From 49623924c2e418225f79565c8ec272e2d982314b Mon Sep 17 00:00:00 2001
From: Daniel Winzen <daniel@danwin1210.me>
Date: Fri, 16 Oct 2020 15:23:53 +0200
Subject: [PATCH] Add admin approval

---
 common_config.php |   3 +-
 lang_de.php       |   5 ++
 lang_en.php       |   5 ++
 lang_update.php   |   2 +-
 setup.php         |   5 +-
 www/admin.php     | 205 +++++++++++++++++++++++++++-------------------
 www/onions.php    |  58 +++++++++----
 7 files changed, 176 insertions(+), 107 deletions(-)

diff --git a/common_config.php b/common_config.php
index 60faba1..3fab835 100644
--- a/common_config.php
+++ b/common_config.php
@@ -33,7 +33,8 @@ define('PROMOTEPRICE', 0.025); // Price to promote a site for PROMOTETIME long
 define('PROMOTETIME', 2592000); // Time (in seconds) to promote a site payed with PROMOTEPRICE - 864000 equals 10 days
 define('PER_PAGE', 50); // Sites listed per page
 define('VERSION', '1'); // Script version
-define('DBVERSION', 5); // Database layout version
+define('DBVERSION', 6); // Database layout version
+define('REQUIRE_APPROVAL', false); // require admin approval of new sites? true/false
 //Categories - new links will always be put into the first one, leave it to Unsorted
 //once configured, only add new categories at the end or you have to manually adjust the database.
 $categories=['Unsorted', 'Adult/Porn', 'Communication/Social', 'Forums', 'Hacking/Programming/Software', 'Hosting', 'Libraries/Wikis', 'Link Lists', 'Market/Shop/Store', 'Other', 'Personal Sites/Blogs', 'Security/Privacy/Encryption', 'Whistleblowing', 'Empty/Error/Unknown', 'Cryptocurrencies', 'Scams', 'Fun/Games/Joke', 'Search', 'Autodetected scam (unchecked)'];
diff --git a/lang_de.php b/lang_de.php
index 029aa23..6636c05 100644
--- a/lang_de.php
+++ b/lang_de.php
@@ -67,4 +67,9 @@ $T=[
 	'language'	=>	'Sprache',
 	'format'	=>	'Format',
 	'hidelocked'	=>	'Gesperrte nicht anzeigen',
+	'pendingapproval'   =>    'Genehmigung ausstehend',
+	'rejected'  =>  'Abgelehnt',
+	'reject'    =>  'Ablehnen',
+	'approve'   =>  'Akzeptieren',
+	'switchviewmode' => 'Ansichtsmodus wechseln',
 ];
diff --git a/lang_en.php b/lang_en.php
index 45795f4..995cab2 100644
--- a/lang_en.php
+++ b/lang_en.php
@@ -67,4 +67,9 @@ $I=[
 	'language'	=>	'Language',
 	'format'	=>	'Format',
 	'hidelocked'	=>	'Hide locked',
+	'pendingapproval'    => 'Pending approval',
+	'rejected'  =>  'Rejected',
+	'reject'    =>  'Reject',
+	'approve'   =>  'Approve',
+	'switchviewmode' => 'Switch view mode',
 ];
diff --git a/lang_update.php b/lang_update.php
index 6db58eb..23227d6 100644
--- a/lang_update.php
+++ b/lang_update.php
@@ -1,6 +1,6 @@
 <?php
 $native = 'Deutsch'; // Native lanugae name
-$english = 'German'; // Enlish language name
+$english = 'German'; // English language name
 $code = 'de'; // Language code
 
 ob_start();
diff --git a/setup.php b/setup.php
index 5612cde..5b337f5 100644
--- a/setup.php
+++ b/setup.php
@@ -51,7 +51,7 @@ try{
 if(!@$db->query('SELECT * FROM ' . PREFIX . 'settings LIMIT 1;')){
 	//create tables
 	$db->exec('CREATE TABLE ' . PREFIX . "captcha (id int(10) UNSIGNED NOT NULL PRIMARY KEY AUTO_INCREMENT, time int(10) UNSIGNED NOT NULL, code char(5) NOT NULL) ENGINE=MEMORY;");
-	$db->exec('CREATE TABLE ' . PREFIX . "onions (id int(10) UNSIGNED NOT NULL PRIMARY KEY AUTO_INCREMENT, address varchar(56) CHARACTER SET latin1 COLLATE latin1_general_ci NOT NULL, md5sum binary(16) NOT NULL UNIQUE, lasttest int(10) UNSIGNED NOT NULL DEFAULT '0', lastup int(10) UNSIGNED NOT NULL DEFAULT '0', timediff int(10) UNSIGNED NOT NULL DEFAULT '0', timeadded int(10) UNSIGNED NOT NULL DEFAULT '0', description text CHARACTER SET utf8mb4 NOT NULL, category smallint(6) NOT NULL DEFAULT '0', locked smallint(6) NOT NULL DEFAULT '0', special int(10) UNSIGNED NOT NULL DEFAULT '0', INDEX(address), INDEX(lasttest), INDEX(timediff), INDEX(category), INDEX(special));");
