authorcflip <36554078+cflip@users.noreply.github.com>2021-04-14 18:18:29 -0600
committercflip <36554078+cflip@users.noreply.github.com>2021-04-14 18:18:29 -0600
commit79ea99ee8cf0c387606087fc9cc9c379512ccd9c (patch)
tree1c61cfdc0fa52af589a9908bab5e0c7e9df31cdd /manage_post.php
parent9a3e01d5568211c2196074ca8b9d0d0b6239cafa (diff)
Add post editing page (#12)
Diffstat (limited to 'manage_post.php')
-rw-r--r--manage_post.php113
1 files changed, 113 insertions, 0 deletions
diff --git a/manage_post.php b/manage_post.php
new file mode 100644
index 0000000..8c6129b
--- /dev/null
+++ b/manage_post.php
@@ -0,0 +1,113 @@
+<?php
+
+include_once 'includes/db_inc.php';
+include_once 'model/Post.php';
+
+function delete_post($dbc, $post) {
+ $sql = "DELETE FROM posts WHERE post_id = $post->id";
+ mysqli_query($dbc, $sql);
+
+ $sql = "UPDATE categories SET `cat_post_count` = `cat_post_count` - '1' WHERE cat_id = " . $post->thread->category->id . ";";
+ mysqli_query($dbc, $sql);
+}
+
+session_start();
+
+if ($_SERVER['REQUEST_METHOD'] == 'GET') {
+ $current = new Post();
+
+ if (!isset($_GET['id']) || !filter_var($_GET['id'], FILTER_VALIDATE_INT)) {
+ http_response_code(404);
+ include_once 'templates/404.php';
+ die();
+ } else {
+ $result = $current->get_from_database($_GET['id'], $dbc);
+ if ($result == 0) {
+ http_response_code(404);
+ include_once 'templates/404.php';
+ die();
+ }
+ }
+} else {
+ $id = filter_input(INPUT_POST, 'id', FILTER_SANITIZE_NUMBER_INT);
+ $delete = filter_input(INPUT_POST, 'delete', FILTER_SANITIZE_STRING);
+ $post_content = filter_input(INPUT_POST, 'post_content', FILTER_SANITIZE_STRING);
+
+ $post = new Post();
+ $post->get_from_database($id, $dbc);
+
+ if (!isset($_SESSION['signed_in'])) {
+ echo 'You must be <a href="signin.php">signed in</a> to manage a post.';
+ goto end;
+ }
+
+
+ if ($_SESSION['user_id'] != $post->author->id) {
+ echo "You can't manage another user's post!";
+ goto end;
+ }
+
+ if (strcasecmp($delete, "on") == 0) {
+ delete_post($dbc, $post);
+ } else {
+ $sql = "UPDATE posts SET post_content = ?, post_date_edited = CONVERT_TZ(NOW(), 'SYSTEM', '+00:00') WHERE post_id = ?;";
+ $stmt = mysqli_stmt_init($dbc);
+
+ if (!mysqli_stmt_prepare($stmt, $sql)) {
+ die('Could not create post due to internal error: ' . mysqli_error($dbc));
+ }
+
+ mysqli_stmt_bind_param($stmt, "si", $post_content, $id);
+ mysqli_stmt_execute($stmt);
+ mysqli_stmt_close($stmt);
+ }
+
+ end:
+ header("Location: /viewthread.php?id=" . $post->thread->id);
+}
+?>
+<!DOCTYPE html>
+<html>
+<head>
+ <title>Manage a post - cflip.net forum</title>
+ <link rel="stylesheet" href="/styles/style.css">
+</head>
+<body>
+ <?php include_once 'templates/header.php' ?>
+ <h1>Manage a post</h1>
+ <?php
+ $current->display_content($dbc);
+ echo '<hr>';
+
+ $id = filter_input(INPUT_GET, 'id', FILTER_SANITIZE_NUMBER_INT);
+
+ if (!isset($_SESSION['signed_in'])) {
+ echo 'You must be <a href="signin.php">signed in</a> to manage a post.';
+ return;
+ }
+
+ $current_user = new User();
+ $current_user->get_by_id($_SESSION['user_id'], $dbc);
+
+ // Admin users should be able to delete posts, but they should not be able to edit them
+ // Or should they??
+ if ($current_user->id != $current->author->id/* && $current_user->level < 1*/) {
+ echo "You can't manage another user's post!";
+ return;
+ }
+
+ // TODO: Disallow editing/deleting posts if they have been around for a while
+ ?>
+ <form action="manage_post.php" method="post">
+ <h3>Edit post</h3>
+ <input type="hidden" name="id" value="<?= $current->id ?>">
+ <textarea name="post_content" rows="10" cols="50"><?= $current->content; ?></textarea>
+ <p>Edited posts will show a timestamp above the post showing when the last edit was made.</p>
+ <p>
+ <input type="checkbox" id="delete" name="delete">
+ <label for="delete">Delete this post</label>
+ </p>
+ <input type="submit" value="Apply Changes">
+ </form>
+</body>
+</html>
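Review bot: The POST branch (L52–L88) edits or deletes a post on the strength of the session alone: the form at L122–L132 carries no anti-CSRF token and nothing on the POST side checks one, so a page on another origin can submit `id` plus `delete=on` on behalf of a signed-in user. Mint a token once per session after `session_start()`, echo it as a hidden field, and reject the POST with `hash_equals` before the database lookup at L58, as sketched below. Separately, the redirect at L87 is not followed by `exit`, so the template from L90 onward still executes in the POST branch, where `$current` is never assigned; add `exit;` directly after the `header(...)` call. The textarea at L125 echoes `$current->content` unescaped; use `htmlspecialchars($current->content, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` so content containing `</textarea>` cannot break out of the field, whatever filtering the post-creation path applies. `delete_post` also builds both statements by interpolation at L28 and L31 while the update at L74 uses a prepared statement; the values come from the database rather than the request, but binding them keeps the handler consistent and robust to a `$post` whose lookup failed (L58 ignores the return value that the GET path checks at L46).
```php
session_start();

// Anti-CSRF token: minted once per session, required on every POST.
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

if ($_SERVER['REQUEST_METHOD'] == 'GET') {
    // … unchanged: GET lookup and 404 handling …
} else {
    $token = filter_input(INPUT_POST, 'csrf_token');
    if (!is_string($token) || !hash_equals($_SESSION['csrf_token'], $token)) {
        http_response_code(403);
        die('Invalid request token.');
    }
    // … unchanged: id/delete/post_content filtering, sign-in and author checks, update/delete …
    end:
    header("Location: /viewthread.php?id=" . $post->thread->id);
    exit;
}
// … unchanged: HTML head, display_content, sign-in and author checks …
<input type="hidden" name="csrf_token" value="<?= htmlspecialchars($_SESSION['csrf_token'], ENT_QUOTES, 'UTF-8') ?>">
```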