']) . '">'.htmlspecialchars($thread['post_topic']). '</a><br /><small>'.($canEditForum ? substr(strip_tags($thread['post_text']), 0, 50) : htmlspecialchars(substr($thread['post_text'], 0, 50))).'...</small></td><td>' . getPlayerLink($thread['name']) . '</td><td>'.(int) $thread['replies'].'</td><td>'.(int) $thread['views'].'</td><td>';
|
||||
if($thread['last_post'] > 0) {
|
||||
$last_post = $db->query("SELECT `players`.`name`, `" . FORUM_TABLE_PREFIX . "forum`.`post_date` FROM `players`, `" . FORUM_TABLE_PREFIX . "forum` WHERE `" . FORUM_TABLE_PREFIX . "forum`.`first_post` = ".(int) $thread['id']." AND `players`.`id` = `" . FORUM_TABLE_PREFIX . "forum`.`author_guid` ORDER BY `post_date` DESC LIMIT 1")->fetch();
|
||||
if(isset($last_post['name']))
|
||||
echo date('d.m.y H:i:s', $last_post['post_date']).'<br />by ' . getPlayerLink($last_post['name']);
|
||||
else
|
||||
|
||||
if(isset($last_post['name'])) {
|
||||
echo date('d.m.y H:i:s', $last_post['post_date']) . '<br />by ' . getPlayerLink($last_post['name']);
|
||||
}
|
||||
else {
|
||||
echo 'No posts.';
|
||||
}
|
||||
}
|
||||
else {
|
||||
echo date('d.m.y H:i:s', $thread['post_date']) . '<br />by ' . getPlayerLink($thread['name']);
|
||||
|
@@ -35,7 +35,7 @@ if(!Forum::hasAccess($thread_starter['section'])) {
|
||||
return;
|
||||
}
|
||||
|
||||
$posts_count = $db->query("SELECT COUNT(`" . FORUM_TABLE_PREFIX . "forum`.`id`) AS posts_count FROM `players`, `" . FORUM_TABLE_PREFIX . "forum` WHERE `players`.`id` = `" . FORUM_TABLE_PREFIX . "forum`.`author_guid` AND `" . FORUM_TABLE_PREFIX . "forum`.`first_post` = ".(int) $thread_id)->fetch();
|
||||
$posts_count = $db->query("SELECT COUNT(`" . FORUM_TABLE_PREFIX . "forum`.`id`) AS posts_count FROM `players`, `" . FORUM_TABLE_PREFIX . "forum` WHERE `players`.`id` = `" . FORUM_TABLE_PREFIX . "forum`.`author_guid` AND `" . FORUM_TABLE_PREFIX . "forum`.`first_post` = ".$thread_id)->fetch();
|
||||
for($i = 0; $i < $posts_count['posts_count'] / setting('core.forum_threads_per_page'); $i++) {
|
||||
if($i != $_page)
|
||||
$links_to_pages .= '<a href="' . getForumThreadLink($thread_id, $i) . '">'.($i + 1).'</a> ';
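Review bot: The `(int)` cast on `$thread_id` is dropped from the `posts_count` query, and the same cast is dropped from the views `UPDATE` in the -46,7 hunk, leaving both queries dependent on `$thread_id` having been cast where it is first read near the top of the file, which is outside this hunk. If that earlier cast exists the change is harmless; if not, these become raw interpolation into SQL, so either keep the casts or record the invariant at the first read with a comment such as `// $thread_id is int-cast here; every query below interpolates it unquoted`. The `$posts` query in the -46,7 hunk interpolates `$thread_id` the same way.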
|
||||
@@ -46,7 +46,7 @@ for($i = 0; $i < $posts_count['posts_count'] / setting('core.forum_threads_per_p
|
||||
$posts = $db->query("SELECT `players`.`id` as `player_id`, `" . FORUM_TABLE_PREFIX . "forum`.`id`,`" . FORUM_TABLE_PREFIX . "forum`.`first_post`, `" . FORUM_TABLE_PREFIX . "forum`.`section`,`" . FORUM_TABLE_PREFIX . "forum`.`post_text`, `" . FORUM_TABLE_PREFIX . "forum`.`post_topic`, `" . FORUM_TABLE_PREFIX . "forum`.`post_date` AS `date`, `" . FORUM_TABLE_PREFIX . "forum`.`post_smile`, `" . FORUM_TABLE_PREFIX . "forum`.`post_html`, `" . FORUM_TABLE_PREFIX . "forum`.`author_aid`, `" . FORUM_TABLE_PREFIX . "forum`.`author_guid`, `" . FORUM_TABLE_PREFIX . "forum`.`last_edit_aid`, `" . FORUM_TABLE_PREFIX . "forum`.`edit_date` FROM `players`, `" . FORUM_TABLE_PREFIX . "forum` WHERE `players`.`id` = `" . FORUM_TABLE_PREFIX . "forum`.`author_guid` AND `" . FORUM_TABLE_PREFIX . "forum`.`first_post` = ".$thread_id." ORDER BY `" . FORUM_TABLE_PREFIX . "forum`.`post_date` LIMIT " . setting('core.forum_posts_per_page') . " OFFSET ".($_page * setting('core.forum_posts_per_page')))->fetchAll();
|
||||
|
||||
if(isset($posts[0]['player_id'])) {
|
||||
$db->query("UPDATE `" . FORUM_TABLE_PREFIX . "forum` SET `views`=`views`+1 WHERE `id` = ".(int) $thread_id);
|
||||
$db->query("UPDATE `" . FORUM_TABLE_PREFIX . "forum` SET `views`=`views`+1 WHERE `id` = " . $thread_id);
|
||||
}
|
||||
|
||||
$lookaddons = $db->hasColumn('players', 'lookaddons');
|
||||
|