Fix attachment handling, Add multifile support, Add csrf protection

05f0ad3d · Peter Rotich · dbad3a3a · 05f0ad3d · 05f0ad3d · 05f0ad3d
Commit 05f0ad3d authored 12 years ago by Peter Rotich
--- a/include/class.faq.php
+++ b/include/class.faq.php
@@ -19,11 +19,11 @@ class FAQ {

    var $id;
    var $ht;
+
    var $category;
+    var $attachments;

    function FAQ($id) {
-
-
        $this->id=0;
        $this->ht = array();
        $this->load($id);
@@ -44,6 +44,7 @@ class FAQ {
        $this->ht = db_fetch_array($res);
        $this->ht['id'] = $this->id = $this->ht['faq_id'];
        $this->category = null;
+        $this->attachments = array();

        return true;
    }
@@ -158,6 +159,20 @@ class FAQ {
            return false;

        $this->updateTopics($vars['topics']);
+                    
+        //Delete removed attachments.
+        $keepers = $vars['files']?$vars['files']:array();
+        if(($attachments = $this->getAttachments())) {
+            foreach($attachments as $k=>$file) {
+                if($file['id'] && !in_array($file['id'], $keepers))
+                    $this->deleteAttachment($file['id']);
+            }
+        }
+
+        //Upload new attachments IF any.
+        if($_FILES['attachments'] && ($files=Format::files($_FILES['attachments'])))
+            $this->uploadAttachments($files);
+
        $this->reload();

        return true;
@@ -261,10 +276,19 @@ class FAQ {
    /* ------------------> Static methods <--------------------- */
   
    function add($vars, &$errors) {
-        if(($id=self::create($vars, $errors)) && ($faq=self::lookup($id)))
+        if(!($id=self::create($vars, $errors)))
+            return false;
+
+        if(($faq=self::lookup($id))) {
            $faq->updateTopics($vars['topics']);
+               
+            if($_FILES['attachments'] && ($files=Format::files($_FILES['attachments'])))
+                $faq->uploadAttachments($files);

-        return$faq;
+            $faq->reload();
+        }
+            
+        return $faq;
    }

    function create($vars, &$errors) {   

--- a/include/staff/faq.inc.php
+++ b/include/staff/faq.inc.php
@@ -23,6 +23,7 @@ if($faq){
 $info=Format::htmlchars(($errors && $_POST)?$_POST:$info);
 ?>
 <form action="faq.php?<?php echo $qstr; ?>" method="post" id="save" enctype="multipart/form-data">
+ <?php csrf_token(); ?>
 <input type="hidden" name="do" value="<?php echo $action; ?>">
 <input type="hidden" name="a" value="<?php echo Format::htmlchars($_REQUEST['a']); ?>">
 <input type="hidden" name="id" value="<?php echo $info['id']; ?>">
@@ -90,7 +91,7 @@ $info=Format::htmlchars(($errors && $_POST)?$_POST:$info);
                <div><b>Attachments</b> (optional) <font class="error">&nbsp;<?php echo $errors['files']; ?></font></div>
                <?php
                if($faq && ($files=$faq->getAttachments())) {
-                    echo '<div id="faq_attachments"><span class="faded">Uncheck to delete the attachment on submit</span><br>';
+                    echo '<div class="faq_attachments"><span class="faded">Uncheck to delete the attachment on submit</span><br>';
                    foreach($files as $file) {
                        $hash=$file['hash'].md5($file['id'].session_id().$file['hash']);
                        echo sprintf('<label><input type="checkbox" name="files[]" id="f%d" value="%d" checked="checked">
@@ -99,14 +100,12 @@ $info=Format::htmlchars(($errors && $_POST)?$_POST:$info);
                    }
                    echo '</div><br>';
                }
-                //TODO: add a setting on admin panel
-                if(count($files)<5) {
                ?>
-                <div>
-                    <input type="file" name="attachments[]" value=""/>
+                <div class="faded">Select files to upload.</div>
+                <div class="uploads"></div>
+                <div class="file_input">
+                    <input type="file" class="multifile" name="attachments[]" size="30" value="" />
                </div>
-                <?}?>
-                <div class="faded">You can upload up to 5 attachments.</div>
            </td>
        </tr>
        <?php

--- a/scp/faq.php
+++ b/scp/faq.php
@@ -40,19 +40,7 @@ if($_POST):
            elseif($faq->update($_POST,$errors)) {
                $msg='FAQ updated successfully';
                $_REQUEST['a']=null; //Go back to view
-                //Delete removed attachments.
-                $keepers = $_POST['files']?$_POST['files']:array();
-                if(($attachments = $faq->getAttachments())) {
-                    foreach($attachments as $k=>$file) {
-                        if($file['id'] && !in_array($file['id'], $keepers)) {
-                            $faq->deleteAttachment($file['id']);
-                        }
-                    }
-                }
-                //Upload NEW attachments IF ANY - TODO: validate attachment types??
-                if($_FILES['attachments'] && ($files=Format::files($_FILES['attachments'])))
-                    $faq->uploadAttachments($files);
-
+                $faq->reload();
            } elseif(!$errors['err'])
                $errors['err'] = 'Unable to update FAQ. Try again!';     
            break;