source: admin/posts.php @ 3649:3b0b868d58b0

Visit:

Revision 3649:3b0b868d58b0, 11.2 KB checked in by franck <carnet.franck.paul@…>, 8 years ago (diff)
Fix potential XSS - thank's Trí Chim Trích for report

Rev	Line
[0]	1	<?php
	2	# -- BEGIN LICENSE BLOCK ---------------------------------------
	3	#
	4	# This file is part of Dotclear 2.
	5	#
[1179]	6	# Copyright (c) 2003-2013 Olivier Meunier & Association Dotclear
[0]	7	# Licensed under the GPL version 2.0 license.
	8	# See LICENSE file or
	9	# http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
	10	#
	11	# -- END LICENSE BLOCK -----------------------------------------
	12
	13	require dirname(__FILE__).'/../inc/admin/prepend.php';
	14
	15	dcPage::check('usage,contentadmin');
	16
	17	# Getting categories
	18	try {
[3209]	19	$categories = $core->blog->getCategories();
[0]	20	} catch (Exception $e) {
	21	$core->error->add($e->getMessage());
	22	}
	23
	24	# Getting authors
	25	try {
	26	$users = $core->blog->getPostsUsers();
	27	} catch (Exception $e) {
	28	$core->error->add($e->getMessage());
	29	}
	30
	31	# Getting dates
	32	try {
	33	$dates = $core->blog->getDates(array('type'=>'month'));
	34	} catch (Exception $e) {
	35	$core->error->add($e->getMessage());
	36	}
	37
	38	# Getting langs
	39	try {
	40	$langs = $core->blog->getLangs();
	41	} catch (Exception $e) {
	42	$core->error->add($e->getMessage());
	43	}
	44
	45	# Creating filter combo boxes
	46	if (!$core->error->flag())
	47	{
	48	# Filter form we'll put in html_block
[3105]	49	$users_combo = dcAdminCombos::getUsersCombo($users);
	50	dcUtils::lexicalKeySort($users_combo);
[1719]	51	$users_combo = array_merge(
	52	array('-' => ''),
[3105]	53	$users_combo
[1719]	54	);
	55
	56	$categories_combo = array_merge(
[1775]	57	array(
	58	new formSelectOption('-',''),
[2566]	59	new formSelectOption(__('(No cat)'),'NULL')),
[1775]	60	dcAdminCombos::getCategoriesCombo($categories,false)
[1719]	61	);
[1775]	62	$categories_values = array();
	63	foreach ($categories_combo as $cat) {
	64	if (isset($cat->value)) {
	65	$categories_values[$cat->value]=true;
[0]	66	}
	67	}
[2566]	68
[1719]	69	$status_combo = array_merge(
	70	array('-' => ''),
[2566]	71	dcAdminCombos::getPostStatusesCombo()
[0]	72	);
[2566]	73
[0]	74	$selected_combo = array(
	75	'-' => '',
[1353]	76	__('Selected') => '1',
	77	__('Not selected') => '0'
[0]	78	);
[2566]	79
[3117]	80	$comment_combo = array(
	81	'-' => '',
	82	__('Opened') => '1',
	83	__('Closed') => '0'
	84	);
	85
	86	$trackback_combo = array(
	87	'-' => '',
	88	__('Opened') => '1',
	89	__('Closed') => '0'
	90	);
	91
[2309]	92	$attachment_combo = array(
	93	'-' => '',
	94	__('With attachments') => '1',
	95	__('Without attachments') => '0'
	96	);
	97
[3033]	98	$password_combo = array(
	99	'-' => '',
	100	__('With password') => '1',
	101	__('Without password') => '0'
	102	);
	103
[0]	104	# Months array
[1719]	105	$dt_m_combo = array_merge(
	106	array('-' => ''),
	107	dcAdminCombos::getDatesCombo($dates)
	108	);
[2566]	109
[1719]	110	$lang_combo = array_merge(
	111	array('-' => ''),
[2566]	112	dcAdminCombos::getLangsCombo($langs,false)
[1719]	113	);
[2566]	114
[3033]	115	# Post formats
	116	$core_formaters = $core->getFormaters();
	117	$available_formats = array();
	118	foreach ($core_formaters as $editor => $formats) {
	119	foreach ($formats as $format) {
	120	$available_formats[$format] = $format;
	121	}
	122	}
	123	$format_combo = array_merge(
	124	array('-' => ''),
	125	$available_formats
	126	);
	127
[0]	128	$sortby_combo = array(
	129	__('Date') => 'post_dt',
	130	__('Title') => 'post_title',
