From e6b5e164565c52ef220441ad98e3eaa5188d6780 Mon Sep 17 00:00:00 2001
From: Oliver <github@raduner.ch>
Date: Tue, 27 Dec 2022 17:47:18 +0100
Subject: [PATCH 1/3] =?UTF-8?q?Fixes=20inappropriate=20=C2=ABpermission=20?=
 =?UTF-8?q?denied=C2=BB=20warnings?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 www/gallery.php | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/www/gallery.php b/www/gallery.php
index 886a1b5..f24c2fd 100644
--- a/www/gallery.php
+++ b/www/gallery.php
@@ -66,7 +66,7 @@
 		$doAction = (string)$_GET['do'];
 		/** Das Benoten (und mypic markieren) können nebst Schönen auch die registrierten User,
 			deshalb müssen wirs vorziehen... */
-		if ($user->is_loggedin() && isset($_POST['picID']) && !empty($_POST['picID']) && $_POST['picID'] > 0)
+		if ($user->is_loggedin() && ($doAction === 'benoten' || $doAction === 'mypic') && isset($_POST['picID']) && !empty($_POST['picID']) && $_POST['picID'] > 0)
 		{
 			switch ($doAction)
 			{
@@ -83,12 +83,12 @@
 					}
 					break;
 			}
-		} else {
+		} elseif (!$user->is_loggedin() && !empty($doAction)) {
 			$smarty->assign('error', ['type' => 'warn', 'dismissable' => 'false', 'title' => t('permissions-insufficient', 'gallery', [$doAction])]);
 		}
 
 		/** Ab hier kommt nur noch Zeugs dass Member & Schöne machen dürfen */
-		if ($user->typ >= USER_MEMBER)
+		if ($user->typ >= USER_MEMBER && (!empty($doAction) && $doAction != 'benoten' && $doAction != 'mypic'))
 		{
 			switch ($doAction)
 			{
@@ -128,9 +128,8 @@
 				/*case 'markieren':
 					doMark($getPicId);
 					break;*/
-
 			}
-		} else {
+		} elseif ($user->typ < USER_MEMBER && !empty($doAction)) {
 			$smarty->assign('error', ['type' => 'warn', 'dismissable' => 'false', 'title' => t('permissions-insufficient', 'gallery', [$doAction])]);
 		}
 

From f1768c5b5edc4804680d280538e24d487e7547c1 Mon Sep 17 00:00:00 2001
From: Oliver <github@raduner.ch>
Date: Tue, 27 Dec 2022 21:15:00 +0100
Subject: [PATCH 2/3] Fixes some Errors in PHP, JS Console and hardens AJAX

---
 www/includes/gallery.inc.php           |  6 +++---
 www/js/ajax/get-onlineuser.php         | 21 +++++++++++++++------
 www/js/ajax/get-unreadcomments.php     | 17 ++++++++++++-----
 www/js/mobilez/browsernotifications.js |  8 ++++----
 www/js/zorg.js                         |  2 ++
 5 files changed, 36 insertions(+), 18 deletions(-)

diff --git a/www/includes/gallery.inc.php b/www/includes/gallery.inc.php
index a40a7ec..557c4a4 100644
--- a/www/includes/gallery.inc.php
+++ b/www/includes/gallery.inc.php
@@ -362,7 +362,7 @@ function pic ($id)
 	/** Bild Zensur-Info */
 	if ($cur['zensur'] === '1') echo '<span class="small" title="Bild ist ZENSIERT">🫥</span>';
 	/** Bild Datum (Desktop Viewports) */
-	if (!$user->from_mobile && is_file($pic_filepath) !== false)
+	if ((!isset($user->from_mobile) || false === $user->from_mobile) && is_file($pic_filepath) !== false)
 	{
 		/** APOD Special: use pic_added from database, instead of filemtime */
 		if ($cur['album'] == APOD_GALLERY_ID && !empty($cur['timestamp'])) {
@@ -434,7 +434,7 @@ function pic ($id)
 	echo '</td></tr>';
 
