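<?php
require_once '../misuzu.php';

// Comment management endpoint: pin/unpin, vote, delete, restore and create.
// It is never opened directly under normal circumstances; it is reached either
// by an XHR call (which gets JSON back) or by a plain form submission (which is
// bounced back to the page it came from).
//
// The XHR decision is based on whether a Referer header is present: a form
// submission normally carries one, whereas the XHR path identifies itself with
// the X-Misuzu-XHR request header and is treated as XHR even if a Referer is
// sent. Note the consequence: a form submission without a Referer (e.g. a
// strict Referrer-Policy) lands on the JSON path instead of being redirected.
$redirect = !empty($_SERVER['HTTP_REFERER']) && empty($_SERVER['HTTP_X_MISUZU_XHR'])
    ? $_SERVER['HTTP_REFERER']
    : '';
$isXHR = !$redirect;

if ($isXHR) {
    header('Content-Type: application/json; charset=utf-8');
} elseif (!is_local_url($redirect)) {
    // The Referer is later echoed into a Location header, so it must point
    // back into this site; otherwise the endpoint could be used as an open
    // redirect. (PHP's header() refuses CR/LF on its own, so this check is
    // about the redirect target, not about header injection.)
    echo render_info('Possible request forgery detected.', 403);
    return;
}

// Every action here mutates state (most of them via GET), so the CSRF token is
// the real protection. Accept it from the query string or the form body only:
// $_REQUEST may additionally be populated from cookies depending on the
// request_order ini setting, and a cookie-sourced token would defeat the check.
// POST wins over GET, matching the usual $_REQUEST precedence.
$csrfToken = $_POST['csrf'] ?? $_GET['csrf'] ?? '';

if (!csrf_verify('comments', $csrfToken)) {
    echo render_info_or_json($isXHR, "Couldn't verify this request, please refresh the page and try again.", 403);
    return;
}

if (!user_session_active()) {
    echo render_info_or_json($isXHR, 'You must be logged in to manage comments.', 401);
    return;
}

// Cast explicitly: the delete action compares this with (int) $commentInfo['user_id']
// using ===, so a string-typed id from the session store must not break ownership.
$currentUserId = (int)user_session_current('user_id', 0);

// Banned or silenced users may not manage comments at all. These are checked
// before any per-action permission so the refusal does not depend on the action.
if (user_warning_check_expiration($currentUserId, MSZ_WARN_BAN) > 0) {
    echo render_info_or_json($isXHR, 'You have been banned, check your profile for more information.', 403);
    return;
}

if (user_warning_check_expiration($currentUserId, MSZ_WARN_SILENCE) > 0) {
    echo render_info_or_json($isXHR, 'You have been silenced, check your profile for more information.', 403);
    return;
}

// Hand the caller a CSRF token for its next request via a response header.
header(csrf_http_header('comments'));
$commentPerms = comments_get_perms($currentUserId);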
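// Dispatch on the requested action. All actions are protected by the CSRF
// check above; the per-action permission bits come from comments_get_perms().
switch ($_GET['m'] ?? null) {
    case 'pin':
    case 'unpin':
        if (!$commentPerms['can_pin']) {
            echo render_info_or_json($isXHR, "You're not allowed to pin comments.", 403);
            break;
        }

        $comment = (int)($_GET['c'] ?? 0);
        $commentInfo = comments_post_get($comment, false);

        // Deleted comments are treated as non-existent for pinning purposes.
        if (!$commentInfo || $commentInfo['comment_deleted'] !== null) {
            echo render_info_or_json($isXHR, "This comment doesn't exist!", 400);
            break;
        }

        // Only top-level comments can be pinned.
        if ($commentInfo['comment_reply_to'] !== null) {
            echo render_info_or_json($isXHR, "You can't pin replies!", 400);
            break;
        }

        $isPinning = $_GET['m'] === 'pin';
        $alreadyPinned = !empty($commentInfo['comment_pinned']);

        if ($isPinning && $alreadyPinned) {
            echo render_info_or_json($isXHR, 'This comment is already pinned.', 400);
            break;
        }

        if (!$isPinning && !$alreadyPinned) {
            echo render_info_or_json($isXHR, "This comment isn't pinned yet.", 400);
            break;
        }

        $commentPinned = comments_pin_status($commentInfo['comment_id'], $isPinning);

        if (!$isXHR) {
            // $redirect has already been verified as a local URL above.
            header('Location: ' . $redirect . '#comment-' . $commentInfo['comment_id']);
            break;
        }

        echo json_encode([
            'comment_id' => $commentInfo['comment_id'],
            'comment_pinned' => $commentPinned,
        ]);
        break;

    case 'vote':
        if (!$commentPerms['can_vote']) {
            echo render_info_or_json($isXHR, "You're not allowed to vote on comments.", 403);
            break;
        }

        // The vote parameter is an index into MSZ_COMMENTS_VOTE_TYPES; anything
        // that is not a known key is rejected before it reaches the database.
        $voteIndex = (int)($_GET['v'] ?? 0);

        if (!array_key_exists($voteIndex, MSZ_COMMENTS_VOTE_TYPES)) {
            echo render_info_or_json($isXHR, 'Invalid vote action.', 400);
            break;
        }

        $comment = (int)($_GET['c'] ?? 0);
        $commentInfo = comments_post_get($comment, false);

        if (!$commentInfo || $commentInfo['comment_deleted'] !== null) {
            echo render_info_or_json($isXHR, "This comment doesn't exist!", 400);
            break;
        }

        // Reuse the validated index rather than re-reading $_GET.
        $voteType = MSZ_COMMENTS_VOTE_TYPES[$voteIndex];
        $voteResult = comments_vote_add($comment, $currentUserId, $voteType);

        if (!$isXHR) {
            header('Location: ' . $redirect . '#comment-' . $comment);
            break;
        }

        echo json_encode(comments_votes_get($comment));
        break;

    case 'delete':
        if (!$commentPerms['can_delete']) {
            echo render_info_or_json($isXHR, "You're not allowed to delete comments.", 403);
            break;
        }

        $comment = (int)($_GET['c'] ?? 0);
        $commentInfo = comments_post_get($comment, false);

        if (!$commentInfo) {
            echo render_info_or_json($isXHR, "This comment doesn't exist.", 400);
            break;
        }

        // A moderator deleting someone else's comment is logged differently
        // from a user deleting their own; both integer-cast sides keep === safe.
        $isOwnComment = (int)$commentInfo['user_id'] === $currentUserId;
        $isModAction = $commentPerms['can_delete_any'] && !$isOwnComment;

        if ($commentInfo['comment_deleted'] !== null) {
            // Only users with can_delete_any learn that a deleted comment still
            // exists in the database; everyone else gets the generic message.
            $alreadyDeletedMessage = $commentPerms['can_delete_any']
                ? 'This comment is already marked for deletion.'
                : "This comment doesn't exist.";
            echo render_info_or_json($isXHR, $alreadyDeletedMessage, 400);
            break;
        }

        // Not the author and no moderator permission: refuse.
        if (!$isModAction && !$isOwnComment) {
            echo render_info_or_json($isXHR, "You're not allowed to delete comments made by others.", 403);
            break;
        }

        if (!comments_post_delete($comment)) {
            echo render_info_or_json($isXHR, 'Failed to delete comment.', 500);
            break;
        }

        if ($isModAction) {
            audit_log(MSZ_AUDIT_COMMENT_ENTRY_DELETE_MOD, $currentUserId, [
                $comment,
                (int)($commentInfo['user_id'] ?? 0),
                $commentInfo['username'] ?? '(Deleted User)',
            ]);
        } else {
            audit_log(MSZ_AUDIT_COMMENT_ENTRY_DELETE, $currentUserId, [$comment]);
        }

        if ($redirect) {
            header('Location: ' . $redirect);
            break;
        }

        echo json_encode([
            'id' => $comment,
        ]);
        break;

    case 'restore':
        // Restoring is a moderator-only action; it reuses the delete helper
        // with the flag cleared.
        if (!$commentPerms['can_delete_any']) {
            echo render_info_or_json($isXHR, "You're not allowed to restore deleted comments.", 403);
            break;
        }

        $comment = (int)($_GET['c'] ?? 0);
        $commentInfo = comments_post_get($comment, false);

        if (!$commentInfo) {
            echo render_info_or_json($isXHR, "This comment doesn't exist.", 400);
            break;
        }

        if ($commentInfo['comment_deleted'] === null) {
            echo render_info_or_json($isXHR, "This comment isn't in a deleted state.", 400);
            break;
        }

        if (!comments_post_delete($comment, false)) {
            echo render_info_or_json($isXHR, 'Failed to restore comment.', 500);
            break;
        }

        audit_log(MSZ_AUDIT_COMMENT_ENTRY_RESTORE, $currentUserId, [
            $comment,
            (int)($commentInfo['user_id'] ?? 0),
            $commentInfo['username'] ?? '(Deleted User)',
        ]);

        if ($redirect) {
            header('Location: ' . $redirect . '#comment-' . $comment);
            break;
        }

        echo json_encode([
            'id' => $comment,
        ]);
        break;

    case 'create':
        if (!$commentPerms['can_comment']) {
            echo render_info_or_json($isXHR, "You're not allowed to post comments.", 403);
            break;
        }

        // All create input arrives as the comment[...] form array.
        if (empty($_POST['comment']) || !is_array($_POST['comment'])) {
            echo render_info_or_json($isXHR, 'Missing data.', 400);
            break;
        }

        $categoryId = (int)($_POST['comment']['category'] ?? 0);
        $category = comments_category_info($categoryId);

        if (!$category) {
            echo render_info_or_json($isXHR, 'This comment category doesn\'t exist.', 404);
            break;
        }

        // A locked category only accepts input from users who may (un)lock it.
        if (!is_null($category['category_locked']) && !$commentPerms['can_lock']) {
            echo render_info_or_json($isXHR, 'This comment category has been locked.', 403);
            break;
        }

        // Guard against comment[text][] being submitted as an array, which
        // would otherwise reach strlen() and fail with a type error.
        $rawText = $_POST['comment']['text'] ?? '';
        $commentText = is_string($rawText) ? $rawText : '';
        // Lock and pin are silently ignored for users without the permission.
        $commentLock = !empty($_POST['comment']['lock']) && $commentPerms['can_lock'];
        $commentPin = !empty($_POST['comment']['pin']) && $commentPerms['can_pin'];
        $commentReply = (int)($_POST['comment']['reply'] ?? 0);

        if (strlen($commentText) > 0) {
            // Collapse runs of blank lines.
            $commentText = preg_replace("/[\r\n]{2,}/", "\n", $commentText);

            // Reject over-long text before applying any side effect below, so
            // an error response never also toggles the category lock.
            if (mb_strlen($commentText) > 5000) {
                echo render_info_or_json($isXHR, 'Your comment is too long.', 400);
                break;
            }
        }

        // The lock flag toggles the category's locked state; this is allowed
        // on its own (with no text) as a pure moderation action.
        if ($commentLock) {
            comments_category_lock($categoryId, is_null($category['category_locked']));
        }

        if (strlen($commentText) === 0) {
            if ($commentPerms['can_lock']) {
                echo render_info_or_json($isXHR, 'The action has been processed.');
            } else {
                echo render_info_or_json($isXHR, 'Your comment is too short.', 400);
            }
            break;
        }

        if ($commentReply > 0) {
            // Consistent with the pin/vote actions: a parent that is missing
            // or already deleted cannot be replied to.
            // TODO(review): also verify the parent belongs to $categoryId;
            // the row returned by comments_post_get() is not shown to carry a
            // category field here, so confirm the key before adding the check.
            $parentInfo = comments_post_get($commentReply, false);

            if (!$parentInfo || $parentInfo['comment_deleted'] !== null) {
                echo render_info_or_json($isXHR, 'The comment you tried to reply to does not exist.', 404);
                break;
            }
        }

        $commentId = comments_post_create(
            $currentUserId,
            $categoryId,
            $commentText,
            $commentPin,
            $commentReply
        );

        if ($commentId < 1) {
            echo render_info_or_json($isXHR, 'Something went horribly wrong.', 500);
            break;
        }

        if ($redirect) {
            header('Location: ' . $redirect . '#comment-' . $commentId);
            break;
        }

        echo json_encode(comments_post_get($commentId));
        break;

    default:
        echo render_info_or_json($isXHR, 'Not found.', 404);
}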