Issues in submissions.php (master) - Issues in master - XoopsModules25x/soapbox - Measure and Improve Code Quality continuously with Scrutinizer

Issues (278)

Security Analysis not enabled

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

Header Injection

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

admin/submissions.php (1 issue)

Labels

Bug 1

Severity

<?php
/**
 * Module: Soapbox
 * Author: hsalazar
 * Licence: GNU
 */

use Xmf\Request;
use XoopsModules\Soapbox;

// ---------- General Stuff ---------- //
require_once __DIR__ . '/admin_header.php';
$adminObject = \Xmf\Module\Admin::getInstance();

$op = '';
if (\Xmf\Request::hasVar('op', 'GET')) {
    $op = trim(strip_tags($myts->stripSlashesGPC($_GET['op'])));
}
if (\Xmf\Request::hasVar('op', 'POST')) {
    $op = trim(strip_tags($myts->stripSlashesGPC($_POST['op'])));
}

//-------------------------------------
/** @var \XoopsModules\Soapbox\EntrydataHandler $entrydataHandler */
$entrydataHandler = new \XoopsModules\Soapbox\EntrydataHandler();

// -- Edit function -- //
/**
 * @param string $articleID
 */
function editarticle($articleID = '')
{
    global $indexAdmin;
    global $xoopsUser, $xoopsConfig, $xoopsModule, $xoopsLogger, $xoopsOption, $xoopsUserIsAdmin;
    /** @var Soapbox\Helper $helper */
    $helper = Soapbox\Helper::getInstance();

    $xoopsDB = \XoopsDatabaseFactory::getDatabaseConnection();
    $myts    = \MyTextSanitizer::getInstance();

    if (file_exists(XOOPS_ROOT_PATH . '/language/' . $xoopsConfig['language'] . '/calendar.php')) {
        require_once XOOPS_ROOT_PATH . '/language/' . $xoopsConfig['language'] . '/calendar.php';
    } else {
        require_once XOOPS_ROOT_PATH . '/language/english/calendar.php';
    }
    require_once XOOPS_ROOT_PATH . '/class/xoopsformloader.php';

    //-------------------------------------
    /** @var \XoopsModules\Soapbox\EntrydataHandler $entrydataHandler */
    $entrydataHandler = new \XoopsModules\Soapbox\EntrydataHandler();

    if (!$articleID) {
        redirect_header('index.php', 1, _AM_SOAPBOX_NOARTS);
    }
    //get entry object
    $_entryob = $entrydataHandler->getArticle($articleID);
    if (!is_object($_entryob)) {
        redirect_header('index.php', 1, _AM_SOAPBOX_NOARTTOEDIT);

    }
    //get vars mode E
    $entry_vars = $_entryob->getVars();
    foreach ($entry_vars as $k => $v) {
        $e_articles[$k] = $_entryob->getVar($k, 'E');
    }
    //xoops_cp_header();
    //$adminObject->displayNavigation(basename(__FILE__));

    // Module menu
    //adminMenu(3, _AM_SOAPBOX_SUBMITS." > '". $_entryob->getVar('headline') ."'");

    //    echo "<h3 style='color: #2F5376; '>" . _AM_SOAPBOX_SUBMITSMNGMT . "</h3>";
    $sform = new \XoopsThemeForm(_AM_SOAPBOX_AUTHART . ': ' . $_entryob->getVar('headline'), 'op', xoops_getenv('PHP_SELF'), 'post', true);

    $sform->setExtra('enctype="multipart/form-data"');

    //get category object
    $_categoryob = $entrydataHandler->getColumn($e_articles['columnID']);
    if (is_object($_categoryob)) {
        $sform->addElement(new \XoopsFormLabel(_AM_SOAPBOX_COLNAME, $_categoryob->getVar('name')));
        $sform->addElement(new \XoopsFormHidden('columnID', $e_articles['columnID']));
    } else {
        $_can_editcategoryobArray = $entrydataHandler->getColumns(null, true);
        //----------------------------
        $collist = [];
        foreach ($_can_editcategoryobArray as $key => $_can_edit_categoryob) {
            $collist[$key] = $_can_edit_categoryob->getVar('name');
        }
        $col_select = new \XoopsFormSelect('', 'columnID', (int)$e_articles['columnID']);
        $col_select->addOptionArray($collist);
        $col_select_tray = new \XoopsFormElementTray(_AM_SOAPBOX_COLNAME, '<br>');
        $col_select_tray->addElement($col_select);
        $sform->addElement($col_select_tray);
    }

    if (isset($headline)) {
        $headline = $myts->htmlSpecialChars(stripslashes($headline));
    }

    // HEADLINE, LEAD, BODYTEXT
    // This part is common to edit/add
    $sform->addElement(new \XoopsFormText(_AM_SOAPBOX_ARTHEADLINE, 'headline', 50, 50, $e_articles['headline']), true);

    // LEAD
    //    $sform -> addElement( new \XoopsFormTextArea( _AM_SOAPBOX_ARTLEAD, 'lead', $lead, 5, 60 ) );
    //    $editor_lead=soapbox_getWysiwygForm($helper->getConfig('editorUser') , _AM_SOAPBOX_ARTLEAD , 'lead' , $e_articles['lead'] , '100%', '200px');
    //    $sform->addElement($editor_lead,true);

    $editor_lead = new \XoopsFormElementTray(_AM_SOAPBOX_ARTLEAD, '<br>');
    if (class_exists('XoopsFormEditor')) {
        $options['name']   = 'lead';
        $options['value']  = $e_articles['lead'];
        $options['rows']   = 5;
        $options['cols']   = '100%';
        $options['width']  = '100%';
        $options['height'] = '200px';
        $formmnote         = new \XoopsFormEditor('', $helper->getConfig('editorUser'), $options, $nohtml = false, $onfailure = 'textarea');
        $editor_lead->addElement($formmnote);
    } else {
        $formmnote = new \XoopsFormDhtmlTextArea('', 'formmnote', $item->getVar('formmnote', 'e'), '100%', '100%');
        $editor_lead->addElement($formmnote);
    }
    $sform->addElement($editor_lead, false);

