
/WebCalendar-1.2.5/search_handler.php

  1<?php
  2/* This page produces search results.
  3 *
  4 * "Advanced Search" adds the ability to search other users' calendars.
  5 * We do a number of security checks to make sure this is allowed.
  6 *
  7 * @author Craig Knudsen <cknudsen@cknudsen.com>
  8 * @copyright Craig Knudsen, <cknudsen@cknudsen.com>, http://www.k5n.us/cknudsen
  9 * @license http://www.gnu.org/licenses/gpl.html GNU GPL
 10 * @package WebCalendar
 11 * @version $Id: search_handler.php,v 1.46.2.8 2012/02/28 02:07:45 cknudsen Exp $
 12 */
 13include_once 'includes/init.php';
 14require_valide_referring_url ();
 15
 16$error = '';
 17
 18// Disable if public access and OVERRIDE_PUBLIC in use
 19if ( $login == '__public__' && ! empty ( $OVERRIDE_PUBLIC ) &&
 20  $OVERRIDE_PUBLIC == 'Y' ) {
 21  print_header ();
 22  echo print_not_auth ();
 23  print_trailer ();
 24  exit;
 25}
 26
 27$keywords = getValue ( 'keywords' );
 28$advanced = getValue ( 'advanced' );
 29
 30if ( strlen ( $keywords ) == 0 )
 31  $error = translate ( 'You must enter one or more search keywords' ) . '.';
 32
 33$matches = 0;
 34// Determine if this user is allowed to search the calendar of other users
 35$search_others = false; // show "Advanced Search"
 36if ( $single_user == 'Y' )
 37  $search_others = false;
 38
 39if ( $is_admin )
 40  $search_others = true;
 41else
 42if ( access_is_enabled () )
 43  $search_others = access_can_access_function ( ACCESS_ADVANCED_SEARCH );
 44else
 45if ( $login != '__public__' && ! empty ( $ALLOW_VIEW_OTHER ) &&
 46    $ALLOW_VIEW_OTHER == 'Y' )
 47  $search_others = true;
 48else
 49if ( $login == '__public__' && ! empty ( $PUBLIC_ACCESS_OTHERS ) &&
 50    $PUBLIC_ACCESS_OTHERS == 'Y' )
 51  $search_others = true;
 52
 53$users = getValue ( 'users' );
 54if ( empty ( $users ) || empty ( $users[0] ) )
 55  $search_others = false;
 56// Security precaution -- make sure users listed in participants list
 57// was not hacked up to include users that they don't really have access to.
 58if ( $search_others ) {
 59  // If user can only see users in his group, then remove users not in his group.
 60  if ( ! empty ( $USER_SEES_ONLY_HIS_GROUPS ) &&
 61      $USER_SEES_ONLY_HIS_GROUPS == 'Y' && ! empty ( $GROUPS_ENABLED ) &&
 62      $GROUPS_ENABLED == 'Y' ) {
 63    $myusers = get_my_users ( '', 'view' );
 64    $userlookup = array ();
 65    for ( $i = 0, $cnt = count ( $myusers ); $i < $cnt; $i++ ) {
 66      $userlookup[$myusers[$i]['cal_login']] = 1;
 67    }
 68    $newlist = array ();
 69    $cnt = count ( $users );
 70    for ( $i = 0; $i < $cnt; $i++ ) {
 71      if ( ! empty ( $userlookup[$users[$i]] ) )
 72        $newlist[] = $users[$i];
 73    }
 74    $users = $newlist;
 75  }
 76  // Now, use access control to remove more users :-)
 77  if ( access_is_enabled () && ! $is_admin ) {
 78    $newlist = array ();
 79    for ( $i = 0; $i < count ( $users ); $i++ ) {
 80      if ( access_user_calendar ( 'view', $users[$i] ) ) {
 81        $newlist[] = $users[$i];
 82        //echo "can access $users[$i] <br>";
 83      } else {
 84        //echo "cannot access $users[$i] <br>";
 85      }
