This project does not seem to handle request data directly as such no vulnerable execution paths were found.
include
, or for example
via PHP's auto-loading mechanism.
1 | <?php declare(strict_types=1); |
||
2 | /* |
||
3 | You may not change or alter any portion of this comment or credits |
||
4 | of supporting developers from this source code or any supporting source code |
||
5 | which is considered copyrighted (c) material of the original comment or credit authors. |
||
6 | |||
7 | This program is distributed in the hope that it will be useful, |
||
8 | but WITHOUT ANY WARRANTY; without even the implied warranty of |
||
9 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. |
||
10 | */ |
||
11 | |||
12 | /** |
||
13 | * @copyright XOOPS Project (https://xoops.org) |
||
14 | * @license https://www.fsf.org/copyleft/gpl.html GNU public license |
||
15 | * @since 1.0 |
||
16 | * @author trabis <[email protected]> |
||
17 | * @author The SmartFactory <www.smartfactory.ca> |
||
18 | */ |
||
19 | |||
20 | use Xmf\Request; |
||
21 | use XoopsModules\Publisher\{ |
||
22 | Category, |
||
23 | Constants, |
||
24 | GroupPermHandler, |
||
25 | Helper, |
||
26 | Item, |
||
27 | Utility, |
||
28 | }; |
||
29 | |||
30 | |||
31 | require_once __DIR__ . '/header.php'; |
||
32 | $helper->loadLanguage('admin'); |
||
33 | |||
34 | // Get the total number of categories |
||
35 | $categoriesArray = $helper->getHandler('Category') |
||
36 | ->getCategoriesForSubmit(); |
||
37 | |||
38 | if (!$categoriesArray) { |
||
39 | redirect_header('index.php', 1, _MD_PUBLISHER_NEED_CATEGORY_ITEM); |
||
40 | } |
||
41 | |||
42 | $groups = $GLOBALS['xoopsUser'] ? $GLOBALS['xoopsUser']->getGroups() : XOOPS_GROUP_ANONYMOUS; |
||
43 | /** @var GroupPermHandler $grouppermHandler */ |
||
44 | $grouppermHandler = Helper::getInstance() |
||
45 | ->getHandler('GroupPerm'); //xoops_getModuleHandler('groupperm'); |
||
46 | $moduleId = $helper->getModule() |
||
47 | ->getVar('mid'); |
||
48 | |||
49 | $itemId = Request::getInt('itemid', Request::getInt('itemid', 0, 'POST'), 'GET'); |
||
50 | if (0 != $itemId) { |
||
51 | // We are editing or deleting an article |
||
52 | /** @var Item $itemObj */ |
||
53 | $itemObj = $helper->getHandler('Item') |
||
54 | ->get($itemId); |
||
55 | if (!(Utility::userIsAdmin() || Utility::userIsAuthor($itemObj) || Utility::userIsModerator($itemObj))) { |
||
56 | redirect_header('index.php', 1, _NOPERM); |
||
57 | } |
||
58 | if (!Utility::userIsAdmin() || !Utility::userIsModerator($itemObj)) { |
||
59 | if ('del' === Request::getString('op', '', 'GET') && !$helper->getConfig('perm_delete')) { |
||
60 | redirect_header('index.php', 1, _NOPERM); |
||
61 | } elseif (!$helper->getConfig('perm_edit')) { |
||
62 | redirect_header('index.php', 1, _NOPERM); |
||
63 | } |
||
64 | } |
||
65 | /** @var Category $categoryObj */ |
||
66 | $categoryObj = $itemObj->getCategory(); |
||
67 | } else { |
||
68 | // we are submitting a new article |
||
69 | // if the user is not admin AND we don't allow user submission, exit |
||
70 | if (!(Utility::userIsAdmin() || (1 == $helper->getConfig('perm_submit') && (is_object($GLOBALS['xoopsUser']) || (1 == $helper->getConfig('perm_anon_submit')))))) { |