    // TEASER
    $sform->addElement(new \XoopsFormTextArea(_AM_SOAPBOX_ARTTEASER, 'teaser', $e_articles['teaser'], 10, 120));
    //    $editor_teaser=soapbox_getWysiwygForm($helper->getConfig('editorUser') , _AM_SOAPBOX_ARTTEASER ,'teaser', $teaser , '100%', '120px');
    //    $sform->addElement($editor_teaser,true);
    //
    $autoteaser_radio = new \XoopsFormRadioYN(_AM_SOAPBOX_AUTOTEASER, 'autoteaser', 0, ' ' . _AM_SOAPBOX_YES . '', ' ' . _AM_SOAPBOX_NO . '');
    $sform->addElement($autoteaser_radio);
    $sform->addElement(new \XoopsFormText(_AM_SOAPBOX_AUTOTEASERAMOUNT, 'teaseramount', 4, 4, 100));

    // BODY
    //HACK by domifara for Wysiwyg
    //    if  (null !== ($helper->getConfig('editorUser')) ) {
    //        $editor=soapbox_getWysiwygForm($helper->getConfig('editorUser') , _AM_SOAPBOX_ARTBODY, 'bodytext', $e_articles['bodytext'], '100%', '400px');
    //        $sform->addElement($editor,true);
    //    } else {
    //        $sform -> addElement( new \XoopsFormDhtmlTextArea( _AM_SOAPBOX_ARTBODY, 'bodytext', $e_articles['bodytext'], 20, 120 ) );
    //    }

    $optionsTrayNote = new \XoopsFormElementTray(_AM_SOAPBOX_ARTBODY, '<br>');
    if (class_exists('XoopsFormEditor')) {
        $options['name']   = 'bodytext';
        $options['value']  = $e_articles['bodytext'];
        $options['rows']   = 5;
        $options['cols']   = '100%';
        $options['width']  = '100%';
        $options['height'] = '400px';
        $bodynote          = new \XoopsFormEditor('', $helper->getConfig('editorUser'), $options, $nohtml = false, $onfailure = 'textarea');
        $optionsTrayNote->addElement($bodynote);
    } else {
        $bodynote = new \XoopsFormDhtmlTextArea('', 'formmnote', $item->getVar('formmnote', 'e'), '100%', '100%');
        $optionsTrayNote->addElement($bodynote);
    }
    $sform->addElement($optionsTrayNote, false);

    // IMAGE
    // The article CAN have its own image :)
    // First, if the article's image doesn't exist, set its value to the blank file

    if (empty($e_articles['artimage'])
        || !file_exists(XOOPS_ROOT_PATH . '/' . $myts->htmlSpecialChars($helper->getConfig('sbuploaddir')) . '/' . $e_articles['artimage'])) {
        $artimage = 'blank.png';
    }

    // Code to create the image selector
    $graph_array     = \XoopsLists::getImgListAsArray(XOOPS_ROOT_PATH . '/' . $myts->htmlSpecialChars($helper->getConfig('sbuploaddir')));
    $artimage_select = new \XoopsFormSelect('', 'artimage', $e_articles['artimage']);
    $artimage_select->addOptionArray($graph_array);
    $artimage_select->setExtra("onchange='showImgSelected(\"image5\", \"artimage\", \"" . $myts->htmlSpecialChars($helper->getConfig('sbuploaddir')) . '", "", "' . XOOPS_URL . "\")'");
    $artimage_tray = new \XoopsFormElementTray(_AM_SOAPBOX_SELECT_IMG, '&nbsp;');
    $artimage_tray->addElement($artimage_select);
    $artimage_tray->addElement(new \XoopsFormLabel('', "<br><br><img src='" . XOOPS_URL . '/' . $myts->htmlSpecialChars($helper->getConfig('sbuploaddir')) . '/' . $e_articles['artimage'] . "' name='image5' id='image5' alt=''>"));
    $sform->addElement($artimage_tray);

    // Code to call the file browser to select an image to upload
    $sform->addElement(new \XoopsFormFile(_AM_SOAPBOX_UPLOADIMAGE, 'cimage', (int)$helper->getConfig('maxfilesize')), false);

    // WEIGHT
    $sform->addElement(new \XoopsFormText(_AM_SOAPBOX_WEIGHT, 'weight', 4, 4, $e_articles['weight']));
    //----------
    // datesub
    //----------
    $datesub_caption = $myts->htmlSpecialChars(formatTimestamp($e_articles['datesub'], $helper->getConfig('dateformat')) . '=>');
    $datesub_tray    = new \XoopsFormDateTime(_AM_SOAPBOX_POSTED . '<br>' . $datesub_caption, 'datesub', 15, time());
    // you don't want to change datesub
    $datesubnochage_checkbox = new \XoopsFormCheckBox(_AM_SOAPBOX_DATESUBNOCHANGE, 'datesubnochage', 0);
    $datesubnochage_checkbox->addOption(1, _AM_SOAPBOX_YES);
    $datesub_tray->addElement($datesubnochage_checkbox);
    $sform->addElement($datesub_tray);
    //-----------

    // COMMENTS
    if (isset($GLOBALS['xoopsModuleConfig']['globaldisplaycomments'])
        && 1 === $GLOBALS['xoopsModuleConfig']['globaldisplaycomments']) {
        // COMMENTS
        // Code to allow comments
        $addcommentable_radio = new \XoopsFormRadioYN(_AM_SOAPBOX_ALLOWCOMMENTS, 'commentable', $e_articles['commentable'], ' ' . _AM_SOAPBOX_YES . '', ' ' . _AM_SOAPBOX_NO . '');
        $sform->addElement($addcommentable_radio);
    }

    // OFFLINE
    // Code to take article offline, for maintenance purposes
    $offline_radio = new \XoopsFormRadioYN(_AM_SOAPBOX_SWITCHOFFLINE, 'offline', $e_articles['offline'], ' ' . _AM_SOAPBOX_YES . '', ' ' . _AM_SOAPBOX_NO . '');
    $sform->addElement($offline_radio);

