diff --git a/account.php b/account.php index dd1c3b8..ace194c 100644 --- a/account.php +++ b/account.php @@ -3,17 +3,37 @@ require_once('connection/SQL.php'); require_once('config.php'); require_once('include/view.php'); require_once('include/security.php'); +require_once('include/user.php'); + +$user = validate_user(); +if (!$user->valid) { + http_response_code(403); + header("Location: index.php?err=account"); + exit; +} if (isset($_POST['username']) && trim($_POST['username']) != "" && isset($_POST['password']) && isset($_POST['name']) && isset($_POST['email'])) { // create new account + if (!$blog['register']) { + http_response_code(403); + header('axios-location: account.php'); + exit; + } + if (!validate_csrf()) { http_response_code(403); header('axios-location: account.php?new'); exit; } + $username = $_POST['username']; - $exist = cavern_query_result("SELECT * FROM `user` WHERE `username`='%s' OR `email`='%s'", array($username, $_POST["email"]))['num_rows']; - if ($exist == 0) { + try { + $target_user = new User($username); + + http_response_code(409); // 409 Conflict + header('axios-location: account.php?new&err=used'); + exit; + } catch (NoUserException $e) { if (preg_match('/^[a-z][a-z0-9\_\-]*$/', $username) && strlen($username) <= 20 && strlen($_POST['name']) <= 40 && filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)) { $SQL->query("INSERT INTO `user` (`username`, `pwd`, `name`, `email`) VALUES ('%s', '%s', '%s', '%s')", array($username, cavern_password_hash($_POST['password'], $username), htmlspecialchars($_POST['name']), $_POST['email'])); header('axios-location: index.php?ok=reg'); 
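Review bot: The duplicate-account check in the new try block only covers the username: the removed query also matched the e-mail column, while `new User($username)` looks up by username alone as far as this diff shows, so a registration that reuses an already-registered e-mail is no longer rejected here unless the table itself enforces uniqueness. Keep an explicit e-mail check before the insert, e.g. ``if (cavern_query_result("SELECT 1 FROM `user` WHERE `email`='%s'", array($_POST['email']))['num_rows'] > 0) {`` followed by the existing 409 response. `$target_user` is assigned in the try block but never read, and routing the success path through the `NoUserException` catch hides the control flow; an existence query would read more directly. The enclosing if-block continues past the end of the hunk.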
@@ -22,12 +42,8 @@ if (isset($_POST['username']) && trim($_POST['username']) != "" && isset($_POST[
 header('axios-location: index.php?err=miss');
 }
 exit;
- } else {
- http_response_code(409); // 409 Conflict
- header('axios-location: account.php?new&err=used');
- exit;
 }
-} else if (isset($_SESSION['cavern_username']) && isset($_POST['username']) && isset($_POST['old']) && (isset($_POST['name']) || isset($_POST['new']))) {
+} else if ($user->islogin && isset($_POST['username']) && isset($_POST['old']) && (isset($_POST['name']) || isset($_POST['new']))) {
 // modify account data
 if (!validate_csrf()) {
 http_response_code(403);
@@ -35,7 +51,7 @@ if (isset($_POST['username']) && trim($_POST['username']) != "" && isset($_POST[
 exit;
 }
 $username = $_POST['username'];
- if ($username != $_SESSION['cavern_username']) {
+ if ($username !== $user->username) {
 // not the same person
 http_response_code(403);
 header('axios-location: account.php?err=edit');
@@ -77,11 +93,11 @@ if (isset($_POST['username']) && trim($_POST['username']) != "" && isset($_POST[
 exit;
 }
 }
-} else if (!isset($_SESSION['cavern_username']) && !isset($_GET['new'])) {
- // if mode isn't definded, redirect to register page
+} else if (!$user->islogin && !isset($_GET['new'])) {
+ // if mode isn't defined, redirect to register page
 header('Location: account.php?new');
 exit;
-} else if (isset($_SESSION['cavern_username']) && isset($_GET['new'])) {
+} else if ($user->islogin && isset($_GET['new'])) {
 // if someone is logged in, then redirect to account setting page
 header('Location: account.php');
 exit;
@@ -141,11 +157,6 @@ if (isset($_GET['new'])) { $view->render(); } else { // edit account data - $username = $_SESSION['cavern_username']; - $result = cavern_query_result("SELECT * FROM `user` WHERE `username`='%s'", array($username)); - $name = $result['row']['name']; - $email = $result['row']['email']; - $view = new View('theme/default.html', 'theme/nav/util.php', 'theme/sidebar.php', $blog['name'], "帳號"); $view->add_script_source("ts('.ts.dropdown').dropdown();"); $view->add_script("./include/js/security.js"); @@ -180,25 +191,25 @@ if (isset($_GET['new'])) {
- +
?
- +
- + 上限40字元。
- + 透過電子信箱,在 Gravatar 更改你的頭貼。
diff --git a/notification.php b/notification.php index 21e1621..53cfd32 100644 --- a/notification.php +++ b/notification.php @@ -2,13 +2,21 @@ require_once('connection/SQL.php'); require_once('config.php'); require_once('include/view.php'); +require_once('include/user.php'); -if (isset($_SESSION['cavern_username'])) { +$user = validate_user(); +if (!$user->valid) { + http_response_code(403); + header("Location: index.php?err=account"); + exit; +} + +if ($user->islogin) { $view = new View('theme/default.html', 'theme/nav/util.php', 'theme/sidebar.php', $blog['name'], "通知"); $view->add_script_source("ts('.ts.dropdown:not(.basic)').dropdown();"); $view->add_script("./include/js/security.js"); - $notice_list = cavern_query_result("SELECT * FROM `notification` WHERE `username` = '%s' ORDER BY `time` DESC", array($_SESSION['cavern_username'])); + $notice_list = cavern_query_result("SELECT * FROM `notification` WHERE `username` = '%s' ORDER BY `time` DESC", array($user->username)); if ($notice_list['num_rows'] > 0) { $regex = array( diff --git a/post.php b/post.php index ad38acb..667b978 100644 --- a/post.php +++ b/post.php @@ -12,7 +12,7 @@ require_once('notification.php'); $user = validate_user(); if (!$user->valid) { http_response_code(403); - header("Location: ../index.php?err=account"); + header("Location: index.php?err=account"); exit; } diff --git a/user.php b/user.php index 727e71c..19ac4d7 100644 --- a/user.php +++ b/user.php 
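Review bot: The `http_response_code(403)` in the new validate_user() guard is overwritten before it reaches the client: PHP turns a `Location:` header into a 302 unless a 201 or 3xx status has already been set, so the response is a plain redirect and access logs will most likely record 302, not 403. Pick one behaviour: keep the redirect and drop the 403 call (optionally setting the status explicitly, `header('Location: index.php?err=account', true, 303);`), or answer 403 with an error page and no Location header. The same pair is added in this commit's account.php and user.php guards, and post.php already carries it.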
@@ -2,28 +2,34 @@ require_once('connection/SQL.php'); require_once('config.php'); require_once('include/view.php'); +require_once('include/user.php'); + +$user = validate_user(); +if (!$user->valid) { + http_response_code(403); + header("Location: index.php?err=account"); + exit; +} if (isset($_GET['username']) && trim($_GET['username']) != "") { $username = trim($_GET['username']); - $result = cavern_query_result("SELECT * FROM `user` WHERE `username`='%s'", array($username)); - if ($result['num_rows'] > 0) { - $name = $result['row']['name']; - $level = $result['row']['level']; - $email = md5(strtolower($result['row']['email'])); - $role = cavern_level_to_role($level); - $posts = cavern_query_result("SELECT * FROM `post` WHERE `username`='%s'", array($username)); - $posts_count = ($posts['num_rows'] > 0 ? $posts['num_rows'] : 0); - } else { + + try { + $target_user = new User($username); + } catch (NoUserException $e) { http_response_code(404); header('Location: user.php?err=no'); exit; } - - if (isset($_SESSION['cavern_username'])) { - $view = new View('theme/default.html', 'theme/nav/util.php', 'theme/sidebar.php', $blog['name'], $name); + + $posts = cavern_query_result("SELECT * FROM `post` WHERE `username`='%s'", array($username)); + $posts_count = ($posts['num_rows'] > 0 ? $posts['num_rows'] : 0); + + if ($user->islogin) { + $view = new View('theme/default.html', 'theme/nav/util.php', 'theme/sidebar.php', $blog['name'], $target_user->name); $view->add_script_source("ts('.ts.dropdown').dropdown();"); } else { - $view = new View('theme/default.html', 'theme/nav/default.html', 'theme/sidebar.php', $blog['name'], $name); + $view = new View('theme/default.html', 'theme/nav/default.html', 'theme/sidebar.php', $blog['name'], $target_user->name); } $view->add_script("./include/js/security.js"); @@ -35,11 +41,11 @@ if (isset($_GET['username']) && trim($_GET['username']) != "") { } } ?> -
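Review bot: `$posts_count = ($posts['num_rows'] > 0 ? $posts['num_rows'] : 0);` is a no-op guard, since a row count is never negative; `$posts_count = $posts['num_rows'];` says the same thing. The query it follows selects every column of every post by that user only to count them, so a `SELECT COUNT(*)` read from the result row would avoid loading the rows, assuming cavern_query_result exposes it the way `['row']` is used elsewhere in this diff. Both lines are moved rather than new, so this may be outside the scope of this commit. The surrounding if-block continues past the end of the hunk.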
的個人資料
+
name ?> 的個人資料
- +
@@ -57,11 +63,11 @@ if (isset($_GET['username']) && trim($_GET['username']) != "") { 暱稱 - + name ?> 權限 - + level) ?>
@@ -87,7 +93,7 @@ if (isset($_GET['username']) && trim($_GET['username']) != "") {
 render();
 } else {
 if (isset($_GET['err'])) {
- if (isset($_SESSION['cavern_username'])) {
+ if ($user->islogin) {
 $view = new View('theme/default.html', 'theme/nav/util.php', 'theme/sidebar.php', $blog['name'], "使用者");
 $view->add_script_source("ts('.ts.dropdown').dropdown();");
 } else {