||
71 | redirect_header('index.php', 1, _NOPERM); |
||
72 | } |
||
73 | /** @var Item $itemObj */ |
||
74 | $itemObj = $helper->getHandler('Item') |
||
75 | ->create(); |
||
76 | /** @var Category $categoryObj */ |
||
77 | $categoryObj = $helper->getHandler('Category') |
||
78 | ->create(); |
||
79 | } |
||
80 | |||
81 | if ('clone' === Request::getString('op', '', 'GET')) { |
||
82 | $formtitle = _MD_PUBLISHER_SUB_CLONE; |
||
83 | $itemObj->setNew(); |
||
84 | $itemObj->setVar('itemid', 0); |
||
85 | } else { |
||
86 | $formtitle = _MD_PUBLISHER_SUB_SMNAME; |
||
87 | } |
||
88 | |||
89 | //$op = ''; |
||
90 | $op = 'add'; |
||
91 | if (Request::getString('additem', '', 'POST')) { |
||
92 | $op = 'post'; |
||
93 | } elseif (Request::getString('preview', '', 'POST')) { |
||
94 | $op = 'preview'; |
||
95 | } |
||
96 | |||
97 | $tokenError = false; |
||
98 | if ('POST' === Request::getMethod() && !$GLOBALS['xoopsSecurity']->check()) { |
||
99 | if ('preview' !== $op) { |
||
100 | $op = 'preview'; |
||
101 | $tokenError = true; |
||
102 | } |
||
103 | } |
||
104 | |||
105 | $op = Request::getString('op', Request::getString('op', $op, 'POST'), 'GET'); |
||
106 | |||
107 | $allowedEditors = Utility::getEditors($grouppermHandler->getItemIds('editors', $groups, $moduleId)); |
||
108 | $formView = $grouppermHandler->getItemIds('form_view', $groups, $moduleId); |
||
109 | |||
110 | // This code makes sure permissions are not manipulated |
||
111 | $elements = [ |
||
112 | 'summary', |
||
113 | 'available_page_wrap', |
||
114 | 'item_tag', |
||
115 | 'image_item', |
||
116 | 'item_upload_file', |
||
117 | 'uid', |
||
118 | 'datesub', |
||
119 | 'status', |
||
120 | 'item_short_url', |
||
121 | 'item_meta_keywords', |
||
122 | 'item_meta_description', |
||
123 | 'weight', |
||
124 | 'allowcomments', |
||
125 | 'dohtml', |
||
126 | 'dosmiley', |
||
127 | 'doxcode', |
||
128 | 'doimage', |
||
129 | 'dolinebreak', |
||
130 | 'notify', |
||
131 | 'subtitle', |
||
132 | 'author_alias', |
||
133 | ]; |
||
134 | foreach ($elements as $element) { |
||
135 | $classname = Constants::class; |
||
136 | if (Request::hasVar($element, 'POST') && !in_array(constant($classname . '::' . 'PUBLISHER_' . \mb_strtoupper($element)), $formView, true)) { |
||
137 | redirect_header('index.php', 1, _MD_PUBLISHER_SUBMIT_ERROR); |
||
138 | } |
||
139 | } |
||
140 | //unset($element); |
||
141 | |||
142 | $itemUploadFile = Request::getArray('item_upload_file', [], 'FILES'); |
||
143 | |||
144 | //stripcslashes |
||
145 | switch ($op) { |
||
146 | case 'del': |
||
147 | $confirm = Request::getInt('confirm', '', 'POST'); |
||
0 ignored issues
–
show
Bug
introduced
by
![]() |
|||
148 | |||
149 | if ($confirm) { |
||
150 | if (!$helper->getHandler('Item') |
||
151 | ->delete($itemObj)) { |
||
152 | redirect_header('index.php', 2, _AM_PUBLISHER_ITEM_DELETE_ERROR . Utility::formatErrors($itemObj->getErrors())); |
||
153 | } |
||
154 | redirect_header('index.php', 2, sprintf(_AM_PUBLISHER_ITEMISDELETED, $itemObj->getTitle())); |
||
155 | } else { |
||
156 | require_once XOOPS_ROOT_PATH . '/header.php'; |
||
