CSRF stuff I guess

This commit is contained in:
Floorb 2022-03-14 15:43:01 -04:00
parent 52a1c86bd9
commit e89de763d5
21 changed files with 148 additions and 262 deletions


@ -1,52 +0,0 @@
Options +FollowSymLinks
RewriteEngine on
<IfModule mod_rewrite.c>
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^page/([a-zA-Z0-9]+)/? pages.php?page=$1 [L]
RewriteRule ^archive archive.php [L]
RewriteRule ^discover discover.php [L]
RewriteRule ^profile profile.php [L]
RewriteRule ^user/([^/]+)/?$ user.php?user=$1 [L]
RewriteRule ^user/([^/]+)/([^/]+)/?$ user.php?user=$1&q=$2 [L]
RewriteRule ^contact contact.php [L]
RewriteRule ^download/(.*)$ paste.php?download&id=$1 [L]
RewriteRule ^raw/(.*)$ paste.php?raw&id=$1 [L]
RewriteRule ^embed/(.*)$ paste.php?embed&id=$1 [L]
RewriteRule ^report report.php [L]
RewriteRule ^event event.php [L]
Options +FollowSymLinks
RewriteBase /
RewriteCond %{HTTP_USER_AGENT} "=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0" [OR]
RewriteCond %{HTTP_USER_AGENT} "=Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0" [OR]
RewriteCond %{HTTP_USER_AGENT} "=Mozilla/5.0 (Windows NT 6.2; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0" [OR]
RewriteCond %{HTTP_USER_AGENT} "=Mozilla/5.0 (Windows NT 6.2; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0" [OR]
RewriteCond %{HTTP_USER_AGENT} "=Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36" [OR]
RewriteCond %{HTTP_USER_AGENT} "=Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0" [OR]
RewriteCond %{HTTP_USER_AGENT} "=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0" [OR]
RewriteCond %{HTTP_USER_AGENT} Mb2345Browser|LieBaoFast|zh-CN|MicroMessenger|zh_CN|Kinza|Datanyze|serpstatbot|spaziodati|OPPO\sA33|AspiegelBot|aspiegel|PetalBot|SemrushBot/7~bl [NC]
RewriteRule ^ - [F,L]
</IfModule>
<IfModule mod_rewrite.c>
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ paste.php?id=$1 [L]
</IfModule>
# compress text, html, javascript, css, xml:
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/x-javascript
# Or, compress certain file types by extension:
<files *.html>
SetOutputFilter DEFLATE
</files>


@ -5,4 +5,4 @@ punishedponepaste
# Building the JS
When you change the JS, you need to rebuild it. `assets/bundle.js` is used in dev, `assets/bundle.min.js` is used in production.
You need Yarn (version 1, not version 2 - 2 may work but I haven't tried it.) After that, whenever you change anything under `js/`, you need to run `yarn rollup --config`. Good luck!
You need Yarn (version 1, not version 2 - 2 may work, but I haven't tried it.) After that, whenever you change anything under `js/`, you need to run `yarn rollup --config`. Good luck!


@ -7,6 +7,7 @@ use PonePaste\Models\UserSession;
class SessionHelper {
public const REMEMBER_TOKEN_COOKIE = '_ponepaste_token';
public const CSRF_TOKEN_KEY = 'csrf_token';
public static function currentUser() {
$session_user = SessionHelper::currentUserFromPhpSession();
@ -60,7 +61,6 @@ class SessionHelper {
return null;
}
return User::find(intval($_SESSION['user_id']));
}
}
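Review bot: `CSRF_TOKEN_KEY = 'csrf_token'` names both the `$_SESSION` slot and the POST field that verifyCsrfToken() reads, yet the templates and user_profile.js in this commit hard-code the field as the literal `name="csrf_token"`, so the constant cannot be changed on its own without breaking every form. Add a comment on the constant such as `// Session key AND the POST field name; templates/JS hard-code 'csrf_token', keep in sync`, or emit the field name from the constant in the templates. The commented-out `//SessionHelper::setupCsrfToken();` in includes/common.php suggests the helpers were originally meant to live on this class; if so, the two free functions added to common.php could move here as static methods.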


@ -33,8 +33,6 @@ class Paste extends Model {
$this->tags()->attach($tag);
}
// FIXME: We need to get rid of tagsys.
$this->tagsys = implode(',', $tags);
$this->save();
}


@ -89,7 +89,7 @@ function captcha($color, $mode, $mul, $allowed) : array {
}
// Generate HTML for image src
$image_src = substr(__FILE__, strlen(realpath($_SERVER['DOCUMENT_ROOT']))) . '?_CAPTCHA&amp;t=' . urlencode(microtime());
$image_src = substr(__FILE__, strlen(realpath($_SERVER['DOCUMENT_ROOT']))) . '?_CAPTCHA&_R=' . urlencode(rand());
$image_src = '/' . ltrim(preg_replace('/\\\\/', '/', $image_src), '/');
$_SESSION['_CAPTCHA']['config'] = serialize($captcha_config);
@ -125,7 +125,6 @@ if (!function_exists('hex2rgb')) {
// Draw the image
if (isset($_GET['_CAPTCHA'])) {
session_start();
$captcha_config = unserialize(@$_SESSION['_CAPTCHA']['config']);
@ -178,5 +177,4 @@ if (isset($_GET['_CAPTCHA'])) {
// Output image
header("Content-type: image/png");
imagepng($captcha);
}


@ -5,6 +5,7 @@ if (!defined('IN_PONEPASTE')) {
require_once(__DIR__ . '/../vendor/autoload.php');
require_once(__DIR__ . '/config.php');
require_once(__DIR__ . '/functions.php');
require_once(__DIR__ . '/passwords.php');
require_once(__DIR__ . '/DatabaseHandle.class.php');
use Illuminate\Database\Capsule\Manager as Capsule;
@ -154,6 +155,33 @@ function updatePageViews() : void {
}
}
function setupCsrfToken() : string {
if (isset($_SESSION[SessionHelper::CSRF_TOKEN_KEY])) {
return $_SESSION[SessionHelper::CSRF_TOKEN_KEY];
}
$token = pp_random_token();
$_SESSION[SessionHelper::CSRF_TOKEN_KEY] = $token;
return $token;
}
function verifyCsrfToken($token = null) : bool {
if ($token === null) {
$token = $_POST[SessionHelper::CSRF_TOKEN_KEY];
}
if (empty($token) || empty($_SESSION[SessionHelper::CSRF_TOKEN_KEY])) {
return false;
}
$success = hash_equals($_SESSION[SessionHelper::CSRF_TOKEN_KEY], $token);
unset($_SESSION[SessionHelper::CSRF_TOKEN_KEY]);
return $success;
}
session_start();
/* Set up the database and Eloquent ORM */
@ -215,6 +243,8 @@ $total_unique_views = PageView::select('tvisit')->orderBy('id', 'desc')->first()
$current_user = SessionHelper::currentUser();
//SessionHelper::setupCsrfToken();
$script_bundles = [];
/* Security headers */
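Review bot: In the verifyCsrfToken() hunk, `$token = $_POST[SessionHelper::CSRF_TOKEN_KEY];` reads the field without checking it exists, and whatever arrives is handed to hash_equals(), which throws a TypeError under PHP 8 when the posted value is not a string (for example when the field is submitted as an array). Change the read to `$token = $_POST[SessionHelper::CSRF_TOKEN_KEY] ?? null;`, the guard to `if (!is_string($token) || $token === '' || empty($_SESSION[SessionHelper::CSRF_TOKEN_KEY]))`, and declare the parameter as `?string $token = null`. The session token is unset after every comparison, successful or not, so a user with two forms open will have the second submission rejected; that is a defensible single-use design but deserves a docblock on the function saying so, since every caller then has to re-issue a token via setupCsrfToken() before rendering. setupCsrfToken() relies on pp_random_token(), which presumably comes from the passwords.php require added in the first hunk; confirm it is backed by random_bytes() or equivalent.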


@ -55,13 +55,6 @@ function tagsToHtmlUser(string | array | Collection $tags, $profile_username) :
return $output;
}
function getevent($conn, $event_name, $count) {
$query = $conn->prepare("SELECT id, visible, title, date, now_time, views, member FROM pastes WHERE visible='1' AND tagsys LIKE '%?%'
ORDER BY RAND () LIMIT 0, ?");
$query->execute([$event_name, $count]);
return $query->fetchAll();
}
function linkify($value, $protocols = array('http', 'mail'), array $attributes = array()) {
// Link attributes
$attr = '';
@ -150,7 +143,7 @@ function truncate(string $input, int $maxWords, int $maxChars) : string {
return $result . ($input == $result ? '' : '[...]');
}
function embedView($paste_id, $p_title, $content, $p_code, $title, $baseurl, $lang) {
function embedView($paste_id, $p_title, $content, $title) {
$stats = false;
if ($content) {
// Build the output


@ -75,6 +75,11 @@ updatePageViews();
// POST Handler
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
if (!verifyCsrfToken()) {
$error = 'Incorrect CSRF token (do you have cookies enabled?)';
goto OutPut;
}
$error = validatePasteFields();
if ($error !== null) {
@ -172,6 +177,8 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
}
}
OutPut:
$csrf_token = setupCsrfToken();
$page_template = 'main';
require_once('theme/' . $default_theme . '/common.php');
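Review bot: The failure message `'Incorrect CSRF token (do you have cookies enabled?)'` is duplicated with slightly different wording in paste.php and profile.php (`'Invalid CSRF token ...'`); a single constant or helper next to verifyCsrfToken() would keep the three in step and make the condition greppable. The `goto OutPut` path only works because `$csrf_token = setupCsrfToken();` after the label re-issues the token that verifyCsrfToken() consumed, so a one-line comment there (`// verifyCsrfToken() consumed the token; issue a fresh one for the re-rendered form`) would make the ordering explicit. The POST handler continues outside the hunk.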


@ -224,6 +224,10 @@ class DataTable {
}
const dumbFilterCallback = (datum, query) => {
if (!query) {
return true;
}
if (datum.title.indexOf(query) !== -1) {
return true;
}


@ -2,6 +2,16 @@ import { escape, whenReady } from './dom';
import { DataTable, dumbFilterCallback } from './data_tables';
import { globalSetup } from './main';
const getUserInfo = () => {
const elem = document.getElementById('js-data-holder');
if (!elem) {
return { userId: null, csrfToken: null };
}
return { userId: elem.dataset.userId, csrfToken: elem.dataset.csrfToken };
};
const parsePasteInfo = (elem) => {
if (!elem.dataset.pasteInfo) {
return null;
@ -40,12 +50,23 @@ whenReady(() => {
</a>`;
}).join('');
const userData = getUserInfo();
const deleteElem = true ? `<td>
<form action="/${rowData.id}" method="POST">
<input type="hidden" name="delete" value="delete" />
<input type="hidden" name="csrf_token" value="${userData.csrfToken}" />
<input type="submit" value="Delete" />
</form>
</td>` : '';
return `<tr>
<td><a href="/${rowData.id}">${escape(rowData.title)}</a></td>
<td>${rowData.created_at}</td>
<td>${rowData.visibility}</td>
<td>${rowData.views || 0}</td>
<td>${tags}</td>
${deleteElem}
</tr>`;
},
filterCallback: dumbFilterCallback,
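Review bot: `const deleteElem = true ? ... : ''` is a placeholder condition, so the Delete form is rendered for every row, including on profiles the viewer does not own, and for anonymous visitors `userData.csrfToken` is `null`, which interpolates the literal text "null" into the hidden input. Gate it on the data the page actually has, e.g. `const deleteElem = userData.csrfToken ? ... : '';`, and ideally compare `userData.userId` with the profile owner's id if that is exposed to the page (it is not in this hunk). For consistency with the other interpolated values, wrap the token as `${escape(userData.csrfToken)}` using the `escape` helper already imported at the top. The enclosing row-rendering callback starts before this hunk.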


@ -7,13 +7,16 @@ use PonePaste\Models\Page;
updatePageViews();
$page_title = 'Page not found';
if (isset($_GET['page'])) {
$page = Page::select('page_title', 'page_content', 'last_date')
->where('page_name', $_GET['page'])
->first();
$page_title = $page->page_title;
} else {
$page_title = 'Page not found';
if (isset($page)) {
$page_title = $page->page_title;
}
}
$page_template = 'pages';


@ -2,7 +2,6 @@
define('IN_PONEPASTE', 1);
require_once('includes/common.php');
require_once('includes/functions.php');
require_once('includes/passwords.php');
use Highlight\Highlighter;
use PonePaste\Models\Paste;
@ -55,6 +54,13 @@ if (!$paste) {
goto Not_Valid_Paste;
}
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
if (!verifyCsrfToken()) {
$notfound = 'Invalid CSRF token (do you have cookies enabled?)';
goto Not_Valid_Paste;
}
}
$paste_owner_id = $paste->user->id;
$paste_title = $paste->title;
$paste_code = $paste->code;
@ -72,7 +78,6 @@ $fav_count = $paste->favouriters()->count();
'tags' => getPasteTags($conn, $paste_id)
];*/
//$p_member = $row['member'];
$p_content = $paste->content;
$p_visible = $paste->visible;
$p_expiry = $paste->expiry;
@ -80,7 +85,6 @@ $p_password = $paste->password;
$p_encrypt = (bool) $paste->encrypt;
$paste_is_favourited = $current_user !== null && $current_user->favourites->where('paste_id', $paste->id)->count() === 1;
$is_private = $p_visible === '2';
if ($is_private && (!$current_user || $current_user->id !== $paste_owner_id)) {
@ -88,6 +92,19 @@ if ($is_private && (!$current_user || $current_user->id !== $paste_owner_id)) {
goto Not_Valid_Paste;
}
/* Paste deletion */
if (isset($_POST['delete'])) {
if (!$current_user || ($current_user->id !== $paste_owner_id)) {
$notfound = 'You cannot delete someone else\'s paste!';
goto Not_Valid_Paste;
}
$paste->delete();
flashSuccess('Paste deleted.');
header('Location: ' . urlForMember($current_user));
die();
}
/* Verify paste password */
$password_required = $p_password !== null && $p_password !== 'NONE';
$password_valid = true;
@ -191,7 +208,7 @@ if ($paste_code === "pastedown") {
// Embed view after highlighting is applied so that $p_code is syntax highlighted as it should be.
if (isset($_GET['embed'])) {
embedView($paste_id, $paste_title, $p_content, $paste_code, $title, $baseurl, $lang);
embedView($paste_id, $paste_title, $p_content, $title);
exit();
}
@ -230,5 +247,7 @@ if ($is_private || $notfound || !$password_valid) {
// Display errors
$page_template = 'errors';
}
$csrf_token = setupCsrfToken();
require_once('theme/' . $default_theme . '/common.php');
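Review bot: The new gate `if ($_SERVER['REQUEST_METHOD'] === 'POST') { if (!verifyCsrfToken()) ... }` rejects every POST to paste.php, so any form that posts here without the hidden field now fails; the favourite and edit forms in the paste template gained the field in this commit, but the password-unlock flow under `/* Verify paste password */` continues outside this hunk and I cannot see whether its form was updated, so that is worth checking before merge. In the delete branch, `$current_user->id !== $paste_owner_id` is a strict comparison that is only safe if both ids are ints; the same expression is already used for the private-paste check above, so the two at least fail or succeed together. Because verifyCsrfToken() burns the token on every call, the `$csrf_token = setupCsrfToken();` placed just before the theme include is what lets the error page's forms resubmit; a short comment there (`// token consumed by verifyCsrfToken(); issue a fresh one for the rendered forms`) would explain the ordering.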


@ -6,7 +6,6 @@ require_once('includes/passwords.php');
use PonePaste\Models\Paste;
// Check if already logged in
if ($current_user === null) {
header("Location: ./login.php");
die();
@ -19,7 +18,9 @@ $user_ip = $current_user->ip;
$user_password = $current_user->password;
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
if (isset($_POST['cpassword'])) {
if (!verifyCsrfToken()) {
$error = 'Invalid CSRF token (do you have cookies enabled?)';
} else if (isset($_POST['cpassword'])) {
$user_new_full = trim(htmlspecialchars($_POST['full']));
$user_old_pass = $_POST['old_password'];
if (pp_password_verify($user_old_pass, $user_password)) {
@ -40,8 +41,8 @@ if ($_SERVER['REQUEST_METHOD'] == 'POST') {
updatePageViews();
$total_user_pastes = Paste::where('user_id', $current_user->id)->count();
$csrf_token = setupCsrfToken();
// Theme
$page_template = 'profile';
$page_title = 'My Profile';
require_once('theme/' . $default_theme . '/common.php');
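Review bot: The new `} else if (isset($_POST['cpassword'])) {` should be PSR-12's `} elseif (isset($_POST['cpassword'])) {` to match the file's other branches. The surrounding `if ($_SERVER['REQUEST_METHOD'] == 'POST')` is context, but it is the one place in this commit where the method check is loose while index.php and paste.php use `===`; switching it while touching the block would keep the three scripts consistent. The `$csrf_token = setupCsrfToken();` before the theme include matches the other scripts.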


@ -1,15 +0,0 @@
<?php
define('IN_PONEPASTE', 1);
require_once('includes/common.php');
require_once('includes/functions.php');
//Report paste
$p_reasonrep = Trim(htmlspecialchars($_POST['reasonrep']));
$p_memreport = $current_user ? $current_user->username : 'Guest';
$p_pastereport = $_POST['reppasteid'];
$p_reasonrep = preg_replace("/[^0-9]/", "", $p_reasonrep);
$conn->prepare('INSERT INTO user_reports (m_report, p_report, t_report, rep_reason) VALUES (?, ?, NOW(), ?)')
->execute([$p_memreport, $p_pastereport, $p_reasonrep]);
$repmes = "Paste has been reported.";


@ -125,6 +125,10 @@ $flashes = getFlashes();
</div>
</nav>
<?php if ($current_user): ?>
<div class="hidden" id="js-data-holder" data-user-id="<?= $current_user->id ?>" data-csrf-token="<?= $csrf_token ?>"></div>
<?php endif; ?>
<div id="#signin" class="modal modal-fx-fadeInScale">
<div class="modal-background"></div>
<div class="modal-content modal-card is-tiny">
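Review bot: `data-csrf-token="<?= $csrf_token ?>"` is emitted unguarded in the shared layout, but `$csrf_token` is only assigned in the scripts that call setupCsrfToken() (index.php, paste.php, profile.php and user.php in this commit), so every other logged-in page will raise an undefined-variable warning and hand an empty token to the JS. Either use `data-csrf-token="<?= pp_html_escape($csrf_token ?? '') ?>"` or, better, assign the token once in includes/common.php where `$current_user` is set up, which is what the commented-out `//SessionHelper::setupCsrfToken();` line there seems to have intended. Passing the value through `pp_html_escape()` also keeps it consistent with the other attribute values in these templates.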


@ -57,132 +57,9 @@
<?php }
if (!$site_is_private) { ?>
<div class="notification is-warning">
<strong id="headline">Entries Deadline</strong>
<div id="countdown">
<p>
<span id="days"></span> Days,
<span id="hours"></span> Hours,
<span id="minutes"></span> Minutes,
<span id="seconds"></span> Seconds Remaining
</p>
</div>
<div class="message">
<div id="content">
</div>
</div>
<p>No event right now!</p>
</div>
</div>
<br>
<h1 class="title is-4">Welcome to Ponepaste /pj50kb/ Pastejam
<h1>
<h1 class="title is-5">No context 50kb Challenge
<h1>
<b> What is the PasteJam 50kb challange?</b>
<p> The PasteJam 50kb challenge is a competition that last for two weeks that any one
can join.</p>
<b> What do I win? </b>
<p style="color:green;"> >A fucking badge, plus the best pony game the host can
find.</p>
<img src="/img/prize.png" alt="Prize" />
<p>Note: This is a steam game, winner will be sent a cdkey</p>
<br>
<b> What do I have to do? </b>
<p> A prompt is given and you have to write a 50kb greentext or prose. </p>
<b> Does it have to be exactly 50kb </b>
<p> As close as possible. This is more of a guide due to magin of error.</p>
<b> What will happen if I submit a paste thats under 50kb?</b>
<p> Again, As close as possible.</p>
<b> Can I ask for feedback for my green/prose?</b>
<p> From other anons on /mlp/ is fine.</p>
<b> Can I write anything? </b>
<p> As long it follows the prompt, mlp related and follows Ponepaste rules.</p>
<b> How is the prompt chosen?</b>
<p> Hand picked homonyms.</p>
<b> How do I submit? </b>
<p> Make a <b>UNLISTED</b> paste with /pj50kb/ in the title and tag.</p>
<b> How is the winner chosen?</b>
<p> By a vote after the closing date </p>
<b> When is the closing date? </b>
<p> 28th of May </p>
<b> When does the voting start? </b>
<p> 28th of May, to gives (you) time to read.</p>
<b> Where do I vote? </b>
<p> Here, on this page.</p>
<b> How long will the vote last? </b>
<p> Two weeks. Vote ends on 11th of June, 8pm UTC </p>
<b> What will I be voting on?</b>
<p> How well the story is written, how unique the idea is and how it fits the
prompt. </p>
<b>Can the entry be a sequel/ side arc of one of their existing greens?</b>
<p>It must be a stand alone story. </p>
<br>
<br>
<div class="notification is-info">
<strong>Prompt:</strong>
<figure>
<figcaption>Listen to the prompt:</figcaption>
<audio
controls
src="prompt.mp3">
Your browser is shit and does not support the
<code>audio</code> element.
</audio>
</figure>
</div>
<!-- Submitted Pastes -->
<div class="col-md-9 col-lg-10">
<div class="panel panel-default">
<h1 class="title is-4">Submitted Entries
<h1>
<div class="panel-body">
<div class="list-widget pagination-content">
<?php
$res = getevent($conn, 100);
while ($row = mysqli_fetch_array($res)) {
$title = Trim($row['title']);
$p_member = Trim($row['member']);
$titlehov = ($row['title']);
$p_id = Trim($row['id']);
$p_date = Trim($row['date']);
$p_time = Trim($row['now_time']);
$nowtime = time();
$oldtime = $p_time;
$p_time = conTime($nowtime - $oldtime);
$title = truncate($title, 24, 60);
$todea = strtotime("now");
?>
<?php
echo '<header class="bd-category-header my-1">
<a href="' . $p_id . '" title="' . $titlehov . '">' . $title . ' </a>
<a class="icon is-pulled-right has-tooltip-arrow has-tooltip-left-mobile has-tooltip-bottom-desktop has-tooltip-left-until-widescreen" data-tooltip="' . $p_time . '">
<i class="far fa-clock has-text-grey" aria-hidden="true"></i>
</a>
<p class="subtitle is-7">' . 'by ' . '
<i><a href="https://Ponepaste.org/user/' . $p_member . '">' . $p_member . '</a></i>
</p>' .
'</header>';
?>
<?php } ?>
</div>
</div>
<div class="notification is-warning">
<strong id="headline">Note:</strong>
<div id="mess">
<p>
No one has been nominated for the Wooden Spoon Award.
</p>
</div>
</div>
<iframe width="620" height="444"
src="https://strawpoll.com/embed/kzvcup4hp"
style="width: 100%; height: 444px;" frameborder="0"
allowfullscreen></iframe>
</div>
</div>
<hr>
<!-- <iframe width="620" height="744" src="https://strawpoll.com/embed/kz179c835" style="width: 100%; height: 744px;" frameborder="0" allowfullscreen></iframe> -->
</div>
</div>
</div>


@ -298,12 +298,15 @@
<div class="notification">
<span class="tags are-large"><img src="<?= $_SESSION['captcha']['image_src'] ?>" alt="CAPTCHA" class="imagever" /></span>
<input type="text" class="input" name="scode" value=""
placeholder="Enter the CAPTCHA">
placeholder="Enter the CAPTCHA" />
<p class="is-size-6 has-text-grey-light has-text-left mt-2">and press
"Enter"</p>
</div>
</div>
<?php endif; ?>
<?php if (isset($csrf_token)): ?>
<input type="hidden" name="csrf_token" value="<?= $csrf_token ?>" />
<?php endif; ?>
</div>
</div>
</div>
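Review bot: The `<?php if (isset($csrf_token)): ?>` guard around the new hidden input means a page that forgot to call setupCsrfToken() silently renders a form with no token, and the POST is then rejected with a message blaming cookies; the same guarded pattern appears in the profile template and twice in the paste template (the favourite form and the edit button). Consider dropping the guard so a missing variable surfaces as a warning during development, or assigning `$csrf_token` centrally in includes/common.php so the guard is never needed. Emit the value as `<?= pp_html_escape($csrf_token) ?>` like the other attribute values in these templates.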


@ -4,7 +4,9 @@
<div class="bd-duo">
<div class="bd-lead">
<h1 class="title is-5">Total Pastes: <?= $total_user_pastes ?></h1>
<h1 class="subtitle is-6"><?php echo '<a href="user.php?user=' . urlencode($current_user->username) . '" target="_self">My Pastes</a>'; ?></h1>
<h1 class="subtitle is-6">
<a href="<?= urlForMember($current_user); ?>" target="_self">My Pastes</a>
</h1>
<?php
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
if (isset($success)) {
@ -20,14 +22,14 @@
?>
<hr>
<h1 class="title is-5">My Profile</h1>
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
<form action="<?= $_SERVER['PHP_SELF']; ?>" method="post">
<div class="columns">
<div class="column">
<div class="field">
<label class="label">Generate New Recovery Key</label>
<div class="control has-icons-left has-icons-right">
<input disabled="" type="text" class="input" name="username"
style="cursor:not-allowed;" placeholder="New gen generated here">
style="cursor:not-allowed;" placeholder="New key generated here">
<span class="icon is-small is-left">
<i class="fas fa-user"></i>
</span>
@ -43,9 +45,9 @@
<div class="field">
<label class="label" for="username">Username</label>
<div class="control has-icons-left has-icons-right">
<input disabled="" type="text" class="input" name="username" id="username"
<input disabled="disabled" type="text" class="input" name="username" id="username"
style="cursor:not-allowed;"
placeholder="<?php echo pp_html_escape($current_user->username); ?>">
placeholder="<?= pp_html_escape($current_user->username); ?>">
<span class="icon is-small is-left">
<i class="fas fa-user"></i>
</span>
@ -84,6 +86,9 @@
</div>
</div>
<div class="field">
<?php if (isset($csrf_token)): ?>
<input type="hidden" name="csrf_token" value="<?= $csrf_token ?>" />
<?php endif; ?>
<button type="submit" name="submit" class="button is-info">Submit</button>
</div>
</div>
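Review bot: `<form action="<?= $_SERVER['PHP_SELF']; ?>" method="post">` echoes `PHP_SELF` into an attribute unescaped; when the server accepts path info, that value can carry request-supplied text, which is a classic reflected output sink. Since the form posts back to the same script, `action=""` does the same job with no interpolation; otherwise wrap it as `<?= pp_html_escape($_SERVER['PHP_SELF']) ?>`. The rest of the section (the `urlForMember()` link, the placeholder fix, `disabled="disabled"` and the hidden csrf field) looks fine.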


@ -1,4 +1,6 @@
<?php
use PonePaste\Models\Paste;
$public_paste_badges = [
50 => '[ProbablyAutistic] Have more than Fifty pastes',
25 => '[Writefag] Have Twenty Five or more pastes',
@ -127,14 +129,22 @@
['visibility' => $p_visible]
);
?>
<?php if ($is_current_user || $row['visible'] == Paste::VISIBILITY_PUBLIC): ?>
<?php if ($is_current_user || $paste->visible == Paste::VISIBILITY_PUBLIC): ?>
<tr data-paste-info="<?= pp_html_escape(json_encode($pasteJson)); ?>">
<td><a href="<?= urlForPaste($paste) ?>" title="<?= $escaped_title ?>"><?= $escaped_title ?></a></td>
<td data-sort="<?= $p_date->format('U') ?>" class="td-center"><?= $p_date->format('d F Y') ?></td>
<td class="td-center"><?= $p_visible; ?></td>
<td class="td-center"><?= $paste->views ?></td>
<td class="td-left"><?= tagsToHtmlUser($paste->tags, $profile_username); ?></td>
<!-- Delete button here? -->
<?php if ($is_current_user): ?>
<td class="td-center">
<form action="<?= urlForPaste($paste) ?>" method="POST">
<input type="hidden" name="delete" value="delete" />
<input type="hidden" name="csrf_token" value="<?= $csrf_token ?>" />
<input type="submit" value="Delete" />
</form>
</td>
<?php endif; ?>
</tr>
<?php endif; ?>
<?php endforeach; ?>
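Review bot: The corrected condition `$paste->visible == Paste::VISIBILITY_PUBLIC` still relies on a loose comparison; paste.php treats the same column as a string (`$p_visible === '2'`), so if `VISIBILITY_PUBLIC` is an int the `==` is what makes this work, which deserves either a comment or an explicit cast such as `(int) $paste->visible === Paste::VISIBILITY_PUBLIC`. The new server-rendered delete form duplicates the one user_profile.js now builds from `data-csrf-token`; presumably only one of them is meant to survive, and keeping both risks the two drifting apart. `$csrf_token` here has no `isset` guard unlike the other templates, which is fine as long as this template is only included from user.php, where the commit assigns it.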


@ -64,7 +64,8 @@ $selectedloader = "$bg[$i]"; // set variable equal to which random filename was
<div class="message-body">
<div class="columns">
<div class="column">
<p>Reporting is currently non-functional. Please email admin ( a t ) ponepaste (.) org if this is a serious violation.</p>
<!--<div class="column">
<p>Please select how this paste violates a rule:</p>
</div>
<div class="column">
@ -78,10 +79,10 @@ $selectedloader = "$bg[$i]"; // set variable equal to which random filename was
<option value="2">Paste has personal information (Dox)</option>
</select>
</div>
</div>
</div>-->
</div>
</div>
<div class="column">
<!--<div class="column">
<input type="hidden" name="reppasteid" value="<?php echo($paste_id); ?>">
<div>
<div style="text-align: center;">
@ -92,7 +93,7 @@ $selectedloader = "$bg[$i]"; // set variable equal to which random filename was
</div>
</div>
</div>
</form>
</form>-->
</article>
<div class="columns is-multiline">
@ -128,6 +129,9 @@ $selectedloader = "$bg[$i]"; // set variable equal to which random filename was
<div class="panel-tools">
<?php if ($current_user !== null): ?>
<form action="" method="POST" class="form--inline">
<?php if (isset($csrf_token)): ?>
<input type="hidden" name="csrf_token" value="<?= $csrf_token ?>" />
<?php endif; ?>
<input type="hidden" name="fave" value="1" />
<button type="submit" class="icon tool-icon button--no-style"><i class="fas fa-star fa-lg <?= $paste_is_favourited ? '' : 'has-text-grey' ?>" title="Favourite"></i></button>
</form>
@ -349,26 +353,17 @@ $selectedloader = "$bg[$i]"; // set variable equal to which random filename was
<div class="level-left">
<!-- Encrypted -->
<div class="b-checkbox is-info is-inline">
<?php
$encrypted_checked = "";
if ($_POST) {
// We came here from an error, carry the checkbox setting forward
if (isset($_POST['encrypted'])) {
$encrypted_checked = "checked";
}
} else {
// Fresh paste. Default to encrypted on
$encrypted_checked = "checked";
}
?>
<input class="is-checkradio is-info" id="encrypt" name="encrypted"
type="checkbox" <?php echo $encrypted_checked; ?>>
type="checkbox" disabled="disabled" checked="checked" />
<label for="encrypt">
Encrypt on Server
Encrypt on server (always enabled)
</label>
<?php
if ($current_user->id == $paste['user_id']) {
if ($current_user->id === $paste['user_id']) {
?>
<?php if (isset($csrf_token)): ?>
<input type="hidden" name="csrf_token" value="<?= $csrf_token ?>" />
<?php endif; ?>
<input class="button is-info" type="submit" name="edit" id="edit"
value="Edit"/>
<?php


@ -28,6 +28,7 @@ if (!$profile_info) {
$p_title = $profile_username . "'s Public Pastes";
// FIXME: This should be incoming faves
//$total_pfav = Paste::where('user_id', $profile_info->id)->sum('faves');
$total_pfav = $profile_info->favourites->count();
$total_yfav = $profile_info->favourites->count();
@ -55,23 +56,7 @@ $is_current_user = ($current_user !== null) && ($profile_info->id == $current_us
updatePageViews();
if (isset($_GET['del'])) {
if ($current_user !== null) { // Prevent unauthorized deletes
$paste_id = intval(trim($_GET['id']));
$paste = Paste::find($paste_id);
if (!$paste || $paste->user_id !== $current_user->id) {
$error = 'That paste does not exist, or you are not the owner of it.';
} else {
$paste->delete();
$success = 'Paste deleted successfully.';
}
} else {
$error = 'You must be logged in to do that.';
}
}
// Theme
$csrf_token = setupCsrfToken();
$page_template = 'user_profile';
array_push($script_bundles, 'user_profile');
require_once('theme/' . $default_theme . '/common.php');