Merge pull request #106 from JoomJunk/development

Update master to 1.3.0
JoomJunk · Feb 26, 2014 · 7f83759 · 7f83759
2 parents fa66bf0 + f60fa95
commit 7f83759
Show file tree

Hide file tree

Showing 17 changed files with 152 additions and 143 deletions.
diff --git a/changelog.php b/changelog.php
@@ -14,6 +14,13 @@
 - -> Removed
 ! -> Note
 
+Version 1.3.0
+* People without necessary permissions could delete posts
++ Allow template overriding of jQuery no conflict file and CSS file
+# Cleanup detection of posts if a shout was submitted
+# Only include recaptcha library if parameter turned on
+# Incorrect usage of JFolder removed
+
 Version 1.2.6
 ^ Updated to jQuery 1.11.0
 + Added new date format (yyyy.mm.dd)

diff --git a/mod_shoutbox/helper.php b/mod_shoutbox/helper.php
@@ -7,6 +7,8 @@
 
 defined('_JEXEC') or die('Restricted access');
 
+jimport('joomla.filesystem.file');
+
 /**
  * Shoutbox helper connector class.
  *
@@ -18,7 +20,7 @@ class ModShoutboxHelper
 	 * Retrieves the shouts from the database and returns them. Will return an error
 	 * message if the database retrieval fails.
 	 *
-	 * @param   int     $number   The number of posts to retrieve from the databse.
+	 * @param   int     $number   The number of posts to retrieve from the database.
 	 * @param   string  $message  The error message to return if the database retrieval fails.
 	 *
 	 * @return  array  The shoutbox posts.
@@ -28,11 +30,11 @@ class ModShoutboxHelper
 	public static function getShouts($number, $message)
 	{
 		$shouts	= array();
-		$db = JFactory::getDBO();
+		$db = JFactory::getDbo();
 		$query = $db->getQuery(true);
 		$query->select('*')
-		->from('#__shoutbox')
-		->order('id DESC');
+		->from($db->quoteName('#__shoutbox'))
+		->order($db->quoteName('id') . ' DESC');
 		$db->setQuery($query, 0, $number);
 
 		if (!JError::$legacy)
@@ -117,68 +119,57 @@ public static function shouttitle($user, $ip)
 	 */
 	public static function postFiltering($shout, $user, $swearCounter, $swearNumber, $displayName)
 	{
-		if (isset($shout['shout']))
+		$replace = '****';
+
+		if (!$user->guest && $displayName == 0)
+		{
+			$name = $user->name;
+			$nameSwears = 0;
+		}
+		elseif (!$user->guest && $displayName == 1)
+		{
+			$name = $user->username;
+			$nameSwears = 0;
+		}
+		else
 		{
-			JSession::checkToken() or die( JText::_('SHOUT_INVALID_TOKEN') );
+			if ($swearCounter == 0)
+			{
+				$before = substr_count($shout['name'], $replace);
+			}
+
+			$name = self::swearfilter($shout['name'], $replace);
 
-			if (!empty($shout['message']))
+			if ($swearCounter == 0)
 			{
-				if ($_SESSION['token'] == $shout['token'])
-				{
-					$replace = '****';
-
-					if (!$user->guest && $displayName == 0)
-					{
-						$name = $user->name;
-						$nameSwears = 0;
-					}
-					elseif (!$user->guest && $displayName == 1)
-					{
-						$name = $user->username;
-						$nameSwears = 0;
-					}
-					else
-					{
-						if ($swearCounter == 0)
-						{
-							$before = substr_count($shout['name'], $replace);
-						}
-
-						$name = self::swearfilter($shout['name'], $replace);
-
-						if ($swearCounter == 0)
-						{
-							$after = substr_count($name, $replace);
-							$nameSwears = ($after - $before);
-						}
-						else
-						{
-							$nameSwears = 0;
-						}
-					}
-
-					if ($swearCounter == 0)
-					{
-						$before = substr_count($shout['message'], $replace);
-					}
-
-					$message = self::swearfilter($shout['message'], $replace);
-
-					if ($swearCounter == 0)
-					{
-						$after = substr_count($message, $replace);
-						$messageSwears = ($after - $before);
-					}
-
-					$ip = $_SERVER['REMOTE_ADDR'];
-
-					if ($swearCounter == 1 || $swearCounter == 0 && (($nameSwears + $messageSwears) <= $swearNumber))
-					{
-						self::addShout($name, $message, $ip);
-					}
-				}
+				$after = substr_count($name, $replace);
+				$nameSwears = ($after - $before);
+			}
+			else
+			{
+				$nameSwears = 0;
 			}
 		}
+
+		if ($swearCounter == 0)
+		{
+			$before = substr_count($shout['message'], $replace);
+		}
+
+		$message = self::swearfilter($shout['message'], $replace);
+
+		if ($swearCounter == 0)
+		{
+			$after = substr_count($message, $replace);
+			$messageSwears = ($after - $before);
+		}
+
+		$ip = $_SERVER['REMOTE_ADDR'];
+
+		if ($swearCounter == 1 || $swearCounter == 0 && (($nameSwears + $messageSwears) <= $swearNumber))
+		{
+			self::addShout($name, $message, $ip);
+		}
 	}
 
