- element with a list of linked
+// boards and their subtitles. (without the
- ' . + '' . + sprintf($config['board_abbreviation'], $b['uri']) . + ' - ' . + $b['title'] . + (isset($b['subtitle']) ? ' — ' . $b['subtitle'] . '' : '') . + ($mod['type'] >= $config['mod']['manageboards'] ? + ' [manage]' : '') . + ' '; + } + + if ($mod['type'] >= $config['mod']['newboard']) { + $body .= '
- ' . _('Create new board') . ' '; + } + return $body; +} + +function form_newBan($ip=null, $reason='', $continue=false, $delete=false, $board=false, $allow_public = false) { + global $config, $mod; + + $boards = listBoards(); + $__boards = '
- '; + foreach ($boards as &$_board) { + $__boards .= '
- ' . + '' . + '' . + ' '; + } + + return ''; +} + +function form_newBoard() { + return ''; +} + + +function removeBan($id) { + global $config, $memcached; + + $query = prepare("DELETE FROM `bans` WHERE `id` = :id"); + $query->bindValue(':id', $id, PDO::PARAM_INT); + $query->execute() or error(db_error($query)); + + //if ($config['memcached']['enabled']) { + // Remove cached ban + // TODO + // $memcached->delete("ban_{$id}"); + //} +} + + +// Validate session + +if (isset($_COOKIE[$config['cookies']['mod']])) { + // Should be username:hash:salt + $cookie = explode(':', $_COOKIE[$config['cookies']['mod']]); + if (count($cookie) != 3) { + destroyCookies(); + error($config['error']['malformed']); + } + + $query = prepare("SELECT `id`, `type`, `boards`, `password` FROM `mods` WHERE `username` = :username LIMIT 1"); + $query->bindValue(':username', $cookie[0]); + $query->execute() or error(db_error($query)); + $user = $query->fetch(); + + // validate password hash + if ($cookie[1] != mkhash($cookie[0], $user['password'], $cookie[2])) { + // Malformed cookies + destroyCookies(); + error($config['error']['malformed']); + } + + $mod = Array( + 'id' => $user['id'], + 'type' => $user['type'], + 'username' => $cookie[0], + 'boards' => explode(',', $user['boards']) + ); +} + diff --git a/inc/mod.php b/inc/mod.php index 9065bb82..7b95d05d 100644 --- a/inc/mod.php +++ b/inc/mod.php @@ -4,284 +4,12 @@ * Copyright (c) 2010-2012 Tinyboard Development Group */ +// WARNING: Including this file is DEPRECIATED. It's only here to support older versions and won't exist forever. + if (realpath($_SERVER['SCRIPT_FILENAME']) == str_replace('\\', '/', __FILE__)) { // You cannot request this file directly. exit; } -// create a hash/salt pair for validate logins -function mkhash($username, $password, $salt = false) { - global $config; - - if (!$salt) { - // create some sort of salt for the hash - $salt = substr(base64_encode(sha1(rand() . time(), true) . $config['cookies']['salt']), 0, 15); - - $generated_salt = true; - } - - // generate hash (method is not important as long as it's strong) - $hash = substr(base64_encode(md5($username . sha1($username . $password . $salt . ($config['mod']['lock_ip'] ? $_SERVER['REMOTE_ADDR'] : ''), true), true)), 0, 20); - - if (isset($generated_salt)) - return Array($hash, $salt); - else - return $hash; -} - -function login($username, $password, $makehash=true) { - global $mod; - - // SHA1 password - if ($makehash) { - $password = sha1($password); - } - - $query = prepare("SELECT `id`,`type`,`boards` FROM `mods` WHERE `username` = :username AND `password` = :password LIMIT 1"); - $query->bindValue(':username', $username); - $query->bindValue(':password', $password); - $query->execute() or error(db_error($query)); - - if ($user = $query->fetch()) { - return $mod = Array( - 'id' => $user['id'], - 'type' => $user['type'], - 'username' => $username, - 'hash' => mkhash($username, $password), - 'boards' => explode(',', $user['boards']) - ); - } else return false; -} - -function setCookies() { - global $mod, $config; - if (!$mod) - error('setCookies() was called for a non-moderator!'); - - setcookie($config['cookies']['mod'], - $mod['username'] . // username - ':' . - $mod['hash'][0] . // password - ':' . - $mod['hash'][1], // salt - time() + $config['cookies']['expire'], $config['cookies']['jail'] ? $config['cookies']['path'] : '/', null, false, true); -} - -function destroyCookies() { - global $config; - // Delete the cookies - setcookie($config['cookies']['mod'], 'deleted', time() - $config['cookies']['expire'], $config['cookies']['jail']?$config['cookies']['path'] : '/', null, false, true); -} - -function create_pm_header() { - global $mod; - $query = prepare("SELECT `id` FROM `pms` WHERE `to` = :id AND `unread` = 1"); - $query->bindValue(':id', $mod['id'], PDO::PARAM_INT); - $query->execute() or error(db_error($query)); - - if ($pm = $query->fetch()) { - return Array('id' => $pm['id'], 'waiting' => $query->rowCount() - 1); - } - - return false; -} - -function modLog($action, $_board=null) { - global $mod, $board, $config; - $query = prepare("INSERT INTO `modlogs` VALUES (:id, :ip, :board, :time, :text)"); - $query->bindValue(':id', $mod['id'], PDO::PARAM_INT); - $query->bindValue(':ip', $_SERVER['REMOTE_ADDR']); - $query->bindValue(':time', time(), PDO::PARAM_INT); - $query->bindValue(':text', $action); - if (isset($_board)) - $query->bindValue(':board', $_board); - elseif (isset($board)) - $query->bindValue(':board', $board['uri']); - else - $query->bindValue(':board', null, PDO::PARAM_NULL); - $query->execute() or error(db_error($query)); - - if ($config['syslog']) - _syslog(LOG_INFO, '[mod/' . $mod['username'] . ']: ' . $action); -} - -// Generates a
- ' . - '' . - sprintf($config['board_abbreviation'], $b['uri']) . - ' - ' . - $b['title'] . - (isset($b['subtitle']) ? ' — ' . $b['subtitle'] . '' : '') . - ($mod['type'] >= $config['mod']['manageboards'] ? - ' [manage]' : '') . - ' '; - } - - if ($mod['type'] >= $config['mod']['newboard']) { - $body .= '
- ' . _('Create new board') . ' '; - } - return $body; -} - -function form_newBan($ip=null, $reason='', $continue=false, $delete=false, $board=false, $allow_public = false) { - global $config, $mod; - - $boards = listBoards(); - $__boards = '
- '; - foreach ($boards as &$_board) { - $__boards .= '
- ' . - '' . - '' . - ' '; - } - - return ''; -} - -function form_newBoard() { - return ''; -} - - -function removeBan($id) { - global $config, $memcached; - - $query = prepare("DELETE FROM `bans` WHERE `id` = :id"); - $query->bindValue(':id', $id, PDO::PARAM_INT); - $query->execute() or error(db_error($query)); - - //if ($config['memcached']['enabled']) { - // Remove cached ban - // TODO - // $memcached->delete("ban_{$id}"); - //} -} - - -// Validate session - -if (isset($_COOKIE[$config['cookies']['mod']])) { - // Should be username:hash:salt - $cookie = explode(':', $_COOKIE[$config['cookies']['mod']]); - if (count($cookie) != 3) { - destroyCookies(); - error($config['error']['malformed']); - } - - $query = prepare("SELECT `id`, `type`, `boards`, `password` FROM `mods` WHERE `username` = :username LIMIT 1"); - $query->bindValue(':username', $cookie[0]); - $query->execute() or error(db_error($query)); - $user = $query->fetch(); - - // validate password hash - if ($cookie[1] != mkhash($cookie[0], $user['password'], $cookie[2])) { - // Malformed cookies - destroyCookies(); - error($config['error']['malformed']); - } - - $mod = Array( - 'id' => $user['id'], - 'type' => $user['type'], - 'username' => $cookie[0], - 'boards' => explode(',', $user['boards']) - ); -} +require 'inc/mod/auth.php'; diff --git a/inc/mod/auth.php b/inc/mod/auth.php new file mode 100644 index 00000000..d200c23f --- /dev/null +++ b/inc/mod/auth.php @@ -0,0 +1,152 @@ +bindValue(':username', $username); + $query->bindValue(':password', $password); + $query->execute() or error(db_error($query)); + + if ($user = $query->fetch()) { + return $mod = Array( + 'id' => $user['id'], + 'type' => $user['type'], + 'username' => $username, + 'hash' => mkhash($username, $password), + 'boards' => explode(',', $user['boards']) + ); + } else return false; +} + +function setCookies() { + global $mod, $config; + if (!$mod) + error('setCookies() was called for a non-moderator!'); + + setcookie($config['cookies']['mod'], + $mod['username'] . // username + ':' . + $mod['hash'][0] . // password + ':' . + $mod['hash'][1], // salt + time() + $config['cookies']['expire'], $config['cookies']['jail'] ? $config['cookies']['path'] : '/', null, false, true); +} + +function destroyCookies() { + global $config; + // Delete the cookies + setcookie($config['cookies']['mod'], 'deleted', time() - $config['cookies']['expire'], $config['cookies']['jail']?$config['cookies']['path'] : '/', null, false, true); +} + +function modLog($action, $_board=null) { + global $mod, $board, $config; + $query = prepare("INSERT INTO `modlogs` VALUES (:id, :ip, :board, :time, :text)"); + $query->bindValue(':id', $mod['id'], PDO::PARAM_INT); + $query->bindValue(':ip', $_SERVER['REMOTE_ADDR']); + $query->bindValue(':time', time(), PDO::PARAM_INT); + $query->bindValue(':text', $action); + if (isset($_board)) + $query->bindValue(':board', $_board); + elseif (isset($board)) + $query->bindValue(':board', $board['uri']); + else + $query->bindValue(':board', null, PDO::PARAM_NULL); + $query->execute() or error(db_error($query)); + + if ($config['syslog']) + _syslog(LOG_INFO, '[mod/' . $mod['username'] . ']: ' . $action); +} + +// Validate session + +if (isset($_COOKIE[$config['cookies']['mod']])) { + // Should be username:hash:salt + $cookie = explode(':', $_COOKIE[$config['cookies']['mod']]); + if (count($cookie) != 3) { + destroyCookies(); + error($config['error']['malformed']); + } + + $query = prepare("SELECT `id`, `type`, `boards`, `password` FROM `mods` WHERE `username` = :username LIMIT 1"); + $query->bindValue(':username', $cookie[0]); + $query->execute() or error(db_error($query)); + $user = $query->fetch(); + + // validate password hash + if ($cookie[1] != mkhash($cookie[0], $user['password'], $cookie[2])) { + // Malformed cookies + destroyCookies(); + error($config['error']['malformed']); + } + + $mod = Array( + 'id' => $user['id'], + 'type' => $user['type'], + 'username' => $cookie[0], + 'boards' => explode(',', $user['boards']) + ); +} + +function create_pm_header() { + global $mod, $config; + + if ($config['cache']['enabled'] && ($header = cache::get('pm_unread_' . $mod['id'])) !== false) { + if ($header === true) + return false; + + return $header; + } + + $query = prepare("SELECT `id` FROM `pms` WHERE `to` = :id AND `unread` = 1"); + $query->bindValue(':id', $mod['id'], PDO::PARAM_INT); + $query->execute() or error(db_error($query)); + + if ($pm = $query->fetch()) + $header = Array('id' => $pm['id'], 'waiting' => $query->rowCount() - 1); + else + $header = true; + + if ($config['cache']['enabled']) + cache::set('pm_unread_' . $mod['id'], $header); + + if ($header === true) + return false; + + return $header; +} + diff --git a/inc/mod/ban.php b/inc/mod/ban.php new file mode 100644 index 00000000..51befe27 --- /dev/null +++ b/inc/mod/ban.php @@ -0,0 +1,95 @@ +bindValue(':ip', $mask); + $query->bindValue(':mod', $mod['id']); + $query->bindValue(':time', time()); + if ($reason !== '') { + markup($reason); + $query->bindValue(':reason', $reason); + } else + $query->bindValue(':reason', null, PDO::PARAM_NULL); + + if ($length > 0) + $query->bindValue(':expires', $length); + else + $query->bindValue(':expires', null, PDO::PARAM_NULL); + + if ($board) + $query->bindValue(':board', $board); + else + $query->bindValue(':board', null, PDO::PARAM_NULL); + + $query->execute() or error(db_error($query)); + + modLog('Created a new ' . + ($length > 0 ? preg_replace('/^(\d+) (\w+?)s?$/', '$1-$2', until($length)) : 'permanent') . + ' ban (#' . $pdo->lastInsertId() . ') for ' . + (filter_var($mask, FILTER_VALIDATE_IP) !== false ? "$mask" : utf8tohtml($mask)) . + ' with ' . ($reason ? 'reason: ' . utf8tohtml($reason) . '' : 'no reason')); +} + +function unban($id) { + $query = prepare("DELETE FROM `bans` WHERE `id` = :id"); + $query->bindValue(':id', $id); + $query->execute() or error(db_error($query)); + + modLog("Removed ban #{$id}"); +} + diff --git a/inc/mod/config-editor.php b/inc/mod/config-editor.php new file mode 100644 index 00000000..484bd908 --- /dev/null +++ b/inc/mod/config-editor.php @@ -0,0 +1,75 @@ + false, + 'comment' => array(), + 'default' => false, + 'default_temp' => false + ); + $temp_comment = false; + foreach ($config_file as $line) { + if ($temp_comment) { + $var['comment'][] = $temp_comment; + $temp_comment = false; + } + + if (preg_match('!^\s*// (.*)$!', $line, $matches)) { + if ($var['default'] !== false) { + $line = ''; + $temp_comment = $matches[1]; + } else { + $var['comment'][] = $matches[1]; + } + } else if ($var['default_temp'] !== false) { + $var['default_temp'] .= "\n" . $line; + } elseif (preg_match('!^\s*\$config\[(.+?)\] = (.+?)(;( //.+)?)?$!', $line, $matches)) { + $var['name'] = explode('][', $matches[1]); + if (count($var['name']) == 1) { + $var['name'] = preg_replace('/^\'(.*)\'$/', '$1', end($var['name'])); + } else { + foreach ($var['name'] as &$i) + $i = preg_replace('/^\'(.*)\'$/', '$1', $i); + } + + if (isset($matches[3])) + $var['default'] = $matches[2]; + else + $var['default_temp'] = $matches[2]; + } + + if (trim($line) === '') { + if ($var['name'] !== false) { + if ($var['default_temp']) + $var['default'] = $var['default_temp']; + + $temp = eval('return ' . $var['default'] . ';'); + if (!isset($temp)) + $var['type'] = 'unknown'; + else + $var['type'] = gettype($temp); + + unset($var['default_temp']); + + if (!is_array($var['name']) || (end($var['name']) != '' && !in_array(reset($var['name']), array('stylesheets')))) { + $conf[] = $var; + } + } + + $var = array( + 'name' => false, + 'comment' => array(), + 'default' => false, + 'default_temp' => false + ); + } + } + + return $conf; +} + diff --git a/inc/mod/pages.php b/inc/mod/pages.php new file mode 100644 index 00000000..ad69ae39 --- /dev/null +++ b/inc/mod/pages.php @@ -0,0 +1,1796 @@ + $config, + 'mod' => $mod, + 'hide_dashboard_link' => $template == 'mod/dashboard.html', + 'title' => $title, + 'subtitle' => $subtitle, + 'body' => Element($template, + array_merge( + array('config' => $config, 'mod' => $mod), + $args + ) + ) + ) + ); +} + +function mod_login() { + global $config; + + $args = array(); + + if (isset($_POST['login'])) { + // Check if inputs are set and not empty + if (!isset($_POST['username'], $_POST['password']) || $_POST['username'] == '' || $_POST['password'] == '') { + $args['error'] = $config['error']['invalid']; + } elseif (!login($_POST['username'], $_POST['password'])) { + if ($config['syslog']) + _syslog(LOG_WARNING, 'Unauthorized login attempt!'); + + $args['error'] = $config['error']['invalid']; + } else { + modLog('Logged in'); + + // Login successful + // Set cookies + setCookies(); + + header('Location: ?/', true, $config['redirect_http']); + } + } + + if (isset($_POST['username'])) + $args['username'] = $_POST['username']; + + mod_page(_('Login'), 'mod/login.html', $args); +} + +function mod_confirm($request) { + mod_page(_('Confirm action'), 'mod/confirm.html', array('request' => $request)); +} + +function mod_logout() { + destroyCookies(); + + header('Location: ?/', true, $config['redirect_http']); +} + +function mod_dashboard() { + global $config, $mod; + + $args = array(); + + $args['boards'] = listBoards(); + + if (hasPermission($config['mod']['noticeboard'])) { + if (!$config['cache']['enabled'] || !$args['noticeboard'] = cache::get('noticeboard_preview')) { + $query = prepare("SELECT `noticeboard`.*, `username` FROM `noticeboard` LEFT JOIN `mods` ON `mods`.`id` = `mod` ORDER BY `id` DESC LIMIT :limit"); + $query->bindValue(':limit', $config['mod']['noticeboard_dashboard'], PDO::PARAM_INT); + $query->execute() or error(db_error($query)); + $args['noticeboard'] = $query->fetchAll(PDO::FETCH_ASSOC); + + if ($config['cache']['enabled']) + cache::set('noticeboard_preview', $args['noticeboard']); + } + } + + if (!$config['cache']['enabled'] || ($args['unread_pms'] = cache::get('pm_unreadcount_' . $mod['id'])) === false) { + $query = prepare('SELECT COUNT(*) FROM `pms` WHERE `to` = :id AND `unread` = 1'); + $query->bindValue(':id', $mod['id']); + $query->execute() or error(db_error($query)); + $args['unread_pms'] = $query->fetchColumn(0); + + if ($config['cache']['enabled']) + cache::set('pm_unreadcount_' . $mod['id'], $args['unread_pms']); + } + + $query = query('SELECT COUNT(*) FROM `reports`') or error(db_error($query)); + $args['reports'] = $query->fetchColumn(0); + + if ($mod['type'] >= ADMIN && $config['check_updates']) { + if (!$config['version']) + error(_('Could not find current version! (Check .installed)')); + + if (isset($_COOKIE['update'])) { + $latest = unserialize($_COOKIE['update']); + } else { + $ctx = stream_context_create(array('http' => array('timeout' => 5))); + if ($code = @file_get_contents('http://tinyboard.org/version.txt', 0, $ctx)) { + eval($code); + if (preg_match('/v(\d+)\.(\d)\.(\d+)(-dev.+)?$/', $config['version'], $matches)) { + $current = array( + 'massive' => (int) $matches[1], + 'major' => (int) $matches[2], + 'minor' => (int) $matches[3] + ); + if (isset($m[4])) { + // Development versions are always ahead in the versioning numbers + $current['minor'] --; + } + // Check if it's newer + if (!( $latest['massive'] > $current['massive'] || + $latest['major'] > $current['major'] || + ($latest['massive'] == $current['massive'] && + $latest['major'] == $current['major'] && + $latest['minor'] > $current['minor'] + ))) + $latest = false; + } else { + $latest = false; + } + } else { + // Couldn't get latest version + $latest = false; + } + + setcookie('update', serialize($latest), time() + $config['check_updates_time'], $config['cookies']['jail'] ? $config['cookies']['path'] : '/', null, false, true); + } + + if ($latest) + $args['newer_release'] = $latest; + } + + mod_page(_('Dashboard'), 'mod/dashboard.html', $args); +} + +function mod_edit_board($boardName) { + global $board, $config; + + if (!openBoard($boardName)) + error($config['error']['noboard']); + + if (!hasPermission($config['mod']['manageboards'], $board['uri'])) + error($config['error']['noaccess']); + + if (isset($_POST['title'], $_POST['subtitle'])) { + if (isset($_POST['delete'])) { + if (!hasPermission($config['mod']['manageboards'], $board['uri'])) + error($config['error']['deleteboard']); + + $query = prepare('DELETE FROM `boards` WHERE `uri` = :uri'); + $query->bindValue(':uri', $board['uri']); + $query->execute() or error(db_error($query)); + + modLog('Deleted board: ' . sprintf($config['board_abbreviation'], $board['uri']), false); + + // Delete entire board directory + rrmdir($board['uri'] . '/'); + + // Delete posting table + $query = query(sprintf('DROP TABLE IF EXISTS `posts_%s`', $board['uri'])) or error(db_error()); + + // Clear reports + $query = prepare('DELETE FROM `reports` WHERE `board` = :id'); + $query->bindValue(':id', $board['uri'], PDO::PARAM_INT); + $query->execute() or error(db_error($query)); + + // Delete from table + $query = prepare('DELETE FROM `boards` WHERE `uri` = :uri'); + $query->bindValue(':uri', $board['uri'], PDO::PARAM_INT); + $query->execute() or error(db_error($query)); + + $query = prepare("SELECT `board`, `post` FROM `cites` WHERE `target_board` = :board"); + $query->bindValue(':board', $board['uri']); + $query->execute() or error(db_error($query)); + while ($cite = $query->fetch(PDO::FETCH_ASSOC)) { + if ($board['uri'] != $cite['board']) { + if (!isset($tmp_board)) + $tmp_board = $board; + openBoard($cite['board']); + rebuildPost($cite['post']); + } + } + + $query = prepare('DELETE FROM `cites` WHERE `board` = :board OR `target_board` = :board'); + $query->bindValue(':board', $board['uri']); + $query->execute() or error(db_error($query)); + + $query = prepare('DELETE FROM `antispam` WHERE `board` = :board'); + $query->bindValue(':board', $board['uri']); + $query->execute() or error(db_error($query)); + } else { + $query = prepare('UPDATE `boards` SET `title` = :title, `subtitle` = :subtitle WHERE `uri` = :uri'); + $query->bindValue(':uri', $board['uri']); + $query->bindValue(':title', $_POST['title']); + $query->bindValue(':subtitle', $_POST['subtitle']); + $query->execute() or error(db_error($query)); + } + + if ($config['cache']['enabled']) { + cache::delete('board_' . $board['uri']); + cache::delete('all_boards'); + } + + rebuildThemes('boards'); + + header('Location: ?/', true, $config['redirect_http']); + } else { + mod_page(sprintf('%s: ' . $config['board_abbreviation'], _('Edit board'), $board['uri']), 'mod/board.html', array('board' => $board)); + } +} + +function mod_new_board() { + global $config, $board; + + if (!hasPermission($config['mod']['newboard'])) + error($config['error']['noaccess']); + + if (isset($_POST['uri'], $_POST['title'], $_POST['subtitle'])) { + if ($_POST['uri'] == '') + error(sprintf($config['error']['required'], 'URI')); + + if ($_POST['title'] == '') + error(sprintf($config['error']['required'], 'title')); + + if (!preg_match('/^\w+$/', $_POST['uri'])) + error(sprintf($config['error']['invalidfield'], 'URI')); + + if (openBoard($_POST['uri'])) { + error(sprintf($config['error']['boardexists'], $board['url'])); + } + + $query = prepare('INSERT INTO `boards` VALUES (:uri, :title, :subtitle)'); + $query->bindValue(':uri', $_POST['uri']); + $query->bindValue(':title', $_POST['title']); + $query->bindValue(':subtitle', $_POST['subtitle']); + $query->execute() or error(db_error($query)); + + modLog('Created a new board: ' . sprintf($config['board_abbreviation'], $_POST['uri'])); + + if (!openBoard($_POST['uri'])) + error(_("Couldn't open board after creation.")); + + query(Element('posts.sql', array('board' => $board['uri']))) or error(db_error()); + + if ($config['cache']['enabled']) + cache::delete('all_boards'); + + // Build the board + buildIndex(); + + rebuildThemes('boards'); + + header('Location: ?/' . $board['uri'] . '/' . $config['file_index'], true, $config['redirect_http']); + } + + mod_page(_('New board'), 'mod/board.html', array('new' => true)); +} + +function mod_noticeboard($page_no = 1) { + global $config, $pdo, $mod; + + if ($page_no < 1) + error($config['error']['404']); + + if (!hasPermission($config['mod']['noticeboard'])) + error($config['error']['noaccess']); + + if (isset($_POST['subject'], $_POST['body'])) { + if (!hasPermission($config['mod']['noticeboard_post'])) + error($config['error']['noaccess']); + + markup($_POST['body']); + + $query = prepare('INSERT INTO `noticeboard` VALUES (NULL, :mod, :time, :subject, :body)'); + $query->bindValue(':mod', $mod['id']); + $query->bindvalue(':time', time()); + $query->bindValue(':subject', $_POST['subject']); + $query->bindValue(':body', $_POST['body']); + $query->execute() or error(db_error($query)); + + if ($config['cache']['enabled']) + cache::delete('noticeboard_preview'); + + modLog('Posted a noticeboard entry'); + + header('Location: ?/noticeboard#' . $pdo->lastInsertId(), true, $config['redirect_http']); + } + + $query = prepare("SELECT `noticeboard`.*, `username` FROM `noticeboard` LEFT JOIN `mods` ON `mods`.`id` = `mod` ORDER BY `id` DESC LIMIT :offset, :limit"); + $query->bindValue(':limit', $config['mod']['noticeboard_page'], PDO::PARAM_INT); + $query->bindValue(':offset', ($page_no - 1) * $config['mod']['noticeboard_page'], PDO::PARAM_INT); + $query->execute() or error(db_error($query)); + $noticeboard = $query->fetchAll(PDO::FETCH_ASSOC); + + if (empty($noticeboard) && $page_no > 1) + error($config['error']['404']); + + $query = prepare("SELECT COUNT(*) FROM `noticeboard`"); + $query->execute() or error(db_error($query)); + $count = $query->fetchColumn(0); + + mod_page(_('Noticeboard'), 'mod/noticeboard.html', array('noticeboard' => $noticeboard, 'count' => $count)); +} + +function mod_noticeboard_delete($id) { + global $config; + + if (!hasPermission($config['mod']['noticeboard_delete'])) + error($config['error']['noaccess']); + + $query = prepare('DELETE FROM `noticeboard` WHERE `id` = :id'); + $query->bindValue(':id', $id); + $query->execute() or error(db_error($query)); + + modLog('Deleted a noticeboard entry'); + + header('Location: ?/noticeboard', true, $config['redirect_http']); +} + +function mod_news($page_no = 1) { + global $config, $pdo, $mod; + + if ($page_no < 1) + error($config['error']['404']); + + if (isset($_POST['subject'], $_POST['body'])) { + if (!hasPermission($config['mod']['news'])) + error($config['error']['noaccess']); + + markup($_POST['body']); + + $query = prepare('INSERT INTO `news` VALUES (NULL, :name, :time, :subject, :body)'); + $query->bindValue(':name', isset($_POST['name']) && hasPermission($config['mod']['news_custom']) ? $_POST['name'] : $mod['username']); + $query->bindvalue(':time', time()); + $query->bindValue(':subject', $_POST['subject']); + $query->bindValue(':body', $_POST['body']); + $query->execute() or error(db_error($query)); + + modLog('Posted a news entry'); + + rebuildThemes('news'); + + header('Location: ?/news#' . $pdo->lastInsertId(), true, $config['redirect_http']); + } + + $query = prepare("SELECT * FROM `news` ORDER BY `id` DESC LIMIT :offset, :limit"); + $query->bindValue(':limit', $config['mod']['news_page'], PDO::PARAM_INT); + $query->bindValue(':offset', ($page_no - 1) * $config['mod']['news_page'], PDO::PARAM_INT); + $query->execute() or error(db_error($query)); + $news = $query->fetchAll(PDO::FETCH_ASSOC); + + if (empty($news) && $page_no > 1) + error($config['error']['404']); + + $query = prepare("SELECT COUNT(*) FROM `news`"); + $query->execute() or error(db_error($query)); + $count = $query->fetchColumn(0); + + mod_page(_('News'), 'mod/news.html', array('news' => $news, 'count' => $count)); +} + +function mod_news_delete($id) { + global $config; + + if (!hasPermission($config['mod']['news_delete'])) + error($config['error']['noaccess']); + + $query = prepare('DELETE FROM `news` WHERE `id` = :id'); + $query->bindValue(':id', $id); + $query->execute() or error(db_error($query)); + + modLog('Deleted a news entry'); + + header('Location: ?/news', true, $config['redirect_http']); +} + +function mod_log($page_no = 1) { + global $config; + + if ($page_no < 1) + error($config['error']['404']); + + if (!hasPermission($config['mod']['modlog'])) + error($config['error']['noaccess']); + + $query = prepare("SELECT `username`, `mod`, `ip`, `board`, `time`, `text` FROM `modlogs` LEFT JOIN `mods` ON `mod` = `mods`.