From bd270b02274b4e43a887e86805a44cf456f2da38 Mon Sep 17 00:00:00 2001
From: Karl 'vollmerk' Vollmer
Date: Fri, 7 Mar 2008 06:51:52 +0000
Subject: fixed the acl issue... sigh

---
 democratic.php | 13 +++---
 lib/class/access.class.php | 15 +++---
 lib/class/api.class.php | 2 +-
 lib/class/democratic.class.php | 69 +++++++++++++++++++++++++++++++-
 lib/class/stream.class.php | 2 +-
 lib/class/update.class.php | 14 +++++++
 lib/class/user.class.php | 15 ++++---
 lib/class/vauth.class.php | 6 +--
 lib/class/xmlrpcserver.class.php | 2 +-
 templates/show_create_democratic.inc.php | 16 +++++++-
 templates/show_manage_democratic.inc.php | 14 ++++++-
 11 files changed, 138 insertions(+), 30 deletions(-)

diff --git a/democratic.php b/democratic.php
index bf208e5b..6cca46c4 100644
--- a/democratic.php
+++ b/democratic.php
@@ -32,24 +32,23 @@ show_header();
 // Switch on their action
 switch ($_REQUEST['action']) {
 case 'show_create':
- if (!$GLOBALS['user']->has_access('75')) {
+ if (!Access::check('interface','75')) {
 access_denied();
 break;
 }
 // Show the create page
 require_once Config::get('prefix') . '/templates/show_create_democratic.inc.php';
- break;
 case 'create':
 // Only power users here
- if (!$GLOBALS['user']->has_access('75')) {
+ if (!Access::check('interface','75')) {
 access_denied();
 break;
 }
+ // Create the playlist
- //FIXME: don't use hardcoded id value here, needs db rework to fix this
- Democratic::create('-1','vote','song',$_REQUEST['democratic']);
+ Democratic::create($_POST);
 header("Location: " . Config::get('web_path') . "/democratic.php?action=manage_playlists");
 break;
 case 'create_playlist':
@@ -92,7 +91,7 @@ switch ($_REQUEST['action']) {
 exit;
 break;
 case 'manage_playlists':
- if (!$GLOBALS['user']->has_access('75')) {
+ if (!Access::check('interface','75')) {
 access_denied();
 break;
 }
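Review bot: The `- break;` removed right after the `require_once` of show_create_democratic.inc.php lets `case 'show_create'` fall through into `case 'create'`, so a plain request for the create form would also run `Democratic::create($_POST)` on an empty form and redirect to manage_playlists instead of showing the page; if that removal really drops the `break;` rather than a blank line (the collapsed whitespace leaves this ambiguous), restore `break;` before `case 'create':`. Separately, `Democratic::create($_POST)` now hands the whole request body to the class where the old call passed explicit values, and the `level` and `make_default` fields are only escaped before being written (see the `create` hunk in lib/class/democratic.class.php). The enclosing `switch` continues beyond this hunk.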
@@ -104,7 +103,7 @@ switch ($_REQUEST['action']) {
 break;
 case 'update_playlist':
 /* Only Admins Here */
- if (!$GLOBALS['user']->has_access(100)) {
+ if (!Access::check('interface','100')) {
 access_denied();
 break;
 }
diff --git a/lib/class/access.class.php b/lib/class/access.class.php
index bfc7beb9..b899342c 100644
--- a/lib/class/access.class.php
+++ b/lib/class/access.class.php
@@ -80,8 +80,8 @@ class Access {
 $name = Dba::escape($data['name']);
 $type = self::validate_type($data['type']);
- $start = ip2long($data['start']);
- $end = ip2long($data['end']);
+ $start = sprintf("%u",ip2long($data['start']));
+ $end = springf("%u",ip2long($data['end']));
 $level = Dba::escape($data['level']);
 $user = $data['user'] ? Dba::escape($data['user']) : '-1';
 $key = Dba::escape($data['key']);
@@ -104,16 +104,17 @@ class Access {
 /* We need to verify the incomming data a littlebit */
- $start = ip2long($data['start']);
- $end = ip2long($data['end']);
+ $start = sprintf("%u",ip2long($data['start']));
+ $end = sprintf("%u",ip2long($data['end']));
 $name = Dba::escape($data['name']);
 $key = Dba::escape($data['key']);
 $user = $data['user'] ? Dba::escape($data['user']) : '-1';
 $level = intval($data['level']);
 $type = self::validate_type($data['type']);
+ $dns = ' ';
- $sql = "INSERT INTO `access_list` (`name`,`level`,`start`,`end`,`key`,`user`,`type`) " .
- "VALUES ('$name','$level','$start','$end','$key','$user','$type')";
+ $sql = "INSERT INTO `access_list` (`name`,`level`,`start`,`end`,`key`,`user`,`type`,`dns`) " .
+ "VALUES ('$name','$level','$start','$end','$key','$user','$type','$dns')";
 $db_results = Dba::query($sql);
 return true;
@@ -170,7 +171,7 @@ class Access {
 }
 // Clean incomming variables
- $ip = ip2long($ip);
+ $ip = sprintf("%u",ip2long($ip));
 $user = Dba::escape($user);
 $key = Dba::escape($key);
 $level = Dba::escape($level);
diff --git a/lib/class/api.class.php b/lib/class/api.class.php
index bd1b7ce0..2d55aad5 100644
--- a/lib/class/api.class.php
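Review bot: `$end = springf("%u",ip2long($data['end']));` in the @@ -80 hunk of access.class.php is a typo for `sprintf`; PHP has no `springf`, so this path dies with an undefined-function fatal error the first time an access-list entry is updated. Change the line to `$end = sprintf("%u",ip2long($data['end']));`, matching the `$start` line directly above it and the same pair of lines in the @@ -104 hunk. The enclosing method starts before this hunk.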
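Review bot: `sprintf("%u",ip2long(...))` in the @@ -104 hunk of access.class.php turns an address that does not parse into the string `0`, because `ip2long()` returns `false` for invalid input and `%u` prints that as 0; an access_list row whose `start` failed to parse therefore silently becomes a rule beginning at 0.0.0.0, which is the opposite of failing closed for an ACL. Reject the row before building the INSERT, e.g. `if (ip2long($data['start']) === false || ip2long($data['end']) === false) { return false; }` ahead of the two `sprintf` lines, and consider the same guard in the @@ -170 hunk of this file and in the one-line changes to api.class.php, stream.class.php, vauth.class.php and xmlrpcserver.class.php, where a `0` ends up compared against stored ranges. `$dns = ' ';` stores a hard-coded single space; if `dns` is optional here, `''` (or omitting the column) is less surprising to whatever later reads it. The enclosing method starts before this hunk.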
+++ b/lib/class/api.class.php
@@ -65,7 +65,7 @@ class Api {
 // Clean incomming variables
 $user_id = Dba::escape($user_id);
 $timestamp = intval($timestamp);
- $ip = ip2long($ip);
+ $ip = sprintf("%u",ip2long($ip));
 // Log this attempt
 debug_event('API','Login Attempt, IP:' . long2ip($ip) . ' Time:' . $timestamp . ' User:' . $user_id . ' Auth:' . $passphrase,'1');
diff --git a/lib/class/democratic.class.php b/lib/class/democratic.class.php
index bc9429fb..32ecbee2 100644
--- a/lib/class/democratic.class.php
+++ b/lib/class/democratic.class.php
@@ -26,6 +26,51 @@
 */
 class Democratic extends tmpPlaylist {
+ /**
+ * constructor
+ * We need a constructor for this class. It does it's own thing now
+ */
+ public function __construct($id='') {
+
+ if (!$id) { return false; }
+
+ $info = $this->get_info($id);
+
+ foreach ($info as $key=>$value) {
+ $this->$key = $value;
+ }
+
+ } // constructor
+
+
+ /**
+ * get_info
+ * This returns the data from the database
+ */
+ private function get_info($id) {
+
+ $id = Dba::escape($id);
+
+ $sql = "SELECT * FROM `democratic` WHERE `id`='$id'";
+ $db_results = Dba::query($sql);
+
+ $row = Dba::fetch_assoc($db_results);
+
+ return $row;
+
+ } // get_info
+
+ /**
+ * format
+ * This makes the objects variables all purrty so that they can be displayed
+ */
+ public function format() {
+
+ $this->f_cooldown = $this->cooldown . ' ' . _('minutes');
+ $this->f_primary = $this->primary ? _('Primary') : '';
+
+ } // format
+
 /**
 * get_playlists
 * This returns all of the current valid 'Democratic' Playlists
@@ -36,7 +81,7 @@ class Democratic extends tmpPlaylist {
 // Pull all tmp playlsits with a session of < 0 (as those are fake)
 // This is kind of hackish, should really think about tweaking the db
 // and doing this right.
- $sql = "SELECT `id` FROM `tmp_playlist` WHERE `session`< '0'";
+ $sql = "SELECT `id` FROM `democratic` ORDER BY `name`";
 $db_results = Dba::query($sql);
 $results = array();
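Review bot: `format()` in the @@ -26 hunk of democratic.class.php sets only `f_cooldown` and `f_primary`, yet the new row in templates/show_manage_democratic.inc.php in this same commit also echoes `f_level`, so that column renders empty; add `$this->f_level = $this->level;` (or whatever label the level should show as) beside the other two assignments. In the constructor, `foreach ($info as $key=>$value)` iterates whatever `Dba::fetch_assoc()` returned; if that is `false` for an unknown id, the loop emits a warning and the object is left without properties, so a `if (!$info) { return false; }` after `$info = $this->get_info($id);` would be consistent with the `if (!$id)` check above it. Note also that `return false` inside a constructor does not stop the caller from receiving the object. The class continues beyond this hunk.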
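Review bot: The three comment lines above the changed query in the @@ -36 hunk of democratic.class.php still describe pulling `tmp_playlist` rows with a session below 0 as a hack, but the new SQL reads the `democratic` table ordered by name, so the comment now describes code that no longer exists; replace them with `// Pull every democratic playlist, ordered by name`. The enclosing `get_playlists` method starts before this hunk and continues past it.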
@@ -328,6 +373,28 @@ class Democratic extends tmpPlaylist {
 } // delete_votes
+ /**
+ * create
+ * This is the democratic play create function it inserts this into the democratic table
+ */
+ public static function create($data) {
+
+ // Clean up the input
+ $name = Dba::escape($data['name']);
+ $base = Dba::escape($data['democratic']);
+ $cool = Dba::escape($data['cooldown']);
+ $level = Dba::escape($data['level']);
+ $default = Dba::escape($data['make_default']);
+ $user = Dba::escape($GLOBALS['user']->id);
+
+ $sql = "INSERT INTO `democratic` (`name`,`cooldown`,`level`,`user`,`primary`) " .
+ "VALUES ('$name','$cool','$level','$user','$default')";
+ $db_results = Dba::query($sql);
+
+ return $db_results;
+
+ } // create
+
 /**
 * prune_tracks
 * This replaces the normal prune tracks and correctly removes the votes
diff --git a/lib/class/stream.class.php b/lib/class/stream.class.php
index fee74523..10ad2044 100644
--- a/lib/class/stream.class.php
+++ b/lib/class/stream.class.php
@@ -188,7 +188,7 @@ class Stream {
 $expire = time() + Config::get('stream_length');
 $sid = Dba::escape($sid);
 $agent = Dba::escape($_SERVER['HTTP_USER_AGENT']);
- $ip = ip2long($_SERVER['REMOTE_ADDR']);
+ $ip = sprintf("%u",ip2long($_SERVER['REMOTE_ADDR']));
 $uid = Dba::escape($uid);
 $sql = "UPDATE `session_stream` SET `expire`='$expire', `agent`='$agent', `ip`='$ip' " .
diff --git a/lib/class/update.class.php b/lib/class/update.class.php
index 66322cd7..924e87e7 100644
--- a/lib/class/update.class.php
+++ b/lib/class/update.class.php
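Review bot: `$base = Dba::escape($data['democratic']);` in the new `create()` is assigned but never used — the INSERT writes only `name`, `cooldown`, `level`, `user` and `primary` — so the `base_playlist` column that update_340016 adds in this same commit is never filled, and the manage template's `new Playlist($democratic->base_playlist)` loads whatever the column defaults to. Append the `base_playlist` column to the column list and `'$base'` to the VALUES list; because that column is declared NOT NULL with no DEFAULT, omitting it also fails outright under MySQL strict mode. `cooldown`, `level` and `make_default` come straight from the form and are only escaped, so `intval()` on each would keep non-numeric input out of those columns. Returning `$db_results` hands a driver result to callers where a bool or the new row id would be more useful.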
@@ -1144,5 +1144,19 @@ class Update {
 } // update_340015
+ /**
+ * update_340016
+ * This adds in the base_playlist to the democratic table... should have
+ * done this in the previous one but I screwed up... sigh
+ */
+ public static function update_340016() {
+
+ $sql = "ALTER TABLE `democratic` ADD `base_playlist` INT ( 11 ) UNSIGNED NOT NULL";
+ $db_results = Dba::query($sql);
+
+ self::set_version('db_version','340016');
+
+ } // update_340016
+
 } // end update class
 ?>
diff --git a/lib/class/user.class.php b/lib/class/user.class.php
index ad5c20f3..ceeb7332 100644
--- a/lib/class/user.class.php
+++ b/lib/class/user.class.php
@@ -547,14 +547,17 @@ class User {
 * address at this time in this place, doing this thing.. you get the point
 */
 public function insert_ip_history() {
+
 if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])){
- $sip = $_SERVER['HTTP_X_FORWARDED_FOR'];
- debug_event('User Ip', 'Login from ip adress: ' . $sip,'3');
- } else {
- $sip = $_SERVER['REMOTE_ADDR'];
- debug_event('User Ip', 'Login from ip adress: ' . $sip,'3');
+ $sip = $_SERVER['HTTP_X_FORWARDED_FOR'];
+ debug_event('User Ip', 'Login from ip adress: ' . $sip,'3');
+ }
+ else {
+ $sip = $_SERVER['REMOTE_ADDR'];
+ debug_event('User Ip', 'Login from ip adress: ' . $sip,'3');
 }
- $ip = ip2long($sip);
+
+ $ip = sprintf("%u",ip2long($sip));
 $date = time();
 $user = $this->id;
diff --git a/lib/class/vauth.class.php b/lib/class/vauth.class.php
index b670db2d..14f8b40d 100644
--- a/lib/class/vauth.class.php
+++ b/lib/class/vauth.class.php
@@ -264,7 +264,7 @@ class vauth {
 } // end switch on data type
 $username = Dba::escape($data['username']);
- $ip = $_SERVER['REMOTE_ADDR'] ? Dba::escape(ip2long($_SERVER['REMOTE_ADDR'])) : '0';
+ $ip = $_SERVER['REMOTE_ADDR'] ? Dba::escape(sprintf("%u",ip2long($_SERVER['REMOTE_ADDR']))) : '0';
 $type = Dba::escape($data['type']);
 $value = Dba::escape($data['value']);
 $agent = Dba::escape(substr($_SERVER['HTTP_USER_AGENT'],0,254));
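Review bot: `$db_results = Dba::query($sql);` in `update_340016` is assigned and then ignored, so `self::set_version('db_version','340016')` runs even when the ALTER TABLE failed, leaving the recorded schema version ahead of the real schema; if `Dba::query()` returns `false` on failure, guard it with `if (!$db_results) { return false; }` before the `set_version` call. The new column is `NOT NULL` with no `DEFAULT`, and the `Democratic::create()` added in this commit does not write it, so inserts will be rejected under MySQL strict mode; either add `DEFAULT '0'` to the ALTER here or make `create()` supply the value. The spaces in `INT ( 11 )` are harmless but unusual.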
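Review bot: `$sip = $_SERVER['HTTP_X_FORWARDED_FOR'];` in the user.class.php hunk is used as the client address whenever the header is present, but that header is written by whoever sent the request and, once more than one proxy is involved, holds a comma-separated list; the new `$ip = sprintf("%u",ip2long($sip));` line then stores `0` because `ip2long()` cannot parse the list. Only honour the header when the request came from a configured proxy, and take the first element from it (`list($sip) = explode(',', $sip);` followed by `$sip = trim($sip);`), otherwise the IP history records a value the client chose rather than `REMOTE_ADDR`. The `else` on its own line after `}` differs from the `} else {` style used elsewhere on this page. The method continues beyond this hunk.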
@@ -358,7 +358,7 @@ class vauth {
 break;
 case 'stream':
 $key = Dba::escape($key);
- $ip = ip2long($data['ip']);
+ $ip = sprintf("%u",ip2long($data['ip']));
 $agent = Dba::escape($data['agent']);
 $sql = "SELECT * FROM `session_stream` WHERE `id`='$key' AND `expire` > '$time' AND `ip`='$ip' AND `agent`='$agent'";
 $db_results = Dba::query($sql);
@@ -504,7 +504,7 @@ class vauth {
 if (Config::get('prevent_multiple_logins')) {
 $client = new User($results['id']);
 $current_ip = $client->is_logged_in();
- if ($current_ip != ip2long($_SERVER['REMOTE_ADDR'])) {
+ if ($current_ip != sprintf("%u",ip2long($_SERVER['REMOTE_ADDR']))) {
 Error::add('general','User Already Logged in');
 return false;
 }
diff --git a/lib/class/xmlrpcserver.class.php b/lib/class/xmlrpcserver.class.php
index 6cb08451..5b6b3892 100644
--- a/lib/class/xmlrpcserver.class.php
+++ b/lib/class/xmlrpcserver.class.php
@@ -146,7 +146,7 @@ class xmlRpcServer {
 debug_event('XMLSERVER','Login Attempt, IP: ' . $_SERVER['REMOTE_ADDR'] . ' Time: ' . $timestamp . ' Hash:' . $encoded_key,'5');
 // Convert the IP Address to an int
- $ip = ip2long($_SERVER['REMOTE_ADDR']);
+ $ip = sprintf("%u",ip2long($_SERVER['REMOTE_ADDR']));
 // Run the query and return the key's for ACLs of type RPC that would match this IP
 $sql = "SELECT * FROM `access_list` WHERE `type`='rpc' AND `start` <= '$ip' AND `end` >= '$ip'";
diff --git a/templates/show_create_democratic.inc.php b/templates/show_create_democratic.inc.php
index cce0857d..7059cebe 100644
--- a/templates/show_create_democratic.inc.php
+++ b/templates/show_create_democratic.inc.php
@@ -1,7 +1,7 @@ + + + + + + + + +
diff --git a/templates/show_manage_democratic.inc.php b/templates/show_manage_democratic.inc.php
index 8c5a88c0..8361e525 100644
--- a/templates/show_manage_democratic.inc.php
+++ b/templates/show_manage_democratic.inc.php
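Review bot: `if ($current_ip != sprintf("%u",ip2long($_SERVER['REMOTE_ADDR'])))` in the @@ -504 hunk of vauth.class.php now compares against a decimal string with the loose `!=`, so the outcome depends on what `is_logged_in()` returns, which is not visible here; if it returns `false` when the user has no live session, `false != "..."` is true and every fresh login would be refused with 'User Already Logged in'. Normalise both sides before comparing, e.g. `if ($current_ip !== false && (string) $current_ip !== sprintf("%u",ip2long($_SERVER['REMOTE_ADDR']))) {`, and make sure the code that stores the session `ip` read by `is_logged_in()` uses the same `%u` formatting so both sides share one representation. The enclosing method starts before this hunk.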
@@ -25,23 +25,33 @@ show_box_top(_('Manage Democratic Playlists')); ?> + + + + + + format(); $playlist = new Playlist($democratic->base_playlist); $playlist->format(); ?> - id); ?> + name); ?> f_link; ?> + f_cooldown; ?> + f_level; ?> + f_primary; ?> count_items(); ?> @@ -49,7 +59,7 @@ show_box_top(_('Manage Democratic Playlists')); ?> - + -- cgit