 	/**
@@ -244,7 +235,7 @@ public static function smileyFilter($message)
 	 *
 	 * @return   array  $smilies The smiley images html code.
 	 *
-	 * @since 2.5
+	 * @since 1.2
 	 */
 	public static function smileyshow()
 	{
@@ -379,14 +370,14 @@ public static function linkUser($profile, $name, $user_id)
 	 */
 	public static function addShout($name, $message, $ip)
 	{
-		$db = JFactory::getDBO();
+		$db = JFactory::getDbo();
 		$config = JFactory::getConfig();
 		$columns = array('name', 'when', 'ip', 'msg', 'user_id');
 		$values = array($db->Quote($name), $db->Quote(JFactory::getDate('now', $config->get('offset'))->toSql(true)),
 			$db->quote($ip), $db->quote($message), $db->quote(JFactory::getUser()->id));
 		$query = $db->getQuery(true);
 
-		$query	->insert($db->quoteName('#__shoutbox'))
+		$query->insert($db->quoteName('#__shoutbox'))
 			->columns($db->quoteName($columns))
 			->values(implode(',', $values));
 
@@ -428,8 +419,8 @@ public static function deletepost($id)
 		$db	= JFactory::getDBO();
 		$query = $db->getQuery(true);
 		$query->delete()
-		->from('#__shoutbox')
-		->where('id = ' . (int) $id);
+		->from($db->quoteName('#__shoutbox'))
+		->where($db->quoteName('id') . ' = ' . (int) $id);
 		$db->setQuery($query);
 
 		if (version_compare(JVERSION, '3.0.0', 'ge'))
@@ -456,8 +447,8 @@ public static function deleteall($delete)
 		$db = JFactory::getDBO();
 		$query = $db->getQuery(true);
 		$query->select('*')
-			->from('#__shoutbox')
-			->order('id DESC');
+			->from($db->quoteName('#__shoutbox'))
+			->order($db->quoteName('id') . ' DESC');
 		$db->setQuery($query, 0, $delete);
 		$rows = $db->loadObjectList();
 

diff --git a/mod_shoutbox/language/en-GB/en-GB.mod_shoutbox.ini b/mod_shoutbox/language/en-GB/en-GB.mod_shoutbox.ini
@@ -89,7 +89,6 @@ SHOUT_K2_BLOG_USERS="K2 - Blog"
 SHOUT_NO_USERS="None"
 SHOUT_LINK_PROFILE_ALLOW="Allow guests to view profile"
 SHOUT_LINK_PROFILE_ALLOWDESC="Select whether or not you would like to allow guests to be able to click the authors name to view their profile"
-SHOUT_INVALID_TOKEN="Invalid Token"
 SHOUT_MASS_DELETE="Mass Delete"
 SHOUT_GREATER_THAN_ZERO="You must delete more than 0 shouts"
 SHOUT_NOT_INT="You must delete a integer number of shouts"

