Diffstat (limited to 'modules/gallery')
-rw-r--r--modules/gallery/controllers/reauthenticate.php11
-rw-r--r--modules/gallery/controllers/upgrader.php21
-rw-r--r--modules/gallery/helpers/gallery_event.php4
-rw-r--r--modules/gallery/models/item.php50
-rw-r--r--modules/gallery/tests/Item_Model_Test.php57
-rw-r--r--modules/gallery/tests/controller_auth_data.txt2
-rw-r--r--modules/gallery/tests/xss_data.txt37
-rw-r--r--modules/gallery/views/upgrader.html.php2
8 files changed, 106 insertions, 78 deletions
diff --git a/modules/gallery/controllers/reauthenticate.php b/modules/gallery/controllers/reauthenticate.php
index 0486c0fe..53a96374 100644
--- a/modules/gallery/controllers/reauthenticate.php
+++ b/modules/gallery/controllers/reauthenticate.php
@@ -19,12 +19,19 @@
*/
class Reauthenticate_Controller extends Controller {
public function index() {
+ $is_ajax = Session::instance()->get_once("is_ajax_request", request::is_ajax());
if (!identity::active_user()->admin) {
- access::forbidden();
+ if ($is_ajax) {
+ // We should never be able to get here since Admin_Controller::_reauth_check() won't work
+ // for non-admins.
+ access::forbidden();
+ } else {
+ url::redirect(item::root()->abs_url());
+ }
}
+
// On redirects from the admin controller, the ajax request indicator is lost,
// so we store it in the session.
- $is_ajax = Session::instance()->get_once("is_ajax_request", request::is_ajax());
if ($is_ajax) {
$v = new View("reauthenticate.html");
$v->form = self::_form();
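Review bot: The comment "On redirects from the admin controller, the ajax request indicator is lost, so we store it in the session." now describes the `$is_ajax = Session::instance()->get_once("is_ajax_request", request::is_ajax());` line that this commit moved to the top of `index()`, so it is stranded two branches below the code it explains; move it to sit directly above that assignment. The new non-ajax branch for non-admins redirects to the root album instead of answering 403, which is a deliberate behaviour change that only the ajax side of the `if` documents; a one-line note such as `// Non-admins have nothing to reauthenticate; send them to the root album instead of a bare 403.` would make the intent explicit. `index()` continues past the end of this hunk.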
diff --git a/modules/gallery/controllers/upgrader.php b/modules/gallery/controllers/upgrader.php
index 6613d671..b2646874 100644
--- a/modules/gallery/controllers/upgrader.php
+++ b/modules/gallery/controllers/upgrader.php
@@ -54,8 +54,16 @@ class Upgrader_Controller extends Controller {
// @todo this may screw up some module installers, but we don't have a better answer at
// this time.
$_SERVER["HTTP_HOST"] = "example.com";
- } else if (!identity::active_user()->admin && !Session::instance()->get("can_upgrade", false)) {
- access::forbidden();
+ } else {
+ if (!identity::active_user()->admin && !Session::instance()->get("can_upgrade", false)) {
+ access::forbidden();
+ }
+
+ try {
+ access::verify_csrf();
+ } catch (Exception $e) {
+ url::redirect("upgrader");
+ }
}
$available = module::available();
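Review bot: The `catch (Exception $e)` wrapped around `access::verify_csrf()` catches every exception type and converts it into a redirect to "upgrader", so an unrelated failure inside the check is also silently turned into a redirect rather than surfacing; narrow the catch to the exception class `verify_csrf()` actually throws, or drop the try/catch and let the access failure propagate. The redirect is also relied on to stop execution: if `url::redirect()` does not terminate the request, control falls through to `module::available()` and the upgrade proceeds without a valid token, so confirm that it exits or add an explicit `return;` after it. The enclosing method begins before this hunk.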
@@ -87,7 +95,14 @@ class Upgrader_Controller extends Controller {
site_status::clear("upgrade_now");
if (php_sapi_name() == "cli") {
- print "Upgrade complete\n";
+ if ($failed) {
+ print "Upgrade completed ** WITH FAILURES **\n";
+ print "The following modules were not successfully upgraded:\n";
+ print " " . implode($failed, "\n ") . "\n";
+ print "Try getting newer versions or deactivating those modules\n";
+ } else {
+ print "Upgrade complete\n";
+ }
} else {
url::redirect("upgrader?failed=" . join(",", $failed));
}
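Review bot: `implode($failed, "\n ")` on the line printing the failed module list passes the array first and the glue second, which is the legacy argument order (deprecated in PHP 7.4 and a TypeError in PHP 8); the sibling call a few lines below uses the conventional `join(",", $failed)`. Change it to `print " " . implode("\n ", $failed) . "\n";` so both calls agree and the code keeps working on newer runtimes. The enclosing method begins before this hunk.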
diff --git a/modules/gallery/helpers/gallery_event.php b/modules/gallery/helpers/gallery_event.php
index 0ba98025..5b1db987 100644
--- a/modules/gallery/helpers/gallery_event.php
+++ b/modules/gallery/helpers/gallery_event.php
@@ -211,9 +211,9 @@ class gallery_event_Core {
if (Router::$controller == "admin") {
$continue_url = url::abs_site("");
- } else if (isset($theme->item)) {
+ } else if ($item = $theme->item()) {
if (access::user_can(identity::guest(), "view", $theme->item)) {
- $continue_url = $theme->item->abs_url();
+ $continue_url = $item->abs_url();
} else {
$continue_url = item::root()->abs_url();
}
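Review bot: The permission check `access::user_can(identity::guest(), "view", $theme->item)` still reads the `$theme->item` property, while the condition on the line above and the `abs_url()` call below were switched in this commit to the `$theme->item()` result held in `$item`; if the property and the method can ever differ, the guest-view check and the continue URL would be evaluated for different items. Use the same variable on all three lines: `if (access::user_can(identity::guest(), "view", $item)) {`. The enclosing method begins and ends outside this hunk.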
diff --git a/modules/gallery/models/item.php b/modules/gallery/models/item.php
index cdba0241..3ceb5e37 100644
--- a/modules/gallery/models/item.php
+++ b/modules/gallery/models/item.php
@@ -357,26 +357,7 @@ class Item_Model extends ORM_MPTT {
}
}
- // Randomize the name or slug if there's a conflict. Preserve the extension.
- // @todo Improve this. Random numbers are not user friendly
- $base_name = pathinfo($this->name, PATHINFO_FILENAME);
- $base_ext = pathinfo($this->name, PATHINFO_EXTENSION);
- $base_slug = $this->slug;
- while (ORM::factory("item")
- ->where("parent_id", "=", $this->parent_id)
- ->and_open()
- ->where("name", "=", $this->name)
- ->or_where("slug", "=", $this->slug)
- ->close()
- ->find()->id) {
- $rand = rand();
- if ($base_ext) {
- $this->name = "$base_name-$rand.$base_ext";
- } else {
- $this->name = "$base_name-$rand";
- }
- $this->slug = "$base_slug-$rand";
- }
+ $this->_randomize_name_or_slug_on_conflict();
parent::save();
@@ -427,6 +408,8 @@ class Item_Model extends ORM_MPTT {
$this->relative_url_cache = null;
}
+ $this->_randomize_name_or_slug_on_conflict();
+
parent::save();
// Now update the filesystem and any database caches if there were significant value
@@ -505,6 +488,33 @@ class Item_Model extends ORM_MPTT {
}
/**
+ * Check to see if there's another item that occupies the same name or slug that this item
+ * intends to use, and if so choose a new name/slug while preserving the extension.
+ * @todo Improve this. Random numbers are not user friendly
+ */
+ private function _randomize_name_or_slug_on_conflict() {
+ $base_name = pathinfo($this->name, PATHINFO_FILENAME);
+ $base_ext = pathinfo($this->name, PATHINFO_EXTENSION);
+ $base_slug = $this->slug;
+ while (ORM::factory("item")
+ ->where("parent_id", "=", $this->parent_id)
+ ->where("id", "<>", $this->id)
+ ->and_open()
+ ->where("name", "=", $this->name)
+ ->or_where("slug", "=", $this->slug)
+ ->close()
+ ->find()->id) {
+ $rand = rand();
+ if ($base_ext) {
+ $this->name = "$base_name-$rand.$base_ext";
+ } else {
+ $this->name = "$base_name-$rand";
+ }
+ $this->slug = "$base_slug-$rand";
+ }
+ }
+
+ /**
* Return the Item_Model representing the cover for this album.
* @return Item_Model or null if there's no cover
*/
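Review bot: The new `->where("id", "<>", $this->id)` clause in `_randomize_name_or_slug_on_conflict()` is also reached from the create path, where the earlier item.php hunk (`@@ -357,26 +357,7 @@`) replaced the inline loop with a call to this helper before `parent::save()`; if `$this->id` is null for an unsaved item, a literal `id <> NULL` comparison is never true in SQL and the conflict check silently passes for new items, unless the query builder rewrites a null operand to `IS NOT NULL`. Worth confirming what the builder emits for a null id; otherwise build the query in a variable and add the clause only when the item already has an id, e.g. `$conflicts = ORM::factory("item")->where("parent_id", "=", $this->parent_id); if ($this->id) { $conflicts->where("id", "<>", $this->id); }` before the name/slug sub-condition. The docblock could also state that the method is shared by the create and update paths and that it mutates `$this->name` and `$this->slug` in place until no sibling under `parent_id` uses either.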
diff --git a/modules/gallery/tests/Item_Model_Test.php b/modules/gallery/tests/Item_Model_Test.php
index bd123098..90c54e3c 100644
--- a/modules/gallery/tests/Item_Model_Test.php
+++ b/modules/gallery/tests/Item_Model_Test.php
@@ -136,20 +136,17 @@ class Item_Model_Test extends Gallery_Unit_Test_Case {
$this->assert_true(false, "Shouldn't get here");
}
- public function item_rename_fails_with_existing_name_test() {
+ public function item_rename_over_existing_name_gets_uniqified_test() {
// Create a test photo
$item = test::random_photo();
$item2 = test::random_photo();
- try {
- $item->name = $item2->name;
- $item->save();
- } catch (ORM_Validation_Exception $e) {
- $this->assert_true(in_array("conflict", $e->validation->errors()));
- return;
- }
+ $item->name = $item2->name;
+ $item->save();
- $this->assert_false(true, "rename should conflict");
+ // foo.jpg should become foo-####.jpg
+ $this->assert_true(
+ preg_match("/" . str_replace(".jpg", "", $item2->name) . "-\d+\.jpg/", $item->name));
}
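Review bot: The pattern built on the `preg_match("/" . str_replace(".jpg", "", $item2->name) . "-\d+\.jpg/", $item->name)` line interpolates the photo name without `preg_quote()` and is unanchored, so a name containing regex metacharacters would change the pattern's meaning and the match also accepts any name that merely contains the expected text; the same shape recurs in the later hunks of this file (`"/{$album->name}-\d+/"`, `"/{$album->slug}-\d+/"` and the `$photo1->name` pattern). Prefer `preg_match("/^" . preg_quote(pathinfo($item2->name, PATHINFO_FILENAME), "/") . "-\d+\.jpg$/", $item->name)`. This presumably passes today because `test::random_photo()` names are simple, but the assertion would fail confusingly if that ever changes.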
public function move_album_test() {
@@ -208,24 +205,21 @@ class Item_Model_Test extends Gallery_Unit_Test_Case {
$this->assert_equal("file", file_get_contents($photo->file_path()));
}
- public function move_album_fails_conflicting_target_test() {
+ public function move_album_with_conflicting_target_gets_uniqified_test() {
$album = test::random_album();
$source = test::random_album_unsaved($album);
$source->name = $album->name;
$source->save();
// $source and $album have the same name, so if we move $source into the root they should
- // conflict.
+ // conflict and get randomized
- try {
- $source->parent_id = item::root()->id;
- $source->save();
- } catch (ORM_Validation_Exception $e) {
- $this->assert_equal(
- array("name" => "conflict", "slug" => "conflict"), $e->validation->errors());
- return;
- }
- $this->assert_true(false, "Shouldn't get here");
+ $source->parent_id = item::root()->id;
+ $source->save();
+
+ // foo should become foo-####
+ $this->assert_true(preg_match("/{$album->name}-\d+/", $source->name));
+ $this->assert_true(preg_match("/{$album->slug}-\d+/", $source->slug));
}
public function move_album_fails_wrong_target_type_test() {
@@ -245,7 +239,7 @@ class Item_Model_Test extends Gallery_Unit_Test_Case {
$this->assert_true(false, "Shouldn't get here");
}
- public function move_photo_fails_conflicting_target_test() {
+ public function move_photo_with_conflicting_target_gets_uniqified_test() {
$photo1 = test::random_photo();
$album = test::random_album();
$photo2 = test::random_photo_unsaved($album);
@@ -253,18 +247,17 @@ class Item_Model_Test extends Gallery_Unit_Test_Case {
$photo2->save();
// $photo1 and $photo2 have the same name, so if we move $photo1 into the root they should
- // conflict.
+ // conflict and get uniqified.
- try {
- $photo2->parent_id = item::root()->id;
- $photo2->save();
- } catch (Exception $e) {
- // pass
- $this->assert_equal(
- array("name" => "conflict", "slug" => "conflict"), $e->validation->errors());
- return;
- }
- $this->assert_true(false, "Shouldn't get here");
+ $photo2->parent_id = item::root()->id;
+ $photo2->save();
+
+ // foo.jpg should become foo-####.jpg
+ $this->assert_true(
+ preg_match("/" . str_replace(".jpg", "", $photo1->name) . "-\d+\.jpg/", $photo2->name));
+
+ // foo should become foo
+ $this->assert_true(preg_match("/{$photo1->slug}/", $photo2->name));
}
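Review bot: The final assertion `$this->assert_true(preg_match("/{$photo1->slug}/", $photo2->name));` matches the slug pattern against `$photo2->name` rather than `$photo2->slug`, and its comment "foo should become foo" contradicts the `_randomize_name_or_slug_on_conflict()` helper added in this commit, which sets `$this->slug = "$base_slug-$rand"` on every rename; the album test earlier in this file asserts `-\d+` on the slug for the same reason. Change it to `// foo should become foo-####` followed by `$this->assert_true(preg_match("/{$photo1->slug}-\d+/", $photo2->slug));`. As written the check passes whenever the slug text appears anywhere in the new name, so it does not detect the mismatch.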
public function move_album_inside_descendent_fails_test() {
diff --git a/modules/gallery/tests/controller_auth_data.txt b/modules/gallery/tests/controller_auth_data.txt
index 212577c7..03032fd9 100644
--- a/modules/gallery/tests/controller_auth_data.txt
+++ b/modules/gallery/tests/controller_auth_data.txt
@@ -15,7 +15,7 @@ modules/gallery/controllers/login.php html
modules/gallery/controllers/login.php auth_html DIRTY_AUTH
modules/gallery/controllers/logout.php index DIRTY_AUTH
modules/gallery/controllers/quick.php form_edit DIRTY_CSRF
-modules/gallery/controllers/upgrader.php index DIRTY_AUTH
+modules/gallery/controllers/upgrader.php index DIRTY_CSRF|DIRTY_AUTH
modules/gallery/controllers/uploader.php start DIRTY_AUTH
modules/gallery/controllers/uploader.php status DIRTY_AUTH
modules/gallery/controllers/uploader.php finish DIRTY_AUTH
diff --git a/modules/gallery/tests/xss_data.txt b/modules/gallery/tests/xss_data.txt
index 8d26092b..6821c963 100644
--- a/modules/gallery/tests/xss_data.txt
+++ b/modules/gallery/tests/xss_data.txt
@@ -42,7 +42,7 @@ modules/digibug/views/digibug_form.html.php 4 DIRTY form::
modules/digibug/views/digibug_form.html.php 6 DIRTY form::hidden($key,$value)
modules/exif/views/exif_dialog.html.php 14 DIRTY $details[$i]["caption"]
modules/exif/views/exif_dialog.html.php 21 DIRTY $details[$i]["caption"]
-modules/g2_import/views/admin_g2_import.html.php 30 DIRTY $form
+modules/g2_import/views/admin_g2_import.html.php 9 DIRTY $form
modules/gallery/views/admin_advanced_settings.html.php 21 DIRTY_ATTR text::alternate("g-odd","g-even")
modules/gallery/views/admin_advanced_settings.html.php 22 DIRTY $var->module_name
modules/gallery/views/admin_block_log_entries.html.php 4 DIRTY_ATTR log::severity_class($entry->severity)
@@ -248,14 +248,15 @@ modules/gallery/views/permissions_form.html.php 80 DIRTY_JS $permi
modules/gallery/views/permissions_form.html.php 80 DIRTY_JS $item->id
modules/gallery/views/quick_delete_confirm.html.php 11 DIRTY $form
modules/gallery/views/reauthenticate.html.php 9 DIRTY $form
-modules/gallery/views/upgrader.html.php 59 DIRTY_ATTR $done?"muted":""
-modules/gallery/views/upgrader.html.php 63 DIRTY_ATTR $done?"muted":""
-modules/gallery/views/upgrader.html.php 71 DIRTY_ATTR $module->version==$module->code_version?"current":"upgradeable"
-modules/gallery/views/upgrader.html.php 72 DIRTY_ATTR $id
-modules/gallery/views/upgrader.html.php 76 DIRTY $module->version
-modules/gallery/views/upgrader.html.php 79 DIRTY $module->code_version
-modules/gallery/views/upgrader.html.php 101 DIRTY_ATTR $done?"muted":""
-modules/gallery/views/upgrader.html.php 104 DIRTY_ATTR $done?"muted":""
+modules/gallery/views/upgrader.html.php 76 DIRTY_ATTR $done?"muted":""
+modules/gallery/views/upgrader.html.php 94 DIRTY_ATTR $done?"muted":""
+modules/gallery/views/upgrader.html.php 102 DIRTY_ATTR $module->version==$module->code_version?"current":"upgradeable"
+modules/gallery/views/upgrader.html.php 102 DIRTY_ATTR in_array($id,$failed)?"failed":""
+modules/gallery/views/upgrader.html.php 103 DIRTY_ATTR $id
+modules/gallery/views/upgrader.html.php 107 DIRTY $module->version
+modules/gallery/views/upgrader.html.php 110 DIRTY $module->code_version
+modules/gallery/views/upgrader.html.php 120 DIRTY_ATTR $done?"muted":""
+modules/gallery/views/upgrader.html.php 123 DIRTY_ATTR $done?"muted":""
modules/gallery/views/user_languages_block.html.php 2 DIRTY form::dropdown("g-select-session-locale",$installed_locales,$selected)
modules/gallery/views/user_profile.html.php 34 DIRTY_ATTR $user->avatar_url(40,$theme->url(,true))
modules/gallery/views/user_profile.html.php 43 DIRTY $info->view
@@ -338,15 +339,17 @@ modules/tag/views/tag_cloud.html.php 6 DIRTY_JS $tag->
modules/user/views/admin_users.html.php 3 DIRTY_JS url::site("admin/users/add_user_to_group/__USERID__/__GROUPID__?csrf=$csrf")
modules/user/views/admin_users.html.php 26 DIRTY_JS url::site("admin/users/group/__GROUPID__")
modules/user/views/admin_users.html.php 36 DIRTY_JS url::site("admin/users/remove_user_from_group/__USERID__/__GROUPID__?csrf=$csrf")
-modules/user/views/admin_users.html.php 71 DIRTY_ATTR $user->id
-modules/user/views/admin_users.html.php 71 DIRTY_ATTR text::alternate("g-odd","g-even")
-modules/user/views/admin_users.html.php 71 DIRTY_ATTR $user->admin?"g-admin":""
modules/user/views/admin_users.html.php 72 DIRTY_ATTR $user->id
-modules/user/views/admin_users.html.php 73 DIRTY_ATTR $user->avatar_url(20,$theme->url(,true))
-modules/user/views/admin_users.html.php 87 DIRTY ($user->last_login==0)?"":gallery::date($user->last_login)
-modules/user/views/admin_users.html.php 123 DIRTY_ATTR $group->id
-modules/user/views/admin_users.html.php 123 DIRTY_ATTR ($group->special?"g-default-group":"")
-modules/user/views/admin_users.html.php 125 DIRTY $v
+modules/user/views/admin_users.html.php 72 DIRTY_ATTR text::alternate("g-odd","g-even")
+modules/user/views/admin_users.html.php 72 DIRTY_ATTR $user->admin?"g-admin":""
+modules/user/views/admin_users.html.php 73 DIRTY_ATTR $user->id
+modules/user/views/admin_users.html.php 74 DIRTY_ATTR $user->avatar_url(20,$theme->url(,true))
+modules/user/views/admin_users.html.php 88 DIRTY ($user->last_login==0)?"":gallery::date($user->last_login)
+modules/user/views/admin_users.html.php 91 DIRTY db::build()->from("items")->where("owner_id","=",$user->id)->count_records()
+modules/user/views/admin_users.html.php 127 DIRTY_ATTR $group->id
+modules/user/views/admin_users.html.php 127 DIRTY_ATTR ($group->special?"g-default-group":"")
+modules/user/views/admin_users.html.php 129 DIRTY $v
+modules/user/views/admin_users_delete_user.html.php 6 DIRTY $form
modules/user/views/admin_users_group.html.php 24 DIRTY_JS $user->id
modules/user/views/admin_users_group.html.php 24 DIRTY_JS $group->id
modules/watermark/views/admin_watermarks.html.php 20 DIRTY_ATTR $width
diff --git a/modules/gallery/views/upgrader.html.php b/modules/gallery/views/upgrader.html.php
index c2d8a552..1ec49c77 100644
--- a/modules/gallery/views/upgrader.html.php
+++ b/modules/gallery/views/upgrader.html.php
@@ -84,7 +84,7 @@
</div>
<? else: ?>
<div id="upgrade_button" class="button button-active">
- <a id="upgrade_link" href="<?= url::site("upgrader/upgrade") ?>">
+ <a id="upgrade_link" href="<?= url::site("upgrader/upgrade?csrf=" . access::csrf_token()) ?>">
<?= t("Upgrade all") ?>
</a>
</div>
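Review bot: The upgrade action remains a GET link, now carrying the CSRF token in the query string (`upgrader/upgrade?csrf=...`), so the token can surface in browser history, in the Referer header of any outbound link on the resulting page, and in server or proxy logs, and the state-changing upgrade is still triggered by a plain navigation. A form submitting via POST with the token in a hidden field (this module already emits such fields through `form::hidden`, per the xss_data entries in this commit) is the more robust shape; if the link must stay a GET, the controller should at least invalidate or rotate the token once it has been used. Whether the view can be converted depends on how the `upgrader/upgrade` route is handled, which is outside this hunk.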