`id` ORDER BY `time` DESC LIMIT :offset, :limit"); + $query->bindValue(':limit', $config['mod']['modlog_page'], PDO::PARAM_INT); + $query->bindValue(':offset', ($page_no - 1) * $config['mod']['modlog_page'], PDO::PARAM_INT); + $query->execute() or error(db_error($query)); + $logs = $query->fetchAll(PDO::FETCH_ASSOC); + + if (empty($logs) && $page_no > 1) + error($config['error']['404']); + + $query = prepare("SELECT COUNT(*) FROM `modlogs`"); + $query->execute() or error(db_error($query)); + $count = $query->fetchColumn(0); + + mod_page(_('Moderation log'), 'mod/log.html', array('logs' => $logs, 'count' => $count)); +} + +function mod_view_board($boardName, $page_no = 1) { + global $config, $mod; + + if (!openBoard($boardName)) + error($config['error']['noboard']); + + if (!$page = index($page_no, $mod)) { + error($config['error']['404']); + } + + $page['pages'] = getPages(true); + $page['pages'][$page_no-1]['selected'] = true; + $page['btn'] = getPageButtons($page['pages'], true); + $page['mod'] = true; + $page['config'] = $config; + + echo Element('index.html', $page); +} + +function mod_view_thread($boardName, $thread) { + global $config, $mod; + + if (!openBoard($boardName)) + error($config['error']['noboard']); + + $page = buildThread($thread, true, $mod); + echo $page; +} + +function mod_ip_remove_note($ip, $id) { + global $config, $mod; + + if (!hasPermission($config['mod']['remove_notes'])) + error($config['error']['noaccess']); + + if (filter_var($ip, FILTER_VALIDATE_IP) === false) + error("Invalid IP address."); + + $query = prepare('DELETE FROM `ip_notes` WHERE `ip` = :ip AND `id` = :id'); + $query->bindValue(':ip', $ip); + $query->bindValue(':id', $id); + $query->execute() or error(db_error($query)); + + modLog("Removed a note for {$ip}"); + + header('Location: ?/IP/' . $ip . '#notes', true, $config['redirect_http']); +} + +function mod_page_ip($ip) { + global $config, $mod; + + if (filter_var($ip, FILTER_VALIDATE_IP) === false) + error("Invalid IP address."); + + if (isset($_POST['ban_id'], $_POST['unban'])) { + if (!hasPermission($config['mod']['unban'])) + error($config['error']['noaccess']); + + require_once 'inc/mod/ban.php'; + + unban($_POST['ban_id']); + + header('Location: ?/IP/' . $ip . '#bans', true, $config['redirect_http']); + return; + } + + if (isset($_POST['note'])) { + if (!hasPermission($config['mod']['create_notes'])) + error($config['error']['noaccess']); + + markup($_POST['note']); + $query = prepare('INSERT INTO `ip_notes` VALUES (NULL, :ip, :mod, :time, :body)'); + $query->bindValue(':ip', $ip); + $query->bindValue(':mod', $mod['id']); + $query->bindValue(':time', time()); + $query->bindValue(':body', $_POST['note']); + $query->execute() or error(db_error($query)); + + modLog("Added a note for {$ip}"); + + header('Location: ?/IP/' . $ip . '#notes', true, $config['redirect_http']); + return; + } + + $args = array(); + $args['ip'] = $ip; + $args['posts'] = array(); + + if ($config['mod']['dns_lookup']) + $args['hostname'] = rDNS($ip); + + $boards = listBoards(); + foreach ($boards as $board) { + openBoard($board['uri']); + + $query = prepare(sprintf('SELECT * FROM `posts_%s` WHERE `ip` = :ip ORDER BY `sticky` DESC, `id` DESC LIMIT :limit', $board['uri'])); + $query->bindValue(':ip', $ip); + $query->bindValue(':limit', $config['mod']['ip_recentposts'], PDO::PARAM_INT); + $query->execute() or error(db_error($query)); + + while ($post = $query->fetch(PDO::FETCH_ASSOC)) { + if (!$post['thread']) { + // TODO: There is no reason why this should be such a fucking mess. + $po = new Thread( + $post['id'], $post['subject'], $post['email'], $post['name'], $post['trip'], $post['capcode'], $post['body'], + $post['time'], $post['thumb'], $post['thumbwidth'], $post['thumbheight'], $post['file'], $post['filewidth'], + $post['fileheight'], $post['filesize'], $post['filename'], $post['ip'], $post['sticky'], $post['locked'], + $post['sage'], $post['embed'], '?/', $mod, false + ); + } else { + $po = new Post( + $post['id'], $post['thread'], $post['subject'], $post['email'], $post['name'], $post['trip'], $post['capcode'], + $post['body'], $post['time'], $post['thumb'], $post['thumbwidth'], $post['thumbheight'], $post['file'], $post['filewidth'], + $post['fileheight'], $post['filesize'], $post['filename'], $post['ip'], $post['embed'], '?/', $mod + ); + } + + if (!isset($args['posts'][$board['uri']])) + $args['posts'][$board['uri']] = array('board' => $board, 'posts' => array()); + $args['posts'][$board['uri']]['posts'][] = $po->build(true); + } + } + + $args['boards'] = $boards; + + + if (hasPermission($config['mod']['view_ban'])) { + $query = prepare("SELECT `bans`.*, `username` FROM `bans` LEFT JOIN `mods` ON `mod` = `mods`.`id` WHERE `ip` = :ip"); + $query->bindValue(':ip', $ip); + $query->execute() or error(db_error($query)); + $args['bans'] = $query->fetchAll(PDO::FETCH_ASSOC); + } + + if (hasPermission($config['mod']['view_notes'])) { + $query = prepare("SELECT `ip_notes`.*, `username` FROM `ip_notes` LEFT JOIN `mods` ON `mod` = `mods`.`id` WHERE `ip` = :ip"); + $query->bindValue(':ip', $ip); + $query->execute() or error(db_error($query)); + $args['notes'] = $query->fetchAll(PDO::FETCH_ASSOC); + } + + mod_page(sprintf('%s: %s', _('IP'), $ip), 'mod/view_ip.html', $args, $args['hostname']); +} + +function mod_ban() { + global $config; + + if (!hasPermission($config['mod']['ban'])) + error($config['error']['noaccess']); + + if (!isset($_POST['ip'], $_POST['reason'], $_POST['length'], $_POST['board'])) { + mod_page(_('New ban'), 'mod/ban_form.html', array()); + return; + } + + require_once 'inc/mod/ban.php'; + + ban($_POST['ip'], $_POST['reason'], parse_time($_POST['length']), $_POST['board'] == '*' ? false : $_POST['board']); + + if (isset($_POST['redirect'])) + header('Location: ' . $_POST['redirect'], true, $config['redirect_http']); + else + header('Location: ?/', true, $config['redirect_http']); +} + +function mod_bans($page_no = 1) { + global $config; + + if ($page_no < 1) + error($config['error']['404']); + + if (!hasPermission($config['mod']['view_banlist'])) + error($config['error']['noaccess']); + + if (isset($_POST['unban'])) { + if (!hasPermission($config['mod']['unban'])) + error($config['error']['noaccess']); + + $unban = array(); + foreach ($_POST as $name => $unused) { + if (preg_match('/^ban_(\d+)$/', $name, $match)) + $unban[] = $match[1]; + } + + if (!empty($unban)) { + query('DELETE FROM `bans` WHERE `id` = ' . implode(' OR `id` = ', $unban)) or error(db_error()); + + foreach ($unban as $id) { + modLog("Removed ban #{$id}"); + } + } + + header('Location: ?/bans', true, $config['redirect_http']); + } + + if ($config['mod']['view_banexpired']) { + $query = prepare("SELECT `bans`.*, `username` FROM `bans` LEFT JOIN `mods` ON `mod` = `mods`.`id` ORDER BY (`expires` IS NOT NULL AND `expires` < :time), `set` DESC LIMIT :offset, :limit"); + } else { + // Filter out expired bans + $query = prepare("SELECT `bans`.*, `username` FROM `bans` INNER JOIN `mods` ON `mod` = `mods`.`id` WHERE `expires` = 0 OR `expires` > :time ORDER BY `set` DESC LIMIT :offset, :limit"); + } + $query->bindValue(':time', time(), PDO::PARAM_INT); + $query->bindValue(':limit', $config['mod']['banlist_page'], PDO::PARAM_INT); + $query->bindValue(':offset', ($page_no - 1) * $config['mod']['banlist_page'], PDO::PARAM_INT); + $query->execute() or error(db_error($query)); + $bans = $query->fetchAll(PDO::FETCH_ASSOC); + + if (empty($bans) && $page_no > 1) + error($config['error']['404']); + + $query = prepare("SELECT COUNT(*) FROM `bans`"); + $query->execute() or error(db_error($query)); + $count = $query->fetchColumn(0); + + foreach ($bans as &$ban) { + if (filter_var($ban['ip'], FILTER_VALIDATE_IP) !== false) + $ban['real_ip'] = true; + } + + mod_page(_('Ban list'), 'mod/ban_list.html', array('bans' => $bans, 'count' => $count)); +} + + +function mod_lock($board, $unlock, $post) { + global $config; + + if (!openBoard($board)) + error($config['error']['noboard']); + + if (!hasPermission($config['mod']['lock'], $board)) + error($config['error']['noaccess']); + + $query = prepare(sprintf('UPDATE `posts_%s` SET `locked` = :locked WHERE `id` = :id AND `thread` IS NULL', $board)); + $query->bindValue(':id', $post); + $query->bindValue(':locked', $unlock ? 0 : 1); + $query->execute() or error(db_error($query)); + if ($query->rowCount()) { + modLog(($unlock ? 'Unlocked' : 'Locked') . " thread #{$post}"); + buildThread($post); + buildIndex(); + } + + header('Location: ?/' . sprintf($config['board_path'], $board) . $config['file_index'], true, $config['redirect_http']); +} + +function mod_sticky($board, $unsticky, $post) { + global $config; + + if (!openBoard($board)) + error($config['error']['noboard']); + + if (!hasPermission($config['mod']['sticky'], $board)) + error($config['error']['noaccess']); + + $query = prepare(sprintf('UPDATE `posts_%s` SET `sticky` = :sticky WHERE `id` = :id AND `thread` IS NULL', $board)); + $query->bindValue(':id', $post); + $query->bindValue(':sticky', $unsticky ? 0 : 1); + $query->execute() or error(db_error($query)); + if ($query->rowCount()) { + modLog(($unlock ? 'Unstickied' : 'Stickied') . " thread #{$post}"); + buildThread($post); + buildIndex(); + } + + header('Location: ?/' . sprintf($config['board_path'], $board) . $config['file_index'], true, $config['redirect_http']); +} + +function mod_bumplock($board, $unbumplock, $post) { + global $config; + + if (!openBoard($board)) + error($config['error']['noboard']); + + if (!hasPermission($config['mod']['bumplock'], $board)) + error($config['error']['noaccess']); + + $query = prepare(sprintf('UPDATE `posts_%s` SET `sage` = :bumplock WHERE `id` = :id AND `thread` IS NULL', $board)); + $query->bindValue(':id', $post); + $query->bindValue(':bumplock', $unbumplock ? 0 : 1); + $query->execute() or error(db_error($query)); + if ($query->rowCount()) { + modLog(($unlock ? 'Unbumplocked' : 'Bumplocked') . " thread #{$post}"); + buildThread($post); + buildIndex(); + } + + header('Location: ?/' . sprintf($config['board_path'], $board) . $config['file_index'], true, $config['redirect_http']); +} + +function mod_move($originBoard, $postID) { + global $board, $config, $mod; + + if (!openBoard($originBoard)) + error($config['error']['noboard']); + + if (!hasPermission($config['mod']['move'], $originBoard)) + error($config['error']['noaccess']); + + $query = prepare(sprintf('SELECT * FROM `posts_%s` WHERE `id` = :id AND `thread` IS NULL', $originBoard)); + $query->bindValue(':id', $postID); + $query->execute() or error(db_error($query)); + if (!$post = $query->fetch(PDO::FETCH_ASSOC)) + error($config['error']['404']); + + if (isset($_POST['board'])) { + $targetBoard = $_POST['board']; + $shadow = isset($_POST['shadow']); + + if ($targetBoard === $originBoard) + error(_('Target and source board are the same.')); + + // copy() if leaving a shadow thread behind; else, rename(). + $clone = $shadow ? 'copy' : 'rename'; + + // indicate that the post is a thread + $post['op'] = true; + + if ($post['file']) { + $post['has_file'] = true; + $post['width'] = &$post['filewidth']; + $post['height'] = &$post['fileheight']; + + $file_src = sprintf($config['board_path'], $board['uri']) . $config['dir']['img'] . $post['file']; + $file_thumb = sprintf($config['board_path'], $board['uri']) . $config['dir']['thumb'] . $post['thumb']; + } else { + $post['has_file'] = false; + } + + // allow thread to keep its same traits (stickied, locked, etc.) + $post['mod'] = true; + + if (!openBoard($targetBoard)) + error($config['error']['noboard']); + + // create the new thread + $newID = post($post); + + if ($post['has_file']) { + // copy image + $clone($file_src, sprintf($config['board_path'], $board['uri']) . $config['dir']['img'] . $post['file']); + $clone($file_thumb, sprintf($config['board_path'], $board['uri']) . $config['dir']['thumb'] . $post['thumb']); + } + + // go back to the original board to fetch replies + openBoard($originBoard); + + $query = prepare(sprintf('SELECT * FROM `posts_%s` WHERE `thread` = :id ORDER BY `id`', $originBoard)); + $query->bindValue(':id', $postID, PDO::PARAM_INT); + $query->execute() or error(db_error($query)); + + $replies = array(); + + while ($post = $query->fetch()) { + $post['mod'] = true; + $post['thread'] = $newID; + + if ($post['file']) { + $post['has_file'] = true; + $post['width'] = &$post['filewidth']; + $post['height'] = &$post['fileheight']; + + $post['file_src'] = sprintf($config['board_path'], $board['uri']) . $config['dir']['img'] . $post['file']; + $post['file_thumb'] = sprintf($config['board_path'], $board['uri']) . $config['dir']['thumb'] . $post['thumb']; + } else { + $post['has_file'] = false; + } + + $replies[] = $post; + } + + $newIDs = array($postID => $newID); + + openBoard($targetBoard); + + foreach ($replies as &$post) { + $query = prepare('SELECT `target` FROM `cites` WHERE `target_board` = :board AND `board` = :board AND `post` = :post'); + $query->bindValue(':board', $originBoard); + $query->bindValue(':post', $post['id'], PDO::PARAM_INT); + $query->execute() or error(db_error($qurey)); + + // correct >>X links + while ($cite = $query->fetch(PDO::FETCH_ASSOC)) { + if (isset($newIDs[$cite['target']])) { + $post['body_nomarkup'] = preg_replace( + '/(>>(>\/' . preg_quote($originBoard, '/') . '\/)?)' . preg_quote($cite['target'], '/') . '/', + '>>' . $newIDs[$cite['target']], + $post['body_nomarkup']); + + $post['body'] = $post['body_nomarkup']; + } + } + + $post['body'] = $post['body_nomarkup']; + + $post['op'] = false; + $post['tracked_cites'] = markup($post['body'], true); + + // insert reply + $newIDs[$post['id']] = $newPostID = post($post); + + if ($post['has_file']) { + // copy image + $clone($post['file_src'], sprintf($config['board_path'], $board['uri']) . $config['dir']['img'] . $post['file']); + $clone($post['file_thumb'], sprintf($config['board_path'], $board['uri']) . $config['dir']['thumb'] . $post['thumb']); + } + + foreach ($post['tracked_cites'] as $cite) { + $query = prepare('INSERT INTO `cites` VALUES (:board, :post, :target_board, :target)'); + $query->bindValue(':board', $board['uri']); + $query->bindValue(':post', $newPostID, PDO::PARAM_INT); + $query->bindValue(':target_board',$cite[0]); + $query->bindValue(':target', $cite[1], PDO::PARAM_INT); + $query->execute() or error(db_error($query)); + } + } + + // build new hread + buildThread($newID); + buildIndex(); + + // trigger themes + rebuildThemes('post'); + + // return to original board + openBoard($originBoard); + + if ($shadow) { + // lock old thread + $query = prepare(sprintf('UPDATE `posts_%s` SET `locked` = 1 WHERE `id` = :id', $originBoard)); + $query->bindValue(':id', $postID, PDO::PARAM_INT); + $query->execute() or error(db_error($query)); + + // leave a reply, linking to the new thread + $post = array( + 'mod' => true, + 'subject' => '', + 'email' => '', + 'name' => $config['mod']['shadow_name'], + 'capcode' => $config['mod']['shadow_capcode'], + 'trip' => '', + 'password' => '', + 'has_file' => false, + // attach to original thread + 'thread' => $postID, + 'op' => false + ); + + $post['body'] = $post['body_nomarkup'] = sprintf($config['mod']['shadow_mesage'], '>>>/' . $targetBoard . '/' . $newID); + + markup($post['body']); + + $botID = post($post); + buildThread($postID); + + buildIndex(); + + header('Location: ?/' . sprintf($config['board_path'], $originBoard) . $config['dir']['res'] .sprintf($config['file_page'], $postID) . + '#' . $botID, true, $config['redirect_http']); + } else { + deletePost($postID); + buildIndex(); + + openBoard($targetBoard); + header('Location: ?/' . sprintf($config['board_path'], $board['uri']) . $config['dir']['res'] . sprintf($config['file_page'], $newID), true, $config['redirect_http']); + } + } + + $boards = listBoards(); + if (count($boards) <= 1) + error(_('Impossible to move thread; there is only one board.')); + + mod_page(_('Move thread'), 'mod/move.html', array('post' => $postID, 'board' => $originBoard, 'boards' => $boards)); +} + +function mod_ban_post($board, $delete, $post) { + global $config, $mod; + + if (!openBoard($board)) + error($config['error']['noboard']); + + if (!hasPermission($config['mod']['delete'], $board)) + error($config['error']['noaccess']); + + $query = prepare(sprintf('SELECT `ip`, `thread` FROM `posts_%s` WHERE `id` = :id', $board)); + $query->bindValue(':id', $post); + $query->execute() or error(db_error($query)); + if (!$_post = $query->fetch(PDO::FETCH_ASSOC)) + error($config['error']['404']); + + $thread = $_post['thread']; + $ip = $_post['ip']; + + if (isset($_POST['new_ban'], $_POST['reason'], $_POST['length'], $_POST['board'])) { + require_once 'inc/mod/ban.php'; + + if (isset($_POST['ip'])) + $ip = $_POST['ip']; + + ban($ip, $_POST['reason'], parse_time($_POST['length']), $_POST['board'] == '*' ? false : $_POST['board']); + + if (isset($_POST['public_message'], $_POST['message'])) { + // public ban message + $query = prepare(sprintf('UPDATE `posts_%s` SET `body` = CONCAT(`body`, :body) WHERE `id` = :id', $board)); + $query->bindValue(':id', $post); + $query->bindValue(':body', sprintf($config['mod']['ban_message'], utf8tohtml($_POST['message']))); + $query->execute() or error(db_error($query)); + + modLog("Attached a public ban message to post #{$post}: " . utf8tohtml($_POST['message'])); + buildThread($thread ? $thread : $post); + buildIndex(); + } elseif (isset($_POST['delete']) && (int) $_POST['delete']) { + // Delete post + deletePost($post); + modLog("Deleted post #{$post}"); + // Rebuild board + buildIndex(); + } + + header('Location: ?/' . sprintf($config['board_path'], $board) . $config['file_index'], true, $config['redirect_http']); + } + + $args = array( + 'ip' => $ip, + 'hide_ip' => !hasPermission($config['mod']['show_ip'], $board), + 'post' => $post, + 'board' => $board, + 'delete' => (bool)$delete, + 'boards' => listBoards() + ); + + mod_page(_('New ban'), 'mod/ban_form.html', $args); +} + +function mod_delete($board, $post) { + global $config, $mod; + + if (!openBoard($board)) + error($config['error']['noboard']); + + if (!hasPermission($config['mod']['delete'], $board)) + error($config['error']['noaccess']); + + // Delete post + deletePost($post); + // Record the action + modLog("Deleted post #{$post}"); + // Rebuild board + buildIndex(); + + // Redirect + header('Location: ?/' . sprintf($config['board_path'], $board) . $config['file_index'], true, $config['redirect_http']); +} + +function mod_deletefile($board, $post) { + global $config, $mod; + + if (!openBoard($board)) + error($config['error']['noboard']); + + if (!hasPermission($config['mod']['deletefile'], $board)) + error($config['error']['noaccess']); + + // Delete file + deleteFile($post); + // Record the action + modLog("Deleted file from post #{$post}"); + // Rebuild thread + buildThread($post); + // Rebuild board + buildIndex(); + + // Redirect + header('Location: ?/' . sprintf($config['board_path'], $board) . $config['file_index'], true, $config['redirect_http']); +} + +function mod_deletebyip($boardName, $post, $global = false) { + global $config, $mod, $board; + + $global = (bool)$global; + + if (!openBoard($boardName)) + error($config['error']['noboard']); + + if (!$global && !hasPermission($config['mod']['deletebyip'], $boardName)) + error($config['error']['noaccess']); + + if ($global && !hasPermission($config['mod']['deletebyip_global'], $boardName)) + error($config['error']['noaccess']); + + // Find IP address + $query = prepare(sprintf('SELECT `ip` FROM `posts_%s` WHERE `id` = :id', $boardName)); + $query->bindValue(':id', $post); + $query->execute() or error(db_error($query)); + if (!$ip = $query->fetchColumn(0)) + error($config['error']['invalidpost']); + + $boards = $global ? listBoards() : array(array('uri' => $boardName)); + + $query = ''; + foreach ($boards as $_board) { + $query .= sprintf("SELECT `id`, '%s' AS `board` FROM `posts_%s` WHERE `ip` = :ip UNION ALL ", $_board['uri'], $_board['uri']); + } + $query = preg_replace('/UNION ALL $/', '', $query); + + $query = prepare($query); + $query->bindValue(':ip', $ip); + $query->execute() or error(db_error($query)); + + if ($query->rowCount() < 1) + error($config['error']['invalidpost']); + + $boards = array(); + while ($post = $query->fetch()) { + openBoard($post['board']); + $boards[] = $post['board']; + + deletePost($post['id'], false); + } + + $boards = array_unique($boards); + + foreach ($boards as $_board) { + openBoard($_board); + buildIndex(); + } + + if ($global) { + $board = false; + } + + // Record the action + modLog("Deleted all posts by IP address: $ip"); + + // Redirect + header('Location: ?/' . sprintf($config['board_path'], $boardName) . $config['file_index'], true, $config['redirect_http']); +} + +function mod_user($uid) { + global $config, $mod; + + if (!hasPermission($config['mod']['editusers']) && !(hasPermission($config['mod']['change_password']) && $uid == $mod['id'])) + error($config['error']['noaccess']); + + $query = prepare('SELECT * FROM `mods` WHERE `id` = :id'); + $query->bindValue(':id', $uid); + $query->execute() or error(db_error($query)); + if (!$user = $query->fetch(PDO::FETCH_ASSOC)) + error($config['error']['404']); + + if (hasPermission($config['mod']['editusers']) && isset($_POST['username'], $_POST['password'])) { + if (isset($_POST['allboards'])) { + $boards = array('*'); + } else { + $_boards = listBoards(); + foreach ($_boards as &$board) { + $board = $board['uri']; + } + + $boards = array(); + foreach ($_POST as $name => $value) { + if (preg_match('/^board_(\w+)$/', $name, $matches) && in_array($matches[1], $_boards)) + $boards[] = $matches[1]; + } + } + + if (isset($_POST['delete'])) { + if (!hasPermission($config['mod']['deleteusers'])) + error($config['error']['noaccess']); + + $query = prepare('DELETE FROM `mods` WHERE `id` = :id'); + $query->bindValue(':id', $uid); + $query->execute() or error(db_error($query)); + + modLog('Deleted user ' . utf8tohtml($user['username']) . ' (#' . $user['id'] . ')'); + + header('Location: ?/users', true, $config['redirect_http']); + + return; + } + + if ($_POST['username'] == '') + error(sprintf($config['error']['required'], 'username')); + + $query = prepare('UPDATE `mods` SET `username` = :username, `boards` = :boards WHERE `id` = :id'); + $query->bindValue(':id', $uid); + $query->bindValue(':username', $_POST['username']); + $query->bindValue(':boards', implode(',', $boards)); + $query->execute() or error(db_error($query)); + + if ($user['username'] !== $_POST['username']) { + // account was renamed + modLog('Renamed user "' . utf8tohtml($user['username']) . '" (#' . $user['id'] . ') to "' . utf8tohtml($_POST['username']) . '"'); + } + + if ($_POST['password'] != '') { + $query = prepare('UPDATE `mods` SET `password` = SHA1(:password) WHERE `id` = :id'); + $query->bindValue(':id', $uid); + $query->bindValue(':password', $_POST['password']); + $query->execute() or error(db_error($query)); + + modLog('Changed password for ' . utf8tohtml($_POST['username']) . ' (#' . $user['id'] . ')'); + + if ($uid == $mod['id']) { + login($_POST['username'], $_POST['password']); + setCookies(); + } + } + + if (hasPermission($config['mod']['manageusers'])) + header('Location: ?/users', true, $config['redirect_http']); + else + header('Location: ?/', true, $config['redirect_http']); + + return; + } + + if (hasPermission($config['mod']['change_password']) && $uid == $mod['id'] && isset($_POST['password'])) { + if ($_POST['password'] != '') { + $query = prepare('UPDATE `mods` SET `password` = SHA1(:password) WHERE `id` = :id'); + $query->bindValue(':id', $uid); + $query->bindValue(':password', $_POST['password']); + $query->execute() or error(db_error($query)); + + modLog('Changed own password'); + + login($user['username'], $_POST['password']); + setCookies(); + } + + if (hasPermission($config['mod']['manageusers'])) + header('Location: ?/users', true, $config['redirect_http']); + else + header('Location: ?/', true, $config['redirect_http']); + + return; + } + + if (hasPermission($config['mod']['modlog'])) { + $query = prepare('SELECT * FROM `modlogs` WHERE `mod` = :id ORDER BY `time` DESC LIMIT 5'); + $query->bindValue(':id', $uid); + $query->execute() or error(db_error($query)); + $log = $query->fetchAll(PDO::FETCH_ASSOC); + } else { + $log = array(); + } + + $user['boards'] = explode(',', $user['boards']); + + mod_page(_('Edit user'), 'mod/user.html', array('user' => $user, 'logs' => $log, 'boards' => listBoards())); +} + +function mod_user_new() { + global $pdo, $config; + + if (!hasPermission($config['mod']['createusers'])) + error($config['error']['noaccess']); + + if (isset($_POST['username'], $_POST['password'], $_POST['type'])) { + if ($_POST['username'] == '') + error(sprintf($config['error']['required'], 'username')); + if ($_POST['password'] == '') + error(sprintf($config['error']['required'], 'password')); + + if (isset($_POST['allboards'])) { + $boards = array('*'); + } else { + $_boards = listBoards(); + foreach ($_boards as &$board) { + $board = $board['uri']; + } + + $boards = array(); + foreach ($_POST as $name => $value) { + if (preg_match('/^board_(\w+)$/', $name, $matches) && in_array($matches[1], $_boards)) + $boards[] = $matches[1]; + } + } + + $_POST['type'] = (int) $_POST['type']; + if ($_POST['type'] !== JANITOR && $_POST['type'] !== MOD && $_POST['type'] !== ADMIN) + error(sprintf($config['error']['invalidfield'], 'type')); + + $query = prepare('INSERT INTO `mods` VALUES (NULL, :username, SHA1(:password), :type, :boards)'); + $query->bindValue(':username', $_POST['username']); + $query->bindValue(':password', $_POST['password']); + $query->bindValue(':type', $_POST['type']); + $query->bindValue(':boards', implode(',', $boards)); + $query->execute() or error(db_error($query)); + + $userID = $pdo->lastInsertId(); + + modLog('Created a new user: ' . utf8tohtml($_POST['username']) . ' (#' . $userID . ')'); + + header('Location: ?