author | Romain LE DISEZ <romain.git@ledisez.net> | 2009-07-23 18:08:57 +0200 |
committer | Romain LE DISEZ <romain.git@ledisez.net> | 2009-07-23 18:08:57 +0200 |
commit | 386130114b3e3a9cf1617a1ea62407f569ee391c (patch) | |
tree | 4728e044dc755b79494101effd7fab4689d5289d /modules | |
parent | 06fd89e8bcad2142f0b6158d5db7a91d2b6956d8 (diff) | |
parent | 5999ccb512d65ad9ae06a0a5542eb1123b44e9db (diff) |
Merge commit 'upstream/master'
Diffstat (limited to 'modules')
-rw-r--r-- | modules/comment/helpers/comment_theme.php | 2 | ||||
-rw-r--r-- | modules/digibug/config/digibug.php | 29 | ||||
-rw-r--r-- | modules/digibug/controllers/digibug.php | 50 | ||||
-rw-r--r-- | modules/digibug/helpers/digibug_menu.php | 2 | ||||
-rw-r--r-- | modules/digibug/helpers/digibug_theme.php | 2 | ||||
-rw-r--r-- | modules/digibug/tests/Digibug_Controller_Test.php | 78 | ||||
-rw-r--r-- | modules/gallery/helpers/gallery.php | 2 | ||||
-rw-r--r-- | modules/gallery/helpers/gallery_theme.php | 20 | ||||
-rw-r--r-- | modules/gallery/libraries/Gallery_View.php | 66 | ||||
-rw-r--r-- | modules/gallery/tests/Access_Helper_Test.php | 37 | ||||
-rw-r--r-- | modules/notification/helpers/notification.php | 12 | ||||
-rw-r--r-- | modules/notification/helpers/notification_menu.php | 4 | ||||
-rw-r--r-- | modules/organize/helpers/organize_theme.php | 6 | ||||
-rw-r--r-- | modules/server_add/helpers/server_add_theme.php | 8 | ||||
-rw-r--r-- | modules/tag/helpers/tag_theme.php | 4 | ||||
-rw-r--r-- | modules/user/helpers/user_theme.php | 2 |
16 files changed, 243 insertions, 81 deletions
diff --git a/modules/comment/helpers/comment_theme.php b/modules/comment/helpers/comment_theme.php
index 89b2f57c..b807e2cf 100644
--- a/modules/comment/helpers/comment_theme.php
+++ b/modules/comment/helpers/comment_theme.php
@@ -19,7 +19,7 @@
  */
 class comment_theme_Core {
 static function head($theme) {
- $theme->script("modules/comment/js/comment.js");
+ $theme->script("comment.js");
 return "";
 }
 
diff --git a/modules/digibug/config/digibug.php b/modules/digibug/config/digibug.php
new file mode 100644
index 00000000..6cd165d1
--- /dev/null
+++ b/modules/digibug/config/digibug.php
@@ -0,0 +1,29 @@
+<?php defined("SYSPATH") or die("No direct script access.");
+/**
+ * Gallery - a web based photo album viewer and editor
+ * Copyright (C) 2000-2009 Bharat Mediratta
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or (at
+ * your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA.
+ */
+/**
+ * PHP Mail Configuration parameters
+ * from => email address that appears as the from address
+ * line-length => word wrap length (PHP documentations suggest no larger tha 70 characters
+ * reply-to => what goes into the reply to header
+ */
+$config["ranges"] = array(
+ "Digibug1" => array("low" => "65.249.152.0", "high" => "65.249.159.255"),
+ "Digibug2" => array("low" => "208.122.55.0", "high" => "208.122.55.255")
+);
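Review bot: The docblock above `$config["ranges"]` in the new digibug.php describes mail settings (`from`, `line-length`, `reply-to`) that this file does not define; it reads as copied from another config and will mislead whoever next edits the ranges. Replace it with a comment that states what the values are for, e.g. `/** Digibug print-service address ranges. print_proxy() serves the full-size image only to a REMOTE_ADDR inside one of these inclusive low..high ranges; keep them in dotted-quad form, ip2long() is applied at request time. */`. The copied `tha` typo would go with it.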
diff --git a/modules/digibug/controllers/digibug.php b/modules/digibug/controllers/digibug.php
index d881db9b..e0f4b6bf 100644
--- a/modules/digibug/controllers/digibug.php
+++ b/modules/digibug/controllers/digibug.php
@@ -21,7 +21,7 @@ class Digibug_Controller extends Controller {
 public function print_photo($id) {
 access::verify_csrf();
 $item = ORM::factory("item", $id);
- access::required("view_full", $item);
+ access::required("view", $item);
 
 if (access::group_can(group::everybody(), "view_full", $item)) {
 $full_url = $item->file_url(true);
@@ -56,6 +56,30 @@ class Digibug_Controller extends Controller {
 }
 
 public function print_proxy($type, $id) {
+ // If its a request for the full size then make sure we are coming from an
+ // authorized address
+ if ($type == "full") {
+ $remote_addr = ip2long($this->input->server("REMOTE_ADDR"));
+ if ($remote_addr === false) {
+ Kohana::show_404();
+ }
+ $config = Kohana::config("digibug");
+
+ $authorized = false;
+ foreach ($config["ranges"] as $ip_range) {
+ $low = ip2long($ip_range["low"]);
+ $high = ip2long($ip_range["high"]);
+ $authorized = $low !== false && $high !== false &&
+ $low <= $remote_addr && $remote_addr <= $high;
+ if ($authorized) {
+ break;
+ }
+ }
+ if (!$authorized) {
+ Kohana::show_404();
+ }
+ }
+
 $proxy = ORM::factory("digibug_proxy", array("uuid" => $id));
 if (!$proxy->loaded || !$proxy->item->loaded) {
 Kohana::show_404();
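Review bot: The block under `if ($type == "full")` decides authorization purely from `REMOTE_ADDR`, and nothing in the hunk records the two assumptions that makes: the application must see the client address directly (behind a reverse proxy every request carries the proxy's address and is refused), and `ip2long()` must yield comparable values for both ends and the client — on 32-bit builds it returns negative integers for addresses at or above 128.0.0.0, so a configured range straddling that boundary can never match (the 208.122.55.0 range in the new config works only because both of its ends fall on the same side). `$config["ranges"]` is also read without a guard; a missing key produces a warning and then falls through to `Kohana::show_404()`, which is fail-closed but worth stating. I would add above the `if`: `// Full-size images are authorized by source address only (no proxy headers are consulted); ranges must not cross 128.0.0.0 on 32-bit PHP.` print_proxy continues past the end of this hunk.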
@@ -69,16 +93,18 @@ class Digibug_Controller extends Controller {
 // We don't need to save the session for this request
 Session::abort_save();
 
- // Dump out the image
- header("Content-Type: $proxy->item->mime_type");
- Kohana::close_buffers(false);
- $fd = fopen($file, "rb");
- fpassthru($fd);
- fclose($fd);
+ if (!TEST_MODE) {
+ // Dump out the image
+ header("Content-Type: $proxy->item->mime_type");
+ Kohana::close_buffers(false);
+ $fd = fopen($file, "rb");
+ fpassthru($fd);
+ fclose($fd);
 
- // If the request was for the image and not the thumb, then delete the proxy.
- if ($type == "full") {
- $proxy->delete();
+ // If the request was for the image and not the thumb, then delete the proxy.
+ if ($type == "full") {
+ $proxy->delete();
+ }
 }
 
 $this->_clean_expired();
@@ -89,8 +115,8 @@ class Digibug_Controller extends Controller {
 }
 
 private function _clean_expired() {
- Database::instance()>query(
- "DELETE FROM {digibug_proxy} " .
+ Database::instance()->query(
+ "DELETE FROM {digibug_proxies} " .
 "WHERE request_date <= (CURDATE() - INTERVAL 10 DAY) " .
 "LIMIT 20");
 }
diff --git a/modules/digibug/helpers/digibug_menu.php b/modules/digibug/helpers/digibug_menu.php
index c95cada2..3f70fa24 100644
--- a/modules/digibug/helpers/digibug_menu.php
+++ b/modules/digibug/helpers/digibug_menu.php
@@ -37,7 +37,7 @@ class digibug_menu {
 }
 
 static function thumb($menu, $theme, $item) {
- if ($item->type == "photo" && access::can("view_full", $item)) {
+ if ($item->type == "photo") {
 $menu->get("options_menu")
 ->append(
 Menu::factory("link")
diff --git a/modules/digibug/helpers/digibug_theme.php b/modules/digibug/helpers/digibug_theme.php
index f94d07c6..ceda55b5 100644
--- a/modules/digibug/helpers/digibug_theme.php
+++ b/modules/digibug/helpers/digibug_theme.php
@@ -19,6 +19,6 @@
  */
 class digibug_theme_Core {
 static function head($theme) {
- $theme->script("modules/digibug/js/digibug.js");
+ $theme->script("digibug.js");
 }
 }
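Review bot: `header("Content-Type: $proxy->item->mime_type");` does not interpolate what it appears to: PHP's simple string syntax stops after the first property access, so the header is built from `$proxy->item` converted to a string followed by the literal text `->mime_type`, never from the item's mime type. The hunk re-emits this line as new code inside the `TEST_MODE` guard, so it is the place to fix it: `header("Content-Type: {$proxy->item->mime_type}");`. The result of `fopen($file, "rb")` is also handed to `fpassthru()` without a check for `false`. print_proxy begins and ends outside this hunk.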
diff --git a/modules/digibug/tests/Digibug_Controller_Test.php b/modules/digibug/tests/Digibug_Controller_Test.php
new file mode 100644
index 00000000..859ff637
--- /dev/null
+++ b/modules/digibug/tests/Digibug_Controller_Test.php
@@ -0,0 +1,78 @@
+<?php defined("SYSPATH") or die("No direct script access.");
+/**
+ * Gallery - a web based photo album viewer and editor
+ * Copyright (C) 2000-2009 Bharat Mediratta
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or (at
+ * your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA.
+ */
+class Digibug_Controller_Test extends Unit_Test_Case {
+ private $_proxy;
+ private $_item;
+ private $_server;
+
+ public function teardown() {
+ $_SERVER = $this->_server;
+
+ if ($this->_proxy) {
+ $this->_proxy->delete();
+ }
+ }
+
+ public function setup() {
+ $this->_server = $_SERVER;
+
+ $root = ORM::factory("item", 1);
+ $this->_album = album::create($root, rand(), "test album");
+ access::deny(group::everybody(), "view_full", $this->_album);
+ access::deny(group::registered_users(), "view_full", $this->_album);
+
+ $rand = rand();
+ $this->_item = photo::create($this->_album, MODPATH . "gallery/tests/test.jpg", "$rand.jpg",
+ $rand, $rand);
+ $this->_proxy = ORM::factory("digibug_proxy");
+ $this->_proxy->uuid = md5(rand());
+ $this->_proxy->item_id = $this->_item->id;
+ $this->_proxy->save();
+ }
+
+ public function digibug_request_thumb_test() {
+ $controller = new Digibug_Controller();
+ $controller->print_proxy("thumb", $this->_proxy->uuid);
+ }
+
+ public function digibug_request_full_malicious_ip_test() {
+ $_SERVER["REMOTE_ADDR"] = "123.123.123.123";
+ try {
+ $controller = new Digibug_Controller();
+ $controller->print_proxy("full", $this->_proxy->uuid);
+ $this->assert_true(false, "Should have failed with an 404 exception");
+ } catch (Kohana_404_Exception $e) {
+ // expected behavior
+ }
+ }
+
+ public function digibug_request_full_authorized_ip_test() {
+ $config = Kohana::config("digibug");
+ $this->assert_true(!empty($config), "The Digibug config is empty");
+
+ $ranges = array_values($config["ranges"]);
+ $low = ip2long($ranges[0]["low"]);
+ $high = ip2long($ranges[0]["high"]);
+
+ $_SERVER["REMOTE_ADDR"] = long2ip(rand($low, $high));
+ $controller = new Digibug_Controller();
+ $controller->print_proxy("full", $this->_proxy->uuid);
+ }
+}
diff --git a/modules/gallery/helpers/gallery.php b/modules/gallery/helpers/gallery.php
index a32ac484..2fa7ad1c 100644
--- a/modules/gallery/helpers/gallery.php
+++ b/modules/gallery/helpers/gallery.php
@@ -18,7 +18,7 @@
  * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA.
  */
 class gallery_Core {
- const VERSION = "3.0 beta 2";
+ const VERSION = "3.0 git (pre-beta3)";
 
 /**
 * If Gallery is in maintenance mode, then force all non-admins to get routed to a "This site is
diff --git a/modules/gallery/helpers/gallery_theme.php b/modules/gallery/helpers/gallery_theme.php
index f245ea31..998eb289 100644
--- a/modules/gallery/helpers/gallery_theme.php
+++ b/modules/gallery/helpers/gallery_theme.php
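Review bot: `setup()` creates an album in `$this->_album` — a property the class never declares — and a photo beneath it, but `teardown()` only restores `$_SERVER` and deletes the proxy, so the album and photo outlive every run in the test database. Declare the property and dispose of it next to the proxy: `private $_album;` and, in teardown, `if ($this->_album) { $this->_album->delete(); }` — whether deleting the album also removes the photo depends on album::delete, which is not in this diff. `digibug_request_thumb_test` and `digibug_request_full_authorized_ip_test` contain no assertion and pass whenever `print_proxy()` returns without throwing, so they currently prove only that the address check lets the request through; a check that the proxy can still be loaded afterwards would at least pin the `TEST_MODE` behaviour the controller relies on.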
@@ -22,12 +22,12 @@ class gallery_theme_Core {
 $session = Session::instance();
 $buf = "";
 if ($session->get("debug")) {
- $theme->css("modules/gallery/css/debug.css");
+ $theme->css("debug.css");
 }
 if (($theme->page_type == "album" || $theme->page_type == "photo") &&
 access::can("edit", $theme->item())) {
- $theme->css("modules/gallery/css/quick.css");
- $theme->script("modules/gallery/js/quick.js");
+ $theme->css("quick.css");
+ $theme->script("quick.js");
 }
 
 if (module::is_active("rss")) {
@@ -43,9 +43,9 @@ class gallery_theme_Core {
 }
 
 if ($session->get("l10n_mode", false)) {
- $theme->css("modules/gallery/css/l10n_client.css");
- $theme->script("lib/jquery.cookie.js");
- $theme->script("modules/gallery/js/l10n_client.js");
+ $theme->css("l10n_client.css");
+ $theme->script("jquery.cookie.js");
+ $theme->script("l10n_client.js");
 }
 
 return $buf;
@@ -80,13 +80,13 @@ class gallery_theme_Core {
 static function admin_head($theme) {
 $session = Session::instance();
 if ($session->get("debug")) {
- $theme->css("modules/gallery/css/debug.css");
+ $theme->css("debug.css");
 }
 
 if ($session->get("l10n_mode", false)) {
- $theme->css("modules/gallery/css/l10n_client.css");
- $theme->script("lib/jquery.cookie.js");
- $theme->script("modules/gallery/js/l10n_client.js");
+ $theme->css("l10n_client.css");
+ $theme->script("jquery.cookie.js");
+ $theme->script("l10n_client.js");
 }
 }
 
diff --git a/modules/gallery/libraries/Gallery_View.php b/modules/gallery/libraries/Gallery_View.php
index 31231ca6..219cc883 100644
--- a/modules/gallery/libraries/Gallery_View.php
+++ b/modules/gallery/libraries/Gallery_View.php
@@ -27,24 +27,20 @@ class Gallery_View_Core extends View {
 * @param $file the relative path to a script from the gallery3 directory
 */
 public function script($file) {
- $this->scripts[$file] = 1;
- }
-
- /**
- * Add a script to the combined scripts list.
- * @param $file the relative path to a script from the base of the active theme
- * @param
- */
- public function theme_script($file) {
- $file = "themes/{$this->theme_name}/$file";
- $this->scripts[$file] = 1;
+ $base_file = str_replace(".js", "", $file);
+ if (($path = Kohana::find_file("js", $base_file, false, "js")) ||
+ file_exists($path = DOCROOT . "lib/$file")) {
+ $this->scripts[$path] = 1;
+ } else {
+ Kohana::log("error", "Can't find script file: $file");
+ }
 }
 
 /**
 * Provide a url to a resource within the current theme. This allows us to refer to theme
 * resources without naming the theme itself which makes themes easier to copy.
 */
- public function theme_url($path, $absolute_url=false) {
+ public function url($path, $absolute_url=false) {
 $arg = "themes/{$this->theme_name}/$path";
 return $absolute_url ? url::abs_file($arg) : url::file($arg);
 }
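Review bot: `$base_file = str_replace(".js", "", $file);` removes every occurrence of `.js`, not just the extension, so a name such as `jquery.json.js` becomes `jqueryon` and the `Kohana::find_file` lookup misses; the `css()` rewrite in the next hunk has the same problem with `.css`. Anchor the replacement to the end of the string: `$base_file = preg_replace('/\.js$/', '', $file);` (and `'/\.css$/'` in css()). Renaming `theme_url()` to `url()` changes a public method that theme templates presumably call; none of those callers are in this diff, so that is worth confirming separately.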
@@ -53,27 +49,23 @@ class Gallery_View_Core extends View { * Add a css file to the combined css list. * @param $file the relative path to a script from the gallery3 directory */ - public function css($file, $theme_relative=false) { - $this->css[$file] = 1; - } - - /** - * Add a css file to the combined css list. - * @param $file the relative path to a script from the base of the active theme - * @param - */ - public function theme_css($file) { - $file = "themes/{$this->theme_name}/$file"; - $this->css[$file] = 1; + public function css($file) { + $base_file = str_replace(".css", "", $file); + if (($path = Kohana::find_file("css", $base_file, false, "css")) || + file_exists($path = DOCROOT . "lib/$file")) { + $this->css[$path] = 1; + } else { + Kohana::log("error", "Can't find css file: $file"); + } } /** * Combine a series of files into a single one and cache it in the database. */ - protected function combine_files($files, $type) { + protected function combine_files($paths, $type) { $links = array(); - if (empty($files)) { + if (empty($paths)) { return; } @@ -81,16 +73,10 @@ class Gallery_View_Core extends View { // entries. $key = array(url::abs_file("")); - foreach (array_keys($files) as $file) { - $path = DOCROOT . $file; - if (file_exists($path)) { - $stats = stat($path); - $links[$file] = $path; - // 7 == size, 9 == mtime, see http://php.net/stat - $key[] = "$file $stats[7] $stats[9]"; - } else { - Kohana::log("error", "missing file ($type): $file"); - } + foreach (array_keys($paths) as $path) { + $stats = stat($path); + // 7 == size, 9 == mtime, see http://php.net/stat + $key[] = "$path $stats[7] $stats[9]"; } $key = md5(join(" ", $key)); 
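Review bot: `$links = array();` at the top of `combine_files()` is now dead — the loop that populated it is removed in the last hunk of this file — and can go. That loop also drops the `file_exists()` guard and calls `stat($path)` unconditionally; the paths now arrive from `script()`/`css()`, which checked them when added, but a file removed in between yields `false` here and a key entry with empty size and mtime, so either keep a guard or record the assumption: `// paths were validated by script()/css(); a stat() failure only perturbs the cache key`. combine_files continues in the following hunk.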
@@ -99,11 +85,13 @@ class Gallery_View_Core extends View {
 
 if (empty($contents)) {
 $contents = "";
- foreach ($links as $file => $link) {
+ $docroot_len = strlen(DOCROOT);
+ foreach (array_keys($paths) as $path) {
+ $relative = substr($path, $docroot_len);
 if ($type == "css") {
- $contents .= "/* $file */\n" . $this->process_css($link) . "\n";
+ $contents .= "/* $relative */\n" . $this->process_css($path) . "\n";
 } else {
- $contents .= "/* $file */\n" . file_get_contents($link) . "\n";
+ $contents .= "/* $relative */\n" . file_get_contents($path) . "\n";
 }
 }
 
diff --git a/modules/gallery/tests/Access_Helper_Test.php b/modules/gallery/tests/Access_Helper_Test.php
index 1352b493..59cec453 100644
--- a/modules/gallery/tests/Access_Helper_Test.php
+++ b/modules/gallery/tests/Access_Helper_Test.php
@@ -64,6 +64,43 @@ class Access_Helper_Test extends Unit_Test_Case {
 $this->assert_false(array_key_exists("access_test_{$group->id}", $fields));
 }
 
+ public function user_can_access_test() {
+ $access_test = group::create("access_test");
+
+ $root = ORM::factory("item", 1);
+ access::allow($access_test, "view", $root);
+
+ $item = album::create($root, rand(), "test album");
+
+ access::deny(group::everybody(), "view", $item);
+ access::deny(group::registered_users(), "view", $item);
+
+ $user = user::create("access_test", "Access Test", "");
+ foreach ($user->groups as $group) {
+ $user->remove($group);
+ }
+ $user->add($access_test);
+ $user->save();
+
+ $this->assert_true(access::user_can($user, "view", $item), "Should be able to view");
+ }
+
+ public function user_can_no_access_test() {
+ $root = ORM::factory("item", 1);
+ $item = album::create($root, rand(), "test album");
+
+ access::deny(group::everybody(), "view", $item);
+ access::deny(group::registered_users(), "view", $item);
+
+ $user = user::create("access_test", "Access Test", "");
+ foreach ($user->groups as $group) {
+ $user->remove($group);
+ }
+ $user->save();
+
+ $this->assert_false(access::user_can($user, "view", $item), "Should be unable to view");
+ }
+
 public function adding_and_removing_items_adds_ands_removes_rows_test() {
 $root = ORM::factory("item", 1);
 $item = album::create($root, rand(), "test album");
diff --git a/modules/notification/helpers/notification.php b/modules/notification/helpers/notification.php
index e246af2c..d91a37e8 100644
--- a/modules/notification/helpers/notification.php
+++ b/modules/notification/helpers/notification.php
@@ -67,6 +67,8 @@ class notification {
 }
 
 static function get_subscribers($item) {
+ // @todo don't access the user table directly
+ // @todo only return distinct email addresses
 $users = ORM::factory("user")
 ->join("subscriptions", "users.id", "subscriptions.user_id")
 ->join("items", "subscriptions.item_id", "items.id")
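Review bot: `user_can_access_test` and `user_can_no_access_test` both call `user::create("access_test", "Access Test", "")`, and the first also `group::create("access_test")`, yet neither removes what it created; if the user or group name is unique in the schema (not visible here) the second test fails on a duplicate, and either way the fixtures accumulate across runs. Either delete them at the end of each test or give every run a distinct name, as the surrounding tests already do for albums with `rand()`, e.g. `$user = user::create("access_test_" . rand(), "Access Test", "");`.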
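Review bot: The second comment added to `get_subscribers()`, `// @todo only return distinct email addresses`, is already satisfied by the following hunk, which keys `$subscribers` by email and returns `array_keys($subscribers)`; leaving it suggests outstanding work that does not exist. Drop it, or replace both lines with a statement of the contract: `// Returns the distinct email addresses of subscribers who are allowed to view $item.` The first `@todo` about reading the user table directly still applies. get_subscribers continues past the end of this hunk.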
@@ -77,9 +79,11 @@ class notification { $subscribers = array(); foreach ($users as $user) { - $subscribers[] = $user->email; + if (access::user_can($user, "view", $item)) { + $subscribers[$user->email] = 1; + } } - return $subscribers; + return array_keys($subscribers); } static function send_item_updated($item) { @@ -103,8 +107,8 @@ class notification { array("title" => $item->title, "parent_title" => $parent->title)) : ($item->is_photo() ? t("Photo %title added to %parent_title", - array("title" => $item->title, "parent_title" => $parent->title)) - : t("Movie %title added to %parent_title", + array("title" => $item->title, "parent_title" => $parent->title)) : + t("Movie %title added to %parent_title", array("title" => $item->title, "parent_title" => $parent->title))); self::_notify_subscribers($item, $v->render(), $v->subject); diff --git a/modules/notification/helpers/notification_menu.php b/modules/notification/helpers/notification_menu.php index 87478b8a..73d1dd03 100644 --- a/modules/notification/helpers/notification_menu.php +++ b/modules/notification/helpers/notification_menu.php @@ -22,10 +22,10 @@ class notification_menu_Core { if (!user::active()->guest) { $item = $theme->item(); - if ($item && $item->is_album()) { + if ($item && $item->is_album() && access::can("view", $item)) { $watching = notification::is_watching($item); - $watching ? $label = t("Remove notifications") : $label = t("Enable notifications"); + $label = $watching ? t("Remove notifications") : t("Enable notifications"); $menu->get("options_menu") ->append(Menu::factory("link") diff --git a/modules/organize/helpers/organize_theme.php b/modules/organize/helpers/organize_theme.php index 02f1f589..e4feba2b 100644 --- a/modules/organize/helpers/organize_theme.php +++ b/modules/organize/helpers/organize_theme.php 
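Review bot: `$subscribers[$user->email] = 1;` keys the result by email, so a subscriber whose email is empty contributes the key `""`, which `array_keys()` then hands back to the caller as an address; whether empty emails can exist depends on the user schema, which this diff does not show. The added per-user check is the natural place to exclude them: `if ($user->email && access::user_can($user, "view", $item)) {`. If the schema already guarantees a non-empty email, a one-line comment saying so on the same line would settle it.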
@@ -20,8 +20,8 @@ class organize_theme { static function head($theme) { // @tdo remove the addition css and organize.js (just here to test) - $theme->script("modules/organize/js/organize_init.js"); - $theme->script("modules/organize/js/organize.js"); - $theme->css("modules/organize/css/organize.css"); + $theme->script("organize_init.js"); + $theme->script("organize.js"); + $theme->css("organize.css"); } } diff --git a/modules/server_add/helpers/server_add_theme.php b/modules/server_add/helpers/server_add_theme.php index 02f99690..2ba2e167 100644 --- a/modules/server_add/helpers/server_add_theme.php +++ b/modules/server_add/helpers/server_add_theme.php @@ -20,20 +20,20 @@ class server_add_theme_Core { static function head($theme) { if (user::active()->admin) { - $theme->script("modules/server_add/js/server_add.js"); + $theme->script("server_add.js"); } } static function admin_head($theme) { $head = array(); if (strpos(Router::$current_uri, "admin/server_add") !== false) { - $theme->css("lib/jquery.autocomplete.css"); + $theme->css("jquery.autocomplete.css"); $base = url::site("__ARGS__"); $csrf = access::csrf_token(); $head[] = "<script> var base_url = \"$base\"; var csrf = \"$csrf\";</script>"; - $theme->script("lib/jquery.autocomplete.js"); - $theme->script("modules/server_add/js/admin.js"); + $theme->script("jquery.autocomplete.js"); + $theme->script("admin.js"); } return implode("\n", $head); diff --git a/modules/tag/helpers/tag_theme.php b/modules/tag/helpers/tag_theme.php index fe30354f..d46a91e9 100644 --- a/modules/tag/helpers/tag_theme.php +++ b/modules/tag/helpers/tag_theme.php @@ -19,11 +19,11 @@ */ class tag_theme_Core { static function head($theme) { - $theme->script("modules/tag/js/tag.js"); + $theme->script("tag.js"); } static function admin_head($theme) { - $theme->script("modules/tag/js/tag.js"); + $theme->script("tag.js"); } static function sidebar_blocks($theme) { 
diff --git a/modules/user/helpers/user_theme.php b/modules/user/helpers/user_theme.php
index ad9d4c63..c5351f8e 100644
--- a/modules/user/helpers/user_theme.php
+++ b/modules/user/helpers/user_theme.php
@@ -26,7 +26,7 @@ class user_theme_Core {
 
 static function admin_head($theme) {
 if (strpos(Router::$current_uri, "admin/users") !== false) {
- $theme->script("lib/gallery.panel.js");
+ $theme->script("gallery.panel.js");
 }
 }
 }
|