svrjs-mods-directory/includes/page_editmod.php

238 lines
No EOL
12 KiB
PHP

<?php
if (!defined('SVRJS_MOD_DIRECTORY')) die;
$errorMessage = null;
$modEdited = false;
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
if (!isset($_POST['_csrf']) || $_POST['_csrf'] != $_SESSION['csrf']) {
$errorMessage = "Potential CSRF attack detected.";
} elseif (!isset($_POST['name'], $_POST['category'], $_POST['link']) || !$_POST['name'] || !$_POST['category'] || !$_POST['link']) {
$errorMessage = "You need to input name, category and download page URL.";
} elseif (!filter_var($_POST['link'], FILTER_VALIDATE_URL) || !preg_match('/^https?:\\/\\//', $_POST['link'])) {
$errorMessage = "Invalid download page URL.";
} elseif (isset($_POST['docslink']) && $_POST['docslink'] && (!filter_var($_POST['docslink'], FILTER_VALIDATE_URL) || !preg_match('/^https?:\\/\\//', $_POST['docslink']))) {
$errorMessage = "Invalid documentation URL.";
} elseif (!filter_var($_POST['category'], FILTER_VALIDATE_INT)) {
$errorMessage = "Invalid category.";
} else {
$categoryID = intval($_POST['category']);
$statement = $connection->prepare("SELECT id FROM categories WHERE id = ?");
if (!$statement) {
$errorMessage = "An unexpected error occurred while editing the mod.";
} else {
$statement->bind_param('i', $categoryID);
$statement->execute();
$result = $statement->get_result();
if (!$result) {
$errorMessage = "An unexpected error occurred while editing the mod.";
$statement->close();
} else {
$isCategoryPresent = boolval($result->fetch_assoc());
$statement->close();
if (!$isCategoryPresent) {
$errorMessage = "The selected category doesn't exist.";
} else {
$fileError = false;
$fileExtension = null;
$modPendingUploadDirectory = APP_FSROOT . '/img/mods_pending';
$modUploadDirectory = APP_FSROOT . '/img/mods';
if (isset($_FILES['cover']) && $_FILES['cover']['error'] != UPLOAD_ERR_NO_FILE) {
if ($_FILES['cover']['error'] != UPLOAD_ERR_OK) {
$fileError = true;
$errorMessage = "An unexpected error occurred while uploading the cover image.";
} else {
$fileTmpPath = $_FILES['cover']['tmp_name'];
$fileName = $_FILES['cover']['name'];
$fileSize = $_FILES['cover']['size'];
$fileType = $_FILES['cover']['type'];
$fileExtension = pathinfo($fileName, PATHINFO_EXTENSION);
if ($fileSize > IMAGE_MAX_SIZE) {
$fileError = true;
$errorMessage = "The cover image is too large. Maximum cover image size: " . formatFileSize(IMAGE_MAX_SIZE);
} elseif (!in_array($fileExtension, IMAGE_EXTENSIONS_ALLOWED, true)) {
$fileError = true;
$errorMessage = "Invalid cover image extension.";
} else {
$imageType = exif_imagetype($fileTmpPath);
if (!$imageType || ($fileType && image_type_to_mime_type($imageType) != $fileType)) {
$fileError = true;
$errorMessage = "The cover image is either corrupted or of wrong type.";
} else {
if (!file_exists($modPendingUploadDirectory) && !mkdir($modPendingUploadDirectory, 0777, true)) {
$fileError = true;
$errorMessage = "An unexpected error occurred while uploading the cover image.";
}
if (!$fileError) {
$uploadedCoverImagePathname = $modPendingUploadDirectory . '/' . str_replace(['/', '\\'], '', $modDataToEdit['slug']) . '.' . $fileExtension;
if (!move_uploaded_file($fileTmpPath, $uploadedCoverImagePathname)) {
$fileError = true;
$errorMessage = "An unexpected error occurred while uploading the cover image.";
}
}
}
}
}
} else {
$fileExtension = $modDataToEdit['image_ext'] ? str_replace(['/', '\\'], '', $modDataToEdit['image_ext']) : null;
$liveCoverImagePathname = $modUploadDirectory . '/' . str_replace(['/', '\\'], '', $modDataToEdit['slug']) . '.' . $fileExtension;
if (file_exists($liveCoverImagePathname)) {
if (!file_exists($modPendingUploadDirectory) && !mkdir($modPendingUploadDirectory, 0777, true)) {
$fileError = true;
$errorMessage = "An unexpected error occurred while copying the cover image.";
}
if (!$fileError) {
$pendingCoverImagePathname = $modPendingUploadDirectory . '/' . str_replace(['/', '\\'], '', $modDataToEdit['slug']) . '.' . $fileExtension;
if (!copy($liveCoverImagePathname, $pendingCoverImagePathname)) {
$fileError = true;
$errorMessage = "An unexpected error occurred while copying the cover image.";
}
}
}
}
if (!$fileError) {
$statement = $connection->prepare("REPLACE INTO mods_pending (
id,
name,
slug,
description,
category,
link,
docs_link,
user,
image_ext,
is_paid,
is_rejected
) VALUES (
?,
?,
?,
?,
?,
?,
?,
?,
?,
?,
0
);");
if (!$statement) {
$errorMessage = "An unexpected error occurred while editing the mod.";
} else {
$modID = $modDataToEdit['pending'] ? $modDataToEdit['id'] : null;
$modName = $_POST['name'];
