259 lines
8.1 KiB
PHP
259 lines
8.1 KiB
PHP
<?php
|
|
namespace Misuzu;
|
|
|
|
use RuntimeException;
|
|
use Misuzu\Users\User;
|
|
|
|
require_once '../misuzu.php';
|
|
|
|
// basing whether or not this is an xhr request on whether a referrer header is present
|
|
// this page is never directy accessed, under normal circumstances
|
|
$redirect = !empty($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : url('index');
|
|
|
|
if(!is_local_url($redirect)) {
|
|
echo render_info('Possible request forgery detected.', 403);
|
|
return;
|
|
}
|
|
|
|
if(!CSRF::validateRequest()) {
|
|
echo render_info("Couldn't verify this request, please refresh the page and try again.", 403);
|
|
return;
|
|
}
|
|
|
|
$currentUserInfo = User::getCurrent();
|
|
if($currentUserInfo === null) {
|
|
echo render_info('You must be logged in to manage comments.', 401);
|
|
return;
|
|
}
|
|
|
|
if($currentUserInfo->isBanned()) {
|
|
echo render_info('You have been banned, check your profile for more information.', 403);
|
|
return;
|
|
}
|
|
if($currentUserInfo->isSilenced()) {
|
|
echo render_info('You have been silenced, check your profile for more information.', 403);
|
|
return;
|
|
}
|
|
|
|
$comments = $msz->getComments();
|
|
|
|
$commentPerms = $currentUserInfo->commentPerms();
|
|
|
|
$commentId = (string)filter_input(INPUT_GET, 'c', FILTER_SANITIZE_NUMBER_INT);
|
|
$commentMode = (string)filter_input(INPUT_GET, 'm');
|
|
$commentVote = (int)filter_input(INPUT_GET, 'v', FILTER_SANITIZE_NUMBER_INT);
|
|
|
|
if(!empty($commentId)) {
|
|
try {
|
|
$commentInfo = $comments->getPostById($commentId);
|
|
} catch(RuntimeException $ex) {
|
|
echo render_info('Post not found.', 404);
|
|
return;
|
|
}
|
|
|
|
$categoryInfo = $comments->getCategoryByPost($commentInfo);
|
|
}
|
|
|
|
if($commentMode !== 'create' && empty($commentInfo)) {
|
|
echo render_error(400);
|
|
return;
|
|
}
|
|
|
|
switch($commentMode) {
|
|
case 'pin':
|
|
case 'unpin':
|
|
if(!$commentPerms['can_pin'] && !$categoryInfo->isOwner($currentUserInfo)) {
|
|
echo render_info("You're not allowed to pin comments.", 403);
|
|
break;
|
|
}
|
|
|
|
if($commentInfo->isDeleted()) {
|
|
echo render_info("This comment doesn't exist!", 400);
|
|
break;
|
|
}
|
|
|
|
if($commentInfo->isReply()) {
|
|
echo render_info("You can't pin replies!", 400);
|
|
break;
|
|
}
|
|
|
|
$isPinning = $commentMode === 'pin';
|
|
|
|
if($isPinning) {
|
|
if($commentInfo->isPinned()) {
|
|
echo render_info('This comment is already pinned.', 400);
|
|
break;
|
|
}
|
|
|
|
$comments->pinPost($commentInfo);
|
|
} else {
|
|
if(!$commentInfo->isPinned()) {
|
|
echo render_info("This comment isn't pinned yet.", 400);
|
|
break;
|
|
}
|
|
|
|
$comments->unpinPost($commentInfo);
|
|
}
|
|
|
|
redirect($redirect . '#comment-' . $commentInfo->getId());
|
|
break;
|
|
|
|
case 'vote':
|
|
if(!$commentPerms['can_vote'] && !$categoryInfo->isOwner($currentUserInfo)) {
|
|
echo render_info("You're not allowed to vote on comments.", 403);
|
|
break;
|
|
}
|
|
|
|
if($commentInfo->isDeleted()) {
|
|
echo render_info("This comment doesn't exist!", 400);
|
|
break;
|
|
}
|
|
|
|
if($commentVote > 0)
|
|
$comments->addPostPositiveVote($commentInfo, $currentUserInfo);
|
|
elseif($commentVote < 0)
|
|
$comments->addPostNegativeVote($commentInfo, $currentUserInfo);
|
|
else
|
|
$comments->removePostVote($commentInfo, $currentUserInfo);
|
|
|
|
redirect($redirect . '#comment-' . $commentInfo->getId());
|
|
break;
|
|
|
|
case 'delete':
|
|
if(!$commentPerms['can_delete'] && !$categoryInfo->isOwner($currentUserInfo)) {
|
|
echo render_info("You're not allowed to delete comments.", 403);
|
|
break;
|
|
}
|
|
|
|
if($commentInfo->isDeleted()) {
|
|
echo render_info(
|
|