+	$db->exec('CREATE TABLE ' . PREFIX . "onions (id int(10) UNSIGNED NOT NULL PRIMARY KEY AUTO_INCREMENT, address varchar(56) CHARACTER SET latin1 COLLATE latin1_general_ci NOT NULL, md5sum binary(16) NOT NULL UNIQUE, lasttest int(10) UNSIGNED NOT NULL DEFAULT '0', lastup int(10) UNSIGNED NOT NULL DEFAULT '0', timediff int(10) UNSIGNED NOT NULL DEFAULT '0', timeadded int(10) UNSIGNED NOT NULL DEFAULT '0', description text CHARACTER SET utf8mb4 NOT NULL, category smallint(6) NOT NULL DEFAULT '0', locked smallint(6) NOT NULL DEFAULT '0', special int(10) UNSIGNED NOT NULL DEFAULT '0', approved smallint(6) NOT NULL DEFAULT '0', INDEX(address), INDEX(lasttest), INDEX(timediff), INDEX(category), INDEX(special));");
 	$db->exec('CREATE TABLE ' . PREFIX . 'phishing (onion_id int(10) UNSIGNED NOT NULL PRIMARY KEY, original varchar(56) CHARACTER SET latin1 COLLATE latin1_general_ci NOT NULL, FOREIGN KEY (onion_id) REFERENCES onions(id) ON DELETE CASCADE ON UPDATE CASCADE);');
 	$db->exec('CREATE TABLE ' . PREFIX . 'settings (setting varchar(50) NOT NULL PRIMARY KEY, value varchar(20000) NOT NULL);');
 	$stmt=$db->prepare('INSERT INTO ' . PREFIX . "settings (setting, value) VALUES ('version', ?);");
@@ -89,6 +89,9 @@ if(!@$db->query('SELECT * FROM ' . PREFIX . 'settings LIMIT 1;')){
 	if($version<5){
 		$db->exec('CREATE TABLE ' . PREFIX . "captcha (id int(10) UNSIGNED NOT NULL PRIMARY KEY AUTO_INCREMENT, time int(10) UNSIGNED NOT NULL, code char(5) NOT NULL) ENGINE=MEMORY;");
 	}
+	if($version < 6){
+		$db->exec('ALTER TABLE ' . PREFIX . "onions ADD approved smallint(6) NOT NULL DEFAULT '0';");
+	}
 	$stmt=$db->prepare('UPDATE ' . PREFIX . "settings SET value=? WHERE setting='version';");
 	$stmt->execute([DBVERSION]);
 	echo "$I[statusok]\n";
diff --git a/www/admin.php b/www/admin.php
index 88f2c8e..0bd85ce 100644
--- a/www/admin.php
+++ b/www/admin.php
@@ -28,14 +28,34 @@ if(!isSet($_POST['pass']) || $_POST['pass']!==ADMINPASS){
 		echo "<p class=\"red\">$I[wrongpass]</p>";
 	}
 }else{
+	$view_mode = isset($_POST['view_mode']) ? $_POST['view_mode'] : 'single';
+	if(isset($_POST['switch_view_mode'])){
+		$view_mode = $view_mode === 'single' ? 'multi' : 'single';
+	}
 	echo "<form action=\"$_SERVER[SCRIPT_NAME]\" method=\"POST\">";
 	echo "<input type=\"hidden\" name=\"lang\" value=\"$language\">";
 	echo "<input type=\"hidden\" name=\"pass\" value=\"$_POST[pass]\">";
-	echo "<p>$I[link]: <input name=\"addr\" size=\"30\" value=\"";
-	if(isSet($_REQUEST['addr'])){
-		echo htmlspecialchars($_REQUEST['addr']);
+	echo "<input type=\"hidden\" name=\"view_mode\" value=\"$view_mode\">";
+	echo "<br><input type=\"submit\" name=\"switch_view_mode\" value=\"$I[switchviewmode]\"></form>";
+	echo "<form action=\"$_SERVER[SCRIPT_NAME]\" method=\"POST\">";
+	echo "<input type=\"hidden\" name=\"lang\" value=\"$language\">";
+	echo "<input type=\"hidden\" name=\"pass\" value=\"$_POST[pass]\">";
+	echo "<input type=\"hidden\" name=\"view_mode\" value=\"$view_mode\">";
+	if($view_mode === 'single') {
+		echo "<p>$I[link]: <input name=\"addr\" size=\"30\" value=\"";
+		if ( isset( $_REQUEST[ 'addr' ] ) ) {
+			echo htmlspecialchars( $_REQUEST[ 'addr' ] );
+		}
+		echo '" required autofocus></p>';
+	} else {
+		echo '<table border="1"><tr><th>Select</th><th>Address</th><th>Description</th><th>Category</th><th>Status</th></tr>';
+		$stmt=$db->query('SELECT address, description, category, approved, locked FROM ' . PREFIX . "onions WHERE address!='';");
+		while($onion = $stmt->fetch(PDO::FETCH_ASSOC)){
+			echo '<tr><td><input type="checkbox" name="addr[]" value="'.$onion['address'].'"></td><td><a href="http://'.$onion['address'].'.onion" rel="noopener">'.$onion['address'].'.onion</a></td>';
+			echo "<td>$onion[description]</td><td>{$categories[$onion['category']]}</td><td>Approved: $onion[approved]<br>Locked: $onion[locked]</td></tr>";
+		}
+		echo '</table>';
 	}
-	echo '" required autofocus></p>';
 	echo "<p>$I[cloneof]: <input type=\"text\" name=\"original\" size=\"30\"";
