';
echo '';
}
+ include 'bookmarks-vote.inc.tpl.php';
echo '';;
diff --git a/src/SemanticScuttle/functions.php b/src/SemanticScuttle/functions.php
index 663ed25..8823752 100644
--- a/src/SemanticScuttle/functions.php
+++ b/src/SemanticScuttle/functions.php
@@ -92,6 +92,30 @@ function createURL($page = '', $ending = '') {
return ROOT . $page;
}
}
+/**
+ * Creates a "vote for/against this bookmark" URL.
+ * Also runs htmlspecialchars() on them to prevent XSS.
+ * We need to use ENT_QUOTES since otherwise we would not be
+ * protected when the attribute is used in single quotes.
+ *
+ * @param boolean $for For the bookmark (true) or against (false)
+ * @param integer $bId Bookmark ID
+ *
+ * @return string URL to use
+ */
+function createVoteURL($for, $bId)
+{
+ //FIXME: we need a "current url" variable that is
+ //filled with a safe version of the current url.
+ //all this specialchars stuff is bit of a hack.
+ return htmlspecialchars(
+ createURL(
+ 'vote',
+ ($for ? 'for' : 'against') . '/' . $bId
+ ) . '?from=' . urlencode($_SERVER['REQUEST_URI']),
+ ENT_QUOTES
+ );
+}
/* Shorten a string like a URL for example by cutting the middle of it */
function shortenString($string, $maxSize=75) {
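Review bot: `$bId` is concatenated into the path unchanged on the `($for ? 'for' : 'against') . '/' . $bId` line even though the docblock declares it an integer; a cast, `($for ? 'for' : 'against') . '/' . (int) $bId`, would make the generated URL match the contract and keep anything non-numeric a caller passes by mistake out of the link. The rest of the escaping looks right: `REQUEST_URI` is attacker-influenced but goes through `urlencode()` and then `htmlspecialchars(..., ENT_QUOTES)`, so both the query string and the attribute context are covered. The docblock's "runs htmlspecialchars() on them" has no clear antecedent; suggest `Also runs htmlspecialchars() on the result so it can be placed directly into an HTML attribute.` Since the `from` value produced here is always the current `REQUEST_URI`, the consumer of that parameter can safely require a site-relative path beginning with `/`.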
diff --git a/www/vote.php b/www/vote.php
new file mode 100644
index 0000000..91f5c34
--- /dev/null
+++ b/www/vote.php
@@ -0,0 +1,69 @@
+isLoggedOn()) {
+ header('HTTP/1.0 400 Bad Request');
+ echo 'need a logged on user';
+ exit(1);
+}
+$user = $us->getCurrentUser();
+$user = $user['uId'];
+
+if (!isset($_SERVER['PATH_INFO'])) {
+ //we got a problem
+ header('HTTP/1.0 500 Internal Server Error');
+ echo 'PATH_INFO not found';
+ exit(2);
+}
+
+//we should really use net_url_mapper here
+list($url, $type, $bookmark) = explode('/', $_SERVER['PATH_INFO']);
+
+if ($type != 'for' && $type != 'against') {
+ header('HTTP/1.0 400 Bad Request');
+ echo 'type has to be "for" or "against"';
+ exit(3);
+}
+if (!is_numeric($bookmark)) {
+ header('HTTP/1.0 400 Bad Request');
+ echo 'Bookmark must be numeric';
+ exit(4);
+}
+$bookmark = (int)$bookmark;
+
+if (!isset($_GET['from']) || $_GET['from'] == '') {
+ header('HTTP/1.0 400 Bad Request');
+ echo 'Missing "from" parameter';
+ exit(5);
+}
+$from = $_GET['from'];
+
+
+if ($vs->hasVoted($bookmark, $user)) {
+ //already voted
+ header('HTTP/1.0 412 Precondition failed');
+ echo 'Bookmark has been already voted for';
+ exit(6);
+}
+
+$vs->vote($bookmark, $user, $type == 'for' ? 1 : -1);
+header('Location: ' . $from);
+?>
\ No newline at end of file
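Review bot: The final `header('Location: ' . $from);` redirects to whatever `$_GET['from']` holds, and the only check on it (the `isset`/`== ''` test above) is non-emptiness, so any absolute URL is accepted and this endpoint becomes an open redirect; since `createVoteURL()` in functions.php always fills `from` with the site-relative `REQUEST_URI`, restricting it to a local path costs nothing: `if (substr($from, 0, 1) !== '/' || substr($from, 0, 2) === '//') { $from = ROOT; }` placed right after `$from = $_GET['from'];` (ROOT as used in createURL, assuming it is the site base). The vote itself is recorded on `$vs->vote(...)` in response to a plain GET with no request-bound token, so a vote can be triggered by any page that embeds the URL; a session-tied token checked before `hasVoted()` would close that. Style: `$type != 'for' && $type != 'against'` should use `!==`. The opening of this file appears truncated in this rendering (the hunk starts at `isLoggedOn()) {` although the header announces 69 lines), so the session and service setup before it could not be reviewed.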