 	/** Bild Datum (Mobile Viewports) */
-	if ($user->from_mobile != false && is_file($pic_filepath) !== false)
+	if (isset($user->from_mobile) && $user->from_mobile != false && is_file($pic_filepath) !== false)
 	{
 		echo '<tr><td colspan="3" class="align-right padding-bottom-s small light">';
 		/** APOD Special: use pic_added from database, instead of filemtime */
@@ -507,7 +507,7 @@ function pic ($id)
 	/**
 	 * Mobile Touch Swipe - next/prev Pic
 	 */
-	if ($user->from_mobile != false)
+	if (isset($user->from_mobile) && $user->from_mobile != false)
 	{
 		echo '<script>// HammerJS
 			document.onreadystatechange = function(){
diff --git a/www/js/ajax/get-onlineuser.php b/www/js/ajax/get-onlineuser.php
index 11a8208..823cdfe 100644
--- a/www/js/ajax/get-onlineuser.php
+++ b/www/js/ajax/get-onlineuser.php
@@ -4,15 +4,22 @@
  *
  * @package zorg\Usersystem
  */
+
 /**
  * AJAX Request validation
  */
+if (!isset($_SERVER['HTTP_X_REQUESTED_WITH']) || strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) != 'xmlhttprequest') {
+	/** The request is not an AJAX request */
+	http_response_code(405); // Set response code 405 (Method Not Allowed)
+	exit('Request not allowed');
+ }
 if(!isset($_GET['style']) || empty($_GET['style']) || false === filter_var(trim($_GET['style']), FILTER_SANITIZE_STRING))
 {
 	http_response_code(400); // Set response code 400 (bad request) and exit.
-	die('Invalid or missing GET-Parameter');
+	exit('Invalid or missing GET-Parameter');
+} else {
+	$onlineUserListstyle = filter_var(trim($_GET['style']), FILTER_SANITIZE_STRING);
 }
-$onlineUserListstyle = filter_var(trim($_GET['style']), FILTER_SANITIZE_STRING);
 
 /**
  * Get online user HTML
@@ -21,16 +28,17 @@
 {
 	case 'image':
 		/** Requires usersystem.inc.php */
-		require_once INCLUDES_DIR.'usersystem.inc.php';
+		require_once __DIR__.'/../../includes/usersystem.inc.php';
 		$onlineUserHtml = $user->online_users(true);
 
 		if (!empty($onlineUserHtml))
 		{
 			http_response_code(200); // Set response code 200 (OK)
 			header('Content-type: text/html; charset=utf-8');
-			echo $onlineUserHtml;
+			exit($onlineUserHtml);
 		} else {
 			http_response_code(204); // Set response code 204 (OK but no Content)
+			exit;
 		}
 		break;
 
@@ -55,15 +63,16 @@
 			}
 			http_response_code(200); // Set response code 200 (OK)
 			header('Content-type: text/html; charset=utf-8');
-			echo implode(', ', $onlineUsersArr);
+			exit(implode(', ', $onlineUsersArr));
 		}
 		/** No logged-in user seems to be online... */
 		else {
 			http_response_code(204); // Set response code 204 (OK but no Content)
+			exit;
 		}
 		break;
 