 	if(isSet($_REQUEST['original'])){
 		echo ' value="'.htmlspecialchars($_REQUEST['original']).'"';
@@ -49,7 +69,7 @@ if(!isSet($_POST['pass']) || $_POST['pass']!==ADMINPASS){
 	echo "<p>$I[adddesc]: <br><textarea name=\"desc\" rows=\"2\" cols=\"30\">";
 	if(!empty($_REQUEST['desc'])){
 		echo htmlspecialchars(trim($_REQUEST['desc']));
-	}elseif(isSet($_REQUEST['addr'])){
+	}elseif(isset($_REQUEST['addr']) && is_string($_REQUEST['addr'])){
 		if(preg_match('~(^(https?://)?([a-z2-7]{16}|[a-z2-7]{56})(\.onion(/.*)?)?$)~i', trim($_REQUEST['addr']), $addr)){
 			$addr=strtolower($addr[3]);
 			$md5=md5($addr, true);
@@ -90,94 +110,107 @@ if(!isSet($_POST['pass']) || $_POST['pass']!==ADMINPASS){
 	echo "<td><input type=\"submit\" name=\"action\" value=\"$I[unphishing]\"></td>";
 	echo '</tr><tr>';
 	echo "<td><input type=\"submit\" name=\"action\" value=\"$I[update]\"></td>";
+	if(REQUIRE_APPROVAL) {
+		echo "<td><input type=\"submit\" name=\"action\" value=\"$I[reject]\"></td>";
+		echo "<td><input type=\"submit\" name=\"action\" value=\"$I[approve]\"></td>";
+	}
 	echo '</tr></table>';
 	echo '</form><br>';
 
 	if(!empty($_POST['addr'])){
-		if(!preg_match('~(^(https?://)?([a-z2-7]{16}|[a-z2-7]{56})(\.onion(/.*)?)?$)~i', trim($_POST['addr']), $addr)){
-			echo "<p class=\"red\">$I[invalonion]</p>";
-		}else{
-			$addr=strtolower($addr[3]);
-			$md5=md5($addr, true);
-			if($_POST['action']===$I['remove']){ //remove address from public display
-				$db->prepare('UPDATE ' . PREFIX . "onions SET address='', locked=1 WHERE md5sum=?;")->execute([$md5]);
-				echo "<p class=\"green\">$I[succremove]</p>";
-			}elseif($_POST['action']===$I['lock']){ //lock editing
-				$db->prepare('UPDATE ' . PREFIX . 'onions SET locked=1 WHERE md5sum=?;')->execute([$md5]);
-				echo "<p class=\"green\">$I[succlock]</p>";
-			}elseif($_POST['action']===$I['readd']){ //add onion back, if previously removed
-				$db->prepare('UPDATE ' . PREFIX . 'onions SET address=?, locked=1 WHERE md5sum=?;')->execute([$addr, $md5]);
-				echo "<p class=\"green\">$I[succreadd]</p>";
-			}elseif($_POST['action']===$I['unlock']){ //unlock editing
-				$db->prepare('UPDATE ' . PREFIX . 'onions SET locked=0 WHERE md5sum=?;')->execute([$md5]);
-				echo "<p class=\"green\">$I[succunlock]</p>";
-			}elseif($_POST['action']===$I['promote']){ //promote link for payed time
-				$stmt=$db->prepare('SELECT special FROM ' . PREFIX . 'onions WHERE md5sum=?;');
-				$stmt->execute([$md5]);
-				$specialtime=$stmt->fetch(PDO::FETCH_NUM);
-				if($specialtime[0]<time()){
-					$time=time()+(($_POST['btc']/PROMOTEPRICE)*PROMOTETIME);
-				}else{
-					$time=$specialtime[0]+(($_POST['btc']/PROMOTEPRICE)*PROMOTETIME);
-				}
-				$db->prepare('UPDATE ' . PREFIX . 'onions SET special=?, locked=1 WHERE md5sum=?;')->execute([$time, $md5]);
-				printf("<p class=\"green\">$I[succpromote]</p>", date('Y-m-d H:i', $time));
-			}elseif($_POST['action']===$I['unpromote']){ //remove promoted status
-				$db->prepare('UPDATE ' . PREFIX . 'onions SET special=0 WHERE md5sum=?;')->execute([$md5]);
-				echo "<p class=\"green\">$I[succunpromote]</p>";
-			}elseif($_POST['action']===$I['update']){ //update description
-				$stmt=$db->prepare('SELECT * FROM ' . PREFIX . 'onions WHERE md5sum=?;');
-				$stmt->execute([$md5]);
-				if($category===count($categories)){
-					$category=0;
-				}
-				if(!isSet($_POST['desc'])){
-					$desc='';
-				}else{
-						$desc=trim($_POST['desc']);
-					$desc=htmlspecialchars($desc);
-					$desc=preg_replace("/(\r?\n|\r\n?)/", '<br>', $desc);
-				}
-				if(!$stmt->fetch(PDO::FETCH_ASSOC)){ //not yet there, add it
-					$stmt=$db->prepare('INSERT INTO ' . PREFIX . 'onions (address, description, md5sum, category, timeadded, locked) VALUES (?, ?, ?, ?, ?, 1);');
-					$stmt->execute([$addr, $desc, $md5, $category, time()]);
-					echo "<p class=\"green\">$I[succadd]</p>";
-				}elseif($desc!=''){ //update description+category
