Add blog comments and CSRF protection

12 years ago · 061c32ac8b
parent 70d81e1b78
commit 061c32ac8b
7 changed files with 289 additions and 4 deletions
--- a/public_html/classes/blogcomment.php
+++ b/public_html/classes/blogcomment.php
@ -21,7 +21,6 @@ class BlogComment extends CPHPDatabaseRecordClass
 	
 	public $prototype = array(
 		'string' => array(
-			'Body'			=> "Body",
 			'Name'			=> "Name",
 			'EmailAddress'		=> "EmailAddress"
 		),
@ -37,6 +36,9 @@ class BlogComment extends CPHPDatabaseRecordClass
 			"Visible"		=> "Visible",
 			"IsGuestPost"		=> "GuestPost"
 		),
+		'simplehtml' => array(
+			'Body'			=> "Body",
+		),
 		'user' => array(
 			"Author"		=> "UserId"
 		),
--- a/public_html/modules/blog/comment.php
+++ b/public_html/modules/blog/comment.php
@ -0,0 +1,78 @@
+<?php
+/*
+ * Box is more free software. It is licensed under the WTFPL, which
+ * allows you to do pretty much anything with it, without having to
+ * ask permission. Commercial use is allowed, and no attribution is
+ * required. We do politely request that you share your modifications
+ * to benefit other developers, but you are under no enforced
+ * obligation to do so :)
+ * 
+ * Please read the accompanying LICENSE document for the full WTFPL
+ * licensing text.
+ */
+
+if(!isset($_APP)) { die("Unauthorized."); }
+
+try
+{
+	$sBlogPost = BlogPost::CreateFromQuery("SELECT * FROM blog_posts WHERE `Slug` = :Slug", array(":Slug" => $router->uParameters[1]), 60, true);
+}
+catch (NotFoundException $e)
+{
+	throw new RouterException("No such blog post exists.");
+}
+
+$sErrors = array();
+
+if(empty($sCurrentUser) && (empty($_POST['name']) && empty($_POST['email'])))
+{
+	$sErrors[] = "You did not enter a valid name and/or e-mail address.";
+}
+
+if(empty($sCurrentUser) && !User::CheckIfEmailValid($_POST['email']))
+{
+	$sErrors[] = "The e-mail address you entered is invalid.";
+}
+
+if(empty($_POST['body']))
+{
+	$sErrors[] = "You can't post an empty comment!";
+}
+
+if(empty($sErrors))
+{
+	$sBlogComment = new BlogComment(0);
+
+	$sBlogComment->uPostId = $sBlogPost->sId;
+	$sBlogComment->uBody = $_POST['body'];
+	$sBlogComment->uPostedDate = time();
+	$sBlogComment->uVisible = true;
+
+	if(!empty($sCurrentUser))
+	{
+		$sBlogComment->uIsGuestPost = false;
+		$sBlogComment->uName = "";
+		$sBlogComment->uEmailAddress = "";
+		$sBlogComment->uAuthorId = $sCurrentUser->sId;
+	}
+	else
+	{
+		$sBlogComment->uIsGuestPost = true;
+		$sBlogComment->uName = $_POST['name'];
+		$sBlogComment->uEmailAddress = $_POST['email'];
+		$sBlogComment->uAuthorId = 0;
+	}
+	
+	$sBlogComment->InsertIntoDatabase();
+	
+	redirect("/blog/{$sBlogPost->sSlug}/#comment_{$sBlogComment->sId}");
+}
+else
+{
+	foreach($sErrors as $sError)
+	{
+		flash_error($sError);
+	}
+	
+	redirect("/blog/{$sBlogPost->sSlug}/");
+}
--- a/public_html/modules/blog/post.php
+++ b/public_html/modules/blog/post.php
@ -0,0 +1,68 @@
+<?php
+/*