/users', true, $config['redirect_http']); + return; + } + + mod_page(_('Edit user'), 'mod/user.html', array('new' => true, 'boards' => listBoards())); +} + + +function mod_users() { + global $config; + + if (!hasPermission($config['mod']['manageusers'])) + error($config['error']['noaccess']); + + $query = query("SELECT *, (SELECT `time` FROM `modlogs` WHERE `mod` = `id` ORDER BY `time` DESC LIMIT 1) AS `last`, (SELECT `text` FROM `modlogs` WHERE `mod` = `id` ORDER BY `time` DESC LIMIT 1) AS `action` FROM `mods` ORDER BY `type` DESC,`id`") or error(db_error()); + $users = $query->fetchAll(PDO::FETCH_ASSOC); + + mod_page(sprintf('%s (%d)', _('Manage users'), count($users)), 'mod/users.html', array('users' => $users)); +} + +function mod_user_promote($uid, $action) { + global $config; + + if (!hasPermission($config['mod']['promoteusers'])) + error($config['error']['noaccess']); + + $query = prepare("UPDATE `mods` SET `type` = `type` " . ($action == 'promote' ? "+1 WHERE `type` < " . (int)ADMIN : "-1 WHERE `type` > " . (int)JANITOR) . " AND `id` = :id"); + $query->bindValue(':id', $uid); + $query->execute() or error(db_error($query)); + + modLog(($action == 'promote' ? 'Promoted' : 'Demoted') . " user #{$uid}"); + + header('Location: ?/users', true, $config['redirect_http']); +} + +function mod_pm($id, $reply = false) { + global $mod, $config; + + if ($reply && !hasPermission($config['mod']['create_pm'])) + error($config['error']['noaccess']); + + $query = prepare("SELECT `mods`.`username`, `mods_to`.`username` AS `to_username`, `pms`.* FROM `pms` LEFT JOIN `mods` ON `mods`.`id` = `sender` LEFT JOIN `mods` AS `mods_to` ON `mods_to`.`id` = `to` WHERE `pms`.`id` = :id"); + $query->bindValue(':id', $id); + $query->execute() or error(db_error($query)); + + if ((!$pm = $query->fetch(PDO::FETCH_ASSOC)) || ($pm['to'] != $mod['id'] && !hasPermission($config['mod']['master_pm']))) + error($config['error']['404']); + + if (isset($_POST['delete'])) { + $query = prepare("DELETE FROM `pms` WHERE `id` = :id"); + $query->bindValue(':id', $id); + $query->execute() or error(db_error($query)); + + if ($config['cache']['enabled']) { + cache::delete('pm_unread_' . $mod['id']); + cache::delete('pm_unreadcount_' . $mod['id']); + } + + header('Location: ?/', true, $config['redirect_http']); + return; + } + + if ($pm['unread'] && $pm['to'] == $mod['id']) { + $query = prepare("UPDATE `pms` SET `unread` = 0 WHERE `id` = :id"); + $query->bindValue(':id', $id); + $query->execute() or error(db_error($query)); + + if ($config['cache']['enabled']) { + cache::delete('pm_unread_' . $mod['id']); + cache::delete('pm_unreadcount_' . $mod['id']); + } + + modLog('Read a PM'); + } + + if ($reply) { + if (!$pm['to_username']) + error($config['error']['404']); // deleted? + + mod_page(sprintf('%s %s', _('New PM for'), $pm['to_username']), 'mod/new_pm.html', array( + 'username' => $pm['username'], 'id' => $pm['sender'], 'message' => quote($pm['message']) + )); + } else { + mod_page(sprintf('%s – #%d', _('Private message'), $id), 'mod/pm.html', $pm); + } +} + +function mod_inbox() { + global $config, $mod; + + $query = prepare('SELECT `unread`,`pms`.`id`, `time`, `sender`, `to`, `message`, `username` FROM `pms` LEFT JOIN `mods` ON `mods`.`id` = `sender` WHERE `to` = :mod ORDER BY `unread` DESC, `time` DESC'); + $query->bindValue(':mod', $mod['id']); + $query->execute() or error(db_error($query)); + $messages = $query->fetchAll(PDO::FETCH_ASSOC); + + $query = prepare('SELECT COUNT(*) FROM `pms` WHERE `to` = :mod AND `unread` = 1'); + $query->bindValue(':mod', $mod['id']); + $query->execute() or error(db_error($query)); + $unread = $query->fetchColumn(0); + + foreach ($messages as &$message) { + $message['snippet'] = pm_snippet($message['message']); + } + + mod_page(sprintf('%s (%s)', _('PM inbox'), count($messages) > 0 ? $unread . ' unread' : 'empty'), 'mod/inbox.html', array( + 'messages' => $messages, + 'unread' => $unread + )); +} + + +function mod_new_pm($username) { + global $config, $mod; + + if (!hasPermission($config['mod']['create_pm'])) + error($config['error']['noaccess']); + + $query = prepare("SELECT `id` FROM `mods` WHERE `username` = :username"); + $query->bindValue(':username', $username); + $query->execute() or error(db_error($query)); + if (!$id = $query->fetchColumn(0)) { + // Old style ?/PM: by user ID + $query = prepare("SELECT `username` FROM `mods` WHERE `id` = :username"); + $query->bindValue(':username', $username); + $query->execute() or error(db_error($query)); + if ($username = $query->fetchColumn(0)) + header('Location: ?/new_PM/' . $username, true, $config['redirect_http']); + else + error($config['error']['404']); + } + + if (isset($_POST['message'])) { + markup($_POST['message']); + + $query = prepare("INSERT INTO `pms` VALUES (NULL, :me, :id, :message, :time, 1)"); + $query->bindValue(':me', $mod['id']); + $query->bindValue(':id', $id); + $query->bindValue(':message', $_POST['message']); + $query->bindValue(':time', time()); + $query->execute() or error(db_error($query)); + + if ($config['cache']['enabled']) { + cache::delete('pm_unread_' . $id); + cache::delete('pm_unreadcount_' . $id); + } + + modLog('Sent a PM to ' . utf8tohtml($username)); + + header('Location: ?/', true, $config['redirect_http']); + } + + mod_page(sprintf('%s %s', _('New PM for'), $username), 'mod/new_pm.html', array('username' => $username, 'id' => $id)); +} + +function mod_rebuild() { + global $config, $twig; + + if (!hasPermission($config['mod']['rebuild'])) + error($config['error']['noaccess']); + + if (isset($_POST['rebuild'])) { + $log = array(); + $boards = listBoards(); + $rebuilt_scripts = array(); + + if (isset($_POST['rebuild_cache'])) { + if ($config['cache']['enabled']) { + $log[] = 'Flushing cache'; + Cache::flush(); + } + + $log[] = 'Clearing template cache'; + load_twig(); + $twig->clearCacheFiles(); + } + + if (isset($_POST['rebuild_themes'])) { + $log[] = 'Regenerating theme files'; + rebuildThemes('all'); + } + + if (isset($_POST['rebuild_javascript'])) { + $log[] = 'Rebuilding ' . $config['file_script'] . ''; + buildJavascript(); + $rebuilt_scripts[] = $config['file_script']; + } + + foreach ($boards as $board) { + if (!(isset($_POST['boards_all']) || isset($_POST['board_' . $board['uri']]))) + continue; + + openBoard($board['uri']); + + if (isset($_POST['rebuild_index'])) { + buildIndex(); + $log[] = '' . sprintf($config['board_abbreviation'], $board['uri']) . ': Creating index pages'; + } + + if (isset($_POST['rebuild_javascript']) && !in_array($config['file_script'], $rebuilt_scripts)) { + $log[] = '' . sprintf($config['board_abbreviation'], $board['uri']) . ': Rebuilding ' . $config['file_script'] . ''; + buildJavascript(); + $rebuilt_scripts[] = $config['file_script']; + } + + if (isset($_POST['rebuild_thread'])) { + $query = query(sprintf("SELECT `id` FROM `posts_%s` WHERE `thread` IS NULL", $board['uri'])) or error(db_error()); + while ($post = $query->fetch(PDO::FETCH_ASSOC)) { + $log[] = '' . sprintf($config['board_abbreviation'], $board['uri']) . ': Rebuilding thread #' . $post['id']; + buildThread($post['id']); + } + } + } + + mod_page(_('Rebuild'), 'mod/rebuilt.html', array('logs' => $log)); + return; + } + + mod_page(_('Rebuild'), 'mod/rebuild.html', array('boards' => listBoards())); +} + +function mod_reports() { + global $config, $mod; + + if (!hasPermission($config['mod']['reports'])) + error($config['error']['noaccess']); + + $query = prepare("SELECT * FROM `reports` ORDER BY `time` DESC LIMIT :limit"); + $query->bindValue(':limit', $config['mod']['recent_reports'], PDO::PARAM_INT); + $query->execute() or error(db_error($query)); + $reports = $query->fetchAll(PDO::FETCH_ASSOC); + + $report_queries = array(); + foreach ($reports as $report) { + if (!isset($report_queries[$report['board']])) + $report_queries[$report['board']] = array(); + $report_queries[$report['board']][] = $report['post']; + } + + $report_posts = array(); + foreach ($report_queries as $board => $posts) { + $report_posts[$board] = array(); + + $query = query(sprintf('SELECT * FROM `posts_%s` WHERE `id` = ' . implode(' OR `id` = ', $posts), $board)) or error(db_error()); + while ($post = $query->fetch()) { + $report_posts[$board][$post['id']] = $post; + } + } + + $count = 0; + $body = ''; + foreach ($reports as $report) { + if (!isset($report_posts[$report['board']][$report['post']])) { + // // Invalid report (post has since been deleted) + $query = prepare("DELETE FROM `reports` WHERE `post` = :id AND `board` = :board"); + $query->bindValue(':id', $report['post'], PDO::PARAM_INT); + $query->bindValue(':board', $report['board']); + $query->execute() or error(db_error($query)); + continue; + } + + openBoard($report['board']); + + $post = &$report_posts[$report['board']][$report['post']]; + + if (!$post['thread']) { + // Still need to fix this: + $po = new Thread( + $post['id'], $post['subject'], $post['email'], $post['name'], $post['trip'], + $post['capcode'], $post['body'], $post['time'], $post['thumb'], + $post['thumbwidth'], $post['thumbheight'], $post['file'], $post['filewidth'], + $post['fileheight'], $post['filesize'], $post['filename'], $post['ip'], $post['sticky'], + $post['locked'], $post['sage'], $post['embed'], '?/', $mod, false + ); + } else { + $po = new Post( + $post['id'], $post['thread'], $post['subject'], $post['email'], $post['name'], $post['trip'], $post['capcode'], + $post['body'], $post['time'], $post['thumb'], $post['thumbwidth'], $post['thumbheight'], $post['file'], $post['filewidth'], + $post['fileheight'], $post['filesize'], $post['filename'], $post['ip'], $post['embed'], '?/', $mod + ); + } + + // a little messy and inefficient + $append_html = Element('mod/report.html', array('report' => $report, 'config' => $config, 'mod' => $mod)); + + // Bug fix for https://github.com/savetheinternet/Tinyboard/issues/21 + $po->body = truncate($po->body, $po->link(), $config['body_truncate'] - substr_count($append_html, '
- '; + + $_body = ''; + while($notice = $query->fetch()) { + $_body .= '
- ' . + ($notice['subject'] ? + $notice['subject'] + : + '' . _('no subject') . '' + ) . + ' — by ' . + (isset($notice['username']) ? + utf8tohtml($notice['username']) + : '???') . + ' at ' . + strftime($config['post_date'], $notice['time']) . + ' '; + } + if(!empty($_body)) { + $fieldset['Noticeboard'] .= '
- '; + } + if($config['cache']['enabled']) + cache::set('noticeboard_preview', $fieldset['Noticeboard']); + } + + $fieldset['Noticeboard'] .= '' . _('View all entries') . ' '; + + $query = prepare("SELECT COUNT(*) AS `count` FROM `pms` WHERE `to` = :id AND `unread` = 1"); + $query->bindValue(':id', $mod['id']); + $query->execute() or error(db_error($query)); + $count = $query->fetch(); + $count = $count['count']; + + $fieldset['Noticeboard'] .= '
- ' . _('PM Inbox') . + ($count > 0 + ? + ' (' . $count . ' unread)' + : '') . + ' '; + + $fieldset['Noticeboard'] .= '
- ' . _('News') . ' '; + } + + + if(hasPermission($config['mod']['reports'])) { + $fieldset['Administration'] .= '
- ' . _('Report queue') . ' '; + } + if(hasPermission($config['mod']['view_banlist'])) { + $fieldset['Administration'] .= '
- ' . _('Ban list') . ' '; + } + if(hasPermission($config['mod']['manageusers'])) { + $fieldset['Administration'] .= '
- ' . _('Manage users') . ' '; + } elseif(hasPermission($config['mod']['change_password'])) { + $fieldset['Administration'] .= '
- ' . _('Change own password') . ' '; + } + if(hasPermission($config['mod']['modlog'])) { + $fieldset['Administration'] .= '
- ' . _('Moderation log') . ' '; + } + if(hasPermission($config['mod']['rebuild'])) { + $fieldset['Administration'] .= '
- ' . _('Rebuild static files') . ' '; + } + if(hasPermission($config['mod']['rebuild']) && $config['cache']['enabled']) { + $fieldset['Administration'] .= '
- ' . _('Clear cache') . ' '; + } + if(hasPermission($config['mod']['show_config'])) { + $fieldset['Administration'] .= '
- ' . _('Show configuration') . ' '; + } + + if(hasPermission($config['mod']['themes'])) { + $fieldset['Themes'] .= '
- ' . _('Manage themes') . ' '; + } + + if(hasPermission($config['mod']['search'])) { + $fieldset['Search'] .= '
- ' .
+ '
' . _('(Search is case-insensitive, and based on keywords. To match exact phrases, use "quotes". Use an asterisk (*) for wildcard.)') . '
' . + ' ';
+ }
+
+ if($mod['type'] >= ADMIN && $config['check_updates']) {
+ if(!$config['version'])
+ error(_('Could not find current version! (Check .installed)'));
+ if(isset($_COOKIE['update'])) {
+ $latest = unserialize($_COOKIE['update']);
+ } else {
+ $ctx = stream_context_create(array(
+ 'http' => array(
+ 'timeout' => 3
+ )
+ )
+ );
+
+ if($code = @file_get_contents('http://tinyboard.org/version.txt', 0, $ctx)) {
+ eval($code);
+ if(preg_match('/v(\d+)\.(\d)\.(\d+)(-dev.+)?$/', $config['version'], $m)) {
+ $current = array(
+ 'massive' => (int)$m[1],
+ 'major' => (int)$m[2],
+ 'minor' => (int)$m[3]
+ );
+ if(isset($m[4])) {
+ // Development versions are always ahead in the versioning numbers
+ $current['minor'] --;
+ }
+ }
+ // Check if it's newer
+ if( $latest['massive'] > $current['massive'] ||
+ $latest['major'] > $current['major'] ||
+ ($latest['massive'] == $current['massive'] &&
+ $latest['major'] == $current['major'] &&
+ $latest['minor'] > $current['minor']
+ )) {
+ $latest = $latest;
+ } else $latest = false;
+ } else {
+ // Couldn't get latest version
+ // TODO: Display some sort of warning message
+ $latest = false;
+ }
+
+
+ setcookie('update', serialize($latest), time() + $config['check_updates_time'], $config['cookies']['jail'] ? $config['cookies']['path'] : '/', null, false, true);
+ }
+
+ if($latest) {
+ $fieldset['Update'] .=
+ ' - A newer version of Tinyboard (v' . + $latest['massive'] . '.' . + $latest['major'] . '.' . + $latest['minor'] . + ') is available! See http://tinyboard.org/ for upgrade instructions. '; + } + } + + $fieldset['Logout'] .= '
- ' . _('Logout') . ' '; + + // TODO: Statistics, etc, in the dashboard. + + $body = ''; + foreach($fieldset as $title => $data) { + if($data) + $body .= ''; + } + + echo Element('page.html', array( + 'config'=>$config, + 'title'=>_('Dashboard'), + 'body'=>$body, + '__mod'=>true + )); + } elseif(preg_match('/^\/logout$/', $query)) { + destroyCookies(); + + header('Location: ?/', true, $config['redirect_http']); + } elseif(preg_match('/^\/confirm\/(.+)$/', $query, $matches)) { + $uri = &$matches[1]; + + $body = '
- ' . $error . ' '; + } + $body .= '
- opening and ending tags)
+function ulBoards() {
+ global $mod, $config;
+
+ $body = '';
+
+ // List of boards
+ $boards = listBoards();
+
+ foreach ($boards as &$b) {
+ $body .= '
- element with a list of linked
-// boards and their subtitles. (without the
- opening and ending tags)
-function ulBoards() {
- global $mod, $config;
-
- $body = '';
-
- // List of boards
- $boards = listBoards();
-
- foreach ($boards as &$b) {
- $body .= '
')); + + if (mb_strlen($po->body) + mb_strlen($append_html) > $config['body_truncate_char']) { + // still too long; temporarily increase limit in the config + $__old_body_truncate_char = $config['body_truncate_char']; + $config['body_truncate_char'] = mb_strlen($po->body) + mb_strlen($append_html); + } + + $po->body .= $append_html; + + $body .= $po->build(true) . '
'; + + if (isset($__old_body_truncate_char)) + $config['body_truncate_char'] = $__old_body_truncate_char; + + $count++; + } + + mod_page(sprintf('%s (%d)', _('Report queue'), $count), 'mod/reports.html', array('reports' => $body, 'count' => $count)); +} + +function mod_report_dismiss($id, $all = false) { + global $config; + + $query = prepare("SELECT `post`, `board`, `ip` FROM `reports` WHERE `id` = :id"); + $query->bindValue(':id', $id); + $query->execute() or error(db_error($query)); + if ($report = $query->fetch(PDO::FETCH_ASSOC)) { + $ip = $report['ip']; + $board = $report['board']; + $post = $report['post']; + } else + error($config['error']['404']); + + if (!$all && !hasPermission($config['mod']['report_dismiss'], $board)) + error($config['error']['noaccess']); + + if ($all && !hasPermission($config['mod']['report_dismiss_ip'], $board)) + error($config['error']['noaccess']); + + if ($all) { + $query = prepare("DELETE FROM `reports` WHERE `ip` = :ip"); + $query->bindValue(':ip', $ip); + } else { + $query = prepare("DELETE FROM `reports` WHERE `id` = :id"); + $query->bindValue(':id', $id); + } + $query->execute() or error(db_error($query)); + + + if ($all) + modLog("Dismissed all reports by $ip"); + else + modLog("Dismissed a report for post #{$id}", $board); + + header('Location: ?/reports', true, $config['redirect_http']); +} + + +function mod_config() { + global $config, $mod; + + if (!hasPermission($config['mod']['edit_config'])) + error($config['error']['noaccess']); + + require_once 'inc/mod/config-editor.php'; + + $conf = config_vars(); + + foreach ($conf as &$var) { + if (is_array($var['name'])) { + $c = &$config; + foreach ($var['name'] as $n) + $c = &$c[$n]; + } else { + $c = $config[$var['name']]; + } + + $var['value'] = $c; + } + unset($var); + + if (isset($_POST['save'])) { + $config_append = ''; + + foreach ($conf as $var) { + $field_name = 'cf_' . (is_array($var['name']) ? implode('/', $var['name']) : $var['name']); + + if ($var['type'] == 'boolean') + $value = isset($_POST[$field_name]); + elseif (isset($_POST[$field_name])) + $value = $_POST[$field_name]; + else + continue; // ??? + + if (!settype($value, $var['type'])) + continue; // invalid + + if ($value != $var['value']) { + // This value has been changed. + + $config_append .= '$config'; + + if (is_array($var['name'])) { + foreach ($var['name'] as $name) + $config_append .= '[' . var_export($name, true) . ']'; + } else { + $config_append .= '[' . var_export($var['name'], true) . ']'; + } + + $config_append .= ' = ' . var_export($value, true) . ";\n"; + } + } + + if (!empty($config_append)) { + $config_append = "\n// Changes made via web editor by \"" . $mod['username'] . "\" @ " . date('r') . ":\n" . $config_append . "\n"; + + if (!@file_put_contents('inc/instance-config.php', $config_append, FILE_APPEND)) { + $config_append = htmlentities($config_append); + + if ($config['minify_html']) + $config_append = str_replace("\n", ' ', $config_append); + $page = array(); + $page['title'] = 'Cannot write to file!'; + $page['config'] = $config; + $page['body'] = ' +
Tinyboard could not write to inc/instance-config.php with the ammended configuration, probably due to a permissions error.
+You may proceed with these changes manually by copying and pasting the following code to the end of inc/instance-config.php:
+ + '; + echo Element('page.html', $page); + exit; + } + } + + header('Location: ?/', true, $config['redirect_http']); + + exit; + } + + mod_page(_('Config editor'), 'mod/config-editor.html', array('conf' => $conf)); +} + +function mod_debug_antispam() { + global $pdo, $config; + + $args = array(); + + if (isset($_POST['board'], $_POST['thread'])) { + $where = '`board` = ' . $pdo->quote($_POST['board']); + if ($_POST['thread'] != '') + $where .= ' AND `thread` = ' . $pdo->quote($_POST['thread']); + + if (isset($_POST['purge'])) { + $query = prepare('UPDATE `antispam` SET `expires` = UNIX_TIMESTAMP() + :expires WHERE' . $where); + $query->bindValue(':expires', $config['spam']['hidden_inputs_expire']); + $query->execute() or error(db_error()); + } + + $args['board'] = $_POST['board']; + $args['thread'] = $_POST['thread']; + } else { + $where = ''; + } + + $query = query('SELECT COUNT(*) FROM `antispam`' . ($where ? " WHERE $where" : '')) or error(db_error()); + $args['total'] = number_format($query->fetchColumn(0)); + + $query = query('SELECT COUNT(*) FROM `antispam` WHERE `expires` IS NOT NULL' . ($where ? " AND $where" : '')) or error(db_error()); + $args['expiring'] = number_format($query->fetchColumn(0)); + + $query = query('SELECT * FROM `antispam` ' . ($where ? "WHERE $where" : '') . ' ORDER BY `passed` DESC LIMIT 40') or error(db_error()); + $args['top'] = $query->fetchAll(PDO::FETCH_ASSOC); + + mod_page(_('Debug: Anti-spam'), 'mod/debug/antispam.html', $args); +} + +function mod_themes_list() { + global $config; + + if (!hasPermission($config['mod']['themes'])) + error($config['error']['noaccess']); + + if(!is_dir($config['dir']['themes'])) + error(_('Themes directory doesn\'t exist!')); + if(!$dir = opendir($config['dir']['themes'])) + error(_('Cannot open themes directory; check permissions.')); + + $query = query('SELECT `theme` FROM `theme_settings` WHERE `name` IS NULL AND `value` IS NULL') or error(db_error()); + $themes_in_use = $query->fetchAll(PDO::FETCH_COLUMN); + + // Scan directory for themes + $themes = array(); + while ($file = readdir($dir)) { + if ($file[0] != '.' && is_dir($config['dir']['themes'] . '/' . $file)) { + $themes[$file] = loadThemeConfig($file); + } + } + closedir($dir); + + mod_page(_('Manage themes'), 'mod/themes.html', array( + 'themes' => $themes, + 'themes_in_use' => $themes_in_use, + )); +} + +function mod_theme_configure($theme_name) { + global $config; + + if (!hasPermission($config['mod']['themes'])) + error($config['error']['noaccess']); + + if(!$theme = loadThemeConfig($theme_name)) { + error($config['error']['invalidtheme']); + } + + if(isset($_POST['install'])) { + // Check if everything is submitted + foreach($theme['config'] as &$conf) { + if(!isset($_POST[$conf['name']]) && $conf['type'] != 'checkbox') + error(sprintf($config['error']['required'], $c['title'])); + } + + // Clear previous settings + $query = prepare("DELETE FROM `theme_settings` WHERE `theme` = :theme"); + $query->bindValue(':theme', $theme_name); + $query->execute() or error(db_error($query)); + + foreach($theme['config'] as &$conf) { + $query = prepare("INSERT INTO `theme_settings` VALUES(:theme, :name, :value)"); + $query->bindValue(':theme', $theme_name); + $query->bindValue(':name', $conf['name']); + $query->bindValue(':value', $_POST[$conf['name']]); + $query->execute() or error(db_error($query)); + } + + $query = prepare("INSERT INTO `theme_settings` VALUES(:theme, NULL, NULL)"); + $query->bindValue(':theme', $theme_name); + $query->execute() or error(db_error($query)); + + $result = true; + $message = false; + if(isset($theme['install_callback'])) { + $ret = $theme['install_callback'](themeSettings($theme_name)); + if($ret && !empty($ret)) { + if(is_array($ret) && count($ret) == 2) { + $result = $ret[0]; + $message = $ret[1]; + } + } + } + + if(!$result) { + // Install failed + $query = prepare("DELETE FROM `theme_settings` WHERE `theme` = :theme"); + $query->bindValue(':theme', $theme_name); + $query->execute() or error(db_error($query)); + } + + // Build themes + rebuildThemes('all'); + + mod_page(sprintf(_($result ? 'Installed theme: %s' : 'Installation failed: %s'), $theme['name']), 'mod/theme_installed.html', array( + 'theme_name' => $theme_name, + 'theme' => $theme, + 'result' => $result, + 'message' => $message, + )); + } + + $settings = themeSettings($theme_name); + + mod_page(sprintf(_('Configuring theme: %s'), $theme['name']), 'mod/theme_config.html', array( + 'theme_name' => $theme_name, + 'theme' => $theme, + 'settings' => $settings, + )); +} + +function mod_theme_uninstall($theme_name) { + global $config; + + if (!hasPermission($config['mod']['themes'])) + error($config['error']['noaccess']); + + $query = prepare("DELETE FROM `theme_settings` WHERE `theme` = :theme"); + $query->bindValue(':theme', $theme_name); + $query->execute() or error(db_error($query)); + + header('Location: ?/themes', true, $config['redirect_http']); +} + +function mod_theme_rebuild($theme_name) { + global $config; + + if (!hasPermission($config['mod']['themes'])) + error($config['error']['noaccess']); + + rebuildTheme($theme_name, 'all'); + + mod_page(sprintf(_('Rebuilt theme: %s'), $theme_name), 'mod/theme_rebuilt.html', array( + 'theme_name' => $theme_name, + )); +} diff --git a/inc/template.php b/inc/template.php index 8d679d25..351bde62 100644 --- a/inc/template.php +++ b/inc/template.php @@ -27,7 +27,7 @@ function load_twig() { $twig = new Twig_Environment($loader, array( 'autoescape' => false, 'cache' => "{$config['dir']['template']}/cache", - 'debug' => ($config['debug'] ? true : false), + 'debug' => $config['debug'] )); $twig->addExtension(new Twig_Extensions_Extension_Tinyboard()); $twig->addExtension(new Twig_Extensions_Extension_I18n()); @@ -39,7 +39,7 @@ function Element($templateFile, array $options) { if (!$twig) load_twig(); - if (function_exists('create_pm_header') && ((isset($options['mod']) && $options['mod']) || isset($options['__mod']))) { + if (function_exists('create_pm_header') && ((isset($options['mod']) && $options['mod']) || isset($options['__mod'])) && !preg_match('!^mod/!', $templateFile)) { $options['pm'] = create_pm_header(); } diff --git a/install.php b/install.php index 2e732c4c..1e872911 100644 --- a/install.php +++ b/install.php @@ -1,7 +1,7 @@ str_replace('%s', '(\w{1,8})', preg_quote($config['board_path'], '/')), + 'page' => str_replace('%d', '(\d+)', preg_quote($config['file_page'], '/')), + 'img' => preg_quote($config['dir']['img'], '/'), + 'thumb' => preg_quote($config['dir']['thumb'], '/'), + 'res' => preg_quote($config['dir']['res'], '/'), + 'index' => preg_quote($config['file_index'], '/') + ); + + if(preg_match('/^\/?$/', $query)) { + // Dashboard + $fieldset = array( + 'Boards' => '', + 'Noticeboard' => '', + 'Administration' => '', + 'Themes' => '', + 'Search' => '', + 'Update' => '', + 'Logout' => '' + ); + + // Boards + $fieldset['Boards'] .= ulBoards(); + + if(hasPermission($config['mod']['noticeboard'])) { + if(!$config['cache']['enabled'] || !($fieldset['Noticeboard'] = cache::get('noticeboard_preview'))) { + $query = prepare("SELECT `noticeboard`.*, `username` FROM `noticeboard` LEFT JOIN `mods` ON `mods`.`id` = `mod` ORDER BY `id` DESC LIMIT :limit"); + $query->bindValue(':limit', $config['mod']['noticeboard_dashboard'], PDO::PARAM_INT); + $query->execute() or error(db_error($query)); + + $fieldset['Noticeboard'] .= '- ' . $_body . '
' . + 'Are you sure you want to do that?' . + 'We were unable to serve a confirmation dialog for ' . + '?/' . utf8tohtml($uri) . '' . + ', probably due to Javascript being disabled.' . + '
' . + ''; + + echo Element('page.html', array( + 'config'=>$config, + 'title'=>'Confirm', + 'body'=>$body, + 'mod'=>true + ) + ); + } elseif(preg_match('/^\/upgrade$/', $query)) { + if($mod['type'] != ADMIN) + error($config['error']['noaccess']); + + if(is_dir('.git')) { + // use git instead + + $body = 'git pull
'; + $body .= '' . str_replace("\n", '
', shell_exec('git pull')) . '
Error(s) upgrading
Tinyboard can not self-upgrade until the following is fixed:
- ';
+ foreach($errors as $error) {
+ $body .= '
Please fix the above errors and refresh to try again.
