<?php\r
/**\r
* Nucleus: PHP/MySQL Weblog CMS (http://nucleuscms.org/) \r
- * Copyright (C) 2002-2004 The Nucleus Group\r
+ * Copyright (C) 2002-2005 The Nucleus Group\r
*\r
* This program is free software; you can redistribute it and/or\r
* modify it under the terms of the GNU General Public License\r
* upload of new files\r
* - close the popup by selecting a file in the list. The file gets\r
* passed through to the add-item form (linkto, popupimg or inline img)\r
+ *\r
+ * $Id: media.php,v 1.3 2005-03-16 08:04:14 kimitake Exp $\r
+ * $NucleusJP$\r
*/\r
\r
$CONF = array();\r
if (mysql_num_rows($teams) == 0)\r
media_doError(_ERROR_DISALLOWEDUPLOAD);\r
\r
-// basic action:\r
+// get action\r
$action = requestVar('action');\r
+if ($action == '')\r
+ $action = 'selectmedia';\r
+ \r
+// check ticket\r
+$aActionsNotToCheck = array('selectmedia', _MEDIA_FILTER_APPLY, _MEDIA_COLLECTION_SELECT);\r
+if (!in_array($action, $aActionsNotToCheck))\r
+{\r
+ if (!$manager->checkTicket())\r
+ media_doError(_ERROR_BADTICKET);\r
+} \r
+\r
+\r
switch($action) {\r
case 'chooseupload':\r
case _MEDIA_UPLOAD_TO:\r
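Review bot: The exemption test at `if (!in_array($action, $aActionsNotToCheck))` and the default at `if ($action == '')` use loose comparison, and since that list decides which requests may skip `$manager->checkTicket()`, they should read `if (!in_array($action, $aActionsNotToCheck, true))` and `if ($action === '')` so that only a byte-identical action name is exempt from the ticket. With `requestVar()` presumably returning strings this is mostly a style point, but strict matching removes any dependence on PHP's loose string-comparison rules at the one place that gates CSRF protection. The deny-by-default shape of the check is right and worth stating for the next person who adds a case: `// only these read-only actions may run without a CSRF ticket; any other action is checked`. The check only holds if `media_doError()` terminates the request, which is not visible in this hunk.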
\r
// select a file\r
function media_select() {\r
- global $member, $CONF, $DIR_MEDIA;\r
+ global $member, $CONF, $DIR_MEDIA, $manager;\r
\r
media_head();\r
\r
</select>\r
<input type="submit" name="action" value="<?php echo htmlspecialchars(_MEDIA_COLLECTION_SELECT) ?>" title="<?php echo htmlspecialchars(_MEDIA_COLLECTION_TT)?>" />\r
<input type="submit" name="action" value="<?php echo htmlspecialchars(_MEDIA_UPLOAD_TO) ?>" title="<?php echo htmlspecialchars(_MEDIA_UPLOADLINK) ?>" />\r
+ <?php $manager->addTicketHidden() ?>\r
</div></form>\r
<?php } else {\r
?>\r
<form method="post" action="media.php" style="float:right"><div>\r
<input type="hidden" name="collection" value="<?php echo htmlspecialchars($currentCollection)?>" />\r
<input type="submit" name="action" value="<?php echo htmlspecialchars(_MEDIA_UPLOAD_NEW) ?>" title="<?php echo htmlspecialchars(_MEDIA_UPLOADLINK) ?>" />\r
+ <?php $manager->addTicketHidden() ?>\r
</div></form> \r
<?php } // if sizeof\r
\r
\r
echo "<tr>";\r
echo "<td>". date("Y-m-d",$obj->timestamp) ."</td>";\r
+ \r
+ // strings for javascript\r
+ $jsCurrentCollection = str_replace("'","\\'",$currentCollection);\r
+ $jsFileName = str_replace("'","\\'",$obj->filename);\r
\r
if ($filetype != 0) {\r
// image (gif/jpg/png/swf)\r
- echo "<td><a href='media.php' onclick='chooseImage(\"$currentCollection\",\"$obj->filename\","\r
- . "\"$width\",\"$height\""\r
- . ")' title='" . htmlspecialchars($obj->filename). "'>"\r
+ echo "<td><a href=\"media.php\" onclick=\"chooseImage('", htmlspecialchars($jsCurrentCollection), "','", htmlspecialchars($jsFileName), "',"\r
+ . "'", htmlspecialchars($width), "','" , htmlspecialchars($height), "'"\r
+ . ")\" title=\"" . htmlspecialchars($obj->filename). "\">"\r
. htmlspecialchars(shorten($obj->filename,25,'...'))\r
."</a>";\r
echo ' (<a href="', htmlspecialchars($CONF['MediaURL'] . $currentCollection . '/' . $obj->filename), '" onclick="window.open(this.href); return false;" title="',htmlspecialchars(_MEDIA_VIEW_TT),'">',_MEDIA_VIEW,'</a>)';\r
echo "</td>";\r
} else {\r
// no image (e.g. mpg)\r
- echo "<td><a href='media.php' onclick='chooseOther(\"$currentCollection\",\"$obj->filename\""\r
- . ")' title='" . htmlspecialchars($obj->filename). "'>"\r
+ echo "<td><a href='media.php' onclick=\"chooseOther('" , htmlspecialchars($jsCurrentCollection), "','", htmlspecialchars($jsFileName), "'"\r
+ . ")\" title=\"" . htmlspecialchars($obj->filename). "\">"\r
. htmlspecialchars(shorten($obj->filename,30,'...'))\r
."</a></td>";\r
\r
}\r
- echo '<td>' , $width , 'x' , $height , '</td>';\r
+ echo '<td>' , htmlspecialchars($width) , 'x' , htmlspecialchars($height) , '</td>';\r
echo '</tr>';\r
}\r
} // if (sizeof($arr)>0)\r
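Review bot: The JavaScript escaping at `$jsCurrentCollection = str_replace("'","\\'",$currentCollection);` and the `$jsFileName` line below it escape the single quote but not the backslash, so a name containing `\'` becomes `\\'` inside the `onclick` string literal, where `\\` is an escaped backslash and the following `'` closes the literal early; the `htmlspecialchars()` applied afterwards guards the attribute boundary, not the JS string. Replacing the two lines with `$jsCurrentCollection = addslashes($currentCollection);` and `$jsFileName = addslashes($obj->filename);` escapes the backslash as well, and the `\"` it produces for a double quote becomes `\&quot;` after `htmlspecialchars()`, which the HTML parser decodes back to a valid `\"` before the script runs. Whether a collection or filename can actually contain a backslash depends on upload and collection validation elsewhere in media.php that is not in this hunk, so this may be defence in depth rather than a live injection; a raw CR/LF in a name would still break the handler, though not turn it into injection. The enclosing `media_select()` body begins outside this hunk.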
* Shows a screen where you can select the file to upload\r
*/\r
function media_choose() {\r
- global $CONF, $member;\r
+ global $CONF, $member, $manager;\r
\r
$currentCollection = requestVar('collection');\r
\r
<form method="post" enctype="multipart/form-data" action="media.php">\r
<div>\r
<input type="hidden" name="action" value="uploadfile" />\r
+ <?php $manager->addTicketHidden() ?>\r
<input type="hidden" name="MAX_FILE_SIZE" value="<?php echo $CONF['MaxUploadSize']?>" />\r
File:\r
<br />\r