    // ARTICLE IN BLOCK
    // Code to put article in block
    $block_radio = new \XoopsFormRadioYN(_AM_SOAPBOX_BLOCK, 'block', $e_articles['block'], ' ' . _AM_SOAPBOX_YES . '', ' ' . _AM_SOAPBOX_NO . '');
    $sform->addElement($block_radio);

    // notification public
    $notifypub_radio = new \XoopsFormRadioYN(_AM_SOAPBOX_NOTIFY, 'notifypub', $e_articles['notifypub'], ' ' . _AM_SOAPBOX_YES . '', ' ' . _AM_SOAPBOX_NO . '');
    $sform->addElement($notifypub_radio);

    // VARIOUS OPTIONS
    //----------
    $options_tray = new \XoopsFormElementTray(_AM_SOAPBOX_OPTIONS, '<br>');

    $html_checkbox = new \XoopsFormCheckBox('', 'html', $e_articles['html']);
    $html_checkbox->addOption(1, _AM_SOAPBOX_DOHTML);
    $options_tray->addElement($html_checkbox);

    $smiley_checkbox = new \XoopsFormCheckBox('', 'smiley', $e_articles['smiley']);
    $smiley_checkbox->addOption(1, _AM_SOAPBOX_DOSMILEY);
    $options_tray->addElement($smiley_checkbox);

    $xcodes_checkbox = new \XoopsFormCheckBox('', 'xcodes', $e_articles['xcodes']);
    $xcodes_checkbox->addOption(1, _AM_SOAPBOX_DOXCODE);
    $options_tray->addElement($xcodes_checkbox);

    $breaks_checkbox = new \XoopsFormCheckBox('', 'breaks', $e_articles['breaks']);
    $breaks_checkbox->addOption(1, _AM_SOAPBOX_BREAKS);
    $options_tray->addElement($breaks_checkbox);

    $sform->addElement($options_tray);
    //----------

    $sform->addElement(new \XoopsFormHidden('articleID', $e_articles['articleID']));

    $buttonTray = new \XoopsFormElementTray('', '');
    $hidden     = new \XoopsFormHidden('op', 'authart');
    $buttonTray->addElement($hidden);

    $butt_save = new \XoopsFormButton('', '', _AM_SOAPBOX_AUTHORIZE, 'submit');
    $butt_save->setExtra('onclick="this.form.elements.op.value=\'authart\'"');
    $buttonTray->addElement($butt_save);

    $butt_cancel = new \XoopsFormButton('', '', _AM_SOAPBOX_CANCEL, 'button');
    $butt_cancel->setExtra('onclick="history.go(-1)"');
    $buttonTray->addElement($butt_cancel);

    $sform->addElement($buttonTray);
    //-----------
    //    $xoopsGTicket->addTicketXoopsFormElement($sform, __LINE__);
    //-----------
    $sform->display();
    unset($hidden);
}

/* -- Available operations -- */
switch ($op) {
    case 'mod':
        require_once XOOPS_ROOT_PATH . '/class/xoopslists.php';
        require_once XOOPS_ROOT_PATH . '/class/xoopsformloader.php';
        xoops_cp_header();
        $adminObject->displayNavigation(basename(__FILE__));
        $articleID = Request::getInt('articleID', Request::getInt('articleID', 0, 'GET'), 'POST'); // (isset($_POST['articleID'])) ? (int)($_POST['articleID']) : (int)($_GET['articleID']);
        editarticle($articleID);
        Soapbox\Utility::showSubmissions();
        break;
    case 'authart':
        //-------------------------
        if (!$GLOBALS['xoopsSecurity']->check()) {
            redirect_header(XOOPS_URL . '/', 3, $GLOBALS['xoopsSecurity']->getErrors());
        }
        //-------------------------
        //articleID check
        if (Request::hasVar('articleID', 'POST')) {
            redirect_header('index.php', 1, _AM_SOAPBOX_ARTNOTCREATED);
        } else {
            $articleID = Request::getInt('articleID', 0, 'POST');
        }
        //articleID check
        if (Request::hasVar('columnID', 'POST')) {
            redirect_header('index.php', 1, _AM_SOAPBOX_ARTNOTCREATED);
        } else {
            $columnID = Request::getInt('columnID', 0, 'POST');
        }

        //get category object
        $_categoryob = $entrydataHandler->getColumn($columnID);
        if (!is_object($_categoryob)) {
            redirect_header('index.php', 1, _AM_SOAPBOX_NEEDONECOLUMN);
        }

        $_entryob = $entrydataHandler->getArticle($articleID);
        //new data or edit
        if (!is_object($_entryob)) {
            redirect_header('index.php', 1, _AM_SOAPBOX_ARTAUTHORIZED);
        }

        if (Request::hasVar('articleID', 'POST')) {
            $_entryob->setVar('articleID', $articleID);
        }

        if (Request::hasVar('columnID', 'POST')) {
            $_entryob->setVar('columnID', $columnID);
        }

        if (Request::hasVar('weight', 'POST')) {
            $_entryob->setVar('weight', Request::getInt('weight', 0, 'POST'));
        }

        if (Request::hasVar('commentable', 'POST')) {
            $_entryob->setVar('commentable', Request::getInt('commentable', 0, 'POST'));
        }

        if (Request::hasVar('block', 'POST')) {
            $_entryob->setVar('block', Request::getInt('block', 0, 'POST'));
        }

        if (Request::hasVar('offline', 'POST')) {
            $_entryob->setVar('offline', Request::getInt('offline', 0, 'POST'));
        }

        if (Request::hasVar('notifypub', 'POST')) {
            $_entryob->setVar('notifypub', Request::getInt('notifypub', 0, 'POST'));
        }

        //datesub

        $datesubnochage = Request::getInt('datesubnochage', 0, 'POST');

