Secured almost all user and board calls.
92b0e972cf
@ -9,7 +9,7 @@ use Illuminate\Support\Facades\Log;
|
|||
|
||||
use App\Http\Controllers\AuthController;
|
||||
use App\Http\Controllers\UserController;
|
||||
use App\Http\Controllers\PermissionController;
|
||||
use App\Http\Controllers\PermissionController; // Remove permission controller soon.
|
||||
|
||||
class BoardController extends Controller {
|
||||
private $objAuth;
|
||||
|
@ -300,7 +300,34 @@ class BoardController extends Controller {
|
|||
return $get;
|
||||
}
|
||||
|
||||
public function getPostsofUser($user_id, $from, $to) {
|
||||
public function getPostsofUser($user_id, $from, $to, Request $request) {
|
||||
$getting = array(
|
||||
'for_posts.id',
|
||||
'top_id',
|
||||
'for_posts.user_id',
|
||||
'post_date',
|
||||
'message',
|
||||
'delete',
|
||||
'lastedit',
|
||||
'ipaddress',
|
||||
'delreason',
|
||||
'nolayout',
|
||||
'postcount',
|
||||
'username',
|
||||
'perm_id',
|
||||
'total_posts',
|
||||
'header',
|
||||
'footer',
|
||||
'member_title',
|
||||
'gender',
|
||||
'avatar',
|
||||
'name_style',
|
||||
'display_name',
|
||||
'country'
|
||||
);
|
||||
|
||||
// $valid = $this->objAuth->getPermissions($request->username, $request->password);
|
||||
|
||||
return DB::table('for_posts')
|
||||
->join('users', 'for_posts.user_id', '=', 'users.id')
|
||||
->join('usr_details', 'usr_details.user_id', '=', 'for_posts.user_id')
|
||||
|
@ -310,33 +337,37 @@ class BoardController extends Controller {
|
|||
->offset($from)
|
||||
->limit($to)
|
||||
->orderBy('for_posts.post_date', 'asc')
|
||||
->get(array(
|
||||
'for_posts.id',
|
||||
'top_id',
|
||||
'for_posts.user_id',
|
||||
'post_date',
|
||||
'message',
|
||||
'delete',
|
||||
'lastedit',
|
||||
'ipaddress',
|
||||
'delreason',
|
||||
'nolayout',
|
||||
'postcount',
|
||||
'username',
|
||||
'perm_id',
|
||||
'total_posts',
|
||||
'header',
|
||||
'footer',
|
||||
'member_title',
|
||||
'gender',
|
||||
'avatar',
|
||||
'name_style',
|
||||
'display_name',
|
||||
'country'
|
||||
));
|
||||
->get($getting);
|
||||
}
|
||||
|
||||
public function getUserPosts($top_id, $from, $to) { // /api/rpc/board/post/getuserposts/top/from/to
|
||||
public function getUserPosts($top_id, $from, $to, Request $request) { // /api/rpc/board/post/getuserposts/top/from/to
|
||||
$getting = array(
|
||||
'for_posts.id',
|
||||
'top_id',
|
||||
'for_posts.user_id',
|
||||
'post_date',
|
||||
'message',
|
||||
'delete',
|
||||
'lastedit',
|
||||
'ipaddress',
|
||||
'delreason',
|
||||
'nolayout',
|
||||
'postcount',
|
||||
'username',
|
||||
'perm_id',
|
||||
'total_posts',
|
||||
'header',
|
||||
'footer',
|
||||
'member_title',
|
||||
'gender',
|
||||
'avatar',
|
||||
'name_style',
|
||||
'display_name',
|
||||
'country'
|
||||
);
|
||||
|
||||
$valid = $this->objAuth->getPermissions($request->username, $request->password);
|
||||
|
||||
return DB::table('for_posts')
|
||||
->join('users', 'for_posts.user_id', '=', 'users.id')
|
||||
->join('usr_details', 'usr_details.user_id', '=', 'for_posts.user_id')
|
||||
|
@ -346,33 +377,37 @@ class BoardController extends Controller {
|
|||
->offset($from)
|
||||
->limit($to)
|
||||
->orderBy('for_posts.post_date', 'asc')
|
||||
->get(array(
|
||||
'for_posts.id',
|
||||
'top_id',
|
||||
'for_posts.user_id',
|
||||
'post_date',
|
||||
'message',
|
||||
'delete',
|
||||
'lastedit',
|
||||
'ipaddress',
|
||||
'delreason',
|
||||
'nolayout',
|
||||
'postcount',
|
||||
'username',
|
||||
'perm_id',
|
||||
'total_posts',
|
||||
'header',
|
||||
'footer',
|
||||
'member_title',
|
||||
'gender',
|
||||
'avatar',
|
||||
'name_style',
|
||||
'display_name',
|
||||
'country'
|
||||
));
|
||||
->get($getting);
|
||||
}
|
||||
|
||||
public function getUserPost($id) { // /api/rpc/board/post/getuserpost/id
|
||||
public function getUserPost($id, Request $request) { // /api/rpc/board/post/getuserpost/id
|
||||
$getting = array(
|
||||
'for_posts.id',
|
||||
'top_id',
|
||||
'for_posts.user_id',
|
||||
'post_date',
|
||||
'message',
|
||||
'delete',
|
||||
'lastedit',
|
||||
'ipaddress',
|
||||
'delreason',
|
||||
'nolayout',
|
||||
'postcount',
|
||||
'username',
|
||||
'perm_id',
|
||||
'total_posts',
|
||||
'header',
|
||||
'footer',
|
||||
'member_title',
|
||||
'gender',
|
||||
'avatar',
|
||||
'name_style',
|
||||
'display_name',
|
||||
'country'
|
||||
);
|
||||
|
||||
$valid = $this->objAuth->getPermissions($request->username, $request->password);
|
||||
|
||||
return DB::table('for_posts')
|
||||
->join('users', 'for_posts.user_id', '=', 'users.id')
|
||||
->join('usr_details', 'usr_details.user_id', '=', 'for_posts.user_id')
|
||||
|
@ -380,83 +415,107 @@ class BoardController extends Controller {
|
|||
->join('usr_perm_id', 'usr_perm_id.user_id', '=', 'for_posts.user_id')
|
||||
->where('for_posts.id', $id)
|
||||
->orderBy('for_posts.post_date', 'asc')
|
||||
->get(array(
|
||||
'for_posts.id',
|
||||
'top_id',
|
||||
'for_posts.user_id',
|
||||
'post_date',
|
||||
'message',
|
||||
'delete',
|
||||
'lastedit',
|
||||
'ipaddress',
|
||||
'delreason',
|
||||
'nolayout',
|
||||
'postcount',
|
||||
'username',
|
||||
'perm_id',
|
||||
'total_posts',
|
||||
'header',
|
||||
'footer',
|
||||
'member_title',
|
||||
'gender',
|
||||
'avatar',
|
||||
'name_style',
|
||||
'display_name',
|
||||
'country'
|
||||
));
|
||||
->get($getting);
|
||||
}
|
||||
|
||||
public function addPost(Request $request) { // /api/rpc/board/post/addpost
|
||||
$add = DB::table('for_posts')
|
||||
->insert([
|
||||
'top_id' => $request->top_id,
|
||||
'user_id' => $request->user_id,
|
||||
'post_date' => $request->post_date,
|
||||
'message' => $request->message,
|
||||
'delete' => 0,
|
||||
'lastedit' => 0,
|
||||
'ipaddress' => $request->ipaddress,
|
||||
'delreason' => '',
|
||||
'nolayout' => $request->nolayout,
|
||||
'postcount' => $request->postcount,
|
||||
// Deprecated: remove like and read stuff after full release!
|
||||
'likes' => 0,
|
||||
'likers' => '',
|
||||
'read' => ''
|
||||
]);
|
||||
$check = $this->objAuth->checkLegit($request->username, $request->password);
|
||||
|
||||
return \Response::json($add);
|
||||
if ($check == 0) {
|
||||
return 'Err!';
|
||||
}
|
||||
else {
|
||||
$valid = $this->objAuth->getPermissions($request->username, $request->password);
|
||||
|
||||
if ($valid['for_post'] == 1) {
|
||||
$add = DB::table('for_posts')
|
||||
->insert([
|
||||
'top_id' => $request->top_id,
|
||||
'user_id' => $request->user_id,
|
||||
'post_date' => $request->post_date,
|
||||
'message' => $request->message,
|
||||
'delete' => 0,
|
||||
'lastedit' => 0,
|
||||
'ipaddress' => $request->ipaddress,
|
||||
'delreason' => '',
|
||||
'nolayout' => $request->nolayout,
|
||||
'postcount' => $request->postcount,
|
||||
// Deprecated: remove like and read stuff after full release!
|
||||
'likes' => 0,
|
||||
'likers' => '',
|
||||
'read' => ''
|
||||
]);
|
||||
|
||||
return \Response::json($add);
|
||||
}
|
||||
else {
|
||||
return 'Permission denied.';
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
public function editPost(Request $request) { // /api/rpc/board/post/editpost
|
||||
return DB::table('for_posts')
|
||||
->where('id', $request->id)
|
||||
->update([
|
||||
'lastedit' => $request->lastedit,
|
||||
'message' => $request->message,
|
||||
'nolayout' => $request->nolayout
|
||||
]);
|
||||
$check = $this->objAuth->checkLegit($request->username, $request->password);
|
||||
|
||||
if ($check == 0) {
|
||||
return 'Err!';
|
||||
}
|
||||
else {
|
||||
$valid = $this->objAuth->getPermissions($request->username, $request->password);
|
||||
|
||||
if ($valid['for_editother'] == 1 || $valid['for_editown'] == 1) { // TODO: differenciate own from other.
|
||||
return DB::table('for_posts')
|
||||
->where('id', $request->id)
|
||||
->update([
|
||||
'lastedit' => $request->lastedit,
|
||||
'message' => $request->message,
|
||||
'nolayout' => $request->nolayout
|
||||
]);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
public function deletePost(Request $request) { // /api/rpc/board/post/deletepost
|
||||
return DB::table('for_posts')
|
||||
->where('id', $request->id)
|
||||
->update([
|
||||
'delete' => 1,
|
||||
'delreason' => $request->delreason
|
||||
]);
|
||||
$check = $this->objAuth->checkLegit($request->username, $request->password);
|
||||
|
||||
if ($check == 0) {
|
||||
return 'Err!';
|
||||
}
|
||||
else {
|
||||
$valid = $this->objAuth->getPermissions($request->username, $request->password);
|
||||
|
||||
if ($valid['for_del'] == 1) {
|
||||
return DB::table('for_posts')
|
||||
->where('id', $request->id)
|
||||
->update([
|
||||
'delete' => 1,
|
||||
'delreason' => $request->delreason
|
||||
]);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
public function undeletePost(Request $request) { // /api/rpc/board/post/undeletepost
|
||||
return DB::table('for_posts')
|
||||
->where('id', $request->id)
|
||||
->update([
|
||||
'delete' => 0,
|
||||
'delreason' => ''
|
||||
]);
|
||||
$check = $this->objAuth->checkLegit($request->username, $request->password);
|
||||
|
||||
if ($check == 0) {
|
||||
return 'Err!';
|
||||
}
|
||||
else {
|
||||
$valid = $this->objAuth->getPermissions($request->username, $request->password);
|
||||
|
||||
if ($valid['for_del'] == 1) {
|
||||
return DB::table('for_posts')
|
||||
->where('id', $request->id)
|
||||
->update([
|
||||
'delete' => 0,
|
||||
'delreason' => ''
|
||||
]);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
public function browseCategories() { // /api/rpc/board/browse/browsecategories
|
||||
public function browseCategories(Request $request) { // /api/rpc/board/browse/browsecategories
|
||||
$cats = $this->getCategories()->toArray();
|
||||
$cols = $this->objUser->getGroupColours()->toArray();
|
||||
|
||||
|
@ -472,7 +531,8 @@ class BoardController extends Controller {
|
|||
$resF = array();
|
||||
|
||||
foreach($fors as $f) {
|
||||
$user = $this->objUser->getUser($f['last_uid'])->toArray();
|
||||
$user = $this->objUser->getUser($f['last_uid'], $request)->toArray();
|
||||
// $user = $this->objUser->getUser($f['last_uid'])->toArray();
|
||||
$showName = "";
|
||||
$showCol = "";
|
||||
|
||||
|
@ -583,7 +643,7 @@ class BoardController extends Controller {
|
|||
|
||||
}
|
||||
|
||||
public function browseTopics($mode, $id, $from, $to) { // /api/rpc/board/browse/browsetopicsmode/id/from/to
|
||||
public function browseTopics($mode, $id, $from, $to, Request $request) { // /api/rpc/board/browse/browsetopicsmode/id/from/to
|
||||
$topsUP = $this->getTopicsUnpinned($id, $from, $to);
|
||||
$topsPN = $this->getTopicsPinned($id, $from, $to);
|
||||
$topsUS = $this->getTopicsUser($id, $from, $to);
|
||||
|
@ -612,8 +672,8 @@ class BoardController extends Controller {
|
|||
$fplp = $this->getFirstAndLastPosts($t->id);
|
||||
$userFD = $fplp['first']['date'];
|
||||
$userLD = $fplp['last']['date'];
|
||||
$userFirst = $this->objUser->getUser($fplp['first']['uid'])->toArray();
|
||||
$userLast = $this->objUser->getUser($fplp['last']['uid'])->toArray();
|
||||
$userFirst = $this->objUser->getUser($fplp['first']['uid'], $request)->toArray();
|
||||
$userLast = $this->objUser->getUser($fplp['last']['uid'], $request)->toArray();
|
||||
$showNameF = "";
|
||||
$showColF = "";
|
||||
$showNameL = "";
|
||||
|
@ -830,12 +890,12 @@ class BoardController extends Controller {
|
|||
return $string;
|
||||
}
|
||||
|
||||
public function browseTopicPosts($tp, $id, $from, $to) { // /api/rpc/board/browse/browsetopicposts/tp/id/from/to
|
||||
public function browseTopicPosts($tp, $id, $from, $to, Request $request) { // /api/rpc/board/browse/browsetopicposts/tp/id/from/to
|
||||
// Load group colours.
|
||||
$ucol = $this->objUser->getGroupColours();
|
||||
|
||||
// All the user posts' user IDs.
|
||||
if ($tp == 't') $uid = $this->getUserPosts($id, $from, $to);
|
||||
if ($tp == 't') $uid = $this->getUserPosts($id, $from, $to, $request);
|
||||
else if ($tp == 'p') $uid = $this->getUserPost($id);
|
||||
else $uid = $this->getPostsOfUser($id, $from, $to);
|
||||
$udat = array();
|
||||
|
@ -909,9 +969,9 @@ class BoardController extends Controller {
|
|||
return $udat;
|
||||
}
|
||||
|
||||
public function browsePermissions($uid) { // /api/rpc/board/browse/browsepermissions/uid
|
||||
public function browsePermissions($uid, Request $request) { // /api/rpc/board/browse/browsepermissions/uid
|
||||
// Get user ID.
|
||||
$perm = $this->objUser->getUser($uid);
|
||||
$perm = $this->objUser->getUser($uid, $request);
|
||||
|
||||
// Does the user ID exist? Grand the appropriate rights. Otherwise, use guest.
|
||||
if ($uid != 0) {
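Review bot: In getUserPosts and getUserPost the new line `$valid = $this->objAuth->getPermissions($request->username, $request->password);` is assigned and never read, so these read paths still return `ipaddress` for every post to any caller, whereas getUsers in UserController only adds `ip_address` when `usr_ipshow` is set; in getPostsofUser the call is commented out altogether. Each of those two functions starts in one hunk and its body continues into the next. The equivalent gate would be `if ($valid['usr_ipshow'] != 1) { $getting = array_values(array_diff($getting, ['ipaddress'])); }` placed before the query, assuming the same permission key is meant to govern post IPs (the permission set objAuth returns is not visible here). In browseTopicPosts only the `'t'` branch was updated to pass `$request`; `getUserPost($id)` on the `'p'` branch and `getPostsOfUser($id, $from, $to)` on the fallback branch now pass one argument fewer than the new signatures require and will fail with ArgumentCountError. In addPost the inserted `user_id` and `ipaddress` are taken from the request body rather than from the account checkLegit validated, the `for_editother || for_editown` TODO in editPost lets an editown-only caller edit any post id, and editPost/deletePost/undeletePost fall off the end with no return on denial where addPost returns `'Permission denied.'`.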
|
||||
@ -58,24 +58,34 @@ class UserController extends Controller {
|
|||
]);
|
||||
}
|
||||
|
||||
public function getUsers() { // /api/rpc/user/user/getusers
|
||||
public function getUsers(Request $request) { // /api/rpc/user/user/getusers
|
||||
$getting = array(
|
||||
'users.id',
|
||||
'username',
|
||||
'perm_id',
|
||||
'reg_date',
|
||||
'gender',
|
||||
'avatar',
|
||||
'name_style',
|
||||
'display_name',
|
||||
'country'
|
||||
);
|
||||
|
||||
$valid = $this->objAuth->getPermissions($request->username, $request->password);
|
||||
|
||||
if ($valid['usr_emailshow'] == 1) {
|
||||
array_push($getting, 'email');
|
||||
}
|
||||
|
||||
if ($valid['usr_ipshow'] == 1) {
|
||||
array_push($getting, 'ip_address');
|
||||
}
|
||||
|
||||
return DB::table('users')
|
||||
->join('usr_details', 'usr_details.user_id', '=', 'users.id')
|
||||
->join('usr_profile', 'usr_profile.user_id', '=', 'users.id')
|
||||
->join('usr_perm_id', 'usr_perm_id.user_id', '=', 'users.id')
|
||||
->get(array(
|
||||
'id',
|
||||
'username',
|
||||
'perm_id',
|
||||
'email',
|
||||
'reg_date',
|
||||
'gender',
|
||||
'ip_address',
|
||||
'avatar',
|
||||
'name_style',
|
||||
'display_name',
|
||||
'country'
|
||||
));
|
||||
->get($getting);
|
||||
}
|
||||
|
||||
public function getUser($id, Request $request) { // /api/rpc/user/user/getuser/id/uid
|
||||
|
@ -264,37 +274,58 @@ class UserController extends Controller {
|
|||
}
|
||||
|
||||
public function addOwner(Request $request) { // /api/rpc/user/owner/addowner
|
||||
$add = DB::table('str_owners')
|
||||
->insert([
|
||||
'user_id' => $request->user_id,
|
||||
'file_id' => $request->file_id
|
||||
]);
|
||||
$check = $this->objAuth->checkLegit($request->username, $request->password);
|
||||
|
||||
return \Response::json($add);
|
||||
if ($check == 0) {
|
||||
return 'Err!';
|
||||
}
|
||||
else {
|
||||
$add = DB::table('str_owners')
|
||||
->insert([
|
||||
'user_id' => $request->user_id,
|
||||
'file_id' => $request->file_id
|
||||
]);
|
||||
|
||||
return \Response::json($add);
|
||||
}
|
||||
}
|
||||
|
||||
public function updateTotalPostCount(Request $request) { // /api/rpc/user/user/updatetotalpostcount
|
||||
$getPC = $this->getTotalPostCount($request->user_id);
|
||||
$getPC++;
|
||||
$check = $this->objAuth->checkLegit($request->username, $request->password);
|
||||
|
||||
return DB::table('usr_details')
|
||||
->where('user_id', $request->user_id)
|
||||
->update([
|
||||
'total_posts' => $getPC
|
||||
]);
|
||||
if ($check == 0) {
|
||||
return 'Err!';
|
||||
}
|
||||
else {
|
||||
$getPC = $this->getTotalPostCount($request->user_id);
|
||||
$getPC++;
|
||||
|
||||
return DB::table('usr_details')
|
||||
->where('user_id', $request->user_id)
|
||||
->update([
|
||||
'total_posts' => $getPC
|
||||
]);
|
||||
}
|
||||
}
|
||||
|
||||
public function updateTotalTopicCount(Request $request) { // /api/rpc/user/user/updatetotaltopiccount
|
||||
$getPC = $this->getTotalPostCount($request->user_id);
|
||||
$getTC = $this->getTotalTopicCount($request->user_id);
|
||||
$getPC++;
|
||||
$getTC++;
|
||||
$check = $this->objAuth->checkLegit($request->username, $request->password);
|
||||
|
||||
return DB::table('usr_details')
|
||||
->where('user_id', $request->user_id)
|
||||
->update([
|
||||
'total_posts' => $getPC,
|
||||
'total_threads' => $getTC
|
||||
]);
|
||||
if ($check == 0) {
|
||||
return 'Err!';
|
||||
}
|
||||
else {
|
||||
$getPC = $this->getTotalPostCount($request->user_id);
|
||||
$getTC = $this->getTotalTopicCount($request->user_id);
|
||||
$getPC++;
|
||||
$getTC++;
|
||||
|
||||
return DB::table('usr_details')
|
||||
->where('user_id', $request->user_id)
|
||||
->update([
|
||||
'total_posts' => $getPC,
|
||||
'total_threads' => $getTC
|
||||
]);
|
||||
}
|
||||
}
|
||||
}
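Review bot: addOwner, updateTotalPostCount and updateTotalTopicCount now require a valid login via checkLegit but never check that the caller may act on `$request->user_id`, so any authenticated account can insert an owner row for an arbitrary user/file pair or increment another user's `total_posts`/`total_threads`; getUsers, by contrast, consults getPermissions before widening `$getting`. The target user id should come from the account checkLegit verified, or the action should be gated on a permission from getPermissions the way getUsers does, rather than trusting the body. `if ($check == 0)` depends on loose comparison against a return value whose type is not visible here; `if ($check === 0)` (or a boolean contract for checkLegit) pins it down, since `==` also treats `null`, `false` and, on PHP 7, `''` as 0. The `'Err!'` early return is a bare string with status 200, so clients cannot tell a denied call from data; `return response()->json(['error' => 'unauthorized'], 401);` makes the failure machine-readable.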
|
||||