<?php
/*
 * Nucleus: PHP/MySQL Weblog CMS (http://nucleuscms.org/)
 * Copyright (C) 2002-2007 The Nucleus Group
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version 2
 * of the License, or (at your option) any later version.
 * (see nucleus/documentation/index.html#license for more info)
 */
/**
 * The code for the Nucleus admin area
 *
 * @license http://nucleuscms.org/license.txt GNU General Public License
 * @copyright Copyright (C) 2002-2007 The Nucleus Group
 * @version $Id: ADMIN.php 1189 2007-08-06 15:30:51Z kaigreve $
 */

// Refuse to run when included outside the Nucleus bootstrap (requestVar() is
// defined by the core); this keeps the file from being executed directly.
if ( !function_exists('requestVar') ) exit;
require_once dirname(__FILE__) . '/showlist.php';

/**
 * Builds the admin area and executes admin actions
 *
 * Legacy (PHP4-style) class: `var` properties and a constructor named after
 * the class. Every request into the admin area goes through action(), which
 * dispatches to an action_xxxx method. Most methods below write their HTML
 * directly with echo and rely on the globals $member / $manager / $CONF.
 *
 * NOTE(review): $this->error() and $this->disallow() are not visible here;
 * the code after each call assumes they terminate the request — confirm.
 */
class ADMIN {

	/**
	 * @var string $action action currently being executed ($action=xxxx -> action_xxxx method)
	 */
	var $action;

	/**
	 * Class constructor (no-op)
	 */
	function ADMIN() {

	}

	/**
	 * Executes an action
	 *
	 * Resolves aliases, performs the ticket (CSRF) check for every action
	 * that is not in the "safe" list, and then calls action_<name> when
	 * such a method exists. Unknown actions produce an error page.
	 *
	 * @param string $action action to be performed (from the request, untrusted)
	 */
	function action($action) {
		global $CONF, $manager;

		// list of action aliases
		$alias = array(
			'login' => 'overview',
			'' => 'overview'
		);

		if (isset($alias[$action]))
			$action = $alias[$action];

		$methodName = 'action_' . $action;

		// lower-cased copy used for the ticket check below; PHP method names are
		// case-insensitive, so $methodName itself does not need normalising
		$this->action = strtolower($action);

		// check ticket. All actions need a ticket, unless they are considered to be safe (a safe action
		// is an action that requires user interaction before something is actually done)
		// all safe actions are in this array:
		//
		// SECURITY: this list is the CSRF-protection exemption list. Every entry must
		// be an action that only renders a page (list, form, confirmation prompt) and
		// never changes state. Adding a state-changing action here removes its ticket
		// check. Entries are compared against the lower-cased action name, so keep
		// them lower-case.
		$aActionsNotToCheck = array('showlogin', 'login', 'overview', 'itemlist', 'blogcommentlist', 'bookmarklet', 'blogsettings', 'banlist', 'deleteblog', 'editmembersettings', 'browseownitems', 'browseowncomments', 'createitem', 'itemedit', 'itemmove', 'categoryedit', 'categorydelete', 'manage', 'actionlog', 'settingsedit', 'backupoverview', 'pluginlist', 'createnewlog', 'usermanagement', 'skinoverview', 'templateoverview', 'skinieoverview', 'itemcommentlist', 'commentedit', 'commentdelete', 'banlistnewfromitem', 'banlistdelete', 'itemdelete', 'manageteam', 'teamdelete', 'banlistnew', 'memberedit', 'memberdelete', 'pluginhelp', 'pluginoptions', 'plugindelete', 'skinedittype', 'skinremovetype', 'skindelete', 'skinedit', 'templateedit', 'templatedelete', 'activate');
		/*
		// the rest of the actions needs to be checked
		$aActionsToCheck = array('additem', 'itemupdate', 'itemmoveto', 'categoryupdate', 'categorydeleteconfirm', 'itemdeleteconfirm', 'commentdeleteconfirm', 'teamdeleteconfirm', 'memberdeleteconfirm', 'templatedeleteconfirm', 'skindeleteconfirm', 'banlistdeleteconfirm', 'plugindeleteconfirm', 'batchitem', 'batchcomment', 'batchmember', 'batchcategory', 'batchteam', 'regfile', 'commentupdate', 'banlistadd', 'changemembersettings', 'clearactionlog', 'settingsupdate', 'blogsettingsupdate', 'categorynew', 'teamchangeadmin', 'teamaddmember', 'memberadd', 'addnewlog', 'addnewlog2', 'backupcreate', 'backuprestore', 'pluginup', 'plugindown', 'pluginupdate', 'pluginadd', 'pluginoptionsupdate', 'skinupdate', 'skinclone', 'skineditgeneral', 'templateclone', 'templatenew', 'templateupdate', 'skinieimport', 'skinieexport', 'skiniedoimport', 'skinnew', 'deleteblogconfirm', 'sendping', 'rawping', 'activatesetpwd');
		*/
		if (!in_array($this->action, $aActionsNotToCheck))
		{
			if (!$manager->checkTicket())
				$this->error(_ERROR_BADTICKET);
		}