Upgrading seems to have gone okay. You are now at revision ' . $version . '.
' + )); + } elseif(preg_match('/^\/log(\/(\d+))?$/', $query, $match)) { + if(!hasPermission($config['mod']['modlog'])) error($config['error']['noaccess']); + + $page = isset($match[2]) ? $match[2] : 1; + + $boards = array(); + $_boards = listBoards(); + foreach($_boards as &$_b) { + $boards[$_b['id']] = $_b['uri']; + } + + $query = prepare("SELECT `mod` as `id`, `username`, `ip`, `board`, `time`, `text` FROM `modlogs` LEFT JOIN `mods` ON `mod` = `mods`.`id` ORDER BY `time` DESC LIMIT :offset, :limit"); + $query->bindValue(':limit', $config['mod']['modlog_page'], PDO::PARAM_INT); + $query->bindValue(':offset', ($page - 1) * $config['mod']['modlog_page'], PDO::PARAM_INT); + $query->execute() or error(db_error($query)); + + if(!$query->rowCount()) { + $body = '(Nothing to display.)
'; + } else { + $body = '| ' . _('User') . ' | ' . + '' . _('IP address') . ' | ' . + '' . _('Ago') . ' | ' . + '' . _('Board') . ' | ' . + '' . _('Action') . ' | ' . + '
|---|---|---|---|---|
| ' . + ($log['username'] ? + '' . $log['username'] . '' + : '' . ($log['id'] < 0 ? 'system' : 'deleted?') . '') . + ' | ' . + '' . ($log['id'] < 0 ? '–' : '' . $log['ip'] . '') . ' | ' . + '' . ago($log['time']) . ' | ' . + '' . + ($log['board'] ? + '' . sprintf($config['board_abbreviation'], $log['board']) . ' | ' + : '-') . + '' . $log['text'] . ' | ' . + '
'; + for($x = 0; $x < $count['count'] / $config['mod']['modlog_page']; $x ++) { + $body .= '[' . ($x + 1) . '] '; + } + $body .= '
'; + } + + echo Element('page.html', array( + 'config'=>$config, + 'title'=>_('Moderation log'), + 'body'=>$body, + 'mod'=>true + ) + ); + } elseif(preg_match('/^\/themes\/none$/', $query, $match)) { + if(!hasPermission($config['mod']['themes'])) error($config['error']['noaccess']); + + // Clearsettings + query("TRUNCATE TABLE `theme_settings`") or error(db_error()); + + echo Element('page.html', array( + 'config'=>$config, + 'title'=>'No theme', + 'body'=>'Successfully uninstalled all themes.
' . + '', + 'mod'=>true + ) + ); + } elseif(preg_match('/^\/themes\/([\w\-]+)\/rebuild$/', $query, $match)) { + if(!hasPermission($config['mod']['themes'])) error($config['error']['noaccess']); + + rebuildTheme($match[1], 'all'); + + echo Element('page.html', array( + 'config'=>$config, + 'title'=>'Rebuilt', + 'body'=>'Successfully rebuilt the ' . $match[1] . ' theme.
' . + '', + 'mod'=>true + ) + ); + } elseif(preg_match('/^\/themes\/(\w+)\/uninstall$/', $query, $match)) { + if(!hasPermission($config['mod']['themes'])) error($config['error']['noaccess']); + + $query = prepare("DELETE FROM `theme_settings` WHERE `theme` = :theme"); + $query->bindValue(':theme', $match[1]); + $query->execute() or error(db_error($query)); + + echo Element('page.html', array( + 'config'=>$config, + 'title'=>'Uninstalled', + 'body'=>'Successfully uninstalled the ' . $match[1] . ' theme.
' . + '', + 'mod'=>true + ) + ); + } elseif(preg_match('/^\/themes(\/([\w\-]+))?$/', $query, $match)) { + if(!hasPermission($config['mod']['themes'])) error($config['error']['noaccess']); + + if(!is_dir($config['dir']['themes'])) + error(_('Themes directory doesn\'t exist!')); + if(!$dir = opendir($config['dir']['themes'])) + error(_('Cannot open themes directory; check permissions.')); + + if(isset($match[2])) { + $_theme = &$match[2]; + + if(!$theme = loadThemeConfig($_theme)) { + error($config['error']['invalidtheme']); + } + + if(isset($_POST['install'])) { + // Check if everything is submitted + foreach($theme['config'] as &$c) { + if(!isset($_POST[$c['name']]) && $c['type'] != 'checkbox') + error(sprintf($config['error']['required'], $c['title'])); + } + + // Clear previous settings + $query = prepare("DELETE FROM `theme_settings` WHERE `theme` = :theme"); + $query->bindValue(':theme', $_theme); + $query->execute() or error(db_error($query)); + + foreach($theme['config'] as &$c) { + $query = prepare("INSERT INTO `theme_settings` VALUES(:theme, :name, :value)"); + $query->bindValue(':theme', $_theme); + $query->bindValue(':name', $c['name']); + $query->bindValue(':value', $_POST[$c['name']]); + $query->execute() or error(db_error($query)); + } + + $query = prepare("INSERT INTO `theme_settings` VALUES(:theme, NULL, NULL)"); + $query->bindValue(':theme', $_theme); + $query->execute() or error(db_error($query)); + + $result = true; + $body = ''; + if(isset($theme['install_callback'])) { + $ret = $theme['install_callback'](themeSettings($_theme)); + if($ret && !empty($ret)) { + if(is_array($ret) && count($ret) == 2) { + $result = $ret[0]; + $ret = $ret[1]; + } + $body .= '' . $ret . '
';
+ }
+ }
+
+ if($result) {
+ $body .= 'Successfully installed and built theme.
'; + } else { + // install failed + $query = prepare("DELETE FROM `theme_settings` WHERE `theme` = :theme"); + $query->bindValue(':theme', $_theme); + $query->execute() or error(db_error($query)); + } + + $body .= ''; + + // Build themes + rebuildThemes('all'); + + echo Element('page.html', array( + 'config'=>$config, + 'title'=>($result ? 'Installed "' . utf8tohtml($theme['name']) . '"' : 'Installation failed!'), + 'body'=>$body, + 'mod'=>true + ) + ); + } else { + $body = '(No themes installed.)
'; + } else { + $body .= '| ' . _('Name') . ' | ' . + '' . utf8tohtml($theme['name']) . ' | ' . + '
|---|---|
| ' . _('Version') . ' | ' . + '' . utf8tohtml($theme['version']) . ' | ' . + '
| ' . _('Description') . ' | ' . + '' . $theme['description'] . ' | ' . + '
| ' . _('Thumbnail') . ' | ' . + ' | ' .
+ '
| ' . _('Actions') . ' | ' . + '
| ' .
+ '
' . _('Uninstall all themes.') . '
'; + + echo Element('page.html', array( + 'config'=>$config, + 'title'=>_('Manage themes'), + 'body'=>$body, + 'mod'=>true + ) + ); + } + } elseif(preg_match('/^\/noticeboard\/delete\/(\d+)$/', $query, $match)) { + if(!hasPermission($config['mod']['noticeboard_delete'])) error($config['error']['noaccess']); + + $query = prepare("DELETE FROM `noticeboard` WHERE `id` = :id"); + $query->bindValue(':id', $match[1], PDO::PARAM_INT); + $query->execute() or error(db_error($query)); + + if($config['cache']['enabled']) + cache::delete('noticeboard_preview'); + + header('Location: ?/noticeboard', true, $config['redirect_http']); + } elseif(preg_match('/^\/noticeboard$/', $query)) { + if(!hasPermission($config['mod']['noticeboard'])) error($config['error']['noaccess']); + + $body = ''; + + if(hasPermission($config['mod']['noticeboard_post']) && isset($_POST['subject']) && isset($_POST['body']) && !empty($_POST['body'])) { + $query = prepare("INSERT INTO `noticeboard` VALUES (NULL, :mod, :time, :subject, :body)"); + $query->bindValue(':mod', $mod['id'], PDO::PARAM_INT); + $query->bindvalue(':time', time(), PDO::PARAM_INT); + $query->bindValue(':subject', utf8tohtml($_POST['subject'])); + + markup($_POST['body']); + $query->bindValue(':body', $_POST['body']); + $query->execute() or error(db_error($query)); + + if($config['cache']['enabled']) + cache::delete('noticeboard_preview'); + + header('Location: ?/noticeboard#' . $pdo->lastInsertId(), true, $config['redirect_http']); + } else { + + if(hasPermission($config['mod']['noticeboard_post'])) { + $body .= ''; + } + + $query = prepare("SELECT `noticeboard`.*, `username` FROM `noticeboard` LEFT JOIN `mods` ON `mods`.`id` = `mod` ORDER BY `id` DESC LIMIT :limit"); + $query->bindValue(':limit', $config['mod']['noticeboard_display'], PDO::PARAM_INT); + $query->execute() or error(db_error($query)); + while($notice = $query->fetch()) { + $body .= '' .
+ (hasPermission($config['mod']['noticeboard_delete']) ?
+ '[delete]'
+ : '') .
+ '
';
+ }
+
+
+ echo Element('page.html', array(
+ 'config'=>$config,
+ 'title'=>_('Noticeboard'),
+ 'body'=>$body,
+ 'mod'=>true
+ )
+ );
+ }
+ } elseif(preg_match('/^\/news\/delete\/(\d+)$/', $query, $match)) {
+ if(!hasPermission($config['mod']['noticeboard_delete'])) error($config['error']['noaccess']);
+
+ $query = prepare("DELETE FROM `news` WHERE `id` = :id");
+ $query->bindValue(':id', $match[1], PDO::PARAM_INT);
+ $query->execute() or error(db_error($query));
+
+ rebuildThemes('news');
+
+ header('Location: ?/news', true, $config['redirect_http']);
+ } elseif(preg_match('/^\/news$/', $query)) {
+ $body = '';
+
+ if(hasPermission($config['mod']['news'])) {
+ if(isset($_POST['subject']) && isset($_POST['body']) && !empty($_POST['body'])) {
+ $query = prepare("INSERT INTO `news` VALUES (NULL, :name, :time, :subject, :body)");
+
+ if(isset($_POST['name']) && hasPermission($config['mod']['news_custom']))
+ $name = &$_POST['name'];
+ else
+ $name = &$mod['username'];
+
+ $query->bindValue(':name', utf8tohtml($name), PDO::PARAM_INT);
+ $query->bindvalue(':time', time(), PDO::PARAM_INT);
+ $query->bindValue(':subject', utf8tohtml($_POST['subject']));
+
+ markup($_POST['body']);
+ $query->bindValue(':body', $_POST['body']);
+ $query->execute() or error(db_error($query));
+
+ rebuildThemes('news');
+ }
+
+ $body .= '';
+ }
+
+ $query = prepare("SELECT * FROM `news` ORDER BY `id` DESC LIMIT :limit");
+ $query->bindValue(':limit', $config['mod']['noticeboard_display'], PDO::PARAM_INT);
+ $query->execute() or error(db_error($query));
+ while($news = $query->fetch()) {
+ $body .= '' . + ($notice['subject'] ? + $notice['subject'] + : + '' . _('no subject') . '' + ) . + ' — by ' . + (isset($notice['username']) ? + utf8tohtml($notice['username']) + : + '???' + ) . + ' at ' . + strftime($config['post_date'], $notice['time']) . + '
' . $notice['body'] . '
' .
+ (hasPermission($config['mod']['news_delete']) ?
+ '[delete]'
+ : '') .
+ '
';
+ }
+
+
+ echo Element('page.html', array(
+ 'config'=>$config,
+ 'title'=>_('News'),
+ 'body'=>$body,
+ 'mod'=>true
+ )
+ );
+ } elseif(preg_match('/^\/inbox\/readall$/', $query, $match)) {
+ $query = prepare("UPDATE `pms` SET `unread` = 0 WHERE `to` = :id");
+ $query->bindValue(':id', $mod['id'], PDO::PARAM_INT);
+ $query->execute() or error(db_error($query));
+
+ modLog('Marked all PMs as read');
+
+ header('Location: ?/inbox', true, $config['redirect_http']);
+ } elseif(preg_match('/^\/inbox$/', $query, $match)) {
+ $query = prepare("SELECT `unread`,`pms`.`id`, `time`, `sender`, `to`, `message`, `username` FROM `pms` LEFT JOIN `mods` ON `mods`.`id` = `sender` WHERE `to` = :mod ORDER BY `unread` DESC, `time` DESC");
+ $query->bindValue(':mod', $mod['id'], PDO::PARAM_INT);
+ $query->execute() or error(db_error($query));
+
+ if($query->rowCount() == 0) {
+ $body = '' . + ($news['subject'] ? + $news['subject'] + : + '' . _('no subject') . '' + ) . + ' — by ' . + $news['name'] . + ' at ' . + strftime($config['post_date'], $news['time']) . + '
' . $news['body'] . '
(' . _('No private messages for you.') . ')
'; + } else { + $unread_pms = 0; + + $body = '| ID | From | Date | Message snippet | ' . $pm['id'] . ' | ' . + '' . + ($pm['username'] ? + '' . $pm['username'] . '' + : 'deleted?') . + ' | ' . + '' . strftime($config['post_date'], $pm['time']) . ' | ' . + '' . pm_snippet($pm['message']) . ' | ' . + ''; + + if($pm['unread']) + $unread_pms++; + } + $body .= '
|---|
Message sent successfully to ' . utf8tohtml($to['username']) . '.
', + 'mod'=>true + ) + ); + } else { + $value = ''; + if(isset($match[3])) { + $reply = &$match[3]; + + $query = prepare("SELECT `message` FROM `pms` WHERE `sender` = :sender AND `to` = :mod AND `id` = :id"); + $query->bindValue(':sender', $to['id'], PDO::PARAM_INT); + $query->bindValue(':mod', $mod['id'], PDO::PARAM_INT); + $query->bindValue(':id', $reply, PDO::PARAM_INT); + $query->execute() or error(db_error($query)); + if($pm = $query->fetch()) { + $value = quote($pm['message']); + } + } + + + $body = ''; + + echo Element('page.html', array( + 'config'=>$config, + 'title'=>'New PM for ' . utf8tohtml($to['username']), + 'body'=>$body, + 'mod'=>true + ) + ); + } + } elseif(preg_match('/^\/search$/', $query)) { + if(!hasPermission($config['mod']['search'])) error($config['error']['noaccess']); + + $body = 'Search
' . + '(Search is case-insensitive, and based on keywords. To match exact phrases, use "quotes". Use an asterisk (*) for wildcard.)
' . + ''; + } + + if(!empty($temp)) + $_body .= ''; + } + + $body .= '
'; + if(!empty($_body)) + $body .= $_body; + else + $body .= '
(No results.)
'; + } + + echo Element('page.html', array( + 'config'=>$config, + 'title'=>'Search', + 'body'=>$body, + 'mod'=>true + ) + ); + } elseif(preg_match('/^\/users$/', $query)) { + if(!hasPermission($config['mod']['manageusers'])) error($config['error']['noaccess']); + + $body = ''; + + echo Element('page.html', array( + 'config'=>$config, + 'title'=>_('Manage users'), + 'body'=>$body + ,'mod'=>true + ) + ); + } elseif(preg_match('/^\/users\/new$/', $query)) { + if(!hasPermission($config['mod']['createusers'])) error($config['error']['noaccess']); + + if(isset($_POST['username']) && isset($_POST['password'])) { + if(!isset($_POST['type'])) { + error(sprintf($config['error']['required'], 'type')); + } + + if($_POST['type'] != ADMIN && $_POST['type'] != MOD && $_POST['type'] != JANITOR) { + error(sprintf($config['error']['invalidfield'], 'type')); + } + + // Check if already exists + $query = prepare("SELECT `id` FROM `mods` WHERE `username` = :username"); + $query->bindValue(':username', $_POST['username']); + $query->execute() or error(db_error($query)); + + if($_mod = $query->fetch()) { + error(sprintf($config['error']['modexists'], $_mod['id'])); + } + + $boards = array(); + foreach($_POST as $name => $null) { + if(preg_match('/^board_(.+)$/', $name, $m)) + $boards[] = $m[1]; + } + $boards = implode(',', $boards); + + $query = prepare("INSERT INTO `mods` VALUES (NULL, :username, :password, :type, :boards)"); + $query->bindValue(':username', $_POST['username']); + $query->bindValue(':password', sha1($_POST['password'])); + $query->bindValue(':type', $_POST['type'], PDO::PARAM_INT); + $query->bindValue(':boards', $boards); + $query->execute() or error(db_error($query)); + + modLog('Create a new user: "' . $_POST['username'] . '"'); + header('Location: ?/users', true, $config['redirect_http']); + } else { + + $__boards = '- ';
+ $boards = array_merge(
+ array(array('uri' => '*', 'title' => 'All')
+ ), listBoards());
+ foreach($boards as &$_board) {
+ $__boards .= '
- ' . + '' . + '' . + ' '; + } + + $body = ''; + + echo Element('page.html', array( + 'config'=>$config, + 'title'=>'New user', + 'body'=>$body + ,'mod'=>true + ) + ); + } + } elseif(preg_match('/^\/users\/(\d+)(\/(promote|demote|delete))?$/', $query, $matches)) { + $modID = &$matches[1]; + + if(isset($matches[2])) { + if($matches[3] == 'delete') { + if(!hasPermission($config['mod']['deleteusers'])) error($config['error']['noaccess']); + + $query = prepare("DELETE FROM `mods` WHERE `id` = :id"); + $query->bindValue(':id', $modID, PDO::PARAM_INT); + $query->execute() or error(db_error($query)); + + modLog('Deleted user #' . $modID); + } else { + // Promote/demote + if(!hasPermission($config['mod']['promoteusers'])) error($config['error']['noaccess']); + + if($matches[3] == 'promote') { + $query = prepare("UPDATE `mods` SET `type` = `type` + 1 WHERE `type` != :admin AND `id` = :id"); + $query->bindValue(':admin', ADMIN, PDO::PARAM_INT); + } else { + $query = prepare("UPDATE `mods` SET `type` = `type` - 1 WHERE `type` != :janitor AND `id` = :id"); + $query->bindValue(':janitor', JANITOR, PDO::PARAM_INT); + } + + $query->bindValue(':id', $modID, PDO::PARAM_INT); + $query->execute() or error(db_error($query)); + } + header('Location: ?/users', true, $config['redirect_http']); + } else { + // Edit user + if(!hasPermission($config['mod']['editusers']) && !hasPermission($config['mod']['change_password'])) + error($config['error']['noaccess']); + + $query = prepare("SELECT * FROM `mods` WHERE `id` = :id"); + $query->bindValue(':id', $modID, PDO::PARAM_INT); + $query->execute() or error(db_error($query)); + + if(!$_mod = $query->fetch()) { + error($config['error']['404']); + } + + if(!hasPermission($config['mod']['editusers']) && !(hasPermission($config['mod']['change_password']) && $mod['id'] == $_mod['id'] && $change_password_only = true)) + error($config['error']['noaccess']); + + if((isset($_POST['username']) && isset($_POST['password'])) || (isset($change_password_only) && isset($_POST['password']))) { + if(!isset($change_password_only)) { + $boards = array(); + foreach($_POST as $name => $null) { + if(preg_match('/^board_(.+)$/', $name, $m)) + $boards[] = $m[1]; + } + $boards = implode(',', $boards); + + $query = prepare("UPDATE `mods` SET `username` = :username, `boards` = :boards WHERE `id` = :id"); + $query->bindValue(':username', $_POST['username'], PDO::PARAM_STR); + $query->bindValue(':boards', $boards, PDO::PARAM_STR); + $query->bindValue(':id', $modID, PDO::PARAM_INT); + $query->execute() or error(db_error($query)); + modLog('Edited login details for user "' . $_mod['username'] . '"'); + } else { + modLog('Changed own password'); + } + if(!empty($_POST['password'])) { + $query = prepare("UPDATE `mods` SET `password` = :password WHERE `id` = :id"); + $query->bindValue(':password', sha1($_POST['password'])); + $query->bindValue(':id', $modID, PDO::PARAM_INT); + $query->execute() or error(db_error($query)); + } + + // Refresh + $query = prepare("SELECT * FROM `mods` WHERE `id` = :id"); + $query->bindValue(':id', $modID, PDO::PARAM_INT); + $query->execute() or error(db_error($query)); + + if(!$_mod = $query->fetch()) { + error($config['error']['404']); + } + + if($_mod['id'] == $mod['id']) { + // Changed own password. Update cookies + + if(!login($_mod['username'], $_mod['password'], false, true)) + error(_('Could not re-login after changing password. (?)')); + + setCookies(); + } + + if(hasPermission($config['mod']['manageusers'])) + header('Location: ?/users', true, $config['redirect_http']); + else + header('Location: ?/', true, $config['redirect_http']); + exit; + } + + $__boards = '
- ' . + ' ' . + '' . + ' '; + } + $__boards .= '
- ';
+ $boards = array_merge(
+ array(array('uri' => '*', 'title' => 'All')
+ ), listBoards());
+
+ $_mod['boards'] = explode(',', $_mod['boards']);
+ foreach($boards as &$_board) {
+ $__boards .= '
' .
+ '
' . + 'Board: ' . sprintf($config['board_abbreviation'], $report['uri']) . '
' . + 'Reason: ' . $report['reason'] . '
' . + 'Report date: ' . strftime($config['post_date'], $report['time']) . '
' . + (hasPermission($config['mod']['show_ip']) ? + 'Reported by: ' . $report['ip'] . '
' + : '') . + '
' . + (hasPermission($config['mod']['report_dismiss']) ? + 'Dismiss | ' : '') . + (hasPermission($config['mod']['report_dismiss_ip']) ? + 'Dismiss+' : '') . + '
';
+
+ // Bug fix for https://github.com/savetheinternet/Tinyboard/issues/21
+ $po->body = truncate($po->body, $po->link(), $config['body_truncate'] - substr_count($append_html, '' . + 'Board: ' . sprintf($config['board_abbreviation'], $report['uri']) . '
' . + 'Reason: ' . $report['reason'] . '
' . + 'Report date: ' . strftime($config['post_date'], $report['time']) . '
' . + (hasPermission($config['mod']['show_ip']) ? + 'Reported by: ' . $report['ip'] . '
' + : '') . + '
' . + (hasPermission($config['mod']['report_dismiss']) ? + 'Dismiss | ' : '') . + (hasPermission($config['mod']['report_dismiss_ip']) ? + 'Dismiss+' : '') . + '
')); + + if(mb_strlen($po->body) + mb_strlen($append_html) > $config['body_truncate_char']) { + // still too long. temporarily increase limit in the config + $__old_body_truncate_char = $config['body_truncate_char']; + $config['body_truncate_char'] = mb_strlen($po->body) + mb_strlen($append_html); + } + + $po->body .= $append_html; + + $body .= $po->build(true) . '
'; + + if(isset($__old_body_truncate_char)) + $config['body_truncate_char'] = $__old_body_truncate_char; + } + + $query = query("SELECT COUNT(`id`) AS `count` FROM `reports`") or error(db_error()); + $count = $query->fetch(); + + $body .= '
Showing ' . + ($reports == $count['count'] ? 'all ' . $reports . ' reports' : $reports . ' of ' . $count['count'] . ' reports') . '.
