changeset 16:636df1c1bdf2

Track group by rowid in URLs
author HIROSE Yuuji <yuuji@gentei.org>
date Tue, 21 Jul 2015 14:38:21 +0900
parents 5e75802f2f0b
children 01f579d2c889
files y4-blog.sh y4-funcs.sh y4.cgi
diffstat 3 files changed, 74 insertions(+), 30 deletions(-) [+]
--- a/y4-blog.sh	Tue Jul 21 14:37:00 2015 +0900
+++ b/y4-blog.sh	Tue Jul 21 14:38:21 2015 +0900
@@ -284,7 +284,7 @@
 
 blog_addentry() {
   # $1=GRPname(if it is a group)
-  grp=$1
+  grprowid=$1
   rowid=`getpar rowid`
 err ba: rowid=$rowid
   #if [ -z "$rowid" ]; then
@@ -293,8 +293,9 @@
       listing=$user guide="[個人]"
 #listing代入は rowid 時でもするべき
     else
-      if isgroup $1; then
-	listing=$1 guide="[${1}]" GF_OWNER=$1
+      grp=`getgroupbyid $grprowid`
+      if [ -n "$grp" ]; then
+	listing=$1 guide="[${grp}]" GF_OWNER=$grp
       else
 	echo "<p>無効なグループ指定です。</p>"
 	return
@@ -355,7 +356,8 @@
   if isuser "$owner"; then
     subtitle="`gecos $owner` さんの話題"
   else
-    subtitle="<a href=\"?grp+$owner\">`gecos $owner`</a> での話題"
+    grprowid=`query "select rowid from grp where gname=\"$owner\";"`
+    subtitle="<a href=\"?grp+$grprowid\">`gecos $owner`</a> での話題"
   fi
   if [ -z "$title" ]; then
     echo "<p>日記番号指定が無効です。</p>"
--- a/y4-funcs.sh	Tue Jul 21 14:37:00 2015 +0900
+++ b/y4-funcs.sh	Tue Jul 21 14:38:21 2015 +0900
@@ -16,7 +16,7 @@
 layout=$templ/default
 formdir=$templ/form
 imgdir=img
-url=${URL:-"${REQUEST_SCHEME}://$HTTP_HOST$REQUEST_URI"}
+url=${URL:-"${REQUEST_SCHEME:-http${HTTPS:+s}}://$HTTP_HOST$REQUEST_URI"}
 urlbase=${url%%\?*}
 msg=$templ/msg
 timeout="+2 days"
@@ -311,20 +311,30 @@
 }
 ismember() {
   # $1=user, $2=group
-err ismem: "select user from grp_mem where gname='$2' and user='$1';"
-  test -n "`query \"select user from grp_mem where gname='$2' and user='$1';\"`"
+err ismem: "select user from grp_mem where gname=$(sqlquote $2) and user='$1';"
+  test -n "`query \"select user from grp_mem where gname=$(sqlquote $2) and user='$1';\"`"
 }
 isuser() {			# Check if $1 is a valid user
   test -n "`query \"select name from user where name='$1';\"`"
 }
 isgroup() {			# Check if $1 is a valid group
-  test -n "`query \"select gname from grp where gname='$1';\"`"
+  err isgroup: "select gname from grp where gname=$(sqlquote $1);"
+  test -n "`query \"select gname from grp where gname=$(sqlquote $1);\"`"
 }
-isgrpowner() {
+isgrpowner() (
   # $1=user, $2=group
-  test -n "`query \"select user from grp_adm
-	 where gname='$2' and user='$1';\"`"
-}
+  gn=`sqlquote "$2"`
+  sql="select user from grp_adm where gname=$gn and user='$1';"
+  err isgrpowner: $sql
+  test -n "`query $sql`"
+)
+getgroupbyid() (
+  # $1=id|gname
+  sql="select coalesce((select gname from grp where gname=$(sqlquote $1)),
+	(select gname from grp where rowid=$(sqlquote $1)));"
+err ggbyid: `echo $sql`
+  query $sql
+)
 isfilereadable() { # $1=user $2=tbl $3=rowid
   # Return true if user($1) can read attachment files in tbl($2):rowid($3)
   [ -z "$1" -o -z "$2" -o -z "$3" ] && return 1 # invalid argument
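Review bot: The `sqlquote` calls in `ismember`, `isgroup` and `getgroupbyid` receive `$1`/`$2` unquoted, and `isgrpowner` and `getgroupbyid` pass `$sql` to `query` unquoted, so the shell word-splits and glob-expands the value before it is quoted or executed. A group name containing whitespace or `*` would reach `sqlquote` as several arguments, and the statement reaches `query` as many words rather than the single argument other callers pass; `$(sqlquote "$2")` and `query "$sql"` avoid that. `user='$1'` in `ismember` and `isgrpowner` is still interpolated raw and should get the same `sqlquote` treatment. The unquoted `sqlquote $grp` form recurs in `gecos`, in the later `qgrp=` assignments and in `showgroupsub`.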
@@ -384,22 +394,30 @@
   fi
 }
 gecos() (
-  u=${1:-$user}
+  u=`sqlquote ${1:-$user}`
   #gecos=`query "select val from user_s where name='$u' and key='gecos';"`
-  sql="select case when (select name from user where name='$u') is not null
-		then (select val from user_s where name='$u' and key='gecos')
-		when (select gname from grp where gname='$u') is not null
-		then (select val from grp_s where gname='$u' and key='gecos')
-		else '$u'
+  sql="select case when (select name from user where name=$u) is not null
+		then (select val from user_s where name=$u and key='gecos')
+		when (select gname from grp where gname=$u) is not null
+		then (select val from grp_s where gname=$u and key='gecos')
+		else $u
 		end;"
   query "$sql"
 )
+setpar() {
+  query "replace into par values('$session', '$1', '$2', \"$3\");"
+}
+replpar() {
+  query "update par set val=\"$3\" where sessid='$session' and var='$1' and type='$2';"
+}
 getpar() {
 err getpar: "select val from par where var='$1' and sessid='$session' $2;"
   val=`query "select val from par where var='$1' and sessid='$session' $2;"`
+err getpar/val1: "val=[$val]"
   if [ -z "$val" ]; then
     val=`query "select val from cookie where var='$1' and sessid='$session' $2;"`
   fi
+err getpar/val2: "val=[$val]"
   case "$var" in
     owner)
       if [ x"$user" = x"$val" ]; then
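Review bot: `setpar` and `replpar` build their statements from `'$1'`, `'$2'` and `"$3"` without escaping anything themselves, so safety depends on every caller pre-escaping. The only escaping visible in this commit is the `sed` that doubles `"` in the value inside the form-parsing loop; the parameter name `$k` taken from the request goes into `'$1'` unescaped. Since `sqlquote` evidently returns a complete literal (see `name=$u` in `gecos`), quoting inside the helper is safer, e.g. `query "replace into par values($(sqlquote "$session"), $(sqlquote "$1"), $(sqlquote "$2"), $(sqlquote "$3"));"`, with the caller-side `sed` dropped in the same change. The added `err getpar/val*` lines also write every parameter value to the log, which should be removed or gated if any parameter can hold a secret.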
@@ -408,6 +426,7 @@
 	echo $val; return
       fi ;;
   esac
+err getpar/ret: "val=[$val]"
   echo "$val"
 }
 
@@ -964,7 +983,7 @@
 	k=${us%%\=*}
 	#echo u=$us
 	#v="`echo ${us#*=}|nkf -Ww -mQ|sed -e 's/\"/\"\"/g'`"
-	v="`echo ${us#*=}|unhexize`"
+	v="`echo ${us#*=}|unhexize|sed -e 's/\"/\"\"/g'`"
  # err k=$k v=$v
 	case "$k" in
 	  *:filename)
@@ -980,7 +999,8 @@
 	    type='string'
 	    ;;
 	esac
-	sq $db "replace into par values('$session', '$k', '$type', \"$v\")"
+	#sq $db "replace into par values('$session', '$k', '$type', \"$v\")"
+	setpar "$k" "$type" "$v"
       done
       ;;
     *)
@@ -1085,8 +1105,10 @@
   GF_ACTION="?home" edittable "$formdir/user.def" "user" "$user"
 }
 groupconf() {
+  # $1=rowid in grp (2015-07-21 changed from gname)
   m4 -D_BODYCLASS_=groupconf -D_TITLE_="グループ情報編集" $layout/html.m4.html
-  rowid=`query "select rowid from grp where gname='$1';"`
+  #rowid=`query "select rowid from grp where gname='$1';"`
+  rowid=${1%%[!A-Z0-9a-z_]*}
 err gcon \$1=$1 rowid=$rowid
   GF_ACTION="?grp+$1" edittable "$formdir/grp.def" "grp" "$rowid"
 }
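Review bot: `groupconf` derives a restricted `rowid` from `$1`, but `GF_ACTION="?grp+$1"` and the `err` line still use the raw argument, which now comes from the URL. `GF_ACTION="?grp+$rowid"` keeps the unfiltered value out of the generated form. A rowid is numeric, so `rowid=${1%%[!0-9]*}` would be tighter than the letter-and-underscore set, and an empty result should be rejected before `edittable` runs. No ownership check is visible in this function; if the dispatcher does not call `isgrpowner` first, taking the rowid straight from the URL makes that check more important, so it is worth confirming.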
@@ -1173,7 +1195,7 @@
   else				# if group
     hrb="$myname?grp"
     deficon=person-default.png
-    entity="グループ" tbl=grp link=gname nm=gname stage=grps
+    entity="グループ" tbl=grp link=rowid nm=gname stage=grps
     tagline=`grep :tag: $formdir/grp.def|cut -d: -f5-`
     if [ -n "$tagline" ]; then
       tagconv=`echo $tagline|sed 's/\([^= :]*\)=\([^= :]*\)/-D\2=\1/g'`
@@ -1189,9 +1211,11 @@
   fi
 
   # XX: これ複雑すぎるかな。もっとシンプルにしたい。$3条件も。2015-07-08
+  qgrp=`sqlquote $grp`
+  qgrp=${qgrp:-'""'}
   sql="select a.rowid, a.$link, coalesce(b.gecos, a.$nm) as nick, b.tag,
 	case when a.$nm in (select user from grp_adm
-			where gname='$grp') then '(管理者)' -- from group mode
+			where gname=$qgrp) then '(管理者)' -- from group mode
 	     when '$user' in (select user from grp_adm where gname=a.$nm)
 		then '(ADMIN)'
 	     when '$iamowner' = '' then ''
@@ -1203,6 +1227,7 @@
 			from ${tbl}_s group by $nm)
 		b on a.$nm=b.name $cond $3
 	order by b.tag desc, a.rowid asc"
+err LE:sql.1="$sql"
   total=`query "with x as ($sql) select count(*) from x;"`
   echo "<h2>${entity} 一覧</h2>"
   if [ $total -gt $limit ]; then
@@ -1239,7 +1264,8 @@
 
   query "$sql limit $limit ${offset:+offset $offset};" \
       | while IFS='|' read id lnk name tag ownerp; do
-err name=$name owner=$ownerp
+err name=$name owner=$ownerp lnk=$lnk
+err newlnk=$lnk
     files=`getvalbyid $tbl profimg $id $dir`
     # Pick up only first icon
     echo "<div class=\"iconlist xy$thumbxy\"><p class=\"tag _$tag\">$tag</p>" \
@@ -1262,12 +1288,14 @@
 }
 showgroup() {
   grp=$1
+err showgroup1: grp=$grp qgrp="[$(sqlquote $grp)]"
 
   gname=`getpar gname`
   if [ -n "$gname" ]; then
-    err REMOVING:::::::
+    err UPdating/Removing of group:::::::
     par2table $formdir/grp.def
   fi
+err showgroup2: grp=$grp qgrp="[$(sqlquote $grp)]"
   if isgroup "$grp"; then
      showgroupsub $formdir/grp.def "$grp" | \
 	 m4 -D_TITLE_="グループ $grp" \
@@ -1281,20 +1309,22 @@
 showgroupsub() {
   # $1=def-file $2=group
   grp=$2
-  rowid=`sq $db "select rowid from grp where gname='$grp'"`
+  qgrp=`sqlquote $grp`
+  rowid=`sq $db "select rowid from grp where gname=$qgrp"`
   if [ -z "$rowid" ]; then
     rowid=`sq $db "select rowid from grp where rowid=$grp"`
     grp=`sq $db "select gname from grp where rowid=$grp"`
   fi
+  mmgrp=`echo "$grp"|nkf -Ww -MQ|tr '=' '%'`
   val=`getvalbyid grp profimg $rowid $tmpd`
   # 6/14の次グループのHOMEで出す情報を作る Done
   viewtable $1 grp $rowid
   if isgrpowner "$user" "$grp"; then
-    echo "<p><a href=\"?groupconf+$grp\">グループ情報の編集</a>"
+    echo "<p><a href=\"?groupconf+$rowid\">グループ情報の編集</a>"
     iamowner=$grp
   fi
   if ismember "$user" "$grp"; then
-    echo "${iamowner:+ / }<a href=\"?blog+$grp\">グループの新規話題作成</a></p>"
+    echo "${iamowner:+ / }<a href=\"?blog+$rowid\">グループの新規話題作成</a></p>"
   fi
   # 加入ボタン + 加入者リスト
 err ismember $user $grp
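Review bot: Only the name lookup in `showgroupsub` goes through `sqlquote`; the two fallback queries `where rowid=$grp` still splice `$grp` into the statement with no quoting at all. With rowids now carried in URLs, that fallback is the path that sees request data, so it should use the quoted form too, e.g. `where rowid=$qgrp`, matching what `getgroupbyid` already does. Callers may already pass a resolved name (y4.cgi runs `getgroupbyid` first), but the function does not enforce that. `gname='$grp'` in the `c=` condition of the following hunk has the same shape; the function body continues past this hunk.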
@@ -1329,7 +1359,7 @@
 	 DT_VIEW=replyblog dumptable html blog 'ctime title heading' "$cond"
 
   c="group by b.name having b.name in (select user from grp_mem where gname='$grp')"
-  cm="?commission+$grp"
+  cm="?commission+$mmgrp"
   thumbxy=50x50 listmember "" "$c" \
       |sed -e "s|\(<br>\),not=\(.*\)|\1<a href=\"$cm+\2\">管理者委託</a>|"
 }
@@ -1337,6 +1367,7 @@
   # $1=group $2=user $3=yes/no $4=email(if any $5=AsAdmin)
 err joingrp: \$1=$1 \$2=$2 \$3=$3 \$4=$4
   isgrpowner "$user" "$1" && isowner="yes" || isowner=""
+err jg:isgrpowner: isowner="$isowner"
   if [ x"$2" != x"$user" ]; then # if user is not login user
     if [ -z "$isowner" ; then
       echo "<p>本人か、グループ管理者しか加入操作はできません。</p>"
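Review bot: The context line `if [ -z "$isowner" ; then` is missing the closing `]`, and the commit leaves it in place while adding logging just above it. `[` then exits with a usage error, the condition is false, and the branch that refuses a join by someone who is neither the user concerned nor a group admin is never taken. It should read `if [ -z "$isowner" ]; then`. The function continues outside the hunk, so what runs after the skipped branch cannot be confirmed from here.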
--- a/y4.cgi	Tue Jul 21 14:37:00 2015 +0900
+++ b/y4.cgi	Tue Jul 21 14:38:21 2015 +0900
@@ -56,12 +56,21 @@
     contenttype; echo
     gname=`getpar gname`
     if [ -n "$gname" ]; then
+      #gname=${gname%%[!-A-Z0-9a-z_.!#$%^&()=:/*]*}
+      newgname=`echo "$gname"|tr -dc '\-0-9A-Za-z#=:/_.,'`
+      if [ x"$newgname" != x"$gname" ]; then
+	err NewGNAME: gname=$newgname
+	echo "<p>使用禁止文字を除去し $gname としました。</p>"
+	gname=$newgname
+      fi
+      replpar gname string "$gname"
       par2table $formdir/grp.def
       joingrp "$gname" "$user" yes "$user" as-admin
     fi
     GF_STAGE=groupman
+    note="<p>グループ名に使用できない文字は自動的に削除されます。</p>"
     m4 -D_TITLE_="グループ作成" \
-       -D_FORM_="`genform $formdir/grp.def`" \
+       -D_FORM_="$note`genform $formdir/grp.def`" \
        -D_DUMPTABLE_="`DT_VIEW=grp dumptable html grp 'gname gecos:DESC mtime:TIME' 'order by b.TIME desc'`" \
        $layout/html.m4.html $layout/groupman.m4.html
     ;;
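Review bot: The notice line prints `$gname` before `gname=$newgname` runs, so the page shows the original name, including the characters just judged forbidden, unescaped inside HTML. The message also claims the name was changed to the value it was changed from. Printing `$newgname` there, or moving the assignment above the `echo`, fixes both. The filter can also leave an empty string, which then flows into `replpar`, `par2table` and `joingrp`; re-test `[ -n "$gname" ]` after the assignment. The `case` arm begins outside the hunk.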
@@ -108,6 +117,8 @@
     contenttype; echo
     gpg=`getpar grp`
     grp=${2:-$gpg}
+    grp=`getgroupbyid "$grp"`
+err grp: getpar-grp"(gpg)=[$grp]"
     ## . ./y4-blog.sh
     jg=`getpar joingrp`
     if [ -n "$jg" ]; then
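Review bot: `getgroupbyid` (y4-funcs.sh) resolves its argument as a group name first and as a rowid only when no name matches, and the name filter added earlier in this file permits names made only of digits. A `?grp+N` link meant as a rowid therefore resolves to a different group whenever some group is named `N`. Either reject all-digit names at creation, or have `getgroupbyid` try the rowid first when the argument is purely numeric. The added `err grp:` label prints `$grp` after resolution, not the `gpg` value it names; the `case` arm continues outside the hunk.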
