Diffstat (limited to 'src/index.php')
-rw-r--r-- | src/index.php | 151 |
1 files changed, 136 insertions, 15 deletions
diff --git a/src/index.php b/src/index.php
index 1cc0d01..6258131 100644
--- a/src/index.php
+++ b/src/index.php
@@ -148,7 +148,7 @@ $GLOBALS["currentUser"] = &$currentUser;
 if ($_action === "auth") {
 if ($currentUser) {
- header("Location: .");
+ header("Location: " . $_GET["next"] ?? ".");
 exit;
 }
@@ -167,7 +167,7 @@ if ($_action === "auth") {
 }
 RequestUtils::setAuthorizedUser($user);
- header("Location: .");
+ header("Location: " . $_GET["next"] ?? ".");
 } else {
 _view("template_start", ["_title" => "Forum"]);
 _view("template_navigation_start");
@@ -178,7 +178,7 @@ if ($_action === "auth") {
 }
 } elseif ($_action === "register") {
 if ($currentUser) {
- header("Location: .");
+ header("Location: " . $_GET["next"] ?? ".");
 exit;
 }
@@ -259,7 +259,7 @@ if ($_action === "auth") {
 }
 } elseif ($_action === "logout") {
 RequestUtils::unsetAuthorizedUser();
- header("Location: .");
+ header("Location: " . $_GET["next"] ?? ".");
 } elseif ($_action === "viewtopic") {
 $topicId = $_GET["topic"] ?? throw new Exception("Missing topic id");
 $topic = new Topic();
@@ -343,8 +343,8 @@ if ($_action === "auth") {
 /** @var Post $post */
 foreach ($posts as $post) {
- /** @var ?User $postAuthor */
- $postAuthor = null;
+ /** @var ?User $topicAuthor */
+ $topicAuthor = null;
 if ($post->authorId !== null && !isset($userCache[$post->authorId])) {
 $usr = new User();
 $usr->id = $post->authorId;
@@ -352,13 +352,13 @@ if ($_action === "auth") {
 $userCache[$post->authorId] = &$usr;
 }
 if (isset($userCache[$post->authorId]))
- $postAuthor = &$userCache[$post->authorId];
+ $topicAuthor = &$userCache[$post->authorId];
 $attachments = $db->fetchCustom(Attachment::class, 'WHERE post_id = $1', [ $post->id ]);
 _view("view_post", [
 "post" => $post,
- "postAuthor" => $postAuthor,
+ "postAuthor" => $topicAuthor,
 "attachments" => $attachments,
 ]);
 }
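Review bot: `header("Location: " . $_GET["next"] ?? ".")` never applies the `??` fallback, because `.` binds tighter than `??`: the left operand is the whole concatenation, which is a non-null string even when `next` is absent, so a request without `next` emits an empty `Location:` header plus an undefined-array-key warning instead of redirecting to `.`. The value is also taken from the query string unvalidated, so a `next` holding an absolute or protocol-relative URL sends the user off-site right after login or logout (open redirect). Both are addressed by validating once before emitting: `$next = $_GET["next"] ?? ".";` / `if (!is_string($next) || $next === "" || str_contains($next, ":") || $next[0] === "/" || $next[0] === "\\") $next = ".";` / `header("Location: " . $next);` — this keeps only same-site relative targets like the `./?_action=...` links the file already uses. The same line is repeated in the hunks at -167, -178 and -259; a shared helper in `RequestUtils` would keep the check in one place. The `if ($_action === "auth")` chain these hunks belong to starts and ends outside each hunk.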
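Review bot: Renaming `$postAuthor` to `$topicAuthor` in the viewtopic post loop misdescribes the value, which is still the post's author: it is resolved from `$post->authorId` via `$userCache` and handed to the view under the key `"postAuthor"`; keeping `$postAuthor` here reads correctly. The same rename is applied in the hunks at -352, -663 and -714, where the variable is likewise built from `$post->authorId`, and at -663 `$canDelete` becomes `$canEdit` although it still gates deletion via `DELETE_OWN_POST`/`DELETE_OTHER_POST` and the 403 text still says "delete". In the new deletetopic branch `$topicAuthor` is accurate, but its `$canEdit` would also read better as `$canDelete`, matching the `DELETE_*_TOPIC` permissions it checks. The foreach body continues past the end of this hunk.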
@@ -418,6 +418,20 @@ if ($_action === "auth") {
 _view("form_newtopic");
 _view("template_end");
 }
+} elseif ($_action === "lookupuser") {
+ RequestUtils::ensureRequestMethod("GET");
+ $userHandle = $_GET["handle"] ?? throw new Exception("Missing handle");
+
+ $user = new User();
+ $user->name = $userHandle;
+
+ if (!$db->fetchWhere($user, "name")) {
+ http_response_code(404);
+ Messaging::error("No user with name @$userHandle");
+ exit;
+ }
+
+ header("Location: ./?_action=viewuser&user=" . urlencode($user->id));
 } elseif ($_action === "viewuser") {
 $userId = $_GET["user"] ?? throw new Exception("Missing user id");
 $user = new User();
@@ -663,16 +677,16 @@ if ($_action === "auth") {
 exit;
 }
- $postAuthor = new User();
- $postAuthor->id = $post->authorId;
+ $topicAuthor = new User();
+ $topicAuthor->id = $post->authorId;
- if (!$db->fetch($postAuthor))
- $postAuthor = null;
+ if (!$db->fetch($topicAuthor))
+ $topicAuthor = null;
- $canDelete = ($currentUser->id === $postAuthor?->id && $postAuthor?->hasPermission(UserPermissions::DELETE_OWN_POST))
+ $canEdit = ($currentUser->id === $topicAuthor?->id && $topicAuthor?->hasPermission(UserPermissions::DELETE_OWN_POST))
 || ($currentUser->hasPermission(UserPermissions::DELETE_OTHER_POST));
- if (!$canDelete) {
+ if (!$canEdit) {
 http_response_code(403);
 Messaging::error("You don't have permission to delete this post");
 exit;
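Review bot: `Messaging::error("No user with name @$userHandle")` in the new `lookupuser` branch interpolates the raw `handle` query parameter into the message, and `Messaging::error` is not part of this diff, so whether it escapes for HTML cannot be confirmed here; if it writes the string into the page unescaped this is reflected XSS, and the safe form at this call site is `Messaging::error("No user with name @" . htmlspecialchars($userHandle, ENT_QUOTES | ENT_SUBSTITUTE, "UTF-8"));` (or escaping once inside the helper, for every caller). The `$_GET["handle"] ?? throw` guard only checks presence, so a non-string value (PHP parses `handle[]=` into an array) reaches `$user->name` and the lookup; `$userHandle = $_GET["handle"] ?? null; if (!is_string($userHandle)) throw new Exception("Missing handle");` rejects it up front. The branch is complete within the hunk; the surrounding `if/elseif` chain is not.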
@@ -714,11 +728,118 @@ if ($_action === "auth") {
 _view("template_navigation_end");
 _view("form_delete_post_confirm", [
 "post" => $post,
- "postAuthor" => $postAuthor,
+ "postAuthor" => $topicAuthor,
 "attachments" => $attachments,
 ]);
 _view("template_end");
 }
+} elseif ($_action === "deletetopic") {
+ RequestUtils::ensureRequestMethod("POST");
+
+ if (!$currentUser) {
+ http_response_code(403);
+ Messaging::error("You need to be logged in to delete topics!");
+ exit;
+ }
+
+ $topicId = RequestUtils::getRequiredField("topic");
+
+ $topic = new Topic();
+ $topic->id = $topicId;
+
+ if (!$db->fetch($topic)) {
+ http_response_code(404);
+ Messaging::error("No topic exists with this id");
+ exit;
+ }
+
+ $topicAuthor = new User();
+ $topicAuthor->id = $topic->createdBy;
+
+ if (!$db->fetch($topicAuthor))
+ $topicAuthor = null;
+
+ $canEdit = ($currentUser->id === $topicAuthor?->id && $topicAuthor?->hasPermission(UserPermissions::DELETE_OWN_TOPIC))
+ || ($currentUser->hasPermission(UserPermissions::DELETE_OTHER_TOPIC));
+
+ if (!$canEdit) {
+ http_response_code(403);
+ Messaging::error("You don't have permission to delete this topic");
+ exit;
+ }
+
+ $confirm = $_POST["confirm"] ?? null;
+ if ($confirm !== null) {
+ $expectedConfirm = base64_encode(hash("sha256", "confirm" . $topic->id, true));
+ if ($confirm !== $expectedConfirm) {
+ http_response_code(400);
+ Messaging::error("Invalid confirmation");
+ exit;
+ }
+
+ if (!$db->delete($topic)) {
+ http_response_code(500);
+ Messaging::error("Failed to delete topic");
+ exit;
+ }
+
+ header("Location: .");
+ } else {
+ _view("template_start", ["_title" => "Forum"]);
+ _view("template_navigation_start");
+ _view("template_navigation", ["user" => RequestUtils::getAuthorizedUser($db)]);
+ _view("template_navigation_end");
+ _view("form_delete_topic_confirm", [
+ "topic" => $topic,
+ "topicAuthor" => $topicAuthor,
+ ]);
+ _view("template_end");
+ }
+} elseif ($_action === "updatetopic") {
+ RequestUtils::ensureRequestMethod("POST");
+
+ if (!$currentUser) {
+ http_response_code(403);
+ Messaging::error("You need to be logged in to update topics!");
+ exit;
+ }
+
+ $topicId = RequestUtils::getRequiredField("topic");
+ $title = RequestUtils::getRequiredField("title");
+
+ $topic = new Topic();
+ $topic->id = $topicId;
+
+ if (!$db->fetch($topic)) {
+ http_response_code(404);
+ Messaging::error("No topic exists with this id");
+ exit;
+ }
+
+ $topicAuthor = new User();
+ $topicAuthor->id = $topic->createdBy;
+
+ if (!$db->fetch($topicAuthor))
+ $topicAuthor = null;
+
+ $canEdit = ($currentUser->id === $topicAuthor?->id && $topicAuthor?->hasPermission(UserPermissions::EDIT_OWN_TOPIC))
+ || ($currentUser->hasPermission(UserPermissions::EDIT_OTHER_TOPIC));
+
+ if (!$canEdit) {
+ http_response_code(403);
+ Messaging::error("You don't have permission to update this topic");
+ exit;
+ }
+
+ $topic->title = $title;
+
+ if (!$db->update($topic)) {
+ http_response_code(500);
+ Messaging::error("Failed to update topic");
+ exit;
+ }
+
+ header("Location: ./?_action=viewtopic&topic=" . urlencode($topicId));
 } elseif ($_action === null) {
 _view("template_start", ["_title" => "Forum"]);
 _view("template_navigation_start"); |
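Review bot: The `confirm` value that authorizes the delete in `deletetopic`, `base64_encode(hash("sha256", "confirm" . $topic->id, true))`, depends only on the topic id, so it is a UI double-confirm rather than a CSRF token: it does not bind the POST to the current session, and a cross-site form can supply it for any topic the victim may delete. Derive it from a per-session secret, e.g. `hash("sha256", "confirm" . $topic->id . <SESSION_CSRF_SECRET>, true)` (placeholder for whatever per-session value the app keeps), and compare with `if (!is_string($confirm) || !hash_equals($expectedConfirm, $confirm))` rather than `!==`; `updatetopic` performs the write with no such check at all, so it needs the same session-bound token. The fetch-topic, fetch-author and permission sequence is duplicated verbatim between the two new branches, differing only in the `UserPermissions` constants; a small helper that takes the own/other permission pair and returns `[$topic, $topicAuthor]` would remove it. The `if/elseif` chain these branches extend begins before the hunk.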