'; + + echo Element('page.html', array( + 'config'=>$config, + 'title'=>_('Report queue') . ' (' . $count['count'] . ')', + 'body'=>$body, + 'mod'=>true + )); + } elseif(preg_match('/^\/reports\/(\d+)\/dismiss(\/all)?$/', $query, $matches)) { + if(isset($matches[2]) && $matches[2] == '/all') { + if(!hasPermission($config['mod']['report_dismiss_ip'])) error($config['error']['noaccess']); + + $query = prepare("SELECT `ip` FROM `reports` WHERE `id` = :id"); + $query->bindValue(':id', $matches[1], PDO::PARAM_INT); + $query->execute() or error(db_error($query)); + + if($report = $query->fetch()) { + $query = prepare("DELETE FROM `reports` WHERE `ip` = :ip"); + $query->bindValue(':ip', $report['ip'], PDO::PARAM_INT); + $query->execute() or error(db_error($query)); + + modLog('Dismissed all reports by ' . $report['ip']); + } + } else { + if(!hasPermission($config['mod']['report_dismiss'])) error($config['error']['noaccess']); + + $query = prepare("SELECT `post`, `board` FROM `reports` WHERE `id` = :id"); + $query->bindValue(':id', $matches[1], PDO::PARAM_INT); + $query->execute() or error(db_error($query)); + + if($report = $query->fetch()) { + modLog('Dismissed a report for post #' . $report['post'], $report['board']); + + $query = prepare("DELETE FROM `reports` WHERE `post` = :post AND `board` = :board"); + $query->bindValue(':board', $report['board'], PDO::PARAM_INT); + $query->bindValue(':post', $report['post'], PDO::PARAM_INT); + $query->execute() or error(db_error($query)); + } + } + + // Redirect + header('Location: ?/reports', true, $config['redirect_http']); + } elseif(preg_match('/^\/(\w+)\/edit(\/delete)?$/', $query, $matches)) { + if(!hasPermission($config['mod']['manageboards'])) error($config['error']['noaccess']); + + if(!openBoard($matches[1])) + error($config['error']['noboard']); + + if(isset($matches[2]) && $matches[2] == '/delete') { + if(!hasPermission($config['mod']['deleteboard'])) error($config['error']['noaccess']); + // Delete board + + modLog('Deleted board ' . sprintf($config['board_abbreviation'], $board['uri'])); + + // Delete entire board directory + rrmdir($board['uri'] . '/'); + + // Delete posting table + $query = query(sprintf("DROP TABLE IF EXISTS `posts_%s`", $board['uri'])) or error(db_error()); + + // Clear reports + $query = prepare("DELETE FROM `reports` WHERE `board` = :id"); + $query->bindValue(':id', $board['uri'], PDO::PARAM_INT); + $query->execute() or error(db_error($query)); + + // Delete from table + $query = prepare("DELETE FROM `boards` WHERE `uri` = :uri"); + $query->bindValue(':uri', $board['uri'], PDO::PARAM_INT); + $query->execute() or error(db_error($query)); + + if($config['cache']['enabled']) { + cache::delete('board_' . $board['uri']); + cache::delete('all_boards'); + } + + $query = prepare("SELECT `board`, `post` FROM `cites` WHERE `target_board` = :board"); + $query->bindValue(':board', $board['uri']); + $query->execute() or error(db_error($query)); + while($cite = $query->fetch()) { + if($board['uri'] != $cite['board']) { + if(!isset($tmp_board)) + $tmp_board = $board; + openBoard($cite['board']); + rebuildPost($cite['post']); + } + } + + if(isset($tmp_board)) + $board = $tmp_board; + + $query = prepare("DELETE FROM `cites` WHERE `board` = :board OR `target_board` = :board"); + $query->bindValue(':board', $board['uri']); + $query->execute() or error(db_error($query)); + + $query = prepare("DELETE FROM `antispam` WHERE `board` = :board"); + $query->bindValue(':board', $board['uri']); + $query->execute() or error(db_error($query)); + + $_board = $board; + + rebuildThemes('boards'); + + $board = $_board; + + header('Location: ?/', true, $config['redirect_http']); + } else { + if(isset($_POST['title']) && isset($_POST['subtitle'])) { + $query = prepare("UPDATE `boards` SET `title` = :title, `subtitle` = :subtitle WHERE `uri` = :uri"); + $query->bindValue(':title', utf8tohtml($_POST['title'], true)); + + if(!empty($_POST['subtitle'])) + $query->bindValue(':subtitle', utf8tohtml($_POST['subtitle'], true)); + else + $query->bindValue(':subtitle', null, PDO::PARAM_NULL); + + $query->bindValue(':id', $board['uri'], PDO::PARAM_INT); + $query->execute() or error(db_error($query)); + + if($config['cache']['enabled']) { + cache::delete('board_' . $board['uri']); + cache::delete('all_boards'); + } + + $_board = $board; + + rebuildThemes('boards'); + + $board = $_board; + + openBoard($board['uri']); + } + + $body = + ''; + + echo Element('page.html', array( + 'config'=>$config, + 'title'=>'Manage – ' . sprintf($config['board_abbreviation'], $board['uri']), + 'body'=>$body, + 'mod'=>true + )); + } + } elseif(preg_match('/^\/bans$/', $query)) { + if(!hasPermission($config['mod']['view_banlist'])) error($config['error']['noaccess']); + + if(isset($_POST['unban'])) { + if(!hasPermission($config['mod']['unban'])) error($config['error']['noaccess']); + + foreach($_POST as $post => $value) { + if(preg_match('/^ban_(\d+)$/', $post, $m)) { + removeBan($m[1]); + } + } + } + if(hasPermission($config['mod']['view_banexpired'])) { + $query = prepare("SELECT `bans`.*, `username` FROM `bans` LEFT JOIN `mods` ON `mod` = `mods`.`id` ORDER BY (`expires` IS NOT NULL AND `expires` < :time), `set` DESC"); + $query->bindValue(':time', time(), PDO::PARAM_INT); + $query->execute() or error(db_error($query)); + } else { + // Filter out expired bans + $query = prepare("SELECT `bans`.*, `username` FROM `bans` INNER JOIN `mods` ON `mod` = `mods`.`id` WHERE `expires` = 0 OR `expires` > :time ORDER BY `set` DESC"); + $query->bindValue(':time', time(), PDO::PARAM_INT); + $query->execute() or error(db_error($query)); + } + + if($query->rowCount() < 1) { + $body = '(There are no active bans.)
'; + } else { + $body = '' . $body . '
', + 'mod'=>true + )); + } elseif(preg_match('/^\/rebuild$/', $query)) { + if(!hasPermission($config['mod']['rebuild'])) error($config['error']['noaccess']); + + set_time_limit($config['mod']['rebuild_timelimit']); + + $body = 'Rebuilding…
';
+
+ $body .= 'Clearing template cache…
';
+
+ load_twig();
+ $twig->clearCacheFiles();
+
+ $body .= 'Regenerating theme files…
';
+ rebuildThemes('all');
+
+ $body .= 'Generating Javascript file…
';
+ buildJavascript();
+
+ $main_js = $config['file_script'];
+
+ $boards = listBoards();
+
+ foreach($boards as &$board) {
+ $body .= "Opening board /{$board['uri']}/
";
+ openBoard($board['uri']);
+
+ $body .= 'Creating index pages
';
+ buildIndex();
+
+ if($config['file_script'] != $main_js) {
+ // different javascript file
+ $body .= 'Generating Javascript file…
';
+ buildJavascript();
+ }
+
+ $query = query(sprintf("SELECT `id` FROM `posts_%s` WHERE `thread` IS NULL", $board['uri'])) or error(db_error());
+ while($post = $query->fetch()) {
+ $body .= "Rebuilding #{$post['id']}
";
+ buildThread($post['id']);
+ }
+ }
+ $body .= 'Complete!
' . + '[Edit using web editor]' : '') . + '
'; + + echo Element('page.html', array( + 'config'=>$config, + 'title'=>_('Configuration'), + 'body'=>$body, + 'mod'=>true + ) + ); + } elseif(preg_match('/^\/new$/', $query)) { + if(!hasPermission($config['mod']['newboard'])) error($config['error']['noaccess']); + + // New board + $body = ''; + + if(isset($_POST['new_board'])) { + // Create new board + if( !isset($_POST['uri']) || + !isset($_POST['title']) || + !isset($_POST['subtitle']) + ) error($config['error']['missedafield']); + + $b = array( + 'uri' => $_POST['uri'], + 'title' => $_POST['title'], + 'subtitle' => $_POST['subtitle'] + ); + + // HTML characters + $b['title'] = utf8tohtml($b['title'], true); + $b['subtitle'] = utf8tohtml($b['subtitle'], true); + + // Check required fields + if(empty($b['uri'])) + error(sprintf($config['error']['required'], 'URI')); + if(empty($b['title'])) + error(sprintf($config['error']['required'], 'title')); + + if(!preg_match('/^\w+$/', $b['uri'])) + error(sprintf($config['error']['invalidfield'], 'URI')); + + if(openBoard($b['uri'])) { + unset($board); + error(sprintf($config['error']['boardexists'], sprintf($config['board_abbreviation'], $b['uri']))); + } + + $query = prepare("INSERT INTO `boards` VALUES (:uri, :title, :subtitle)"); + $query->bindValue(':uri', $b['uri']); + $query->bindValue(':title', $b['title']); + if(!empty($b['subtitle'])) { + $query->bindValue(':subtitle', $b['subtitle']); + } else { + $query->bindValue(':subtitle', null, PDO::PARAM_NULL); + } + $query->execute() or error(db_error($query)); + + // Record the action + modLog("Created a new board: {$b['title']}"); + + // Open the board + openBoard($b['uri']) or error(_("Couldn't open board after creation.")); + + // Create the posts table + query(Element('posts.sql', array('board' => $board['uri']))) or error(db_error()); + + if($config['cache']['enabled']) + cache::delete('all_boards'); + + // Build the board + buildIndex(); + + rebuildThemes('boards'); + + header('Location: ?/' . $b['uri'] . '/' . $config['file_index'], true, $config['redirect_http']); + } else { + + $body .= form_newBoard(); + + // TODO: Statistics, etc, in the dashboard. + + echo Element('page.html', array( + 'config'=>$config, + 'title'=>'New board', + 'body'=>$body, + 'mod'=>true + ) + ); + } + } elseif(preg_match('/^\/' . $regex['board'] . '(' . $regex['index'] . '|' . $regex['page'] . ')?$/', $query, $matches)) { + // Board index + + $boardName = &$matches[1]; + + // Open board + if(!openBoard($boardName)) + error($config['error']['noboard']); + + $page_no = empty($matches[2]) || $matches[2] == $config['file_index'] ? 1 : $matches[2]; + + if(!$page = index($page_no, $mod)) { + error($config['error']['404']); + } + + $page['pages'] = getPages(true); + $page['pages'][$page_no-1]['selected'] = true; + $page['btn'] = getPageButtons($page['pages'], true); + $page['mod'] = true; + echo Element('index.html', $page); + } elseif(preg_match('/^\/' . $regex['board'] . $regex['res'] . $regex['page'] . '$/', $query, $matches)) { + // View thread + + $boardName = &$matches[1]; + $thread = &$matches[2]; + // Open board + if(!openBoard($boardName)) + error($config['error']['noboard']); + + $page = buildThread($thread, true, $mod); + + echo $page; + } elseif(preg_match('/^\/' . $regex['board'] . 'edit\/(\d+)$/', $query, $matches)) { + // Edit post body + + $boardName = &$matches[1]; + + // Open board + if(!openBoard($boardName)) + error($config['error']['noboard']); + + if(!hasPermission($config['mod']['editpost'], $boardName)) error($config['error']['noaccess']); + + $postID = &$matches[2]; + + $query = prepare(sprintf("SELECT `body_nomarkup`, `name`, `subject`, `thread` FROM `posts_%s` WHERE `id` = :id", $board['uri'])); + $query->bindValue(':id', $postID, PDO::PARAM_INT); + $query->execute() or error(db_error($query)); + $post = $query->fetch() or error($config['error']['invalidpost']); + + if(isset($_POST['submit']) && isset($_POST['body']) && isset($_POST['subject'])) { + if(mb_strlen($_POST['subject']) > 100) + error(sprintf($config['error']['toolong'], 'subject')); + + $body = $_POST['body']; + $body_nomarkup = $body; + + wordfilters($body); + $tracked_cites = markup($body, true); + + $query = prepare("DELETE FROM `cites` WHERE `board` = :board AND `post` = :post"); + $query->bindValue(':board', $board['uri']); + $query->bindValue(':post', $postID, PDO::PARAM_INT); + $query->execute() or error(db_error($query)); + + $query = prepare(sprintf("UPDATE `posts_%s` SET `body` = :body, `body_nomarkup` = :body_nomarkup, `subject` = :subject WHERE `id` = :id", $board['uri'])); + $query->bindValue(':id', $postID, PDO::PARAM_INT); + $query->bindValue(':body', $body); + $query->bindValue(':body_nomarkup', $body_nomarkup); + $query->bindValue(':subject', utf8tohtml($_POST['subject'])); + $query->execute() or error(db_error($query)); + + if(isset($tracked_cites)) { + foreach($tracked_cites as $cite) { + $query = prepare('INSERT INTO `cites` VALUES (:board, :post, :target_board, :target)'); + $query->bindValue(':board', $board['uri']); + $query->bindValue(':post', $postID, PDO::PARAM_INT); + $query->bindValue(':target_board',$cite[0]); + $query->bindValue(':target', $cite[1], PDO::PARAM_INT); + $query->execute() or error(db_error($query)); + } + } + + // Record the action + modLog("Edited post #{$postID}"); + + buildThread($post['thread'] ? $post['thread'] : $postID); + + // Rebuild board + buildIndex(); + + // Redirect + header('Location: ?/' . sprintf($config['board_path'], $boardName) . $config['file_index'], true, $config['redirect_http']); + exit; + } + + $post['body_nomarkup'] = utf8tohtml($post['body_nomarkup']); + + if($config['minify_html']) + $post['body_nomarkup'] = str_replace("\n", ' ', $post['body_nomarkup']); + + $body = ''; + + echo Element('page.html', array( + 'config' => $config, + 'body' => $body, + 'title' => 'Edit Post #' . $postID + )); + } elseif(preg_match('/^\/' . $regex['board'] . 'deletefile\/(\d+)$/', $query, $matches)) { + // Delete file from post + + $boardName = &$matches[1]; + + // Open board + if(!openBoard($boardName)) + error($config['error']['noboard']); + + if(!hasPermission($config['mod']['deletefile'], $boardName)) error($config['error']['noaccess']); + + $post = &$matches[2]; + + // Delete post + deleteFile($post); + + // Record the action + modLog("Removed file from post #{$post}"); + + // Rebuild board + buildIndex(); + + // Redirect + header('Location: ?/' . sprintf($config['board_path'], $boardName) . $config['file_index'], true, $config['redirect_http']); + } elseif(preg_match('/^\/' . $regex['board'] . 'delete\/(\d+)$/', $query, $matches)) { + // Delete post + + $boardName = &$matches[1]; + + // Open board + if(!openBoard($boardName)) + error($config['error']['noboard']); + + if(!hasPermission($config['mod']['delete'], $boardName)) + error($config['error']['noaccess']); + + $post = &$matches[2]; + + // Delete post + deletePost($post); + + // Record the action + modLog("Deleted post #{$post}"); + + // Rebuild board + buildIndex(); + + // Redirect + header('Location: ?/' . sprintf($config['board_path'], $boardName) . $config['file_index'], true, $config['redirect_http']); + } elseif(preg_match('/^\/' . $regex['board'] . '(un)?sticky\/(\d+)$/', $query, $matches)) { + // Add/remove sticky + + $boardName = &$matches[1]; + + // Open board + if(!openBoard($boardName)) + error($config['error']['noboard']); + + if(!hasPermission($config['mod']['sticky'], $boardName)) error($config['error']['noaccess']); + + $post = &$matches[3]; + + $query = prepare(sprintf("UPDATE `posts_%s` SET `sticky` = :sticky WHERE `id` = :id AND `thread` IS NULL", $board['uri'])); + $query->bindValue(':id', $post, PDO::PARAM_INT); + + if($matches[2] == 'un') { + // Record the action + modLog("Unstickied post #{$post}"); + $query->bindValue(':sticky', 0, PDO::PARAM_INT); + } else { + // Record the action + modLog("Stickied post #{$post}"); + $query->bindValue(':sticky', 1, PDO::PARAM_INT); + } + + $query->execute() or error(db_error($query)); + + buildIndex(); + buildThread($post); + + + // Redirect + header('Location: ?/' . sprintf($config['board_path'], $boardName) . $config['file_index'], true, $config['redirect_http']); + } elseif(preg_match('/^\/' . $regex['board'] . '(un)?lock\/(\d+)$/', $query, $matches)) { + // Lock/Unlock + + $boardName = &$matches[1]; + + // Open board + if(!openBoard($boardName)) + error($config['error']['noboard']); + + if(!hasPermission($config['mod']['lock'], $boardName)) error($config['error']['noaccess']); + + $post = &$matches[3]; + + $query = prepare(sprintf("UPDATE `posts_%s` SET `locked` = :locked WHERE `id` = :id AND `thread` IS NULL", $board['uri'])); + $query->bindValue(':id', $post, PDO::PARAM_INT); + + if($matches[2] == 'un') { + // Record the action + modLog("Unlocked post #{$post}"); + $query->bindValue(':locked', 0, PDO::PARAM_INT); + } else { + // Record the action + modLog("Locked post #{$post}"); + $query->bindValue(':locked', 1, PDO::PARAM_INT); + } + + $query->execute() or error(db_error($query)); + + buildIndex(); + buildThread($post); + + + // Redirect + header('Location: ?/' . sprintf($config['board_path'], $boardName) . $config['file_index'], true, $config['redirect_http']); + } elseif(preg_match('/^\/' . $regex['board'] . 'bump(un)?lock\/(\d+)$/', $query, $matches)) { + // Lock/Unlock + + $boardName = &$matches[1]; + // Open board + if(!openBoard($boardName)) + error($config['error']['noboard']); + + if(!hasPermission($config['mod']['bumplock'], $boardName)) error($config['error']['noaccess']); + + $post = &$matches[3]; + + $query = prepare(sprintf("UPDATE `posts_%s` SET `sage` = :bumplocked WHERE `id` = :id AND `thread` IS NULL", $board['uri'])); + $query->bindValue(':id', $post, PDO::PARAM_INT); + + if($matches[2] == 'un') { + // Record the action + modLog("Unbumplocked post #{$post}"); + $query->bindValue(':bumplocked', 0, PDO::PARAM_INT); + } else { + // Record the action + modLog("Bumplocked post #{$post}"); + $query->bindValue(':bumplocked', 1, PDO::PARAM_INT); + } + + $query->execute() or error(db_error($query)); + + buildIndex(); + buildThread($post); + + + // Redirect + header('Location: ?/' . sprintf($config['board_path'], $boardName) . $config['file_index'], true, $config['redirect_http']); + } elseif(preg_match('/^\/' . $regex['board'] . 'deletebyip\/(\d+)(\/global)?$/', $query, $matches)) { + // Delete all posts by an IP + + $boardName = &$matches[1]; + $post = &$matches[2]; + $global = isset($matches[3]) && $matches[3] == '/global'; + + // Open board + if(!openBoard($boardName)) + error($config['error']['noboard']); + + $query = prepare(sprintf("SELECT `ip` FROM `posts_%s` WHERE `id` = :id", $board['uri'])); + $query->bindValue(':id', $post); + $query->execute() or error(db_error($query)); + + if(!$post = $query->fetch()) + error($config['error']['invalidpost']); + + $ip = $post['ip']; + + if($global) + $boards = listBoards(); + else + $boards = array(array('uri' => $board['uri'])); + + $query = ''; + foreach($boards as $_board) { + $query .= sprintf("SELECT `id`, '%s' AS `board` FROM `posts_%s` WHERE `ip` = :ip UNION ALL ", $_board['uri'], $_board['uri']); + } + $query = preg_replace('/UNION ALL $/', '', $query); + + $query = prepare($query); + $query->bindValue(':ip', $ip); + $query->execute() or error(db_error($query)); + + if($query->rowCount() < 1) + error($config['error']['invalidpost']); + + $boards = array(); + while($post = $query->fetch()) { + openBoard($post['board']); + $boards[] = $post['board']; + + deletePost($post['id'], false); + } + + foreach($boards as &$_board) { + openBoard($_board); + buildIndex(); + } + + // Record the action + modLog("Deleted all posts by IP address: {$ip}"); + + header('Location: ?/' . sprintf($config['board_path'], $boardName) . $config['file_index'], true, $config['redirect_http']); + } elseif(preg_match('/^\/ban$/', $query)) { + if(!hasPermission($config['mod']['ban'])) error($config['error']['noaccess']); + // Ban page + + if(isset($_POST['new_ban'])) { + if( !isset($_POST['ip']) || + !isset($_POST['reason']) || + !isset($_POST['length']) + ) error($config['error']['missedafield']); + + // Check required fields + if(empty($_POST['ip'])) + error(sprintf($config['error']['required'], 'IP address')); + + $query = prepare("INSERT INTO `bans` VALUES (NULL, :ip, :mod, :set, :expires, :reason, :board)"); + + // 1yr2hrs30mins + // 1y2h30m + $expire = 0; + if(preg_match('/^((\d+)\s?ye?a?r?s?)?\s?+((\d+)\s?mon?t?h?s?)?\s?+((\d+)\s?we?e?k?s?)?\s?+((\d+)\s?da?y?s?)?((\d+)\s?ho?u?r?s?)?\s?+((\d+)\s?mi?n?u?t?e?s?)?\s?+((\d+)\s?se?c?o?n?d?s?)?$/', $_POST['length'], $m)) { + if(isset($m[2])) { + // Years + $expire += $m[2]*60*60*24*365; + } + if(isset($m[4])) { + // Months + $expire += $m[4]*60*60*24*30; + } + if(isset($m[6])) { + // Weeks + $expire += $m[6]*60*60*24*7; + } + if(isset($m[8])) { + // Days + $expire += $m[8]*60*60*24; + } + if(isset($m[10])) { + // Hours + $expire += $m[10]*60*60; + } + if(isset($m[12])) { + // Minutes + $expire += $m[12]*60; + } + if(isset($m[14])) { + // Seconds + $expire += $m[14]; + } + } + if($expire) { + $query->bindValue(':expires', time()+$expire, PDO::PARAM_INT); + } else { + // Never expire + $query->bindValue(':expires', null, PDO::PARAM_NULL); + } + + $query->bindValue(':ip', $_POST['ip'], PDO::PARAM_STR); + $query->bindValue(':mod', $mod['id'], PDO::PARAM_INT); + $query->bindValue(':set', time(), PDO::PARAM_INT); + + + + if(!empty($_POST['reason'])) { + $reason = $_POST['reason']; + markup($reason); + $query->bindValue(':reason', $reason, PDO::PARAM_STR); + } else { + $query->bindValue(':reason', null, PDO::PARAM_NULL); + } + + if($_POST['board'] == '') { + $query->bindValue(':board', null, PDO::PARAM_NULL); + } else { + $query->bindValue(':board', $_POST['board'], PDO::PARAM_INT); + } + + // Record the action + modLog('Created a ' . ($expire ? $expire . ' second' : 'permanent') . " ban for {$_POST['ip']} with " . (!empty($_POST['reason']) ? "reason \"${reason}\"" : 'no reason')); + + $query->execute() or error(db_error($query)); + + if(isset($_POST['board'])) + openBoard($_POST['board']); + + // Delete too + if(isset($_POST['delete']) && isset($_POST['board']) && hasPermission($config['mod']['delete'], $_POST['board'])) { + $post = round($_POST['delete']); + + deletePost($post); + + // Record the action + modLog("Deleted post #{$post}"); + + // Rebuild board + buildIndex(); + } + + if(hasPermission($config['mod']['public_ban']) && isset($_POST['post']) && isset($_POST['board']) && isset($_POST['public_message']) && isset($_POST['message'])) { + $post = round($_POST['post']); + + $query = prepare(sprintf("UPDATE `posts_%s` SET `body` = CONCAT(`body`, :body) WHERE `id` = :id", $board['uri'])); + $query->bindValue(':id', $post, PDO::PARAM_INT); + $query->bindValue(':body', sprintf($config['mod']['ban_message'], utf8tohtml($_POST['message']))); + $query->execute() or error(db_error($query)); + + // Rebuild thread + $query = prepare(sprintf("SELECT `thread` FROM `posts_%s` WHERE `id` = :id", $board['uri'])); + $query->bindValue(':id', $post, PDO::PARAM_INT); + $query->execute() or error(db_error($query)); + $thread = $query->fetch(); + if($thread['thread']) + buildThread($thread['thread']); + else + buildThread($post); + + // Rebuild board + buildIndex(); + + // Record the action + modLog("Attached a public ban message for post #{$post}: " . $_POST['message']); + } + + // Redirect + if(isset($_POST['continue'])) + header('Location: ' . $_POST['continue'], true, $config['redirect_http']); + elseif(isset($board)) + header('Location: ?/' . sprintf($config['board_path'], $boardName) . $config['file_index'], true, $config['redirect_http']); + else + header('Location: ?/', true, $config['redirect_http']); + } + } elseif(preg_match('/^\/' . $regex['board'] . 'move\/(\d+)$/', $query, $matches)) { + + $boardName = &$matches[1]; + $postID = $matches[2]; + + // Open board + if(!openBoard($boardName)) + error($config['error']['noboard']); + + if(!hasPermission($config['mod']['move'], $boardName)) error($config['error']['noaccess']); + + if(isset($_POST['board'])) { + $targetBoard = $_POST['board']; + $shadow = isset($_POST['shadow']); + + if($targetBoard == $boardName) + error(_("Target and source board are the same.")); + + // copy() if leaving a shadow thread behind. otherwise, rename(). + $clone = $shadow ? 'copy' : 'rename'; + + $query = prepare(sprintf("SELECT * FROM `posts_%s` WHERE `thread` IS NULL AND `id` = :id", $board['uri'])); + $query->bindValue(':id', $postID, PDO::PARAM_INT); + $query->execute() or error(db_error($query)); + if(!