<?php
/*
* Onion Link List - Admin interface
*
* Copyright (C) 2016 Daniel Winzen <d@winzen4.de>
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/

header('Content-Type: text/html; charset=UTF-8');
header('Pragma: no-cache');
header('Cache-Control: no-cache, no-store, must-revalidate, max-age=0');
header('Expires: 0');
if($_SERVER['REQUEST_METHOD']==='HEAD'){
	exit; // headers sent, no further processing needed
}
include('common_config.php');
try{
	$db=new PDO('mysql:host=' . DBHOST . ';dbname=' . DBNAME, DBUSER, DBPASS, [PDO::ATTR_ERRMODE=>PDO::ERRMODE_WARNING, PDO::ATTR_PERSISTENT=>PERSISTENT]);
}catch(PDOException $e){
	die($I['nodb']);
}
asort($categories);
echo '<!DOCTYPE html><html><head>';
echo "<title>$I[admintitle]</title>";
echo '<meta http-equiv="Content-Type" content="text/html; charset=utf-8">';
echo '<meta name=viewport content="width=device-width, initial-scale=1">';
echo '<style type="text/css">.red{color:red;} .green{color:green;}</style>';
echo '</head><body>';
echo "<h2>$I[admintitle]</h2>";
print_langs();

//check password
if(!isSet($_POST['pass']) || $_POST['pass']!==ADMINPASS){
	echo "<form action=\"$_SERVER[SCRIPT_NAME]\" method=\"POST\">";
	echo "<input type=\"hidden\" name=\"lang\" value=\"$language\">";
	echo "<p>$I[password]: <input type=\"password\" name=\"pass\" size=\"30\" required></p>";
	echo "<input type=\"submit\" name=\"action\" value=\"$I[login]\">";
	echo '</form>';
	if(isSet($_POST['pass'])){
		echo "<p class=\"red\">$I[wrongpass]</p>";
	}
}else{
	echo "<form action=\"$_SERVER[SCRIPT_NAME]\" method=\"POST\">";
	echo "<input type=\"hidden\" name=\"lang\" value=\"$language\">";
	echo "<input type=\"hidden\" name=\"pass\" value=\"$_POST[pass]\">";
	echo "<p>$I[link]: <input name=\"addr\" size=\"30\" value=\"";
	if(isSet($_REQUEST['addr'])){
		echo htmlspecialchars($_REQUEST['addr']);
	}
	echo '" required></p>';
	echo "<p>$I[cloneof]: <input type=\"text\" name=\"original\" size=\"30\"";
	if(isSet($_REQUEST['original'])){
		echo ' value="'.htmlspecialchars($_REQUEST['original']).'"';
	}
	echo '></p>';
	echo "<p>$I[bitcoins]: <input type=\"text\" name=\"btc\" size=\"30\"";
	if(isSet($_REQUEST['btc'])){
		echo ' value="'.htmlspecialchars($_REQUEST['btc']).'"';
	}
	echo '></p>';
	echo "<p>$I[adddesc]: <br><textarea name=\"desc\" rows=\"2\" cols=\"30\">";
	if(!empty($_REQUEST['desc'])){
		echo htmlspecialchars(trim($_REQUEST['desc']));
	}elseif(isSet($_REQUEST['addr'])){
		if(preg_match('~(^(https?://)?([a-z2-7]{16})(\.onion(/.*)?)?$)~i', trim($_REQUEST['addr']), $addr)){
			$addr=strtolower($addr[3]);
			$md5=md5($addr, true);
			$stmt=$db->prepare('SELECT description, category FROM ' . PREFIX . 'onions WHERE md5sum=?;');
			$stmt->execute([$md5]);
			if($desc=$stmt->fetch(PDO::FETCH_ASSOC)){
				$category=$desc['category'];
				echo str_replace('<br>', "\n", $desc['description']);
			}
		}
	}
	echo '</textarea></p>';
	if(isSet($_REQUEST['cat']) && $_REQUEST['cat']<count($categories) && $_REQUEST['cat']>=0){
		$category=$_REQUEST['cat'];
	}
	if(!isSet($category)){
		$category=count($categories);
	}
	echo "<p>$I[category]: <select name=\"cat\">";
	foreach($categories as $cat=>$name){
		echo "<option value=\"$cat\"";
		if($category==$cat || ($cat===0 && $category>=count($categories))){
			echo ' selected';
		}
		echo ">$name</option>";
	}
	echo '</select></p>';
	echo '<input style="display:none;" type="submit" name="action" value="None">';
	echo '<table><tr>';
	echo "<td><input type=\"submit\" name=\"action\" value=\"$I[remove]\"></td>";
	echo "<td><input type=\"submit\" name=\"action\" value=\"$I[lock]\"></td>";
	echo "<td><input type=\"submit\" name=\"action\" value=\"$I[promote]\"></td>";
	echo "<td><input type=\"submit\" name=\"action\" value=\"$I[phishing]\"></td>";
	echo '</tr><tr>';
	echo "<td><input type=\"submit\" name=\"action\" value=\"$I[readd]\"></td>";
	echo "<td><input type=\"submit\" name=\"action\" value=\"$I[unlock]\"></td>";
	echo "<td><input type=\"submit\" name=\"action\" value=\"$I[unpromote]\"></td>";
	echo "<td><input type=\"submit\" name=\"action\" value=\"$I[unphishing]\"></td>";
	echo '</tr><tr>';
	echo "<td><input type=\"submit\" name=\"action\" value=\"$I[update]\"></td>";
	echo '</tr></table>';
	echo '</form><br>';