        //        $datesub_date_sl = isset($_POST['datesub']) ? (int)strtotime($_POST['datesub']['date']) : 0;
        //        $datesub_time_sl = isset($_POST['datesub']) ? (int)$_POST['datesub']['time'] : 0;
        //        $datesub         = isset($_POST['datesub']) ? $datesub_date_sl + $datesub_time_sl : 0;
        $temp    = Request::getArray('datesub', null, 'POST'); // get a clean array
        $datesub = null !== $temp ? strtotime($temp['date']) + $temp['time'] : 0; // put the pieces back together

        if (!$datesub || $_entryob->_isNew) {
            $_entryob->setVar('datesub', time());
        } else {
            if (!$datesubnochage) {
                $_entryob->setVar('datesub', $datesub);
            }
        }

        if (Request::hasVar('html', 'POST')) {
            $_entryob->setVar('html', Request::getInt('html', 0, 'POST'));
        }

        if (Request::hasVar('smiley', 'POST')) {
            $_entryob->setVar('smiley', Request::getInt('smiley', 0, 'POST'));
        }

        if (Request::hasVar('xcodes', 'POST')) {
            $_entryob->setVar('xcodes', Request::getInt('xcodes', 0, 'POST'));
        }
        if (Request::hasVar('breaks', 'POST')) {
            $_entryob->setVar('breaks', Request::getInt('breaks', 0, 'POST'));
        }
        if (Request::hasVar('artimage', 'POST')) {
            $_entryob->setVar('artimage', Request::getInt('artimage', 0, 'POST'));
        }

        if (Request::hasVar('headline', 'POST')) {
            $_entryob->setVar('headline', Request::getString('headline', '', 'POST'));
        }
        if (Request::hasVar('lead', 'POST')) {
            $_entryob->setVar('lead', Request::getText('lead', '', 'POST'));
        }
        if (Request::hasVar('bodytext', 'POST')) {
            $_entryob->setVar('bodytext', Request::getText('bodytext', '', 'POST'));
        }
        if (Request::hasVar('votes', 'POST')) {
            $_entryob->setVar('votes', Request::getInt('votes', 0, 'POST'));
        }

        if (Request::hasVar('rating', 'POST')) {
            $_entryob->setVar('rating', Request::getInt('rating', 0, 'POST'));
        }
        if (Request::hasVar('teaser', 'POST')) {
            $_entryob->setVar('teaser', Request::getInt('teaser', 0, 'POST'));
        }

        $autoteaser = Request::getInt('autoteaser', 0, 'POST');
        $charlength = Request::getInt('teaseramount', 0, 'POST');
        if ($autoteaser && $charlength) {
            $_entryob->setVar('teaser', xoops_substr($_entryob->getVar('bodytext', 'none'), 0, $charlength));
        }

        $_entryob->setVar('submit', 0);
        // Save to database
        if (!$entrydataHandler->insertArticle($_entryob)) {
            redirect_header('index.php', 1, _AM_SOAPBOX_ARTNOTUPDATED);
        } else {
            // Notify of to admin only for approve
            $entrydataHandler->newArticleTriggerEvent($_entryob, 'approve');
            redirect_header('index.php', 1, _AM_SOAPBOX_ARTAUTHORIZED);
        }
        break;
    case 'del':

        $confirm = Request::getInt('confirm', 0, 'POST');

        // confirmed, so delete
        if (1 === $confirm) {
            //-------------------------
            if (!$GLOBALS['xoopsSecurity']->check()) {
                redirect_header(XOOPS_URL . '/', 3, $GLOBALS['xoopsSecurity']->getErrors());
            }
            //-------------------------
            //articleID check
            if (!Request::hasVar('articleID', 'POST')) {
                redirect_header('index.php', 1, _NOPERM);
            } else {
                $articleID = Request::getInt('articleID', 0, 'POST');
            }

            $_entryob = $entrydataHandler->getArticle($articleID);
            if (!is_object($_entryob)) {
                redirect_header('index.php', 1, _NOPERM);
            }
            //-------------
            if (!$entrydataHandler->deleteArticle($_entryob)) {
                trigger_error('ERROR:not deleted from database');
                exit();
            }
            $headline = $myts->htmlSpecialChars($_entryob->getVar('headline'));
            redirect_header('index.php', 1, sprintf(_AM_SOAPBOX_ARTISDELETED, $headline));
        } else {
            $articleID = Request::getInt('articleID', Request::getInt('articleID', 0, 'GET'), 'POST');
            $_entryob  = $entrydataHandler->getArticle($articleID);
            if (!is_object($_entryob)) {
                redirect_header('index.php', 1, _NOPERM);
            }
            $headline = $myts->htmlSpecialChars($_entryob->getVar('headline'));
            xoops_cp_header();
            $adminObject->displayNavigation(basename(__FILE__));
            xoops_confirm([
                              'op'        => 'del',
                              'articleID' => $articleID,
                              'confirm'   => 1,
                              'headline'  => $headline,
                          ], 'article.php', _AM_SOAPBOX_DELETETHISARTICLE . '<br><br>' . $headline, _AM_SOAPBOX_DELETE);
            require_once __DIR__ . '/admin_footer.php';
        }
        exit();
        break;
    case 'default':
    default:

        xoops_cp_header();
        //adminMenu(3, _AM_SOAPBOX_SUBMITS);
        $adminObject->displayNavigation(basename(__FILE__));
        echo '<br>';
        Soapbox\Utility::showSubmissions();
        require_once __DIR__ . '/admin_footer.php';
        exit();
        break;
}
require_once __DIR__ . '/admin_footer.php';


