diff options
Diffstat (limited to 'modules/gallery')
| -rw-r--r-- | modules/gallery/controllers/albums.php | 91 | ||||
| -rw-r--r-- | modules/gallery/controllers/items.php | 12 | ||||
| -rw-r--r-- | modules/gallery/controllers/movies.php | 16 | ||||
| -rw-r--r-- | modules/gallery/controllers/photos.php | 17 | ||||
| -rw-r--r-- | modules/gallery/controllers/rest.php | 183 | ||||
| -rw-r--r-- | modules/gallery/helpers/album.php | 4 | ||||
| -rw-r--r-- | modules/gallery/helpers/movie.php | 2 | ||||
| -rw-r--r-- | modules/gallery/helpers/photo.php | 21 | ||||
| -rw-r--r-- | modules/gallery/helpers/rest.php | 116 | ||||
| -rw-r--r-- | modules/gallery/tests/Albums_Controller_Test.php | 3 | ||||
| -rw-r--r-- | modules/gallery/tests/Controller_Auth_Test.php | 16 | ||||
| -rw-r--r-- | modules/gallery/tests/Database_Test.php | 1 | ||||
| -rw-r--r-- | modules/gallery/tests/Photos_Controller_Test.php | 3 | ||||
| -rw-r--r-- | modules/gallery/tests/REST_Controller_Test.php | 197 | ||||
| -rw-r--r-- | modules/gallery/tests/REST_Helper_Test.php | 45 | ||||
| -rw-r--r-- | modules/gallery/tests/controller_auth_data.txt | 16 | ||||
| -rw-r--r-- | modules/gallery/tests/xss_data.txt | 4 |
17 files changed, 37 insertions, 710 deletions
diff --git a/modules/gallery/controllers/albums.php b/modules/gallery/controllers/albums.php index cc63d43f..19140891 100644 --- a/modules/gallery/controllers/albums.php +++ b/modules/gallery/controllers/albums.php @@ -18,10 +18,6 @@ * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA. */ class Albums_Controller extends Items_Controller { - - /** - * @see REST_Controller::_show($resource) - */ public function _show($album) { $page_size = module::get_var("gallery", "page_size", 9); if (!access::can("view", $album)) { @@ -83,27 +79,9 @@ class Albums_Controller extends Items_Controller { print $template; } - /** - * @see REST_Controller::_create($resource) - */ - public function _create($album) { + public function create($parent_id) { access::verify_csrf(); - access::required("view", $album); - access::required("add", $album); - - switch ($this->input->post("type")) { - case "album": - return $this->_create_album($album); - - case "photo": - return $this->_create_photo($album); - - default: - access::forbidden(); - } - } - - private function _create_album($album) { + $album = ORM::factory("item", $parent_id); access::required("view", $album); access::required("add", $album); @@ -124,8 +102,7 @@ class Albums_Controller extends Items_Controller { print json_encode( array("result" => "success", - "location" => $new_album->url(), - "resource" => $new_album->url())); + "location" => $new_album->url())); } else { print json_encode( array( @@ -134,43 +111,9 @@ class Albums_Controller extends Items_Controller { } } - private function _create_photo($album) { - access::required("view", $album); - access::required("add", $album); - - // If we set the content type as JSON, it triggers saving the result as - // a document in the browser (well, in Chrome at least). - // @todo figure out why and fix this. - $form = photo::get_add_form($album); - if ($form->validate()) { - $photo = photo::create( - $album, - $this->input->post("file"), - $_FILES["file"]["name"], - $this->input->post("title", $this->input->post("name")), - $this->input->post("description"), - identity::active_user()->id); - - log::success("content", "Added a photo", html::anchor("photos/$photo->id", "view photo")); - message::success(t("Added photo %photo_title", - array("photo_title" => html::purify($photo->title)))); - - print json_encode( - array("result" => "success", - "resource" => $photo->url(), - "location" => $photo->url())); - } else { - print json_encode( - array("result" => "error", - "form" => $form->__toString())); - } - } - - /** - * @see REST_Controller::_update($resource) - */ - public function _update($album) { + public function update($album_id) { access::verify_csrf(); + $album = ORM::factory("item", $album_id); access::required("view", $album); access::required("edit", $album); @@ -230,32 +173,16 @@ class Albums_Controller extends Items_Controller { } } - /** - * @see REST_Controller::_form_add($parameters) - */ - public function _form_add($album_id) { + public function form_add($album_id) { $album = ORM::factory("item", $album_id); access::required("view", $album); access::required("add", $album); - switch ($this->input->get("type")) { - case "album": - print album::get_add_form($album); - break; - - case "photo": - print photo::get_add_form($album); - break; - - default: - kohana::show_404(); - } + print album::get_add_form($album); } - /** - * @see REST_Controller::_form_add($parameters) - */ - public function _form_edit($album) { + public function form_edit($album_id) { + $album = ORM::factory("item", $album_id); access::required("view", $album); access::required("edit", $album); diff --git a/modules/gallery/controllers/items.php b/modules/gallery/controllers/items.php index 7f60f2b7..ec3681a3 100644 --- a/modules/gallery/controllers/items.php +++ b/modules/gallery/controllers/items.php @@ -17,14 +17,16 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA. */ -class Items_Controller extends REST_Controller { - protected $resource_type = "item"; - - public function _show($item) { +class Items_Controller extends Controller { + public function __call($function, $args) { + $item = ORM::factory("item", (int)$function); + if (!$item->loaded) { + return Kohana::show_404(); + } // Redirect to the more specific resource type, since it will render // differently. We could also just delegate here, but it feels more appropriate // to have a single canonical resource mapping. access::required("view", $item); - return url::redirect($item->abs_url()); + return $this->_show($item); } } diff --git a/modules/gallery/controllers/movies.php b/modules/gallery/controllers/movies.php index 2e2e837c..3d5eac32 100644 --- a/modules/gallery/controllers/movies.php +++ b/modules/gallery/controllers/movies.php @@ -18,10 +18,6 @@ * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA. */ class Movies_Controller extends Items_Controller { - - /** - * @see REST_Controller::_show($resource) - */ public function _show($movie) { access::required("view", $movie); @@ -53,11 +49,9 @@ class Movies_Controller extends Items_Controller { print $template; } - /** - * @see REST_Controller::_update($resource) - */ - public function _update($movie) { + public function update($movie_id) { access::verify_csrf(); + $movie = ORM::factory("item", $movie_id); access::required("view", $movie); access::required("edit", $movie); @@ -120,10 +114,8 @@ class Movies_Controller extends Items_Controller { } } - /** - * @see REST_Controller::_form_edit($resource) - */ - public function _form_edit($movie) { + public function form_edit($movie_id) { + $movie = ORM::factory("item", $movie_id); access::required("view", $movie); access::required("edit", $movie); print movie::get_edit_form($movie); diff --git a/modules/gallery/controllers/photos.php b/modules/gallery/controllers/photos.php index 0c2ff6ee..f052eccd 100644 --- a/modules/gallery/controllers/photos.php +++ b/modules/gallery/controllers/photos.php @@ -18,10 +18,6 @@ * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA. */ class Photos_Controller extends Items_Controller { - - /** - * @see REST_Controller::_show($resource) - */ public function _show($photo) { access::required("view", $photo); @@ -53,12 +49,9 @@ class Photos_Controller extends Items_Controller { print $template; } - - /** - * @see REST_Controller::_update($resource) - */ - public function _update($photo) { + public function update($photo_id) { access::verify_csrf(); + $photo = ORM::factory("item", $photo_id); access::required("view", $photo); access::required("edit", $photo); @@ -125,10 +118,8 @@ class Photos_Controller extends Items_Controller { } } - /** - * @see REST_Controller::_form_edit($resource) - */ - public function _form_edit($photo) { + public function form_edit($photo_id) { + $photo = ORM::factory("item", $photo_id); access::required("view", $photo); access::required("edit", $photo); diff --git a/modules/gallery/controllers/rest.php b/modules/gallery/controllers/rest.php deleted file mode 100644 index 087f2c29..00000000 --- a/modules/gallery/controllers/rest.php +++ /dev/null @@ -1,183 +0,0 @@ -<?php defined("SYSPATH") or die("No direct script access."); -/** - * Gallery - a web based photo album viewer and editor - * Copyright (C) 2000-2009 Bharat Mediratta - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or (at - * your option) any later version. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - * General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA. - */ -/** - * This abstract controller makes it easy to create a RESTful controller. To use it, create a - * subclass which defines the resource type and implements get/post/put/delete methods, like this: - * - * class Comment_Controller extends REST_Controller { - * protected $resource_type = "comment"; // this tells REST which model to use - * - * public function _index() { - * // Handle GET request to /controller - * } - * - * public function _show(ORM $comment) { - * // Handle GET request to /comments/{comment_id} - * } - * - * public function _update(ORM $comment) { - * // Handle PUT request to /comments/{comment_id} - * } - * - * public function _create(ORM $comment) { - * // Handle POST request to /comments - * } - * - * public function _delete(ORM $comment) { - * // Handle DELETE request to /comments/{comments_id} - * } - * - * public function _form_add($parameters) { - * // Handle GET request to /form/add/comments - * // Show a form for creating a new comment - * } - * - * public function _form_edit(ORM $comment) { - * // Handle GET request to /form/edit/comments - * // Show a form for editing an existing comment - * } - * - * A request to http://example.com/gallery3/comments/3 will result in a call to - * REST_Controller::__call(3) which will load up the comment associated with id 3. If there's - * no such comment, it returns a 404. Otherwise, it will then delegate to - * Comment_Controller::get() with the ORM instance as an argument. - */ -class REST_Controller extends Controller { - protected $resource_type = null; - - public function __construct() { - if ($this->resource_type == null) { - throw new Exception("@todo ERROR_MISSING_RESOURCE_TYPE"); - } - parent::__construct(); - } - - /** - * Handle dispatching for all REST controllers. - */ - public function __call($function, $args) { - // If no parameter was provided after the controller name (eg "/albums") then $function will - // be set to "index". Otherwise, $function is the first parameter, and $args are all - // subsequent parameters. - $request_method = rest::request_method(); - if ($function == "index" && $request_method == "get") { - return $this->_index(); - } - - $resource = ORM::factory($this->resource_type, (int)$function); - if (!$resource->loaded() && $request_method != "post") { - return Kohana::show_404(); - } - - switch ($request_method) { - case "get": - return $this->_show($resource); - - case "put": - access::verify_csrf(); - return $this->_update($resource); - - case "delete": - access::verify_csrf(); - return $this->_delete($resource); - - case "post": - access::verify_csrf(); - return $this->_create($resource); - } - } - - /* We're editing an existing item, load it from the database. */ - public function form_edit($resource_id) { - if ($this->resource_type == null) { - throw new Exception("@todo ERROR_MISSING_RESOURCE_TYPE"); - } - - $resource = ORM::factory($this->resource_type, $resource_id); - if (!$resource->loaded()) { - return Kohana::show_404(); - } - - // Security checks must be performed in _form_edit - return $this->_form_edit($resource); - } - - /* We're adding a new item, pass along any additional parameters. */ - public function form_add($parameters) { - // Security checks must be performed in _form_add - return $this->_form_add($parameters); - } - - /** - * Perform a GET request on the controller root - * (e.g. http://www.example.com/gallery3/comments) - */ - public function _index() { - throw new Exception("@todo _create NOT IMPLEMENTED"); - } - - /** - * Perform a POST request on this resource - * @param ORM $resource the instance of this resource type - */ - public function _create($resource) { - throw new Exception("@todo _create NOT IMPLEMENTED"); - } - - /** - * Perform a GET request on this resource - * @param ORM $resource the instance of this resource type - */ - public function _show($resource) { - throw new Exception("@todo _show NOT IMPLEMENTED"); - } - - /** - * Perform a PUT request on this resource - * @param ORM $resource the instance of this resource type - */ - public function _update($resource) { - throw new Exception("@todo _update NOT IMPLEMENTED"); - } - - /** - * Perform a DELETE request on this resource - * @param ORM $resource the instance of this resource type - */ - public function _delete($resource) { - throw new Exception("@todo _delete NOT IMPLEMENTED"); - } - - /** - * Present a form for adding a new