		// Any action_* method of this class is reachable by name from the request;
		// authorisation is therefore the responsibility of each individual method.
		if (method_exists($this, $methodName))
			call_user_func(array(&$this, $methodName));
		else
			$this->error(_BADACTION . htmlspecialchars(" ($action)"));

	}

	/**
	 * Shows the login form, passing along the global $error message (if any)
	 */
	function action_showlogin() {
		global $error;
		$this->action_login($error);
	}

	/**
	 * Renders the login form, or jumps straight to the overview when the
	 * current member is already logged in and allowed to log in.
	 *
	 * @param string $msg      optional message shown above the form (HTML-escaped here)
	 * @param int    $passvars when truthy, the original request variables are
	 *                         re-emitted as hidden fields so the request can be
	 *                         replayed after a successful login (not done when the
	 *                         previous action was 'login' or 'logout')
	 */
	function action_login($msg = '', $passvars = 1) {
		global $member;

		// skip to overview when allowed
		if ($member->isLoggedIn() && $member->canLogin()) {
			$this->action_overview();
			exit;
		}

		$this->pagehead();

		echo '<h2>', _LOGIN ,'</h2>';
		if ($msg) echo _MESSAGE , ': ', htmlspecialchars($msg);
		?>

		<form action="index.php" method="post"><p>
		<?php echo _LOGIN_NAME?>: <br /><input name="login" tabindex="10" />
		<br />
		<?php echo _LOGIN_PASSWORD?>: <br /><input name="password" tabindex="20" type="password" />
		<br />
		<input name="action" value="login" type="hidden" />
		<br />
		<input type="submit" value="<?php echo _LOGIN?>" tabindex="30" />
		<br />
		<small>
			<input type="checkbox" value="1" name="shared" tabindex="40" id="shared" /><label for="shared"><?php echo _LOGIN_SHARED?></label>
			<br /><a href="forgotpassword.html"><?php echo _LOGIN_FORGOT?></a>
		</small>
		<?php			// pass through vars
			// NOTE(review): passRequestVars() is defined elsewhere; it is assumed
			// to escape the values it writes into the hidden fields — confirm.

			$oldaction = postVar('oldaction');
			if ( ($oldaction != 'logout') && ($oldaction != 'login') && $passvars ) {
				passRequestVars();
			}


		?>
		</p></form>
		<?php		$this->pagefoot();
	}


	/**
	 * provides a screen with the overview of the actions available
	 *
	 * Lists the blogs the member belongs to (or all blogs for a super-admin
	 * requesting showall=yes), the member's drafts, and the settings /
	 * management links.
	 *
	 * @param string $msg optional message shown at the top of the page.
	 *                    Unlike action_login(), it is echoed WITHOUT escaping,
	 *                    so callers must pass trusted or pre-escaped text only.
	 */
	function action_overview($msg = '') {
		global $member;

		$this->pagehead();

		if ($msg)
			echo _MESSAGE , ': ', $msg;

		/* ---- add items ---- */
		echo '<h2>' . _OVERVIEW_YRBLOGS . '</h2>';