 86    }
 87    $users = $newlist;
 88  }
 89}
 90
 91if ( empty ( $users ) || empty ( $users[0] ) )
 92  $search_others = false;
 93
 94//Get advanced filters
 95$cat_filter = getPostValue ( 'cat_filter' );
 96$extra_filter = getPostValue ( 'extra_filter' );
 97$date_filter = getPostValue ( 'date_filter' );
 98$start_day = getPostValue ( 'from_day' );
 99$start_month = getPostValue ( 'from_month' );
100$start_year = getPostValue ( 'from_year' );
101if ( $start_year < 1970 )
102  $start_year = 1970;
103$end_day = getPostValue ( 'until_day' );
104$end_month = getPostValue ( 'until_month' );
105$end_year = getPostValue ( 'until_year' );
106if ( $end_year < 1970 )
107  $end_year = 1970;
108$startDate =  gmdate ( 'Ymd', gmmktime ( 0, 0, 0,
109  $start_month, $start_day, $start_year ) );
110$endDate =  gmdate ( 'Ymd', gmmktime ( 23, 59, 59,
111  $end_month, $end_day, $end_year ) );
112
113print_header ();
114echo '
115    <h2>' . translate ( 'Search Results' ) . '</h2>';
116
117if ( ! empty ( $error ) )
118  echo print_error ( $error );
119else {
120// *** "Phrase" feature by Steve Weyer saweyer@comcast.net 4-May-2005
121// check if keywords is surrounded by quotes
122// an alternative might be to add a checkbox/list on search.php
123// to indicate Phrase or other mode via an arg
124// if a phrase, use (after removing quotes) rather than split into words
125// also add query (keywords) to "match results" heading near end
126// e.g., search_handler.php?keywords=%22Location:%20Arts%20and%20Crafts%22
127
128// begin Phrase modification
129$klen = strlen ( $keywords );
130$phrasedelim = "\\\"";
131$plen = strlen ( $phrasedelim );
132
133if ( substr ( $keywords, 0, $plen ) == $phrasedelim &&
134    substr ( $keywords, $klen - $plen ) == $phrasedelim ) {
135  $phrase = substr ( $keywords, $plen, $klen - ( $plen * 2 ) );
136  $words = array ( $phrase );
137} else
138  // original (default) behavior
139  $words = explode ( ' ', $keywords );
140// end Phrase modification
141  $order = 'DESC';
142  $word_cnt = count ( $words );
143  for ( $i = 0; $i < $word_cnt; $i++ ) {
144    $sql_params = array ();
145    // Note: we only search approved/waiting events (not deleted).
146    $sql = 'SELECT we.cal_id, we.cal_name, we.cal_date, weu.cal_login '
147      . ( ! empty ( $extra_filter ) ? ', wse.cal_data ' : '' )
148      . 'FROM webcal_entry_user weu LEFT JOIN  webcal_entry we '
149      . ( ! empty ( $cat_filter ) ? ', webcal_entry_categories wec ' : '')
150      . ( ! empty ( $extra_filter ) ? ', webcal_site_extras wse ' : '')
151	  . 'ON weu.cal_id = we.cal_id
152        WHERE weu.cal_status in ( \'A\',\'W\' )
153        AND weu.cal_login IN ( ?';
154    if ( $search_others ) {
155      if ( empty ( $users[0] ) )
156        $sql_params[0] = $users[0] = $login;
157      $user_cnt = count ( $users );
158      for ( $j = 0; $j < $user_cnt; $j++ ) {
159        if ( $j > 0 ) $sql .= ', ?';
160        $sql_params[] = $users[$j];
161      }
162    } else
163      $sql_params[] = $login;
164
165    $sql .= ' ) ';
166    if ( $search_others ) {
167      // Don't search confidential entries of other users.
168      $sql .= 'AND ( weu.cal_login = ?