+ * Box is more free software. It is licensed under the WTFPL, which
+ * allows you to do pretty much anything with it, without having to
+ * ask permission. Commercial use is allowed, and no attribution is
+ * required. We do politely request that you share your modifications
+ * to benefit other developers, but you are under no enforced
+ * obligation to do so :)
+ * 
+ * Please read the accompanying LICENSE document for the full WTFPL
+ * licensing text.
+ */
+
+if(!isset($_APP)) { die("Unauthorized."); }
+
+try
+{
+	$sBlogPost = BlogPost::CreateFromQuery("SELECT * FROM blog_posts WHERE `Slug` = :Slug", array(":Slug" => $router->uParameters[1]), 60, true);
+}
+catch (NotFoundException $e)
+{
+	throw new RouterException("No such blog post exists.");
+}
+
+try
+{
+	$result = BlogComment::CreateFromQuery("SELECT * FROM blog_comments WHERE `PostId` = :PostId AND `Visible` = 1 ORDER BY `Posted` ASC", array(":PostId" => $sBlogPost->sId));
+}
+catch (NotFoundException $e)
+{
+	$result = array();
+}
+
+$sComments = array();
+
+foreach($result as $sComment)
+{
+	if($sComment->sIsGuestPost)
+	{
+		$sAuthorName = $sComment->sName;
+		$sEmailAddress = $sComment->sEmailAddress;
+	}
+	else
+	{
+		$sAuthorName = $sComment->sAuthor->sUsername;
+		$sEmailAddress = $sComment->sAuthor->sEmailAddress;
+	}
+	
+	$sComments[] = array(
+		"author"	=> $sAuthorName,
+		"relative-date"	=> time_ago($sComment->sPostedDate, $locale),
+		"body"		=> Markdown($sComment->sBody),
+		"gravatar"	=> "https://secure.gravatar.com/avatar/" . md5(strtolower(trim($sEmailAddress))) . ".jpg?d=retro&s=40",
+		"id"		=> $sComment->sId
+	);
+}
+
+$sPageTitle = $sBlogPost->sTitle;
+$sPageContents = NewTemplater::Render("blog/post", $locale->strings, array(
+	"title"		=> $sBlogPost->sTitle,
+	"body"		=> Markdown($sBlogPost->sBody),
+	"author"	=> $sBlogPost->sAuthor->sUsername,
+	"relative-date"	=> time_ago($sBlogPost->sPostedDate, $locale),
+	"thumbnail"	=> $sBlogPost->sThumbnail,
+	"tags"		=> "test1, test2, test3",
+	"comments"	=> $sComments,
+	"slug"		=> $sBlogPost->sSlug
+));
--- a/public_html/modules/forums/thread.php
+++ b/public_html/modules/forums/thread.php
@ -51,7 +51,7 @@ foreach($result as $sForumPost)
 		"body"		=> filter_html(Markdown($sForumPost->uBody)),
 		"date"		=> time_ago($sForumPost->sPostedDate, $locale),
 		"date-full"	=> local_from_unix($sForumPost->sPostedDate, $locale->datetime_long),
-		"self"		=> ($sForumPost->sAuthorId == $sCurrentUser->sId),
+		"self"		=> (!empty($sCurrentUser) && $sForumPost->sAuthorId == $sCurrentUser->sId),
 		"gravatar"	=> "https://secure.gravatar.com/avatar/" . md5(strtolower(trim($sForumPost->sAuthor->sEmailAddress))) . ".jpg?d=retro&s=40",
 		"signature"	=> filter_html(Markdown($sForumPost->sAuthor->uSignature)),
 		"permalink"	=> $sForumPost->GetPermalink()
--- a/public_html/rewrite.php
+++ b/public_html/rewrite.php
@ -14,6 +14,18 @@
 $_APP = true;
 require("include/base.php");