		$showAll = requestVar('showall');

		if (($member->isAdmin()) && ($showAll == 'yes')) {
			// Super-Admins have access to all blogs! (no add item support though)
			$query =  'SELECT bnumber, bname, 1 as tadmin, burl, bshortname'
				   . ' FROM ' . sql_table('blog')
				   . ' ORDER BY bname';
		} else {
			// only the member's own ID is interpolated into the query here
			$query =  'SELECT bnumber, bname, tadmin, burl, bshortname'
				   . ' FROM ' . sql_table('blog') . ', ' . sql_table('team')
				   . ' WHERE tblog=bnumber and tmember=' . $member->getID()
				   . ' ORDER BY bname';
		}
		$template['content'] = 'bloglist';
		$template['superadmin'] = $member->isAdmin();
		$amount = showlist($query,'table',$template);

		// offer the "show all" link only when there are blogs the admin is not a member of
		if (($showAll != 'yes') && ($member->isAdmin())) {
			$total = quickQuery('SELECT COUNT(*) as result FROM ' . sql_table('blog'));
			if ($total > $amount)
				echo '<p><a href="index.php?action=overview&showall=yes">Show all blogs</a></p>';
		}

		if ($amount == 0)
			echo _OVERVIEW_NOBLOGS;

		if ($amount != 0) {
			echo '<h2>' . _OVERVIEW_YRDRAFTS . '</h2>';
			$query =  'SELECT ititle, inumber, bshortname'
				   . ' FROM ' . sql_table('item'). ', ' . sql_table('blog')
				   . ' WHERE iauthor='.$member->getID().' and iblog=bnumber and idraft=1';
			$template['content'] = 'draftlist';
			$amountdrafts = showlist($query, 'table', $template);
			if ($amountdrafts == 0)
				echo _OVERVIEW_NODRAFTS;
		}

		/* ---- user settings ---- */
		echo '<h2>' . _OVERVIEW_YRSETTINGS . '</h2>';
		echo '<ul>';
		echo '<li><a href="index.php?action=editmembersettings">' . _OVERVIEW_EDITSETTINGS. '</a></li>';
		echo '<li><a href="index.php?action=browseownitems">' . _OVERVIEW_BROWSEITEMS.'</a></li>';
		echo '<li><a href="index.php?action=browseowncomments">'._OVERVIEW_BROWSECOMM.'</a></li>';
		echo '</ul>';

		/* ---- general settings ---- */
		if ($member->isAdmin()) {
			echo '<h2>' . _OVERVIEW_MANAGEMENT. '</h2>';
			echo '<ul>';
			echo '<li><a href="index.php?action=manage">',_OVERVIEW_MANAGE,'</a></li>';
			echo '</ul>';
		}


		$this->pagefoot();
	}

	/**
	 * Returns a link to a weblog
	 *
	 * Both the URL and the blog name are passed through htmlspecialchars().
	 *
	 * @param object BLOG
	 * @return string HTML anchor element
	 */
	function bloglink(&$blog) {
		return '<a href="'.htmlspecialchars($blog->getURL()).'" title="'._BLOGLIST_TT_VISIT.'">'. htmlspecialchars( $blog->getName() ) .'</a>';
	}

	/**
	 * Shows the site-management menu (super-admins only)
	 *
	 * @param string $msg optional message shown at the top of the page;
	 *                    echoed without escaping, so pass trusted text only
	 */
	function action_manage($msg = '') {
		global $member;

		$member->isAdmin() or $this->disallow();

		$this->pagehead();

		echo '<p><a href="index.php?action=overview">(',_BACKHOME,')</a></p>';

		if ($msg)
			echo '<p>' , _MESSAGE , ': ', $msg , '</p>';


		echo '<h2>' . _MANAGE_GENERAL. '</h2>';

		echo '<ul>';
		echo '<li><a href="index.php?action=createnewlog">'._OVERVIEW_NEWLOG.'</a></li>';
		echo '<li><a href="index.php?action=settingsedit">'._OVERVIEW_SETTINGS.'</a></li>';
		echo '<li><a href="index.php?action=usermanagement">'._OVERVIEW_MEMBERS.'</a></li>';
		echo '<li><a href="index.php?action=actionlog">'._OVERVIEW_VIEWLOG.'</a></li>';
		echo '</ul>';

