diff --git a/documentation/changelog.html b/documentation/changelog.html
index 700d86baf1..bb1d1ba150 100755
--- a/documentation/changelog.html
+++ b/documentation/changelog.html
@@ -46,6 +46,7 @@

Debugging


CSS changes

diff --git a/main/forum/forumfunction.inc.php b/main/forum/forumfunction.inc.php
index b51845344a..2b61c8f41e 100755
--- a/main/forum/forumfunction.inc.php
+++ b/main/forum/forumfunction.inc.php
@@ -2854,33 +2854,42 @@ function send_notification_mails($thread_id, $reply_info) { } /** -* This function is called whenever something is made visible because there might be new posts and the user might have indicated that (s)he wanted -* to be informed about the new posts by mail. +* This function is called whenever something is made visible because there might +* be new posts and the user might have indicated that (s)he wanted to be +* informed about the new posts by mail. * -* @param int +* @param string Content type (post, thread, forum, forum_category) +* @param int Item DB ID * @return string language variable -* * @author Patrick Cool , Ghent University * @version february 2006, dokeos 1.8 */ function handle_mail_cue($content, $id) { - $table_mailcue = Database :: get_course_table(TABLE_FORUM_MAIL_QUEUE); - $table_forums = Database :: get_course_table(TABLE_FORUM); - $table_threads = Database :: get_course_table(TABLE_FORUM_THREAD); - $table_posts = Database :: get_course_table(TABLE_FORUM_POST); - $table_users = Database :: get_main_table(TABLE_MAIN_USER); - + $table_mailcue = Database :: get_course_table(TABLE_FORUM_MAIL_QUEUE); + $table_forums = Database :: get_course_table(TABLE_FORUM); + $table_threads = Database :: get_course_table(TABLE_FORUM_THREAD); + $table_posts = Database :: get_course_table(TABLE_FORUM_POST); + $table_users = Database :: get_main_table(TABLE_MAIN_USER); + $table_userscourses = Database :: get_main_table(TABLE_MAIN_COURSE_REL_USER); + $course = api_get_course_id(); + // if the post is made visible we only have to send mails to the people who indicated that they wanted to be informed for that thread. if ($content=='post') { // getting the information about the post (need the thread_id) $post_info=get_post_information($id); - + $thread_id = Database::escape_string($post_info['thread_id']); + // sending the mail to all the users that wanted to be informed for replies on this thread. 
- $sql="SELECT users.firstname, users.lastname, users.user_id, users.email FROM $table_mailcue mailcue, $table_posts posts, $table_users users - WHERE posts.thread_id='".Database::escape_string($post_info['thread_id'])."' + $sql="SELECT users.firstname, users.lastname, users.user_id, users.email + FROM $table_mailcue mailcue, $table_posts posts, + $table_users users, $table_userscourses userscourses + WHERE posts.thread_id='$thread_id' AND posts.post_notification='1' - AND mailcue.thread_id='".Database::escape_string($post_info['thread_id'])."' + AND mailcue.thread_id='$thread_id' AND users.user_id=posts.poster_id + AND users.active=1 + AND userscourses.user_id = users.user_id + AND userscourses.course_code = '$course' GROUP BY users.email"; $result=Database::query($sql); while ($row=Database::fetch_array($result)) { 
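Review bot: `$course` from `api_get_course_id()` is interpolated into the new `userscourses.course_code = '$course'` predicate without `Database::escape_string()`, unlike `$thread_id` a few lines above, and the same query in the 'thread' branch of the next hunk (`@@ -2888`) interpolates it unquoted (`AND userscourses.course_code = $course`), which for a string course code is either a SQL syntax error or a comparison against an identifier rather than the intended value. Whether `api_get_course_id()` can ever return request-derived data is not visible here, so the safe shape is to escape it once where it is assigned, `$course = Database::escape_string(api_get_course_id());`, and use the quoted form `AND userscourses.course_code = '$course'` in both branches. handle_mail_cue's body continues past the end of this hunk.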
@@ -2888,15 +2897,22 @@ function handle_mail_cue($content, $id) { } // deleting the relevant entries from the mailcue - $sql_delete_mailcue="DELETE FROM $table_mailcue WHERE post_id='".Database::escape_string($id)."' AND thread_id='".Database::escape_string($post_info['thread_id'])."'"; + $sql_delete_mailcue="DELETE FROM $table_mailcue + WHERE post_id='".Database::escape_string($id)."' + AND thread_id='".Database::escape_string($post_info['thread_id'])."'"; //$result=Database::query($sql_delete_mailcue); } elseif ($content=='thread') { // sending the mail to all the users that wanted to be informed for replies on this thread. - $sql="SELECT users.firstname, users.lastname, users.user_id, users.email FROM $table_mailcue mailcue, $table_posts posts, $table_users users + $sql="SELECT users.firstname, users.lastname, users.user_id, users.email + FROM $table_mailcue mailcue, $table_posts posts, + $table_users users, $table_userscourses userscourses WHERE posts.thread_id='".Database::escape_string($id)."' AND posts.post_notification='1' AND mailcue.thread_id='".Database::escape_string($id)."' AND users.user_id=posts.poster_id + AND users.active=1 + AND userscourses.user_id = users.user_id + AND userscourses.course_code = $course GROUP BY users.email"; $result=Database::query($sql); while ($row=Database::fetch_array($result)) { diff --git a/main/link/link.php b/main/link/link.php index 0cc7e321c5..1fe3cbac48 100755 --- a/main/link/link.php +++ b/main/link/link.php @@ -16,6 +16,7 @@ * @author René Haentjens, added CSV file import (October 2004) * @package chamilo.link * @todo improve organisation, tables should come from database library + * @todo Needs serious rewriting here. This doesn't make sense */ /* INIT SECTION */ 
@@ -81,6 +82,7 @@ $submit_link = isset($_REQUEST['submitLink']); $action = !empty($_REQUEST['action']) ? $_REQUEST['action'] : ''; $category_title = !empty($_REQUEST['category_title']) ? $_REQUEST['category_title'] : ''; $submit_category = isset($_POST['submitCategory']); +$target_link = !empty($_REQUEST['target_link']) ? $_REQUEST['target_link'] : '_self'; $nameTools = get_lang('Links'); @@ -275,12 +277,16 @@ if (api_is_allowed_to_edit(null, true) && isset($_GET['action'])) { '.get_lang('AddTargetOfLinkOnHomepage').'
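Review bot: `$target_link` is taken straight from `$_REQUEST['target_link']` with only an emptiness check before falling back to `'_self'`, and the linkfunctions.php hunk `@@ -300` shows the same variable being refilled from the `target` column, so a request value that is not a valid HTML target can round-trip through storage and back into the form. Restrict it at this line, e.g. `$target_link = (isset($_REQUEST['target_link']) && in_array($_REQUEST['target_link'], array('_self', '_blank', '_parent', '_top'), true)) ? $_REQUEST['target_link'] : '_self';`, and pass it through `htmlspecialchars()` wherever it is echoed into markup. Where the value is written to the database and how it is rendered are both outside this diff, so the exact accepted set should match what the form offers.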
- +
'; diff --git a/main/link/linkfunctions.php b/main/link/linkfunctions.php index d93a2ff69d..750317062c 100755 --- a/main/link/linkfunctions.php +++ b/main/link/linkfunctions.php @@ -293,6 +293,7 @@ function editlinkcategory($type) { global $description; global $category_title; global $onhomepage; + global $target_link; $tbl_link = Database :: get_course_table(TABLE_LINK); $tbl_categories = Database :: get_course_table(TABLE_LINK_CATEGORY); @@ -300,18 +301,20 @@ function editlinkcategory($type) { if ($type == 'link') { // This is used to populate the link-form with the info found in the database - $sql = "SELECT * FROM ".$tbl_link." WHERE id='".$_GET['id']."'"; - $result = Database::query($sql); - if ($myrow = Database::fetch_array($result)) { - $urllink = $myrow['url']; - $title = $myrow['title']; - $description = $myrow['description']; - $category = $myrow['category_id']; - if ($myrow['on_homepage'] != 0) { - $onhomepage = 'checked'; + if (!empty($_GET['id'])) { + $sql = "SELECT * FROM ".$tbl_link." WHERE id='".intval($_GET['id'])."'"; + $result = Database::query($sql); + if ($myrow = Database::fetch_array($result)) { + $urllink = $myrow['url']; + $title = $myrow['title']; + $description = $myrow['description']; + $category = $myrow['category_id']; + if ($myrow['on_homepage'] != 0) { + $onhomepage = 'checked'; + } + $target_link = $myrow['target']; } } - // This is used to put the modified info of the link-form into the database if ($_POST['submitLink']) { @@ -331,7 +334,7 @@ function editlinkcategory($type) { $category_id = $row['category_id']; if ($category_id != $_POST['selectcategory']) { - $sql = "SELECT MAX(display_order) FROM ".$tbl_link." WHERE category_id='".$_POST['selectcategory']."'"; + $sql = "SELECT MAX(display_order) FROM ".$tbl_link." WHERE category_id='".intval($_POST['selectcategory'])."'"; $result = Database::query($sql); list ($max_display_order) = Database::fetch_row($result); $max_display_order ++; 
@@ -344,11 +347,11 @@ function editlinkcategory($type) { // Update search enchine and its values table if enabled if (api_get_setting('search_enabled') == 'true') { - $link_id = $_POST['id']; + $link_id = intval($_POST['id']); $course_id = api_get_course_id(); - $link_url = $_POST['urllink']; - $link_title = $_POST['title']; - $link_description = $_POST['description']; + $link_url = Database::escape_string($_POST['urllink']); + $link_title = Database::escape_string($_POST['title']); + $link_description = Database::escape_string($_POST['description']); // Actually, it consists on delete terms from db, insert new ones, create a new search engine document, and remove the old one // get search_did @@ -440,7 +443,7 @@ function editlinkcategory($type) { // This is used to populate the category-form with the info found in the database if (!$submit_category) { - $sql = "SELECT * FROM ".$tbl_categories." WHERE id='".$_GET['id']."'"; + $sql = "SELECT * FROM ".$tbl_categories." WHERE id='".intval($_GET['id'])."'"; $result = Database::query($sql); if ($myrow = Database::fetch_array($result)) { $category_title = $myrow["category_title"]; @@ -512,10 +515,10 @@ function showlinksofcategory($catid) { $myrow[3] = text_filter($myrow[3]); if ($myrow['visibility'] == '1') { - echo '', get_lang('Link'), '', Security::remove_XSS($myrow[2]), '', $session_img, '
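Review bot: In the `search_enabled` branch, `$link_url`, `$link_title` and `$link_description` now hold the SQL-escaped form of the POST values, but the comment just below says they feed the search-engine document (delete terms, insert new ones, create a new document), which is not a SQL interpolation sink; if the indexer receives these variables, the backslashes added by `Database::escape_string()` end up in the indexed text and in any terms later matched against raw input. Escaping is context-specific, so keep the raw values here, e.g. `$link_title = $_POST['title'];`, and apply `Database::escape_string()` only at the point where each value is interpolated into a query. The code that consumes these variables lies outside this hunk, so this is inferred from the comment; `intval($_POST['id'])` for `$link_id` is fine as is. editlinkcategory's body continues past the end of this hunk.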
', $myrow[3]; + echo '', get_lang('Link'), '', Security::remove_XSS($myrow[2]), '', $session_img, '
', $myrow[3]; } else { if (api_is_allowed_to_edit(null, true)) { - echo '\n", $session_img, '
', $myrow[3]; + echo '\n", $session_img, '
', $myrow[3]; } } @@ -678,23 +681,23 @@ function get_cat($catname) { function put_link($url, $cat, $title, $description, $on_homepage, $hidden) { $tbl_link = Database :: get_course_table(TABLE_LINK); - $urleq = "url='".addslashes($url)."'"; - $cateq = "category_id=".$cat; + $urleq = "url='".Database::escape_string($url)."'"; + $cateq = "category_id=".intval($cat); $result = Database::query("SELECT id FROM $tbl_link WHERE ".$urleq.' AND '.$cateq); if (Database::num_rows($result) >= 1 && ($row = Database::fetch_array($result))) { - Database::query("UPDATE $tbl_link set title='".addslashes($title)."', description='".addslashes($description)."' WHERE id='".addslashes($id = $row['id'])."'"); + Database::query("UPDATE $tbl_link set title='".Database::escape_string($title)."', description='".Database::escape_string($description)."' WHERE id='".Database::escape_string($row['id'])."'"); $lang_link = get_lang('update_link'); $ipu = 'LinkUpdated'; $rv = 1; // 1 = upd } else { // Add new link - $result = Database::query("SELECT MAX(display_order) FROM $tbl_link WHERE category_id='".addslashes($cat)."'"); + $result = Database::query("SELECT MAX(display_order) FROM $tbl_link WHERE category_id='".intval($cat)."'"); list ($max_order) = Database::fetch_row($result); - Database::query("INSERT INTO $tbl_link (url, title, description, category_id, display_order, on_homepage) VALUES ('".addslashes($url)."','".addslashes($title)."','".addslashes($description)."','".addslashes($cat)."','". ($max_order +1)."','".$on_homepage."')"); + Database::query("INSERT INTO $tbl_link (url, title, description, category_id, display_order, on_homepage) VALUES ('".Database::escape_string($url)."','".Database::escape_string($title)."','".Database::escape_string($description)."','".intval($cat)."','". (intval($max_order) +1)."','".intval($on_homepage)."')"); $id = Database::insert_id(); $lang_link = get_lang('new_link');