-					$stmt=$db->prepare('UPDATE ' . PREFIX . 'onions SET description=?, category=?, locked=1 WHERE md5sum=?;');
-					$stmt->execute([$desc, $category, $md5]);
-					echo "<p class=\"green\">$I[succupddesc]</p>";
-				}elseif($category!=0){ //only update category
-					$stmt=$db->prepare('UPDATE ' . PREFIX . 'onions SET category=?, locked=1 WHERE md5sum=?;');
-					$stmt->execute([$category, $md5]);
-					echo "<p class=\"green\">$I[succupdcat]!</p>";
-				}else{ //no description or category change and already known
-					echo "<p class=\"green\">$I[alreadyknown]</p>";
-				}
-			}elseif($_POST['action']===$I['phishing']){//mark as phishing clone
-				if($_POST['original']!=='' && !preg_match('~(^(https?://)?([a-z2-7]{16}|[a-z2-7]{56})(\.onion(/.*)?)?$)~i', $_POST['original'], $orig)){
-					echo "<p class=\"red\">$I[invalonion]</p>";
-				}else{
-					if(isset($orig[3])){
-						$orig=strtolower($orig[3]);
-					}else{
-						$orig='';
+		$addrs = is_array($_POST['addr']) ? $_POST['addr'] : [$_POST['addr']];
+		foreach ($addrs as $addr_single) {
+			if ( ! preg_match( '~(^(https?://)?([a-z2-7]{16}|[a-z2-7]{56})(\.onion(/.*)?)?$)~i', trim( $addr_single ), $addr ) ) {
+				echo "<p class=\"red\">$I[invalonion]</p>";
+			} else {
+				$addr = strtolower( $addr[ 3 ] );
+				$md5 = md5( $addr, true );
+				if ( $_POST[ 'action' ] === $I[ 'remove' ] ) { //remove address from public display
+					$db->prepare( 'UPDATE ' . PREFIX . "onions SET address='', locked=1, approved=-1 WHERE md5sum=?;" )->execute( [ $md5 ] );
+					echo "<p class=\"green\">$I[succremove]</p>";
+				} elseif ( $_POST[ 'action' ] === $I[ 'lock' ] ) { //lock editing
+					$db->prepare( 'UPDATE ' . PREFIX . 'onions SET locked=1, approved=1 WHERE md5sum=?;' )->execute( [ $md5 ] );
+					echo "<p class=\"green\">$I[succlock]</p>";
+				} elseif ( $_POST[ 'action' ] === $I[ 'readd' ] ) { //add onion back, if previously removed
+					$db->prepare( 'UPDATE ' . PREFIX . 'onions SET address=?, locked=1, approved=1 WHERE md5sum=?;' )->execute( [ $addr, $md5 ] );
+					echo "<p class=\"green\">$I[succreadd]</p>";
+				} elseif ( $_POST[ 'action' ] === $I[ 'unlock' ] ) { //unlock editing
+					$db->prepare( 'UPDATE ' . PREFIX . 'onions SET locked=0, approved=1 WHERE md5sum=?;' )->execute( [ $md5 ] );
+					echo "<p class=\"green\">$I[succunlock]</p>";
+				} elseif ( $_POST[ 'action' ] === $I[ 'promote' ] ) { //promote link for payed time
+					$stmt = $db->prepare( 'SELECT special FROM ' . PREFIX . 'onions WHERE md5sum=?;' );
+					$stmt->execute( [ $md5 ] );
+					$specialtime = $stmt->fetch( PDO::FETCH_NUM );
+					if ( $specialtime[ 0 ] < time() ) {
+						$time = time() + ( ( $_POST[ 'btc' ] / PROMOTEPRICE ) * PROMOTETIME );
+					} else {
+						$time = $specialtime[ 0 ] + ( ( $_POST[ 'btc' ] / PROMOTEPRICE ) * PROMOTETIME );
 					}
-					if($orig!==$addr){
-						$stmt=$db->prepare('INSERT INTO ' . PREFIX . 'phishing (onion_id, original) VALUES ((SELECT id FROM ' . PREFIX . 'onions WHERE address=?), ?);');
-						$stmt->execute([$addr, $orig]);
-						$stmt=$db->prepare('UPDATE ' . PREFIX . 'onions SET locked=1 WHERE address=?;');
-						$stmt->execute([$addr]);
-						echo "<p class=\"green\">$I[succaddphish]</p>";
-					}else{
-						echo "<p class=\"red\">$I[samephish]</p>";
+					$db->prepare( 'UPDATE ' . PREFIX . 'onions SET special=?, locked=1, approved=1 WHERE md5sum=?;' )->execute( [ $time, $md5 ] );
+					printf( "<p class=\"green\">$I[succpromote]</p>", date( 'Y-m-d H:i', $time ) );
+				} elseif ( $_POST[ 'action' ] === $I[ 'unpromote' ] ) { //remove promoted status
+					$db->prepare( 'UPDATE ' . PREFIX . 'onions SET special=0 WHERE md5sum=?;' )->execute( [ $md5 ] );
+					echo "<p class=\"green\">$I[succunpromote]</p>";
+				} elseif ( $_POST[ 'action' ] === $I[ 'update' ] ) { //update description
+					$stmt = $db->prepare( 'SELECT * FROM ' . PREFIX . 'onions WHERE md5sum=?;' );
+					$stmt->execute( [ $md5 ] );