$modSlug = $modDataToEdit['slug'];
$modDescription = isset($_POST['description']) && $_POST['description'] ? $_POST['description'] : null;
$modCategory = $categoryID;
$modLink = $_POST['link'];
$modDocsLink = isset($_POST['docslink']) && $_POST['docslink'] ? $_POST['docslink'] : null;
$modUser = $_SESSION['user'];
$modImageExt = $fileExtension;
$modIsPaid = isset($_POST['paid']) ? 1 : 0;
$statement->bind_param('isssissisi', $modID, $modName, $modSlug, $modDescription, $modCategory, $modLink, $modDocsLink, $modUser, $modImageExt, $modIsPaid);
if (!$statement->execute()) {
$errorMessage = "An unexpected error occurred while editing the mod.";
$statement->close();
} else {
$modEdited = true;
$statement->close();
}
}
}
}
}
}
}
}
if (!$modEdited) {
$pageTitle = "Edit mod";
$pageDescription = "Edit the SVR.JS mod in SVR.JS Mods directory.";
} else {
$pageTitle = "Mod edited";
$pageDescription = "The edited mod is now awaiting moderators' approval.";
}
include 'header.php';
?>
<main class="content">
<?php if ($modEdited) { ?>
<h1>Mod edited</h1>
<p>The edited mod is now awaiting moderators' approval.</p>
<p><a href="<?php echo htmlspecialchars((URL_REWRITTEN ? APP_ROOT : APP_ROOT . APP_FILENAME . '/') . 'pending-mods'); ?>" class="btn">View pending mods</a></p>
<?php } else { ?>
<h1>Edit mod</h1>
<p><?php echo $modDataToEdit['pending'] ? 'You are editing the pending mod entry.' : 'You are editing the mod entry as it is displayed in the mod page.'; ?></p>
<form action="<?php echo htmlspecialchars((URL_REWRITTEN ? APP_ROOT : APP_ROOT . APP_FILENAME . '/') . 'edit-mod/' . urlencode($modDataToEdit['slug'])) ?>" method="post" class="form" enctype="multipart/form-data">
<div class="form-block">
<label for="name">Mod name:</label>
<input type="text" id="name" name="name" required maxlength="255" value="<?php echo htmlspecialchars($modDataToEdit['name']); ?>">
</div>
<div class="form-block">
<label for="cover">Cover image:</label>
<input type="file" id="cover" name="cover" accept="<?php echo htmlspecialchars(implode(',', array_map(
function ($extension) {
return '.' . $extension;
},
IMAGE_EXTENSIONS_ALLOWED
))) ?>">
<p>Allowed file extensions for the cover image: <strong><?php echo htmlspecialchars(implode(', ', array_map(
function ($extension) {
return '.' . $extension;
},
IMAGE_EXTENSIONS_ALLOWED
))) ?></strong></p>
</div>
<div class="form-block">
<label for="category">Category:</label>
<select id="category" name="category" required>
<?php
$result = $connection->query('SELECT id, name FROM categories');
if ($result) {
while ($row = $result->fetch_assoc()) {
echo '<option value="' . htmlspecialchars(number_format($row['id'], 0)) . '"' . ($row['id'] == $modDataToEdit['category_id'] ? ' selected' : '') . '>' . htmlspecialchars($row['name']) . '</option>';
}
}
?>
</select>
</div>
<div class="form-block">
<label for="description">Mod description:</label>
<textarea name="description" id="description" maxlength="10000"><?php echo htmlspecialchars(isset($modDataToEdit['description']) ? $modDataToEdit['description'] : ""); ?></textarea>
</div>
<div class="form-block">
<label for="link">Download page URL:</label>
<input type="url" id="link" name="link" required maxlength="255" value="<?php echo htmlspecialchars($modDataToEdit['link']); ?>">
</div>
<div class="form-block">
<label for="docslink">Documentation URL:</label>
<input type="url" id="docslink" name="docslink" maxlength="255" value="<?php echo htmlspecialchars(isset($modDataToEdit['docs_link']) ? $modDataToEdit['docs_link'] : ""); ?>">
</div>
<div class="form-block-checkbox">
<input type="checkbox" name="paid" id="paid" <?php echo $modDataToEdit['is_paid'] ? 'checked' : '' ?>>
<label for="paid">Paid?</label>
</div>
<?php if ($errorMessage) echo '<p class="form-error">' . htmlspecialchars($errorMessage) . '</p>'; ?>
<div class="form-block">
<input type="submit" value="Edit mod">
</div>
<input type="hidden" name="_csrf" value="<?php echo htmlspecialchars($_SESSION['csrf']) ?>">
</form>
<?php } ?>
</main>
<?php
include 'footer.php';
if ($modEdited) {
$moderatorResult = $connection->query("SELECT email AS address, username AS name FROM users WHERE is_moderator = 1;");
if ($moderatorResult) {
$moderators = [];
while ($moderator = $moderatorResult->fetch_assoc()) {
array_push($moderators, $moderator);
}
sendEmail($moderators, 'A mod has been edited that requires approval', "A mod has been edited that requires approval:\n\nMod name: " . str_replace(["\r\n", "\r", "\n"], '', $_POST['name']) . "\nSlug: " . $modDataToEdit['slug'] . "\n\nPlease review the mod and approve or reject it.");
}
}
?>