author | Simon Rettberg | 2014-06-11 17:30:44 +0200 |
committer | Simon Rettberg | 2014-06-11 17:30:44 +0200 |
commit | 5f5a073b4e5f5014adaa14d4d1dfe355ff803f8d (patch) | |
tree | 883d3e4c91317ed05a391dbdc4c12f69afa26711 /modules | |
parent | [news] Fix SQL injection (diff) | |
[news] Make nicer
1) Delete via POST
2) Error message if newsId is missing on delete
3) Highlight last news if not editing a specific news entry
4) Fix html syntax (missing <tr> in <thead>)
Diffstat (limited to 'modules')
-rw-r--r-- | modules/news.inc.php | 58 |
1 files changed, 26 insertions, 32 deletions
diff --git a/modules/news.inc.php b/modules/news.inc.php
index 4ec6fddd..3b7ef2bc 100644
--- a/modules/news.inc.php
+++ b/modules/news.inc.php
@@ -12,48 +12,39 @@ class Page_News extends Page
 // load user, we will need it later
 User::load();
- // get the newsid given per GET
- $newsId = Request::get('newsid');
- if ($newsId !== false) $this->newsId = $newsId;
+ // only admins should be able to edit news
+ if (!User::hasPermission('superadmin')) {
+ Message::addError('no-permission');
+ return;
+ }
 // check which action we need to do
 $action = Request::any('action', 'show');
 if ($action === 'show') {
 // show news
- $this->showNews();
+ if (!$this->loadNews(Request::any('newsid'))) {
+ Message::addError('news-empty');
+ }
 } elseif ($action === 'save') {
 // save to DB
 $this->saveNews();
 } elseif ($action === 'delete') {
 // delete it
- $this->delNews();
+ $this->delNews(Request::post('newsid'));
 } else {
 Message::addError('invalid-action', $action);
+ Util::redirect('?do=News');
 }
 }
 protected function doRender()
 {
- // user must be logged in
- if (!User::isLoggedIn()) {
- Render::addTemplate('page-main-guest');
- return;
- }
-
- // only admins should be able to edit news
- if (!User::hasPermission('superadmin')) {
- Message::addError('no-permission');
- return;
- }
-
- // prepare the list of the older news
 $lines = array();
 $paginate = new Paginate("SELECT newsid, dateline, title, content FROM news ORDER BY dateline DESC", 10);
 $res = $paginate->exec();
 while ($row = $res->fetch(PDO::FETCH_ASSOC)) {
- $day = date('d.m.Y', $row['dateline']);
- $row['date'] = $day . date(' H:i', $row['dateline']);
+ $row['date'] = date('d.m.Y H:i', $row['dateline']);
 if ($row['newsid'] == $this->newsId) $row['active'] = "active";
 $lines[] = $row;
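Review bot: The delete branch now takes `Request::post('newsid')`, but nothing in this hunk compares a posted token with the `Session::get('token')` value the render code hands to the template, so unless the base Page validates it before doPreprocess runs, a form post made by an admin's browser from another site can still trigger the deletion; a guard such as `if (Request::post('token') !== Session::get('token')) { Message::addError('no-permission'); Util::redirect('?do=News'); }` before `$this->delNews(...)` would close that (assuming the template submits the field as `token`). Separately, the `no-permission` branch only returns from doPreprocess while the old guards in doRender were removed, so if the base class still calls doRender afterwards the list and the edit form are rendered for non-admins; either redirect there as the invalid-action branch does, or keep a guard in doRender. The enclosing doPreprocess starts before the hunk.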
@@ -61,7 +52,7 @@ class Page_News extends Page
 $paginate->render('page-news', array(
 'token' => Session::get('token'),
- 'latestDate' => date('Y-m-d H:i:s (T)', $this->newsDate),
+ 'latestDate' => ($this->newsDate ? date('d.m.Y H:i', $this->newsDate) : '--'),
 'latestContent' => $this->newsContent,
 'latestTitle' => $this->newsTitle,
 'list' => $lines
@@ -69,12 +60,12 @@ class Page_News extends Page
 }
- private function showNews()
+ private function loadNews($newsId)
 {
 // check to see if we need to request a specific newsid
- if ($this->newsId !== false) {
+ if ($newsId !== false) {
 $row = Database::queryFirst("SELECT newsid, title, content, dateline FROM news WHERE newsid = :newsid LIMIT 1", array(
- 'newsid' => $this->newsId
+ 'newsid' => $newsId
 ));
 } else {
 $row = Database::queryFirst("SELECT newsid, title, content, dateline FROM news ORDER BY dateline DESC LIMIT 1");
@@ -82,13 +73,12 @@ class Page_News extends Page
 // fetch the news to be shown
 if ($row !== false) {
+ $this->newsId = $row['newsid'];
 $this->newsTitle = $row['title'];
 $this->newsContent = $row['content'];
 $this->newsDate = $row['dateline'];
- } else {
- Message::addError('news-empty');
 }
-
+ return $row !== false;
 }
 private function saveNews()
@@ -109,12 +99,16 @@ class Page_News extends Page
 }
 }
- private function delNews()
+ private function delNews($newsId)
 {
- Database::exec("DELETE FROM news WHERE newsid = :newsid LIMIT 1", array(
- 'newsid' => $this->newsId
- ));
- Message::addSuccess('news-del-success');
+ if (!is_numeric($newsId)) {
+ Message::addError('value-invalid', 'newsid', $newsId);
+ } else {
+ Database::exec("DELETE FROM news WHERE newsid = :newsid LIMIT 1", array(
+ 'newsid' => $newsId
+ ));
+ Message::addSuccess('news-del-success');
+ }
 Util::redirect('?do=News');
 }
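Review bot: loadNews only tests `$newsId !== false`, so a submitted but non-numeric value (an empty form field, for instance) is handed to the bound query and surfaces as `news-empty` instead of the `value-invalid` message delNews now emits for the same input; the same `is_numeric` check, or a shared private validator used by both methods, would keep the two paths consistent. The query itself is parameterised, so this is a usability and consistency point rather than an injection one. The new method also has no docblock; a short one stating that `$newsId` is the requested id or `false` for "latest", that the loaded row is written to the newsId/newsTitle/newsContent/newsDate properties, and that the boolean return is true only when a row was found would save the next reader a trip through the callers. The rest of loadNews continues in the following hunk.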
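Review bot: `is_numeric($newsId)` in delNews also accepts floats, exponent notation and leading whitespace, which is looser than an integer primary key warrants; since the value is bound rather than interpolated this is not an injection risk, but `ctype_digit((string) $newsId)` or casting with `(int) $newsId` would pin the intended type. The rejected value is echoed back through `Message::addError('value-invalid', 'newsid', $newsId)`, which is fine only if Message escapes its arguments before they reach the page; worth confirming since this is attacker-controlled input. `news-del-success` is also reported whether or not a row matched; if `Database::exec` returns the affected row count, conditioning the success message on it would make the feedback truthful.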