		echo '<h2>' . _MANAGE_SKINS . '</h2>';
		echo '<ul>';
		echo '<li><a href="index.php?action=skinoverview">'._OVERVIEW_SKINS.'</a></li>';
		echo '<li><a href="index.php?action=templateoverview">'._OVERVIEW_TEMPLATES.'</a></li>';
		echo '<li><a href="index.php?action=skinieoverview">'._OVERVIEW_SKINIMPORT.'</a></li>';
		echo '</ul>';

		echo '<h2>' . _MANAGE_EXTRA . '</h2>';
		echo '<ul>';
		echo '<li><a href="index.php?action=backupoverview">'._OVERVIEW_BACKUP.'</a></li>';
		echo '<li><a href="index.php?action=pluginlist">'._OVERVIEW_PLUGINS.'</a></li>';
		echo '</ul>';

		$this->pagefoot();
	}

	/**
	 * Lists the items of one blog with paging, search and batch operations
	 *
	 * Access: team members of the blog or super-admins. Non-blog-admins only
	 * see their own items.
	 *
	 * @param int|string $blogid blog to list; when empty it is read from the
	 *                           request via intRequestVar(). A caller-supplied
	 *                           value is interpolated unescaped into SQL and into
	 *                           an href, so callers must pass an integer.
	 */
	function action_itemlist($blogid = '') {
		global $member, $manager;

		if ($blogid == '')
			$blogid = intRequestVar('blogid');

		$member->teamRights($blogid) or $member->isAdmin() or $this->disallow();

		$this->pagehead();
		$blog =& $manager->getBlog($blogid);

		echo '<p><a href="index.php?action=overview">(',_BACKHOME,')</a></p>';
		echo '<h2>' . _ITEMLIST_BLOG . ' ' . $this->bloglink($blog) . '</h2>';

		// start index (paging offset, integer-coerced)
		if (postVar('start'))
			$start = intPostVar('start');
		else
			$start = 0;

		if ($start == 0)
			echo '<p><a href="index.php?action=createitem&blogid='.$blogid.'">',_ITEMLIST_ADDNEW,'</a></p>';

		// amount of items to show (integer-coerced)
		if (postVar('amount'))
			$amount = intPostVar('amount');
		else
			$amount = 10;

		$search = postVar('search');		// search through items

		$query =  'SELECT bshortname, cname, mname, ititle, ibody, inumber, idraft, itime'
			   . ' FROM ' . sql_table('item') . ', ' . sql_table('blog') . ', ' . sql_table('member') . ', ' . sql_table('category')
			   . ' WHERE iblog=bnumber and iauthor=mnumber and icat=catid and iblog=' . $blogid;

		// SECURITY: the search string is untrusted POST data and is only escaped with
		// addslashes(), which is not a charset-aware SQL escape. A driver escape
		// function (or a prepared statement) should be used here; LIKE wildcards
		// (% and _) in the search text are also passed through unescaped.
		if ($search)
			$query .= ' and ((ititle LIKE "%' . addslashes($search) . '%") or (ibody LIKE "%' . addslashes($search) . '%") or (imore LIKE "%' . addslashes($search) . '%"))';

		// non-blog-admins can only edit/delete their own items
		if (!$member->blogAdminRights($blogid))
			$query .= ' and iauthor=' . $member->getID();


		$query .= ' ORDER BY itime DESC'
				. " LIMIT $start,$amount";

		$template['content'] = 'itemlist';
		$template['now'] = $blog->getCorrectTime(time());

		$manager->loadClass("ENCAPSULATE");
		$navList =& new NAVLIST('itemlist', $start, $amount, 0, 1000, $blogid, $search, 0);
		$navList->showBatchList('item',$query,'table',$template);


		$this->pagefoot();
	}

	/**
	 * Performs a batch operation ('delete' or 'move') on a set of items
	 *
	 * Item IDs come from the 'batch' request array; per-item authorisation is
	 * left to deleteOneItem() / moveOneItem(). A move without a valid
	 * destination category, or a delete without confirmation, first shows the
	 * corresponding prompt page instead.
	 */
	function action_batchitem() {
		global $member, $manager;

		// check if logged in
		$member->isLoggedIn() or $this->disallow();