resource - * @param string part of the URI after the controller name - */ - public function _form_add($parameter) { - throw new Exception("@todo _form_add NOT IMPLEMENTED"); - } - - /** - * Present a form for editing an existing resource - * @param ORM $resource the resource container for instances of this resource type - */ - public function _form_edit($resource) { - throw new Exception("@todo _form_edit NOT IMPLEMENTED"); - } -} diff --git a/modules/gallery/helpers/album.php b/modules/gallery/helpers/album.php index c82a5509..84a60f83 100644 --- a/modules/gallery/helpers/album.php +++ b/modules/gallery/helpers/album.php @@ -92,7 +92,7 @@ class album_Core { } static function get_add_form($parent) { - $form = new Forge("albums/{$parent->id}", "", "post", array("id" => "g-add-album-form")); + $form = new Forge("albums/create/{$parent->id}", "", "post", array("id" => "g-add-album-form")); $group = $form->group("add_album") ->label(t("Add an album to %album_title", array("album_title" => $parent->title))); $group->input("title")->label(t("Title")); @@ -114,7 +114,7 @@ class album_Core { } static function get_edit_form($parent) { - $form = new Forge("albums/{$parent->id}", "", "post", array("id" => "g-edit-album-form")); + $form = new Forge("albums/update/{$parent->id}", "", "post", array("id" => "g-edit-album-form")); $form->hidden("_method")->value("put"); $group = $form->group("edit_item")->label(t("Edit Album")); diff --git a/modules/gallery/helpers/movie.php b/modules/gallery/helpers/movie.php index a319471d..ff86403a 100644 --- a/modules/gallery/helpers/movie.php +++ b/modules/gallery/helpers/movie.php @@ -129,7 +129,7 @@ class movie_Core { } static function get_edit_form($movie) { - $form = new Forge("movies/$movie->id", "", "post", array("id" => "g-edit-movie-form")); + $form = new Forge("movies/update/$movie->id", "", "post", array("id" => "g-edit-movie-form")); $form->hidden("_method")->value("put"); $group = $form->group("edit_item")->label(t("Edit Movie")); $group->input("title")->label(t("Title"))->value($movie->title); diff --git a/modules/gallery/helpers/photo.php b/modules/gallery/helpers/photo.php index 90cb108f..21cb13a0 100644 --- a/modules/gallery/helpers/photo.php +++ b/modules/gallery/helpers/photo.php @@ -137,27 +137,8 @@ class photo_Core { return $photo; } - static function get_add_form($parent) { - $form = new Forge("albums/{$parent->id}", "", "post", array("id" => "g-add-photo-form")); - $group = $form->group("add_photo")->label( - t("Add Photo to %album_title", array("album_title" => $parent->title))); - $group->input("title")->label(t("Title")); - $group->textarea("description")->label(t("Description")); - $group->input("name")->label(t("Filename")); - $group->input("slug")->label(t("Internet Address"))->value($photo->slug) - ->callback("item::validate_url_safe") - ->error_messages( - "not_url_safe", - t("The internet address should contain only letters, numbers, hyphens and underscores")); - $group->upload("file")->label(t("File"))->rules("required|allow[jpg,png,gif,flv,mp4]"); - $group->hidden("type")->value("photo"); - $group->submit("")->value(t("Upload")); - $form->add_rules_from(ORM::factory("item")); - return $form; - } - static function get_edit_form($photo) { - $form = new Forge("photos/$photo->id", "", "post", array("id" => "g-edit-photo-form")); + $form = new Forge("photos/update/$photo->id", "", "post", array("id" => "g-edit-photo-form")); $form->hidden("_method")->value("put"); $group = $form->group("edit_item")->label(t("Edit Photo")); $group->input("title")->label(t("Title"))->value($photo->title); diff --git a/modules/gallery/helpers/rest.php b/modules/gallery/helpers/rest.php deleted file mode 100644 index a63b94c8..00000000 --- a/modules/gallery/helpers/rest.php +++ /dev/null @@ -1,116 +0,0 @@ -<?php defined("SYSPATH") or die("No direct script access."); -/** - * Gallery - a web based photo album viewer and editor - * Copyright (C) 2000-2009 Bharat Mediratta - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or (at - * your option) any later version. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - * General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA. - */ - -class rest_Core { - const OK = "200 OK"; - const CREATED = "201 Created"; - const ACCEPTED = "202 Accepted"; - const NO_CONTENT = "204 No Content"; - const RESET_CONTENT = "205 Reset Content"; - const PARTIAL_CONTENT = "206 Partial Content"; - const MOVED_PERMANENTLY = "301 Moved Permanently"; - const FOUND = "302 Found"; - const SEE_OTHER = "303 See Other"; - const NOT_MODIFIED = "304 Not Modified"; - const TEMPORARY_REDIRECT = "307 Temporary Redirect"; - const BAD_REQUEST = "400 Bad Request"; - const UNAUTHORIZED = "401 Unauthorized"; - const FORBIDDEN = "403 Forbidden"; - const NOT_FOUND = "404 Not Found"; - const METHOD_NOT_ALLOWED = "405 Method Not Allowed"; - const NOT_ACCEPTABLE = "406 Not Acceptable"; - const CONFLICT = "409 Conflict"; - const GONE = "410 Gone"; - const LENGTH_REQUIRED = "411 Length Required"; - const PRECONDITION_FAILED = "412 Precondition Failed"; - const UNSUPPORTED_MEDIA_TYPE = "415 Unsupported Media Type"; - const EXPECTATION_FAILED = "417 Expectation Failed"; - const INTERNAL_SERVER_ERROR = "500 Internal Server Error"; - const SERVICE_UNAVAILABLE = "503 Service Unavailable"; - - const XML = "application/xml"; - const ATOM = "application/atom+xml"; - const RSS = "application/rss+xml"; - const JSON = "application/json"; - const HTML = "text/html"; - - /** - * We're expecting to run in an environment that only supports GET/POST, so expect to tunnel - * PUT and DELETE through POST. - * - * Returns the HTTP request method taking into consideration PUT/DELETE tunneling. - * @return string HTTP request method - */ - static function request_method() { - if (request::method() == "get") { - return "get"; - } else { - $input = Input::instance(); - switch (strtolower($input->post("_method", $input->get("_method", request::method())))) { - case "put": return "put"; - case "delete": return "delete"; - default: return "post"; - } - } - } - - /** - * Choose an output format based on what the client prefers to accept. - * @return string "html", "xml" or "json" - */ - static function output_format() { - // Pick a format, but let it be overridden. - $input = Input::instance(); - $fmt = $input->get( - "_format", $input->post( - "_format", request::preferred_accept( - array("xhtml", "html", "xml", "json")))); - - // Some browsers (Chrome!) prefer xhtml over html, but we'll normalize this to html for now. - if ($fmt == "xhtml") { - $fmt = "html"; - } - return $fmt; - } - - /** - * Set HTTP response code. - * @param string Use one of the status code constants defined in this class. - */ - static function http_status($status_code) { - header("HTTP/1.1 " . $status_code); - } - - /** - * Set HTTP Location header. - * @param string URL - */ - static function http_location($url) { - header("Location: " . $url); - } - - /** - * Set HTTP Content-Type header. - * @param string content type - */ - static function http_content_type($type) { - header("Content-Type: " . $type); - } -} diff --git a/modules/gallery/tests/Albums_Controller_Test.php b/modules/gallery/tests/Albums_Controller_Test.php index 8562355c..9b904387 100644 --- a/modules/gallery/tests/Albums_Controller_Test.php +++ b/modules/gallery/tests/Albums_Controller_Test.php @@ -48,7 +48,8 @@ class Albums_Controller_Test extends Unit_Test_Case { access::allow(identity::everybody(), "edit", $root); ob_start(); - $controller->_update($this->_album); + $controller->update($this->_album->id); + $this->_album->reload(); $results = ob_get_contents(); ob_end_clean(); diff --git a/modules/gallery/tests/Controller_Auth_Test.php b/modules/gallery/tests/Controller_Auth_Test.php index 0a7076c6..124d8b4c 100644 --- a/modules/gallery/tests/Controller_Auth_Test.php +++ b/modules/gallery/tests/Controller_Auth_Test.php @@ -18,11 +18,6 @@ * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA. */ class Controller_Auth_Test extends Unit_Test_Case { - static $rest_methods = array("_index", "_show", "_form_edit", "_form_add", "_create", - "_update", "_delete"); - - static $rest_methods_with_csrf_check = array("_update", "_delete", "_create"); - public function find_missing_auth_test() { $found = array(); $controllers = explode("\n", `git ls-files '*/*/controllers/*.php'`); @@ -46,7 +41,6 @@ class Controller_Auth_Test extends Unit_Test_Case { } $is_admin_controller = false; - $is_rest_controller = false; $open_braces = 0; $function = null; @@ -64,7 +58,6 @@ class Controller_Auth_Test extends Unit_Test_Case { $function = null; } else if ($open_braces == 0) { $is_admin_controller = false; - $is_rest_controller = false; } } else if ($token == "{") { $open_braces++; @@ -75,8 +68,6 @@ class Controller_Auth_Test extends Unit_Test_Case { if ($open_braces == 0 && $token[0] == T_EXTENDS) { if (self::_token_matches(array(T_STRING, "Admin_Controller"), $tokens, $token_number + 1)) { $is_admin_controller = true; - } else if (self::_token_matches(array(T_STRING, "REST_Controller"), $tokens, $token_number + 1)) { - $is_rest_controller = true; } } else if ($open_braces == 1 && $token[0] == T_FUNCTION) { $line = $token[2]; @@ -101,13 +92,8 @@ class Controller_Auth_Test extends Unit_Test_Case { $is_rss_feed = $name == "feed" && strpos(basename($controller), "_rss.php"); - if ((!