diff --git a/mod_shoutbox/language/en-GB/en-GB.mod_shoutbox.sys.ini b/mod_shoutbox/language/en-GB/en-GB.mod_shoutbox.sys.ini
@@ -8,6 +8,6 @@
 JJSHOUTBOX_DESCRIPTION="<h1 style='color:black; font-weight:bold; padding:0px;'>JJ Shoutbox</h1><p>Copyright &copy; <a href='http://www.joomjunk.co.uk'>JoomJunk</a></p><p>Released under GNU/GPL 3.0 License</p>"
 MOD_SHOUTBOX_INSTALL="This shoutbox module allows users to post on your site with a simple yet elegant design. Parameters allow you to choose whether guests are allowed to post, the number of posts shown at any time and the design of the shoutbox itself. Posts can be easily deleted by any administrator, whilst a spam filter censors swearing on the shoutbox. There is a .php file in the module which you can easily add any extra swear words to if you feel this is needed. The module is entirely language file based, and thus can be adapted for multi-lingual sites easily."
 MOD_SHOUTBOX_UPDATE="This version has been updated to %s"
-MOD_SHOUTBOX_UPDATE_CHANGELOG="<h1 style='text-decoration: underline'>Changelog</h1><ul><li>Update to jQuery 1.11.0</li><li>Added new date format (yyyy.mm.dd)</li><li>Refinement of users permissions of who can post</li></ul>"
+MOD_SHOUTBOX_UPDATE_CHANGELOG="<h1 style='text-decoration: underline'>Changelog</h1><ul><li>Security fix with people who don't have permissions able to delete posts</li><li>Code cleanup, bug fixes and page load optimization</li></ul>"
 MOD_SHOUTBOX_INCORRECT_SEQUENCE="Incorrect version sequence. Cannot upgrade %s to %s"
 SHOUT_126_UPDATE_NOTIFICATION="Changes have been made with who is allowed to post in the module. Be sure to check the shoutbox parameters to make sure everything continues to work as expected!"
diff --git a/mod_shoutbox/mod_shoutbox.php b/mod_shoutbox/mod_shoutbox.php
@@ -39,7 +39,7 @@
 		{
 			JFactory::getApplication()->set('jquery', true);
 			JHtml::_('script', 'http://ajax.googleapis.com/ajax/libs/jquery/1.11.0/jquery.min.js');
-			JHtml::_('script', JUri::root() . 'media/mod_shoutbox/js/jquery-conflict.js'); 
+			JHtml::_('script', 'mod_shoutbox/jquery-conflict.js', false, true);
 		}
 	}
 }
@@ -85,7 +85,6 @@
 );
 
 $user = JFactory::getUser();
-require_once JPATH_ROOT . '/media/mod_shoutbox/recaptcha/recaptchalib.php';
 