 	default:
 		http_response_code(400); // Set response code 400 (Bad Request)
-		die('Invalid GET-Parameter');
+		exit('Invalid GET-Parameter');
 }
diff --git a/www/js/ajax/get-unreadcomments.php b/www/js/ajax/get-unreadcomments.php
index d17a07c..fcbbbea 100644
--- a/www/js/ajax/get-unreadcomments.php
+++ b/www/js/ajax/get-unreadcomments.php
@@ -4,9 +4,15 @@
  *
  * @package zorg\Forum
  */
+
 /**
  * AJAX Request validation
  */
+if (!isset($_SERVER['HTTP_X_REQUESTED_WITH']) || strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) != 'xmlhttprequest') {
+	/** The request is not an AJAX request */
+	http_response_code(405); // Set response code 405 (Method Not Allowed)
+	exit('Request not allowed');
+}
 if(!isset($_GET['user']) || empty($_GET['user']) || false === filter_var(trim($_GET['user']), FILTER_SANITIZE_NUMBER_INT))
 {
 	http_response_code(400); // Set response code 400 (bad request) and exit.
@@ -22,12 +28,12 @@
  * The reason is to have a very minimal "overhead" for repeated
  * checks for unread comments (updating the corresponding frontend)
  */
-if (!empty($user_id))
+if (!empty($user_id) && $user_id > 0)
 {
 	/** Requires mysql.inc.php */
-	require_once dirname(__FILE__).'/../../includes/mysql.inc.php';
+	require_once __DIR__.'/../../includes/mysql.inc.php';
 	/** Unread Comments are only valid while a User is online... for minimum external exposure. */
-	$sql = 'SELECT COUNT(*) AS numunread FROM comments_unread WHERE user_id IN (SELECT id FROM user WHERE activity > (NOW()-200) AND id='.$user_id.')';
+	$sql = 'SELECT COUNT(*) AS numunread FROM comments_unread WHERE user_id='.$user_id;
 	$rs = $db->fetch($db->query($sql, __FILE__, __LINE__, 'SELECT FROM comments_unread'));
 	/** Check if at least 1 unread comment */
 	$numUnreadComments = (false !== $rs['numunread'] && !empty($rs['numunread']) ? (int)$rs['numunread'] : 0);
@@ -35,11 +41,12 @@
 	{
 		http_response_code(200); // Set response code 200 (OK)
 		header('Content-type: text/html;charset=utf-8');
-		printf('%d Comment%s', $numUnreadComments, ($numUnreadComments > 1 ? 's' : ''));
+		exit(sprintf('%d Comment%s', $numUnreadComments, ($numUnreadComments > 1 ? 's' : '')));
 	} else {
 		http_response_code(204); // Set response code 204 (OK but no Content)
+		exit;
 	}
 } else {
 	http_response_code(403); // Set response code 403 (Forbidden)
-	//die('Invalid User');
+	exit;
 }
diff --git a/www/js/mobilez/browsernotifications.js b/www/js/mobilez/browsernotifications.js
index fbf7ad7..5c522e7 100644
--- a/www/js/mobilez/browsernotifications.js
+++ b/www/js/mobilez/browsernotifications.js
@@ -1,6 +1,6 @@
 var backgroundActiveCheck = 60000/4; // Refresh period, interval is passed in Miliseconds
 var newNotificationCheck = 10000; // Refresh period, interval is passed in Miliseconds
-var debugMode = true; // ON = true | OFF = false
+var debugMode = false; // ON = true | OFF = false
 
 function notificationsRefresh(notify) {
 		notify = typeof notify !== "undefined" ? notify : true; // if not otherwise specified, notify = true
@@ -89,7 +89,8 @@ $(document).ready(function(){
 });
 
 // Initialize the html5Notification Plugin with custom options
-$.html5Notification.init({
+// FIXME Disabled due to "Undefined $.html5Notification.init"
+/* $.html5Notification.init({
 	display_message: true,
 	message: {
 		supported_browser: "Your browser does support the Notification API.",
@@ -101,6 +102,5 @@ $.html5Notification.init({
 		container: $("body").find("#Content"),
 		browser_support: $('<div class="DismissMessage AlertMessage" />')
 	}
-})
+}); */
 if (debugMode) console.log("container: " + $("#Content").length);
-;
\ No newline at end of file
diff --git a/www/js/zorg.js b/www/js/zorg.js
index 2fb6a02..277bac4 100644
--- a/www/js/zorg.js
+++ b/www/js/zorg.js
@@ -162,6 +162,7 @@ function updateOnlineuser(elementId, displayFormat)
 		var oldOnlineUserHtml = domElement.innerHTML;
 		var xhr = new XMLHttpRequest();
 		xhr.open('GET', '/js/ajax/get-onlineuser.php?style='+displayFormat);
+		xhr.setRequestHeader('X-Requested-With', 'XMLHttpRequest');
 		xhr.onload = function() {
 			//console.info(xhr.responseText);
 			if (xhr.status === 200 || xhr.status === 204)
@@ -202,6 +203,7 @@ function updateUnreadComments()
 		let unreadsForUser = parseInt(unreadsContainer.dataset.userid);
 		var xhr = new XMLHttpRequest();
 		xhr.open('GET', '/js/ajax/get-unreadcomments.php?user='+unreadsForUser);
+		xhr.setRequestHeader('X-Requested-With', 'XMLHttpRequest');
 		xhr.onload = function() {
 			//console.info(xhr.responseText);
 			if (xhr.status === 200)