+					if ( $category === count( $categories ) ) {
+						$category = 0;
 					}
+					if ( ! isset( $_POST[ 'desc' ] ) ) {
+						$desc = '';
+					} else {
+						$desc = trim( $_POST[ 'desc' ] );
+						$desc = htmlspecialchars( $desc );
+						$desc = preg_replace( "/(\r?\n|\r\n?)/", '<br>', $desc );
+					}
+					if ( ! $stmt->fetch( PDO::FETCH_ASSOC ) ) { //not yet there, add it
+						$stmt = $db->prepare( 'INSERT INTO ' . PREFIX . 'onions (address, description, md5sum, category, timeadded, locked, approved) VALUES (?, ?, ?, ?, ?, 1, 1);' );
+						$stmt->execute( [ $addr, $desc, $md5, $category, time() ] );
+						echo "<p class=\"green\">$I[succadd]</p>";
+					} elseif ( $desc != '' ) { //update description+category
+						$stmt = $db->prepare( 'UPDATE ' . PREFIX . 'onions SET description=?, category=?, locked=1, approved=1 WHERE md5sum=?;' );
+						$stmt->execute( [ $desc, $category, $md5 ] );
+						echo "<p class=\"green\">$I[succupddesc]</p>";
+					} elseif ( $category != 0 ) { //only update category
+						$stmt = $db->prepare( 'UPDATE ' . PREFIX . 'onions SET category=?, locked=1, approved=1 WHERE md5sum=?;' );
+						$stmt->execute( [ $category, $md5 ] );
+						echo "<p class=\"green\">$I[succupdcat]!</p>";
+					} else { //no description or category change and already known
+						echo "<p class=\"green\">$I[alreadyknown]</p>";
+					}
+				} elseif ( $_POST[ 'action' ] === $I[ 'phishing' ] ) {//mark as phishing clone
+					if ( $_POST[ 'original' ] !== '' && ! preg_match( '~(^(https?://)?([a-z2-7]{16}|[a-z2-7]{56})(\.onion(/.*)?)?$)~i', $_POST[ 'original' ], $orig ) ) {
+						echo "<p class=\"red\">$I[invalonion]</p>";
+					} else {
+						if ( isset( $orig[ 3 ] ) ) {
+							$orig = strtolower( $orig[ 3 ] );
+						} else {
+							$orig = '';
+						}
+						if ( $orig !== $addr ) {
+							$stmt = $db->prepare( 'INSERT INTO ' . PREFIX . 'phishing (onion_id, original) VALUES ((SELECT id FROM ' . PREFIX . 'onions WHERE address=?), ?);' );
+							$stmt->execute( [ $addr, $orig ] );
+							$stmt = $db->prepare( 'UPDATE ' . PREFIX . 'onions SET locked=1, approved=1 WHERE address=?;' );
+							$stmt->execute( [ $addr ] );
+							echo "<p class=\"green\">$I[succaddphish]</p>";
+						} else {
+							echo "<p class=\"red\">$I[samephish]</p>";
+						}
+					}
+				} elseif ( $_POST[ 'action' ] === $I[ 'unphishing' ] ) { //remove phishing clone status
+					$stmt = $db->prepare( 'DELETE FROM ' . PREFIX . 'phishing WHERE onion_id=(SELECT id FROM ' . PREFIX . 'onions WHERE address=?);' );
+					$stmt->execute( [ $addr ] );
+					echo "<p class=\"green\">$I[succrmphish]</p>";
+				} elseif ( $_POST[ 'action' ] === $I[ 'reject' ] ) { //lock editing
+					$db->prepare( 'UPDATE ' . PREFIX . 'onions SET approved=-1 WHERE md5sum=?;' )->execute( [ $md5 ] );
+					echo "<p class=\"green\">$I[succlock]</p>";
+				} elseif ( $_POST[ 'action' ] === $I[ 'approve' ] ) { //lock editing
+					$db->prepare( 'UPDATE ' . PREFIX . 'onions SET approved=1 WHERE md5sum=?;' )->execute( [ $md5 ] );
+					echo "<p class=\"green\">$I[succlock]</p>";
+				} else { //no specific button was pressed
+					echo "<p class=\"red\">$I[noaction]</p>";
 				}
-			}elseif($_POST['action']===$I['unphishing']){ //remove phishing clone status
-				$stmt=$db->prepare('DELETE FROM ' . PREFIX . 'phishing WHERE onion_id=(SELECT id FROM ' . PREFIX . 'onions WHERE address=?);');
-				$stmt->execute([$addr]);
-				echo "<p class=\"green\">$I[succrmphish]</p>";
-			}else{ //no specific button was pressed
-				echo "<p class=\"red\">$I[noaction]</p>";
 			}
 		}
 	}
diff --git a/www/onions.php b/www/onions.php
index 64c0436..705e131 100644
--- a/www/onions.php
+++ b/www/onions.php
@@ -18,8 +18,6 @@
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 
-use JetBrains\PhpStorm\ExitPoint;
-
 if($_SERVER['REQUEST_METHOD']==='HEAD'){
 	exit; // ignore headers, no further processing needed
 }
@@ -158,11 +156,15 @@ function send_html(){
