|
|
@ -9,6 +9,7 @@
|
|
|
|
*/
|
|
|
|
*/
|
|
|
|
require_once __DIR__ . "/required.php";
|
|
|
|
require_once __DIR__ . "/required.php";
|
|
|
|
require_once __DIR__ . "/lib/util.php";
|
|
|
|
require_once __DIR__ . "/lib/util.php";
|
|
|
|
|
|
|
|
require_once __DIR__ . "/lib/login.php";
|
|
|
|
|
|
|
|
|
|
|
|
if ($VARS['action'] !== "signout") {
|
|
|
|
if ($VARS['action'] !== "signout") {
|
|
|
|
dieifnotloggedin();
|
|
|
|
dieifnotloggedin();
|
|
|
@ -38,6 +39,9 @@ if ($_SERVER['REQUEST_METHOD'] == 'POST' && empty($_POST) &&
|
|
|
|
|
|
|
|
|
|
|
|
switch ($VARS['action']) {
|
|
|
|
switch ($VARS['action']) {
|
|
|
|
case "newpage":
|
|
|
|
case "newpage":
|
|
|
|
|
|
|
|
if (!account_has_permission($_SESSION['username'], "SITEWRITER") && !account_has_permission($_SESSION['username'], "SITEWRITER_EDIT")) {
|
|
|
|
|
|
|
|
returnToSender("no_permission");
|
|
|
|
|
|
|
|
}
|
|
|
|
if (is_empty($VARS['siteid']) || !$database->has("sites", ["siteid" => $VARS['siteid']])) {
|
|
|
|
if (is_empty($VARS['siteid']) || !$database->has("sites", ["siteid" => $VARS['siteid']])) {
|
|
|
|
returnToSender("invalid_parameters");
|
|
|
|
returnToSender("invalid_parameters");
|
|
|
|
}
|
|
|
|
}
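Review bot: The permission gate added at the top of `newpage` is repeated almost verbatim in saveedits, deletemessage, fileupload, newfolder and filedelete, each spelling out two `account_has_permission($_SESSION['username'], ...)` calls joined with `&&`, so the access policy now lives in six copies that must be edited together. A small helper (say `has_any_permission(string $user, string ...$perms): bool`, next to account_has_permission in the newly required lib/login.php if that is where it is defined) would reduce each case to one line, e.g. `if (!has_any_permission($_SESSION['username'], "SITEWRITER", "SITEWRITER_EDIT")) {`, and keep a future role change from being missed in one branch. The check is correctly placed before the siteid lookup, so a caller without the right cannot use the invalid_parameters response to probe which site ids exist. pagesettings and sitesettings accept only SITEWRITER while newpage also accepts SITEWRITER_EDIT; if that asymmetry is intended, a one-line comment on those two cases such as `// settings are SITEWRITER-only by design; SITEWRITER_EDIT may create/edit pages but not reconfigure them` would stop the next reader from "fixing" it. The switch statement starts and ends outside this hunk.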
|
|
|
@ -76,6 +80,9 @@ switch ($VARS['action']) {
|
|
|
|
returnToSender("page_added", $VARS['siteid'] . "|" . $database->id());
|
|
|
|
returnToSender("page_added", $VARS['siteid'] . "|" . $database->id());
|
|
|
|
break;
|
|
|
|
break;
|
|
|
|
case "pagesettings":
|
|
|
|
case "pagesettings":
|
|
|
|
|
|
|
|
if (!account_has_permission($_SESSION['username'], "SITEWRITER")) {
|
|
|
|
|
|
|
|
returnToSender("no_permission");
|
|
|
|
|
|
|
|
}
|
|
|
|
if (is_empty($VARS['siteid']) || !$database->has("sites", ["siteid" => $VARS['siteid']])) {
|
|
|
|
if (is_empty($VARS['siteid']) || !$database->has("sites", ["siteid" => $VARS['siteid']])) {
|
|
|
|
returnToSender("invalid_parameters");
|
|
|
|
returnToSender("invalid_parameters");
|
|
|
|
}
|
|
|
|
}
|
|
|
@ -131,6 +138,9 @@ switch ($VARS['action']) {
|
|
|
|
returnToSender("settings_saved", $VARS['siteid'] . "|" . $VARS['pageid']);
|
|
|
|
returnToSender("settings_saved", $VARS['siteid'] . "|" . $VARS['pageid']);
|
|
|
|
break;
|
|
|
|
break;
|
|
|
|
case "sitesettings":
|
|
|
|
case "sitesettings":
|
|
|
|
|
|
|
|
if (!account_has_permission($_SESSION['username'], "SITEWRITER")) {
|
|
|
|
|
|
|
|
returnToSender("no_permission");
|
|
|
|
|
|
|
|
}
|
|
|
|
if (!is_empty($VARS['siteid'])) {
|
|
|
|
if (!is_empty($VARS['siteid'])) {
|
|
|
|
if (!$database->has("sites", ["siteid" => $VARS['siteid']])) {
|
|
|
|
if (!$database->has("sites", ["siteid" => $VARS['siteid']])) {
|
|
|
|
returnToSender("invalid_parameters");
|
|
|
|
returnToSender("invalid_parameters");
|
|
|
@ -188,6 +198,9 @@ switch ($VARS['action']) {
|
|
|
|
break;
|
|
|
|
break;
|
|
|
|
case "saveedits":
|
|
|
|
case "saveedits":
|
|
|
|
header("Content-Type: application/json");
|
|
|
|
header("Content-Type: application/json");
|
|
|
|
|
|
|
|
if (!account_has_permission($_SESSION['username'], "SITEWRITER") && !account_has_permission($_SESSION['username'], "SITEWRITER_EDIT")) {
|
|
|
|
|
|
|
|
exit(json_encode(['status' => "ERROR", 'message' => lang("no permission", false)]));
|
|
|
|
|
|
|
|
}
|
|
|
|
$slug = $VARS['slug'];
|
|
|
|
$slug = $VARS['slug'];
|
|
|
|
$site = $VARS['site'];
|
|
|
|
$site = $VARS['site'];
|
|
|
|
$content = $VARS['content'];
|
|
|
|
$content = $VARS['content'];
|
|
|
@ -215,6 +228,9 @@ switch ($VARS['action']) {
|
|
|
|
exit(json_encode(["status" => "OK"]));
|
|
|
|
exit(json_encode(["status" => "OK"]));
|
|
|
|
break;
|
|
|
|
break;
|
|
|
|
case "deletemessage":
|
|
|
|
case "deletemessage":
|
|
|
|
|
|
|
|
if (!account_has_permission($_SESSION['username'], "SITEWRITER") && !account_has_permission($_SESSION['username'], "SITEWRITER_CONTACT")) {
|
|
|
|
|
|
|
|
returnToSender("no_permission");
|
|
|
|
|
|
|
|
}
|
|
|
|
if ($database->count('messages', ["mid" => $VARS['id']]) !== 1) {
|
|
|
|
if ($database->count('messages', ["mid" => $VARS['id']]) !== 1) {
|
|
|
|
returnToSender("invalid_parameters");
|
|
|
|
returnToSender("invalid_parameters");
|
|
|
|
}
|
|
|
|
}
|
|
|
@ -222,6 +238,9 @@ switch ($VARS['action']) {
|
|
|
|
returnToSender("message_deleted");
|
|
|
|
returnToSender("message_deleted");
|
|
|
|
break;
|
|
|
|
break;
|
|
|
|
case "fileupload":
|
|
|
|
case "fileupload":
|
|
|
|
|
|
|
|
if (!account_has_permission($_SESSION['username'], "SITEWRITER") && !account_has_permission($_SESSION['username'], "SITEWRITER_FILES")) {
|
|
|
|
|
|
|
|
returnToSender("no_permission");
|
|
|
|
|
|
|
|
}
|
|
|
|
$destpath = FILE_UPLOAD_PATH . $VARS['path'];
|
|
|
|
$destpath = FILE_UPLOAD_PATH . $VARS['path'];
|
|
|
|
if (strpos(realpath($destpath), FILE_UPLOAD_PATH) !== 0) {
|
|
|
|
if (strpos(realpath($destpath), FILE_UPLOAD_PATH) !== 0) {
|
|
|
|
returnToSender("file_security_error");
|
|
|
|
returnToSender("file_security_error");
|
|
|
@ -291,6 +310,9 @@ switch ($VARS['action']) {
|
|
|
|
returnToSender("upload_success", "&path=" . $VARS['path']);
|
|
|
|
returnToSender("upload_success", "&path=" . $VARS['path']);
|
|
|
|
break;
|
|
|
|
break;
|
|
|
|
case "newfolder":
|
|
|
|
case "newfolder":
|
|
|
|
|
|
|
|
if (!account_has_permission($_SESSION['username'], "SITEWRITER") && !account_has_permission($_SESSION['username'], "SITEWRITER_FILES")) {
|
|
|
|
|
|
|
|
returnToSender("no_permission");
|
|
|
|
|
|
|
|
}
|
|
|
|
$foldername = preg_replace("/[^a-z0-9_\-]/", "_", strtolower($VARS['folder']));
|
|
|
|
$foldername = preg_replace("/[^a-z0-9_\-]/", "_", strtolower($VARS['folder']));
|
|
|
|
$newfolder = FILE_UPLOAD_PATH . $VARS['path'] . '/' . $foldername;
|
|
|
|
$newfolder = FILE_UPLOAD_PATH . $VARS['path'] . '/' . $foldername;
|
|
|
|
|
|
|
|
|
|
|
@ -300,6 +322,9 @@ switch ($VARS['action']) {
|
|
|
|
returnToSender("folder_not_created", "&path=" . $VARS['path']);
|
|
|
|
returnToSender("folder_not_created", "&path=" . $VARS['path']);
|
|
|
|
break;
|
|
|
|
break;
|
|
|
|
case "filedelete":
|
|
|
|
case "filedelete":
|
|
|
|
|
|
|
|
if (!account_has_permission($_SESSION['username'], "SITEWRITER") && !account_has_permission($_SESSION['username'], "SITEWRITER_FILES")) {
|
|
|
|
|
|
|
|
returnToSender("no_permission");
|
|
|
|
|
|
|
|
}
|
|
|
|
$file = FILE_UPLOAD_PATH . $VARS['file'];
|
|
|
|
$file = FILE_UPLOAD_PATH . $VARS['file'];
|
|
|
|
if (strpos(realpath($file), FILE_UPLOAD_PATH) !== 0) {
|
|
|
|
if (strpos(realpath($file), FILE_UPLOAD_PATH) !== 0) {
|
|
|
|
returnToSender("file_security_error");
|
|
|
|
returnToSender("file_security_error");
|
|
|
|