Merge branch 'master' of git://github.com/gallery/gallery3

author: Nathan Kinkade <nkinkade@nkinka.de> 2010-05-13 01:49:54 +0000
committer: Nathan Kinkade <nkinkade@nkinka.de> 2010-05-13 01:49:54 +0000
commit: a0b0b415515bff5f9edd43d373e8e78f3b3f8e4d (patch)
tree: a101f7a71a33f75c21d4ac828f442d902f5d8af9 /modules/tag/helpers
parent: 104430e9e1e8dacd5e4320e29e59fc59aa5c6ee9 (diff)
parent: 9affa8ebbd539396d71f19003b91af577a8a183e (diff)
6 files changed, 22 insertions, 24 deletions
diff --git a/modules/tag/helpers/item_tags_rest.php b/modules/tag/helpers/item_tags_rest.php
index 8a1b1e8b..02c79e5d 100644
--- a/modules/tag/helpers/item_tags_rest.php
+++ b/modules/tag/helpers/item_tags_rest.php
@@ -31,8 +31,8 @@ class item_tags_rest_Core {
   }
 
   static function post($request) {
-    $tag = rest::resolve($request->params->tag);
-    $item = rest::resolve($request->params->item);
+    $tag = rest::resolve($request->params->entity->tag);
+    $item = rest::resolve($request->params->entity->item);
     access::required("view", $item);
 
     tag::add($item, $tag->name);
@@ -45,6 +45,7 @@ class item_tags_rest_Core {
 
   static function delete($request) {
     list ($tag, $item) = rest::resolve($request->url);
+    access::required("edit", $item);
     $tag->remove($item);
     $tag->save();
   }
diff --git a/modules/tag/helpers/tag.php b/modules/tag/helpers/tag.php
index 8df4210d..14d27c94 100644
--- a/modules/tag/helpers/tag.php
+++ b/modules/tag/helpers/tag.php
@@ -98,7 +98,7 @@ class tag_Core {
       ($item->is_photo() ? t("Add tag to photo") : t("Add tag to movie"));
 
     $group = $form->group("add_tag")->label("Add Tag");
-    $group->input("name")->label($label)->rules("required");
+    $group->input("name")->label($label)->rules("required")->id("name");
     $group->hidden("item_id")->value($item->id);
     $group->submit("")->value(t("Add Tag"));
     return $form;
diff --git a/modules/tag/helpers/tag_item_rest.php b/modules/tag/helpers/tag_item_rest.php
index bce00a9f..17cb726e 100644
--- a/modules/tag/helpers/tag_item_rest.php
+++ b/modules/tag/helpers/tag_item_rest.php
@@ -22,7 +22,7 @@ class tag_item_rest_Core {
     list ($tag, $item) = rest::resolve($request->url);
     return array(
       "url" => $request->url,
-      "members" => array(
+      "entity" => array(
         "tag" => rest::url("tag", $tag),
         "item" => rest::url("item", $item)));
   }
diff --git a/modules/tag/helpers/tag_items_rest.php b/modules/tag/helpers/tag_items_rest.php
index 003c7c95..848c2cd3 100644
--- a/modules/tag/helpers/tag_items_rest.php
+++ b/modules/tag/helpers/tag_items_rest.php
@@ -33,8 +33,8 @@ class tag_items_rest_Core {
   }
 
   static function post($request) {
-    $tag = rest::resolve($request->params->tag);
-    $item = rest::resolve($request->params->item);
+    $tag = rest::resolve($request->params->entity->tag);
+    $item = rest::resolve($request->params->entity->item);
     access::required("view", $item);
 
     if (!$tag->loaded()) {
diff --git a/modules/tag/helpers/tag_rest.php b/modules/tag/helpers/tag_rest.php
index f30706bd..e0b7bd87 100644
--- a/modules/tag/helpers/tag_rest.php
+++ b/modules/tag/helpers/tag_rest.php
@@ -36,28 +36,25 @@ class tag_rest_Core {
           "members" => $tag_items)));
   }
 
-  static function post($request) {
-    if (empty($request->params->url)) {
-      throw new Rest_Exception("Bad request", 400);
-    }
-
-    $tag = rest::resolve($request->url);
-    $item = rest::resolve($request->params->url);
-    access::required("edit", $item);
-
-    tag::add($item, $tag->name);
-    return array("url" => rest::url("tag_item", $tag, $item));
-  }
-
   static function put($request) {
+    // Who can we allow to edit a tag name?  If we allow anybody to do it then any logged in
+    // user can rename all your tags to something offensive.  Right now limit renaming to admins.
+    if (!identity::active_user()->admin) {
+      access::forbidden();
+    }
     $tag = rest::resolve($request->url);
-    if (isset($request->params->name)) {
-      $tag->name = $request->params->name;
+    if (isset($request->params->entity->name)) {
+      $tag->name = $request->params->entity->name;
       $tag->save();
     }
   }
 
   static function delete($request) {
+    // Restrict deleting tags to admins.  Otherwise, a logged in user can do great harm to an
+    // install.
+    if (!identity::active_user()->admin) {
+      access::forbidden();
+    }
     $tag = rest::resolve($request->url);
     $tag->delete();
   }
diff --git a/modules/tag/helpers/tags_rest.php b/modules/tag/helpers/tags_rest.php
index 82826d8e..434e774a 100644
--- a/modules/tag/helpers/tags_rest.php
+++ b/modules/tag/helpers/tags_rest.php
@@ -40,13 +40,13 @@ class tags_rest_Core {
       }
     }
 
-    if (empty($request->params->name)) {
+    if (empty($request->params->entity->name)) {
       throw new Rest_Exception("Bad Request", 400);
     }
 
-    $tag = ORM::factory("tag")->where("name", "=", $request->params->name)->find();
+    $tag = ORM::factory("tag")->where("name", "=", $request->params->entity->name)->find();
     if (!$tag->loaded()) {
-      $tag->name = $request->params->name;
+      $tag->name = $request->params->entity->name;
       $tag->count = 0;
       $tag->save();
     }
author	Nathan Kinkade <nkinkade@nkinka.de>	2010-05-13 01:49:54 +0000
committer	Nathan Kinkade <nkinkade@nkinka.de>	2010-05-13 01:49:54 +0000
commit	a0b0b415515bff5f9edd43d373e8e78f3b3f8e4d (patch)
tree	a101f7a71a33f75c21d4ac828f442d902f5d8af9 /modules/tag/helpers
parent	104430e9e1e8dacd5e4320e29e59fc59aa5c6ee9 (diff)
parent	9affa8ebbd539396d71f19003b91af577a8a183e (diff)