		// more precise check will be done for each performed operation

		// get array of itemids from request
		$selected = requestIntArray('batch');
		$action = requestVar('batchaction');

		// Show error when no items were selected
		if (!is_array($selected) || sizeof($selected) == 0)
			$this->error(_BATCH_NOSELECTION);

		// On move: when no destination blog/category chosen, show choice now
		$destCatid = intRequestVar('destcatid');
		if (($action == 'move') && (!$manager->existsCategory($destCatid)))
			$this->batchMoveSelectDestination('item',$selected);

		// On delete: check if confirmation has been given
		if (($action == 'delete') && (requestVar('confirmation') != 'yes'))
			$this->batchAskDeleteConfirmation('item',$selected);

		$this->pagehead();

		echo '<a href="index.php?action=overview">(',_BACKHOME,')</a>';
		echo '<h2>',_BATCH_ITEMS,'</h2>';
		echo '<p>',_BATCH_EXECUTING,' <b>',htmlspecialchars($action),'</b></p>';
		echo '<ul>';


		// walk over all itemids and perform action
		foreach ($selected as $itemid) {
			$itemid = intval($itemid);	// re-coerce so the ID is safe to print and to embed in SQL
			echo '<li>',_BATCH_EXECUTING,' <b>',htmlspecialchars($action),'</b> ',_BATCH_ONITEM,' <b>', $itemid, '</b>...';

			// perform action, display errors if needed
			switch($action) {
				case 'delete':
					$error = $this->deleteOneItem($itemid);
					break;
				case 'move':
					$error = $this->moveOneItem($itemid, $destCatid);
					break;
				default:
					$error = _BATCH_UNKNOWN . htmlspecialchars($action);
			}

			// NOTE(review): $error from deleteOneItem()/moveOneItem() is echoed as-is;
			// those helpers are assumed to return escaped/static text — confirm.
			echo '<b>',($error ? $error : _BATCH_SUCCESS),'</b>';
			echo '</li>';
		}

		echo '</ul>';
		echo '<b>',_BATCH_DONE,'</b>';

		$this->pagefoot();


	}

	/**
	 * Performs a batch operation ('delete') on a set of comments
	 *
	 * Comment IDs come from the 'batch' request array; per-comment
	 * authorisation is left to deleteOneComment(). A delete without
	 * confirmation first shows the confirmation page.
	 */
	function action_batchcomment() {
		global $member;

		// check if logged in
		$member->isLoggedIn() or $this->disallow();

		// more precise check will be done for each performed operation

		// get array of itemids from request
		$selected = requestIntArray('batch');
		$action = requestVar('batchaction');

		// Show error when no items were selected
		if (!is_array($selected) || sizeof($selected) == 0)
			$this->error(_BATCH_NOSELECTION);

		// On delete: check if confirmation has been given
		if (($action == 'delete') && (requestVar('confirmation') != 'yes'))
			$this->batchAskDeleteConfirmation('comment',$selected);

		$this->pagehead();

		echo '<a href="index.php?action=overview">(',_BACKHOME,')</a>';
		echo '<h2>',_BATCH_COMMENTS,'</h2>';
		echo '<p>',_BATCH_EXECUTING,' <b>',htmlspecialchars($action),'</b></p>';
		echo '<ul>';

		// walk over all itemids and perform action
		foreach ($selected as $commentid) {
			$commentid = intval($commentid);	// re-coerce before printing / using the ID
			echo '<li>',_BATCH_EXECUTING,' <b>',htmlspecialchars($action),'</b> ',_BATCH_ONCOMMENT,' <b>', $commentid, '</b>...';

			// perform action, display errors if needed
			switch($action) {
				case 'delete':
					$error = $this->deleteOneComment($commentid);
					break;
				default:
					$error = _BATCH_UNKNOWN . htmlspecialchars($action);
			}

			echo '<b>',($error ? $error : _BATCH_SUCCESS),'</b>';
			echo '</li>';
		}

		echo '</ul>';
		echo '<b>',_BATCH_DONE,'</b>';

		$this->pagefoot();


	}

	/**
	 * Performs a batch operation ('delete', 'setadmin', 'unsetadmin') on a set
	 * of members. Super-admins only.
	 *
	 * Member IDs come from the 'batch' request array and are intval()'d again
	 * before being embedded in SQL, so the mnumber= interpolation is int-safe.
	 */
	function action_batchmember() {
		global $member;