From 8c01a2ee1de3751c520d00033858fd83d31f4e84 Mon Sep 17 00:00:00 2001
From: Oliver <github@raduner.ch>
Date: Tue, 27 Dec 2022 21:16:07 +0100
Subject: [PATCH 3/3] Makes Unread Comments working again

---
 www/css/css.php               |  2 +-
 www/forum.php                 | 44 +++++++++++-----------
 www/includes/comments.res.php | 70 ++++++++++++++++++-----------------
 3 files changed, 60 insertions(+), 56 deletions(-)

diff --git a/www/css/css.php b/www/css/css.php
index 9a435f8..d4054ba 100644
--- a/www/css/css.php
+++ b/www/css/css.php
@@ -142,7 +142,7 @@
 			font-size: 0.4rem;
 		}
 		header > .infos .solarstate .event { margin-right: 5px; }
-		header > .onlineuser { font-size: 0.4rem; }
+		header > .onlineuser { font-size: 0.4rem; text-align: right; }
 		header > .notifications { font-size: 0.4rem; }
 	.navigation { font-size: 0.5rem; }
 		div.menu { overflow-x: auto; }
diff --git a/www/forum.php b/www/forum.php
index 448b46e..119189e 100644
--- a/www/forum.php
+++ b/www/forum.php
@@ -107,20 +107,6 @@
 
 			$model->showThread($smarty, $thread['thread_id'], $thread['text']);
 
-			/** Comment is the Thread-Comment */
-			if ($parent_id === 1)
-			{
-				$comments_resource = ($showCommentId === $thread['thread_id'] ? $thread['board'].'-'.$showCommentId : $showCommentId);
-				if (DEVELOPMENT === true) error_log(sprintf('[DEBUG] <%s:%d> $parent_id == %d: %s', __FILE__, __LINE__, $parent_id, $comments_resource));
-				$outputContent .= $smarty->fetch('comments:'.$comments_resource);
-			}
-			/** Comment is a regular (Sub-)Comment */
-			else {
-				if (DEVELOPMENT === true) error_log(sprintf('[DEBUG] <%s:%d> $parent_id == %d: id=%d', __FILE__, __LINE__, $parent_id, $showCommentId));
-				$smarty->assign('comments_top_additional', 1);
-				$outputContent .= $smarty->fetch('comments:'.$showCommentId);
-			}
-
 			/** Zusätzliche Features & Output nur bei eingeloggten Usern... */
 			if ($user->is_loggedin())
 			{
@@ -142,15 +128,29 @@
 							);
 				while ($d = $db->fetch($e)) $comments_unread[] = $d['comment_id'];
 				$smarty->assign('comments_unread', $comments_unread);
+			}
 
-				/** Commentform zum posten printen */
-				if ($no_form === false)
-				{
-					$smarty->assign('board', 'f');
-					$smarty->assign('thread_id', Comment::getThreadid('f', $showCommentId));
-					$smarty->assign('parent_id', $showCommentId);
-					$outputContent .= $smarty->fetch('file:layout/partials/commentform.tpl');
-				}
+			/** Comment is the Thread-Comment */
+			if ($parent_id === 1)
+			{
+				$comments_resource = ($showCommentId === $thread['thread_id'] ? $thread['board'].'-'.$showCommentId : $showCommentId);
+				if (DEVELOPMENT === true) error_log(sprintf('[DEBUG] <%s:%d> $parent_id == %d: %s', __FILE__, __LINE__, $parent_id, $comments_resource));
+				$outputContent .= $smarty->fetch('comments:'.$comments_resource);
+			}
+			/** Comment is a regular (Sub-)Comment */
+			else {
+				if (DEVELOPMENT === true) error_log(sprintf('[DEBUG] <%s:%d> $parent_id == %d: id=%d', __FILE__, __LINE__, $parent_id, $showCommentId));
+				$smarty->assign('comments_top_additional', 1);
+				$outputContent .= $smarty->fetch('comments:'.$showCommentId);
+			}
+
+			/** Commentform zum posten printen (bei eingeloggten Usern) */
+			if ($user->is_loggedin() && $no_form === false)
+			{
+				$smarty->assign('board', 'f');
+				$smarty->assign('thread_id', Comment::getThreadid('f', $showCommentId));
+				$smarty->assign('parent_id', $showCommentId);
+				$outputContent .= $smarty->fetch('file:layout/partials/commentform.tpl');
 			}
 		}
 