1			<?php
2			/**
3			* Module: Soapbox
4			* Author: hsalazar
5			* Licence: GNU
6			*/
7
8			use Xmf\Request;
9			use XoopsModules\Soapbox;
10
11			// ---------- General Stuff ---------- //
12			require_once __DIR__ . '/admin_header.php';
13			$adminObject = \Xmf\Module\Admin::getInstance();
14
15			$op = '';
16			if (\Xmf\Request::hasVar('op', 'GET')) {
17			$op = trim(strip_tags($myts->stripSlashesGPC($_GET['op'])));
18			}
19			if (\Xmf\Request::hasVar('op', 'POST')) {
20			$op = trim(strip_tags($myts->stripSlashesGPC($_POST['op'])));
21			}
22
23			//-------------------------------------
24			/** @var \XoopsModules\Soapbox\EntrydataHandler $entrydataHandler */
25			$entrydataHandler = new \XoopsModules\Soapbox\EntrydataHandler();
26
27			// -- Edit function -- //
28			/**
29			* @param string $articleID
30			*/
31			function editarticle($articleID = '')
32			{
33			global $indexAdmin;
34			global $xoopsUser, $xoopsConfig, $xoopsModule, $xoopsLogger, $xoopsOption, $xoopsUserIsAdmin;
35			/** @var Soapbox\Helper $helper */
36			$helper = Soapbox\Helper::getInstance();
37
38			$xoopsDB = \XoopsDatabaseFactory::getDatabaseConnection();
39			$myts = \MyTextSanitizer::getInstance();
40
41			if (file_exists(XOOPS_ROOT_PATH . '/language/' . $xoopsConfig['language'] . '/calendar.php')) {
42			require_once XOOPS_ROOT_PATH . '/language/' . $xoopsConfig['language'] . '/calendar.php';
43			} else {
44			require_once XOOPS_ROOT_PATH . '/language/english/calendar.php';
45			}
46			require_once XOOPS_ROOT_PATH . '/class/xoopsformloader.php';
47
48			//-------------------------------------
49			/** @var \XoopsModules\Soapbox\EntrydataHandler $entrydataHandler */
50			$entrydataHandler = new \XoopsModules\Soapbox\EntrydataHandler();
51
52			if (!$articleID) {
53			redirect_header('index.php', 1, _AM_SOAPBOX_NOARTS);
54			}
55			//get entry object
56			$_entryob = $entrydataHandler->getArticle($articleID);
57			if (!is_object($_entryob)) {
58			redirect_header('index.php', 1, _AM_SOAPBOX_NOARTTOEDIT);
			0 ignored issues – show Bug introduced 2019-02-19 19:02 UTC by Report Bug Copy Issue Report Show Similar Issues like this The constant `_AM_SOAPBOX_NOARTTOEDIT` was not found. Maybe you did not declare it correctly or list all dependencies? Loading history...
59			}
60			//get vars mode E
61			$entry_vars = $_entryob->getVars();
62			foreach ($entry_vars as $k => $v) {
63			$e_articles[$k] = $_entryob->getVar($k, 'E');
64			}
65			//xoops_cp_header();
66			//$adminObject->displayNavigation(basename(__FILE__));
67
68			// Module menu
69			//adminMenu(3, _AM_SOAPBOX_SUBMITS." > '". $_entryob->getVar('headline') ."'");
70
71			// echo "<h3 style='color: #2F5376; '>" . _AM_SOAPBOX_SUBMITSMNGMT . "</h3>";
72			$sform = new \XoopsThemeForm(_AM_SOAPBOX_AUTHART . ': ' . $_entryob->getVar('headline'), 'op', xoops_getenv('PHP_SELF'), 'post', true);
73
74			$sform->setExtra('enctype="multipart/form-data"');
75
76			//get category object
77			$_categoryob = $entrydataHandler->getColumn($e_articles['columnID']);
78			if (is_object($_categoryob)) {
79			$sform->addElement(new \XoopsFormLabel(_AM_SOAPBOX_COLNAME, $_categoryob->getVar('name')));
80			$sform->addElement(new \XoopsFormHidden('columnID', $e_articles['columnID']));
81			} else {
82			$_can_editcategoryobArray = $entrydataHandler->getColumns(null, true);
83			//----------------------------
84			$collist = [];
85			foreach ($_can_editcategoryobArray as $key => $_can_edit_categoryob) {
86			$collist[$key] = $_can_edit_categoryob->getVar('name');
87			}
88			$col_select = new \XoopsFormSelect('', 'columnID', (int)$e_articles['columnID']);
89			$col_select->addOptionArray($collist);
90			$col_select_tray = new \XoopsFormElementTray(_AM_SOAPBOX_COLNAME, '<br>');
91			$col_select_tray->addElement($col_select);
92			$sform->addElement($col_select_tray);
93			}
94
95			if (isset($headline)) {
96			$headline = $myts->htmlSpecialChars(stripslashes($headline));
97			}
98
99			// HEADLINE, LEAD, BODYTEXT
100			// This part is common to edit/add
101			$sform->addElement(new \XoopsFormText(_AM_SOAPBOX_ARTHEADLINE, 'headline', 50, 50, $e_articles['headline']), true);
102
103			// LEAD
104			// $sform -> addElement( new \XoopsFormTextArea( _AM_SOAPBOX_ARTLEAD, 'lead', $lead, 5, 60 ) );
105			// $editor_lead=soapbox_getWysiwygForm($helper->getConfig('editorUser') , _AM_SOAPBOX_ARTLEAD , 'lead' , $e_articles['lead'] , '100%', '200px');
106			// $sform->addElement($editor_lead,true);
107
108			$editor_lead = new \XoopsFormElementTray(_AM_SOAPBOX_ARTLEAD, '<br>');
109			if (class_exists('XoopsFormEditor')) {
110			$options['name'] = 'lead';
111			$options['value'] = $e_articles['lead'];
112			$options['rows'] = 5;
113			$options['cols'] = '100%';
114			$options['width'] = '100%';
115			$options['height'] = '200px';
116			$formmnote = new \XoopsFormEditor('', $helper->getConfig('editorUser'), $options, $nohtml = false, $onfailure = 'textarea');
117			$editor_lead->addElement($formmnote);
118			} else {