 if (isset($_POST))
 {
@@ -99,91 +98,103 @@
 		$post = JRequest::get('post');
 	}
 
-	if ($params->get('recaptchaon') == 0)
+	if (isset($post['shout']) && !empty($post['message']) && $_SESSION['token'] == $post['token'])
 	{
-		if (isset($post["recaptcha_response_field"]))
+		JSession::checkToken() or die(JText::_('JINVALID_TOKEN'));
+
+		if ($params->get('recaptchaon') == 0)
 		{
-			if ($post["recaptcha_response_field"])
+			require_once JPATH_ROOT . '/media/mod_shoutbox/recaptcha/recaptchalib.php';
+
+			if (isset($post["recaptcha_response_field"]))
 			{
-				$resp = recaptcha_check_answer(
-					$params->get('recaptcha-private'),
-					$_SERVER["REMOTE_ADDR"],
-					$post["recaptcha_challenge_field"],
-					$post["recaptcha_response_field"]
-				);
-
-				if ($resp->is_valid)
-				{
-					modShoutboxHelper::postFiltering($post, $user, $swearcounter, $swearnumber, $displayName);
-				}
-				else
+				if ($post["recaptcha_response_field"])
 				{
-					$error = $resp->error;
+					$resp = recaptcha_check_answer(
+						$params->get('recaptcha-private'),
+						$_SERVER["REMOTE_ADDR"],
+						$post["recaptcha_challenge_field"],
+						$post["recaptcha_response_field"]
+					);
+
+					if ($resp->is_valid)
+					{
+						ModShoutboxHelper::postFiltering($post, $user, $swearcounter, $swearnumber, $displayName);
+					}
+					else
+					{
+						$error = $resp->error;
+					}
 				}
 			}
 		}
-	}
-	elseif ($securityquestion == 0)
-	{
-		if (isset($post['sum1']) && isset($post['sum2']))
+		elseif ($securityquestion == 0)
 		{
-			$que_result = $post['sum1'] + $post['sum2'];
-
-			if (isset($post['human']))
+			if (isset($post['sum1']) && isset($post['sum2']))
 			{
-				if ($post['human'] == $que_result)
-				{
-					modShoutboxHelper::postFiltering($post, $user, $swearcounter, $swearnumber, $displayName);
-				}
-				else
+				$que_result = $post['sum1'] + $post['sum2'];
+
+				if (isset($post['human']))
 				{
-					JFactory::getApplication()->enqueueMessage(JText::_('SHOUT_ANSWER_INCORRECT'), 'error');
+					if ($post['human'] == $que_result)
+					{
+						ModShoutboxHelper::postFiltering($post, $user, $swearcounter, $swearnumber, $displayName);
+					}
+					else
+					{
+						JFactory::getApplication()->enqueueMessage(JText::_('SHOUT_ANSWER_INCORRECT'), 'error');
+					}
 				}
 			}
 		}
-	}
-	else
-	{
-		modShoutboxHelper::postFiltering($post, $user, $swearcounter, $swearnumber, $displayName);
+		else
+		{
+			ModShoutboxHelper::postFiltering($post, $user, $swearcounter, $swearnumber, $displayName);
+		}
 	}
 
 	if (isset($post['delete']))
 	{
+		JSession::checkToken() or die(JText::_('JINVALID_TOKEN'));
 		$deletepostnumber = $post['idvalue'];
-		modShoutboxHelper::deletepost($deletepostnumber);
+
+		if ($user->authorise('core.delete'))
+		{
+			ModShoutboxHelper::deletepost($deletepostnumber);
+		}
 	}
 
-	if ($mass_delete == 0)
+	if ($mass_delete == 0 && (isset($post['deleteall'])))
 	{
-		if (isset($post['deleteall']))
-		{
-			$delete = $post['valueall'];
+		JSession::checkToken() or die(JText::_('JINVALID_TOKEN'));
+		$delete = $post['valueall'];
 
-			if (isset($delete))
+		if (isset($delete))
+		{
+			if (is_numeric($delete) && (int) $delete == $delete)
 			{
-				if (is_numeric($delete) && (int) $delete == $delete)
+				if ($delete > 0)
 				{
-					if ($delete > 0)
+					if ($delete > $post['max'])
 					{
-						if ($delete > $post['max'])
-						{
-							$delete = $post['max'];
-						}
-
-						modShoutboxHelper::deleteall($delete);
+						$delete = $post['max'];
 					}
-					else
+					if ($user->authorise('core.delete'))
 					{
-						JLog::add(JText::_('SHOUT_GREATER_THAN_ZERO'), JLog::WARNING, 'mod_shoutbox');
-						JFactory::getApplication()->enqueueMessage(JText::_('SHOUT_GREATER_THAN_ZERO'), 'error');
+						ModShoutboxHelper::deleteall($delete);
 					}
 				}
 				else
 				{
-					JLog::add(JText::_('SHOUT_NOT_INT'), JLog::WARNING, 'mod_shoutbox');
-					JFactory::getApplication()->enqueueMessage(JText::_('SHOUT_NOT_INT'), 'error');
+					JLog::add(JText::_('SHOUT_GREATER_THAN_ZERO'), JLog::WARNING, 'mod_shoutbox');
+					JFactory::getApplication()->enqueueMessage(JText::_('SHOUT_GREATER_THAN_ZERO'), 'error');
 				}
 			}
+			else
+			{
+				JLog::add(JText::_('SHOUT_NOT_INT'), JLog::WARNING, 'mod_shoutbox');
+				JFactory::getApplication()->enqueueMessage(JText::_('SHOUT_NOT_INT'), 'error');
+			}
 		}
 	}
 }