diff --git a/www/includes/comments.res.php b/www/includes/comments.res.php
index 63383c0..1b8036e 100644
--- a/www/includes/comments.res.php
+++ b/www/includes/comments.res.php
@@ -242,25 +242,25 @@ function smartyresource_comments_get_commenttree ($id, $is_thread=false) {
 				'{/foreach}';
 
 			$html .=
-			 '<td align="left" class="border forum">'
-			 .'{if $user->id!=0 && in_array('.$rs['id'].', $comments_unread)}'
-			 	.'{assign var=comment_color value=$color.newcomment}'
-			 	.'{comment_mark_read comment_id="'.$rs['id'].'" user_id=$user->id}'
-			 .'{elseif $user->id == '.$rs['user_id'].'}'
-			  .'{assign var=comment_color value=$color.owncomment}'
-			 .'{else}'
-			 	.'{assign var=comment_color value=$color.background}'
-			 .'{/if}'
-			 .'{capture assign="sizeof_hdepth"}{sizeof array=$hdepth}{/capture}'
-			 .'<table bgcolor="{comment_colorfade depth=$sizeof_hdepth color=$comment_color}" style="table-layout:fixed;" width="100%">'
-			 .'<tr class="tiny">'
-				.'<td class="forum comment meta left" style="width: {if $user->from_mobile}85%{else}70%{/if};">'
-				.'<div style="display: none;" itemscope itemtype="http://schema.org/Organization" itemprop="publisher"><span style="display: none;" itemprop="name">{$smarty.const.SITE_HOSTNAME}</span></div>'
-				.'<a href="{comment_get_link board='.$rs['board'].' parent_id='.$rs['parent_id'].' id='.$rs['id'].' thread_id='.$rs['thread_id'].'}" name="'.$rs['id'].'"'.($is_thread ? ' itemprop="url"' : '').'>'
-				.'#'.$rs['id']
-				.'</a>'
-				.' by <span itemprop="'.($is_thread ? 'author' : 'contributor').'" itemscope itemtype="http://schema.org/Person">'.$user->userpagelink($rs['user_id'], $rs['clan_tag'], $rs['username'])
-				.'</span> @ <meta itemprop="datePublished" content="{'.$rs['date'].'|date_format:"%Y-%m-%d"}">{datename date='.$rs['date'].'}'
+			'<td align="left" class="border forum">'
+				.'{if $user->id>0 && in_array('.$rs['id'].', $comments_unread)}'
+					.'{assign var=comment_color value=$color.newcomment}'
+					.'{comment_mark_read comment_id="'.$rs['id'].'" user_id=$user->id}'
+				.'{elseif $user->id == '.$rs['user_id'].'}'
+					.'{assign var=comment_color value=$color.owncomment}'
+				.'{else}'
+					.'{assign var=comment_color value=$color.background}'
+				.'{/if}'
+				.'{capture assign="sizeof_hdepth"}{sizeof array=$hdepth}{/capture}'
+				.'<table bgcolor="{comment_colorfade depth=$sizeof_hdepth color=$comment_color}" style="table-layout:fixed;" width="100%">'
+				.'<tr class="tiny">'
+					.'<td class="forum comment meta left" style="width: {if $user->from_mobile}85%{else}70%{/if};">'
+						.'<div style="display: none;" itemscope itemtype="http://schema.org/Organization" itemprop="publisher"><span style="display: none;" itemprop="name">{$smarty.const.SITE_HOSTNAME}</span></div>'
+						.'<a href="{comment_get_link board='.$rs['board'].' parent_id='.$rs['parent_id'].' id='.$rs['id'].' thread_id='.$rs['thread_id'].'}" name="'.$rs['id'].'"'.($is_thread ? ' itemprop="url"' : '').'>'
+						.'#'.$rs['id']
+						.'</a>'
+						.' by <span itemprop="'.($is_thread ? 'author' : 'contributor').'" itemscope itemtype="http://schema.org/Person">'.$user->userpagelink($rs['user_id'], $rs['clan_tag'], $rs['username'])
+						.'</span> @ <meta itemprop="datePublished" content="{'.$rs['date'].'|date_format:"%Y-%m-%d"}">{datename date='.$rs['date'].'}'
 			;
 