	131	__('Category') => 'cat_title',
	132	__('Author') => 'user_id',
	133	__('Status') => 'post_status',
[2305]	134	__('Selected') => 'post_selected',
	135	__('Number of comments') => 'nb_comment',
[3033]	136	__('Number of trackbacks') => 'nb_trackback'
[0]	137	);
[2566]	138
[3360]	139	$sortby_lex = array(
	140	// key in sorty_combo (see above) => field in SQL request
	141	'post_title' => 'post_title',
	142	'cat_title' => 'cat_title',
	143	'user_id' => 'P.user_id');
	144
[0]	145	$order_combo = array(
	146	__('Descending') => 'desc',
	147	__('Ascending') => 'asc'
	148	);
	149	}
	150
	151	# Actions combo box
	152
[2720]	153	$posts_actions_page = new dcPostsActionsPage($core,$core->adminurl->get("admin.posts"));
[1796]	154
[2072]	155	if ($posts_actions_page->process()) {
	156	return;
	157	}
[0]	158
[2072]	159	/* Get posts
	160	-------------------------------------------------------- */
[3033]	161	$user_id = !empty($_GET['user_id']) ? $_GET['user_id'] : '';
	162	$cat_id = !empty($_GET['cat_id']) ? $_GET['cat_id'] : '';
	163	$status = isset($_GET['status']) ? $_GET['status'] : '';
	164	$password = isset($_GET['password']) ? $_GET['password'] : '';
	165	$selected = isset($_GET['selected']) ? $_GET['selected'] : '';
[3117]	166	$comment = isset($_GET['comment']) ? $_GET['comment'] : '';
	167	$trackback = isset($_GET['trackback']) ? $_GET['trackback'] : '';
[3033]	168	$attachment = isset($_GET['attachment']) ? $_GET['attachment'] : '';
	169	$month = !empty($_GET['month']) ? $_GET['month'] : '';
	170	$lang = !empty($_GET['lang']) ? $_GET['lang'] : '';
	171	$format = !empty($_GET['format']) ? $_GET['format'] : '';
[2072]	172	$sortby = !empty($_GET['sortby']) ? $_GET['sortby'] : 'post_dt';
[3033]	173	$order = !empty($_GET['order']) ? $_GET['order'] : 'desc';
[0]	174
[2072]	175	$show_filters = false;
[0]	176
[2072]	177	$page = !empty($_GET['page']) ? max(1,(integer) $_GET['page']) : 1;
	178	$nb_per_page = 30;
[0]	179
[2072]	180	if (!empty($_GET['nb']) && (integer) $_GET['nb'] > 0) {
[3649]	181	if ($nb_per_page != (integer) $_GET['nb']) {
[2072]	182	$show_filters = true;
[2048]	183	}
[2072]	184	$nb_per_page = (integer) $_GET['nb'];
	185	}
[2048]	186
[2072]	187	$params['limit'] = array((($page-1)*$nb_per_page),$nb_per_page);
	188	$params['no_content'] = true;
[3033]	189	$params['where'] = '';
[2048]	190
[2072]	191	# - User filter
	192	if ($user_id !== '' && in_array($user_id,$users_combo)) {
	193	$params['user_id'] = $user_id;
	194	$show_filters = true;
	195	} else {
	196	$user_id='';
	197	}
	198
	199	# - Categories filter
	200	if ($cat_id !== '' && isset($categories_values[$cat_id])) {
	201	$params['cat_id'] = $cat_id;
	202	$show_filters = true;
	203	} else {
	204	$cat_id='';
	205	}
	206
	207	# - Status filter
	208	if ($status !== '' && in_array($status,$status_combo)) {
	209	$params['post_status'] = $status;
	210	$show_filters = true;
	211	} else {
	212	$status='';
	213	}
	214
[3033]	215	# - Password filter
	216	if ($password !== '' && in_array($password,$password_combo)) {
	217	$params['where'] .= ' AND post_password IS '.($password ? 'NOT ' : '').'NULL ';
	218	$show_filters = true;
	219	} else {
	220	$password='';
	221	}
	222
[2072]	223	# - Selected filter
	224	if ($selected !== '' && in_array($selected,$selected_combo)) {
	225	$params['post_selected'] = $selected;
	226	$show_filters = true;
	227	} else {
	228	$selected='';
	229	}
	230
[3117]	231	# - Comment filter
	232	if ($comment !== '' && in_array($comment,$comment_combo)) {
	233	$params['where'] .= " AND post_open_comment = '".$comment."' ";
