<?php
// Dobrado Content Management System
// Copyright (C) 2017 Malcolm Blaney
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as
// published by the Free Software Foundation, either version 3 of the
// License, or (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program.  If not, see <http://www.gnu.org/licenses/>.

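include 'functions/session.php';

// Endpoint: save a set of site-wide CSS rules posted as JSON.
// Expects POST fields 'style' (JSON object {selector: {property: value}}),
// 'media' (media query the rules belong to) and 'url' (page the request was
// made from, used to resolve the page owner for the permission check).
// Responds with a JSON object: {'done': true} or {'error': '...'}.
if (session_expired()) exit;

// Each field must be present AND a plain string: PHP turns 'style[]=...'
// into an array, which would otherwise reach json_decode()/bind_param() and
// fail with a TypeError instead of a clean error response.
foreach (['style', 'media', 'url'] as $name) {
  if (!isset($_POST[$name]) || !is_string($_POST[$name])) {
    echo json_encode(['error' => $name.' not provided']);
    exit;
  }
}

include 'functions/db.php';
include 'functions/page_owner.php';
include 'functions/permission.php';
include 'functions/write_style.php';

include 'config.php';
include 'module.php';
include 'user.php';

$mysqli = connect_db();
// page_owner() is given the escaped form of the url; presumably it builds
// its own query from it (not visible here), so the escaping is kept.
$url = $mysqli->escape_string($_POST['url']);
list($page, $owner) = page_owner($url);

$user = new User();
$user->SetPermission($page, $owner);
if (!$user->canEditSite) {
  echo json_encode(['error' => 'Permission denied editing site style.']);
  $mysqli->close();
  exit;
}

// json_decode() returns null for malformed input and a scalar for inputs
// such as '42'; neither is iterable, so reject anything that is not an
// array before the loop rather than emitting a warning inside it.
$us_style = json_decode($_POST['style'], true);
if (!is_array($us_style)) {
  echo json_encode(['error' => 'style is not a JSON object']);
  $mysqli->close();
  exit;
}

// All user-controlled values go through prepared statements; the statements
// are prepared once and the bound variables are reassigned per rule
// (bind_param binds by reference).
$delete = $mysqli->prepare('DELETE FROM site_style WHERE media = ? AND '.
  'selector = ? AND property = ?');
$insert = $mysqli->prepare('INSERT INTO site_style VALUES (?, ?, ?, ?, ?) '.
  'ON DUPLICATE KEY UPDATE value = ?');
if ($delete === false || $insert === false) {
  log_db('site_style 0: '.$mysqli->error, $owner, $user->name, $page);
  echo json_encode(['error' => 'Database error saving site style.']);
  $mysqli->close();
  exit;
}

$author = $user->name;
$media = $_POST['media'];
$selector = '';
$property = '';
$value = '';
$delete->bind_param('sss', $media, $selector, $property);
$insert->bind_param('ssssss', $author, $media, $selector, $property,
                    $value, $value);

foreach ($us_style as $us_selector => $us_rules) {
  // Each selector must map to an object of property => value pairs.
  if (!is_array($us_rules)) continue;
  // Array keys may have been converted to int by PHP; always bind a string.
  $selector = (string)$us_selector;
  foreach ($us_rules as $us_property => $us_value) {
    $property = (string)$us_property;
    // Ignore the default 'property' value.
    if ($property === 'property') continue;
    // A nested object/array is not a CSS value; skip it instead of letting
    // the string conversion below fail on it.
    if (!is_scalar($us_value) && $us_value !== null) continue;
    // Same coercion the old escape_string() call applied: null/false -> ''.
    $value = (string)$us_value;
    // If value is empty, the rule should be removed.
    if ($value === '') {
      if (!$delete->execute()) {
        log_db('site_style 1: '.$delete->error, $owner, $user->name, $page);
      }
      continue;
    }
    // Drop values that could run script in legacy browsers (javascript:
    // urls, IE's expression()). CSS is case-insensitive, so the match must
    // be too or 'JavaScript:' slips through. NOTE(review): this is a
    // best-effort blocklist only — CSS escapes such as '\6a avascript' are
    // not decoded here — so it does not replace the canEditSite check above.
    if (stripos($value, 'javascript') !== false ||
        stripos($value, 'expression') !== false) {
      continue;
    }
    if (!$insert->execute()) {
      log_db('site_style 2: '.$insert->error, $owner, $user->name, $page);
    }
  }
}

$delete->close();
$insert->close();
$mysqli->close();

// Regenerate the served stylesheet from the table contents.
write_site_style();

// Let the client know the action completed.
echo json_encode(['done' => true]);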