	if(!empty($_POST['addr'])){
		if(!preg_match('~(^(https?://)?([a-z2-7]{16})(\.onion(/.*)?)?$)~i', trim($_POST['addr']), $addr)){
			echo "<p class=\"red\">$I[invalonion]</p>";
		}else{
			$addr=strtolower($addr[3]);
			$md5=md5($addr, true);
			if($_POST['action']===$I['remove']){ //remove address from public display
				$db->prepare('UPDATE ' . PREFIX . "onions SET address='', locked=1 WHERE md5sum=?;")->execute([$md5]);
				echo "<p class=\"green\">$I[succremove]</p>";
			}elseif($_POST['action']===$I['lock']){ //lock editing
				$db->prepare('UPDATE ' . PREFIX . 'onions SET locked=1 WHERE md5sum=?;')->execute([$md5]);
				echo "<p class=\"green\">$I[succlock]</p>";
			}elseif($_POST['action']===$I['readd']){ //add onion back, if previously removed
				$db->prepare('UPDATE ' . PREFIX . 'onions SET address=?, locked=1 WHERE md5sum=?;')->execute([$addr, $md5]);
				echo "<p class=\"green\">$I[succreadd]</p>";
			}elseif($_POST['action']===$I['unlock']){ //unlock editing
				$db->prepare('UPDATE ' . PREFIX . 'onions SET locked=0 WHERE md5sum=?;')->execute([$md5]);
				echo "<p class=\"green\">$I[succunlock]</p>";
			}elseif($_POST['action']===$I['promote']){ //promote link for payed time
				$stmt=$db->prepare('SELECT special FROM ' . PREFIX . 'onions WHERE md5sum=?;');
				$stmt->execute([$md5]);
				$specialtime=$stmt->fetch(PDO::FETCH_NUM);
				if($specialtime[0]<time()){
					$time=time()+(($_POST['btc']/PROMOTEPRICE)*PROMOTETIME);
				}else{
					$time=$specialtime[0]+(($_POST['btc']/PROMOTEPRICE)*PROMOTETIME);
				}
				$db->prepare('UPDATE ' . PREFIX . 'onions SET special=?, locked=1 WHERE md5sum=?;')->execute([$time, $md5]);
				printf("<p class=\"green\">$I[succpromote]</p>", date('Y-m-d H:i', $time));
			}elseif($_POST['action']===$I['unpromote']){ //remove promoted status
				$db->prepare('UPDATE ' . PREFIX . 'onions SET special=0 WHERE md5sum=?;')->execute([$md5]);
				echo "<p class=\"green\">$I[succunpromote]</p>";
			}elseif($_POST['action']===$I['update']){ //update description
				$stmt=$db->prepare('SELECT * FROM ' . PREFIX . 'onions WHERE md5sum=?;');
				$stmt->execute([$md5]);
				if($category===count($categories)){
					$category=0;
				}
				if(!isSet($_POST['desc'])){
					$desc='';
				}else{
						$desc=trim($_POST['desc']);
					$desc=htmlspecialchars($desc);
					$desc=preg_replace("/(\r?\n|\r\n?)/", '<br>', $desc);
				}
				if(!$stmt->fetch(PDO::FETCH_ASSOC)){ //not yet there, add it
					$stmt=$db->prepare('INSERT INTO ' . PREFIX . 'onions (address, description, md5sum, category, timeadded) VALUES (?, ?, ?, ?, ?);');
					$stmt->execute([$addr, $desc, $md5, $category, time()]);
					echo "<p class=\"green\">$I[succadd]</p>";
				}elseif($desc!=''){ //update description+category
					$stmt=$db->prepare('UPDATE ' . PREFIX . 'onions SET description=?, category=?, locked=1 WHERE md5sum=?;');
					$stmt->execute([$desc, $category, $md5]);
					echo "<p class=\"green\">$I[succupddesc]</p>";
				}elseif($category!=0){ //only update category
					$stmt=$db->prepare('UPDATE ' . PREFIX . 'onions SET category=? WHERE md5sum=?;');
					$stmt->execute([$category, $md5]);
					echo "<p class=\"green\">$I[succupdcat]!</p>";
				}else{ //no description or category change and already known
					echo "<p class=\"green\">$I[alreadyknown]</p>";
				}
			}elseif($_POST['action']===$I['phishing']){//mark as phishing clone
				if($_POST['original']!=='' && !preg_match('~(^(https?://)?([a-z2-7]{16})(\.onion(/.*)?)?$)~i', $_POST['original'], $orig)){
					echo "<p class=\"red\">$I[invalonion]</p>";
				}else{
					if(isset($orig[3])){
						$orig=strtolower($orig[3]);
					}else{
						$orig='';
					}
					if($orig!==$addr){
						$stmt=$db->prepare('INSERT INTO ' . PREFIX . 'phishing (onion_id, original) VALUES ((SELECT id FROM ' . PREFIX . 'onions WHERE address=?), ?);');
						$stmt->execute([$addr, $orig]);
						echo "<p class=\"green\">$I[succaddphish]</p>";
					}else{
						echo "<p class=\"red\">$I[samephish]</p>";
					}
				}
			}elseif($_POST['action']===$I['unphishing']){ //remove phishing clone status
				$stmt=$db->prepare('DELETE FROM ' . PREFIX . 'phishing WHERE onion_id=(SELECT id FROM ' . PREFIX . 'onions WHERE address=?);');
				$stmt->execute([$addr]);
				echo "<p class=\"green\">$I[succrmphish]</p>";
			}else{ //no specific button was pressed
				echo "<p class=\"red\">$I[noaction]</p>";
			}
		}
	}
}
echo '<br><p style="text-align:center;font-size:small;"><a target="_blank" href="https://github.com/DanWin/onion-link-list">Onion Link List - ' . VERSION . '</a></p>';
echo '</body></html>';
?>