  1. <?php
  2. /* This page produces search results.
  3. *
  4. * "Advanced Search" adds the ability to search other users' calendars.
  5. * We do a number of security checks to make sure this is allowed.
  6. *
  7. * @author Craig Knudsen <cknudsen@cknudsen.com>
  8. * @copyright Craig Knudsen, <cknudsen@cknudsen.com>, http://www.k5n.us/cknudsen
  9. * @license http://www.gnu.org/licenses/gpl.html GNU GPL
  10. * @package WebCalendar
  11. * @version $Id: search_handler.php,v 1.46.2.8 2012/02/28 02:07:45 cknudsen Exp $
  12. */
  13. include_once 'includes/init.php';
  14. require_valide_referring_url ();
  15. $error = '';
  16. // Disable if public access and OVERRIDE_PUBLIC in use
  17. if ( $login == '__public__' && ! empty ( $OVERRIDE_PUBLIC ) &&
  18. $OVERRIDE_PUBLIC == 'Y' ) {
  19. print_header ();
  20. echo print_not_auth ();
  21. print_trailer ();
  22. exit;
  23. }
  24. $keywords = getValue ( 'keywords' );
  25. $advanced = getValue ( 'advanced' );
  26. if ( strlen ( $keywords ) == 0 )
  27. $error = translate ( 'You must enter one or more search keywords' ) . '.';
  28. $matches = 0;
  29. // Determine if this user is allowed to search the calendar of other users
  30. $search_others = false; // show "Advanced Search"
  31. if ( $single_user == 'Y' )
  32. $search_others = false;
  33. if ( $is_admin )
  34. $search_others = true;
  35. else
  36. if ( access_is_enabled () )
  37. $search_others = access_can_access_function ( ACCESS_ADVANCED_SEARCH );
  38. else
  39. if ( $login != '__public__' && ! empty ( $ALLOW_VIEW_OTHER ) &&
  40. $ALLOW_VIEW_OTHER == 'Y' )
  41. $search_others = true;
  42. else
  43. if ( $login == '__public__' && ! empty ( $PUBLIC_ACCESS_OTHERS ) &&
  44. $PUBLIC_ACCESS_OTHERS == 'Y' )
  45. $search_others = true;
  46. $users = getValue ( 'users' );
  47. if ( empty ( $users ) || empty ( $users[0] ) )
  48. $search_others = false;
  49. // Security precaution -- make sure users listed in participants list
  50. // was not hacked up to include users that they don't really have access to.
  51. if ( $search_others ) {
  52. // If user can only see users in his group, then remove users not in his group.
  53. if ( ! empty ( $USER_SEES_ONLY_HIS_GROUPS ) &&
  54. $USER_SEES_ONLY_HIS_GROUPS == 'Y' && ! empty ( $GROUPS_ENABLED ) &&
  55. $GROUPS_ENABLED == 'Y' ) {
  56. $myusers = get_my_users ( '', 'view' );
  57. $userlookup = array ();
  58. for ( $i = 0, $cnt = count ( $myusers ); $i < $cnt; $i++ ) {
  59. $userlookup[$myusers[$i]['cal_login']] = 1;
  60. }
  61. $newlist = array ();
  62. $cnt = count ( $users );
  63. for ( $i = 0; $i < $cnt; $i++ ) {
  64. if ( ! empty ( $userlookup[$users[$i]] ) )
  65. $newlist[] = $users[$i];
  66. }
  67. $users = $newlist;
  68. }
  69. // Now, use access control to remove more users :-)
  70. if ( access_is_enabled () && ! $is_admin ) {
  71. $newlist = array ();
  72. for ( $i = 0; $i < count ( $users ); $i++ ) {
  73. if ( access_user_calendar ( 'view', $users[$i] ) ) {
  74. $newlist[] = $users[$i];
  75. //echo "can access $users[$i] <br>";
  76. } else {
  77. //echo "cannot access $users[$i] <br>";
  78. }
  79. }
  80. $users = $newlist;
  81. }
  82. }
  83. if ( empty ( $users ) || empty ( $users[0] ) )
  84. $search_others = false;
  85. //Get advanced filters
  86. $cat_filter = getPostValue ( 'cat_filter' );
  87. $extra_filter = getPostValue ( 'extra_filter' );
  88. $date_filter = getPostValue ( 'date_filter' );
  89. $start_day = getPostValue ( 'from_day' );
  90. $start_month = getPostValue ( 'from_month' );
  91. $start_year = getPostValue ( 'from_year' );
  92. if ( $start_year < 1970 )
  93. $start_year = 1970;
  94. $end_day = getPostValue ( 'until_day' );
  95. $end_month = getPostValue ( 'until_month' );
  96. $end_year = getPostValue ( 'until_year' );
  97. if ( $end_year < 1970 )
  98. $end_year = 1970;
  99. $startDate = gmdate ( 'Ymd', gmmktime ( 0, 0, 0,
  100. $start_month, $start_day, $start_year ) );
  101. $endDate = gmdate ( 'Ymd', gmmktime ( 23, 59, 59,
  102. $end_month, $end_day, $end_year ) );
print_header ();
echo '
<h2>' . translate ( 'Search Results' ) . '</h2>';
if ( ! empty ( $error ) )
  echo print_error ( $error );
else {
  // *** "Phrase" feature by Steve Weyer saweyer@comcast.net 4-May-2005
  // If the whole keyword string is wrapped in the phrase delimiter it is
  // searched as a single term (delimiters removed); otherwise it is split
  // into words. An alternative would be a Phrase checkbox/list on search.php.