 			if($rs['date_edited'] > 0) {
@@ -268,12 +268,10 @@ function smartyresource_comments_get_commenttree ($id, $is_thread=false) {
 			}
 
 			$html .= '<!--googleoff: all-->';
-			$html .=
-				' <a href="#top" class="dont-wrap">- {if $user->from_mobile}top{else}nach oben{/if} -</a> '
-				.'</td><td class="forum comment meta dont-wrap align-right hide-mobile" style="width: 15%;">'
-			;
+			$html .= '<a href="#top" class="dont-wrap">{if $user->from_mobile} - top -{else} - nach oben -{/if}</a>';
+			$html .= '</td><td class="forum comment meta dont-wrap align-right hide-mobile" style="width: 15%;">';
 
-			// Subscribe / Unsubscribe
+			/** Subscribe / Unsubscribe */
 			$html .= '{if $user->id > 0}'
 						.'{if in_array('.$rs['id'].', $comments_subscribed)}
 							<a href="/actions/commenting.php'
@@ -287,18 +285,24 @@ function smartyresource_comments_get_commenttree ($id, $is_thread=false) {
 						{/if}
 					{/if}';
 
+			/** Edit Comment */
 			$html .= '{if $user->id == '.$rs['user_id'].'}'
-				  		.'<a href="/forum.php?layout=edit&parent_id='.$rs['parent_id'].'&id='.$rs['id'].'&url={$request.url|base64encodeurl}">[edit]</a> '
-				  	.'{/if}
-				  	  {if $user->id != 0}'
-				  		.'</td><td class="forum comment meta right align-right" style="width: 15%;">'
-					  		.'<label for="replyfor-'.$rs['id'].'" class="dont-wrap" style="margin-right: 2px;">'
-						  		.'<input type="radio" class="replybutton" name="parent_id" id="replyfor-'.$rs['id'].'" onClick="reply()" value="'.$rs['id'].'" '
-						  		.'{if $smarty.get.parent_id == '.$rs['id'].'} checked="checked" {/if} /><span class="hide-mobile">&nbsp;reply</span></label>'
-				  	.'{/if}';
+						.'<a href="/forum.php?layout=edit&parent_id='.$rs['parent_id'].'&id='.$rs['id'].'&url={$request.url|base64encodeurl}">[edit]</a> '
+					.'{/if}';
+
+			/** Reply-to Comment */
+			$html .= '{if $user->id > 0}'
+						.'</td><td class="forum comment meta right align-right" style="width: 15%;">'
+							.'<label for="replyfor-'.$rs['id'].'" class="dont-wrap" style="margin-right: 2px;">'
+								.'<input type="radio" class="replybutton" name="parent_id" id="replyfor-'.$rs['id'].'" onClick="reply()" value="'.$rs['id'].'"'
+								.'{if $smarty.get.parent_id == '.$rs['id'].'} checked="checked"{/if}'
+								.'/><span class="hide-mobile">&nbsp;reply</span>'
+							.'</label>'
+					.'{/if}';
 			$html .= '<!--googleon: all-->';
-			$html .= '</td></tr><tr>';
+			$html .= '</td></tr>';
 
+			$html .= '<tr>';
 			($is_thread ? $html .= '<span itemprop="headline" content="'.remove_html(Comment::getLinkThread($rs['board'], $rs['thread_id'])).'"></span>' : '');
 			$html .= '<td class="forum comment" colspan="3" itemprop="'.($is_thread ? 'articleBody' : 'text').'">';
 			if (!$rs['error']) {