misuzu/public-legacy/comments.php
flashwave 383e2ed0e0 Rewrote the user information class.
This one took multiple days and it's pretty invasive into the core of Misuzu, so issues might (will) arise; there are also some features that have gone temporarily missing in the meantime and some inefficiencies introduced that will be fixed again at a later time.
The old class isn't gone entirely because I still have to figure out what I'm gonna do about validation, but for the most part this knocks out one of the "layers of backwards compatibility", as I've been referring to it, and is moving us closer to a future where Flashii actually gets real updates.
If you run into anything that's broken and you're inhibited from reporting it through the forum, do it through chat or mail me at flashii-issues@flash.moe.
2023-08-02 22:12:47 +00:00


<?php
namespace Misuzu;
use RuntimeException;
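// The referrer decides where the user is sent back afterwards. This page is only
// ever reached from another page on this site, so a referrer that is missing or
// points off-site is treated as a forged request rather than a normal visit.
$redirect = empty($_SERVER['HTTP_REFERER']) ? url('index') : $_SERVER['HTTP_REFERER'];
if(!is_local_url($redirect)) {
    echo render_info('Possible request forgery detected.', 403);
    return;
}

// Every action handled here mutates state, so the CSRF token is verified before
// the request is interpreted at all.
if(!CSRF::validateRequest()) {
    echo render_info("Couldn't verify this request, please refresh the page and try again.", 403);
    return;
}

if(!$msz->isLoggedIn()) {
    echo render_info('You must be logged in to manage comments.', 403);
    return;
}

if($msz->hasActiveBan()) {
    echo render_info('You have been banned, check your profile for more information.', 403);
    return;
}

$currentUserInfo = $msz->getActiveUser();
$comments = $msz->getComments();
$commentPerms = perms_for_comments($currentUserInfo->getId());

// Query parameters: c = id of the comment being acted on, m = action name,
// v = vote direction (only its sign is used by the vote handler).
$commentId = (string)filter_input(INPUT_GET, 'c', FILTER_SANITIZE_NUMBER_INT);
$commentMode = (string)filter_input(INPUT_GET, 'm');
$commentVote = (int)filter_input(INPUT_GET, 'v', FILTER_SANITIZE_NUMBER_INT);

// Always defined so the action handlers never read an undefined variable;
// 'create' is the only action that may legitimately run without a target comment.
$commentInfo = null;
$categoryInfo = null;

if(!empty($commentId)) {
    try {
        $commentInfo = $comments->getPostById($commentId);
    } catch(RuntimeException $ex) {
        echo render_info('Post not found.', 404);
        return;
    }

    $categoryInfo = $comments->getCategoryByPost($commentInfo);
}

// Everything except 'create' operates on an existing comment.
if($commentMode !== 'create' && empty($commentInfo)) {
    echo render_error(400);
    return;
}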
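// Dispatch on the requested action. Each case either renders an error message
// and falls out of the switch, or performs the action and redirects back to the
// referring page (anchored on the affected comment where one exists).
switch($commentMode) {
    case 'pin':
    case 'unpin':
        // Category owners may pin in their own category without the global permission.
        if(!$commentPerms['can_pin'] && !$categoryInfo->isOwner($currentUserInfo)) {
            echo render_info("You're not allowed to pin comments.", 403);
            break;
        }
        if($commentInfo->isDeleted()) {
            echo render_info("This comment doesn't exist!", 400);
            break;
        }
        if($commentInfo->isReply()) {
            echo render_info("You can't pin replies!", 400);
            break;
        }

        if($commentMode === 'pin') {
            if($commentInfo->isPinned()) {
                echo render_info('This comment is already pinned.', 400);
                break;
            }
            $comments->pinPost($commentInfo);
        } else {
            if(!$commentInfo->isPinned()) {
                echo render_info("This comment isn't pinned yet.", 400);
                break;
            }
            $comments->unpinPost($commentInfo);
        }

        redirect($redirect . '#comment-' . $commentInfo->getId());
        break;

    case 'vote':
        if(!$commentPerms['can_vote'] && !$categoryInfo->isOwner($currentUserInfo)) {
            echo render_info("You're not allowed to vote on comments.", 403);
            break;
        }
        if($commentInfo->isDeleted()) {
            echo render_info("This comment doesn't exist!", 400);
            break;
        }

        // Positive = upvote, negative = downvote, zero = withdraw the existing vote.
        if($commentVote > 0)
            $comments->addPostPositiveVote($commentInfo, $currentUserInfo);
        elseif($commentVote < 0)
            $comments->addPostNegativeVote($commentInfo, $currentUserInfo);
        else
            $comments->removePostVote($commentInfo, $currentUserInfo);

        redirect($redirect . '#comment-' . $commentInfo->getId());
        break;

    case 'delete':
        if(!$commentPerms['can_delete'] && !$categoryInfo->isOwner($currentUserInfo)) {
            echo render_info("You're not allowed to delete comments.", 403);
            break;
        }
        if($commentInfo->isDeleted()) {
            // Only users who can see deleted comments are told that it is already
            // deleted; everyone else gets the same message as for a missing comment.
            echo render_info(
                $commentPerms['can_delete_any'] ? 'This comment is already marked for deletion.' : "This comment doesn't exist.",
                400
            );
            break;
        }

        // Deleting someone else's comment is a moderator action and needs can_delete_any.
        $isOwnComment = $commentInfo->getUserId() === $currentUserInfo->getId();
        $isModAction = $commentPerms['can_delete_any'] && !$isOwnComment;
        if(!$isModAction && !$isOwnComment) {
            echo render_info("You're not allowed to delete comments made by others.", 403);
            break;
        }

        $comments->deletePost($commentInfo);

        // Moderator deletions are logged separately, with the affected user's id.
        if($isModAction) {
            $msz->createAuditLog('COMMENT_ENTRY_DELETE_MOD', [
                $commentInfo->getId(),
                $commentInfo->getUserId(),
                '<username>',
            ]);
        } else {
            $msz->createAuditLog('COMMENT_ENTRY_DELETE', [$commentInfo->getId()]);
        }

        redirect($redirect);
        break;

    case 'restore':
        if(!$commentPerms['can_delete_any']) {
            echo render_info("You're not allowed to restore deleted comments.", 403);
            break;
        }
        if(!$commentInfo->isDeleted()) {
            echo render_info("This comment isn't in a deleted state.", 400);
            break;
        }

        $comments->restorePost($commentInfo);
        $msz->createAuditLog('COMMENT_ENTRY_RESTORE', [
            $commentInfo->getId(),
            $commentInfo->getUserId(),
            '<username>',
        ]);

        redirect($redirect . '#comment-' . $commentInfo->getId());
        break;

    case 'create':
        if(empty($_POST['comment']) || !is_array($_POST['comment'])) {
            echo render_info('Missing data.', 400);
            break;
        }

        // Resolve the category from the form BEFORE the permission check: the
        // owner exemption has to apply to the category being posted in, not to
        // the category of whatever comment id was passed in ?c= (which may also
        // be absent for this action, leaving $categoryInfo unset).
        try {
            $categoryId = isset($_POST['comment']['category']) && is_string($_POST['comment']['category'])
                ? (int)$_POST['comment']['category']
                : 0;
            $categoryInfo = $comments->getCategoryById($categoryId);
        } catch(RuntimeException $ex) {
            echo render_info('This comment category doesn\'t exist.', 404);
            break;
        }

        if(!$commentPerms['can_comment'] && !$categoryInfo->isOwner($currentUserInfo)) {
            echo render_info("You're not allowed to post comments.", 403);
            break;
        }
        if($categoryInfo->isLocked() && !$commentPerms['can_lock']) {
            echo render_info('This comment category has been locked.', 403);
            break;
        }

        $commentText = !empty($_POST['comment']['text']) && is_string($_POST['comment']['text']) ? $_POST['comment']['text'] : '';
        $commentReply = (string)(!empty($_POST['comment']['reply']) && is_string($_POST['comment']['reply']) ? (int)$_POST['comment']['reply'] : 0);
        // Lock/pin flags are silently dropped when the user lacks the matching permission.
        $commentLock = !empty($_POST['comment']['lock']) && $commentPerms['can_lock'];
        $commentPin = !empty($_POST['comment']['pin']) && $commentPerms['can_pin'];

        // The lock flag toggles the category's lock state and is applied even when
        // no comment text is submitted (see the 'action has been processed' reply).
        if($commentLock) {
            if($categoryInfo->isLocked())
                $comments->unlockCategory($categoryInfo);
            else
                $comments->lockCategory($categoryInfo);
        }

        // Non-empty check is byte-wise; the length cap below counts characters.
        if(strlen($commentText) > 0) {
            // Collapse runs of blank lines into a single line break.
            $commentText = preg_replace("/[\r\n]{2,}/", "\n", $commentText);
        } else {
            if($commentPerms['can_lock']) {
                echo render_info('The action has been processed.', 400);
            } else {
                echo render_info('Your comment is too short.', 400);
            }
            break;
        }
        if(mb_strlen($commentText) > 5000) {
            echo render_info('Your comment is too long.', 400);
            break;
        }

        // A reply target that is missing or deleted is reported the same way.
        if($commentReply > 0) {
            try {
                $parentInfo = $comments->getPostById($commentReply);
            } catch(RuntimeException $ex) {}

            if(!isset($parentInfo) || $parentInfo->isDeleted()) {
                echo render_info('The comment you tried to reply to does not exist.', 404);
                break;
            }
        }

        $commentInfo = $comments->createPost(
            $categoryInfo,
            $parentInfo ?? null,
            $currentUserInfo,
            $commentText,
            $commentPin
        );

        redirect($redirect . '#comment-' . $commentInfo->getId());
        break;

    default:
        echo render_info('Not found.', 404);
}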