$post = $query->fetch()) { + error($config['error']['nonexistant']); + } + $post['op'] = true; + + if($post['file']) { + $post['has_file'] = true; + $post['width'] = &$post['filewidth']; + $post['height'] = &$post['fileheight']; + + $file_src = sprintf($config['board_path'], $board['uri']) . $config['dir']['img'] . $post['file']; + $file_thumb = sprintf($config['board_path'], $board['uri']) . $config['dir']['thumb'] . $post['thumb']; + } else $post['has_file'] = false; + + // allow thread to keep its same traits (stickied, locked, etc.) + $post['mod'] = true; + + if(!openBoard($targetBoard)) + error($config['error']['noboard']); + + $newID = post($post); + + if($post['has_file']) { + $clone($file_src, sprintf($config['board_path'], $board['uri']) . $config['dir']['img'] . $post['file']); + $clone($file_thumb, sprintf($config['board_path'], $board['uri']) . $config['dir']['thumb'] . $post['thumb']); + } + + // move replies too... + openBoard($boardName); + + $query = prepare(sprintf("SELECT * FROM `posts_%s` WHERE `thread` = :id ORDER BY `id`", $board['uri'])); + $query->bindValue(':id', $postID, PDO::PARAM_INT); + $query->execute() or error(db_error($query)); + + $replies = array(); + while($post = $query->fetch()) { + $post['mod'] = true; + $post['thread'] = $newID; + + if($post['file']) { + $post['has_file'] = true; + $post['width'] = &$post['filewidth']; + $post['height'] = &$post['fileheight']; + + $post['file_src'] = sprintf($config['board_path'], $board['uri']) . $config['dir']['img'] . $post['file']; + $post['file_thumb'] = sprintf($config['board_path'], $board['uri']) . $config['dir']['thumb'] . $post['thumb']; + } else $post['has_file'] = false; + + $replies[] = $post; + } + + $newIDs = array($postID => $newID); + + openBoard($targetBoard); + foreach($replies as &$post) { + $query = prepare("SELECT `target` FROM `cites` WHERE `target_board` = :board AND `board` = :board AND `post` = :post"); + $query->bindValue(':board', $boardName); + $query->bindValue(':post', $post['id'], PDO::PARAM_INT); + $query->execute() or error(db_error($qurey)); + while($cite = $query->fetch(PDO::FETCH_ASSOC)) { + if(isset($newIDs[$cite['target']])) { + $post['body_nomarkup'] = preg_replace( + '/(>>(>\/' . preg_quote($boardName, '/') . '\/)?)' . preg_quote($cite['target'], '/') . '/', + '>>' . $newIDs[$cite['target']], + $post['body_nomarkup']); + + $post['body'] = $post['body_nomarkup']; + } + } + $post['op'] = false; + $post['tracked_cites'] = markup($post['body'], true); + + $newIDs[$post['id']] = $newPostID = post($post); + + if($post['has_file']) { + $clone($post['file_src'], sprintf($config['board_path'], $board['uri']) . $config['dir']['img'] . $post['file']); + $clone($post['file_thumb'], sprintf($config['board_path'], $board['uri']) . $config['dir']['thumb'] . $post['thumb']); + } + + foreach($post['tracked_cites'] as $cite) { + $query = prepare('INSERT INTO `cites` VALUES (:board, :post, :target_board, :target)'); + $query->bindValue(':board', $board['uri']); + $query->bindValue(':post', $newPostID, PDO::PARAM_INT); + $query->bindValue(':target_board',$cite[0]); + $query->bindValue(':target', $cite[1], PDO::PARAM_INT); + $query->execute() or error(db_error($query)); + } + } + + // build thread + buildThread($newID); + buildIndex(); + + // trigger themes + rebuildThemes('post'); + + openBoard($boardName); + + if($shadow) { + // lock thread + $query = prepare(sprintf("UPDATE `posts_%s` SET `locked` = 1 WHERE `id` = :id", $board['uri'])); + $query->bindValue(':id', $postID, PDO::PARAM_INT); + $query->execute() or error(db_error($query)); + + $post = array( + 'mod' => true, + 'subject' => '', + 'email' => '', + 'name' => $config['mod']['shadow_name'], + 'capcode' => $config['mod']['shadow_capcode'], + 'trip' => '', + 'body' => sprintf($config['mod']['shadow_mesage'], '>>>/' . $targetBoard . '/' . $newID), + 'password' => '', + 'has_file' => false, + // attach to original thread + 'thread' => $postID, + 'op' => false + ); + + markup($post['body']); + + $botID = post($post); + buildThread($postID); + + header('Location: ?/' . sprintf($config['board_path'], $boardName) . $config['dir']['res'] . sprintf($config['file_page'], $postID) . '#' . $botID, true, $config['redirect_http']); + } else { + deletePost($postID); + buildIndex(); + + openBoard($targetBoard); + header('Location: ?/' . sprintf($config['board_path'], $board['uri']) . $config['dir']['res'] . sprintf($config['file_page'], $newID), true, $config['redirect_http']); + } + } else { + + $body = ''; + + echo Element('page.html', array( + 'config'=>$config, + 'title'=>'Move #' . $postID, + 'body'=>$body, + 'mod'=>true + ) + ); + } + } elseif(preg_match('/^\/' . $regex['board'] . 'ban(&delete)?\/(\d+)$/', $query, $matches)) { + + // Ban by post + + $boardName = &$matches[1]; + // Open board + if(!openBoard($boardName)) + error($config['error']['noboard']); + + if(!hasPermission($config['mod']['ban'], $boardName)) error($config['error']['noaccess']); + + $delete = isset($matches[2]) && $matches[2] == '&delete'; + if($delete && !hasPermission($config['mod']['delete'], $boardName)) error($config['error']['noaccess']); + + $post = $matches[3]; + + $query = prepare(sprintf("SELECT `ip`,`id` FROM `posts_%s` WHERE `id` = :id LIMIT 1", $board['uri'])); + $query->bindValue(':id', $post, PDO::PARAM_INT); + $query->execute() or error(db_error($query)); + + if($query->rowCount() < 1) { + error($config['error']['invalidpost']); + } + + $post = $query->fetch(); + + $body = form_newBan($post['ip'], null, '?/' . sprintf($config['board_path'], $board['uri']) . $config['file_index'], $post['id'], $boardName, !$delete); + + echo Element('page.html', array( + 'config'=>$config, + 'title'=>'New ban', + 'body'=>$body, + 'mod'=>true + ) + ); + } elseif(preg_match('/^\/IP\/(\d+\.\d+\.\d+\.\d+|' . $config['ipv6_regex'] . ')\/deletenote\/(?P'; + } + + if(!empty($temp)) + $body .= ''; + } + + if(hasPermission($config['mod']['view_notes'])) { + $query = prepare("SELECT * FROM `ip_notes` WHERE `ip` = :ip ORDER BY `id` DESC"); + $query->bindValue(':ip', $ip); + $query->execute() or error(db_error($query)); + + if($query->rowCount() > 0 || hasPermission($config['mod']['create_notes'])) { + $body .= ''; + } + } + + if(hasPermission($config['mod']['view_ban'])) { + $query = prepare("SELECT `bans`.*, `username` FROM `bans` LEFT JOIN `mods` ON `mod` = `mods`.`id` WHERE `ip` = :ip"); + $query->bindValue(':ip', $ip); + $query->execute() or error(db_error($query)); + + if($query->rowCount() > 0) { + $body .= ''; + + } + } + + if(hasPermission($config['mod']['ip_banform'])) + $body .= form_newBan($ip, null, '?/IP/' . $ip); + + echo Element('page.html', array( + 'config'=>$config, + 'title'=>'IP: ' . $ip, + 'subtitle' => $host, + 'body'=>$body, + 'mod'=>true + ) + ); + } + } else { + error($config['error']['404']); + } +} + diff --git a/mod.php b/mod.php index e434a80d..52f340d2 100644 --- a/mod.php +++ b/mod.php @@ -4,11 +4,11 @@ * Copyright (c) 2010-2012 Tinyboard Development Group */ -// WARNING: This file is currently a clusterfuck of code. I will be rewriting it very soon. - require 'inc/functions.php'; -require 'inc/mod.php'; +require 'inc/mod/auth.php'; +require 'inc/mod/pages.php'; +// Fix for magic quotes if (get_magic_quotes_gpc()) { function strip_array($var) { return is_array($var) ? array_map('strip_array', $var) : stripslashes($var); @@ -20,3103 +20,119 @@ if (get_magic_quotes_gpc()) { $query = isset($_SERVER['QUERY_STRING']) ? $_SERVER['QUERY_STRING'] : ''; -// If not logged in -if(!$mod) { - if(isset($_POST['login'])) { - // Check if inputs are set and not empty - if( !isset($_POST['username']) || - !isset($_POST['password']) || - empty($_POST['username']) || - empty($_POST['password']) - ) loginForm($config['error']['invalid'], $_POST['username'], '?' . $query); - - - if(!login($_POST['username'], $_POST['password'])) { - if($config['syslog']) - _syslog(LOG_WARNING, 'Unauthorized login attempt!'); - loginForm($config['error']['invalid'], $_POST['username'], '?' . $query); - } - - modLog("Logged in."); - - // Login successful - // Set cookies - setCookies(); - - // Redirect - if(isset($_POST['redirect'])) - header('Location: ' . $_POST['redirect'], true, $config['redirect_http']); - else - header('Location: ?' . $config['mod']['default'], true, $config['redirect_http']); - } else { - loginForm(false, false, '?' . $query); - } -} else { - // Redirect (for index pages) - if(count($_GET) == 2 && isset($_GET['status']) && isset($_GET['r'])) { - header('Location: ' . $_GET['r'], true, $_GET['status']); - exit; - } +$pages = array( + '' => ':?/', // redirect to dashboard + '/' => 'dashboard', // dashboard + '/confirm/(.+)' => 'confirm', // confirm action (if javascript didn't work) + '/logout' => 'logout', // logout - // A sort of "cache" - // Stops calling preg_quote and str_replace when not needed; only does it once - $regex = array( - 'board' => str_replace('%s', '(\w{1,8})', preg_quote($config['board_path'], '/')), - 'page' => str_replace('%d', '(\d+)', preg_quote($config['file_page'], '/')), - 'img' => preg_quote($config['dir']['img'], '/'), - 'thumb' => preg_quote($config['dir']['thumb'], '/'), - 'res' => preg_quote($config['dir']['res'], '/'), - 'index' => preg_quote($config['file_index'], '/') - ); + '/users' => 'users', // manage users + '/users/(\d+)' => 'user', // edit user + '/users/(\d+)/(promote|demote)' => 'user_promote', // prmote/demote user + '/users/new' => 'user_new', // create a new user + '/new_PM/([^/]+)' => 'new_pm', // create a new pm + '/PM/(\d+)(/reply)?' => 'pm', // read a pm + '/inbox' => 'inbox', // pm inbox - if(preg_match('/^\/?$/', $query)) { - // Dashboard - $fieldset = array( - 'Boards' => '', - 'Noticeboard' => '', - 'Administration' => '', - 'Themes' => '', - 'Search' => '', - 'Update' => '', - 'Logout' => '' - ); - - // Boards - $fieldset['Boards'] .= ulBoards(); - - if(hasPermission($config['mod']['noticeboard'])) { - if(!$config['cache']['enabled'] || !($fieldset['Noticeboard'] = cache::get('noticeboard_preview'))) { - $query = prepare("SELECT `noticeboard`.*, `username` FROM `noticeboard` LEFT JOIN `mods` ON `mods`.`id` = `mod` ORDER BY `id` DESC LIMIT :limit"); - $query->bindValue(':limit', $config['mod']['noticeboard_dashboard'], PDO::PARAM_INT); - $query->execute() or error(db_error($query)); - - $fieldset['Noticeboard'] .= '
- ' . $_body . '
' . _('(Search is case-insensitive, and based on keywords. To match exact phrases, use "quotes". Use an asterisk (*) for wildcard.)') . '
' . - '' . - 'Are you sure you want to do that?' . - 'We were unable to serve a confirmation dialog for ' . - '?/' . utf8tohtml($uri) . '' . - ', probably due to Javascript being disabled.' . - '
' . - ''; - - echo Element('page.html', array( - 'config'=>$config, - 'title'=>'Confirm', - 'body'=>$body, - 'mod'=>true - ) - ); - } elseif(preg_match('/^\/upgrade$/', $query)) { - if($mod['type'] != ADMIN) - error($config['error']['noaccess']); - - if(is_dir('.git')) { - // use git instead - - $body = 'git pull
'; - $body .= '' . str_replace("\n", '
', shell_exec('git pull')) . '
Error(s) upgrading
Tinyboard can not self-upgrade until the following is fixed:
- ';
- foreach($errors as $error) {
- $body .= '
- ' . $error . ' '; - } - $body .= '
Please fix the above errors and refresh to try again.
Upgrading seems to have gone okay. You are now at revision ' . $version . '.
' - )); - } elseif(preg_match('/^\/log(\/(\d+))?$/', $query, $match)) { - if(!hasPermission($config['mod']['modlog'])) error($config['error']['noaccess']); - - $page = isset($match[2]) ? $match[2] : 1; - - $query = prepare("SELECT `mod` as `id`, `username`, `ip`, `board`, `time`, `text` FROM `modlogs` LEFT JOIN `mods` ON `mod` = `mods`.`id` ORDER BY `time` DESC LIMIT :offset, :limit"); - $query->bindValue(':limit', $config['mod']['modlog_page'], PDO::PARAM_INT); - $query->bindValue(':offset', ($page - 1) * $config['mod']['modlog_page'], PDO::PARAM_INT); - $query->execute() or error(db_error($query)); - - if(!$query->rowCount()) { - $body = '(Nothing to display.)
'; - } else { - $body = '| ' . _('User') . ' | ' . - '' . _('IP address') . ' | ' . - '' . _('Ago') . ' | ' . - '' . _('Board') . ' | ' . - '' . _('Action') . ' | ' . - '
|---|---|---|---|---|
| ' . - ($log['username'] ? - '' . $log['username'] . '' - : '' . ($log['id'] < 0 ? 'system' : 'deleted?') . '') . - ' | ' . - '' . ($log['id'] < 0 ? '–' : '' . $log['ip'] . '') . ' | ' . - '' . ago($log['time']) . ' | ' . - '' . - ($log['board'] ? - '' . sprintf($config['board_abbreviation'], $log['board']) . ' | ' - : '-') . - '' . $log['text'] . ' | ' . - '
'; - for($x = 0; $x < $count['count'] / $config['mod']['modlog_page']; $x ++) { - $body .= '[' . ($x + 1) . '] '; - } - $body .= '
'; - } - - echo Element('page.html', array( - 'config'=>$config, - 'title'=>_('Moderation log'), - 'body'=>$body, - 'mod'=>true - ) - ); - } elseif(preg_match('/^\/themes\/none$/', $query, $match)) { - if(!hasPermission($config['mod']['themes'])) error($config['error']['noaccess']); - - // Clearsettings - query("TRUNCATE TABLE `theme_settings`") or error(db_error()); - - echo Element('page.html', array( - 'config'=>$config, - 'title'=>'No theme', - 'body'=>'Successfully uninstalled all themes.
' . - '', - 'mod'=>true - ) - ); - } elseif(preg_match('/^\/themes\/([\w\-]+)\/rebuild$/', $query, $match)) { - if(!hasPermission($config['mod']['themes'])) error($config['error']['noaccess']); - - rebuildTheme($match[1], 'all'); - - echo Element('page.html', array( - 'config'=>$config, - 'title'=>'Rebuilt', - 'body'=>'Successfully rebuilt the ' . $match[1] . ' theme.
' . - '', - 'mod'=>true - ) - ); - } elseif(preg_match('/^\/themes\/(\w+)\/uninstall$/', $query, $match)) { - if(!hasPermission($config['mod']['themes'])) error($config['error']['noaccess']); - - $query = prepare("DELETE FROM `theme_settings` WHERE `theme` = :theme"); - $query->bindValue(':theme', $match[1]); - $query->execute() or error(db_error($query)); - - echo Element('page.html', array( - 'config'=>$config, - 'title'=>'Uninstalled', - 'body'=>'Successfully uninstalled the ' . $match[1] . ' theme.
' . - '', - 'mod'=>true - ) - ); - } elseif(preg_match('/^\/themes(\/([\w\-]+))?$/', $query, $match)) { - if(!hasPermission($config['mod']['themes'])) error($config['error']['noaccess']); - - if(!is_dir($config['dir']['themes'])) - error(_('Themes directory doesn\'t exist!')); - if(!$dir = opendir($config['dir']['themes'])) - error(_('Cannot open themes directory; check permissions.')); - - if(isset($match[2])) { - $_theme = &$match[2]; - - if(!$theme = loadThemeConfig($_theme)) { - error($config['error']['invalidtheme']); - } - - if(isset($_POST['install'])) { - // Check if everything is submitted - foreach($theme['config'] as &$c) { - if(!isset($_POST[$c['name']]) && $c['type'] != 'checkbox') - error(sprintf($config['error']['required'], $c['title'])); - } - - // Clear previous settings - $query = prepare("DELETE FROM `theme_settings` WHERE `theme` = :theme"); - $query->bindValue(':theme', $_theme); - $query->execute() or error(db_error($query)); - - foreach($theme['config'] as &$c) { - $query = prepare("INSERT INTO `theme_settings` VALUES(:theme, :name, :value)"); - $query->bindValue(':theme', $_theme); - $query->bindValue(':name', $c['name']); - $query->bindValue(':value', $_POST[$c['name']]); - $query->execute() or error(db_error($query)); - } - - $query = prepare("INSERT INTO `theme_settings` VALUES(:theme, NULL, NULL)"); - $query->bindValue(':theme', $_theme); - $query->execute() or error(db_error($query)); - - $result = true; - $body = ''; - if(isset($theme['install_callback'])) { - $ret = $theme['install_callback'](themeSettings($_theme)); - if($ret && !empty($ret)) { - if(is_array($ret) && count($ret) == 2) { - $result = $ret[0]; - $ret = $ret[1]; - } - $body .= '' . $ret . '
';
- }
- }
-
- if($result) {
- $body .= 'Successfully installed and built theme.
'; - } else { - // install failed - $query = prepare("DELETE FROM `theme_settings` WHERE `theme` = :theme"); - $query->bindValue(':theme', $_theme); - $query->execute() or error(db_error($query)); - } - - $body .= ''; - - // Build themes - rebuildThemes('all'); - - echo Element('page.html', array( - 'config'=>$config, - 'title'=>($result ? 'Installed "' . utf8tohtml($theme['name']) . '"' : 'Installation failed!'), - 'body'=>$body, - 'mod'=>true - ) - ); - } else { - $body = ''; - - echo Element('page.html', array( - 'config'=>$config, - 'title'=>'Installing "' . utf8tohtml($theme['name']) . '"', - 'body'=>$body, - 'mod'=>true - ) - ); - } - } else { - - $themes_in_use = array(); - $query = query("SELECT `theme` FROM `theme_settings` WHERE `name` IS NULL AND `value` IS NULL") or error(db_error()); - while($theme = $query->fetch()) { - $themes_in_use[$theme['theme']] = true; - } - - // Scan directory for themes - $themes = array(); - while($file = readdir($dir)) { - if($file[0] != '.' && is_dir($config['dir']['themes'] . '/' . $file)) { - $themes[] = $file; - } - } - closedir($dir); - - $body = ''; - if(empty($themes)) { - $body = '(No themes installed.)
'; - } else { - $body .= '| ' . _('Name') . ' | ' . - '' . utf8tohtml($theme['name']) . ' | ' . - '
|---|---|
| ' . _('Version') . ' | ' . - '' . utf8tohtml($theme['version']) . ' | ' . - '
| ' . _('Description') . ' | ' . - '' . $theme['description'] . ' | ' . - '
| ' . _('Thumbnail') . ' | ' . - ' | ' .
- '
| ' . _('Actions') . ' | ' . - '
| ' .
- '
' . _('Uninstall all themes.') . '
'; - - echo Element('page.html', array( - 'config'=>$config, - 'title'=>_('Manage themes'), - 'body'=>$body, - 'mod'=>true - ) - ); - } - } elseif(preg_match('/^\/noticeboard\/delete\/(\d+)$/', $query, $match)) { - if(!hasPermission($config['mod']['noticeboard_delete'])) error($config['error']['noaccess']); - - $query = prepare("DELETE FROM `noticeboard` WHERE `id` = :id"); - $query->bindValue(':id', $match[1], PDO::PARAM_INT); - $query->execute() or error(db_error($query)); - - if($config['cache']['enabled']) - cache::delete('noticeboard_preview'); - - header('Location: ?/noticeboard', true, $config['redirect_http']); - } elseif(preg_match('/^\/noticeboard$/', $query)) { - if(!hasPermission($config['mod']['noticeboard'])) error($config['error']['noaccess']); - - $body = ''; - - if(hasPermission($config['mod']['noticeboard_post']) && isset($_POST['subject']) && isset($_POST['body']) && !empty($_POST['body'])) { - $query = prepare("INSERT INTO `noticeboard` VALUES (NULL, :mod, :time, :subject, :body)"); - $query->bindValue(':mod', $mod['id'], PDO::PARAM_INT); - $query->bindvalue(':time', time(), PDO::PARAM_INT); - $query->bindValue(':subject', utf8tohtml($_POST['subject'])); - - markup($_POST['body']); - $query->bindValue(':body', $_POST['body']); - $query->execute() or error(db_error($query)); - - if($config['cache']['enabled']) - cache::delete('noticeboard_preview'); - - header('Location: ?/noticeboard#' . $pdo->lastInsertId(), true, $config['redirect_http']); - } else { - - if(hasPermission($config['mod']['noticeboard_post'])) { - $body .= ''; - } - - $query = prepare("SELECT `noticeboard`.*, `username` FROM `noticeboard` LEFT JOIN `mods` ON `mods`.`id` = `mod` ORDER BY `id` DESC LIMIT :limit"); - $query->bindValue(':limit', $config['mod']['noticeboard_display'], PDO::PARAM_INT); - $query->execute() or error(db_error($query)); - while($notice = $query->fetch()) { - $body .= '' .
- (hasPermission($config['mod']['noticeboard_delete']) ?
- '[delete]'
- : '') .
- '
';
- }
-
-
- echo Element('page.html', array(
- 'config'=>$config,
- 'title'=>_('Noticeboard'),
- 'body'=>$body,
- 'mod'=>true
- )
- );
- }
- } elseif(preg_match('/^\/news\/delete\/(\d+)$/', $query, $match)) {
- if(!hasPermission($config['mod']['noticeboard_delete'])) error($config['error']['noaccess']);
-
- $query = prepare("DELETE FROM `news` WHERE `id` = :id");
- $query->bindValue(':id', $match[1], PDO::PARAM_INT);
- $query->execute() or error(db_error($query));
-
- rebuildThemes('news');
-
- header('Location: ?/news', true, $config['redirect_http']);
- } elseif(preg_match('/^\/news$/', $query)) {
- $body = '';
-
- if(hasPermission($config['mod']['news'])) {
- if(isset($_POST['subject']) && isset($_POST['body']) && !empty($_POST['body'])) {
- $query = prepare("INSERT INTO `news` VALUES (NULL, :name, :time, :subject, :body)");
-
- if(isset($_POST['name']) && hasPermission($config['mod']['news_custom']))
- $name = &$_POST['name'];
- else
- $name = &$mod['username'];
-
- $query->bindValue(':name', utf8tohtml($name), PDO::PARAM_INT);
- $query->bindvalue(':time', time(), PDO::PARAM_INT);
- $query->bindValue(':subject', utf8tohtml($_POST['subject']));
-
- markup($_POST['body']);
- $query->bindValue(':body', $_POST['body']);
- $query->execute() or error(db_error($query));
-
- rebuildThemes('news');
- }
-
- $body .= '';
- }
-
- $query = prepare("SELECT * FROM `news` ORDER BY `id` DESC LIMIT :limit");
- $query->bindValue(':limit', $config['mod']['noticeboard_display'], PDO::PARAM_INT);
- $query->execute() or error(db_error($query));
- while($news = $query->fetch()) {
- $body .= '' . - ($notice['subject'] ? - $notice['subject'] - : - '' . _('no subject') . '' - ) . - ' — by ' . - (isset($notice['username']) ? - utf8tohtml($notice['username']) - : - '???' - ) . - ' at ' . - strftime($config['post_date'], $notice['time']) . - '
' . $notice['body'] . '
' .
- (hasPermission($config['mod']['news_delete']) ?
- '[delete]'
- : '') .
- '
';
- }
-
-
- echo Element('page.html', array(
- 'config'=>$config,
- 'title'=>_('News'),
- 'body'=>$body,
- 'mod'=>true
- )
- );
- } elseif(preg_match('/^\/inbox\/readall$/', $query, $match)) {
- $query = prepare("UPDATE `pms` SET `unread` = 0 WHERE `to` = :id");
- $query->bindValue(':id', $mod['id'], PDO::PARAM_INT);
- $query->execute() or error(db_error($query));
-
- modLog('Marked all PMs as read');
-
- header('Location: ?/inbox', true, $config['redirect_http']);
- } elseif(preg_match('/^\/inbox$/', $query, $match)) {
- $query = prepare("SELECT `unread`,`pms`.`id`, `time`, `sender`, `to`, `message`, `username` FROM `pms` LEFT JOIN `mods` ON `mods`.`id` = `sender` WHERE `to` = :mod ORDER BY `unread` DESC, `time` DESC");
- $query->bindValue(':mod', $mod['id'], PDO::PARAM_INT);
- $query->execute() or error(db_error($query));
-
- if($query->rowCount() == 0) {
- $body = '' . - ($news['subject'] ? - $news['subject'] - : - '' . _('no subject') . '' - ) . - ' — by ' . - $news['name'] . - ' at ' . - strftime($config['post_date'], $news['time']) . - '
' . $news['body'] . '
(' . _('No private messages for you.') . ')
'; - } else { - $unread_pms = 0; - - $body = '| ID | From | Date | Message snippet | ' . $pm['id'] . ' | ' . - '' . - ($pm['username'] ? - '' . $pm['username'] . '' - : 'deleted?') . - ' | ' . - '' . strftime($config['post_date'], $pm['time']) . ' | ' . - '' . pm_snippet($pm['message']) . ' | ' . - ''; - - if($pm['unread']) - $unread_pms++; - } - $body .= '
|---|
Message sent successfully to ' . utf8tohtml($to['username']) . '.
', - 'mod'=>true - ) - ); - } else { - $value = ''; - if(isset($match[3])) { - $reply = &$match[3]; - - $query = prepare("SELECT `message` FROM `pms` WHERE `sender` = :sender AND `to` = :mod AND `id` = :id"); - $query->bindValue(':sender', $to['id'], PDO::PARAM_INT); - $query->bindValue(':mod', $mod['id'], PDO::PARAM_INT); - $query->bindValue(':id', $reply, PDO::PARAM_INT); - $query->execute() or error(db_error($query)); - if($pm = $query->fetch()) { - $value = quote($pm['message']); - } - } - - - $body = ''; - - echo Element('page.html', array( - 'config'=>$config, - 'title'=>'New PM for ' . utf8tohtml($to['username']), - 'body'=>$body, - 'mod'=>true - ) - ); - } - } elseif(preg_match('/^\/search$/', $query)) { - if(!hasPermission($config['mod']['search'])) error($config['error']['noaccess']); - - $body = 'Search
' . - '(Search is case-insensitive, and based on keywords. To match exact phrases, use "quotes". Use an asterisk (*) for wildcard.)
' . - ''; - } - - if(!empty($temp)) - $_body .= ''; - } - - $body .= '
'; - if(!empty($_body)) - $body .= $_body; - else - $body .= '
(No results.)
