From 187a122bdf92e6a757aa298769cc297b3c12f414 Mon Sep 17 00:00:00 2001
From: Arslan Hassan
Date: Thu, 15 Oct 2009 15:50:26 +0000
Subject: [PATCH] UPDATED : USER LEVEL SYSTEM
---
 upload/actions/update_phrase.php | 2 +-
 upload/admin_area/add_phrase.php | 2 +-
 .../styles/cbadmin/layout/_permission.html | 2 +-
 .../styles/cbadmin/layout/user_levels.html | 94 ++++++++++++++-----
 upload/admin_area/user_levels.php | 2 +-
 upload/includes/classes/lang.class.php | 2 +-
 upload/includes/classes/user.class.php | 77 +++++++++++++--
 upload/includes/common.php | 3 +-
 upload/includes/functions.php | 8 +-
 upload/watch_video.php | 1 +
 10 files changed, 149 insertions(+), 44 deletions(-)
diff --git a/upload/actions/update_phrase.php b/upload/actions/update_phrase.php
index 2a9ec76b..243f97ab 100644
--- a/upload/actions/update_phrase.php
+++ b/upload/actions/update_phrase.php
@@ -16,5 +16,5 @@ $value = $_POST['value'];
 $lang_obj->update_phrase($phrase_id,$value);
-echo mysql_clean($value);
+echo ($value);
 ?>
diff --git a/upload/admin_area/add_phrase.php b/upload/admin_area/add_phrase.php
index b659a654..8612377a 100644
--- a/upload/admin_area/add_phrase.php
+++ b/upload/admin_area/add_phrase.php
@@ -14,7 +14,7 @@ $pages->page_redir();
 if(isset($_POST['add_phrase']))
 {
 $name = mysql_clean($_POST['name']);
-$text = mysql_clean($_POST['text']);
+$text = mysql_real_escape_string($_POST['text']);
 $lang_code = mysql_clean($_POST['lang_code']);
 $lang_obj->add_phrase($name,$text);
 }
diff --git a/upload/admin_area/styles/cbadmin/layout/_permission.html b/upload/admin_area/styles/cbadmin/layout/_permission.html
index d4bae00c..f42f0a6d 100644
--- a/upload/admin_area/styles/cbadmin/layout/_permission.html
+++ b/upload/admin_area/styles/cbadmin/layout/_permission.html
@@ -9,7 +9,7 @@ {assign var=perms value=$userquery->get_permissions($types[t].user_permission_type_id)} - +
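Review bot: `echo ($value);` writes `$_POST['value']` back into the response with no escaping at all, so a phrase containing markup is reflected as live HTML/JS to whoever submits it; `mysql_clean` was the only thing standing in the way before this change. Moving SQL escaping out of the echo is the right instinct (update_phrase() in lang.class.php now escapes for the query), but this is HTML output and needs its own context-specific escaping: `echo htmlspecialchars($value, ENT_QUOTES, 'UTF-8');`. Whether this action endpoint first verifies that the caller is an administrator is above the hunk and not visible here.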
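Review bot: `$text = mysql_real_escape_string($_POST['text']);` escapes at the caller, while the companion hunk in lang.class.php escapes `$text` inside update_phrase() and update_phrase.php passes its value through raw; the two phrase entry points in this commit now disagree about which layer owns SQL escaping. If add_phrase() also escapes internally the stored text will carry doubled backslashes, and if it does not, any other caller that skips this line is injectable. Make the class the single place that escapes and pass the raw value here: `$text = $_POST['text'];`. add_phrase()'s body is not in this diff, so the double-escaping risk is inferred from the update_phrase() hunk rather than confirmed.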
{assign var = bgcolor value = ""} {foreach from=$perms item=perm} {if $perm.permission_id !=""} diff --git a/upload/admin_area/styles/cbadmin/layout/user_levels.html b/upload/admin_area/styles/cbadmin/layout/user_levels.html index 02a58664..fa80b04d 100644 --- a/upload/admin_area/styles/cbadmin/layout/user_levels.html +++ b/upload/admin_area/styles/cbadmin/layout/user_levels.html @@ -31,33 +31,77 @@ {elseif $view=='edit'} -
- - - +
Edit Level
+ + + + +
 Edit Level Permissions 
- - - - - -{foreach from=$userquery->access_type_list key=access item=name} - - - - +
Level Name -
{$name} - - -
+ + + + +
Level Name + +
+ + +{assign var='types' value=$userquery->get_level_types()} +{section name=t loop=$types} + + + + + + +
 {$types[t].user_permission_type_name} 
+{assign var=perms value=$userquery->get_permissions($types[t].user_permission_type_id)} + +{assign var = bgcolor value = ""} +{foreach from=$perms item=perm} +{if $perm.permission_id !=""} + + + + + + +{else} + +{/if} + +{if $bgcolor == ""} +{assign var = bgcolor value = "#EEEEEE"} +{else} +{assign var = bgcolor value = ""} +{/if} + +{foreachelse} + {/foreach}
{$perm.permission_name}
+{$perm.permission_desc}
+{assign var="perm_code" value=$perm.permission_code} + + + + +
No Permission Found
No Permission Found
+ +{/section} + + + + + - + @@ -68,7 +112,7 @@
- +
 User Level DetailsUser Level Details  
@@ -86,7 +130,7 @@ - +
 {$types[t].user_permission_type_name}{$types[t].user_permission_type_name}  
diff --git a/upload/admin_area/user_levels.php b/upload/admin_area/user_levels.php
index f2bfbb45..f566d56e 100644
--- a/upload/admin_area/user_levels.php
+++ b/upload/admin_area/user_levels.php
@@ -57,7 +57,7 @@ switch($mode) {
 $array = $_POST;
 if($userquery->add_user_level($array))
-redirect_to('user_levels.php');
+redirect_to('user_levels.php?added=true');
 }
 Assign('view','add');
 }
diff --git a/upload/includes/classes/lang.class.php b/upload/includes/classes/lang.class.php
index 72d44d4d..ea051a8f 100644
--- a/upload/includes/classes/lang.class.php
+++ b/upload/includes/classes/lang.class.php
@@ -87,7 +87,7 @@ class language
 global $db;
 //First checking if phrase already exists or not
 if($this->get_phrase($id,$lang_code))
-$db->update("phrases",array('text'),array($text)," id = '".mysql_clean($id)."' ");
+$db->update("phrases",array('text'),array(mysql_real_escape_string($text))," id = '".mysql_real_escape_string($id)."' ");
 }
 /**
diff --git a/upload/includes/classes/user.class.php b/upload/includes/classes/user.class.php
index 2a3774e8..d8a38a4a 100644
--- a/upload/includes/classes/user.class.php
+++ b/upload/includes/classes/user.class.php
@@ -188,10 +188,10 @@ class userquery {
 //Now user have passed all the stages, now checking if user has level access or not
 elseif($access)
 {
-$access_details = $this->get_user_level(userid());
+//$access_details = $this->get_user_level(userid());
+$access_details = $this->permission;
 if(is_numeric($access))
 {
-$access_details = $this->get_user_level(userid());
 if($access_details['level_id'] == $access)
 {
 return true;
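Review bot: update_phrase() still reports nothing back: when `get_phrase($id,$lang_code)` finds no row the update is silently skipped, yet the caller in update_phrase.php echoes `$value` as though the save succeeded. Returning a status lets the action tell the two apart, e.g. `return true;` directly after the `$db->update(...)` call and `return false;` on the miss. Separately, the existence check is keyed by both `$id` and `$lang_code` while the UPDATE's WHERE uses `id` alone; that is harmless if `id` is unique across languages, but worth confirming against the schema. The method's signature and docblock are above the hunk.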
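Review bot: login_check() now reads `$this->permission` instead of querying, and that property is only assigned in common.php during request setup; any call made before that assignment, or from a script that bootstraps differently, compares `$access` against `null` — it fails closed, but with a PHP notice rather than a clear denial, and it is easy to miss. A lazy fallback keeps the cache while closing that gap: `$access_details = $this->permission ? $this->permission : $this->get_user_level(userid());`. The commented-out `//$access_details = $this->get_user_level(userid());` line should be deleted rather than kept as history. The enclosing method starts and ends outside the hunk.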
@@ -1199,12 +1199,18 @@ class userquery {
 * Function used to get user level and its details
 * @param INT userid
 */
-function get_user_level($uid)
+function get_user_level($uid,$is_level=false)
 {
 global $db;
-if(!$uid)
-$uid = userid();
-$level = $this->get_user_field($uid,'level');
+if($is_level)
+$level['level'] = $uid;
+else
+{
+if(!$uid)
+$uid = userid();
+$level = $this->get_user_field($uid,'level');
+}
+
 $results = $db->select('user_levels','*'," user_level_id='".$level['level']."'");
 if($db->num_rows == 0) //incase user level is not valid, it will consider it as registered user
@@ -1231,7 +1237,7 @@ class userquery {
 function get_levels($filter=NULL)
 {
 global $db;
-$results = $db->select("user_levels","*");
+$results = $db->select("user_levels","*",NULL,NULL," user_level_id ASC" );
 if($db->num_rows > 0)
 {
 return $results;
@@ -1302,7 +1308,8 @@ class userquery {
 $fields_array[] = $access;
 $value_array[] = $array[$access] ? $array[$access] : 'no';
 }
-$db->insert("user_levels_permissions",$fields_array,$value_array);
+$db->insert("user_levels_permissions",$fields_array,$value_array);
+return true;
 }
 }
@@ -1398,8 +1405,8 @@ class userquery {
 //CHeck if leve is deleteable or not
 if($level_details['user_level_is_default']=='no')
 {
-$db->delete("user_levels",array("user_level_id"),$id);
-$db->delete("user_levels_permissions",array("user_level_id"),$id);
+$db->delete("user_levels",array("user_level_id"),array($id));
+$db->delete("user_levels_permissions",array("user_level_id"),array($id));
 e("User level has been deleted, all users of this level has been transfered to '".$de_level['user_level_name']."' ");
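Review bot: In get_user_level(), the new `$is_level` path puts the caller's value straight into `" user_level_id='".$level['level']."'"` with no escaping or cast; today the only such caller is the literal `4` in common.php, but this is a public method on a class that elsewhere takes request data, and the query should not depend on every future caller being careful. A level id is an integer, so casting closes the hole for both paths: `$level_id = (int)$level['level'];` followed by `$results = $db->select('user_levels','*'," user_level_id='".$level_id."'");`. The docblock above the function should also gain a line for the new parameter, e.g. `* @param BOOL is_level when true, $uid is already a level id and no user lookup is made`.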
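Review bot: add_user_level() now returns `true` unconditionally after `$db->insert(...)`, so the `if($userquery->add_user_level($array))` redirect in user_levels.php fires even when the insert failed. More importantly, the value written for each permission column is `$array[$access]` verbatim from `$_POST` — any non-empty string, not just `yes`/`no`, is accepted for a permission flag, and the only filtering visible here is the truthiness test. Whitelisting keeps the table in the shape the `== 'yes'` checks in perm_check() expect: `$value_array[] = ($array[$access] == 'yes') ? 'yes' : 'no';`. The function's head is above the hunk, so whether `$db->insert` returns something usable as the return value is not visible.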
@@ -1569,5 +1576,55 @@ class userquery {
 }else
 e("Permission does not exist");
 }
+
+
+/**
+* Function used to check weather current user has permission
+* to view page or not
+* it will also check weather current page requires login
+* if login is required, user will be redirected to signup page
+*/
+function perm_check($access='',$check_login=FALSE)
+{
+global $Cbucket;
+/*if($check_login)
+{
+return $this->login_check($access);
+}else
+{*/
+$access_details = $this->permission;
+if(is_numeric($access))
+{
+if($access_details['level_id'] == $access)
+{
+return true;
+}else{
+if(!$check_only)
+e($LANG['insufficient_privileges']);
+$Cbucket->show_page(false);
+return false;
+}
+}else
+{
+if($access_details[$access] == 'yes')
+{
+return true;
+}
+else
+{
+if(!$check_login)
+e(lang('insufficient_privileges'));
+else
+{ if(userid())
+e(lang('insufficient_privileges'));
+else
+e(sprintf(lang('insufficient_privileges_loggin'),cblink(array('name'=>'signup')),cblink(array('name'=>'signup'))));
+}
+$Cbucket->show_page(false);
+return false;
+}
+}
+//}
+}
 }
 ?>
\ No newline at end of file
diff --git a/upload/includes/common.php b/upload/includes/common.php
index b5d192b9..440d2bc5 100644
--- a/upload/includes/common.php
+++ b/upload/includes/common.php
@@ -351,7 +351,8 @@ require('modules.php');
 if(user_id())
 {
 $userquery->permission = $userquery->get_user_level(userid());
-}
+}else
+$userquery->permission = $userquery->get_user_level(4,TRUE);
 //Checking Website Template
 $Cbucket->set_the_template();
diff --git a/upload/includes/functions.php b/upload/includes/functions.php
index 6d7db66a..4bbf6261 100644
--- a/upload/includes/functions.php
+++ b/upload/includes/functions.php
@@ -813,7 +813,8 @@ for($i=0;$i<$total_fields;$i++) {
 $count++;
-$val = mysql_clean($vls[$i]);
+//$val = mysql_clean($vls[$i]);
+$val = ($vls[$i]);
 $needle = substr($val,0,3);
 if($needle != '|f|')
 $fields_query .= $flds[$i]."='".$val."'";
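Review bot: perm_check() references two names that are never defined: in the numeric branch `if(!$check_only)` should be `if(!$check_login)`, as the string branch uses, and `e($LANG['insufficient_privileges'])` reads an undeclared `$LANG` where every other branch calls `lang('insufficient_privileges')`. As written, a numeric `$access` mismatch emits an empty message, though access is still denied because `show_page(false)` and `return false` follow. The login-required message passes `cblink(array('name'=>'signup'))` for both placeholders; presumably one was meant to be the login link, which should be confirmed against the phrase text. The docblock promises a redirect to signup, but the code only prints a message and suppresses the page, so it should say that instead, e.g. `* Prints an insufficient-privileges message and calls $Cbucket->show_page(false); it does not redirect or exit, callers must act on the false return.`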
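Review bot: Anonymous visitors are given `$userquery->get_user_level(4,TRUE)`, a bare literal with nothing saying that 4 is the guest level; if an install's level 4 is ever deleted or renumbered, get_user_level()'s own fallback ("incase user level is not valid, it will consider it as registered user", visible in the user.class.php hunk) silently hands every logged-out visitor the registered-user permission set. Name the value so the dependency is visible, e.g. `define('GUEST_LEVEL_ID', 4);` alongside the other configuration constants and `$userquery->permission = $userquery->get_user_level(GUEST_LEVEL_ID,TRUE);` here. A comment at the assignment such as `// logged-out visitors get the guest level's permissions; that row must exist in user_levels or the registered-user fallback applies` would warn the next maintainer.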
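Review bot: Replacing `mysql_clean($vls[$i])` with the raw `$vls[$i]` removes the only escaping this query builder applies before `$fields_query .= $flds[$i]."='".$val."'"`, so every caller that routes request data through this path is now SQL-injectable unless it escaped beforehand. If the motivation was that mysql_clean also alters text (the phrase-handling changes in this commit suggest so), keep the SQL escaping and drop only the extra processing: `$val = mysql_real_escape_string($vls[$i]);` — the `|f|` raw-function marker contains no special characters and survives escaping. The commented-out line should be deleted rather than left in. The enclosing function starts and ends outside the hunk, so I cannot see whether it is ever reached with values escaped upstream.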
@@ -1672,7 +1673,8 @@
 {
 if(file_exists(LAYOUT.'/'.$file))
 {
-$new_list[] = $file;
+if($ClipBucket->show_page)
+$new_list[] = $file;
 }
 }
@@ -1885,7 +1887,7 @@
 /**
 * Function used to assign link
 */
-function cblink($params,&$Smarty)
+function cblink($params,&$Smarty=NULL)
 {
 global $ClipBucket;
 $name = $params['name'];
diff --git a/upload/watch_video.php b/upload/watch_video.php
index 9c4fa3f0..63f68537 100644
--- a/upload/watch_video.php
+++ b/upload/watch_video.php
@@ -9,6 +9,7 @@ define("THIS_PAGE",'watch_video');
 require 'includes/config.inc.php';
+$userquery->perm_check('view_video',true);
 $pages->page_redir();
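Review bot: perm_check()'s result is discarded: on denial it prints a message, calls `$Cbucket->show_page(false)` and returns false, but watch_video.php keeps executing everything after this line with only the layout suppressed, so any database writes or counters further down the script still run for a visitor who is not allowed to view. If the intent is to stop the request, act on the return value, e.g. `if(!$userquery->perm_check('view_video',true)) exit;` placed so the message page still renders, or at least note at the call site that show_page(false) only hides the template. The rest of watch_video.php is outside the hunk, so what follows the check is not visible here.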