Diffstat (limited to 'manage_post.php')
-rw-r--r-- | manage_post.php | 113 |
1 files changed, 113 insertions, 0 deletions
diff --git a/manage_post.php b/manage_post.php
new file mode 100644
index 0000000..8c6129b
--- /dev/null
+++ b/manage_post.php
@@ -0,0 +1,113 @@
+<?php
+
+include_once 'includes/db_inc.php';
+include_once 'model/Post.php';
+
+function delete_post($dbc, $post) {
+ $sql = "DELETE FROM posts WHERE post_id = $post->id";
+ mysqli_query($dbc, $sql);
+
+ $sql = "UPDATE categories SET `cat_post_count` = `cat_post_count` - '1' WHERE cat_id = " . $post->thread->category->id . ";";
+ mysqli_query($dbc, $sql);
+}
+
+session_start();
+
+if ($_SERVER['REQUEST_METHOD'] == 'GET') {
+ $current = new Post();
+
+ if (!isset($_GET['id']) || !filter_var($_GET['id'], FILTER_VALIDATE_INT)) {
+ http_response_code(404);
+ include_once 'templates/404.php';
+ die();
+ } else {
+ $result = $current->get_from_database($_GET['id'], $dbc);
+ if ($result == 0) {
+ http_response_code(404);
+ include_once 'templates/404.php';
+ die();
+ }
+ }
+} else {
+ $id = filter_input(INPUT_POST, 'id', FILTER_SANITIZE_NUMBER_INT);
+ $delete = filter_input(INPUT_POST, 'delete', FILTER_SANITIZE_STRING);
+ $post_content = filter_input(INPUT_POST, 'post_content', FILTER_SANITIZE_STRING);
+
+ $post = new Post();
+ $post->get_from_database($id, $dbc);
+
+ if (!isset($_SESSION['signed_in'])) {
+ echo 'You must be <a href="signin.php">signed in</a> to manage a post.';
+ goto end;
+ }
+
+
+ if ($_SESSION['user_id'] != $post->author->id) {
+ echo "You can't manage another user's post!";
+ goto end;
+ }
+
+ if (strcasecmp($delete, "on") == 0) {
+ delete_post($dbc, $post);
+ } else {
+ $sql = "UPDATE posts SET post_content = ?, post_date_edited = CONVERT_TZ(NOW(), 'SYSTEM', '+00:00') WHERE post_id = ?;";
+ $stmt = mysqli_stmt_init($dbc);
+
+ if (!mysqli_stmt_prepare($stmt, $sql)) {
+ die('Could not create post due to internal error: ' . mysqli_error($dbc));
+ }
+
+ mysqli_stmt_bind_param($stmt, "si", $post_content, $id);
+ mysqli_stmt_execute($stmt);
+ mysqli_stmt_close($stmt);
+ }
+
+ end:
+ header("Location: /viewthread.php?id=" . $post->thread->id);
+}
+?>
+<!DOCTYPE html>
+<html>
+<head>
+ <title>Manage a post - cflip.net forum</title>
+ <link rel="stylesheet" href="/styles/style.css">
+</head>
+<body>
+ <?php include_once 'templates/header.php' ?>
+ <h1>Manage a post</h1>
+ <?php
+ $current->display_content($dbc);
+ echo '<hr>';
+
+ $id = filter_input(INPUT_GET, 'id', FILTER_SANITIZE_NUMBER_INT);
+
+ if (!isset($_SESSION['signed_in'])) {
+ echo 'You must be <a href="signin.php">signed in</a> to manage a post.';
+ return;
+ }
+
+ $current_user = new User();
+ $current_user->get_by_id($_SESSION['user_id'], $dbc);
+
+ // Admin users should be able to delete posts, but they should not be able to edit them
+ // Or should they??
+ if ($current_user->id != $current->author->id/* && $current_user->level < 1*/) {
+ echo "You can't manage another user's post!";
+ return;
+ }
+
+ // TODO: Disallow editing/deleting posts if they have been around for a while
+ ?>
+ <form action="manage_post.php" method="post">
+ <h3>Edit post</h3>
+ <input type="hidden" name="id" value="<?= $current->id ?>">
+ <textarea name="post_content" rows="10" cols="50"><?= $current->content; ?></textarea>
+ <p>Edited posts will show a timestamp above the post showing when the last edit was made.</p>
+ <p>
+ <input type="checkbox" id="delete" name="delete">
+ <label for="delete">Delete this post</label>
+ </p>
+ <input type="submit" value="Apply Changes">
+ </form>
+</body>
+</html>
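Review bot: The edit form writes `$current->content` into the textarea unescaped, so stored content that contains `</textarea>` or markup breaks out of the element when the author reopens it; emit it through the HTML escaper, `<textarea name="post_content" rows="10" cols="50"><?= htmlspecialchars($current->content, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') ?></textarea>`. The same form carries no CSRF token and the POST branch checks none, so a cross-origin submission from a signed-in user's browser is indistinguishable from a genuine edit or delete; storing a `random_bytes()`-derived token in `$_SESSION`, adding it as a hidden field, and comparing it with `hash_equals()` before `delete_post` or the UPDATE runs would close that gap. `delete_post` builds both of its statements by string interpolation while the UPDATE a few lines below uses `mysqli_stmt_prepare` with bound parameters; binding `$post->id` and the category id the same way keeps the file on one query style and removes the only unparameterised SQL in it. On the POST side the return of `$post->get_from_database($id, $dbc)` is not checked the way the GET branch checks it, so a missing post continues into the ownership comparison and the `Location` redirect with a null `$post->thread->id`. `FILTER_SANITIZE_STRING` is deprecated since PHP 8.1 and also strips tags from the saved content, so `FILTER_DEFAULT` on input with escaping at output is the usual replacement.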