119			$formmnote = new \XoopsFormDhtmlTextArea('', 'formmnote', $item->getVar('formmnote', 'e'), '100%', '100%');
120			$editor_lead->addElement($formmnote);
121			}
122			$sform->addElement($editor_lead, false);
123
124			// TEASER
125			$sform->addElement(new \XoopsFormTextArea(_AM_SOAPBOX_ARTTEASER, 'teaser', $e_articles['teaser'], 10, 120));
126			// $editor_teaser=soapbox_getWysiwygForm($helper->getConfig('editorUser') , _AM_SOAPBOX_ARTTEASER ,'teaser', $teaser , '100%', '120px');
127			// $sform->addElement($editor_teaser,true);
128			//
129			$autoteaser_radio = new \XoopsFormRadioYN(_AM_SOAPBOX_AUTOTEASER, 'autoteaser', 0, ' ' . _AM_SOAPBOX_YES . '', ' ' . _AM_SOAPBOX_NO . '');
130			$sform->addElement($autoteaser_radio);
131			$sform->addElement(new \XoopsFormText(_AM_SOAPBOX_AUTOTEASERAMOUNT, 'teaseramount', 4, 4, 100));
132
133			// BODY
134			//HACK by domifara for Wysiwyg
135			// if (null !== ($helper->getConfig('editorUser')) ) {
136			// $editor=soapbox_getWysiwygForm($helper->getConfig('editorUser') , _AM_SOAPBOX_ARTBODY, 'bodytext', $e_articles['bodytext'], '100%', '400px');
137			// $sform->addElement($editor,true);
138			// } else {
139			// $sform -> addElement( new \XoopsFormDhtmlTextArea( _AM_SOAPBOX_ARTBODY, 'bodytext', $e_articles['bodytext'], 20, 120 ) );
140			// }
141
142			$optionsTrayNote = new \XoopsFormElementTray(_AM_SOAPBOX_ARTBODY, '<br>');
143			if (class_exists('XoopsFormEditor')) {
144			$options['name'] = 'bodytext';
145			$options['value'] = $e_articles['bodytext'];
146			$options['rows'] = 5;
147			$options['cols'] = '100%';
148			$options['width'] = '100%';
149			$options['height'] = '400px';
150			$bodynote = new \XoopsFormEditor('', $helper->getConfig('editorUser'), $options, $nohtml = false, $onfailure = 'textarea');
151			$optionsTrayNote->addElement($bodynote);
152			} else {
153			$bodynote = new \XoopsFormDhtmlTextArea('', 'formmnote', $item->getVar('formmnote', 'e'), '100%', '100%');
154			$optionsTrayNote->addElement($bodynote);
155			}
156			$sform->addElement($optionsTrayNote, false);
157
158			// IMAGE
159			// The article CAN have its own image :)
160			// First, if the article's image doesn't exist, set its value to the blank file
161
162			if (empty($e_articles['artimage'])
163			\|\| !file_exists(XOOPS_ROOT_PATH . '/' . $myts->htmlSpecialChars($helper->getConfig('sbuploaddir')) . '/' . $e_articles['artimage'])) {
164			$artimage = 'blank.png';
165			}
166
167			// Code to create the image selector
168			$graph_array = \XoopsLists::getImgListAsArray(XOOPS_ROOT_PATH . '/' . $myts->htmlSpecialChars($helper->getConfig('sbuploaddir')));
169			$artimage_select = new \XoopsFormSelect('', 'artimage', $e_articles['artimage']);
170			$artimage_select->addOptionArray($graph_array);
171			$artimage_select->setExtra("onchange='showImgSelected(\"image5\", \"artimage\", \"" . $myts->htmlSpecialChars($helper->getConfig('sbuploaddir')) . '", "", "' . XOOPS_URL . "\")'");
172			$artimage_tray = new \XoopsFormElementTray(_AM_SOAPBOX_SELECT_IMG, ' ');
173			$artimage_tray->addElement($artimage_select);
174			$artimage_tray->addElement(new \XoopsFormLabel('', "<br><br><img src='" . XOOPS_URL . '/' . $myts->htmlSpecialChars($helper->getConfig('sbuploaddir')) . '/' . $e_articles['artimage'] . "' name='image5' id='image5' alt=''>"));
175			$sform->addElement($artimage_tray);
176
177			// Code to call the file browser to select an image to upload
178			$sform->addElement(new \XoopsFormFile(_AM_SOAPBOX_UPLOADIMAGE, 'cimage', (int)$helper->getConfig('maxfilesize')), false);
179
180			// WEIGHT
181			$sform->addElement(new \XoopsFormText(_AM_SOAPBOX_WEIGHT, 'weight', 4, 4, $e_articles['weight']));
182			//----------
183			// datesub
184			//----------
185			$datesub_caption = $myts->htmlSpecialChars(formatTimestamp($e_articles['datesub'], $helper->getConfig('dateformat')) . '=>');
186			$datesub_tray = new \XoopsFormDateTime(_AM_SOAPBOX_POSTED . '<br>' . $datesub_caption, 'datesub', 15, time());
187			// you don't want to change datesub
188			$datesubnochage_checkbox = new \XoopsFormCheckBox(_AM_SOAPBOX_DATESUBNOCHANGE, 'datesubnochage', 0);
189			$datesubnochage_checkbox->addOption(1, _AM_SOAPBOX_YES);
190			$datesub_tray->addElement($datesubnochage_checkbox);
191			$sform->addElement($datesub_tray);
192			//-----------
193
194			// COMMENTS
195			if (isset($GLOBALS['xoopsModuleConfig']['globaldisplaycomments'])
196			&& 1 === $GLOBALS['xoopsModuleConfig']['globaldisplaycomments']) {
197			// COMMENTS
198			// Code to allow comments
199			$addcommentable_radio = new \XoopsFormRadioYN(_AM_SOAPBOX_ALLOWCOMMENTS, 'commentable', $e_articles['commentable'], ' ' . _AM_SOAPBOX_YES . '', ' ' . _AM_SOAPBOX_NO . '');
200			$sform->addElement($addcommentable_radio);
201			}
202
203			// OFFLINE
204			// Code to take article offline, for maintenance purposes
205			$offline_radio = new \XoopsFormRadioYN(_AM_SOAPBOX_SWITCHOFFLINE, 'offline', $e_articles['offline'], ' ' . _AM_SOAPBOX_YES . '', ' ' . _AM_SOAPBOX_NO . '');
206			$sform->addElement($offline_radio);
207