'; - } - - echo Element('page.html', array( - 'config'=>$config, - 'title'=>'Search', - 'body'=>$body, - 'mod'=>true - ) - ); - } elseif(preg_match('/^\/users$/', $query)) { - if(!hasPermission($config['mod']['manageusers'])) error($config['error']['noaccess']); - - $body = ''; - - echo Element('page.html', array( - 'config'=>$config, - 'title'=>_('Manage users'), - 'body'=>$body - ,'mod'=>true - ) - ); - } elseif(preg_match('/^\/users\/new$/', $query)) { - if(!hasPermission($config['mod']['createusers'])) error($config['error']['noaccess']); - - if(isset($_POST['username']) && isset($_POST['password'])) { - if(!isset($_POST['type'])) { - error(sprintf($config['error']['required'], 'type')); - } - - if($_POST['type'] != ADMIN && $_POST['type'] != MOD && $_POST['type'] != JANITOR) { - error(sprintf($config['error']['invalidfield'], 'type')); - } - - // Check if already exists - $query = prepare("SELECT `id` FROM `mods` WHERE `username` = :username"); - $query->bindValue(':username', $_POST['username']); - $query->execute() or error(db_error($query)); - - if($_mod = $query->fetch()) { - error(sprintf($config['error']['modexists'], $_mod['id'])); - } - - $boards = array(); - foreach($_POST as $name => $null) { - if(preg_match('/^board_(.+)$/', $name, $m)) - $boards[] = $m[1]; - } - $boards = implode(',', $boards); - - $query = prepare("INSERT INTO `mods` VALUES (NULL, :username, :password, :type, :boards)"); - $query->bindValue(':username', $_POST['username']); - $query->bindValue(':password', sha1($_POST['password'])); - $query->bindValue(':type', $_POST['type'], PDO::PARAM_INT); - $query->bindValue(':boards', $boards); - $query->execute() or error(db_error($query)); - - modLog('Create a new user: "' . $_POST['username'] . '"'); - header('Location: ?/users', true, $config['redirect_http']); - } else { - - $__boards = '- ';
- $boards = array_merge(
- array(array('uri' => '*', 'title' => 'All')
- ), listBoards());
- foreach($boards as &$_board) {
- $__boards .= '
- ' . - '' . - '' . - ' '; - } - - $body = ''; - - echo Element('page.html', array( - 'config'=>$config, - 'title'=>'New user', - 'body'=>$body - ,'mod'=>true - ) - ); - } - } elseif(preg_match('/^\/users\/(\d+)(\/(promote|demote|delete))?$/', $query, $matches)) { - $modID = &$matches[1]; - - if(isset($matches[2])) { - if($matches[3] == 'delete') { - if(!hasPermission($config['mod']['deleteusers'])) error($config['error']['noaccess']); - - $query = prepare("DELETE FROM `mods` WHERE `id` = :id"); - $query->bindValue(':id', $modID, PDO::PARAM_INT); - $query->execute() or error(db_error($query)); - - modLog('Deleted user #' . $modID); - } else { - // Promote/demote - if(!hasPermission($config['mod']['promoteusers'])) error($config['error']['noaccess']); - - if($matches[3] == 'promote') { - $query = prepare("UPDATE `mods` SET `type` = `type` + 1 WHERE `type` != :admin AND `id` = :id"); - $query->bindValue(':admin', ADMIN, PDO::PARAM_INT); - } else { - $query = prepare("UPDATE `mods` SET `type` = `type` - 1 WHERE `type` != :janitor AND `id` = :id"); - $query->bindValue(':janitor', JANITOR, PDO::PARAM_INT); - } - - $query->bindValue(':id', $modID, PDO::PARAM_INT); - $query->execute() or error(db_error($query)); - } - header('Location: ?/users', true, $config['redirect_http']); - } else { - // Edit user - if(!hasPermission($config['mod']['editusers']) && !hasPermission($config['mod']['change_password'])) - error($config['error']['noaccess']); - - $query = prepare("SELECT * FROM `mods` WHERE `id` = :id"); - $query->bindValue(':id', $modID, PDO::PARAM_INT); - $query->execute() or error(db_error($query)); - - if(!$_mod = $query->fetch()) { - error($config['error']['404']); - } - - if(!hasPermission($config['mod']['editusers']) && !(hasPermission($config['mod']['change_password']) && $mod['id'] == $_mod['id'] && $change_password_only = true)) - error($config['error']['noaccess']); - - if((isset($_POST['username']) && isset($_POST['password'])) || (isset($change_password_only) && isset($_POST['password']))) { - if(!isset($change_password_only)) { - $boards = array(); - foreach($_POST as $name => $null) { - if(preg_match('/^board_(.+)$/', $name, $m)) - $boards[] = $m[1]; - } - $boards = implode(',', $boards); - - $query = prepare("UPDATE `mods` SET `username` = :username, `boards` = :boards WHERE `id` = :id"); - $query->bindValue(':username', $_POST['username'], PDO::PARAM_STR); - $query->bindValue(':boards', $boards, PDO::PARAM_STR); - $query->bindValue(':id', $modID, PDO::PARAM_INT); - $query->execute() or error(db_error($query)); - modLog('Edited login details for user "' . $_mod['username'] . '"'); - } else { - modLog('Changed own password'); - } - if(!empty($_POST['password'])) { - $query = prepare("UPDATE `mods` SET `password` = :password WHERE `id` = :id"); - $query->bindValue(':password', sha1($_POST['password'])); - $query->bindValue(':id', $modID, PDO::PARAM_INT); - $query->execute() or error(db_error($query)); - } - - // Refresh - $query = prepare("SELECT * FROM `mods` WHERE `id` = :id"); - $query->bindValue(':id', $modID, PDO::PARAM_INT); - $query->execute() or error(db_error($query)); - - if(!$_mod = $query->fetch()) { - error($config['error']['404']); - } - - if($_mod['id'] == $mod['id']) { - // Changed own password. Update cookies - - if(!login($_mod['username'], $_mod['password'], false, true)) - error(_('Could not re-login after changing password. (?)')); - - setCookies(); - } - - if(hasPermission($config['mod']['manageusers'])) - header('Location: ?/users', true, $config['redirect_http']); - else - header('Location: ?/', true, $config['redirect_http']); - exit; - } - - $__boards = '
- ' . - ' ' . - '' . - ' '; - } - $__boards .= '
- ';
- $boards = array_merge(
- array(array('uri' => '*', 'title' => 'All')
- ), listBoards());
-
- $_mod['boards'] = explode(',', $_mod['boards']);
- foreach($boards as &$_board) {
- $__boards .= '
' .
- '
' . - 'Board: ' . sprintf($config['board_abbreviation'], $report['board']) . '
' . - 'Reason: ' . $report['reason'] . '
' . - 'Report date: ' . strftime($config['post_date'], $report['time']) . '
' . - (hasPermission($config['mod']['show_ip']) ? - 'Reported by: ' . $report['ip'] . '
' - : '') . - '
' . - (hasPermission($config['mod']['report_dismiss']) ? - 'Dismiss | ' : '') . - (hasPermission($config['mod']['report_dismiss_ip']) ? - 'Dismiss+' : '') . - '
';
-
- // Bug fix for https://github.com/savetheinternet/Tinyboard/issues/21
- $po->body = truncate($po->body, $po->link(), $config['body_truncate'] - substr_count($append_html, '' . - 'Board: ' . sprintf($config['board_abbreviation'], $report['board']) . '
' . - 'Reason: ' . $report['reason'] . '
' . - 'Report date: ' . strftime($config['post_date'], $report['time']) . '
' . - (hasPermission($config['mod']['show_ip']) ? - 'Reported by: ' . $report['ip'] . '
' - : '') . - '
' . - (hasPermission($config['mod']['report_dismiss']) ? - 'Dismiss | ' : '') . - (hasPermission($config['mod']['report_dismiss_ip']) ? - 'Dismiss+' : '') . - '
')); - - if(mb_strlen($po->body) + mb_strlen($append_html) > $config['body_truncate_char']) { - // still too long. temporarily increase limit in the config - $__old_body_truncate_char = $config['body_truncate_char']; - $config['body_truncate_char'] = mb_strlen($po->body) + mb_strlen($append_html); - } - - $po->body .= $append_html; - - $body .= $po->build(true) . '
'; - - if(isset($__old_body_truncate_char)) - $config['body_truncate_char'] = $__old_body_truncate_char; - } - - $query = query("SELECT COUNT(`id`) AS `count` FROM `reports`") or error(db_error()); - $count = $query->fetch(); - - $body .= '
Showing ' . - ($reports == $count['count'] ? 'all ' . $reports . ' reports' : $reports . ' of ' . $count['count'] . ' reports') . '.
'; - - echo Element('page.html', array( - 'config'=>$config, - 'title'=>_('Report queue') . ' (' . $count['count'] . ')', - 'body'=>$body, - 'mod'=>true - )); - } elseif(preg_match('/^\/reports\/(\d+)\/dismiss(\/all)?$/', $query, $matches)) { - if(isset($matches[2]) && $matches[2] == '/all') { - if(!hasPermission($config['mod']['report_dismiss_ip'])) error($config['error']['noaccess']); - - $query = prepare("SELECT `ip` FROM `reports` WHERE `id` = :id"); - $query->bindValue(':id', $matches[1], PDO::PARAM_INT); - $query->execute() or error(db_error($query)); - - if($report = $query->fetch()) { - $query = prepare("DELETE FROM `reports` WHERE `ip` = :ip"); - $query->bindValue(':ip', $report['ip'], PDO::PARAM_INT); - $query->execute() or error(db_error($query)); - - modLog('Dismissed all reports by ' . $report['ip']); - } - } else { - if(!hasPermission($config['mod']['report_dismiss'])) error($config['error']['noaccess']); - - $query = prepare("SELECT `post`, `board` FROM `reports` WHERE `id` = :id"); - $query->bindValue(':id', $matches[1], PDO::PARAM_INT); - $query->execute() or error(db_error($query)); - - if($report = $query->fetch()) { - modLog('Dismissed a report for post #' . $report['post'], $report['board']); - - $query = prepare("DELETE FROM `reports` WHERE `post` = :post AND `board` = :board"); - $query->bindValue(':board', $report['board'], PDO::PARAM_INT); - $query->bindValue(':post', $report['post'], PDO::PARAM_INT); - $query->execute() or error(db_error($query)); - } - } - - // Redirect - header('Location: ?/reports', true, $config['redirect_http']); - } elseif(preg_match('/^\/(\w+)\/edit(\/delete)?$/', $query, $matches)) { - if(!hasPermission($config['mod']['manageboards'])) error($config['error']['noaccess']); - - if(!openBoard($matches[1])) - error($config['error']['noboard']); - - if(isset($matches[2]) && $matches[2] == '/delete') { - if(!hasPermission($config['mod']['deleteboard'])) error($config['error']['noaccess']); - // Delete board - - modLog('Deleted board ' . sprintf($config['board_abbreviation'], $board['uri'])); - - // Delete entire board directory - rrmdir($board['uri'] . '/'); - - // Delete posting table - $query = query(sprintf("DROP TABLE IF EXISTS `posts_%s`", $board['uri'])) or error(db_error()); - - // Clear reports - $query = prepare("DELETE FROM `reports` WHERE `board` = :id"); - $query->bindValue(':id', $board['uri'], PDO::PARAM_INT); - $query->execute() or error(db_error($query)); - - // Delete from table - $query = prepare("DELETE FROM `boards` WHERE `uri` = :uri"); - $query->bindValue(':uri', $board['uri'], PDO::PARAM_INT); - $query->execute() or error(db_error($query)); - - if($config['cache']['enabled']) { - cache::delete('board_' . $board['uri']); - cache::delete('all_boards'); - } - - $query = prepare("SELECT `board`, `post` FROM `cites` WHERE `target_board` = :board"); - $query->bindValue(':board', $board['uri']); - $query->execute() or error(db_error($query)); - while($cite = $query->fetch()) { - if($board['uri'] != $cite['board']) { - if(!isset($tmp_board)) - $tmp_board = $board; - openBoard($cite['board']); - rebuildPost($cite['post']); - } - } - - if(isset($tmp_board)) - $board = $tmp_board; - - $query = prepare("DELETE FROM `cites` WHERE `board` = :board OR `target_board` = :board"); - $query->bindValue(':board', $board['uri']); - $query->execute() or error(db_error($query)); - - $query = prepare("DELETE FROM `antispam` WHERE `board` = :board"); - $query->bindValue(':board', $board['uri']); - $query->execute() or error(db_error($query)); - - $_board = $board; - - rebuildThemes('boards'); - - $board = $_board; - - header('Location: ?/', true, $config['redirect_http']); - } else { - if(isset($_POST['title']) && isset($_POST['subtitle'])) { - $query = prepare("UPDATE `boards` SET `title` = :title, `subtitle` = :subtitle WHERE `uri` = :uri"); - $query->bindValue(':title', utf8tohtml($_POST['title'], true)); - - if(!empty($_POST['subtitle'])) - $query->bindValue(':subtitle', utf8tohtml($_POST['subtitle'], true)); - else - $query->bindValue(':subtitle', null, PDO::PARAM_NULL); - - $query->bindValue(':uri', $board['uri']); - $query->execute() or error(db_error($query)); - - if($config['cache']['enabled']) { - cache::delete('board_' . $board['uri']); - cache::delete('all_boards'); - } - - $_board = $board; - - rebuildThemes('boards'); - - $board = $_board; - - openBoard($board['uri']); - } - - $body = - ''; - - echo Element('page.html', array( - 'config'=>$config, - 'title'=>'Manage – ' . sprintf($config['board_abbreviation'], $board['uri']), - 'body'=>$body, - 'mod'=>true - )); - } - } elseif(preg_match('/^\/bans$/', $query)) { - if(!hasPermission($config['mod']['view_banlist'])) error($config['error']['noaccess']); - - if(isset($_POST['unban'])) { - if(!hasPermission($config['mod']['unban'])) error($config['error']['noaccess']); - - foreach($_POST as $post => $value) { - if(preg_match('/^ban_(\d+)$/', $post, $m)) { - removeBan($m[1]); - } - } - } - if(hasPermission($config['mod']['view_banexpired'])) { - $query = prepare("SELECT `bans`.*, `username` FROM `bans` LEFT JOIN `mods` ON `mod` = `mods`.`id` ORDER BY (`expires` IS NOT NULL AND `expires` < :time), `set` DESC"); - $query->bindValue(':time', time(), PDO::PARAM_INT); - $query->execute() or error(db_error($query)); - } else { - // Filter out expired bans - $query = prepare("SELECT `bans`.*, `username` FROM `bans` INNER JOIN `mods` ON `mod` = `mods`.`id` WHERE `expires` = 0 OR `expires` > :time ORDER BY `set` DESC"); - $query->bindValue(':time', time(), PDO::PARAM_INT); - $query->execute() or error(db_error($query)); - } - - if($query->rowCount() < 1) { - $body = '(There are no active bans.)
'; - } else { - $body = '' . $body . '
', - 'mod'=>true - )); - } elseif(preg_match('/^\/rebuild$/', $query)) { - if(!hasPermission($config['mod']['rebuild'])) error($config['error']['noaccess']); - - set_time_limit($config['mod']['rebuild_timelimit']); - - $body = 'Rebuilding…
';
-
- $body .= 'Clearing template cache…
';
-
- load_twig();
- $twig->clearCacheFiles();
+ '/noticeboard' => 'noticeboard', // view noticeboard
+ '/noticeboard/(\d+)' => 'noticeboard', // view noticeboard
+ '/noticeboard/delete/(\d+)' => 'noticeboard_delete',// delete from noticeboard
+ '/log' => 'log', // modlog
+ '/log/(\d+)' => 'log', // modlog
+ '/news' => 'news', // view news
+ '/news/(\d+)' => 'news', // view news
+ '/news/delete/(\d+)' => 'news_delete', // delete from news
- $body .= 'Regenerating theme files…
';
- rebuildThemes('all');
-
- $body .= 'Generating Javascript file…
';
- buildJavascript();
-
- $main_js = $config['file_script'];
-
- $boards = listBoards();
-
- foreach($boards as &$board) {
- $body .= "Opening board /{$board['uri']}/
";
- openBoard($board['uri']);
-
- $body .= 'Creating index pages
';
- buildIndex();
-
- if($config['file_script'] != $main_js) {
- // different javascript file
- $body .= 'Generating Javascript file…
';
- buildJavascript();
- }
-
- $query = query(sprintf("SELECT `id` FROM `posts_%s` WHERE `thread` IS NULL", $board['uri'])) or error(db_error());
- while($post = $query->fetch()) {
- $body .= "Rebuilding #{$post['id']}
";
- buildThread($post['id']);
- }
- }
- $body .= 'Complete!
' . - '[Edit using web editor]' : '') . - '
'; - - echo Element('page.html', array( - 'config'=>$config, - 'title'=>_('Configuration'), - 'body'=>$body, - 'mod'=>true - ) - ); - } elseif(preg_match('/^\/new$/', $query)) { - if(!hasPermission($config['mod']['newboard'])) error($config['error']['noaccess']); - - // New board - $body = ''; - - if(isset($_POST['new_board'])) { - // Create new board - if( !isset($_POST['uri']) || - !isset($_POST['title']) || - !isset($_POST['subtitle']) - ) error($config['error']['missedafield']); - - $b = array( - 'uri' => $_POST['uri'], - 'title' => $_POST['title'], - 'subtitle' => $_POST['subtitle'] - ); - - // HTML characters - $b['title'] = utf8tohtml($b['title'], true); - $b['subtitle'] = utf8tohtml($b['subtitle'], true); - - // Check required fields - if(empty($b['uri'])) - error(sprintf($config['error']['required'], 'URI')); - if(empty($b['title'])) - error(sprintf($config['error']['required'], 'title')); - - if(!preg_match('/^\w+$/', $b['uri'])) - error(sprintf($config['error']['invalidfield'], 'URI')); - - if(openBoard($b['uri'])) { - unset($board); - error(sprintf($config['error']['boardexists'], sprintf($config['board_abbreviation'], $b['uri']))); - } - - $query = prepare("INSERT INTO `boards` VALUES (:uri, :title, :subtitle)"); - $query->bindValue(':uri', $b['uri']); - $query->bindValue(':title', $b['title']); - if(!empty($b['subtitle'])) { - $query->bindValue(':subtitle', $b['subtitle']); - } else { - $query->bindValue(':subtitle', null, PDO::PARAM_NULL); - } - $query->execute() or error(db_error($query)); - - // Record the action - modLog("Created a new board: {$b['title']}"); - - // Open the board - openBoard($b['uri']) or error(_("Couldn't open board after creation.")); - - // Create the posts table - query(Element('posts.sql', array('board' => $board['uri']))) or error(db_error()); - - if($config['cache']['enabled']) - cache::delete('all_boards'); - - // Build the board - buildIndex(); - - rebuildThemes('boards'); - - header('Location: ?/' . $b['uri'] . '/' . $config['file_index'], true, $config['redirect_http']); - } else { - - $body .= form_newBoard(); - - // TODO: Statistics, etc, in the dashboard. - - echo Element('page.html', array( - 'config'=>$config, - 'title'=>'New board', - 'body'=>$body, - 'mod'=>true - ) - ); - } - } elseif(preg_match('/^\/' . $regex['board'] . '(' . $regex['index'] . '|' . $regex['page'] . ')?$/', $query, $matches)) { - // Board index - - $boardName = &$matches[1]; - - // Open board - if(!openBoard($boardName)) - error($config['error']['noboard']); - - $page_no = empty($matches[2]) || $matches[2] == $config['file_index'] ? 1 : $matches[2]; - - if(!$page = index($page_no, $mod)) { - error($config['error']['404']); - } - - $page['pages'] = getPages(true); - $page['pages'][$page_no-1]['selected'] = true; - $page['btn'] = getPageButtons($page['pages'], true); - $page['mod'] = true; - echo Element('index.html', $page); - } elseif(preg_match('/^\/' . $regex['board'] . $regex['res'] . $regex['page'] . '$/', $query, $matches)) { - // View thread - - $boardName = &$matches[1]; - $thread = &$matches[2]; - // Open board - if(!openBoard($boardName)) - error($config['error']['noboard']); - - $page = buildThread($thread, true, $mod); - - echo $page; - } elseif(preg_match('/^\/' . $regex['board'] . 'edit\/(\d+)$/', $query, $matches)) { - // Edit post body - - $boardName = &$matches[1]; - - // Open board - if(!openBoard($boardName)) - error($config['error']['noboard']); - - if(!hasPermission($config['mod']['editpost'], $boardName)) error($config['error']['noaccess']); - - $postID = &$matches[2]; - - $query = prepare(sprintf("SELECT `body_nomarkup`, `name`, `subject`, `thread` FROM `posts_%s` WHERE `id` = :id", $board['uri'])); - $query->bindValue(':id', $postID, PDO::PARAM_INT); - $query->execute() or error(db_error($query)); - $post = $query->fetch() or error($config['error']['invalidpost']); - - if(isset($_POST['submit']) && isset($_POST['body']) && isset($_POST['subject'])) { - if(mb_strlen($_POST['subject']) > 100) - error(sprintf($config['error']['toolong'], 'subject')); - - $body = $_POST['body']; - $body_nomarkup = $body; - - wordfilters($body); - $tracked_cites = markup($body, true); - - $query = prepare("DELETE FROM `cites` WHERE `board` = :board AND `post` = :post"); - $query->bindValue(':board', $board['uri']); - $query->bindValue(':post', $postID, PDO::PARAM_INT); - $query->execute() or error(db_error($query)); - - $query = prepare(sprintf("UPDATE `posts_%s` SET `body` = :body, `body_nomarkup` = :body_nomarkup, `subject` = :subject WHERE `id` = :id", $board['uri'])); - $query->bindValue(':id', $postID, PDO::PARAM_INT); - $query->bindValue(':body', $body); - $query->bindValue(':body_nomarkup', $body_nomarkup); - $query->bindValue(':subject', utf8tohtml($_POST['subject'])); - $query->execute() or error(db_error($query)); - - if(isset($tracked_cites)) { - foreach($tracked_cites as $cite) { - $query = prepare('INSERT INTO `cites` VALUES (:board, :post, :target_board, :target)'); - $query->bindValue(':board', $board['uri']); - $query->bindValue(':post', $postID, PDO::PARAM_INT); - $query->bindValue(':target_board',$cite[0]); - $query->bindValue(':target', $cite[1], PDO::PARAM_INT); - $query->execute() or error(db_error($query)); - } - } + '/edit/(\w+)' => 'edit_board', // edit board details + '/new-board' => 'new_board', // create a new board - // Record the action - modLog("Edited post #{$postID}"); - - buildThread($post['thread'] ? $post['thread'] : $postID); - - // Rebuild board - buildIndex(); - - // Redirect - header('Location: ?/' . sprintf($config['board_path'], $boardName) . $config['file_index'], true, $config['redirect_http']); - exit; - } - - $post['body_nomarkup'] = utf8tohtml($post['body_nomarkup']); - - if($config['minify_html']) - $post['body_nomarkup'] = str_replace("\n", ' ', $post['body_nomarkup']); - - $body = ''; - - echo Element('page.html', array( - 'config' => $config, - 'body' => $body, - 'title' => 'Edit Post #' . $postID - )); - } elseif(preg_match('/^\/' . $regex['board'] . 'deletefile\/(\d+)$/', $query, $matches)) { - // Delete file from post - - $boardName = &$matches[1]; - - // Open board - if(!openBoard($boardName)) - error($config['error']['noboard']); - - if(!hasPermission($config['mod']['deletefile'], $boardName)) error($config['error']['noaccess']); - - $post = &$matches[2]; - - // Delete post - deleteFile($post); - - // Record the action - modLog("Removed file from post #{$post}"); - - // Rebuild board - buildIndex(); - - // Redirect - header('Location: ?/' . sprintf($config['board_path'], $boardName) . $config['file_index'], true, $config['redirect_http']); - } elseif(preg_match('/^\/' . $regex['board'] . 'delete\/(\d+)$/', $query, $matches)) { - // Delete post - - $boardName = &$matches[1]; - - // Open board - if(!openBoard($boardName)) - error($config['error']['noboard']); - - if(!hasPermission($config['mod']['delete'], $boardName)) - error($config['error']['noaccess']); - - $post = &$matches[2]; - - // Delete post - deletePost($post); - - // Record the action - modLog("Deleted post #{$post}"); - - // Rebuild board - buildIndex(); - - // Redirect - header('Location: ?/' . sprintf($config['board_path'], $boardName) . $config['file_index'], true, $config['redirect_http']); - } elseif(preg_match('/^\/' . $regex['board'] . '(un)?sticky\/(\d+)$/', $query, $matches)) { - // Add/remove sticky - - $boardName = &$matches[1]; - - // Open board - if(!openBoard($boardName)) - error($config['error']['noboard']); - - if(!hasPermission($config['mod']['sticky'], $boardName)) error($config['error']['noaccess']); - - $post = &$matches[3]; - - $query = prepare(sprintf("UPDATE `posts_%s` SET `sticky` = :sticky WHERE `id` = :id AND `thread` IS NULL", $board['uri'])); - $query->bindValue(':id', $post, PDO::PARAM_INT); - - if($matches[2] == 'un') { - // Record the action - modLog("Unstickied post #{$post}"); - $query->bindValue(':sticky', 0, PDO::PARAM_INT); - } else { - // Record the action - modLog("Stickied post #{$post}"); - $query->bindValue(':sticky', 1, PDO::PARAM_INT); - } - - $query->execute() or error(db_error($query)); - - buildIndex(); - buildThread($post); - - - // Redirect - header('Location: ?/' . sprintf($config['board_path'], $boardName) . $config['file_index'], true, $config['redirect_http']); - } elseif(preg_match('/^\/' . $regex['board'] . '(un)?lock\/(\d+)$/', $query, $matches)) { - // Lock/Unlock - - $boardName = &$matches[1]; - - // Open board - if(!openBoard($boardName)) - error($config['error']['noboard']); - - if(!hasPermission($config['mod']['lock'], $boardName)) error($config['error']['noaccess']); - - $post = &$matches[3]; - - $query = prepare(sprintf("UPDATE `posts_%s` SET `locked` = :locked WHERE `id` = :id AND `thread` IS NULL", $board['uri'])); - $query->bindValue(':id', $post, PDO::PARAM_INT); - - if($matches[2] == 'un') { - // Record the action - modLog("Unlocked post #{$post}"); - $query->bindValue(':locked', 0, PDO::PARAM_INT); - } else { - // Record the action - modLog("Locked post #{$post}"); - $query->bindValue(':locked', 1, PDO::PARAM_INT); - } - - $query->execute() or error(db_error($query)); - - buildIndex(); - buildThread($post); - - - // Redirect - header('Location: ?/' . sprintf($config['board_path'], $boardName) . $config['file_index'], true, $config['redirect_http']); - } elseif(preg_match('/^\/' . $regex['board'] . 'bump(un)?lock\/(\d+)$/', $query, $matches)) { - // Lock/Unlock - - $boardName = &$matches[1]; - // Open board - if(!openBoard($boardName)) - error($config['error']['noboard']); - - if(!hasPermission($config['mod']['bumplock'], $boardName)) error($config['error']['noaccess']); - - $post = &$matches[3]; - - $query = prepare(sprintf("UPDATE `posts_%s` SET `sage` = :bumplocked WHERE `id` = :id AND `thread` IS NULL", $board['uri'])); - $query->bindValue(':id', $post, PDO::PARAM_INT); - - if($matches[2] == 'un') { - // Record the action - modLog("Unbumplocked post #{$post}"); - $query->bindValue(':bumplocked', 0, PDO::PARAM_INT); - } else { - // Record the action - modLog("Bumplocked post #{$post}"); - $query->bindValue(':bumplocked', 1, PDO::PARAM_INT); - } - - $query->execute() or error(db_error($query)); - - buildIndex(); - buildThread($post); - - - // Redirect - header('Location: ?