diff options
| -rw-r--r-- | modules/gallery/helpers/item_ordered_members_rest.php | 82 | ||||
| -rw-r--r-- | modules/gallery/helpers/item_rest.php | 93 | ||||
| -rw-r--r-- | modules/gallery/models/item.php | 2 | ||||
| -rw-r--r-- | modules/rest/controllers/rest.php | 7 | ||||
| -rw-r--r-- | modules/tag/helpers/item_tags_rest.php | 5 | ||||
| -rw-r--r-- | modules/tag/helpers/tag_item_rest.php | 2 | ||||
| -rw-r--r-- | modules/tag/helpers/tag_items_rest.php | 4 | ||||
| -rw-r--r-- | modules/tag/helpers/tag_rest.php | 27 | ||||
| -rw-r--r-- | modules/tag/helpers/tags_rest.php | 6 |
9 files changed, 85 insertions, 143 deletions
diff --git a/modules/gallery/helpers/item_ordered_members_rest.php b/modules/gallery/helpers/item_ordered_members_rest.php deleted file mode 100644 index 5ae331bc..00000000 --- a/modules/gallery/helpers/item_ordered_members_rest.php +++ /dev/null @@ -1,82 +0,0 @@ -<?php defined("SYSPATH") or die("No direct script access."); -/** - * Gallery - a web based photo album viewer and editor - * Copyright (C) 2000-2010 Bharat Mediratta - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or (at - * your option) any later version. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - * General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA. - */ -class item_ordered_members_rest_Core { - static function get($request) { - $item = rest::resolve($request->url); - $ordered_members = array(); - foreach ($item->children() as $child) { - $ordered_members[] = rest::url("item", $child); - } - - return array( - "url" => $request->url, - "entity" => array("ordered_members" => $ordered_members)); - } - - static function put($request) { - $item = rest::resolve($request->url); - access::required("edit", $item); - - // Verify that we're not adding or removing members this way - if (count($request->params->ordered_members) != $item->children_count()) { - throw new Rest_Exception("Bad Request", 400); - } - - $ordered_members = array(); - foreach ($request->params->ordered_members as $url) { - $member = rest::resolve($url); - if ($member->parent_id != $item->id) { - throw new Rest_Exception("Bad Request", 400); - } - $ordered_members[] = $member; - } - - // Update all the weights. This is a pretty inefficient way to do this if we're just changing - // one or two elements, but it's easy. We could optimize this by looking at the current order - // and figuring out which elements have moved and then only changing those values. - $i = 0; - foreach ($ordered_members as $member) { - $member->weight = $i++; - $member->save(); - } - } - - static function relationships($resource_type, $resource) { - if ($resource_type == "item" && $resource->is_album()) { - return array( - "item_ordered_members" => array( - "url" => rest::url("item_ordered_members", $resource))); - } - - return array(); - } - - static function resolve($id) { - $item = ORM::factory("item", $id); - if (!access::can("view", $item) || !$item->is_album()) { - throw new Kohana_404_Exception(); - } - return $item; - } - - static function url($item) { - return url::abs_site("rest/item_ordered_members/{$item->id}"); - } -} diff --git a/modules/gallery/helpers/item_rest.php b/modules/gallery/helpers/item_rest.php index 16abec5a..f52713b8 100644 --- a/modules/gallery/helpers/item_rest.php +++ b/modules/gallery/helpers/item_rest.php @@ -70,6 +70,14 @@ class item_rest_Core { $orm->where("type", "IN", explode(",", $p->type)); } + // Apply the item's sort order, using id as the tie breaker. + // See Item_Model::children() + $order_by = array($item->sort_column => $item->sort_order); + if ($item->sort_column != "id") { + $order_by["id"] = "ASC"; + } + $orm->order_by($order_by); + $members = array(); foreach ($orm->find_all() as $child) { $members[] = rest::url("item", $child); @@ -86,33 +94,44 @@ class item_rest_Core { $item = rest::resolve($request->url); access::required("edit", $item); - $params = $request->params; - - // Only change fields from a whitelist. - foreach (array("album_cover", "captured", "description", - "height", "mime_type", "name", "parent", "rand_key", "resize_dirty", - "resize_height", "resize_width", "slug", "sort_column", "sort_order", - "thumb_dirty", "thumb_height", "thumb_width", "title", "view_count", - "weight", "width") as $key) { - switch ($key) { - case "album_cover": - if (property_exists($request->params, "album_cover")) { - $album_cover_item = rest::resolve($request->params->album_cover); - access::required("view", $album_cover_item); - $item->album_cover_item_id = $album_cover_item->id; + if ($entity = $request->params->entity) { + // Only change fields from a whitelist. + foreach (array("album_cover", "captured", "description", + "height", "mime_type", "name", "parent", "rand_key", "resize_dirty", + "resize_height", "resize_width", "slug", "sort_column", "sort_order", + "thumb_dirty", "thumb_height", "thumb_width", "title", "view_count", + "width") as $key) { + switch ($key) { + case "album_cover": + if (property_exists($entity, "album_cover")) { + $album_cover_item = rest::resolve($entity->album_cover); + access::required("view", $album_cover_item); + $item->album_cover_item_id = $album_cover_item->id; + } + break; + + case "parent": + if (property_exists($entity, "parent")) { + $parent = rest::resolve($entity->parent); + access::required("edit", $parent); + $item->parent_id = $parent->id; + } + break; + default: + if (property_exists($entity, $key)) { + $item->$key = $entity->$key; + } } - break; + } + } - case "parent": - if (property_exists($request->params, "parent")) { - $parent = rest::resolve($request->params->parent); - access::required("edit", $parent); - $item->parent_id = $parent->id; - } - break; - default: - if (property_exists($request->params, $key)) { - $item->$key = $request->params->$key; + $weight = 0; + if (isset($request->params->members)) { + foreach ($request->params->members as $url) { + $child = rest::resolve($url); + if ($child->parent_id == $item->id && $child->weight != $weight) { + $child->weight = $weight++; + $child->save(); } } } @@ -123,33 +142,33 @@ class item_rest_Core { $parent = rest::resolve($request->url); access::required("edit", $parent); - $params = $request->params; + $entity = $request->params->entity; $item = ORM::factory("item"); - switch ($params->type) { + switch ($entity->type) { case "album": $item->type = "album"; $item->parent_id = $parent->id; - $item->name = $params->name; - $item->title = isset($params->title) ? $params->title : $name; - $item->description = isset($params->description) ? $params->description : null; - $item->slug = isset($params->slug) ? $params->slug : null; + $item->name = $entity->name; + $item->title = isset($entity->title) ? $entity->title : $name; + $item->description = isset($entity->description) ? $entity->description : null; + $item->slug = isset($entity->slug) ? $entity->slug : null; $item->save(); break; case "photo": case "movie": - $item->type = $params->type; + $item->type = $entity->type; $item->parent_id = $parent->id; $item->set_data_file($request->file); - $item->name = $params->name; - $item->title = isset($params->title) ? $params->title : $params->name; - $item->description = isset($params->description) ? $params->description : null; - $item->slug = isset($params->slug) ? $params->slug : null; + $item->name = $entity->name; + $item->title = isset($entity->title) ? $entity->title : $entity->name; + $item->description = isset($entity->description) ? $entity->description : null; + $item->slug = isset($entity->slug) ? $entity->slug : null; $item->save(); break; default: - throw new Rest_Exception("Invalid type: $params->type", 400); + throw new Rest_Exception("Invalid type: $entity->type", 400); } return array("url" => rest::url("item", $item)); diff --git a/modules/gallery/models/item.php b/modules/gallery/models/item.php index 6ede5109..4a87a2ab 100644 --- a/modules/gallery/models/item.php +++ b/modules/gallery/models/item.php @@ -941,7 +941,7 @@ class Item_Model extends ORM_MPTT { // Elide some internal-only data that is going to cause confusion in the client. foreach (array("relative_path_cache", "relative_url_cache", "left_ptr", "right_ptr", - "thumb_dirty", "resize_dirty") as $key) { + "thumb_dirty", "resize_dirty", "weight") as $key) { unset($data[$key]); } return $data; diff --git a/modules/rest/controllers/rest.php b/modules/rest/controllers/rest.php index 29334cea..dab54976 100644 --- a/modules/rest/controllers/rest.php +++ b/modules/rest/controllers/rest.php @@ -54,6 +54,13 @@ class Rest_Controller extends Controller { break; } + if (isset($request->params->entity)) { + $request->params->entity = json_decode($request->params->entity); + } + if (isset($request->params->members)) { + $request->params->members = json_decode($request->params->members); + } + $request->method = strtolower($input->server("HTTP_X_GALLERY_REQUEST_METHOD", $method)); $request->access_key = $input->server("HTTP_X_GALLERY_REQUEST_KEY"); $request->url = url::abs_current(true); diff --git a/modules/tag/helpers/item_tags_rest.php b/modules/tag/helpers/item_tags_rest.php index 8a1b1e8b..02c79e5d 100644 --- a/modules/tag/helpers/item_tags_rest.php +++ b/modules/tag/helpers/item_tags_rest.php @@ -31,8 +31,8 @@ class item_tags_rest_Core { } static function post($request) { - $tag = rest::resolve($request->params->tag); - $item = rest::resolve($request->params->item); + $tag = rest::resolve($request->params->entity->tag); + $item = rest::resolve($request->params->entity->item); access::required("view", $item); tag::add($item, $tag->name); @@ -45,6 +45,7 @@ class item_tags_rest_Core { static function delete($request) { list ($tag, $item) = rest::resolve($request->url); + access::required("edit", $item); $tag->remove($item); $tag->save(); } diff --git a/modules/tag/helpers/tag_item_rest.php b/modules/tag/helpers/tag_item_rest.php index bce00a9f..17cb726e 100644 --- a/modules/tag/helpers/tag_item_rest.php +++ b/modules/tag/helpers/tag_item_rest.php @@ -22,7 +22,7 @@ class tag_item_rest_Core { list ($tag, $item) = rest::resolve($request->url); return array( "url" => $request->url, - "members" => array( + "entity" => array( "tag" => rest::url("tag", $tag), "item" => rest::url("item", $item))); } diff --git a/modules/tag/helpers/tag_items_rest.php b/modules/tag/helpers/tag_items_rest.php index 003c7c95..848c2cd3 100644 --- a/modules/tag/helpers/tag_items_rest.php +++ b/modules/tag/helpers/tag_items_rest.php @@ -33,8 +33,8 @@ class tag_items_rest_Core { } static function post($request) { - $tag = rest::resolve($request->params->tag); - $item = rest::resolve($request->params->item); + $tag = rest::resolve($request->params->entity->tag); + $item = rest::resolve($request->params->entity->item); access::required("view", $item); if (!$tag->loaded()) { diff --git a/modules/tag/helpers/tag_rest.php b/modules/tag/helpers/tag_rest.php index f30706bd..e0b7bd87 100644 --- a/modules/tag/helpers/tag_rest.php +++ b/modules/tag/helpers/tag_rest.php @@ -36,28 +36,25 @@ class tag_rest_Core { "members" => $tag_items))); } - static function post($request) { - if (empty($request->params->url)) { - throw new Rest_Exception("Bad request", 400); - } - - $tag = rest::resolve($request->url); - $item = rest::resolve($request->params->url); - access::required("edit", $item); - - tag::add($item, $tag->name); - return array("url" => rest::url("tag_item", $tag, $item)); - } - static function put($request) { + // Who can we allow to edit a tag name? If we allow anybody to do it then any logged in + // user can rename all your tags to something offensive. Right now limit renaming to admins. + if (!identity::active_user()->admin) { + access::forbidden(); + } $tag = rest::resolve($request->url); - if (isset($request->params->name)) { - $tag->name = $request->params->name; + if (isset($request->params->entity->name)) { + $tag->name = $request->params->entity->name; $tag->save(); } } static function delete($request) { + // Restrict deleting tags to admins. Otherwise, a logged in user can do great harm to an + // install. + if (!identity::active_user()->admin) { + access::forbidden(); + } $tag = rest::resolve($request->url); $tag->delete(); } diff --git a/modules/tag/helpers/tags_rest.php b/modules/tag/helpers/tags_rest.php index 82826d8e..434e774a 100644 --- a/modules/tag/helpers/tags_rest.php +++ b/modules/tag/helpers/tags_rest.php @@ -40,13 +40,13 @@ class tags_rest_Core { } } - if (empty($request->params->name)) { + if (empty($request->params->entity->name)) { throw new Rest_Exception("Bad Request", 400); } - $tag = ORM::factory("tag")->where("name", "=", $request->params->name)->find(); + $tag = ORM::factory("tag")->where("name", "=", $request->params->entity->name)->find(); if (!$tag->loaded()) { - $tag->name = $request->params->name; + $tag->name = $request->params->entity->name; $tag->count = 0; $tag->save(); } |