<?php
/*
* Nucleus: PHP/MySQL Weblog CMS (http://nucleuscms.org/)
- * Copyright (C) 2002-2006 The Nucleus Group
+ * Copyright (C) 2002-2007 The Nucleus Group
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* The code for the Nucleus admin area
*
* @license http://nucleuscms.org/license.txt GNU General Public License
- * @copyright Copyright (C) 2002-2006 The Nucleus Group
- * @version $Id: ADMIN.php,v 1.13 2007-02-03 06:00:04 kimitake Exp $
- * @version $NucleusJP: ADMIN.php,v 1.12 2007/01/31 10:02:58 kimitake Exp $
+ * @copyright Copyright (C) 2002-2007 The Nucleus Group
+ * @version $Id: ADMIN.php,v 1.20 2007-03-22 03:30:14 kmorimatsu Exp $
+ * @version $NucleusJP: ADMIN.php,v 1.19 2007/03/20 19:31:29 kmorimatsu Exp $
*/
-require_once "showlist.php";
+if ( !function_exists('requestVar') ) exit;
+require_once dirname(__FILE__) . '/showlist.php';
/**
* Builds the admin area and executes admin actions
if (method_exists($this, $methodName))
call_user_func(array(&$this, $methodName));
else
- $this->error(_BADACTION . " ($action)");
+ $this->error(_BADACTION . htmlspecialchars(" ($action)"));
}
* @param object BLOG
*/
function bloglink(&$blog) {
- return '<a href="'.htmlspecialchars($blog->getURL()).'" title="'._BLOGLIST_TT_VISIT.'">'.$blog->getName() .'</a>';
+ return '<a href="'.htmlspecialchars($blog->getURL()).'" title="'._BLOGLIST_TT_VISIT.'">'. htmlspecialchars( $blog->getName() ) .'</a>';
}
/**
$error = $this->moveOneItem($itemid, $destCatid);
break;
default:
- $error = _BATCH_UNKNOWN . $action;
+ $error = _BATCH_UNKNOWN . htmlspecialchars($action);
}
echo '<b>',($error ? $error : _BATCH_SUCCESS),'</b>';
$error = $this->deleteOneComment($commentid);
break;
default:
- $error = _BATCH_UNKNOWN . $action;
+ $error = _BATCH_UNKNOWN . htmlspecialchars($action);
}
echo '<b>',($error ? $error : _BATCH_SUCCESS),'</b>';
sql_query('UPDATE ' . sql_table('member') .' SET madmin=0 WHERE mnumber='.$memberid);
break;
default:
- $error = _BATCH_UNKNOWN . $action;
+ $error = _BATCH_UNKNOWN . htmlspecialchars($action);
}
echo '<b>',($error ? $error : _BATCH_SUCCESS),'</b>';
sql_query('UPDATE '.sql_table('team').' SET tadmin=0 WHERE tblog='.$blogid.' and tmember='.$memberid);
break;
default:
- $error = _BATCH_UNKNOWN . $action;
+ $error = _BATCH_UNKNOWN . htmlspecialchars($action);
}
echo '<b>',($error ? $error : _BATCH_SUCCESS),'</b>';
$error = $this->moveOneCategory($catid, $destBlogId);
break;
default:
- $error = _BATCH_UNKNOWN . $action;
+ $error = _BATCH_UNKNOWN . htmlspecialchars($action);
}
echo '<b>',($error ? 'Error: '.$error : _BATCH_SUCCESS),'</b>';
echo '<h3>' . _MEMBERS_NEW .'</h3>';
?>
- <form method="post" action="index.php"><div>
+ <form method="post" action="index.php" name="memberedit"><div>
<input type="hidden" name="action" value="memberadd" />
<?php $manager->addTicketHidden() ?>
<th colspan="2"><?php echo _MEMBERS_NEW?></th>
</tr><tr>
<td><?php echo _MEMBERS_DISPLAY?> <?php help('shortnames');?>
- <br /><small>(This is the name used to logon)</small>
+ <br /><small><?php echo _MEMBERS_DISPLAY_INFO?></small>
</td>
<td><input tabindex="10010" name="name" size="16" maxlength="16" /></td>
</tr><tr>
$mem = MEMBER::createFromID($memberid);
?>
- <form method="post" action="index.php"><div>
+ <form method="post" action="index.php" name="memberedit"><div>
<input type="hidden" name="action" value="changemembersettings" />
<input type="hidden" name="memberid" value="<?php echo $memberid; ?>" />
<td><?php $this->input_yesno('admin',$mem->isAdmin(),60); ?></td>
</tr><tr>
<td><?php echo _MEMBERS_CANLOGIN?> <?php help('canlogin'); ?></td>
- <td><?php $this->input_yesno('canlogin',$mem->canLogin(),70); ?></td>
+ <td><?php $this->input_yesno('canlogin',$mem->canLogin(),70,1,0,_YES,_NO,$mem->isAdmin()); ?></td>
<?php } ?>
</tr><tr>
<td><?php echo _MEMBERS_NOTES?></td>
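Review bot: Passing `$mem->isAdmin()` as the new last argument on L96 only disables the 'no' radio in the browser; a request that carries `canlogin=0` for an admin still reaches the `changemembersettings` handler, which is outside this hunk, so that handler has to enforce the rule itself rather than rely on the form. A disabled control is also omitted from the submitted form, so for admins the handler will receive no `canlogin` field at all and should treat the missing value explicitly instead of falling through to a default. The same client-side-only constraint is what the `input_yesno` change at the end of the file implements; the enclosing form markup continues outside the hunk.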
?>
<h2><?php echo _DELETE_CONFIRM?></h2>
- <p><?php echo _CONFIRMTXT_TEAM1?><b><?php echo $teammem->getDisplayName() ?></b><?php echo _CONFIRMTXT_TEAM2?><b><?php echo htmlspecialchars(strip_tags($blog->getName())) ?></b>
+ <p><?php echo _CONFIRMTXT_TEAM1?><b><?php echo htmlspecialchars($teammem->getDisplayName()) ?></b><?php echo _CONFIRMTXT_TEAM2?><b><?php echo htmlspecialchars(strip_tags($blog->getName())) ?></b>
</p>
<h2><?php echo _DELETE_CONFIRM?></h2>
<div>
- <?php echo _CONFIRMTXT_CATEGORY?><b><?php echo $blog->getCategoryName($catid)?></b>
+ <?php echo _CONFIRMTXT_CATEGORY?><b><?php echo htmlspecialchars($blog->getCategoryName($catid))?></b>
</div>
<form method="post" action="index.php"><div>
?>
<h2><?php echo _DELETE_CONFIRM?></h2>
- <p><?php echo _CONFIRMTXT_MEMBER?><b><?php echo $mem->getDisplayName() ?></b>
+ <p><?php echo _CONFIRMTXT_MEMBER?><b><?php echo htmlspecialchars($mem->getDisplayName()) ?></b>
</p>
<p>
<td><input name="timeoffset" tabindex="110" size="3" value="0" /></td>
</tr><tr>
<td><?php echo _EBLOG_ADMIN?>
- <?php help('blogadmin'); ?>
+ <?php help('teamadmin'); ?>
</td>
<td><?php echo _EBLOG_ADMIN_MSG?></td>
</tr><tr>
<a href="index.php?action=templateoverview">(<?php echo _TEMPLATE_BACK?>)</a>
</p>
- <h2><?php echo _TEMPLATE_EDIT_TITLE?> '<?php echo $templatename; ?>'</h2>
+ <h2><?php echo _TEMPLATE_EDIT_TITLE?> '<?php echo htmlspecialchars($templatename); ?>'</h2>
<?php if ($msg) echo "<p>"._MESSAGE.": $msg</p>";
?>
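Review bot: The heading now escapes `$templatename`, but `$msg` on the following context line is still echoed into the page unescaped; if `$msg` can originate from request data or stored template text, it needs the same treatment: `<?php if ($msg) echo "<p>"._MESSAGE.": ".htmlspecialchars($msg)."</p>";`. The identical pattern is left untouched at L168 in the skin-part editor hunk. Where `$msg` is assigned is outside this hunk, so whether it is already safe cannot be confirmed here.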
$this->_templateEditRow($template, _TEMPLATE_AFOOTER, 'ARCHIVELIST_FOOTER', '', 150);
?>
</tr><tr>
+ <th colspan="2"><?php echo _TEMPLATE_BLOGLIST?> <?php help('templatebloglists'); ?></th>
+<?php $this->_templateEditRow($template, _TEMPLATE_BLOGHEADER, 'BLOGLIST_HEADER', '', 160);
+ $this->_templateEditRow($template, _TEMPLATE_BLOGITEM, 'BLOGLIST_LISTITEM', '', 170);
+ $this->_templateEditRow($template, _TEMPLATE_BLOGFOOTER, 'BLOGLIST_FOOTER', '', 180);
+?>
+ </tr><tr>
<th colspan="2"><?php echo _TEMPLATE_CATEGORYLIST?> <?php help('templatecategorylists'); ?></th>
<?php $this->_templateEditRow($template, _TEMPLATE_CATHEADER, 'CATLIST_HEADER', '', 160);
$this->_templateEditRow($template, _TEMPLATE_CATITEM, 'CATLIST_LISTITEM', '', 170);
$this->addToTemplate($templateid, 'ARCHIVELIST_HEADER', postVar('ARCHIVELIST_HEADER'));
$this->addToTemplate($templateid, 'ARCHIVELIST_LISTITEM', postVar('ARCHIVELIST_LISTITEM'));
$this->addToTemplate($templateid, 'ARCHIVELIST_FOOTER', postVar('ARCHIVELIST_FOOTER'));
+ $this->addToTemplate($templateid, 'BLOGLIST_HEADER', postVar('BLOGLIST_HEADER'));
+ $this->addToTemplate($templateid, 'BLOGLIST_LISTITEM', postVar('BLOGLIST_LISTITEM'));
+ $this->addToTemplate($templateid, 'BLOGLIST_FOOTER', postVar('BLOGLIST_FOOTER'));
$this->addToTemplate($templateid, 'CATLIST_HEADER', postVar('CATLIST_HEADER'));
$this->addToTemplate($templateid, 'CATLIST_LISTITEM', postVar('CATLIST_LISTITEM'));
$this->addToTemplate($templateid, 'CATLIST_FOOTER', postVar('CATLIST_FOOTER'));
<h2><?php echo _DELETE_CONFIRM?></h2>
<p>
- <?php echo _CONFIRMTXT_TEMPLATE?><b><?php echo $name?></b> (<?php echo htmlspecialchars($desc) ?>)
+ <?php echo _CONFIRMTXT_TEMPLATE?><b><?php echo htmlspecialchars($name)?></b> (<?php echo htmlspecialchars($desc) ?>)
</p>
<form method="post" action="index.php"><div>
$tabstart = 75;
while ($row = mysql_fetch_assoc($res)) {
- echo '<li><a tabindex="' . ($tabstart++) . '" href="index.php?action=skinedittype&skinid=' . $skinid . '&type=' . strtolower($row['stype']) . '">' . ucfirst($row['stype']) . '</a> (<a tabindex="' . ($tabstart++) . '" href="index.php?action=skinremovetype&skinid=' . $skinid . '&type=' . strtolower($row['stype']) . '">remove</a>)</li>';
+ echo '<li><a tabindex="' . ($tabstart++) . '" href="index.php?action=skinedittype&skinid=' . $skinid . '&type=' . htmlspecialchars(strtolower($row['stype'])) . '">' . htmlspecialchars(ucfirst($row['stype'])) . '</a> (<a tabindex="' . ($tabstart++) . '" href="index.php?action=skinremovetype&skinid=' . $skinid . '&type=' . htmlspecialchars(strtolower($row['stype'])) . '">remove</a>)</li>';
}
echo '</ul>';
?>
<p>(<a href="index.php?action=skinoverview"><?php echo _SKIN_GOBACK?></a>)</p>
- <h2><?php echo _SKIN_EDITPART_TITLE?> '<?php echo $skin->getName() ?>': <?php echo (isset($friendlyNames[$type]) ? $friendlyNames[$type] : ucfirst($type)); ?></h2>
+ <h2><?php echo _SKIN_EDITPART_TITLE?> '<?php echo htmlspecialchars($skin->getName()) ?>': <?php echo htmlspecialchars(isset($friendlyNames[$type]) ? $friendlyNames[$type] : ucfirst($type)); ?></h2>
<?php if ($msg) echo "<p>"._MESSAGE.": $msg</p>";
?>
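Review bot: `htmlspecialchars()` on the `type` query value at L161 is the attribute-context escape, not the URL-context one: it leaves `&`, `=`, `#`, `?` and spaces intact, so a skin-type name containing any of them would still produce a malformed or redirected link. Encode for the URL first and for the attribute second, e.g. `'&amp;type=' . htmlspecialchars(rawurlencode(strtolower($row['stype'])))`, and apply the same to the remove link in that line. `$skinid` is interpolated into both hrefs with no escaping at all; presumably it has been cast to an integer before this loop, but that happens outside the hunk and cannot be verified here. The enclosing method starts and ends outside the hunk.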
<input type="submit" value="<?php echo _SKIN_UPDATE_BTN?>" onclick="return checkSubmit();" />
<input type="reset" value="<?php echo _SKIN_RESET_BTN?>" />
- (skin type: <?php echo (isset($friendlyNames[$type]) ? $friendlyNames[$type] : ucfirst($type)); ?>)
- <?php help('skinpart' . $type);?>
+ (skin type: <?php echo htmlspecialchars(isset($friendlyNames[$type]) ? $friendlyNames[$type] : ucfirst($type)); ?>)
+ <?php if (in_array($type, array('index', 'item', 'archivelist', 'archive', 'search', 'error', 'member', 'imagepopup'))) {
+ help('skinpart' . $type);
+ } else {
+ help('skinpartspecial');
+ }?>
<br />
<textarea class="skinedit" tabindex="10" rows="20" cols="80" name="content"><?php echo htmlspecialchars($skin->getContent($type)) ?></textarea>
<br />
<input type="submit" tabindex="20" value="<?php echo _SKIN_UPDATE_BTN?>" onclick="return checkSubmit();" />
<input type="reset" value="<?php echo _SKIN_RESET_BTN?>" />
- (skin type: <?php echo (isset($friendlyNames[$type]) ? $friendlyNames[$type] : ucfirst($type)); ?>)
+ (skin type: <?php echo htmlspecialchars(isset($friendlyNames[$type]) ? $friendlyNames[$type] : ucfirst($type)); ?>)
<br /><br />
<?php echo _SKIN_ALLOWEDVARS?>
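Review bot: The allow-list check introduced at L175 should use the strict form, `if (in_array($type, array('index', 'item', 'archivelist', 'archive', 'search', 'error', 'member', 'imagepopup'), true)) {`, so only exact string matches select a per-type help topic; falling back to `help('skinpartspecial')` for everything else is the right shape and keeps request-derived `$type` out of the topic name. The `htmlspecialchars()` wrapping of the friendly name at L174 and L186 is consistent with the rest of the commit.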
$query = 'SELECT bname FROM '.sql_table('blog').' WHERE bdefskin=' . $skinid;
$r = sql_query($query);
if ($o = mysql_fetch_object($r))
- $this->error(_ERROR_SKINDEFDELETE . $o->bname);
+ $this->error(_ERROR_SKINDEFDELETE . htmlspecialchars($o->bname));
$this->pagehead();
<h2><?php echo _DELETE_CONFIRM?></h2>
<p>
- <?php echo _CONFIRMTXT_SKIN?><b><?php echo $name ?></b> (<?php echo htmlspecialchars($desc)?>)
+ <?php echo _CONFIRMTXT_SKIN?><b><?php echo htmlspecialchars($name) ?></b> (<?php echo htmlspecialchars($desc)?>)
</p>
<form method="post" action="index.php"><div>
<h2><?php echo _DELETE_CONFIRM?></h2>
<p>
- <?php echo _CONFIRMTXT_SKIN_PARTS_SPECIAL; ?> <b><?php echo $skintype; ?> (<?php echo $name; ?>)</b> (<?php echo htmlspecialchars($desc)?>)
+ <?php echo _CONFIRMTXT_SKIN_PARTS_SPECIAL; ?> <b><?php echo htmlspecialchars($skintype); ?> (<?php echo htmlspecialchars($name); ?>)</b> (<?php echo htmlspecialchars($desc)?>)
</p>
<form method="post" action="index.php"><div>
<input type="hidden" name="action" value="skinremovetypeconfirm" />
<?php $manager->addTicketHidden() ?>
<input type="hidden" name="skinid" value="<?php echo $skinid; ?>" />
- <input type="hidden" name="type" value="<?php echo $skintype; ?>" />
+ <input type="hidden" name="type" value="<?php echo htmlspecialchars($skintype); ?>" />
<input type="submit" tabindex="10" value="<?php echo _DELETE_CONFIRM_BTN?>" />
</div></form>
<?php
if ($manager->pluginInstalled($name))
$this->error(_ERROR_DUPPLUGIN);
if (!checkPlugin($name))
- $this->error(_ERROR_PLUGFILEERROR . ' (' . $name . ')');
+ $this->error(_ERROR_PLUGFILEERROR . ' (' . htmlspecialchars($name) . ')');
// get number of currently installed plugins
$res = sql_query('SELECT * FROM '.sql_table('plugin'));
$this->deleteOnePlugin($plugin->getID());
// ...and show error
- $this->error(_ERROR_NUCLEUSVERSIONREQ . $plugin->getMinNucleusVersion());
+ $this->error(_ERROR_NUCLEUSVERSIONREQ . htmlspecialchars($plugin->getMinNucleusVersion()));
}
// check if plugin needs a newer Nucleus version
$this->deleteOnePlugin($plugin->getID());
// ...and show error
- $this->error(_ERROR_NUCLEUSVERSIONREQ . $plugin->getMinNucleusVersion() . ' patch ' . $plugin->getMinNucleusPatchLevel());
+ $this->error(_ERROR_NUCLEUSVERSIONREQ . htmlspecialchars( $plugin->getMinNucleusVersion() . ' patch ' . $plugin->getMinNucleusPatchLevel() ) );
}
$pluginList = $plugin->getPluginDep();
// uninstall plugin again...
$this->deleteOnePlugin($plugin->getID());
- $this->error(_ERROR_INSREQPLUGIN . $pluginName);
+ $this->error(_ERROR_INSREQPLUGIN . htmlspecialchars($pluginName));
}
}
* Helper functions to create option forms etc.
* @todo document parameters
*/
- function input_yesno($name, $checkedval,$tabindex = 0, $value1 = 1, $value2 = 0, $yesval = _YES, $noval = _NO) {
+ function input_yesno($name, $checkedval,$tabindex = 0, $value1 = 1, $value2 = 0, $yesval = _YES, $noval = _NO, $isAdmin = 0) {
$id = htmlspecialchars($name);
$id = str_replace('[','-',$id);
$id = str_replace(']','-',$id);
$id1 = $id . htmlspecialchars($value1);
$id2 = $id . htmlspecialchars($value2);
- echo '<input type="radio" name="', htmlspecialchars($name),'" value="', htmlspecialchars($value1),'" ';
+ if ($name=="admin") {
+ echo '<input onclick="selectCanLogin(true);" type="radio" name="', htmlspecialchars($name),'" value="', htmlspecialchars($value1),'" ';
+ } else {
+ echo '<input type="radio" name="', htmlspecialchars($name),'" value="', htmlspecialchars($value1),'" ';
+ }
+
if ($checkedval == $value1)
echo "tabindex='$tabindex' checked='checked'";
echo ' id="'.$id1.'" /><label for="'.$id1.'">' . $yesval . '</label>';
echo ' ';
- echo '<input type="radio" name="', htmlspecialchars($name),'" value="', htmlspecialchars($value2),'" ';
+ if ($name=="admin") {
+ echo '<input onclick="selectCanLogin(false);" type="radio" name="', htmlspecialchars($name),'" value="', htmlspecialchars($value2),'" ';
+ } else {
+ echo '<input type="radio" name="', htmlspecialchars($name),'" value="', htmlspecialchars($value2),'" ';
+ }
if ($checkedval != $value1)
echo "tabindex='$tabindex' checked='checked'";
+ if ($isAdmin && $name=="canlogin")
+ echo " disabled='true'";
echo ' id="'.$id2.'" /><label for="'.$id2.'">' . $noval . '</label>';
}
} // class ADMIN
-?>
+?>
\ No newline at end of file
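Review bot: The new `$isAdmin` parameter of `input_yesno` is not described in the docblock above, which still carries `@todo document parameters`; add a line such as `@param int $isAdmin when truthy and $name is 'canlogin', the 'no' radio is rendered disabled`. The name checks at L251, L262 and L269 use loose `==`; `$name === 'admin'` and `$name === 'canlogin'` are the safer form, and `disabled='true'` at L270 should be `disabled='disabled'` to match the `checked='checked'` style used two lines above. `selectCanLogin()` referenced in the new `onclick` handlers is not defined in this file; presumably it lives in the admin page scripts and targets the form named `memberedit` added earlier in this commit, which should be confirmed.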