		// check if logged in and admin
		($member->isLoggedIn() && $member->isAdmin()) or $this->disallow();

		// get array of itemids from request
		$selected = requestIntArray('batch');
		$action = requestVar('batchaction');

		// Show error when no members selected
		if (!is_array($selected) || sizeof($selected) == 0)
			$this->error(_BATCH_NOSELECTION);

		// On delete: check if confirmation has been given
		if (($action == 'delete') && (requestVar('confirmation') != 'yes'))
			$this->batchAskDeleteConfirmation('member',$selected);

		$this->pagehead();

		echo '<a href="index.php?action=usermanagement">(',_MEMBERS_BACKTOOVERVIEW,')</a>';
		echo '<h2>',_BATCH_MEMBERS,'</h2>';
		echo '<p>',_BATCH_EXECUTING,' <b>',htmlspecialchars($action),'</b></p>';
		echo '<ul>';

		// walk over all itemids and perform action
		foreach ($selected as $memberid) {
			$memberid = intval($memberid);
			echo '<li>',_BATCH_EXECUTING,' <b>',htmlspecialchars($action),'</b> ',_BATCH_ONMEMBER,' <b>', $memberid, '</b>...';

			// perform action, display errors if needed
			switch($action) {
				case 'delete':
					$error = $this->deleteOneMember($memberid);
					break;
				case 'setadmin':
					// always succeeds
					sql_query('UPDATE ' . sql_table('member') . ' SET madmin=1 WHERE mnumber='.$memberid);
					$error = '';
					break;
				case 'unsetadmin':
					// there should always remain at least one super-admin
					// BUG: the success branch never resets $error, so on the first iteration
					// it is undefined and on later iterations a stale message from a previous
					// member is reported for this one. The check-then-update is also not
					// atomic, so two concurrent requests can each pass the count check.
					$r = sql_query('SELECT * FROM '.sql_table('member'). ' WHERE madmin=1 and mcanlogin=1');
					if (mysql_num_rows($r) < 2)
						$error = _ERROR_ATLEASTONEADMIN;
					else
						sql_query('UPDATE ' . sql_table('member') .' SET madmin=0 WHERE mnumber='.$memberid);
					break;
				default:
					$error = _BATCH_UNKNOWN . htmlspecialchars($action);
			}

			echo '<b>',($error ? $error : _BATCH_SUCCESS),'</b>';
			echo '</li>';
		}

		echo '</ul>';
		echo '<b>',_BATCH_DONE,'</b>';

		$this->pagefoot();


	}

	/**
	 * Performs a batch operation on the team members of one blog
	 * (blog admins only). The method body continues beyond this listing.
	 */
	function action_batchteam() {
		global $member;

		$blogid = intRequestVar('blogid');

		// check if logged in and admin
		($member->isLoggedIn() && $member->blogAdminRights($blogid)) or $this->disallow();

		// get array of itemids from request
		$selected = requestIntArray('batch');
		$action = requestVar('batchaction');

		// Show error when no members selected
		if (!is_array($selected) || sizeof($selected) == 0)
			$this->error(_BATCH_NOSELECTION);

		// On delete: check if confirmation has been given
		if (($action == 'delete') && (requestVar('confirmation') != 'yes'))
			$this->batchAskDeleteConfirmation('team',$selected);

		$this->pagehead();

		echo '<p><a href="index.php?action=manageteam&blogid=',$blogid,'">(',_BACK,')</a></p>';

		echo '<h2>',_BATCH_TEAM,'</h2>';
		echo '<p>',_BATCH_EXECUTING,' <b>',htmlspecialchars($action),'</b></p>';
		echo '<ul>';

		// walk over all itemids and perform action
		foreach ($selected as $memberid) {
			$memberid = intval($memberid);
			echo '<li>',_BATCH_EXECUTING,' <b>',htmlspecialchars($action),'</b> ',_BATCH_ONTEAM,' <b>', $memberid, '</b>...';

			// perform action, display errors if needed
			switch($action) {
				case 'delete':
					$error =