208			// ARTICLE IN BLOCK
209			// Code to put article in block
210			$block_radio = new \XoopsFormRadioYN(_AM_SOAPBOX_BLOCK, 'block', $e_articles['block'], ' ' . _AM_SOAPBOX_YES . '', ' ' . _AM_SOAPBOX_NO . '');
211			$sform->addElement($block_radio);
212
213			// notification public
214			$notifypub_radio = new \XoopsFormRadioYN(_AM_SOAPBOX_NOTIFY, 'notifypub', $e_articles['notifypub'], ' ' . _AM_SOAPBOX_YES . '', ' ' . _AM_SOAPBOX_NO . '');
215			$sform->addElement($notifypub_radio);
216
217			// VARIOUS OPTIONS
218			//----------
219			$options_tray = new \XoopsFormElementTray(_AM_SOAPBOX_OPTIONS, '<br>');
220
221			$html_checkbox = new \XoopsFormCheckBox('', 'html', $e_articles['html']);
222			$html_checkbox->addOption(1, _AM_SOAPBOX_DOHTML);
223			$options_tray->addElement($html_checkbox);
224
225			$smiley_checkbox = new \XoopsFormCheckBox('', 'smiley', $e_articles['smiley']);
226			$smiley_checkbox->addOption(1, _AM_SOAPBOX_DOSMILEY);
227			$options_tray->addElement($smiley_checkbox);
228
229			$xcodes_checkbox = new \XoopsFormCheckBox('', 'xcodes', $e_articles['xcodes']);
230			$xcodes_checkbox->addOption(1, _AM_SOAPBOX_DOXCODE);
231			$options_tray->addElement($xcodes_checkbox);
232
233			$breaks_checkbox = new \XoopsFormCheckBox('', 'breaks', $e_articles['breaks']);
234			$breaks_checkbox->addOption(1, _AM_SOAPBOX_BREAKS);
235			$options_tray->addElement($breaks_checkbox);
236
237			$sform->addElement($options_tray);
238			//----------
239
240			$sform->addElement(new \XoopsFormHidden('articleID', $e_articles['articleID']));
241
242			$buttonTray = new \XoopsFormElementTray('', '');
243			$hidden = new \XoopsFormHidden('op', 'authart');
244			$buttonTray->addElement($hidden);
245
246			$butt_save = new \XoopsFormButton('', '', _AM_SOAPBOX_AUTHORIZE, 'submit');
247			$butt_save->setExtra('onclick="this.form.elements.op.value=\'authart\'"');
248			$buttonTray->addElement($butt_save);
249
250			$butt_cancel = new \XoopsFormButton('', '', _AM_SOAPBOX_CANCEL, 'button');
251			$butt_cancel->setExtra('onclick="history.go(-1)"');
252			$buttonTray->addElement($butt_cancel);
253
254			$sform->addElement($buttonTray);
255			//-----------
256			// $xoopsGTicket->addTicketXoopsFormElement($sform, __LINE__);
257			//-----------
258			$sform->display();
259			unset($hidden);
260			}
261
262			/* -- Available operations -- */
263			switch ($op) {
264			case 'mod':
265			require_once XOOPS_ROOT_PATH . '/class/xoopslists.php';
266			require_once XOOPS_ROOT_PATH . '/class/xoopsformloader.php';
267			xoops_cp_header();
268			$adminObject->displayNavigation(basename(__FILE__));
269			$articleID = Request::getInt('articleID', Request::getInt('articleID', 0, 'GET'), 'POST'); // (isset($_POST['articleID'])) ? (int)($_POST['articleID']) : (int)($_GET['articleID']);
270			editarticle($articleID);
271			Soapbox\Utility::showSubmissions();
272			break;
273			case 'authart':
274			//-------------------------
275			if (!$GLOBALS['xoopsSecurity']->check()) {
276			redirect_header(XOOPS_URL . '/', 3, $GLOBALS['xoopsSecurity']->getErrors());
277			}
278			//-------------------------
279			//articleID check
280			if (Request::hasVar('articleID', 'POST')) {
281			redirect_header('index.php', 1, _AM_SOAPBOX_ARTNOTCREATED);
282			} else {
283			$articleID = Request::getInt('articleID', 0, 'POST');
284			}
285			//articleID check
286			if (Request::hasVar('columnID', 'POST')) {
287			redirect_header('index.php', 1, _AM_SOAPBOX_ARTNOTCREATED);
288			} else {
289			$columnID = Request::getInt('columnID', 0, 'POST');
290			}
291
292			//get category object
293			$_categoryob = $entrydataHandler->getColumn($columnID);
294			if (!is_object($_categoryob)) {
295			redirect_header('index.php', 1, _AM_SOAPBOX_NEEDONECOLUMN);
296			}
297
298			$_entryob = $entrydataHandler->getArticle($articleID);
299			//new data or edit
300			if (!is_object($_entryob)) {
301			redirect_header('index.php', 1, _AM_SOAPBOX_ARTAUTHORIZED);
302			}
303
304			if (Request::hasVar('articleID', 'POST')) {
305			$_entryob->setVar('articleID', $articleID);
306			}
307
308			if (Request::hasVar('columnID', 'POST')) {
309			$_entryob->setVar('columnID', $columnID);
310			}
311
312			if (Request::hasVar('weight', 'POST')) {
313			$_entryob->setVar('weight', Request::getInt('weight', 0, 'POST'));
314			}
315
316			if (Request::hasVar('commentable', 'POST')) {
317			$_entryob->setVar('commentable', Request::getInt('commentable', 0, 'POST'));
318			}
319
320			if (Request::hasVar('block', 'POST')) {
321			$_entryob->setVar('block', Request::getInt('block', 0, 'POST'));
322			}
323
324			if (Request::hasVar('offline', 'POST')) {
325			$_entryob->setVar('offline', Request::getInt('offline', 0, 'POST'));
326			}
327
328			if (Request::hasVar('notifypub', 'POST')) {
329			$_entryob->setVar('notifypub', Request::getInt('notifypub', 0, 'POST'));
330			}
331
332			//datesub
333
334			$datesubnochage = Request::getInt('datesubnochage', 0, 'POST');
335
336			// $datesub_date_sl = isset($_POST['datesub']) ? (int)strtotime($_POST['datesub']['date']) : 0;