 	echo "<ul class=\"list\"><li>$I[specialcat]:</li>";
 	$cat=count($categories);
 	$pages=1;
+	$admin_approval = '';
+	if(REQUIRE_APPROVAL){
+		$admin_approval = PREFIX . 'onions.approved = 1 AND';
+	}
 	foreach($special as $name=>$query){
 		if($cat===count($categories)+1){
 			$num[0]=PER_PAGE;
 		}else{
-			$num=$db->query('SELECT COUNT(*) FROM ' . PREFIX . "onions WHERE $query;")->fetch(PDO::FETCH_NUM);
+			$num=$db->query('SELECT COUNT(*) FROM ' . PREFIX . "onions WHERE $admin_approval $query;")->fetch(PDO::FETCH_NUM);
 		}
 		if($category==$cat){
 			echo " <li class=\"active\"><a href=\"?cat=$cat&amp;pg=$_REQUEST[newpg]&amp;lang=$language\" target=\"_self\">$name ($num[0])</a></li>";
@@ -172,17 +174,24 @@ function send_html(){
 		}
 		++$cat;
 	}
-	$num=$db->query('SELECT COUNT(*) FROM ' . PREFIX . 'phishing, ' . PREFIX . 'onions WHERE ' . PREFIX . "onions.id=onion_id AND address!='' AND timediff<604800;")->fetch(PDO::FETCH_NUM);
+	$num=$db->query('SELECT COUNT(*) FROM ' . PREFIX . 'phishing, ' . PREFIX . 'onions WHERE ' . "$admin_approval " . PREFIX . "onions.id=onion_id AND address!='' AND timediff<604800;")->fetch(PDO::FETCH_NUM);
 	if($category==$cat){
 		echo " <li class=\"active\"><a href=\"?cat=$cat&amp;lang=$language\" target=\"_self\">$I[phishingclones] ($num[0])</a></li>";
 	}else{
 		echo " <li><a href=\"?cat=$cat&amp;lang=$language\" target=\"_self\">$I[phishingclones] ($num[0])</a></li>";
 	}
 	$num=$db->query('SELECT COUNT(*) FROM ' . PREFIX . "onions WHERE address='';")->fetch(PDO::FETCH_NUM);
-	echo " <li>$I[removed] ($num[0])</li></ul><br><br>";
+	echo " <li>$I[removed] ($num[0])</li>";
+	if(REQUIRE_APPROVAL) {
+		$num = $db->query( 'SELECT COUNT(*) FROM ' . PREFIX . "onions WHERE approved = 0 AND address!='';" )->fetch( PDO::FETCH_NUM );
+		echo " <li>$I[pendingapproval] ($num[0])</li>";
+		$num = $db->query( 'SELECT COUNT(*) FROM ' . PREFIX . "onions WHERE approved = -1 AND address!='';" )->fetch( PDO::FETCH_NUM );
+		echo " <li>$I[rejected] ($num[0])</li>";
+	}
+	echo '</ul><br><br>';
 	//List normal categories
 	echo "<ul class=\"list\"><li>$I[categories]:</li>";
-	$stmt=$db->prepare('SELECT COUNT(*) FROM ' . PREFIX . "onions WHERE category=? AND address!='' AND id NOT IN (SELECT onion_id FROM " . PREFIX . 'phishing) AND timediff<604800;');
+	$stmt=$db->prepare('SELECT COUNT(*) FROM ' . PREFIX . "onions WHERE $admin_approval category=? AND address!='' AND id NOT IN (SELECT onion_id FROM " . PREFIX . 'phishing) AND timediff<604800;');
 	foreach($categories as $cat=>$name){
 		$stmt->execute([$cat]);
 		$num=$stmt->fetch(PDO::FETCH_NUM);
@@ -235,14 +244,12 @@ function send_html(){
 				$stmt=$db->prepare('INSERT INTO ' . PREFIX . 'onions (address, description, md5sum, category, timeadded) VALUES (?, ?, ?, ?, ?);');
 				$stmt->execute([$addr, $desc, $md5, $category, time()]);
 				echo "<p class=\"green\">$I[succadd]</p>";
-//	mail('daniel@tt3j2x4k5ycaa5zt.onion', 'New onion', "$addr.onion was added - $desc", "Content-Type: text/plain; charset=UTF-8\r\n");
 			}elseif($locked==1){//locked, not editable
 				echo "<p class=\"red\">$I[faillocked]</p>";
 			}elseif($desc!==''){//update description
 				$stmt=$db->prepare('UPDATE ' . PREFIX . 'onions SET description=?, category=? WHERE md5sum=?;');
 				$stmt->execute([$desc, $category, $md5]);
 				echo "<p class=\"green\">$I[succupddesc]</p>";
-//	mail('daniel@tt3j2x4k5ycaa5zt.onion', 'Updated onion', "$addr.onion was updated - $desc", "Content-Type: text/plain; charset=UTF-8\r\n");
 			}elseif($category!=0){//update category only
 				$stmt=$db->prepare('UPDATE ' . PREFIX . 'onions SET category=? WHERE md5sum=?;');
 				$stmt->execute([$category, $md5]);
@@ -267,10 +274,10 @@ function send_html(){
 			$hidelocked='';
 		}
 		if($category>=count($categories)){