+if(strtolower($_SERVER["REQUEST_METHOD"]) == "post")
+{
+	try
+	{
+		CSRF::VerifyToken();
+	}
+	catch (CsrfException $e)
+	{
+		die();
+	}
+}
+
 $sPageTitle = "";
 $sPageContents = "";

@ -36,6 +48,14 @@ $router->routes = array(
 			"target"	=> "modules/blog/home.php",
 			"_section"	=> "Blog"
 		),
+		"^/blog/([a-z0-9-]+)$"					=> array(
+			"target"	=> "modules/blog/post.php",
+			"_section"	=> "Blog"
+		),
+		"^/blog/([a-z0-9-]+)/comment$"				=> array(
+			"target"	=> "modules/blog/comment.php",
+			"_section"	=> "Blog"
+		),
 		"^/login$"						=> array(
 			"target"	=> "modules/account/login.php",
 			"_section"	=> "Account"
--- a/public_html/static/css/style.css
+++ b/public_html/static/css/style.css
@ -424,14 +424,14 @@ a.user
 .post .body h5 { font-size: 16px; }
 .post .body h6 { font-size: 14px; }

-.post .body blockquote
+.post .body blockquote, .comment blockquote
 {
 	padding: 7px 0px 7px 9px;
 	margin: 9px 0px 9px 6px;
 	border-left: 3px solid #80B380;
 }

-.post .body blockquote p
+.post .body blockquote p, .comment blockquote p
 {
 	margin: 0px;
 }
@ -558,3 +558,64 @@ button.preview
 {
 	margin-right: 18px;
 }
+
+.comment
+{
+	border-bottom: 1px solid #D6D6D6;
+	padding: 7px 6px 7px 65px;
+}
+
+.comment .gravatar
+{
+	float: left;
+	border: 1px solid silver;
+	padding: 1px;
+	margin: 7px 6px;
+	margin-left: -57px;
+}
+
+.comment .metadata
+{
+	padding: 6px 0px 4px 0px;
+}
+
+.comment .metadata .author
+{
+	font-weight: bold;
+}
+
+.comment .metadata .date
+{
+	color: #7D7D7D;
+	margin-left: 10px;
+	font-size: 15px;
+}
+
+.comment p
+{
+	margin: 8px 0px;
+	font-size: 15px;
+}
+
+.comments h2
+{
+	margin: 9px 0px 0px 0px;
+	font-size: 21px;
+}
+
+.comments form
+{
+	margin-top: 9px;
+}
+
+.comments textarea.body
+{
+	height: 140px;
+	margin-top: 2px;
+}
+
+.comments label
+{
+	font-size: 17px;
+	margin-top: 8px;
+}
--- a/public_html/templates/blog/post.tpl
+++ b/public_html/templates/blog/post.tpl
@ -0,0 +1,56 @@
+<div class="entry">
+	<h1>{%?title}</h1>
+	<img src="{%?thumbnail}">
+	<div class="metadata">
+		<span class="date">{%?relative-date}</span>, by
+		<span class="author">{%?author}</span>
+		<span class="tags">Tags: {%?tags}</span>
+	</div>
+	{%?body}
+</div>
+
+<div class="comments">
+	<h2>Comments</h2>
+	{%if isempty|comments == true}
+		No comments have been posted yet.
+	{%else}
+		{%foreach comment in comments}
+			<div class="comment">
+				<a name="comment_{%?comment[id]}"></a>
+				<img src="{%?comment[gravatar]}" class="gravatar">
+				<div class="metadata">
+					<span class="author">{%?comment[author]}</span>
+					<span class="date">{%?comment[relative-date]}</span>
+				</div>
+				{%?comment[body]}
+			</div>
+		{%/foreach}
+	{%/if}
+	
+	<h2>Post a new comment</h2>
+	<div class="commentform">
+		<form method="post" action="/blog/{%?slug}/comment">
+			{%if logged-in == false}
+				<label>Name</label>
+				<input type="text" name="name">
+				
+				<label>E-mail address</label>
+				<input type="text" name="email">
+				
+				<div class="clear"></div>
+			{%/if}
+			
+			<div class="field">
+				<textarea class="body" name="body"></textarea>
+			</div>
+			
+			<div class="subtext">
+				You can use <a href="http://static.squarespace.com/static/50060af484ae2a1f638413cb/5025cecce4b0922760c3c438/5025cecce4b0922760c3c43a/1304275182573/">Markdown</a>.
+			</div>
+			
+			<button class="submit" type="submit" name="submit">Post comment</button>
+			<button class="submit preview" type="submit" name="submit">Preview</button>
+			<div class="clear"></div>
+		</form>
+	</div>
+</div>