169        OR ( weu.cal_login != ? AND we.cal_access = \'P\' ) ) ';
170      $sql_params[] = $login;
171      $sql_params[] = $login;
172    }
173    // We get an error using mssql trying to read text column as varchar.
174    // This workaround seems to fix it up ROJ
175    // but, will only search the first 1kb of the description.
176    $sql .= 'AND ( UPPER( we.cal_name ) LIKE UPPER( ? ) OR UPPER( '
177     . ( strcmp ( $GLOBALS['db_type'], 'mssql' ) == 0
178      ? 'CAST ( we.cal_description AS varchar (1024) )'
179      : 'we.cal_description' )
180     . ' ) LIKE UPPER( ? ) ';
181    $sql_params[] = '%' . $words[$i] . '%';
182    $sql_params[] = '%' . $words[$i] . '%';
183
184    //process advanced filters
185    if ( ! empty ( $extra_filter ) ) {
186      $sql .= ' OR wse.cal_data LIKE UPPER( ? )';
187      $sql_params[] = '%' . $words[$i] . '%';
188    }
189    //close AND statement from above
190    $sql .= ')';
191    if ( ! empty ( $cat_filter ) ) {
192      $sql .= ' AND wec.cat_id = ? AND we.cal_id = wec.cal_id ';
193      $sql_params[] = $cat_filter;
194    }
195    if ( ! empty ( $extra_filter ) )
196      $sql .= ' AND we.cal_id = wse.cal_id ';
197    if ( ! empty ( $date_filter ) ) {
198      if ( $date_filter == 1 ) { //Past entries
199        $sql .= 'AND we.cal_date < ? ';
200        $sql_params[] = date ( 'Ymd' );
201      }
202      if ( $date_filter == 2 ) {//Upcoming entries
203        $sql .= 'AND we.cal_date >= ? ';
204        $sql_params[] = date ( 'Ymd' );
205        $order = 'ASC';
206      }
207      if ( $date_filter == 3 ) {//Use Date Range
208        $sql .= 'AND ( we.cal_date >= ? AND we.cal_date <= ? )';
209        $sql_params[] = $startDate;
210        $sql_params[] = $endDate;
211      }
212    }
213
214    $res = dbi_execute ( $sql . ' ORDER BY we.cal_date ' . $order
215     . ', we.cal_name', $sql_params );
216    if ( $res ) {
217      while ( $row = dbi_fetch_row ( $res ) ) {		  
218        $info[$matches]['id'] = $row[0];
219        $info[$matches]['text'] = $row[1] . ' ( ' . date_to_str ( $row[2] ) . ' )';
220		$info[$matches]['user'] = $row[3];
221		
222		$matches++;
223      }
224    }
225    dbi_free_result ( $res );
226  }
227}
228
229ob_start ();
230echo '
231    <p><strong>';
232if ( $matches > 0 ) {
233  // Let update_translation.pl pick up translations.
234  // translate ( 'match found' ) translate ( 'matches found' )
235  echo $matches . ' '
236   . translate ( // line break to bypass update_translation.pl here.
237    'match' . ( $matches == 1 ? '' : 'es' ) . ' found' );
238} else
239  echo translate ( 'No matches found' );
240
241echo ": " . htmlentities ( $keywords ) . '</strong>.</p>';
242
243
244// now sort by number of hits
245if ( empty ( $error ) && ! empty ( $info ) ) {
246  echo '
247    <ul>';
248  foreach ( $info as $result ) {
249    echo '
250      <li><a class="nav" href="view_entry.php?id=' . $result['id'] 
251	   . '&amp;user=' . $result['user'] . '">' . $result['text'] . '</a></li>';
252  }
253  echo '
254    </ul>';
255}
256echo '
257      <form action="search.php' . ( ! empty ( $advanced ) ? '?adv=1' : '' )
258        . '"  style="margin-left: 13px;" method="post">
259       <input type="submit" value="'
260        . translate ( 'New Search' ) . '" /></form>';
261ob_end_flush ();
262echo print_trailer ();
263
264?>