-			$stmt=$db->prepare('SELECT address, lasttest, lastup, timeadded, description, locked, special FROM ' . PREFIX . "onions WHERE address!='' AND id NOT IN (SELECT onion_id FROM " . PREFIX . "phishing) AND timediff<604800 $hidelocked AND (description LIKE ? OR address LIKE ?) ORDER BY address;");
+			$stmt=$db->prepare('SELECT address, lasttest, lastup, timeadded, description, locked, special FROM ' . PREFIX . "onions WHERE $admin_approval address!='' AND id NOT IN (SELECT onion_id FROM " . PREFIX . "phishing) AND timediff<604800 $hidelocked AND (description LIKE ? OR address LIKE ?) ORDER BY address;");
 			$stmt->execute([$query, $query]);
 		}else{
-			$stmt=$db->prepare('SELECT address, lasttest, lastup, timeadded, description, locked, special FROM ' . PREFIX . "onions WHERE address!='' AND category=? AND id NOT IN (SELECT onion_id FROM " . PREFIX . "phishing) AND timediff<604800 $hidelocked AND (description LIKE ? OR address LIKE ?) ORDER BY address;");
+			$stmt=$db->prepare('SELECT address, lasttest, lastup, timeadded, description, locked, special FROM ' . PREFIX . "onions WHERE $admin_approval address!='' AND category=? AND id NOT IN (SELECT onion_id FROM " . PREFIX . "phishing) AND timediff<604800 $hidelocked AND (description LIKE ? OR address LIKE ?) ORDER BY address;");
 			$stmt->execute([$category, $query, $query]);
 		}
 		$table=get_table($stmt, $numrows);
@@ -293,7 +300,7 @@ function send_html(){
 				$query.=' LIMIT ' . PER_PAGE ." OFFSET $offset";
 			}
 		}
-		$stmt=$db->query('SELECT address, lasttest, lastup, timeadded, description, locked, special FROM ' . PREFIX . "onions WHERE $query;");
+		$stmt=$db->query('SELECT address, lasttest, lastup, timeadded, description, locked, special FROM ' . PREFIX . "onions WHERE $admin_approval $query;");
 		echo get_table($stmt, $numrows, true);
 	}else{//show normal categories
 		if($_REQUEST['pg']>0){
@@ -302,7 +309,7 @@ function send_html(){
 		}else{
 			$offsetquery='';
 		}
-		$stmt=$db->prepare('SELECT address, lasttest, lastup, timeadded, description, locked, special FROM ' . PREFIX . "onions WHERE address!='' AND id NOT IN (SELECT onion_id FROM " . PREFIX . "phishing) AND category=? AND timediff<604800 ORDER BY address$offsetquery;");
+		$stmt=$db->prepare('SELECT address, lasttest, lastup, timeadded, description, locked, special FROM ' . PREFIX . "onions WHERE $admin_approval address!='' AND id NOT IN (SELECT onion_id FROM " . PREFIX . "phishing) AND category=? AND timediff<604800 ORDER BY address$offsetquery;");
 		$stmt->execute([$category]);
 		echo get_table($stmt, $numrows, true);
 	}
@@ -315,11 +322,15 @@ function send_html(){
 function get_table(PDOStatement $stmt, &$numrows=0, $promoted=false){
 	global $I, $db, $language;
 	$time=time();
+	$admin_approval = '';
+	if(REQUIRE_APPROVAL){
+		$admin_approval = PREFIX . 'onions.approved = 1 AND';
+	}
 	ob_start();
 	echo "<table id=\"maintable\" border=\"1\"><tr><th>$I[link]</th><th>$I[description]</th><th>$I[lasttested]</th><th>$I[lastup]</th><th>$I[timeadded]</th><th>$I[actions]</th></tr>";
 	if($promoted){//print promoted links at the top
 		$time=time();
-		$promo=$db->prepare('SELECT address, lasttest, lastup, timeadded, description, locked, special FROM ' . PREFIX . "onions WHERE special>? AND address!='' AND id NOT IN (SELECT onion_id FROM " . PREFIX . 'phishing) AND timediff<604800 ORDER BY address;');
+		$promo=$db->prepare('SELECT address, lasttest, lastup, timeadded, description, locked, special FROM ' . PREFIX . "onions WHERE $admin_approval special>? AND address!='' AND id NOT IN (SELECT onion_id FROM " . PREFIX . 'phishing) AND timediff<604800 ORDER BY address;');
 		$promo->execute([$time]);
 		while($link=$promo->fetch(PDO::FETCH_ASSOC)){
 			if($link['lastup']===$link['lasttest']){
@@ -368,7 +379,6 @@ function get_table(PDOStatement $stmt, &$numrows=0, $promoted=false){
 			$edit="<form><input name=\"addr\" value=\"$link[address]\" type=\"hidden\"><input type=\"hidden\" name=\"pg\" value=\"$_REQUEST[newpg]\"><input type=\"hidden\" name=\"lang\" value=\"$language\"><input value=\"$I[edit]\" type=\"submit\"></form>";
