diff options
| -rw-r--r-- | modules/comment/controllers/admin_comments.php | 52 | ||||
| -rw-r--r-- | modules/comment/controllers/comments.php | 6 | ||||
| -rw-r--r-- | modules/comment/helpers/comment.php | 5 | ||||
| -rw-r--r-- | modules/comment/helpers/comment_event.php | 2 | ||||
| -rw-r--r-- | modules/comment/helpers/comment_installer.php | 8 | ||||
| -rw-r--r-- | modules/comment/module.info | 2 | ||||
| -rw-r--r-- | modules/comment/views/admin_comments.html.php | 7 | ||||
| -rw-r--r-- | modules/comment/views/comments.html.php | 5 | ||||
| -rw-r--r-- | modules/gallery/helpers/item.php | 5 | ||||
| -rw-r--r-- | modules/gallery/helpers/item_rest.php | 2 | ||||
| -rw-r--r-- | modules/gallery/helpers/items_rest.php | 20 | ||||
| -rw-r--r-- | modules/gallery/helpers/module.php | 7 | ||||
| -rw-r--r-- | modules/gallery/tests/controller_auth_data.txt | 2 | ||||
| -rw-r--r-- | modules/gallery/tests/xss_data.txt | 37 | ||||
| -rw-r--r-- | modules/image_block/helpers/image_block_block.php | 2 | ||||
| -rw-r--r-- | modules/rest/helpers/rest.php | 7 | ||||
| -rw-r--r-- | modules/rest/helpers/rest_installer.php | 8 | ||||
| -rw-r--r-- | modules/rest/module.info | 2 |
18 files changed, 128 insertions, 51 deletions
diff --git a/modules/comment/controllers/admin_comments.php b/modules/comment/controllers/admin_comments.php new file mode 100644 index 00000000..fda3873c --- /dev/null +++ b/modules/comment/controllers/admin_comments.php @@ -0,0 +1,52 @@ +<?php defined("SYSPATH") or die("No direct script access."); +/** + * Gallery - a web based photo album viewer and editor + * Copyright (C) 2000-2010 Bharat Mediratta + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or (at + * your option) any later version. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA. + */ +class Admin_Comments_Controller extends Admin_Controller { + public function index() { + $view = new Admin_View("admin.html"); + $view->page_title = t("Comment settings"); + $view->content = new View("admin_comments.html"); + $view->content->form = $this->_get_admin_form(); + print $view; + } + + public function save() { + access::verify_csrf(); + $form = $this->_get_admin_form(); + $form->validate(); + module::set_var("comment", "access_permissions", + $form->comment_settings->access_permissions->value); + message::success(t("Comment settings updated")); + url::redirect("admin/comments"); + } + + private function _get_admin_form() { + $form = new Forge("admin/comments/save", "", "post", + array("id" => "g-comments-admin-form")); + $comment_settings = $form->group("comment_settings")->label(t("Permissions")); + $comment_settings->dropdown("access_permissions") + ->label(t("Who can leave comments?")) + ->options(array("everybody" => t("Everybody"), + "registered_users" => t("Only registered users"))) + ->selected(module::get_var("comment", "access_permissions")); + $comment_settings->submit("save")->value(t("Save")); + return $form; + } +} + diff --git a/modules/comment/controllers/comments.php b/modules/comment/controllers/comments.php index 465b1bcd..c42ad24e 100644 --- a/modules/comment/controllers/comments.php +++ b/modules/comment/controllers/comments.php @@ -24,6 +24,9 @@ class Comments_Controller extends Controller { public function create($id) { $item = ORM::factory("item", $id); access::required("view", $item); + if (!comment::can_comment()) { + access::forbidden(); + } $form = comment::get_add_form($item); try { @@ -69,6 +72,9 @@ class Comments_Controller extends Controller { public function form_add($item_id) { $item = ORM::factory("item", $item_id); access::required("view", $item); + if (!comment::can_comment()) { + access::forbidden(); + } print comment::prefill_add_form(comment::get_add_form($item)); } diff --git a/modules/comment/helpers/comment.php b/modules/comment/helpers/comment.php index 94b14d0d..92a286c7 100644 --- a/modules/comment/helpers/comment.php +++ b/modules/comment/helpers/comment.php @@ -60,5 +60,10 @@ class comment_Core { } return $form; } + + static function can_comment() { + return !identity::active_user()->guest || + module::get_var("comment", "access_permissions") == "everybody"; + } } diff --git a/modules/comment/helpers/comment_event.php b/modules/comment/helpers/comment_event.php index 25fd4171..33d4cd05 100644 --- a/modules/comment/helpers/comment_event.php +++ b/modules/comment/helpers/comment_event.php @@ -51,13 +51,11 @@ class comment_event_Core { } static function admin_menu($menu, $theme) { - /* $menu->get("settings_menu") ->append(Menu::factory("link") ->id("comment") ->label(t("Comments")) ->url(url::site("admin/comments"))); - */ $menu->get("content_menu") ->append(Menu::factory("link") diff --git a/modules/comment/helpers/comment_installer.php b/modules/comment/helpers/comment_installer.php index 9ca47f1a..7a32bf67 100644 --- a/modules/comment/helpers/comment_installer.php +++ b/modules/comment/helpers/comment_installer.php @@ -47,7 +47,8 @@ class comment_installer { DEFAULT CHARSET=utf8;"); module::set_var("comment", "spam_caught", 0); - module::set_version("comment", 2); + module::set_var("comment", "access_permissions", "everybody"); + module::set_version("comment", 3); } static function upgrade($version) { @@ -56,6 +57,11 @@ class comment_installer { $db->query("ALTER TABLE {comments} CHANGE `state` `state` varchar(15) default 'unpublished'"); module::set_version("comment", 2); } + + if ($version == 2) { + module::set_var("comment", "access_permissions", "everybody"); + module::set_version("comment", 3); + } } static function uninstall() { diff --git a/modules/comment/module.info b/modules/comment/module.info index c371cf27..cd34f140 100644 --- a/modules/comment/module.info +++ b/modules/comment/module.info @@ -1,3 +1,3 @@ name = "Comments" description = "Allows users and guests to leave comments on photos and albums." -version = 2 +version = 3 diff --git a/modules/comment/views/admin_comments.html.php b/modules/comment/views/admin_comments.html.php new file mode 100644 index 00000000..dc6985b2 --- /dev/null +++ b/modules/comment/views/admin_comments.html.php @@ -0,0 +1,7 @@ +<?php defined("SYSPATH") or die("No direct script access.") ?> +<div class="g-block"> + <h1> <?= t("Comment settings") ?> </h1> + <div class="g-block-content"> + <?= $form ?> + </div> +</div> diff --git a/modules/comment/views/comments.html.php b/modules/comment/views/comments.html.php index e4322e08..9a608a43 100644 --- a/modules/comment/views/comments.html.php +++ b/modules/comment/views/comments.html.php @@ -1,9 +1,12 @@ <?php defined("SYSPATH") or die("No direct script access.") ?> - <a href="<?= url::site("form/add/comments/{$item->id}") ?>#comment-form" id="g-add-comment" +<? if (comment::can_comment()): ?> +<a href="<?= url::site("form/add/comments/{$item->id}") ?>#comment-form" id="g-add-comment" class="g-button ui-corner-all ui-icon-left ui-state-default"> <span class="ui-icon ui-icon-comment"></span> <?= t("Add a comment") ?> </a> +<? endif ?> + <div id="g-comment-detail"> <? if (!$comments->count()): ?> <p class="g-no-comments"> diff --git a/modules/gallery/helpers/item.php b/modules/gallery/helpers/item.php index 43c93225..bbbe1058 100644 --- a/modules/gallery/helpers/item.php +++ b/modules/gallery/helpers/item.php @@ -209,17 +209,14 @@ class item_Core { /** * Return a query to get a random Item_Model, with optional filters - * - * @param array (optional) where tuple */ - static function random_query($where=null) { + static function random_query() { // Pick a random number and find the item that's got nearest smaller number. // This approach works best when the random numbers in the system are roughly evenly // distributed so this is going to be more efficient with larger data sets. return ORM::factory("item") ->viewable() ->where("rand_key", "<", ((float)mt_rand()) / (float)mt_getrandmax()) - ->merge_where($where) ->order_by("rand_key", "DESC"); } }