	234	$show_filters = true;
	235	} else {
	236	$comment='';
	237	}
	238
	239	# - Comment filter
	240	if ($trackback !== '' && in_array($trackback,$trackback_combo)) {
	241	$params['where'] .= " AND post_open_tb = '".$trackback."' ";
	242	$show_filters = true;
	243	} else {
	244	$trackback='';
	245	}
	246
[3033]	247	# - Attachment filter
[2309]	248	if ($attachment !== '' && in_array($attachment,$attachment_combo)) {
	249	$params['media'] = $attachment;
[2312]	250	$params['link_type'] = 'attachment';
[2309]	251	$show_filters = true;
	252	} else {
	253	$attachment='';
	254	}
	255
[2072]	256	# - Month filter
	257	if ($month !== '' && in_array($month,$dt_m_combo)) {
	258	$params['post_month'] = substr($month,4,2);
	259	$params['post_year'] = substr($month,0,4);
	260	$show_filters = true;
	261	} else {
	262	$month='';
	263	}
	264
	265	# - Lang filter
	266	if ($lang !== '' && in_array($lang,$lang_combo)) {
	267	$params['post_lang'] = $lang;
	268	$show_filters = true;
	269	} else {
	270	$lang='';
	271	}
	272
[3033]	273	# - Format filter
	274	if ($format !== '' && in_array($format,$format_combo)) {
	275	$params['where'] .= " AND post_format = '".$format."' ";
	276	$show_filters = true;
	277	} else {
	278	$format='';
	279	}
	280
[2072]	281	# - Sortby and order filter
	282	if ($sortby !== '' && in_array($sortby,$sortby_combo)) {
[3360]	283	if (array_key_exists($sortby,$sortby_lex)) {
	284	$params['order'] = $core->con->lexFields($sortby_lex[$sortby]);
	285	} else {
	286	$params['order'] = $sortby;
	287	}
[2072]	288	if ($order !== '' && in_array($order,$order_combo)) {
[3360]	289	$params['order'] .= ' '.$order;
[2048]	290	} else {
[796]	291	$order='desc';
[0]	292	}
[2566]	293
[2072]	294	if ($sortby != 'post_dt' \|\| $order != 'desc') {
	295	$show_filters = true;
	296	}
	297	} else {
	298	$sortby='post_dt';
	299	$order='desc';
	300	}
[2048]	301
[2072]	302	# Get posts
	303	try {
	304	$posts = $core->blog->getPosts($params);
	305	$counter = $core->blog->getPosts($params,true);
	306	$post_list = new adminPostList($core,$posts,$counter->f(0));
	307	} catch (Exception $e) {
	308	$core->error->add($e->getMessage());
	309	}
	310
	311	/* DISPLAY
	312	-------------------------------------------------------- */
[2136]	313
[3397]	314	dcPage::open(__('Entries'),
	315	dcPage::jsLoad('js/_posts_list.js').dcPage::jsFilterControl($show_filters),
[2072]	316	dcPage::breadcrumb(
	317	array(
	318	html::escapeHTML($core->blog->name) => '',
[2166]	319	__('Entries') => ''
[2072]	320	))
	321	);
	322	if (!empty($_GET['upd'])) {
	323	dcPage::success(__('Selected entries have been successfully updated.'));
	324	} elseif (!empty($_GET['del'])) {
	325	dcPage::success(__('Selected entries have been successfully deleted.'));
	326	}
	327	if (!$core->error->flag())
	328	{
	329	echo
[2720]	330	'<p class="top-add"><a class="button add" href="'.$core->adminurl->get("admin.post").'">'.__('New entry').'</a></p>'.
	331	'<form action="'.$core->adminurl->get("admin.posts").'" method="get" id="filters-form">'.
[3397]	332	'<h3 class="out-of-screen-if-js">'.__('Show filters and display options').'</h3>'.
[2048]	333
[2072]	334	'<div class="table">'.
	335	'<div class="cell">'.
	336	'<h4>'.__('Filters').'</h4>'.
	337	'<p><label for="user_id" class="ib">'.__('Author:').'</label> '.
	338	form::combo('user_id',$users_combo,$user_id).'</p>'.
	339	'<p><label for="cat_id" class="ib">'.__('Category:').'</label> '.
	340	form::combo('cat_id',$categories_combo,$cat_id).'</p>'.
	341	'<p><label for="status" class="ib">'.__('Status:').'</label> ' .