  // The query (keywords) is also echoed in the "matches found" heading below.
  // e.g., search_handler.php?keywords=%22Location:%20Arts%20and%20Crafts%22
  // NOTE(review): $phrasedelim is the two-byte sequence backslash + double
  // quote, i.e. a quote as escaped by magic_quotes_gpc. Unless getValue ()
  // still adds slashes, a plain "..." query will not take this branch -- confirm.
  // begin Phrase modification
  $klen = strlen ( $keywords );
  $phrasedelim = "\\\"";
  $plen = strlen ( $phrasedelim );
  if ( substr ( $keywords, 0, $plen ) == $phrasedelim &&
    substr ( $keywords, $klen - $plen ) == $phrasedelim ) {
    $phrase = substr ( $keywords, $plen, $klen - ( $plen * 2 ) );
    $words = array ( $phrase );
  } else
    // original (default) behavior: one query per space-separated word.
    // Consecutive spaces produce an empty word, whose pattern '%%' matches
    // every entry.
    $words = explode ( ' ', $keywords );
  // end Phrase modification
  $order = 'DESC';
  $word_cnt = count ( $words );
  // One query per word. Every user-supplied value (logins, keyword, category
  // id, dates) is bound through a '?' placeholder, appended to $sql_params in
  // the same order the placeholders appear in $sql. $cat_filter, $extra_filter
  // and $date_filter only choose between fixed SQL fragments.
  for ( $i = 0; $i < $word_cnt; $i++ ) {
    $sql_params = array ();
    // Note: we only search approved/waiting events (not deleted).
    // NOTE(review): with a category or extras filter, the extra tables are
    // spliced between "LEFT JOIN webcal_entry we" and its ON clause
    // ("... we , webcal_entry_categories wec ON ..."); confirm the supported
    // databases accept that form.
    $sql = 'SELECT we.cal_id, we.cal_name, we.cal_date, weu.cal_login '
      . ( ! empty ( $extra_filter ) ? ', wse.cal_data ' : '' )
      . 'FROM webcal_entry_user weu LEFT JOIN webcal_entry we '
      . ( ! empty ( $cat_filter ) ? ', webcal_entry_categories wec ' : '')
      . ( ! empty ( $extra_filter ) ? ', webcal_site_extras wse ' : '')
      . 'ON weu.cal_id = we.cal_id
WHERE weu.cal_status in ( \'A\',\'W\' )
AND weu.cal_login IN ( ?';
    if ( $search_others ) {
      // Defensive fallback only: $search_others is already forced to false
      // when $users[0] is empty (see the checks above), so this assignment
      // should not run. If it ever did, $sql_params[0] plus the push in the
      // loop below would bind $login twice for a single placeholder.
      if ( empty ( $users[0] ) )
        $sql_params[0] = $users[0] = $login;
      // One placeholder per (already pruned) user login.
      $user_cnt = count ( $users );
      for ( $j = 0; $j < $user_cnt; $j++ ) {
        if ( $j > 0 ) $sql .= ', ?';
        $sql_params[] = $users[$j];
      }
    } else
      // Plain search: only the caller's own calendar.
      $sql_params[] = $login;
    $sql .= ' ) ';
    if ( $search_others ) {
      // Don't search confidential entries of other users: another user's
      // entry is only matched when we.cal_access is 'P' (public). This is
      // the only confidentiality filter applied to the result set.
      $sql .= 'AND ( weu.cal_login = ?
OR ( weu.cal_login != ? AND we.cal_access = \'P\' ) ) ';
      $sql_params[] = $login;
      $sql_params[] = $login;
    }
    // We get an error using mssql trying to read text column as varchar.