157 | xoops_confirm(['op' => 'del', 'itemid' => $itemObj->itemid(), 'confirm' => 1, 'name' => $itemObj->getTitle()], 'submit.php', _AM_PUBLISHER_DELETETHISITEM . " <br>'" . $itemObj->getTitle() . "'. <br> <br>", _AM_PUBLISHER_DELETE); |
||
158 | require_once XOOPS_ROOT_PATH . '/footer.php'; |
||
159 | } |
||
160 | exit(); |
||
161 | case 'preview': |
||
162 | // Putting the values about the ITEM in the ITEM object |
||
163 | $itemObj->setVarsFromRequest(); |
||
164 | |||
165 | $GLOBALS['xoopsOption']['template_main'] = 'publisher_submit.tpl'; |
||
166 | require_once XOOPS_ROOT_PATH . '/header.php'; |
||
167 | $xoTheme->addScript(XOOPS_URL . '/browse.php?Frameworks/jquery/jquery.js'); |
||
168 | $xoTheme->addScript(PUBLISHER_URL . '/assets/js/publisher.js'); |
||
169 | require_once PUBLISHER_ROOT_PATH . '/footer.php'; |
||
170 | |||
171 | $categoryObj = $helper->getHandler('Category') |
||
172 | ->get(Request::getInt('categoryid', 0, 'POST')); |
||
173 | |||
174 | $item = $itemObj->toArraySimple(); |
||
175 | $item['summary'] = $itemObj->body(); |
||
176 | $item['categoryPath'] = $categoryObj->getCategoryPath(true); |
||
177 | $item['who_when'] = $itemObj->getWhoAndWhen(); |
||
178 | $item['comments'] = -1; |
||
179 | $xoopsTpl->assign('item', $item); |
||
180 | |||
181 | $xoopsTpl->assign('op', 'preview'); |
||
182 | $xoopsTpl->assign('module_home', Utility::moduleHome()); |
||
183 | |||
184 | if ($itemId) { |
||
185 | $xoopsTpl->assign('categoryPath', _MD_PUBLISHER_EDIT_ARTICLE); |
||
186 | $xoopsTpl->assign('langIntroTitle', _MD_PUBLISHER_EDIT_ARTICLE); |
||
187 | $xoopsTpl->assign('langIntroText', ''); |
||
188 | } else { |
||
189 | $xoopsTpl->assign('categoryPath', _MD_PUBLISHER_SUB_SNEWNAME); |
||
190 | $xoopsTpl->assign( |
||
191 | 'langIntroTitle', sprintf( |
||
192 | _MD_PUBLISHER_SUB_SNEWNAME, ucwords( |
||
193 | $helper->getModule() |
||
194 | ->name() |
||
195 | ) |
||
196 | ) |
||
197 | ); |
||
198 | $xoopsTpl->assign('langIntroText', $helper->getConfig('submit_intro_msg')); |
||
199 | } |
||
200 | if ($tokenError) { |
||
201 | $xoopsTpl->assign('langIntroText', _CO_PUBLISHER_BAD_TOKEN); |
||
202 | } |
||
203 | |||
204 | $sform = $itemObj->getForm($formtitle, true); |
||
205 | $sform->assign($xoopsTpl); |
||
206 | require_once XOOPS_ROOT_PATH . '/footer.php'; |
||
207 | exit(); |
||
208 | case 'post': |
||
209 | // Putting the values about the ITEM in the ITEM object |
||
210 | // print_r($itemObj->getVars()); |
||
211 | $itemObj->setVarsFromRequest(); |
||
212 | //print_r($_POST); |
||
213 | //print_r($itemObj->getVars()); |
||
214 | //exit; |
||
215 | |||
216 | // Storing the item object in the database |
||
217 | if (!$itemObj->store()) { |
||
218 | redirect_header('<script>javascript:history.go(-1)</script>', 2, _MD_PUBLISHER_SUBMIT_ERROR); |
||
219 | } |
||
220 | |||
221 | // attach file if any |
||
222 | if (is_array($itemUploadFile) && '' != $itemUploadFile['name']) { |
||
223 | $fileUploadResult = Utility::uploadFile(false, true, $itemObj); |
||
224 | if (true !== $fileUploadResult) { |
||
225 | redirect_header('<script>javascript:history.go(-1)</script>', 3, $fileUploadResult); |
||
226 | } |
||