 		}
 		echo "<tr class=\"$class\"><td><a href=\"http://$link[address].onion\">$link[address].onion</a></td><td>$link[description]</td><td>$lasttest</td><td>$lastup</td><td>$timeadded</td><td>$edit <form method=\"post\" action=\"test.php\"><input name=\"addr\" value=\"$link[address]\" type=\"hidden\"><input type=\"hidden\" name=\"lang\" value=\"$language\"><input value=\"$I[test]\" type=\"submit\"></form></td></tr>";
-//		echo "<tr class=\"$class\"><td><a href=\"http://$link[address].onion\">$link[address].onion</a></td><td>$link[description]</td><td>$edit</td><td>$lasttest</td><td>$lastup</td><td>$timeadded</td><td><form method=\"post\" action=\"test.php\"><input name=\"addr\" value=\"$link[address]\" type=\"hidden\"><input type=\"hidden\" name=\"lang\" value=\"$language\"><input value=\"$I[test]\" type=\"submit\"></form></td></tr>";
 		++$numrows;
 	}
 	echo '</table>';
@@ -377,8 +387,12 @@ function get_table(PDOStatement $stmt, &$numrows=0, $promoted=false){
 
 function print_phishing_table(){
 	global $I, $db;
+	$admin_approval = '';
+	if(REQUIRE_APPROVAL){
+		$admin_approval = 'approved = 1 AND';
+	}
 	echo "<table border=\"1\"><tr><th>$I[link]</th><th>$I[cloneof]</th><th>$I[lastup]</th></tr>";
-	$stmt=$db->query('SELECT address, original, lasttest, lastup FROM ' . PREFIX . 'onions, ' . PREFIX . 'phishing WHERE ' . PREFIX . "onions.id=onion_id AND address!='' AND timediff<604800 ORDER BY address;");
+	$stmt=$db->query('SELECT address, original, lasttest, lastup FROM ' . PREFIX . 'onions, ' . PREFIX . 'phishing WHERE ' . "$admin_approval " . PREFIX . "onions.id=onion_id AND address!='' AND timediff<604800 ORDER BY address;");
 	while($link=$stmt->fetch(PDO::FETCH_ASSOC)){
 		if($link['lastup']===$link['lasttest']){
 			$class='up';
@@ -406,7 +420,11 @@ function send_text(){
 		die("$I[error]: $I[nodb]");
 	}
 	header('Content-Type: text/plain; charset=UTF-8');
-	$stmt=$db->query('SELECT address FROM ' . PREFIX . "onions WHERE address!='' AND id NOT IN (SELECT onion_id FROM " . PREFIX . 'phishing) AND timediff<604800 ORDER BY address;');
+	$admin_approval = '';
+	if(REQUIRE_APPROVAL){
+		$admin_approval = 'approved = 1 AND';
+	}
+	$stmt=$db->query('SELECT address FROM ' . PREFIX . "onions WHERE $admin_approval address!='' AND id NOT IN (SELECT onion_id FROM " . PREFIX . 'phishing) AND timediff<604800 ORDER BY address;');
 	while($tmp=$stmt->fetch(PDO::FETCH_NUM)){
 		echo "$tmp[0].onion\n";
 	}
@@ -418,14 +436,18 @@ function send_json(){
 		die("$I[error]: $I[nodb]");
 	}
 	header('Content-Type: application/json;');
+	$admin_approval = '';
+	if(REQUIRE_APPROVAL){
+		$admin_approval = PREFIX . 'onions.approved = 1 AND';
+	}
 	$data=['categories'=>$categories];
-	$stmt=$db->query('SELECT address, category, description, locked, lastup, lasttest, timeadded FROM ' . PREFIX . "onions WHERE address!='' AND id NOT IN (SELECT onion_id FROM " . PREFIX . 'phishing) AND timediff<604800 ORDER BY address;');
+	$stmt=$db->query('SELECT address, category, description, locked, lastup, lasttest, timeadded FROM ' . PREFIX . "onions WHERE $admin_approval address!='' AND id NOT IN (SELECT onion_id FROM " . PREFIX . 'phishing) AND timediff<604800 ORDER BY address;');
 	$data['onions']=$stmt->fetchALL(PDO::FETCH_ASSOC);
 	$stmt=$db->query('SELECT md5sum FROM ' . PREFIX . "onions WHERE address='';");
 	while($tmp=$stmt->fetch(PDO::FETCH_ASSOC)){
 		$data['removed'][]=bin2hex($tmp['md5sum']);
 	}
-	$stmt=$db->query('SELECT address, original FROM ' . PREFIX . 'onions, ' . PREFIX . 'phishing WHERE onion_id=' . PREFIX . "onions.id AND address!='' AND timediff<604800 ORDER BY address;");
+	$stmt=$db->query('SELECT address, original FROM ' . PREFIX . 'onions, ' . PREFIX . 'phishing WHERE onion_id=' . PREFIX . "onions.id AND $admin_approval address!='' AND timediff<604800 ORDER BY address;");
 	$data['phishing']=$stmt->fetchALL(PDO::FETCH_ASSOC);
 	echo json_encode($data);
 }