Secured almost all user and board calls.

このコミットが含まれているのは:
テクニカル諏訪子 2018-04-12 20:33:31 +09:00
コミット 92b0e972cf
2個のファイルの変更250行の追加159行の削除


@ -9,7 +9,7 @@ use Illuminate\Support\Facades\Log;
use App\Http\Controllers\AuthController;
use App\Http\Controllers\UserController;
use App\Http\Controllers\PermissionController;
use App\Http\Controllers\PermissionController; // Remove permission controller soon.
class BoardController extends Controller {
private $objAuth;
@ -300,7 +300,34 @@ class BoardController extends Controller {
return $get;
}
public function getPostsofUser($user_id, $from, $to) {
public function getPostsofUser($user_id, $from, $to, Request $request) {
$getting = array(
'for_posts.id',
'top_id',
'for_posts.user_id',
'post_date',
'message',
'delete',
'lastedit',
'ipaddress',
'delreason',
'nolayout',
'postcount',
'username',
'perm_id',
'total_posts',
'header',
'footer',
'member_title',
'gender',
'avatar',
'name_style',
'display_name',
'country'
);
// $valid = $this->objAuth->getPermissions($request->username, $request->password);
return DB::table('for_posts')
->join('users', 'for_posts.user_id', '=', 'users.id')
->join('usr_details', 'usr_details.user_id', '=', 'for_posts.user_id')
@ -310,33 +337,37 @@ class BoardController extends Controller {
->offset($from)
->limit($to)
->orderBy('for_posts.post_date', 'asc')
->get(array(
'for_posts.id',
'top_id',
'for_posts.user_id',
'post_date',
'message',
'delete',
'lastedit',
'ipaddress',
'delreason',
'nolayout',
'postcount',
'username',
'perm_id',
'total_posts',
'header',
'footer',
'member_title',
'gender',
'avatar',
'name_style',
'display_name',
'country'
));
->get($getting);
}
public function getUserPosts($top_id, $from, $to) { // /api/rpc/board/post/getuserposts/top/from/to
public function getUserPosts($top_id, $from, $to, Request $request) { // /api/rpc/board/post/getuserposts/top/from/to
$getting = array(
'for_posts.id',
'top_id',
'for_posts.user_id',
'post_date',
'message',
'delete',
'lastedit',
'ipaddress',
'delreason',
'nolayout',
'postcount',
'username',
'perm_id',
'total_posts',
'header',
'footer',
'member_title',
'gender',
'avatar',
'name_style',
'display_name',
'country'
);
$valid = $this->objAuth->getPermissions($request->username, $request->password);
return DB::table('for_posts')
->join('users', 'for_posts.user_id', '=', 'users.id')
->join('usr_details', 'usr_details.user_id', '=', 'for_posts.user_id')
@ -346,33 +377,37 @@ class BoardController extends Controller {
->offset($from)
->limit($to)
->orderBy('for_posts.post_date', 'asc')
->get(array(
'for_posts.id',
'top_id',
'for_posts.user_id',
'post_date',
'message',
'delete',
'lastedit',
'ipaddress',
'delreason',
'nolayout',
'postcount',
'username',
'perm_id',
'total_posts',
'header',
'footer',
'member_title',
'gender',
'avatar',
'name_style',
'display_name',
'country'
));
->get($getting);
}
public function getUserPost($id) { // /api/rpc/board/post/getuserpost/id
public function getUserPost($id, Request $request) { // /api/rpc/board/post/getuserpost/id
$getting = array(
'for_posts.id',
'top_id',
'for_posts.user_id',
'post_date',
'message',
'delete',
'lastedit',
'ipaddress',
'delreason',
'nolayout',
'postcount',
'username',
'perm_id',
'total_posts',
'header',
'footer',
'member_title',
'gender',
'avatar',
'name_style',
'display_name',
'country'
);
$valid = $this->objAuth->getPermissions($request->username, $request->password);
return DB::table('for_posts')
->join('users', 'for_posts.user_id', '=', 'users.id')
->join('usr_details', 'usr_details.user_id', '=', 'for_posts.user_id')
@ -380,83 +415,107 @@ class BoardController extends Controller {
->join('usr_perm_id', 'usr_perm_id.user_id', '=', 'for_posts.user_id')
->where('for_posts.id', $id)
->orderBy('for_posts.post_date', 'asc')
->get(array(
'for_posts.id',
'top_id',
'for_posts.user_id',
'post_date',
'message',
'delete',
'lastedit',
'ipaddress',
'delreason',
'nolayout',
'postcount',
'username',
'perm_id',
'total_posts',
'header',
'footer',
'member_title',
'gender',
'avatar',
'name_style',
'display_name',
'country'
));
->get($getting);
}
public function addPost(Request $request) { // /api/rpc/board/post/addpost
$add = DB::table('for_posts')
->insert([
'top_id' => $request->top_id,
'user_id' => $request->user_id,
'post_date' => $request->post_date,
'message' => $request->message,
'delete' => 0,
'lastedit' => 0,
'ipaddress' => $request->ipaddress,
'delreason' => '',
'nolayout' => $request->nolayout,
'postcount' => $request->postcount,
// Deprecated: remove like and read stuff after full release!
'likes' => 0,
'likers' => '',
'read' => ''
]);
$check = $this->objAuth->checkLegit($request->username, $request->password);
return \Response::json($add);
if ($check == 0) {
return 'Err!';
}
else {
$valid = $this->objAuth->getPermissions($request->username, $request->password);
if ($valid['for_post'] == 1) {
$add = DB::table('for_posts')
->insert([
'top_id' => $request->top_id,
'user_id' => $request->user_id,
'post_date' => $request->post_date,
'message' => $request->message,
'delete' => 0,
'lastedit' => 0,
'ipaddress' => $request->ipaddress,
'delreason' => '',
'nolayout' => $request->nolayout,
'postcount' => $request->postcount,
// Deprecated: remove like and read stuff after full release!
'likes' => 0,
'likers' => '',
'read' => ''
]);
return \Response::json($add);
}
else {
return 'Permission denied.';
}
}
}
public function editPost(Request $request) { // /api/rpc/board/post/editpost
return DB::table('for_posts')
->where('id', $request->id)
->update([
'lastedit' => $request->lastedit,
'message' => $request->message,
'nolayout' => $request->nolayout
]);
$check = $this->objAuth->checkLegit($request->username, $request->password);
if ($check == 0) {
return 'Err!';
}
else {
$valid = $this->objAuth->getPermissions($request->username, $request->password);
if ($valid['for_editother'] == 1 || $valid['for_editown'] == 1) { // TODO: differenciate own from other.
return DB::table('for_posts')
->where('id', $request->id)
->update([
'lastedit' => $request->lastedit,
'message' => $request->message,
'nolayout' => $request->nolayout
]);
}
}
}
public function deletePost(Request $request) { // /api/rpc/board/post/deletepost
return DB::table('for_posts')
->where('id', $request->id)
->update([
'delete' => 1,
'delreason' => $request->delreason
]);
$check = $this->objAuth->checkLegit($request->username, $request->password);
if ($check == 0) {
return 'Err!';
}
else {
$valid = $this->objAuth->getPermissions($request->username, $request->password);
if ($valid['for_del'] == 1) {
return DB::table('for_posts')
->where('id', $request->id)
->update([
'delete' => 1,
'delreason' => $request->delreason
]);
}
}
}
public function undeletePost(Request $request) { // /api/rpc/board/post/undeletepost
return DB::table('for_posts')
->where('id', $request->id)
->update([
'delete' => 0,
'delreason' => ''
]);
$check = $this->objAuth->checkLegit($request->username, $request->password);
if ($check == 0) {
return 'Err!';
}
else {
$valid = $this->objAuth->getPermissions($request->username, $request->password);
if ($valid['for_del'] == 1) {
return DB::table('for_posts')
->where('id', $request->id)
->update([
'delete' => 0,
'delreason' => ''
]);
}
}
}
public function browseCategories() { // /api/rpc/board/browse/browsecategories
public function browseCategories(Request $request) { // /api/rpc/board/browse/browsecategories
$cats = $this->getCategories()->toArray();
$cols = $this->objUser->getGroupColours()->toArray();
@ -472,7 +531,8 @@ class BoardController extends Controller {
$resF = array();
foreach($fors as $f) {
$user = $this->objUser->getUser($f['last_uid'])->toArray();
$user = $this->objUser->getUser($f['last_uid'], $request)->toArray();
// $user = $this->objUser->getUser($f['last_uid'])->toArray();
$showName = "";
$showCol = "";
@ -583,7 +643,7 @@ class BoardController extends Controller {
}
public function browseTopics($mode, $id, $from, $to) { // /api/rpc/board/browse/browsetopicsmode/id/from/to
public function browseTopics($mode, $id, $from, $to, Request $request) { // /api/rpc/board/browse/browsetopicsmode/id/from/to
$topsUP = $this->getTopicsUnpinned($id, $from, $to);
$topsPN = $this->getTopicsPinned($id, $from, $to);
$topsUS = $this->getTopicsUser($id, $from, $to);
@ -612,8 +672,8 @@ class BoardController extends Controller {
$fplp = $this->getFirstAndLastPosts($t->id);
$userFD = $fplp['first']['date'];
$userLD = $fplp['last']['date'];
$userFirst = $this->objUser->getUser($fplp['first']['uid'])->toArray();
$userLast = $this->objUser->getUser($fplp['last']['uid'])->toArray();
$userFirst = $this->objUser->getUser($fplp['first']['uid'], $request)->toArray();
$userLast = $this->objUser->getUser($fplp['last']['uid'], $request)->toArray();
$showNameF = "";
$showColF = "";
$showNameL = "";
@ -830,12 +890,12 @@ class BoardController extends Controller {
return $string;
}
public function browseTopicPosts($tp, $id, $from, $to) { // /api/rpc/board/browse/browsetopicposts/tp/id/from/to
public function browseTopicPosts($tp, $id, $from, $to, Request $request) { // /api/rpc/board/browse/browsetopicposts/tp/id/from/to
// Load group colours.
$ucol = $this->objUser->getGroupColours();
// All the user posts' user IDs.
if ($tp == 't') $uid = $this->getUserPosts($id, $from, $to);
if ($tp == 't') $uid = $this->getUserPosts($id, $from, $to, $request);
else if ($tp == 'p') $uid = $this->getUserPost($id);
else $uid = $this->getPostsOfUser($id, $from, $to);
$udat = array();
@ -909,9 +969,9 @@ class BoardController extends Controller {
return $udat;
}
public function browsePermissions($uid) { // /api/rpc/board/browse/browsepermissions/uid
public function browsePermissions($uid, Request $request) { // /api/rpc/board/browse/browsepermissions/uid
// Get user ID.
$perm = $this->objUser->getUser($uid);
$perm = $this->objUser->getUser($uid, $request);
// Does the user ID exist? Grand the appropriate rights. Otherwise, use guest.
if ($uid != 0) {
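Review bot: The write endpoints in the `@ -380,83 +415,107` hunk now require valid credentials, but the identity they act on still comes from the request body: addPost inserts `'user_id' => $request->user_id` and editPost/deletePost update whichever `$request->id` the client names, so any account holding `for_post` can post as another user, and (as the TODO on editPost already notes) `for_editown` is not tied to ownership of the post being edited. In the same hunk editPost, deletePost and undeletePost have no else branch after the permission check, so a denied caller gets an implicit null rather than the `return 'Permission denied.';` that addPost returns — add that branch to each. The read endpoints in the three earlier hunks (getPostsofUser, getUserPosts, getUserPost) compute `$valid` but never consult it, and `ipaddress` stays in `$getting` unconditionally, unlike UserController::getUsers which gates `ip_address` on `usr_ipshow`; in getPostsofUser the check is commented out entirely. Finally, the `@ -830,12 +890,12` hunk still calls `$this->getUserPost($id)` and `$this->getPostsOfUser($id, $from, $to)` without `$request`, which will fail with an ArgumentCountError now that those methods take a required `Request $request` parameter.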


@ -58,24 +58,34 @@ class UserController extends Controller {
]);
}
public function getUsers() { // /api/rpc/user/user/getusers
public function getUsers(Request $request) { // /api/rpc/user/user/getusers
$getting = array(
'users.id',
'username',
'perm_id',
'reg_date',
'gender',
'avatar',
'name_style',
'display_name',
'country'
);
$valid = $this->objAuth->getPermissions($request->username, $request->password);
if ($valid['usr_emailshow'] == 1) {
array_push($getting, 'email');
}
if ($valid['usr_ipshow'] == 1) {
array_push($getting, 'ip_address');
}
return DB::table('users')
->join('usr_details', 'usr_details.user_id', '=', 'users.id')
->join('usr_profile', 'usr_profile.user_id', '=', 'users.id')
->join('usr_perm_id', 'usr_perm_id.user_id', '=', 'users.id')
->get(array(
'id',
'username',
'perm_id',
'email',
'reg_date',
'gender',
'ip_address',
'avatar',
'name_style',
'display_name',
'country'
));
->get($getting);
}
public function getUser($id, Request $request) { // /api/rpc/user/user/getuser/id/uid
@ -264,37 +274,58 @@ class UserController extends Controller {
}
public function addOwner(Request $request) { // /api/rpc/user/owner/addowner
$add = DB::table('str_owners')
->insert([
'user_id' => $request->user_id,
'file_id' => $request->file_id
]);
$check = $this->objAuth->checkLegit($request->username, $request->password);
return \Response::json($add);
if ($check == 0) {
return 'Err!';
}
else {
$add = DB::table('str_owners')
->insert([
'user_id' => $request->user_id,
'file_id' => $request->file_id
]);
return \Response::json($add);
}
}
public function updateTotalPostCount(Request $request) { // /api/rpc/user/user/updatetotalpostcount
$getPC = $this->getTotalPostCount($request->user_id);
$getPC++;
$check = $this->objAuth->checkLegit($request->username, $request->password);
return DB::table('usr_details')
->where('user_id', $request->user_id)
->update([
'total_posts' => $getPC
]);
if ($check == 0) {
return 'Err!';
}
else {
$getPC = $this->getTotalPostCount($request->user_id);
$getPC++;
return DB::table('usr_details')
->where('user_id', $request->user_id)
->update([
'total_posts' => $getPC
]);
}
}
public function updateTotalTopicCount(Request $request) { // /api/rpc/user/user/updatetotaltopiccount
$getPC = $this->getTotalPostCount($request->user_id);
$getTC = $this->getTotalTopicCount($request->user_id);
$getPC++;
$getTC++;
$check = $this->objAuth->checkLegit($request->username, $request->password);
return DB::table('usr_details')
->where('user_id', $request->user_id)
->update([
'total_posts' => $getPC,
'total_threads' => $getTC
]);
if ($check == 0) {
return 'Err!';
}
else {
$getPC = $this->getTotalPostCount($request->user_id);
$getTC = $this->getTotalTopicCount($request->user_id);
$getPC++;
$getTC++;
return DB::table('usr_details')
->where('user_id', $request->user_id)
->update([
'total_posts' => $getPC,
'total_threads' => $getTC
]);
}
}
}
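Review bot: In the `@ -264,37 +274,58` hunk checkLegit only proves the caller has some valid account; addOwner, updateTotalPostCount and updateTotalTopicCount still take the target from `$request->user_id`, so any authenticated user can register themselves as owner of any `file_id` or bump another user's post and thread counts. The subject should come from the authenticated identity (or the supplied `user_id` be compared against it), and the counter endpoints should consult `getPermissions` the way the board endpoints do rather than stopping at `checkLegit`. The counters are also read-increment-write (`$getPC = $this->getTotalPostCount(...); $getPC++;`), so two concurrent posts can lose an update; `->increment('total_posts')` on the query builder does it atomically. In the getUsers hunk the email/ip gating is the right shape, but `getPermissions` is called without a preceding `checkLegit`; if it does not itself reject bad credentials and fall back to guest rights, a wrong password would still be evaluated — worth confirming in AuthController.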