@ -267,7 +267,7 @@
)
)
);
);
} elseif(preg_match('/^\/log$/', $query)) {
} elseif(preg_match('/^\/log$/', $query)) {
if($mod['type'] < $config['mod']['modlog'] ) error($config['error']['noaccess']);
if(!hasPermission($config['mod']['modlog']) ) error($config['error']['noaccess']);
$boards = Array();
$boards = Array();
$_boards = listBoards();
$_boards = listBoards();
@ -309,7 +309,7 @@
)
)
);
);
} elseif(preg_match('/^\/themes\/none$/', $query, $match)) {
} elseif(preg_match('/^\/themes\/none$/', $query, $match)) {
if($mod['type'] < $config['mod']['themes'] ) error($config['error']['noaccess']);
if(!hasPermission($config['mod']['themes']) ) error($config['error']['noaccess']);
// Clearsettings
// Clearsettings
query("TRUNCATE TABLE `theme_settings`") or error(db_error());
query("TRUNCATE TABLE `theme_settings`") or error(db_error());
@ -322,7 +322,7 @@
)
)
);
);
} elseif(preg_match('/^\/themes(\/(\w+))?$/', $query, $match)) {
} elseif(preg_match('/^\/themes(\/(\w+))?$/', $query, $match)) {
if($mod['type'] < $config['mod']['themes'] ) error($config['error']['noaccess']);
if(!hasPermission($config['mod']['themes']) ) error($config['error']['noaccess']);
if(!is_dir($config['dir']['themes']))
if(!is_dir($config['dir']['themes']))
error('Themes directory doesn\'t exist!');
error('Themes directory doesn\'t exist!');
@ -476,7 +476,7 @@
);
);
}
}
} elseif(preg_match('/^\/noticeboard\/delete\/(\d+)$/', $query, $match)) {
} elseif(preg_match('/^\/noticeboard\/delete\/(\d+)$/', $query, $match)) {
if($mod['type'] < $config['mod']['noticeboard_delete']) error($config['error']['noaccess']);
if(!hasPermission( $config['mod']['noticeboard_delete']) ) error($config['error']['noaccess']);
$query = prepare("DELETE FROM `noticeboard` WHERE `id` = :id");
$query = prepare("DELETE FROM `noticeboard` WHERE `id` = :id");
$query->bindValue(':id', $match[1], PDO::PARAM_INT);
$query->bindValue(':id', $match[1], PDO::PARAM_INT);
@ -484,7 +484,7 @@
header('Location: ?/noticeboard', true, $config['redirect_http']);
header('Location: ?/noticeboard', true, $config['redirect_http']);
} elseif(preg_match('/^\/noticeboard$/', $query)) {
} elseif(preg_match('/^\/noticeboard$/', $query)) {
if($mod['type'] < $config['mod']['noticeboard'] ) error($config['error']['noaccess']);
if(!hasPermission($config['mod']['noticeboard']) ) error($config['error']['noaccess']);
$body = '';
$body = '';
@ -553,7 +553,7 @@
)
)
);
);
} elseif(preg_match('/^\/news\/delete\/(\d+)$/', $query, $match)) {
} elseif(preg_match('/^\/news\/delete\/(\d+)$/', $query, $match)) {
if($mod['type'] < $config['mod']['noticeboard_delete']) error($config['error']['noaccess']);
if(!hasPermission( $config['mod']['noticeboard_delete']) ) error($config['error']['noaccess']);
$query = prepare("DELETE FROM `news` WHERE `id` = :id");
$query = prepare("DELETE FROM `news` WHERE `id` = :id");
$query->bindValue(':id', $match[1], PDO::PARAM_INT);
$query->bindValue(':id', $match[1], PDO::PARAM_INT);
@ -744,7 +744,7 @@
);
);
}
}
} elseif(preg_match('/^\/new_PM\/(\d+)(\/(\d+))?$/', $query, $match)) {
} elseif(preg_match('/^\/new_PM\/(\d+)(\/(\d+))?$/', $query, $match)) {
if($mod['type'] < $config['mod']['create_pm'] ) error($config['error']['noaccess']);
if(!hasPermission($config['mod']['create_pm']) ) error($config['error']['noaccess']);
$to = &$match[1];
$to = &$match[1];
@ -826,7 +826,7 @@
);
);
}
}
} elseif(preg_match('/^\/search$/', $query)) {
} elseif(preg_match('/^\/search$/', $query)) {
if($mod['type'] < $config['mod']['search'] ) error($config['error']['noaccess']);
if(!hasPermission($config['mod']['search']) ) error($config['error']['noaccess']);
$body = '< div class = "ban" > < h2 > Search< / h2 > < form style = "display:inline" action = "?/search" method = "post" > ' .
$body = '< div class = "ban" > < h2 > Search< / h2 > < form style = "display:inline" action = "?/search" method = "post" > ' .
'< p > < label style = "display:inline" for = "search" > Phrase:< / label > ' .
'< p > < label style = "display:inline" for = "search" > Phrase:< / label > ' .
@ -920,9 +920,9 @@
)
)
);
);
} elseif(preg_match('/^\/users$/', $query)) {
} elseif(preg_match('/^\/users$/', $query)) {
if($mod['type'] < $config['mod']['manageusers'] ) error($config['error']['noaccess']);
if(!hasPermission($config['mod']['manageusers']) ) error($config['error']['noaccess']);
$body = '< form action = "" method = "post" > < table > < tr > < th > ID< / th > < th > Username< / th > < th > Type< / th > < th > Last action< / th > < th > …< / th > < / tr > ';
$body = '< form action = "" method = "post" > < table > < tr > < th > ID< / th > < th > Username< / th > < th > Type< / th > < th > Boards< / th > < th > Last action< / th > < th > …< / th > < / tr > ';
$query = query("SELECT *, (SELECT `time` FROM `modlogs` WHERE `mod` = `id` ORDER BY `time` DESC LIMIT 1) AS `last`, (SELECT `text` FROM `modlogs` WHERE `mod` = `id` ORDER BY `time` DESC LIMIT 1) AS `action` FROM `mods` ORDER BY `type` DESC,`id`") or error(db_error());
$query = query("SELECT *, (SELECT `time` FROM `modlogs` WHERE `mod` = `id` ORDER BY `time` DESC LIMIT 1) AS `last`, (SELECT `text` FROM `modlogs` WHERE `mod` = `id` ORDER BY `time` DESC LIMIT 1) AS `action` FROM `mods` ORDER BY `type` DESC,`id`") or error(db_error());
while($_mod = $query->fetch()) {
while($_mod = $query->fetch()) {
@ -940,6 +940,10 @@
$type .
$type .
'< / td > ' .
'< / td > ' .
'< td > ' .
str_replace(',', ', ', $_mod['boards']) .
'< / td > ' .
'< td > ' .
'< td > ' .
($_mod['last'] ?
($_mod['last'] ?
'< span title = "' . htmlentities($_mod['action']) . '" > ' . ago($_mod['last']) . '< / span > '
'< span title = "' . htmlentities($_mod['action']) . '" > ' . ago($_mod['last']) . '< / span > '
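Review bot: The new Boards cell, `str_replace(',', ', ', $_mod['boards'])` on the second added line, is concatenated into the table markup without escaping, while the `title` attribute two lines below already goes through `htmlentities($_mod['action'])`. The stored `boards` value is constrained only by the `\w+` capture at the point it is written, so escaping it on output is a cheap consistency measure: `htmlentities(str_replace(',', ', ', $_mod['boards'])) .`. The enclosing `while($_mod = $query->fetch())` loop starts outside the hunk.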
@ -982,7 +986,7 @@
)
)
);
);
} elseif(preg_match('/^\/users\/new$/', $query)) {
} elseif(preg_match('/^\/users\/new$/', $query)) {
if($mod['type'] < $config['mod']['createusers'] ) error($config['error']['noaccess']);
if(!hasPermission($config['mod']['createusers']) ) error($config['error']['noaccess']);
if(isset($_POST['username']) & & isset($_POST['password'])) {
if(isset($_POST['username']) & & isset($_POST['password'])) {
if(!isset($_POST['type'])) {
if(!isset($_POST['type'])) {
@ -1002,15 +1006,36 @@
error(sprintf($config['error']['modexists'], $_mod['id']));
error(sprintf($config['error']['modexists'], $_mod['id']));
}
}
$query = prepare("INSERT INTO `mods` VALUES (NULL, :username, :password, :type)");
$boards = Array();
foreach($_POST as $name => $null) {
if(preg_match('/^board_(\w+)/', $name, $m))
$boards[] = $m[1];
}
$boards = implode(',', $boards);
$query = prepare("INSERT INTO `mods` VALUES (NULL, :username, :password, :type, :boards)");
$query->bindValue(':username', $_POST['username']);
$query->bindValue(':username', $_POST['username']);
$query->bindValue(':password', sha1($_POST['password']));
$query->bindValue(':password', sha1($_POST['password']));
$query->bindValue(':type', $_POST['type'], PDO::PARAM_INT);
$query->bindValue(':type', $_POST['type'], PDO::PARAM_INT);
$query->bindValue(':boards', $boards);
$query->execute() or error(db_error($query));
$query->execute() or error(db_error($query));
modLog('Create a new user: "' . $_POST['username'] . '"');
modLog('Create a new user: "' . $_POST['username'] . '"');
}
}
$__boards = '< ul style = "list-style:none;padding:2px 5px" > ';
$boards = listBoards();
foreach($boards as & $_board) {
$__boards .= '< li > ' .
'< input type = "checkbox" name = "board_' . $_board['uri'] . '" id = "board_' . $_board['uri'] . '" / > ' .
'< label style = "display:inline" for = "board_' . $_board['uri'] . '" > ' .
sprintf($config['board_abbreviation'], $_board['uri']) .
' - ' . $_board['title'] .
'< / label > ' .
'< / li > ';
}
$__boards .= '< / ul > ';
$body = '< fieldset > < legend > New user< / legend > ' .
$body = '< fieldset > < legend > New user< / legend > ' .
// Begin form
// Begin form
@ -1025,6 +1050,7 @@
'< div > < label for = "mod" > Mod< / label > < input type = "radio" id = "mod" name = "type" value = "' . MOD . '" / > < / div > ' .
'< div > < label for = "mod" > Mod< / label > < input type = "radio" id = "mod" name = "type" value = "' . MOD . '" / > < / div > ' .
'< div > < label for = "admin" > Admin< / label > < input type = "radio" id = "admin" name = "type" value = "' . ADMIN . '" / > < / div > ' .
'< div > < label for = "admin" > Admin< / label > < input type = "radio" id = "admin" name = "type" value = "' . ADMIN . '" / > < / div > ' .
'< / td > < / tr > ' .
'< / td > < / tr > ' .
'< tr > < th > Boards< / th > < td > ' . $__boards . '< / td > < / tr > ' .
'< / table > ' .
'< / table > ' .
'< input style = "margin-top:10px" type = "submit" value = "Create user" / > ' .
'< input style = "margin-top:10px" type = "submit" value = "Create user" / > ' .
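Review bot: The value bound to the new `:boards` parameter is collected from POST key names via `preg_match('/^board_(\w+)/', $name, $m)` and is never checked against `listBoards()`, so any word-character name submitted as `board_<name>` is stored as a board assignment; the edit-user hunk (the one ending at the `modLog('Edited login details …')` line) builds the string the same way. Iterating the known boards and testing for the matching checkbox key keeps the stored list to real board URIs and drops the regex. While here, `$_board['title']` is echoed into the checkbox label unescaped, unlike the `htmlentities($_mod['action'])` used for the users table, and the by-reference `foreach($boards as & $_board)` is left without a trailing `unset($_board)`. The enclosing `elseif` branch starts outside the hunk.
```php
$boards = Array();
foreach(listBoards() as $_board) {
    if(isset($_POST['board_' . $_board['uri']]))
        $boards[] = $_board['uri'];
}
$boards = implode(',', $boards);
// … unchanged: prepare()/bindValue()/execute(), modLog() and the checkbox markup …
```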
@ -1044,7 +1070,7 @@
if(isset($matches[2])) {
if(isset($matches[2])) {
if($matches[3] == 'delete') {
if($matches[3] == 'delete') {
if($mod['type'] < $config['mod']['deleteusers'] ) error($config['error']['noaccess']);
if(!hasPermission($config['mod']['deleteusers']) ) error($config['error']['noaccess']);
$query = prepare("DELETE FROM `mods` WHERE `id` = :id");
$query = prepare("DELETE FROM `mods` WHERE `id` = :id");
$query->bindValue(':id', $modID, PDO::PARAM_INT);
$query->bindValue(':id', $modID, PDO::PARAM_INT);
@ -1053,7 +1079,7 @@
modLog('Deleted user #' . $modID);
modLog('Deleted user #' . $modID);
} else {
} else {
// Promote/demote
// Promote/demote
if($mod['type'] < $config['mod']['promoteusers'] ) error($config['error']['noaccess']);
if(!hasPermission($config['mod']['promoteusers']) ) error($config['error']['noaccess']);
if($matches[3] == 'promote') {
if($matches[3] == 'promote') {
$query = prepare("UPDATE `mods` SET `type` = `type` + 1 WHERE `type` != :admin AND `id` = :id");
$query = prepare("UPDATE `mods` SET `type` = `type` + 1 WHERE `type` != :admin AND `id` = :id");
@ -1069,7 +1095,7 @@
header('Location: ?/users', true, $config['redirect_http']);
header('Location: ?/users', true, $config['redirect_http']);
} else {
} else {
// Edit user
// Edit user
if($mod['type'] < $config['mod']['editusers'] & & $mod['type'] < $config['mod']['change_password'] ) error($config['error']['noaccess']);
if(!hasPermission($config['mod']['editusers']) || !hasPermission($config['mod']['change_password']) ) error($config['error']['noaccess']);
$query = prepare("SELECT * FROM `mods` WHERE `id` = :id");
$query = prepare("SELECT * FROM `mods` WHERE `id` = :id");
$query->bindValue(':id', $modID, PDO::PARAM_INT);
$query->bindValue(':id', $modID, PDO::PARAM_INT);
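Review bot: The rewritten guard `if(!hasPermission($config['mod']['editusers']) || !hasPermission($config['mod']['change_password']) )` denies access unless the mod holds both permissions, whereas the removed line denied only when both were missing, so a change_password-only mod — the case the `$change_password_only` path in the following hunk exists for — is now turned away before reaching it. If the previous behaviour is intended, the condition should be `if(!hasPermission($config['mod']['editusers']) && !hasPermission($config['mod']['change_password']) ) error($config['error']['noaccess']);`. hasPermission's semantics are not visible here, so this assumes it mirrors the old `$mod['type'] <` comparison. The enclosing `else` branch continues outside the hunk.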
@ -1084,8 +1110,16 @@
if((isset($_POST['username']) & & isset($_POST['password'])) || (isset($change_password_only) & & isset($_POST['password']))) {
if((isset($_POST['username']) & & isset($_POST['password'])) || (isset($change_password_only) & & isset($_POST['password']))) {
if(!isset($change_password_only)) {
if(!isset($change_password_only)) {
$query = prepare("UPDATE `mods` SET `username` = :username WHERE `id` = :id");
$boards = Array();
$query->bindValue(':username', $_POST['username']);
foreach($_POST as $name => $null) {
if(preg_match('/^board_(\w+)/', $name, $m))
$boards[] = $m[1];
}
$boards = implode(',', $boards);
$query = prepare("UPDATE `mods` SET `username` = :username, `boards` = :boards WHERE `id` = :id");
$query->bindValue(':username', $_POST['username'], PDO::PARAM_STR);
$query->bindValue(':boards', $boards, PDO::PARAM_STR);
$query->bindValue(':id', $modID, PDO::PARAM_INT);
$query->bindValue(':id', $modID, PDO::PARAM_INT);
$query->execute() or error(db_error($query));
$query->execute() or error(db_error($query));
modLog('Edited login details for user "' . $_mod['username'] . '"');
modLog('Edited login details for user "' . $_mod['username'] . '"');
@ -1114,6 +1148,24 @@
}
}
}
}
$__boards = '< ul style = "list-style:none;padding:2px 5px" > ';
$boards = listBoards();
$_mod['boards'] = explode(',', $_mod['boards']);
foreach($boards as & $_board) {
$__boards .= '< li > ' .
'< input type = "checkbox" name = "board_' . $_board['uri'] . '" id = "board_' . $_board['uri'] . '" ' .
(in_array($_board['uri'], $_mod['boards']) ?
' checked="checked"'
: '') .
'/> ' .
'< label style = "display:inline" for = "board_' . $_board['uri'] . '" > ' .
sprintf($config['board_abbreviation'], $_board['uri']) .
' - ' . $_board['title'] .
'< / label > ' .
'< / li > ';
}
$__boards .= '< / ul > ';
$body = '< fieldset > < legend > Edit user< / legend > ' .
$body = '< fieldset > < legend > Edit user< / legend > ' .
// Begin form
// Begin form
@ -1129,6 +1181,11 @@
'< / td > < / tr > ' .
'< / td > < / tr > ' .
'< tr > < th > Password < span class = "unimportant" > (new; optional)< / span > < / th > < td > < input size = "20" maxlength = "30" type = "password" name = "password" value = "" autocomplete = "off" / > < / td > < / tr > ' .
'< tr > < th > Password < span class = "unimportant" > (new; optional)< / span > < / th > < td > < input size = "20" maxlength = "30" type = "password" name = "password" value = "" autocomplete = "off" / > < / td > < / tr > ' .
(isset($change_password_only) ? '' :
'< tr > < th > Boards< / th > < td > ' . $__boards . '< / td > < / tr > '
) .
'< / table > ' .
'< / table > ' .
'< input type = "submit" value = "Save changes" / > ' .
'< input type = "submit" value = "Save changes" / > ' .
@ -1751,10 +1808,11 @@
// Redirect
// Redirect
header('Location: ?/' . sprintf($config['board_path'], $boardName) . $config['file_index'], true, $config['redirect_http']);
header('Location: ?/' . sprintf($config['board_path'], $boardName) . $config['file_index'], true, $config['redirect_http']);
} elseif(preg_match('/^\/' . $regex['board'] . '(un)?lock\/(\d+)$/', $query, $matches)) {
} elseif(preg_match('/^\/' . $regex['board'] . '(un)?lock\/(\d+)$/', $query, $matches)) {
if($mod['type'] < $config['mod']['lock']) error($config['error']['noaccess']);
// Lock/Unlock
// Lock/Unlock
$boardName = &$matches[1];
$boardName = &$matches[1];
if(!hasPermission($config['mod']['lock'], $boardName)) error($config['error']['noaccess']);
$post = &$matches[3];
$post = &$matches[3];
// Open board
// Open board
if(!openBoard($boardName))
if(!openBoard($boardName))
@ -1817,7 +1875,7 @@
header('Location: ?/' . sprintf($config['board_path'], $boardName) . $config['file_index'], true, $config['redirect_http']);
header('Location: ?/' . sprintf($config['board_path'], $boardName) . $config['file_index'], true, $config['redirect_http']);
} elseif(preg_match('/^\/ban$/', $query)) {
} elseif(preg_match('/^\/ban$/', $query)) {
if($mod['type'] < $config['mod']['ban'] ) error($config['error']['noaccess']);
if(!hasPermission($config['mod']['ban']) ) error($config['error']['noaccess']);
// Ban page
// Ban page
if(isset($_POST['new_ban'])) {
if(isset($_POST['new_ban'])) {
@ -1888,7 +1946,7 @@
$query->execute() or error(db_error($query));
$query->execute() or error(db_error($query));
// Delete too
// Delete too
if($mod['type'] >= $config['mod']['delete'] & & isset($_POST['delete ']) & & isset( $_POST['board'])) {
if(isset($_POST['delete']) & & isset($_POST['boar d']) & & hasPermission($config['mod']['delete'], $_POST['board'])) {
openBoard($_POST['board']);
openBoard($_POST['board']);
$post = round($_POST['delete']);
$post = round($_POST['delete']);
@ -1938,12 +1996,14 @@
header('Location: ?/', true, $config['redirect_http']);
header('Location: ?/', true, $config['redirect_http']);
}
}
} elseif(preg_match('/^\/' . $regex['board'] . 'ban(& delete)?\/(\d+)$/', $query, $matches)) {
} elseif(preg_match('/^\/' . $regex['board'] . 'ban(& delete)?\/(\d+)$/', $query, $matches)) {
if($mod['type'] < $config['mod']['ban']) error($config['error']['noaccess']);
// Ban by post
// Ban by post
$boardName = &$matches[1];
$boardName = &$matches[1];
if(!hasPermission($config['mod']['ban'], $boardName)) error($config['error']['noaccess']);
$delete = isset($matches[2]) & & $matches[2] == '&delete';
$delete = isset($matches[2]) & & $matches[2] == '&delete';
if($delete & & $mod['type'] < $config['mod']['delete']) error($config['error']['noaccess']);
if($delete & & !hasPermission($config['mod']['delete'], $boardName) ) error($config['error']['noaccess']);
$post = $matches[3];
$post = $matches[3];
// Open board
// Open board
@ -1970,7 +2030,7 @@
)
)
);
);
} elseif(preg_match('/^\/IP\/(\d+\.\d+\.\d+\.\d+|' . $config['ipv6_regex'] . ')\/deletenote\/(?P< id > \d+)$/', $query, $matches)) {
} elseif(preg_match('/^\/IP\/(\d+\.\d+\.\d+\.\d+|' . $config['ipv6_regex'] . ')\/deletenote\/(?P< id > \d+)$/', $query, $matches)) {
if($mod['type'] < $config['mod']['remove_notes'] ) error($config['error']['noaccess']);
if(!hasPermission($config['mod']['remove_notes']) ) error($config['error']['noaccess']);
$ip = $matches[1];
$ip = $matches[1];
$id = $matches['id'];
$id = $matches['id'];