\ No newline at end of file diff --git a/modules/gallery/helpers/item_rest.php b/modules/gallery/helpers/item_rest.php index ec86ce93..f99afbc2 100644 --- a/modules/gallery/helpers/item_rest.php +++ b/modules/gallery/helpers/item_rest.php @@ -152,7 +152,7 @@ class item_rest_Core { $item->type = "album"; $item->parent_id = $parent->id; $item->name = $entity->name; - $item->title = isset($entity->title) ? $entity->title : $name; + $item->title = isset($entity->title) ? $entity->title : $entity->name; $item->description = isset($entity->description) ? $entity->description : null; $item->slug = isset($entity->slug) ? $entity->slug : null; $item->save(); diff --git a/modules/gallery/helpers/items_rest.php b/modules/gallery/helpers/items_rest.php index 32597a65..9cca9a54 100644 --- a/modules/gallery/helpers/items_rest.php +++ b/modules/gallery/helpers/items_rest.php @@ -21,14 +21,14 @@ class items_rest_Core { /** * To retrieve a collection of items, you can specify the following query parameters to specify * the type of the collection. If both are specified, then the url parameter is used and the - * ancestor_for is ignored. Specifying the "type" parameter with the urls parameter, will + * ancestors_for is ignored. Specifying the "type" parameter with the urls parameter, will * filter the results based on the specified type. Using the type parameter with the - * ancestor_for parameter makes no sense and will be ignored. + * ancestors_for parameter makes no sense and will be ignored. * * urls=url1,url2,url3 * return items that match the specified urls. Typically used to return the member detail * - * ancestor_for=url + * ancestors_for=url * return the ancestors of the specified item * * type=<comma separate list of photo, movie or album> @@ -45,21 +45,21 @@ class items_rest_Core { if (access::can("view", $item)) { if (isset($types)) { if (in_array($item->type, $types)) { - $items[] = items_rest::format_restful_item($item); + $items[] = items_rest::_format_restful_item($item); } } else { - $items[] = items_rest::format_restful_item($item); + $items[] = items_rest::_format_restful_item($item); } } } - } else if (isset($request->params->ancestor_for)) { - $item = rest::resolve($request->params->ancestor_for); + } else if (isset($request->params->ancestors_for)) { + $item = rest::resolve($request->params->ancestors_for); if (!access::can("view", $item)) { throw new Kohana_404_Exception(); } - $items[] = items_rest::format_restful_item($item); + $items[] = items_rest::_format_restful_item($item); while (($item = $item->parent()) != null) { - array_unshift($items, items_rest::format_restful_item($item)); + array_unshift($items, items_rest::_format_restful_item($item)); }; } @@ -74,7 +74,7 @@ class items_rest_Core { return $item; } - private static function format_restful_item($item) { + private static function _format_restful_item($item) { $item_rest = array("url" => rest::url("item", $item), "entity" => $item->as_restful_array(), "relationships" => rest::relationships("item", $item)); diff --git a/modules/gallery/helpers/module.php b/modules/gallery/helpers/module.php index 18d65ed5..5134c7b3 100644 --- a/modules/gallery/helpers/module.php +++ b/modules/gallery/helpers/module.php @@ -214,13 +214,6 @@ class module_Core { throw new Exception("@todo UNKNOWN_MODULE"); } } - - // Now the module is upgraded so deactivate it, but we can'it deactivae gallery or the - // current identity provider. - $identity_provider = module::get_var("gallery", "identity_provider", "user"); - if (!in_array($module_name, array("gallery", $identity_provider)) ) { - self::deactivate($module_name); - } module::load_modules(); $version_after = module::get_version($module_name); diff --git a/modules/gallery/tests/controller_auth_data.txt b/modules/gallery/tests/controller_auth_data.txt index 0aa26057..94e7a07f 100644 --- a/modules/gallery/tests/controller_auth_data.txt +++ b/modules/gallery/tests/controller_auth_data.txt @@ -1,4 +1,4 @@ -modules/comment/controllers/admin_comments.php queue DIRTY_CSRF +modules/comment/controllers/admin_manage_comments.php queue DIRTY_CSRF modules/comment/helpers/comment_rss.php feed DIRTY_AUTH modules/digibug/controllers/digibug.php print_proxy DIRTY_CSRF|DIRTY_AUTH modules/digibug/controllers/digibug.php close_window DIRTY_AUTH diff --git a/modules/gallery/tests/xss_data.txt b/modules/gallery/tests/xss_data.txt index afad9e13..0a75d6f7 100644 --- a/modules/gallery/tests/xss_data.txt +++ b/modules/gallery/tests/xss_data.txt @@ -4,21 +4,21 @@ modules/akismet/views/admin_akismet_stats.html.php 9 DIRTY_ATTR urle modules/comment/views/admin_block_recent_comments.html.php 4 DIRTY_ATTR text::alternate("g-even","g-odd") modules/comment/views/admin_block_recent_comments.html.php 5 DIRTY_ATTR $comment->author()->avatar_url(32,$theme->url(,true)) modules/comment/views/admin_block_recent_comments.html.php 10 DIRTY gallery::date_time($comment->created) -modules/comment/views/admin_comments.html.php 43 DIRTY $menu->render() -modules/comment/views/admin_comments.html.php 107 DIRTY_ATTR $comment->id -modules/comment/views/admin_comments.html.php 107 DIRTY_ATTR text::alternate("g-odd","g-even") -modules/comment/views/admin_comments.html.php 110 DIRTY_ATTR $comment->author()->avatar_url(40,$theme->url(,true)) -modules/comment/views/admin_comments.html.php 123 DIRTY_JS $item->url() -modules/comment/views/admin_comments.html.php 125 DIRTY_ATTR $item->thumb_url() -modules/comment/views/admin_comments.html.php 127 DIRTY photo::img_dimensions($item->thumb_width,$item->thumb_height,75) -modules/comment/views/admin_comments.html.php 135 DIRTY gallery::date($comment->created) -modules/comment/views/admin_comments.html.php 142 DIRTY_JS $comment->id -modules/comment/views/admin_comments.html.php 151 DIRTY_JS $comment->id -modules/comment/views/admin_comments.html.php 160 DIRTY_JS $comment->id -modules/comment/views/admin_comments.html.php 169 DIRTY_JS $comment->id -modules/comment/views/admin_comments.html.php 176 DIRTY_JS $comment->id -modules/comment/views/admin_comments.html.php 184 DIRTY_JS $comment->id -modules/comment/views/admin_comments.html.php 197 DIRTY $pager +modules/comment/views/admin_manage_comments.html.php 43 DIRTY $menu->render() +modules/comment/views/admin_manage_comments.html.php 107 DIRTY_ATTR $comment->id +modules/comment/views/admin_manage_comments.html.php 107 DIRTY_ATTR text::alternate("g-odd","g-even") +modules/comment/views/admin_manage_comments.html.php 110 DIRTY_ATTR $comment->author()->avatar_url(40,$theme->url(,true)) +modules/comment/views/admin_manage_comments.html.php 123 DIRTY_JS $item->url() +modules/comment/views/admin_manage_comments.html.php 125 DIRTY_ATTR $item->thumb_url() +modules/comment/views/admin_manage_comments.html.php 127 DIRTY photo::img_dimensions($item->thumb_width,$item->thumb_height,75) +modules/comment/views/admin_manage_comments.html.php 135 DIRTY gallery::date($comment->created) +modules/comment/views/admin_manage_comments.html.php 142 DIRTY_JS $comment->id +modules/comment/views/admin_manage_comments.html.php 151 DIRTY_JS $comment->id +modules/comment/views/admin_manage_comments.html.php 160 DIRTY_JS $comment->id +modules/comment/views/admin_manage_comments.html.php 169 DIRTY_JS $comment->id +modules/comment/views/admin_manage_comments.html.php 176 DIRTY_JS $comment->id +modules/comment/views/admin_manage_comments.html.php 184 DIRTY_JS $comment->id +modules/comment/views/admin_manage_comments.html.php 197 DIRTY $pager modules/comment/views/comment.html.php 2 DIRTY_ATTR $comment->id; modules/comment/views/comment.html.php 5 DIRTY_ATTR $comment->author()->avatar_url(40,$theme->url(,true)) modules/comment/views/comment.mrss.php 10 DIRTY $feed->uri @@ -175,7 +175,7 @@ modules/gallery/views/move_tree.html.php 15 DIRTY_JS $child modules/gallery/views/movieplayer.html.php 2 DIRTY html::anchor($item->file_url(true),"",$attrs) modules/gallery/views/movieplayer.html.php 5 DIRTY_JS $attrs["id"] modules/gallery/views/movieplayer.html.php 7 DIRTY_JS url::abs_file("lib/flowplayer.swf") -modules/gallery/views/movieplayer.html.php 13 DIRTY_JS url::abs_file("lib/flowplayer.h264streaming.swf") +modules/gallery/views/movieplayer.html.php 14 DIRTY_JS url::abs_file("lib/flowplayer.pseudostreaming.swf") modules/gallery/views/permissions_browse.html.php 3 DIRTY_JS url::site("permissions/form/__ITEM__") modules/gallery/views/permissions_browse.html.php 16 DIRTY_JS url::site("permissions/change/__CMD__/__GROUP__/__PERM__/__ITEM__?csrf=$csrf") modules/gallery/views/permissions_browse.html.php 