337			// $datesub_time_sl = isset($_POST['datesub']) ? (int)$_POST['datesub']['time'] : 0;
338			// $datesub = isset($_POST['datesub']) ? $datesub_date_sl + $datesub_time_sl : 0;
339			$temp = Request::getArray('datesub', null, 'POST'); // get a clean array
340			$datesub = null !== $temp ? strtotime($temp['date']) + $temp['time'] : 0; // put the pieces back together
341
342			if (!$datesub \|\| $_entryob->_isNew) {
343			$_entryob->setVar('datesub', time());
344			} else {
345			if (!$datesubnochage) {
346			$_entryob->setVar('datesub', $datesub);
347			}
348			}
349
350			if (Request::hasVar('html', 'POST')) {
351			$_entryob->setVar('html', Request::getInt('html', 0, 'POST'));
352			}
353
354			if (Request::hasVar('smiley', 'POST')) {
355			$_entryob->setVar('smiley', Request::getInt('smiley', 0, 'POST'));
356			}
357
358			if (Request::hasVar('xcodes', 'POST')) {
359			$_entryob->setVar('xcodes', Request::getInt('xcodes', 0, 'POST'));
360			}
361			if (Request::hasVar('breaks', 'POST')) {
362			$_entryob->setVar('breaks', Request::getInt('breaks', 0, 'POST'));
363			}
364			if (Request::hasVar('artimage', 'POST')) {
365			$_entryob->setVar('artimage', Request::getInt('artimage', 0, 'POST'));
366			}
367
368			if (Request::hasVar('headline', 'POST')) {
369			$_entryob->setVar('headline', Request::getString('headline', '', 'POST'));
370			}
371			if (Request::hasVar('lead', 'POST')) {
372			$_entryob->setVar('lead', Request::getText('lead', '', 'POST'));
373			}
374			if (Request::hasVar('bodytext', 'POST')) {
375			$_entryob->setVar('bodytext', Request::getText('bodytext', '', 'POST'));
376			}
377			if (Request::hasVar('votes', 'POST')) {
378			$_entryob->setVar('votes', Request::getInt('votes', 0, 'POST'));
379			}
380
381			if (Request::hasVar('rating', 'POST')) {
382			$_entryob->setVar('rating', Request::getInt('rating', 0, 'POST'));
383			}
384			if (Request::hasVar('teaser', 'POST')) {
385			$_entryob->setVar('teaser', Request::getInt('teaser', 0, 'POST'));
386			}
387
388			$autoteaser = Request::getInt('autoteaser', 0, 'POST');
389			$charlength = Request::getInt('teaseramount', 0, 'POST');
390			if ($autoteaser && $charlength) {
391			$_entryob->setVar('teaser', xoops_substr($_entryob->getVar('bodytext', 'none'), 0, $charlength));
392			}
393
394			$_entryob->setVar('submit', 0);
395			// Save to database
396			if (!$entrydataHandler->insertArticle($_entryob)) {
397			redirect_header('index.php', 1, _AM_SOAPBOX_ARTNOTUPDATED);
398			} else {
399			// Notify of to admin only for approve
400			$entrydataHandler->newArticleTriggerEvent($_entryob, 'approve');
401			redirect_header('index.php', 1, _AM_SOAPBOX_ARTAUTHORIZED);
402			}
403			break;
404			case 'del':
405
406			$confirm = Request::getInt('confirm', 0, 'POST');
407
408			// confirmed, so delete
409			if (1 === $confirm) {
410			//-------------------------
411			if (!$GLOBALS['xoopsSecurity']->check()) {
412			redirect_header(XOOPS_URL . '/', 3, $GLOBALS['xoopsSecurity']->getErrors());
413			}
414			//-------------------------
415			//articleID check
416			if (!Request::hasVar('articleID', 'POST')) {
417			redirect_header('index.php', 1, _NOPERM);
418			} else {
419			$articleID = Request::getInt('articleID', 0, 'POST');
420			}
421
422			$_entryob = $entrydataHandler->getArticle($articleID);
423			if (!is_object($_entryob)) {
424			redirect_header('index.php', 1, _NOPERM);
425			}
426			//-------------
427			if (!$entrydataHandler->deleteArticle($_entryob)) {
428			trigger_error('ERROR:not deleted from database');
429			exit();
430			}
431			$headline = $myts->htmlSpecialChars($_entryob->getVar('headline'));
432			redirect_header('index.php', 1, sprintf(_AM_SOAPBOX_ARTISDELETED, $headline));
433			} else {
434			$articleID = Request::getInt('articleID', Request::getInt('articleID', 0, 'GET'), 'POST');
435			$_entryob = $entrydataHandler->getArticle($articleID);
436			if (!is_object($_entryob)) {
437			redirect_header('index.php', 1, _NOPERM);
438			}
439			$headline = $myts->htmlSpecialChars($_entryob->getVar('headline'));
440			xoops_cp_header();
441			$adminObject->displayNavigation(basename(__FILE__));
442			xoops_confirm([
443			'op' => 'del',
444			'articleID' => $articleID,
445			'confirm' => 1,
446			'headline' => $headline,
447			], 'article.php', _AM_SOAPBOX_DELETETHISARTICLE . '<br><br>' . $headline, _AM_SOAPBOX_DELETE);
448			require_once __DIR__ . '/admin_footer.php';
449			}
450			exit();
451			break;
452			case 'default':
453			default:
454
455			xoops_cp_header();
456			//adminMenu(3, _AM_SOAPBOX_SUBMITS);
457			$adminObject->displayNavigation(basename(__FILE__));
458			echo '<br>';
459			Soapbox\Utility::showSubmissions();
460			require_once __DIR__ . '/admin_footer.php';
461			exit();
462			break;
463			}
464			require_once __DIR__ . '/admin_footer.php';
465

XoopsModules25x / soapbox

Issues (278)

Security Analysis not enabled

admin/submissions.php (1 issue)

Labels

Severity

Introduced By

Duplication Side-by-Side

Filter issues like