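/// <summary>
/// Edits an existing thread. The UPDATE is scoped to rows whose <c>creator_id</c> matches the
/// session user, so a caller can only modify threads they created.
/// </summary>
/// <param name="threadid">Id of the thread to edit.</param>
/// <param name="title">New title.</param>
/// <param name="content">New body text (stored as-is; output encoding is assumed to happen at render time — confirm).</param>
/// <param name="topicid">New topic id.</param>
/// <param name="attachid">New attachment id; 0 clears the attachment (stored as NULL).</param>
/// <param name="sessionid">Session token used to look up the calling user.</param>
/// <returns>
/// A status map: 0 on success (with the stored <c>mtime</c>), 1 invalid session, 4 user may not post or is banned,
/// 5 thread is locked. When the UPDATE touches no row (unknown thread or thread not owned by the caller) the
/// map is returned without a status entry — existing behaviour, kept so callers are unaffected.
/// </returns>
public Dictionary<string, object> Post(int threadid, [FromForm] string title, [FromForm] string content, [FromForm] int topicid, [FromForm] long attachid, [FromForm] string sessionid)
{
    Dictionary<string, object> response = new Dictionary<string, object>();

    // A null session id would make TryGetValue throw; treat it as an invalid session instead.
    if (sessionid == null || !Program.users.TryGetValue(sessionid, out User user))
    {
        response.Add("status", 1);
        response.Add("msg", "Invalid session");
        return response;
    }
    if (!user.canpost || user.banned)
    {
        response.Add("status", 4);
        response.Add("msg", "You are not allowed to edit threads");
        return response;
    }
    if (ThreadController.IsLocked(threadid))
    {
        response.Add("status", 5);
        response.Add("msg", "This thread is locked from further modifications");
        return response;
    }

    // NOTE(review): mtime is generated on the application host, not by the DB server, so it is subject to clock
    // skew if app and DB run on different machines. The value is echoed back to the client so that it sees
    // exactly what was stored.
    DateTime mtime = DateTime.UtcNow;

    // using-blocks guarantee the connection and command are released on every path, including exceptions.
    using (SqlConnection con = new SqlConnection(Program.Configuration["connectionStrings:splashConString"]))
    using (SqlCommand command = new SqlCommand("UPDATE threads SET threads.title=@title, threads.content=@content, threads.topicid=@topicid, threads.attachid=@attachid , threads.mtime=@mtime WHERE threads.threadid=@threadid and threads.creator_id = @uid;", con))
    {
        command.Parameters.AddWithValue("title", title);
        command.Parameters.AddWithValue("content", content);
        command.Parameters.AddWithValue("topicid", topicid);
        command.Parameters.AddWithValue("uid", user.uid);
        // NOTE(review): attachid is not checked here against attachments the caller owns — confirm that is
        // enforced elsewhere (e.g. at upload/lookup time).
        if (attachid == 0)
        {
            command.Parameters.AddWithValue("attachid", DBNull.Value);
        }
        else
        {
            command.Parameters.AddWithValue("attachid", attachid);
        }
        command.Parameters.AddWithValue("mtime", mtime);
        command.Parameters.AddWithValue("threadid", threadid);

        con.Open();
        // The ownership filter in the WHERE clause is what makes a zero row count mean "not yours / not found".
        if (command.ExecuteNonQuery() > 0)
        {
            response.Add("status", 0);
            response.Add("mtime", mtime);
        }
    }

    return response;
}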
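/// <summary>
/// Reports whether a comment is locked against further modification. A comment is considered locked when its
/// own <c>locked</c> flag is set, or when the thread it belongs to is locked (delegated to
/// <see cref="ThreadController.IsLocked"/>). An unknown comment id is reported as locked (fail closed).
/// </summary>
/// <param name="commentid">Id of the comment to check.</param>
/// <returns><c>true</c> when the comment, its thread, or neither could be found; <c>false</c> otherwise.</returns>
internal static bool IsLocked(long commentid)
{
    // Default to locked so that a missing row never unlocks anything.
    bool locked = true;
    long threadid = 0;

    using (SqlConnection con = new SqlConnection(Program.Configuration["connectionStrings:splashConString"]))
    // Parameterised rather than concatenated: commentid is a long so injection is not possible, but this keeps
    // the query plan cacheable and the style consistent with the other commands in this file.
    using (SqlCommand command = new SqlCommand("SELECT comments.locked, comments.threadid FROM comments WHERE commentid = @commentid", con))
    {
        command.Parameters.AddWithValue("commentid", commentid);
        con.Open();
        using (SqlDataReader reader = command.ExecuteReader())
        {
            if (reader.Read())
            {
                // NOTE(review): GetBoolean throws if comments.locked is NULL — assumes the column is NOT NULL, confirm.
                locked = reader.GetBoolean(0);
                threadid = reader.GetInt64(1);
            }
        }
    }

    // Only reachable when a row was found and the comment itself is unlocked: inherit the thread's lock state.
    // The connection above is already released here, so the nested lookup does not hold two connections open.
    if (!locked)
    {
        locked = ThreadController.IsLocked(threadid);
    }

    return locked;
}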
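/// <summary>
/// Creates, replies to, or edits a comment, depending on <paramref name="operation"/>:
/// <c>"edit"</c> updates the content of <paramref name="commentid"/> (only by its creator),
/// <c>"reply"</c> inserts a new comment with <paramref name="commentid"/> as parent,
/// anything else inserts a new top-level comment in <paramref name="threadid"/>.
/// </summary>
/// <param name="operation">One of <c>"edit"</c>, <c>"reply"</c>, or any other value for a new top-level comment.</param>
/// <param name="threadid">Thread the comment belongs to; for edit/reply it must match the parent comment's thread.</param>
/// <param name="content">Comment body (stored as-is; output encoding is assumed to happen at render time — confirm).</param>
/// <param name="sessionid">Session token used to look up the calling user.</param>
/// <param name="commentid">Target comment for edit, or parent comment for reply; ignored otherwise.</param>
/// <returns>
/// A status map: 0 on success (with <c>commentid</c>, <c>ctime</c>, <c>mtime</c>, and <c>parent</c> for replies),
/// 1 invalid session or editing someone else's comment, 2 unknown parent comment, 3 thread/parent mismatch,
/// 4 user may not comment or is banned, 5 target is locked.
/// </returns>
public Dictionary<string, object> Post(string operation, [FromForm] long threadid, [FromForm] string content, [FromForm] string sessionid, [FromForm] long commentid)
{
    Dictionary<string, object> response = new Dictionary<string, object>();

    // A null session id would make TryGetValue throw; treat it as an invalid session instead.
    if (sessionid == null || !Program.users.TryGetValue(sessionid, out User user))
    {
        response.Add("status", 1);
        response.Add("msg", "Invalid session");
        return response;
    }
    if (!user.cancomment || user.banned)
    {
        response.Add("status", 4);
        response.Add("msg", "You are not allowed to comment");
        return response;
    }

    bool isEdit = operation == "edit";
    bool isReply = operation == "reply";
    bool targetsExistingComment = isEdit || isReply;

    // Lock checks use their own connections, so they run before this method opens one.
    if (targetsExistingComment)
    {
        if (IsLocked(commentid))
        {
            response.Add("status", 5);
            response.Add("msg", "This comment is locked from further modifications");
            return response;
        }
    }
    else if (ThreadController.IsLocked(threadid))
    {
        response.Add("status", 5);
        response.Add("msg", "This thread is locked from further modifications");
        return response;
    }

    // using-blocks guarantee the connection, commands and readers are released on every early return.
    using (SqlConnection con = new SqlConnection(Program.Configuration["connectionStrings:splashConString"]))
    {
        con.Open();

        SqlCommand command;
        if (targetsExistingComment)
        {
            long creatorId;
            long parentThreadid;
            // Parameterised rather than concatenated, for consistency with the write commands below.
            using (SqlCommand lookup = new SqlCommand("SELECT creator_id, threadid FROM comments WHERE commentid = @commentid", con))
            {
                lookup.Parameters.AddWithValue("commentid", commentid);
                using (SqlDataReader lookupReader = lookup.ExecuteReader())
                {
                    if (!lookupReader.Read())
                    {
                        response.Add("status", 2);
                        response.Add("msg", "Invalid parent comment id");
                        return response;
                    }
                    creatorId = lookupReader.GetInt64(0);
                    parentThreadid = lookupReader.GetInt64(1);
                }
            }

            // The client-supplied threadid must agree with the parent's real thread.
            if (threadid != parentThreadid)
            {
                response.Add("status", 3);
                response.Add("msg", "Invalid thread");
                return response;
            }

            if (isEdit)
            {
                // Ownership check: only the creator may edit. Reported with the same status/message as an
                // invalid session (existing behaviour, kept for callers).
                if (creatorId != user.uid)
                {
                    response.Add("status", 1);
                    response.Add("msg", "Invalid session");
                    return response;
                }
                command = new SqlCommand(Program.COMMENT_TEMP_DDL + "UPDATE comments SET content=@content OUTPUT UPDATED.commentid, UPDATED.ctime, UPDATED.mtime, UPDATED.parent INTO @t WHERE commentid = @commentid; SELECT * FROM @t;", con);
            }
            else
            {
                command = new SqlCommand(Program.COMMENT_TEMP_DDL + "INSERT INTO comments (threadid, content, creator_id, parent) OUTPUT INSERTED.commentid, INSERTED.ctime, INSERTED.mtime, INSERTED.parent INTO @t VALUES (@threadid, @content, @creator_id, @commentid); SELECT * FROM @t;", con);
                command.Parameters.AddWithValue("threadid", parentThreadid);
                command.Parameters.AddWithValue("creator_id", user.uid);
            }
            // Both edit (target) and reply (parent) address the existing comment by id.
            command.Parameters.AddWithValue("commentid", commentid);
        }
        else
        {
            command = new SqlCommand(Program.COMMENT_TEMP_DDL + "INSERT INTO comments (threadid, content, creator_id) OUTPUT INSERTED.commentid, INSERTED.ctime, INSERTED.mtime, INSERTED.parent INTO @t VALUES (@threadid, @content, @creator_id); SELECT * FROM @t;", con);
            command.Parameters.AddWithValue("threadid", threadid);
            command.Parameters.AddWithValue("creator_id", user.uid);
        }

        using (command)
        {
            command.Parameters.AddWithValue("content", content);
            using (SqlDataReader reader = command.ExecuteReader())
            {
                // Column order comes from the OUTPUT clause: commentid, ctime, mtime, parent.
                if (reader.Read())
                {
                    response.Add("status", 0);
                    if (isReply)
                    {
                        response.Add("parent", commentid);
                    }
                    response.Add("ctime", Program.ToUnixTimestamp(reader.GetDateTime(1)));
                    response.Add("mtime", Program.ToUnixTimestamp(reader.GetDateTime(2)));
                    response.Add("commentid", reader.GetInt64(0));
                }
            }
        }
    }

    return response;
}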