From 958681bdc95309888184d93fb0c0067c9c503f56 Mon Sep 17 00:00:00 2001
From: slawkens
Date: Mon, 6 Feb 2023 19:36:16 +0100
Subject: [PATCH] Add verify to pages, add messages, limits, fix add
---
 admin/pages/pages.php | 119 +++++++++++++++-----
 system/templates/admin.pages.form.html.twig | 2 +-
 2 files changed, 89 insertions(+), 32 deletions(-)
diff --git a/admin/pages/pages.php b/admin/pages/pages.php
index 0647c7fd..8e61224b 100644
--- a/admin/pages/pages.php
+++ b/admin/pages/pages.php
@@ -18,13 +18,18 @@ if (!hasFlag(FLAG_CONTENT_PAGES) && !superAdmin()) {
 header('X-XSS-Protection:0');
-$name = $p_title = '';
+$name = $p_title = null;
 $groups = new OTS_Groups_List();
 $php = false;
 $enable_tinymce = true;
 $access = 0;
+// some constants, used mainly by database (cannot by modified without schema changes)
+define('PAGE_TITLE_LIMIT', 30);
+define('PAGE_NAME_LIMIT', 30);
+define('PAGE_BODY_LIMIT', 65535); // maximum page body length
+
 if (!empty($action)) {
 if ($action == 'delete' || $action == 'edit' || $action == 'hide')
 $id = $_REQUEST['id'];
@@ -50,12 +55,13 @@ if (!empty($action)) {
 $errors = array();
 $player_id = 1;
- if ($action == 'add') {
- if (Pages::add($name, $p_title, $body, $player_id, $php, $enable_tinymce, $access, $errors)) {
+ if ($action == 'new') {
+ if (isset($p_title) && Pages::add($name, $p_title, $body, $player_id, $php, $enable_tinymce, $access, $errors)) {
 $name = $p_title = $body = '';
 $player_id = $access = 0;
 $php = false;
 $enable_tinymce = true;
+ success('Added successful.');
 }
 } else if ($action == 'delete') {
 if (Pages::delete($id, $errors))
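Review bot: The comment added above the three `define()`s has a typo ("cannot by modified") and does not say which schema the limits mirror, which is the one thing a maintainer changing them needs to know; suggest `// Column limits of the pages table (presumably VARCHAR(30) name/title, TEXT body = 65535 bytes); changing them requires a schema change` and confirm the sizes against the table definition, since the new `verify()` enforces them with byte-counting `strlen()`. The switch from `''` to `null` for `$name`/`$p_title` is what the `new` handler keys on via `isset($p_title)`, and that coupling is invisible at the assignment; a one-liner there would help: `// null until a form is submitted; the 'new' handler uses isset($p_title) to skip Pages::add() when nothing was posted`. The `if (!empty($action))` block these hunks sit in continues past the end of the hunk.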
@@ -70,15 +76,18 @@ if (!empty($action)) {
 $enable_tinymce = $_page['enable_tinymce'] == '1';
 $access = $_page['access'];
 } else {
- Pages::update($id, $name, $p_title, $body, $player_id, $php, $enable_tinymce, $access);
- $action = $name = $p_title = $body = '';
- $player_id = 1;
- $access = 0;
- $php = false;
- $enable_tinymce = true;
+ if(Pages::update($id, $name, $p_title, $body, $player_id, $php, $enable_tinymce, $access)) {
+ $action = $name = $p_title = $body = '';
+ $player_id = 1;
+ $access = 0;
+ $php = false;
+ $enable_tinymce = true;
+ success("Updated successful.");
+ }
 }
 } else if ($action == 'hide') {
- Pages::toggleHidden($id, $errors);
+ Pages::toggleHidden($id, $errors, $status);
+ success(($status == 1 ? 'Show' : 'Hide') . " successful.");
 }
 if (!empty($errors))
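Review bot: In the `hide` branch `success(...)` runs unconditionally, so when `Pages::toggleHidden` appends to `$errors` (page not found, id not set) the page prints "Hide successful." next to the error, and on those paths `$status` is never assigned at all. Guard the message on the outcome: `Pages::toggleHidden($id, $errors, $status);` / `if (empty($errors))` / `success(($status == 1 ? 'Show' : 'Hide') . " successful.");`. The Show/Hide wording only works because `$status` carries the row's pre-toggle `hidden` value, which deserves a comment at the call: `// $status is the flag before the toggle: 1 = was hidden, now visible`. Nothing in this hunk shows a CSRF token being checked before these state-changing update/hide actions, which are driven by `$_REQUEST`; if the admin framework does not verify one elsewhere, a token check belongs ahead of this dispatch. The enclosing `if (!empty($action))` block begins and ends outside the hunk.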
@@ -117,6 +126,44 @@ $twig->display('admin.pages.html.twig', array(
 class Pages
 {
+ static public function verify($name, $title, $body, $player_id, $php, $enable_tinymce, $access, &$errors)
+ {
+ if(!isset($title[0]) || !isset($body[0])) {
+ $errors[] = 'Please fill all inputs.';
+ return false;
+ }
+ if(strlen($name) > PAGE_NAME_LIMIT) {
+ $errors[] = 'Page name cannot be longer than ' . PAGE_NAME_LIMIT . ' characters.';
+ return false;
+ }
+ if(strlen($title) > PAGE_TITLE_LIMIT) {
+ $errors[] = 'Page title cannot be longer than ' . PAGE_TITLE_LIMIT . ' characters.';
+ return false;
+ }
+ if(strlen($body) > PAGE_BODY_LIMIT) {
+ $errors[] = 'Page content cannot be longer than ' . PAGE_BODY_LIMIT . ' characters.';
+ return false;
+ }
+ if(!isset($player_id) || $player_id == 0) {
+ $errors[] = 'Player ID is wrong.';
+ return false;
+ }
+ if(!isset($php) || ($php != 0 && $php != 1)) {
+ $errors[] = 'Enable PHP is wrong.';
+ return false;
+ }
+ if(!isset($enable_tinymce) || ($enable_tinymce != 0 && $enable_tinymce != 1)) {
+ $errors[] = 'Enable TinyMCE is wrong.';
+ return false;
+ }
+ if(!isset($access) || $access < 0 || $access > PHP_INT_MAX) {
+ $errors[] = 'Access is wrong.';
+ return false;
+ }
+
+ return true;
+ }
+
 static public function get($id)
 {
 global $db;
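Review bot: `verify()` no longer rejects an empty page name: the old `add()` required `isset($name[0])`, but the new first check only looks at `$title` and `$body`, so a page with name `''` passes validation and is inserted (and the duplicate-name check in `add()` then answers every later nameless page with "already exists"). Change the first condition to `if(!isset($name[0]) || !isset($title[0]) || !isset($body[0])) {`. The numeric checks are weaker than they read: `$access > PHP_INT_MAX` can never be true for an integer, and under PHP 8 comparison rules a non-numeric string such as `'abc'` satisfies neither `$player_id == 0` nor `$access < 0`, so if these values come from the request (their origin is not visible here) they reach the database unvalidated; `filter_var($player_id, FILTER_VALIDATE_INT)` and `filter_var($access, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]])` would pin them to integers. Note also that `strlen()` counts bytes, so multibyte titles are capped below 30 characters; that is the safe direction if the columns are byte-sized, but `mb_strlen()` is the match for a character-counted VARCHAR, so check the schema before choosing.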
@@ -129,31 +176,36 @@ class Pages
 static public function add($name, $title, $body, $player_id, $php, $enable_tinymce, $access, &$errors)
 {
+ if(!self::verify($name, $title, $body, $player_id, $php, $enable_tinymce, $access, $errors)) {
+ return false;
+ }
+
 global $db;
- if (isset($name[0]) && isset($title[0]) && isset($body[0]) && $player_id != 0) {
- $query = $db->select(TABLE_PREFIX . 'pages', array('name' => $name));
- if ($query === false)
- $db->insert(TABLE_PREFIX . 'pages',
- array(
- 'name' => $name,
- 'title' => $title,
- 'body' => $body,
- 'player_id' => $player_id,
- 'php' => $php ? '1' : '0',
- 'enable_tinymce' => $enable_tinymce ? '1' : '0',
- 'access' => $access
- )
- );
- else
- $errors[] = 'Page with this link already exists.';
- } else
- $errors[] = 'Please fill all inputs.';
+ $query = $db->select(TABLE_PREFIX . 'pages', array('name' => $name));
+ if ($query === false)
+ $db->insert(TABLE_PREFIX . 'pages',
+ array(
+ 'name' => $name,
+ 'title' => $title,
+ 'body' => $body,
+ 'player_id' => $player_id,
+ 'php' => $php ? '1' : '0',
+ 'enable_tinymce' => $enable_tinymce ? '1' : '0',
+ 'access' => $access
+ )
+ );
+ else
+ $errors[] = 'Page with this link already exists.';
 return !count($errors);
 }
 static public function update($id, $name, $title, $body, $player_id, $php, $enable_tinymce, $access)
 {
+ if(!self::verify($name, $title, $body, $player_id, $php, $enable_tinymce, $access, $errors)) {
+ return false;
+ }
+
 global $db;
 $db->update(TABLE_PREFIX . 'pages', array(
@@ -166,6 +218,8 @@ class Pages
 'access' => $access
 ), array('id' => $id));
+
+ return true;
 }
 static public function delete($id, &$errors)
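Review bot: `update()` calls `verify()` with an `$errors` that is a fresh local, so every validation message it produces is discarded; the caller in the edit branch only sees `false`, skips "Updated successful." and shows no reason, leaving the form silently unchanged. Thread the messages out the way `add()` does: `static public function update($id, $name, $title, $body, $player_id, $php, $enable_tinymce, $access, &$errors = array())` and pass `$errors` at the call site (`Pages::update(..., $access, $errors)`); a by-reference parameter with an array default keeps the existing eight-argument call working. A short docblock on both methods stating that they return `false` and fill `$errors` on validation failure would also make the `verify()` contract visible to callers. `update()`'s body continues past the end of this hunk.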
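Review bot: The new `return true;` is unconditional, so `update()` reports success even when the `$db->update(...)` call above it fails, and the caller then prints "Updated successful." for a row that was not changed. If the wrapper exposes a failure result (its signature is not visible here), capture it: `$result = $db->update(...);` followed by `return $result !== false;`, and confirm against the DB class what it returns. `update()` begins outside this hunk.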
@@ -182,15 +236,18 @@ class Pages
 return !count($errors);
 }
- static public function toggleHidden($id, &$errors)
+ static public function toggleHidden($id, &$errors, &$status)
 {
 global $db;
 if (isset($id)) {
 $query = $db->select(TABLE_PREFIX . 'pages', array('id' => $id));
- if ($query !== false)
+ if ($query !== false) {
 $db->update(TABLE_PREFIX . 'pages', array('hidden' => ($query['hidden'] == 1 ? 0 : 1)), array('id' => $id));
- else
+ $status = $query['hidden'];
+ }
+ else {
 $errors[] = 'Page with id ' . $id . ' does not exists.';
+ }
 } else
 $errors[] = 'id not set';
diff --git a/system/templates/admin.pages.form.html.twig b/system/templates/admin.pages.form.html.twig
index cd96f13d..c8016ab9 100644
--- a/system/templates/admin.pages.form.html.twig
+++ b/system/templates/admin.pages.form.html.twig
@@ -3,7 +3,7 @@
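Review bot: `$status` is only assigned on the found branch, so on the "does not exists" and "id not set" paths the caller's by-reference variable stays undefined; initialise it at the top, `$status = null;` right after `global $db;`, so callers can test it safely. The name also reads like the new state while the value stored is the row's pre-toggle `hidden` flag, which is worth saying at the assignment: `// pre-toggle value: 1 = page was hidden and is now visible`. `toggleHidden()`'s closing brace lies outside the hunk.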
{% if action == 'edit' %}Edit{% else %}Add{% endif %} page
-
+ {% if action == 'edit' %} {% endif %}