    // This workaround seems to fix it up ROJ
    // but, will only search the first 1kb of the description.
    // $GLOBALS['db_type'] only selects one of two fixed column expressions;
    // no request data reaches the SQL text here.
    $sql .= 'AND ( UPPER( we.cal_name ) LIKE UPPER( ? ) OR UPPER( '
      . ( strcmp ( $GLOBALS['db_type'], 'mssql' ) == 0
        ? 'CAST ( we.cal_description AS varchar (1024) )'
        : 'we.cal_description' )
      . ' ) LIKE UPPER( ? ) ';
    // The word is bound as a LIKE pattern; '%' and '_' inside it are not
    // escaped, so a keyword containing them acts as a wildcard.
    $sql_params[] = '%' . $words[$i] . '%';
    $sql_params[] = '%' . $words[$i] . '%';
    //process advanced filters
    if ( ! empty ( $extra_filter ) ) {
      // Extras data: note the column itself is not wrapped in UPPER() here.
      $sql .= ' OR wse.cal_data LIKE UPPER( ? )';
      $sql_params[] = '%' . $words[$i] . '%';
    }
    //close AND statement from above
    $sql .= ')';
    if ( ! empty ( $cat_filter ) ) {
      // Category id is bound, not interpolated.
      $sql .= ' AND wec.cat_id = ? AND we.cal_id = wec.cal_id ';
      $sql_params[] = $cat_filter;
    }
    if ( ! empty ( $extra_filter ) )
      $sql .= ' AND we.cal_id = wse.cal_id ';
    if ( ! empty ( $date_filter ) ) {
      // 1 = past, 2 = upcoming, 3 = explicit range. Cases 1 and 2 compare
      // against the server's local date (); $startDate/$endDate for case 3
      // were built with gmdate ().
      if ( $date_filter == 1 ) { //Past entries
        $sql .= 'AND we.cal_date < ? ';
        $sql_params[] = date ( 'Ymd' );
      }
      if ( $date_filter == 2 ) {//Upcoming entries
        $sql .= 'AND we.cal_date >= ? ';
        $sql_params[] = date ( 'Ymd' );
        // Upcoming entries read better soonest-first.
        $order = 'ASC';
      }
      if ( $date_filter == 3 ) {//Use Date Range
        $sql .= 'AND ( we.cal_date >= ? AND we.cal_date <= ? )';
        $sql_params[] = $startDate;
        $sql_params[] = $endDate;
      }
    }
    $res = dbi_execute ( $sql . ' ORDER BY we.cal_date ' . $order
      . ', we.cal_name', $sql_params );
    if ( $res ) {
      // Rows are appended across all words; an entry that matches several
      // words is listed once per word ($matches is not de-duplicated).
      while ( $row = dbi_fetch_row ( $res ) ) {
        $info[$matches]['id'] = $row[0];
        $info[$matches]['text'] = $row[1] . ' ( ' . date_to_str ( $row[2] ) . ' )';
        $info[$matches]['user'] = $row[3];
        $matches++;
      }
    }
    // NOTE(review): also reached when dbi_execute () returned false.
    dbi_free_result ( $res );
  }
}
  211. ob_start ();
  212. echo '
  213. <p><strong>';
  214. if ( $matches > 0 ) {
  215. // Let update_translation.pl pick up translations.
  216. // translate ( 'match found' ) translate ( 'matches found' )
  217. echo $matches . ' '
  218. . translate ( // line break to bypass update_translation.pl here.
  219. 'match' . ( $matches == 1 ? '' : 'es' ) . ' found' );
  220. } else
  221. echo translate ( 'No matches found' );
  222. echo ": " . htmlentities ( $keywords ) . '</strong>.</p>';
  223. // now sort by number of hits
  224. if ( empty ( $error ) && ! empty ( $info ) ) {
  225. echo '
  226. <ul>';
  227. foreach ( $info as $result ) {
  228. echo '
  229. <li><a class="nav" href="view_entry.php?id=' . $result['id']
  230. . '&amp;user=' . $result['user'] . '">' . $result['text'] . '</a></li>';
  231. }
  232. echo '
  233. </ul>';
  234. }
  235. echo '
  236. <form action="search.php' . ( ! empty ( $advanced ) ? '?adv=1' : '' )
  237. . '" style="margin-left: 13px;" method="post">
  238. <input type="submit" value="'
  239. . translate ( 'New Search' ) . '" /></form>';
  240. ob_end_flush ();
  241. echo print_trailer ();
  242. ?>