227 | } |
||
228 | |||
229 | // if autoapprove_submitted. This does not apply if we are editing an article |
||
230 | if ($itemId) { |
||
231 | $redirectMsg = _MD_PUBLISHER_ITEMMODIFIED; |
||
232 | redirect_header($itemObj->getItemUrl(), 2, $redirectMsg); |
||
233 | } elseif (Constants::PUBLISHER_STATUS_PUBLISHED == $itemObj->getVar('status') /*$helper->getConfig('perm_autoapprove'] == 1*/) { |
||
234 | // We do not not subscribe user to notification on publish since we publish it right away |
||
235 | |||
236 | // Send notifications |
||
237 | $itemObj->sendNotifications([Constants::PUBLISHER_NOTIFY_ITEM_PUBLISHED]); |
||
238 | |||
239 | $redirectMsg = _MD_PUBLISHER_ITEM_RECEIVED_AND_PUBLISHED; |
||
240 | redirect_header($itemObj->getItemUrl(), 2, $redirectMsg); |
||
241 | } else { |
||
242 | // Subscribe the user to On Published notification, if requested |
||
243 | if ($itemObj->getVar('notifypub')) { |
||
244 | require_once \dirname(__DIR__, 2) . '/include/notification_constants.php'; |
||
245 | /** @var \XoopsNotificationHandler $notificationHandler */ |
||
246 | $notificationHandler = xoops_getHandler('notification'); |
||
247 | $notificationHandler->subscribe('item', $itemObj->itemid(), 'approved', XOOPS_NOTIFICATION_MODE_SENDONCETHENDELETE); |
||
248 | } |
||
249 | // Send notifications |
||
250 | $itemObj->sendNotifications([Constants::PUBLISHER_NOTIFY_ITEM_SUBMITTED]); |
||
251 | |||
252 | $redirectMsg = _MD_PUBLISHER_ITEM_RECEIVED_NEED_APPROVAL; |
||
253 | } |
||
254 | redirect_header('index.php', 2, $redirectMsg); |
||
255 | |||
256 | break; |
||
257 | case 'add': |
||
258 | default: |
||
259 | $GLOBALS['xoopsOption']['template_main'] = 'publisher_submit.tpl'; |
||
260 | require_once XOOPS_ROOT_PATH . '/header.php'; |
||
261 | $GLOBALS['xoTheme']->addScript(XOOPS_URL . '/browse.php?Frameworks/jquery/jquery.js'); |
||
262 | $GLOBALS['xoTheme']->addScript(PUBLISHER_URL . '/assets/js/publisher.js'); |
||
263 | require_once PUBLISHER_ROOT_PATH . '/footer.php'; |
||
264 | |||
265 | //mb $itemObj->setVarsFromRequest(); |
||
266 | |||
267 | $xoopsTpl->assign('module_home', Utility::moduleHome()); |
||
268 | if ('clone' === Request::getString('op', '', 'GET')) { |
||
269 | $xoopsTpl->assign('categoryPath', _CO_PUBLISHER_CLONE); |
||
270 | $xoopsTpl->assign('langIntroTitle', _CO_PUBLISHER_CLONE); |
||
271 | } elseif ($itemId) { |
||
272 | $xoopsTpl->assign('categoryPath', _MD_PUBLISHER_EDIT_ARTICLE); |
||
273 | $xoopsTpl->assign('langIntroTitle', _MD_PUBLISHER_EDIT_ARTICLE); |
||
274 | $xoopsTpl->assign('langIntroText', ''); |
||
275 | } else { |
||
276 | $xoopsTpl->assign('categoryPath', _MD_PUBLISHER_SUB_SNEWNAME); |
||
277 | $xoopsTpl->assign( |
||
278 | 'langIntroTitle', sprintf( |
||
279 | _MD_PUBLISHER_SUB_SNEWNAME, ucwords( |
||
280 | $helper->getModule() |
||
281 | ->name() |
||
282 | ) |
||
283 | ) |
||
284 | ); |
||
285 | $xoopsTpl->assign('langIntroText', $helper->getConfig('submit_intro_msg')); |
||
286 | } |
||
287 | $sform = $itemObj->getForm($formtitle, true); |
||
288 | $sform->assign($xoopsTpl); |
||
289 | |||
290 | require_once XOOPS_ROOT_PATH . '/footer.php'; |
||
291 | break; |
||
292 | } |
||
293 |