From 0c77fa438e549c98c34cb4becfa41a6fe97ca93b Mon Sep 17 00:00:00 2001 From: flashwave Date: Thu, 22 Oct 2015 16:24:18 +0200 Subject: [PATCH] r20151022 Signed-off-by: Flashwave --- _sakura/components/Users.php | 15 +++- _sakura/sakura.php | 3 +- _sakura/templates/yuuno/forum/posting.tpl | 5 ++ _sakura/templates/yuuno/global/confirm.tpl | 22 ++++++ public/authenticate.php | 12 +++ public/content/data/yuuno/css/yuuno.css | 6 ++ public/posting.php | 92 +++++++++++++++++++++- 7 files changed, 150 insertions(+), 5 deletions(-) create mode 100644 _sakura/templates/yuuno/global/confirm.tpl diff --git a/_sakura/components/Users.php b/_sakura/components/Users.php index 1100b83..63368fb 100755 --- a/_sakura/components/Users.php +++ b/_sakura/components/Users.php @@ -137,6 +137,17 @@ class Users return [0, 'AUTH_LOCKED']; } + // Check if we haven't hit the rate limit + $rates = Database::fetch('login_attempts', true, [ + 'attempt_ip' => [Main::getRemoteIP(), '='], + 'attempt_timestamp' => [time() - 1800, '>'], + 'attempt_success' => [0, '='], + ]); + + if (count($rates) > 4) { + return [0, 'RATE_LIMIT']; + } + // Check if the user that's trying to log in actually exists if (!$uid = self::userExists($username, false)) { return [0, 'USER_NOT_EXIST']; @@ -159,14 +170,14 @@ class Users $user['password_salt'], $user['password_hash'], ])) { - return [0, 'INCORRECT_PASSWORD', $user['password_chan']]; + return [0, 'INCORRECT_PASSWORD', $user['user_id'], $user['password_chan']]; } } // Check if the user has the required privs to log in if (Permissions::check('SITE', 'DEACTIVATED', $user['user_id'], 1)) { - return [0, 'NOT_ALLOWED']; + return [0, 'NOT_ALLOWED', $user['user_id']]; } // Create a new session diff --git a/_sakura/sakura.php b/_sakura/sakura.php index 067318a..ae136c2 100755 --- a/_sakura/sakura.php +++ b/_sakura/sakura.php 
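Review bot: The new limiter keys only on `Main::getRemoteIP()`, so its strength depends on that helper returning the connecting address rather than a client-supplied header such as X-Forwarded-For; the helper is not in this diff, so confirm it cannot be influenced by request headers, and consider a second counter per account name so one account cannot be tried from many addresses. The window (`time() - 1800`) and threshold (`> 4`) are magic numbers inside the method; lifting them into named constants or configuration, e.g. `const LOGIN_ATTEMPT_WINDOW = 1800;` and `const LOGIN_ATTEMPT_LIMIT = 5;`, would make the policy visible and tunable. `Database::fetch` pulls every matching row only to `count()` it; a COUNT query would be cheaper if the helper supports one. The enclosing method starts before the hunk.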
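Review bot: Inserting `$user['user_id']` at index 2 of the INCORRECT_PASSWORD tuple shifts `$user['password_chan']` from index 2 to index 3, so any caller that still reads `$login[2]` as the password-change value will now silently receive a user id; authenticate.php in this commit reads index 2 as the user id, but other callers are not visible here and should be checked. A positional tuple whose layout depends on the failure code is fragile; an associative return such as `['status' => 0, 'code' => 'INCORRECT_PASSWORD', 'user_id' => $user['user_id'], 'password_chan' => $user['password_chan']]` would avoid this class of mistake. `NOT_ALLOWED` now also carries the user id while the `AUTH_LOCKED` return visible in the previous hunk still carries none, so the attempt log can only attribute some failures to an account. The enclosing method starts before the hunk.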
@@ -8,7 +8,7 @@ namespace Sakura; // Define Sakura version -define('SAKURA_VERSION', '20151020'); +define('SAKURA_VERSION', '20151022'); define('SAKURA_VLABEL', 'Eminence'); define('SAKURA_COLOUR', '#6C3082'); define('SAKURA_STABLE', false); @@ -161,6 +161,7 @@ if (!defined('SAKURA_NO_TPL')) { 'siteTags' => implode(", ", json_decode(Configuration::getConfig('sitetags'), true)), 'dateFormat' => Configuration::getConfig('date_format'), 'currentPage' => '//' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], + 'referrer' => (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : null), 'recaptchaPublic' => Configuration::getConfig('recaptcha_public'), 'recaptchaEnabled' => Configuration::getConfig('recaptcha'), diff --git a/_sakura/templates/yuuno/forum/posting.tpl b/_sakura/templates/yuuno/forum/posting.tpl index 68678d4..762b83c 100755 --- a/_sakura/templates/yuuno/forum/posting.tpl +++ b/_sakura/templates/yuuno/forum/posting.tpl @@ -58,6 +58,11 @@ + {% if posting.id %} + + {% endif %} + + diff --git a/_sakura/templates/yuuno/global/confirm.tpl b/_sakura/templates/yuuno/global/confirm.tpl new file mode 100644 index 0000000..97b02fd --- /dev/null +++ b/_sakura/templates/yuuno/global/confirm.tpl @@ -0,0 +1,22 @@ +{% extends 'global/master.tpl' %} + +{% block title %}Confirmation{% endblock %} + +{% block content %} +
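Review bot: `referrer` hands the raw `HTTP_REFERER` header to every template; the header is client-controlled, so wherever a template uses it as a link target or redirect it must be treated as untrusted input. Twig autoescaping covers HTML output if it is enabled for this template set, but it does not stop an off-site URL being used as a redirect destination, so before exposing it the value should be checked to point at this host, e.g. compare `parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST)` with `$_SERVER['HTTP_HOST']` and otherwise pass `null`. The same unchecked pattern appears as `'redirect' => ... $_SERVER['HTTP_REFERER'] ...` in posting.php in this commit.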
+
+

{% block header %}Confirmation{% endblock %}

+
+ {{ message }} +
+ + + {% for key,value in conditions %} + + {% endfor %} + + +
+
+
+{% endblock %} diff --git a/public/authenticate.php b/public/authenticate.php index 0a5205c..ea646c6 100755 --- a/public/authenticate.php +++ b/public/authenticate.php @@ -178,10 +178,22 @@ if (isset($_REQUEST['mode'])) { 'INCORRECT_PASSWORD' => 'The password you entered was invalid.', 'NOT_ALLOWED' => 'Your account does not have the required permissions to log in.', 'NO_LOGIN' => 'Logging into this account is disabled.', + 'RATE_LIMIT' => 'Your IP has hit the login rate limit, try again later.', 'LOGIN_SUCCESS' => 'Login successful!', ]; + // Check if we're not RATE_LIMIT + if ($login[1] != 'RATE_LIMIT') { + // Add to database + Database::insert('login_attempts', [ + 'attempt_success' => $login[0], + 'attempt_timestamp' => time(), + 'attempt_ip' => Main::getRemoteIP(), + 'user_id' => isset($login[2]) ? $login[2] : 0, + ]); + } + // Add page specific things $renderData['page'] = [ diff --git a/public/content/data/yuuno/css/yuuno.css b/public/content/data/yuuno/css/yuuno.css index 834b494..f05a083 100755 --- a/public/content/data/yuuno/css/yuuno.css +++ b/public/content/data/yuuno/css/yuuno.css @@ -1824,6 +1824,12 @@ textarea.inputStyling { padding-left: 5px; } +@media (max-width: 512px) { + .forum .forumList .forumForum .forumLastColumn { + display: none; + } +} + .forum .topicList { width: 100%; border-spacing: 0; diff --git a/public/posting.php b/public/posting.php index 3354728..b711e47 100755 --- a/public/posting.php +++ b/public/posting.php @@ -40,7 +40,7 @@ if ($mode != 'f') { // Add page specific things $renderData['page'] = [ 'redirect' => (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : $urls->format('FORUM_INDEX')), - 'message' => 'The requested thread does not exist.', + 'message' => 'The requested post does not exist.', ]; // Render information page 
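Review bot: `$login[1] != 'RATE_LIMIT'` uses a loose comparison on a string code; `!==` is the idiomatic form and avoids PHP's string-to-number coercion surprises. The `user_id` written is `$login[2]` only when the authenticator happens to return one, so failures such as `USER_NOT_EXIST` and `AUTH_LOCKED` are logged as user 0 and cannot be attributed to an account; if a per-account lockout is ever wanted, the attempted username would have to be recorded as well. Nothing in this commit prunes `login_attempts`, and the limiter only looks at the last 30 minutes, so consider deleting rows older than the window at insert time or in a scheduled cleanup to keep the table bounded. Whether index 2 holds a user id on the `LOGIN_SUCCESS` path is not visible here and should be confirmed against the authenticator's success return.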
@@ -55,10 +55,98 @@ if ($mode != 'f') { // Add subject to render data $posting['text'] = '[quote]' . $post['post_text'] . '[/quote]'; + + // Post editing + } elseif ($mode == 'p' && isset($_GET['edit']) && $_GET['edit'] == $_GET['p'] && array_key_exists($_GET['p'], $topic['posts'])) { + // Checks + if ($topic['posts'][$_GET['p']]['poster_id'] != $currentUser->data['user_id']) { + // Add page specific things + $renderData['page'] = [ + 'redirect' => (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : $urls->format('FORUM_INDEX')), + 'message' => 'You can only edit your own posts!', + ]; + + // Render information page + print Templates::render('global/information.tpl', $renderData); + exit; + } + + // Reassign post for ease + $post = $topic['posts'][$_GET['p']]; + + // Set variables + $posting = array_merge($posting, [ + 'subject' => $post['post_subject'], + 'text' => $post['post_text'], + 'id' => $post['post_id'] + ]); + // Post deletion + } elseif ($mode == 'p' && isset($_GET['delete']) && $_GET['delete'] == $_GET['p'] && array_key_exists($_GET['p'], $topic['posts'])) { + // Checks + if ($topic['posts'][$_GET['p']]['poster_id'] != $currentUser->data['user_id']) { + // Add page specific things + $renderData['page'] = [ + 'redirect' => (isset($_SERVER['HTTP_REFERER']) ? 
$_SERVER['HTTP_REFERER'] : $urls->format('FORUM_INDEX')), + 'message' => 'You can only delete your own posts!', + ]; + + // Render information page + print Templates::render('global/information.tpl', $renderData); + exit; + } + + // Submit mode + if (isset($_POST['timestamp'], $_POST['sessionid'], $_POST['post_id'])) { + // Post deletion code + if (isset($_POST['yes'])) { + // Delete the post + Database::delete('posts', [ + 'post_id' => [$_POST['post_id'], '='], + ]); + + // Reload the topic + $topic = Forum::getTopic($topicId, true); + + // If there's no more posts left in the topic delete it as well + if (!count($topic['posts'])) { + Database::delete('topics', [ + 'topic_id' => [$topic['topic']['topic_id'], '='], + ]); + } + + // Add page specific things + $renderData['page'] = [ + 'redirect' => (count($topic['posts']) ? $urls->format('FORUM_THREAD', [$topic['topic']['topic_id']]) : $urls->format('FORUM_INDEX')), + 'message' => 'Your post has been deleted!', + ]; + + // Render information page + print Templates::render('global/information.tpl', $renderData); + exit; + // Return to previous page + } else { + header('Location: '. $urls->format('FORUM_POST', [$_POST['post_id']])); + exit; + } + } + + // Form mode + $renderData = array_merge($renderData, [ + 'message' => 'Are you sure you want to delete your reply to ' . $topic['topic']['topic_title'] . '?', + 'conditions' => [ + 'post_id' => $topic['posts'][$_GET['p']]['post_id'] + ] + ]); + + // Render confirmation form + print Templates::render('global/confirm.tpl', $renderData); + exit; } // Add subject to render data - $posting['subject'] = 'Re: '. $topic['topic']['topic_title']; + if(!isset($posting['subject'])) { + $posting['subject'] = 'Re: ' . $topic['topic']['topic_title']; + } } // Check if a post is being made
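Review bot: The ownership check in the deletion branch compares `$topic['posts'][$_GET['p']]['poster_id']` with the current user, but the row actually deleted is chosen by `$_POST['post_id']`, which is never compared to `$_GET['p']` or checked for ownership, so the check does not protect the post that gets removed; delete the post that was authorised instead, `'post_id' => [$topic['posts'][$_GET['p']]['post_id'], '='],` and use that same value in the `FORUM_POST` redirect rather than `$_POST['post_id']`. The submit branch only tests `isset($_POST['sessionid'])`; if that field is meant as the CSRF token it needs to be compared against the current session value with `hash_equals()`, since presence alone does not prove the request came from the confirmation form. The ownership checks use `!=` and `==` on ids; `!==` with both sides cast to int is the safer idiom here and in the edit branch. The edit branch only populates the form (`$posting['id']`); the code that saves an edited post is outside this hunk and must repeat the `poster_id` check against the posted id, because the hidden input added in posting.tpl is client-controlled. The enclosing `if ($mode != 'f')` block starts before the hunk.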