$commentPerms['can_delete_any'] ? 'This comment is already marked for deletion.' : "This comment doesn't exist.",
|
|
400
|
|
);
|
|
break;
|
|
}
|
|
|
|
$isOwnComment = $commentInfo->getUserId() === (string)$currentUserInfo->getId();
|
|
$isModAction = $commentPerms['can_delete_any'] && !$isOwnComment;
|
|
|
|
if(!$isModAction && !$isOwnComment) {
|
|
echo render_info("You're not allowed to delete comments made by others.", 403);
|
|
break;
|
|
}
|
|
|
|
$comments->deletePost($commentInfo);
|
|
|
|
if($isModAction) {
|
|
$msz->createAuditLog('COMMENT_ENTRY_DELETE_MOD', [
|
|
$commentInfo->getId(),
|
|
$commentUserId = $commentInfo->getUserId(),
|
|
'<username>',
|
|
]);
|
|
} else {
|
|
$msz->createAuditLog('COMMENT_ENTRY_DELETE', [$commentInfo->getId()]);
|
|
}
|
|
|
|
redirect($redirect);
|
|
break;
|
|
|
|
case 'restore':
|
|
if(!$commentPerms['can_delete_any']) {
|
|
echo render_info("You're not allowed to restore deleted comments.", 403);
|
|
break;
|
|
}
|
|
|
|
if(!$commentInfo->isDeleted()) {
|
|
echo render_info("This comment isn't in a deleted state.", 400);
|
|
break;
|
|
}
|
|
|
|
$comments->restorePost($commentInfo);
|
|
|
|
$msz->createAuditLog('COMMENT_ENTRY_RESTORE', [
|
|
$commentInfo->getId(),
|
|
$commentUserId = $commentInfo->getUserId(),
|
|
'<username>',
|
|
]);
|
|
|
|
redirect($redirect . '#comment-' . $commentInfo->getId());
|
|
break;
|
|
|
|
case 'create':
|
|
if(!$commentPerms['can_comment'] && !$categoryInfo->isOwner($currentUserInfo)) {
|
|
echo render_info("You're not allowed to post comments.", 403);
|
|
break;
|
|
}
|
|
|
|
if(empty($_POST['comment']) || !is_array($_POST['comment'])) {
|
|
echo render_info('Missing data.', 400);
|
|
break;
|
|
}
|
|
|
|
try {
|
|
$categoryId = isset($_POST['comment']['category']) && is_string($_POST['comment']['category'])
|
|
? (int)$_POST['comment']['category']
|
|
: 0;
|
|
$categoryInfo = $comments->getCategoryById($categoryId);
|
|
} catch(RuntimeException $ex) {
|
|
echo render_info('This comment category doesn\'t exist.', 404);
|
|
break;
|
|
}
|
|
|
|
if($categoryInfo->isLocked() && !$commentPerms['can_lock']) {
|
|
echo render_info('This comment category has been locked.', 403);
|
|
break;
|
|
}
|
|
|
|
$commentText = !empty($_POST['comment']['text']) && is_string($_POST['comment']['text']) ? $_POST['comment']['text'] : '';
|
|
$commentReply = (string)(!empty($_POST['comment']['reply']) && is_string($_POST['comment']['reply']) ? (int)$_POST['comment']['reply'] : 0);
|
|
$commentLock = !empty($_POST['comment']['lock']) && $commentPerms['can_lock'];
|
|
$commentPin = !empty($_POST['comment']['pin']) && $commentPerms['can_pin'];
|
|
|
|
if($commentLock) {
|
|
if($categoryInfo->isLocked())
|
|
$comments->unlockCategory($categoryInfo);
|
|
else
|
|
$comments->lockCategory($categoryInfo);
|
|
}
|
|
|
|
if(strlen($commentText) > 0) {
|
|
$commentText = preg_replace("/[\r\n]{2,}/", "\n", $commentText);
|
|
} else {
|
|
if($commentPerms['can_lock']) {
|
|
echo render_info('The action has been processed.', 400);
|
|
} else {
|
|
echo render_info('Your comment is too short.', 400);
|
|
}
|
|
break;
|
|
}
|
|
|
|
if(mb_strlen($commentText) > 5000) {
|
|
echo render_info('Your comment is too long.', 400);
|
|
break;
|
|
}
|
|
|
|
if($commentReply > 0) {
|
|
try {
|
|
$parentInfo = $comments->getPostById($commentReply);
|
|
} catch(RuntimeException $ex) {}
|
|
|
|
if(!isset($parentInfo) || $parentInfo->isDeleted()) {
|
|
echo render_info('The comment you tried to reply to does not exist.', 404);
|
|
break;
|
|
}
|
|
}
|
|
|
|
$commentInfo = $comments->createPost(
|
|
$categoryInfo,
|
|
$parentInfo ?? null,
|
|
$currentUserInfo,
|
|
$commentText,
|
|
$commentPin
|
|
);
|
|
|
|
redirect($redirect . '#comment-' . $commentInfo->getId());
|
|
break;
|
|
|
|
default:
|
|
echo render_info('Not found.', 404);
|
|
}
|