/' . sprintf($config['board_path'], $boardName) . $config['file_index'], true, $config['redirect_http']); - } elseif(preg_match('/^\/' . $regex['board'] . 'deletebyip\/(\d+)(\/global)?$/', $query, $matches)) { - // Delete all posts by an IP - - $boardName = &$matches[1]; - $post = &$matches[2]; - $global = isset($matches[3]) && $matches[3] == '/global'; - - // Open board - if(!openBoard($boardName)) - error($config['error']['noboard']); - - $query = prepare(sprintf("SELECT `ip` FROM `posts_%s` WHERE `id` = :id", $board['uri'])); - $query->bindValue(':id', $post); - $query->execute() or error(db_error($query)); - - if(!$post = $query->fetch()) - error($config['error']['invalidpost']); - - $ip = $post['ip']; - - if($global) - $boards = listBoards(); - else - $boards = array(array('uri' => $board['uri'])); - - $query = ''; - foreach($boards as $_board) { - $query .= sprintf("SELECT `id`, '%s' AS `board` FROM `posts_%s` WHERE `ip` = :ip UNION ALL ", $_board['uri'], $_board['uri']); - } - $query = preg_replace('/UNION ALL $/', '', $query); - - $query = prepare($query); - $query->bindValue(':ip', $ip); - $query->execute() or error(db_error($query)); - - if($query->rowCount() < 1) - error($config['error']['invalidpost']); - - $boards = array(); - while($post = $query->fetch()) { - openBoard($post['board']); - $boards[] = $post['board']; - - deletePost($post['id'], false); - } - - foreach($boards as &$_board) { - openBoard($_board); - buildIndex(); - } - - // Record the action - modLog("Deleted all posts by IP address: {$ip}"); - - header('Location: ?/' . sprintf($config['board_path'], $boardName) . $config['file_index'], true, $config['redirect_http']); - } elseif(preg_match('/^\/ban$/', $query)) { - if(!hasPermission($config['mod']['ban'])) error($config['error']['noaccess']); - // Ban page - - if(isset($_POST['new_ban'])) { - if( !isset($_POST['ip']) || - !isset($_POST['reason']) || - !isset($_POST['length']) - ) error($config['error']['missedafield']); - - // Check required fields - if(empty($_POST['ip'])) - error(sprintf($config['error']['required'], 'IP address')); - - $query = prepare("INSERT INTO `bans` VALUES (NULL, :ip, :mod, :set, :expires, :reason, :board)"); - - // 1yr2hrs30mins - // 1y2h30m - $expire = 0; - if(preg_match('/^((\d+)\s?ye?a?r?s?)?\s?+((\d+)\s?mon?t?h?s?)?\s?+((\d+)\s?we?e?k?s?)?\s?+((\d+)\s?da?y?s?)?((\d+)\s?ho?u?r?s?)?\s?+((\d+)\s?mi?n?u?t?e?s?)?\s?+((\d+)\s?se?c?o?n?d?s?)?$/', $_POST['length'], $m)) { - if(isset($m[2])) { - // Years - $expire += $m[2]*60*60*24*365; - } - if(isset($m[4])) { - // Months - $expire += $m[4]*60*60*24*30; - } - if(isset($m[6])) { - // Weeks - $expire += $m[6]*60*60*24*7; - } - if(isset($m[8])) { - // Days - $expire += $m[8]*60*60*24; - } - if(isset($m[10])) { - // Hours - $expire += $m[10]*60*60; - } - if(isset($m[12])) { - // Minutes - $expire += $m[12]*60; - } - if(isset($m[14])) { - // Seconds - $expire += $m[14]; - } - } - if($expire) { - $query->bindValue(':expires', time()+$expire, PDO::PARAM_INT); - } else { - // Never expire - $query->bindValue(':expires', null, PDO::PARAM_NULL); - } - - $query->bindValue(':ip', $_POST['ip'], PDO::PARAM_STR); - $query->bindValue(':mod', $mod['id'], PDO::PARAM_INT); - $query->bindValue(':set', time(), PDO::PARAM_INT); - - - - if(!empty($_POST['reason'])) { - $reason = $_POST['reason']; - markup($reason); - $query->bindValue(':reason', $reason, PDO::PARAM_STR); - } else { - $query->bindValue(':reason', null, PDO::PARAM_NULL); - } - - if($_POST['board'] == '') { - $query->bindValue(':board', null, PDO::PARAM_NULL); - } else { - $query->bindValue(':board', $_POST['board'], PDO::PARAM_INT); - } - - // Record the action - modLog('Created a ' . ($expire ? $expire . ' second' : 'permanent') . " ban for {$_POST['ip']} with " . (!empty($_POST['reason']) ? "reason \"${reason}\"" : 'no reason')); - - $query->execute() or error(db_error($query)); - - if(isset($_POST['board'])) - openBoard($_POST['board']); - - // Delete too - if(isset($_POST['delete']) && isset($_POST['board']) && hasPermission($config['mod']['delete'], $_POST['board'])) { - $post = round($_POST['delete']); - - deletePost($post); - - // Record the action - modLog("Deleted post #{$post}"); - - // Rebuild board - buildIndex(); - } - - if(hasPermission($config['mod']['public_ban']) && isset($_POST['post']) && isset($_POST['board']) && isset($_POST['public_message']) && isset($_POST['message'])) { - $post = round($_POST['post']); - - $query = prepare(sprintf("UPDATE `posts_%s` SET `body` = CONCAT(`body`, :body) WHERE `id` = :id", $board['uri'])); - $query->bindValue(':id', $post, PDO::PARAM_INT); - $query->bindValue(':body', sprintf($config['mod']['ban_message'], utf8tohtml($_POST['message']))); - $query->execute() or error(db_error($query)); - - // Rebuild thread - $query = prepare(sprintf("SELECT `thread` FROM `posts_%s` WHERE `id` = :id", $board['uri'])); - $query->bindValue(':id', $post, PDO::PARAM_INT); - $query->execute() or error(db_error($query)); - $thread = $query->fetch(); - if($thread['thread']) - buildThread($thread['thread']); - else - buildThread($post); - - // Rebuild board - buildIndex(); - - // Record the action - modLog("Attached a public ban message for post #{$post}: " . $_POST['message']); - } - - // Redirect - if(isset($_POST['continue'])) - header('Location: ' . $_POST['continue'], true, $config['redirect_http']); - elseif(isset($board)) - header('Location: ?/' . sprintf($config['board_path'], $boardName) . $config['file_index'], true, $config['redirect_http']); - else - header('Location: ?/', true, $config['redirect_http']); + '/rebuild' => 'rebuild', // rebuild static files + '/reports' => 'reports', // report queue + '/reports/(\d+)/dismiss(all)?' => 'report_dismiss', // dismiss a report + + '/ban' => 'ban', // new ban + '/IP/([\w.:]+)' => 'ip', // view ip address + '/IP/([\w.:]+)/remove_note/(\d+)' => 'ip_remove_note', // remove note from ip address + '/bans' => 'bans', // ban list + '/bans/(\d+)' => 'bans', // ban list + + '/(\w+)/delete/(\d+)' => 'delete', // delete post + '/(\w+)/ban(&delete)?/(\d+)' => 'ban_post', // ban poster + '/(\w+)/deletefile/(\d+)' => 'deletefile', // delete file from post + '/(\w+)/deletebyip/(\d+)(/global)?' => 'deletebyip', // delete all posts by IP address + '/(\w+)/(un)?lock/(\d+)' => 'lock', // lock thread + '/(\w+)/(un)?sticky/(\d+)' => 'sticky', // sticky thread + '/(\w+)/bump(un)?lock/(\d+)' => 'bumplock', // "bumplock" thread + '/(\w+)/move/(\d+)' => 'move', // move thread + + '/themes' => 'themes_list', // manage themes + '/themes/(\w+)' => 'theme_configure', // configure/reconfigure theme + '/themes/(\w+)/rebuild' => 'theme_rebuild', // rebuild theme + '/themes/(\w+)/uninstall' => 'theme_uninstall', // uninstall theme + + '/config' => 'config', // config editor + + // these pages aren't listed in the dashboard without $config['debug'] + '/debug/antispam' => 'debug_antispam', + + // This should always be at the end: + '/(\w+)/' => 'view_board', + '/(\w+)/' . preg_quote($config['file_index'], '!') => 'view_board', + '/(\w+)/' . str_replace('%d', '(\d+)', preg_quote($config['file_page'], '!')) => 'view_board', + '/(\w+)/' . preg_quote($config['dir']['res'], '!') . + str_replace('%d', '(\d+)', preg_quote($config['file_page'], '!')) => 'view_thread', +); + + + +if (!$mod) { + $pages = array('!!' => 'login'); +} elseif (isset($_GET['status'], $_GET['r'])) { + header('Location: ' . $_GET['r'], true, (int)$_GET['status']); + exit; +} + +if (isset($config['mod']['custom_pages'])) { + $pages = array_merge($pages, $config['mod']['custom_pages']); +} + +$new_pages = array(); +foreach ($pages as $key => $callback) { + $new_pages[@$key[0] == '!' ? $key : "!^$key$!"] = $callback; +} +$pages = $new_pages; + +foreach ($pages as $uri => $handler) { + if (preg_match($uri, $query, $matches)) { + $matches = array_slice($matches, 1); + + if ($config['debug']) { + $debug['mod_page'] = array( + 'req' => $query, + 'match' => $uri, + 'handler' => $handler + ); } - } elseif(preg_match('/^\/' . $regex['board'] . 'move\/(\d+)$/', $query, $matches)) { - - $boardName = &$matches[1]; - $postID = $matches[2]; - - // Open board - if(!openBoard($boardName)) - error($config['error']['noboard']); - if(!hasPermission($config['mod']['move'], $boardName)) error($config['error']['noaccess']); - - if(isset($_POST['board'])) { - $targetBoard = $_POST['board']; - $shadow = isset($_POST['shadow']); - - if($targetBoard == $boardName) - error(_("Target and source board are the same.")); - - // copy() if leaving a shadow thread behind. otherwise, rename(). - $clone = $shadow ? 'copy' : 'rename'; - - $query = prepare(sprintf("SELECT * FROM `posts_%s` WHERE `thread` IS NULL AND `id` = :id", $board['uri'])); - $query->bindValue(':id', $postID, PDO::PARAM_INT); - $query->execute() or error(db_error($query)); - if(!$post = $query->fetch()) { - error($config['error']['nonexistant']); - } - $post['op'] = true; - - if($post['file']) { - $post['has_file'] = true; - $post['width'] = &$post['filewidth']; - $post['height'] = &$post['fileheight']; - - $file_src = sprintf($config['board_path'], $board['uri']) . $config['dir']['img'] . $post['file']; - $file_thumb = sprintf($config['board_path'], $board['uri']) . $config['dir']['thumb'] . $post['thumb']; - } else $post['has_file'] = false; - - // allow thread to keep its same traits (stickied, locked, etc.) - $post['mod'] = true; - - if(!openBoard($targetBoard)) - error($config['error']['noboard']); - - $newID = post($post); - - if($post['has_file']) { - $clone($file_src, sprintf($config['board_path'], $board['uri']) . $config['dir']['img'] . $post['file']); - $clone($file_thumb, sprintf($config['board_path'], $board['uri']) . $config['dir']['thumb'] . $post['thumb']); - } - - // move replies too... - openBoard($boardName); - - $query = prepare(sprintf("SELECT * FROM `posts_%s` WHERE `thread` = :id ORDER BY `id`", $board['uri'])); - $query->bindValue(':id', $postID, PDO::PARAM_INT); - $query->execute() or error(db_error($query)); - - $replies = array(); - while($post = $query->fetch()) { - $post['mod'] = true; - $post['thread'] = $newID; - - if($post['file']) { - $post['has_file'] = true; - $post['width'] = &$post['filewidth']; - $post['height'] = &$post['fileheight']; - - $post['file_src'] = sprintf($config['board_path'], $board['uri']) . $config['dir']['img'] . $post['file']; - $post['file_thumb'] = sprintf($config['board_path'], $board['uri']) . $config['dir']['thumb'] . $post['thumb']; - } else $post['has_file'] = false; - - $replies[] = $post; - } - - $newIDs = array($postID => $newID); - - openBoard($targetBoard); - foreach($replies as &$post) { - $query = prepare("SELECT `target` FROM `cites` WHERE `target_board` = :board AND `board` = :board AND `post` = :post"); - $query->bindValue(':board', $boardName); - $query->bindValue(':post', $post['id'], PDO::PARAM_INT); - $query->execute() or error(db_error($qurey)); - while($cite = $query->fetch(PDO::FETCH_ASSOC)) { - if(isset($newIDs[$cite['target']])) { - $post['body_nomarkup'] = preg_replace( - '/(>>(>\/' . preg_quote($boardName, '/') . '\/)?)' . preg_quote($cite['target'], '/') . '/', - '>>' . $newIDs[$cite['target']], - $post['body_nomarkup']); - - $post['body'] = $post['body_nomarkup']; - } - } - $post['op'] = false; - $post['tracked_cites'] = markup($post['body'], true); - - $newIDs[$post['id']] = $newPostID = post($post); - - if($post['has_file']) { - $clone($post['file_src'], sprintf($config['board_path'], $board['uri']) . $config['dir']['img'] . $post['file']); - $clone($post['file_thumb'], sprintf($config['board_path'], $board['uri']) . $config['dir']['thumb'] . $post['thumb']); - } - - foreach($post['tracked_cites'] as $cite) { - $query = prepare('INSERT INTO `cites` VALUES (:board, :post, :target_board, :target)'); - $query->bindValue(':board', $board['uri']); - $query->bindValue(':post', $newPostID, PDO::PARAM_INT); - $query->bindValue(':target_board',$cite[0]); - $query->bindValue(':target', $cite[1], PDO::PARAM_INT); - $query->execute() or error(db_error($query)); - } - } - - // build thread - buildThread($newID); - buildIndex(); - - // trigger themes - rebuildThemes('post'); - - openBoard($boardName); - - if($shadow) { - // lock thread - $query = prepare(sprintf("UPDATE `posts_%s` SET `locked` = 1 WHERE `id` = :id", $board['uri'])); - $query->bindValue(':id', $postID, PDO::PARAM_INT); - $query->execute() or error(db_error($query)); - - $post = array( - 'mod' => true, - 'subject' => '', - 'email' => '', - 'name' => $config['mod']['shadow_name'], - 'capcode' => $config['mod']['shadow_capcode'], - 'trip' => '', - 'body' => sprintf($config['mod']['shadow_mesage'], '>>>/' . $targetBoard . '/' . $newID), - 'password' => '', - 'has_file' => false, - // attach to original thread - 'thread' => $postID, - 'op' => false - ); - - markup($post['body']); - - $botID = post($post); - buildThread($postID); - - header('Location: ?/' . sprintf($config['board_path'], $boardName) . $config['dir']['res'] . sprintf($config['file_page'], $postID) . '#' . $botID, true, $config['redirect_http']); + if (is_string($handler)) { + if ($handler[0] == ':') { + header('Location: ' . substr($handler, 1), true, $config['redirect_http']); + } elseif (is_callable("mod_page_$handler")) { + call_user_func_array("mod_page_$handler", $matches); + } elseif (is_callable("mod_$handler")) { + call_user_func_array("mod_$handler", $matches); } else { - deletePost($postID); - buildIndex(); - - openBoard($targetBoard); - header('Location: ?/' . sprintf($config['board_path'], $board['uri']) . $config['dir']['res'] . sprintf($config['file_page'], $newID), true, $config['redirect_http']); + error("Mod page '$handler' not found!"); } + } elseif (is_callable($handler)) { + call_user_func_array($handler, $matches); } else { - - $body = ''; - - echo Element('page.html', array( - 'config'=>$config, - 'title'=>'Move #' . $postID, - 'body'=>$body, - 'mod'=>true - ) - ); + error("Mod page '$handler' not a string, and not callable!"); } - } elseif(preg_match('/^\/' . $regex['board'] . 'ban(&delete)?\/(\d+)$/', $query, $matches)) { - - // Ban by post - - $boardName = &$matches[1]; - // Open board - if(!openBoard($boardName)) - error($config['error']['noboard']); - if(!hasPermission($config['mod']['ban'], $boardName)) error($config['error']['noaccess']); - - $delete = isset($matches[2]) && $matches[2] == '&delete'; - if($delete && !hasPermission($config['mod']['delete'], $boardName)) error($config['error']['noaccess']); - - $post = $matches[3]; - - $query = prepare(sprintf("SELECT `ip`,`id` FROM `posts_%s` WHERE `id` = :id LIMIT 1", $board['uri'])); - $query->bindValue(':id', $post, PDO::PARAM_INT); - $query->execute() or error(db_error($query)); - - if($query->rowCount() < 1) { - error($config['error']['invalidpost']); - } - - $post = $query->fetch(); - - $body = form_newBan($post['ip'], null, '?/' . sprintf($config['board_path'], $board['uri']) . $config['file_index'], $post['id'], $boardName, !$delete); - - echo Element('page.html', array( - 'config'=>$config, - 'title'=>'New ban', - 'body'=>$body, - 'mod'=>true - ) - ); - } elseif(preg_match('/^\/IP\/(\d+\.\d+\.\d+\.\d+|' . $config['ipv6_regex'] . ')\/deletenote\/(?P'; - } - - if(!empty($temp)) - $body .= ''; - } - - if(hasPermission($config['mod']['view_notes'])) { - $query = prepare("SELECT * FROM `ip_notes` WHERE `ip` = :ip ORDER BY `id` DESC"); - $query->bindValue(':ip', $ip); - $query->execute() or error(db_error($query)); - - if($query->rowCount() > 0 || hasPermission($config['mod']['create_notes'])) { - $body .= ''; - } - } - - if(hasPermission($config['mod']['view_ban'])) { - $query = prepare("SELECT `bans`.*, `username` FROM `bans` LEFT JOIN `mods` ON `mod` = `mods`.`id` WHERE `ip` = :ip"); - $query->bindValue(':ip', $ip); - $query->execute() or error(db_error($query)); - - if($query->rowCount() > 0) { - $body .= ''; - - } - } - - if(hasPermission($config['mod']['ip_banform'])) - $body .= form_newBan($ip, null, '?/IP/' . $ip); - - echo Element('page.html', array( - 'config'=>$config, - 'title'=>'IP: ' . $ip, - 'subtitle' => $host, - 'body'=>$body, - 'mod'=>true - ) - ); - } - } else { - error($config['error']['404']); + exit; } } +error($config['error']['404']); + diff --git a/post.php b/post.php index aa4d915b..16566b51 100644 --- a/post.php +++ b/post.php @@ -281,7 +281,7 @@ if (isset($_POST['delete'])) { $post['name'] = $_POST['name'] != '' ? $_POST['name'] : $config['anonymous']; $post['subject'] = $_POST['subject']; - $post['email'] = utf8tohtml($_POST['email']); + $post['email'] = str_replace(' ', '%20', htmlspecialchars($_POST['email'])); $post['body'] = $_POST['body']; $post['password'] = $_POST['password']; $post['has_file'] = !isset($post['embed']) && (($post['op'] && !isset($post['no_longer_require_an_image_for_op']) && $config['force_image_op']) || (isset($_FILES['file']) && $_FILES['file']['tmp_name'] != '')); @@ -313,13 +313,23 @@ if (isset($_POST['delete'])) { ))); } - if ($mod && $mod['type'] >= MOD && preg_match('/^((.+) )?## (.+)$/', $post['name'], $match)) { - if (($mod['type'] == MOD && $match[3] == 'Mod') || $mod['type'] >= ADMIN) { - $post['capcode'] = utf8tohtml($match[3]); - $post['name'] = $match[2] != '' ? $match[2] : $config['anonymous']; + + $post['capcode'] = false; + + if ($mod && preg_match('/^((.+) )?## (.+)$/', $post['name'], $matches)) { + $name = $matches[2] != '' ? $matches[2] : $config['anonymous']; + $cap = $matches[3]; + + if (isset($config['mod']['capcode'][$mod['type']])) { + if ( $config['mod']['capcode'][$mod['type']] === true || + (is_array($config['mod']['capcode'][$mod['type']]) && + in_array($cap, $config['mod']['capcode'][$mod['type']]) + )) { + + $post['capcode'] = utf8tohtml($cap); + $post['name'] = $name; + } } - } else { - $post['capcode'] = false; } $trip = generate_tripcode($post['name']); @@ -527,7 +537,11 @@ if (isset($_POST['delete'])) { } $post = (array)$post; - $id = post($post); + $post['id'] = $id = post($post); + + if (isset($post['antispam_hash'])) { + incrementSpamHash($post['antispam_hash']); + } if (isset($post['antispam_hash'])) { incrementSpamHash($post['antispam_hash']); diff --git a/stylesheets/style.css b/stylesheets/style.css index a262eb35..80042bd6 100644 --- a/stylesheets/style.css +++ b/stylesheets/style.css @@ -70,15 +70,18 @@ form table input { } input[type="text"], input[type="password"], textarea { border: 1px solid #a9a9a9; - text-indent: 0px; + text-indent: 0; text-shadow: none; text-transform: none; word-spacing: normal; } form table tr td { text-align: left; - margin: 0px; - padding: 0px; + margin: 0; + padding: 0; +} +form table.mod tr td { + padding: 2px; } form table tr th { text-align: left; @@ -104,7 +107,7 @@ form table tr td div label { } p.fileinfo { display: block; - margin: 0px; + margin: 0; padding-right: 7em; } div.banner { @@ -263,11 +266,11 @@ span.heading { color: #AF0A0F; font-size: 11pt; font-weight: bold; - display: block; } span.spoiler { background: black; color: black; + padding: 0px 1px; } div.post.reply p.body span.spoiler a { color: black; @@ -328,7 +331,7 @@ div.pages form input { hr { border: none; border-top: 1px solid #B7C5D9; - height: 0px; + height: 0; clear: left; } div.boardlist { @@ -351,7 +354,7 @@ table.modlog { } table.modlog tr td { text-align: left; - margin: 0px; + margin: 0; padding: 4px 15px 0 0; } table.modlog tr th { @@ -385,19 +388,15 @@ div.blotter { font-weight: bold; text-align: center; } - -/* Uboachan stuff */ -div.styles-sidebar { - text-align: center; - padding-bottom: 0px; -} -div.styles-sidebar a { - margin: 0 5px; +table.mod.config-editor { + font-size: 9pt; + width: 100%; } -div.styles-sidebar a.selected { - text-decoration: none; +table.mod.config-editor td { + text-align: left; + padding: 5px; + border-bottom: 1px solid #98e; } -.category { - background: #98E; - color: black; +table.mod.config-editor input[type="text"] { + width: 98%; } diff --git a/templates/generic_page.html b/templates/generic_page.html new file mode 100644 index 00000000..e834aad0 --- /dev/null +++ b/templates/generic_page.html @@ -0,0 +1,71 @@ + + + + {% block head %} + + {% if config.url_favicon %}{% endif %} +
You have an unread PM{% if pm.waiting > 0 %}, plus {{ pm.waiting }} more waiting{% endif %}.
{% endif %} + {% if config.url_banner %}
{{ board.url }} - {{ board.name }}
+
+ {% if board.title %}
+ {{ board.title|e }}
+ {% endif %}
+ {% if mod %}{% endif %}
+
+ {{ config.blotter }}
{% endif %}
+ + +
{{ btn.prev }} {% for page in pages %}
+ [{{ page.num }}]{% if loop.last %} {% endif %}
+ {% endfor %} {{ btn.next }}
+ {{ boardlist.bottom }}
+
+
+
+
diff --git a/templates/index.html b/templates/index.html
index e0fa6fe0..a28724a1 100644
--- a/templates/index.html
+++ b/templates/index.html
@@ -1,11 +1,11 @@
+
{% if config.url_favicon %}{% endif %}
You have an unread PM{% if pm.waiting > 0 %}, plus {{ pm.waiting }} more waiting{% endif %}.
{% endif %} {% if config.url_banner %}
{{ board.url }} - {{ board.name }}
+{{ board.url }} - {{ board.title|e }}
- {% if board.title %}
- {{ board.title }}
+ {% if board.subtitle %}
+ {{ board.subtitle|e }}
{% endif %}
{% if mod %}{% endif %}
diff --git a/templates/mod/ban_form.html b/templates/mod/ban_form.html
new file mode 100644
index 00000000..5d5f2b81
--- /dev/null
+++ b/templates/mod/ban_form.html
@@ -0,0 +1,91 @@
+{% if post and board %}
+ {% set action = '?/' ~ board ~ '/ban/' ~ post %}
+{% else %}
+ {% set action = '?/ban' %}
+{% endif %}
+
+
+
diff --git a/templates/mod/ban_list.html b/templates/mod/ban_list.html
new file mode 100644
index 00000000..2edb9cdf
--- /dev/null
+++ b/templates/mod/ban_list.html
@@ -0,0 +1,95 @@
+{% if bans|count == 0 %}
+ ({% trans 'There are no active bans.' %})
+{% else %} + +{% endif %} + +{% if count > bans|count %} ++ {% for i in range(0, (count - 1) / config.mod.modlog_page) %} + [{{ i + 1 }}] + {% endfor %} +
+{% endif %} + diff --git a/templates/mod/board.html b/templates/mod/board.html new file mode 100644 index 00000000..0775e421 --- /dev/null +++ b/templates/mod/board.html @@ -0,0 +1,44 @@ +{% if new %} + {% set action = '?/new-board' %} +{% else %} + {% set action = '?/edit/' ~ board.uri %} +{% endif %} + + + diff --git a/templates/mod/config-editor.html b/templates/mod/config-editor.html new file mode 100644 index 00000000..ec7213bb --- /dev/null +++ b/templates/mod/config-editor.html @@ -0,0 +1,56 @@ + + diff --git a/templates/mod/confirm.html b/templates/mod/confirm.html new file mode 100644 index 00000000..6dc4d66a --- /dev/null +++ b/templates/mod/confirm.html @@ -0,0 +1,7 @@ ++ {% trans 'Are you sure you want to do that?' %} {% trans 'Click to proceed to' %} ?/{{ request }}. +
++ {% trans 'You are seeing this message because we were unable to serve a confirmation dialog, probably due to Javascript being disabled.' %} +
+ diff --git a/templates/mod/dashboard.html b/templates/mod/dashboard.html new file mode 100644 index 00000000..30742dc1 --- /dev/null +++ b/templates/mod/dashboard.html @@ -0,0 +1,139 @@ + + + + + + + + +{% if config.debug %} + +{% endif %} + +{% if newer_release %} + +{% endif %} + + + diff --git a/templates/mod/debug/antispam.html b/templates/mod/debug/antispam.html new file mode 100644 index 00000000..a846bc17 --- /dev/null +++ b/templates/mod/debug/antispam.html @@ -0,0 +1,65 @@ ++ Most used (in active): +
+| Board | +Thread | +Hash (SHA1) | +Created | +Expires | +Passed | +
|---|---|---|---|---|---|
| {{ config.board_abbreviation|sprintf(hash.board) }} | ++ {% if hash.thread %} + {{ hash.thread }} + {% else %} + - + {% endif %} | +
+ {{ hash.hash }}
+ |
+ + {{ hash.created|ago }} ago + | ++ {% if hash.expires %} + + {{ hash.expires|until }} + + {% else %} + - + {% endif %} + | +{{ hash.passed }} | +
+ Total: {{ total }} ({{ expiring }} set to expire) +
+ + diff --git a/templates/mod/inbox.html b/templates/mod/inbox.html new file mode 100644 index 00000000..97afe446 --- /dev/null +++ b/templates/mod/inbox.html @@ -0,0 +1,36 @@ +{% if messages|count == 0 %} +({% trans 'No private messages for you.' %})
+{% else %} +| {% trans 'ID' %} | +{% trans 'From' %} | +{% trans 'Date' %} | +{% trans 'Message snippet' %} | ++ + {{ message.id }} + + | ++ {% if message.username %} + {{ message.username|e }} + {% else %} + {% trans 'deleted?' %} + {% endif %} + | ++ {{ message.time|date(config.post_date) }} + | ++ + {{ message.snippet }} + + | + + {% endfor %} +
|---|
| {% trans 'Staff' %} | +{% trans 'IP address' %} | +{% trans 'Time' %} | +{% trans 'Board' %} | +{% trans 'Action' %} | +
|---|---|---|---|---|
| + {% if log.username %} + {{ log.username|e }} + {% elseif log.mod == -1 %} + system + {% else %} + {% trans 'deleted?' %} + {% endif %} + | ++ {{ log.ip }} + | ++ {{ log.time|ago }} + | ++ {% if log.board %} + {{ config.board_abbreviation|sprintf(log.board) }} + {% else %} + - + {% endif %} + | ++ {{ log.text }} + | +
+ {% for i in range(0, (count - 1) / config.mod.modlog_page) %} + [{{ i + 1 }}] + {% endfor %} +
+{% endif %} + diff --git a/templates/login.html b/templates/mod/login.html similarity index 69% rename from templates/login.html rename to templates/mod/login.html index 709bad86..43a28d56 100644 --- a/templates/login.html +++ b/templates/mod/login.html @@ -1,18 +1,17 @@ {% if error %}