43 DIRTY_ATTR $parent->id @@ -320,7 +320,6 @@ modules/user/views/admin_users_group.html.php 24 DIRTY_JS $group modules/watermark/views/admin_watermarks.html.php 20 DIRTY_ATTR $width modules/watermark/views/admin_watermarks.html.php 20 DIRTY_ATTR $height modules/watermark/views/admin_watermarks.html.php 20 DIRTY_ATTR $url -themes/admin_wind/views/admin.html.php 9 DIRTY $page_title themes/admin_wind/views/admin.html.php 22 DIRTY_JS $theme->url() themes/admin_wind/views/admin.html.php 39 DIRTY $theme->admin_head() themes/admin_wind/views/admin.html.php 43 DIRTY $theme->admin_page_top() @@ -363,7 +362,7 @@ themes/wind/views/dynamic.html.php 16 DIRTY_ATTR $chi themes/wind/views/dynamic.html.php 17 DIRTY_ATTR $child->thumb_height themes/wind/views/dynamic.html.php 29 DIRTY $theme->paginator() themes/wind/views/movie.html.php 5 DIRTY $theme->paginator() -themes/wind/views/movie.html.php 8 DIRTY $item->movie_img(array("class"=>"g-movie","id"=>"g-movie-id-{$item->id}")) +themes/wind/views/movie.html.php 8 DIRTY $item->movie_img(array("class"=>"g-movie","id"=>"g-item-id-{$item->id}")) themes/wind/views/page.html.php 9 DIRTY $page_title themes/wind/views/page.html.php 33 DIRTY_JS $theme->url() themes/wind/views/page.html.php 42 DIRTY $new_width @@ -384,4 +383,4 @@ themes/wind/views/photo.html.php 8 DIRTY_JS $theme themes/wind/views/photo.html.php 8 DIRTY_JS $theme->item()->height themes/wind/views/photo.html.php 18 DIRTY $theme->paginator() themes/wind/views/photo.html.php 23 DIRTY_JS $item->file_url() -themes/wind/views/photo.html.php 25 DIRTY $item->resize_img(array("id"=>"g-photo-id-{$item->id}","class"=>"g-resize")) +themes/wind/views/photo.html.php 25 DIRTY $item->resize_img(array("id"=>"g-item-id-{$item->id}","class"=>"g-resize")) diff --git a/modules/image_block/helpers/image_block_block.php b/modules/image_block/helpers/image_block_block.php index 51ccc4a0..da6e8782 100644 --- a/modules/image_block/helpers/image_block_block.php +++ b/modules/image_block/helpers/image_block_block.php @@ -31,7 +31,7 @@ class image_block_block_Core { // @todo Consider another fallback if further optimizations are necessary. $attempts = 0; do { - $item = item::random_query(array(array("type", "!=", "album")))->find_all(1)->current(); + $item = item::random_query()->where("type", "!=", "album")->find_all(1)->current(); } while (!$item && $attempts++ < 3); if ($item && $item->loaded()) { $block = new Block(); diff --git a/modules/rest/helpers/rest.php b/modules/rest/helpers/rest.php index 49999520..72927c71 100644 --- a/modules/rest/helpers/rest.php +++ b/modules/rest/helpers/rest.php @@ -39,7 +39,12 @@ class rest_Core { static function set_active_user($access_key) { if (empty($access_key)) { - throw new Rest_Exception("Forbidden", 403); + if (module::get_var("rest", "allow_guest_access")) { + identity::set_active_user(identity::guest()); + return; + } else { + throw new Rest_Exception("Forbidden", 403); + } } $key = ORM::factory("user_access_key") diff --git a/modules/rest/helpers/rest_installer.php b/modules/rest/helpers/rest_installer.php index aeb9573e..c2694a29 100644 --- a/modules/rest/helpers/rest_installer.php +++ b/modules/rest/helpers/rest_installer.php @@ -28,7 +28,8 @@ class rest_installer { UNIQUE KEY(`access_key`), UNIQUE KEY(`user_id`)) DEFAULT CHARSET=utf8;"); - module::set_version("rest", 2); + module::set_var("rest", "allow_guest_access", false); + module::set_version("rest", 3); } static function upgrade($version) { @@ -37,6 +38,11 @@ class rest_installer { $db->query("RENAME TABLE {user_access_tokens} TO {user_access_keys}"); module::set_version("rest", $version = 2); } + + if ($version == 2) { + module::set_var("rest", "allow_guest_access", false); + module::set_version("rest", $version = 3); + } } static function uninstall() { diff --git a/modules/rest/module.info b/modules/rest/module.info index 3ab7e165..4b6b5464 100644 --- a/modules/rest/module.info +++ b/modules/rest/module.info @@ -1,4 +1,4 @@ name = "REST Access Module" description = "The RESTful implementation/interface to Gallery3" -version = 2 +version = 3 |