	342	form::combo('status',$status_combo,$status).'</p> '.
[3033]	343	'<p><label for="format" class="ib">'.__('Format:').'</label> '.
	344	form::combo('format',$format_combo,$format).'</p>'.
	345	'<p><label for="password" class="ib">'.__('Password:').'</label> '.
	346	form::combo('password',$password_combo,$password).'</p>'.
[2072]	347	'</div>'.
[2566]	348
[2072]	349	'<div class="cell filters-sibling-cell">'.
	350	'<p><label for="selected" class="ib">'.__('Selected:').'</label> '.
	351	form::combo('selected',$selected_combo,$selected).'</p>'.
[2309]	352	'<p><label for="attachment" class="ib">'.__('Attachments:').'</label> '.
	353	form::combo('attachment',$attachment_combo,$attachment).'</p>'.
[2072]	354	'<p><label for="month" class="ib">'.__('Month:').'</label> '.
	355	form::combo('month',$dt_m_combo,$month).'</p>'.
	356	'<p><label for="lang" class="ib">'.__('Lang:').'</label> '.
	357	form::combo('lang',$lang_combo,$lang).'</p> '.
[3117]	358	'<p><label for="comment" class="ib">'.__('Comments:').'</label> '.
	359	form::combo('comment',$comment_combo,$comment).'</p>'.
	360	'<p><label for="trackback" class="ib">'.__('Trackbacks:').'</label> '.
	361	form::combo('trackback',$trackback_combo,$trackback).'</p>'.
[2072]	362	'</div>'.
[2566]	363
[2072]	364	'<div class="cell filters-options">'.
	365	'<h4>'.__('Display options').'</h4>'.
	366	'<p><label for="sortby" class="ib">'.__('Order by:').'</label> '.
	367	form::combo('sortby',$sortby_combo,$sortby).'</p>'.
	368	'<p><label for="order" class="ib">'.__('Sort:').'</label> '.
	369	form::combo('order',$order_combo,$order).'</p>'.
	370	'<p><span class="label ib">'.__('Show').'</span> <label for="nb" class="classic">'.
	371	form::field('nb',3,3,$nb_per_page).' '.
	372	__('entries per page').'</label></p>'.
	373	'</div>'.
	374	'</div>'.
[2048]	375
[3560]	376	'<p><input type="submit" value="'.__('Apply filters and display options').'" />'.
	377	'<br class="clear" /></p>'. //Opera sucks
[2072]	378	'</form>';
[2566]	379
[2072]	380	# Show posts
	381	$post_list->display($page,$nb_per_page,
[2720]	382	'<form action="'.$core->adminurl->get("admin.posts").'" method="post" id="form-entries">'.
[2566]	383
[2072]	384	'%s'.
[2566]	385
[2072]	386	'<div class="two-cols">'.
	387	'<p class="col checkboxes-helpers"></p>'.
[2566]	388
[2072]	389	'<p class="col right"><label for="action" class="classic">'.__('Selected entries action:').'</label> '.
	390	form::combo('action',$posts_actions_page->getCombo()).
[3182]	391	'<input id="do-action" type="submit" value="'.__('ok').'" disabled /></p>'.
[2072]	392	form::hidden(array('user_id'),$user_id).
	393	form::hidden(array('cat_id'),$cat_id).
	394	form::hidden(array('status'),$status).
[3033]	395	form::hidden(array('password'),$password).
[2072]	396	form::hidden(array('selected'),$selected).
[3117]	397	form::hidden(array('comment'),$comment).
	398	form::hidden(array('trackback'),$trackback).
[2309]	399	form::hidden(array('attachment'),$attachment).
[2072]	400	form::hidden(array('month'),$month).
	401	form::hidden(array('lang'),$lang).
	402	form::hidden(array('sortby'),$sortby).
	403	form::hidden(array('order'),$order).
	404	form::hidden(array('page'),$page).
	405	form::hidden(array('nb'),$nb_per_page).
	406	$core->formNonce().
	407	'</div>'.
[2134]	408	'</form>',
	409	$show_filters
[2048]	410	);
[2072]	411	}
[2048]	412
[2072]	413	dcPage::helpBlock('core_posts');
	414	dcPage::close();

Note: See TracBrowser for help on using the repository browser.

Dotclear

Context Navigation

source: admin/posts.php @ 3649:3b0b868d58b0

Download in other formats:

Sites map