$is_static || $is_rss_feed) && - (!$is_private || - ($is_rest_controller && in_array($name, self::$rest_methods)))) { + if ((!$is_static || $is_rss_feed) && !$is_private) { $function = self::_function($name, $line, $is_admin_controller); - if ($is_rest_controller && in_array($name, self::$rest_methods_with_csrf_check)) { - $function->checks_csrf(true); - } } } diff --git a/modules/gallery/tests/Database_Test.php b/modules/gallery/tests/Database_Test.php index ad2bbba1..98bd4046 100644 --- a/modules/gallery/tests/Database_Test.php +++ b/modules/gallery/tests/Database_Test.php @@ -138,7 +138,6 @@ class Database_For_Test extends Database { public function query($sql = '') { if (!empty($sql)) { - print " query($sql)\n"; $sql = $this->add_table_prefixes($sql); } return $sql; diff --git a/modules/gallery/tests/Photos_Controller_Test.php b/modules/gallery/tests/Photos_Controller_Test.php index 624e6878..fa4f101a 100644 --- a/modules/gallery/tests/Photos_Controller_Test.php +++ b/modules/gallery/tests/Photos_Controller_Test.php @@ -44,7 +44,8 @@ class Photos_Controller_Test extends Unit_Test_Case { access::allow(identity::everybody(), "edit", $root); ob_start(); - $controller->_update($photo); + $controller->update($photo->id); + $photo->reload(); $results = ob_get_contents(); ob_end_clean(); diff --git a/modules/gallery/tests/REST_Controller_Test.php b/modules/gallery/tests/REST_Controller_Test.php deleted file mode 100644 index 8fb04d86..00000000 --- a/modules/gallery/tests/REST_Controller_Test.php +++ /dev/null @@ -1,197 +0,0 @@ -<?php defined("SYSPATH") or die("No direct script access."); -/** - * Gallery - a web based photo album viewer and editor - * Copyright (C) 2000-2009 Bharat Mediratta - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or (at - * your option) any later version. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - * General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA. - */ -class REST_Controller_Test extends Unit_Test_Case { - public function setup() { - $this->_post = $_POST; - $this->mock_controller = new Mock_RESTful_Controller("mock"); - $this->mock_not_loaded_controller = new Mock_RESTful_Controller("mock_not_loaded"); - $_POST = array(); - } - - public function teardown() { - $_POST = $this->_post; - } - - public function dispatch_index_test() { - $_SERVER["REQUEST_METHOD"] = "GET"; - $_POST["_method"] = ""; - $this->mock_controller->__call("index", ""); - $this->assert_equal("index", $this->mock_controller->method_called); - } - - public function dispatch_show_test() { - $_SERVER["REQUEST_METHOD"] = "GET"; - $_POST["_method"] = ""; - $this->mock_controller->__call("3", ""); - $this->assert_equal("show", $this->mock_controller->method_called); - $this->assert_equal("Mock_Model", get_class($this->mock_controller->resource)); - } - - public function dispatch_update_test() { - $_SERVER["REQUEST_METHOD"] = "POST"; - $_POST["_method"] = "PUT"; - $_POST["csrf"] = access::csrf_token(); - $this->mock_controller->__call("3", ""); - $this->assert_equal("update", $this->mock_controller->method_called); - $this->assert_equal("Mock_Model", get_class($this->mock_controller->resource)); - } - - public function dispatch_update_fails_without_csrf_test() { - $_SERVER["REQUEST_METHOD"] = "POST"; - $_POST["_method"] = "PUT"; - try { - $this->mock_controller->__call("3", ""); - $this->assert_false(true, "this should fail with a forbidden exception"); - } catch (Exception $e) { - // pass - } - } - - public function dispatch_delete_test() { - $_SERVER["REQUEST_METHOD"] = "POST"; - $_POST["_method"] = "DELETE"; - $_POST["csrf"] = access::csrf_token(); - $this->mock_controller->__call("3", ""); - $this->assert_equal("delete", $this->mock_controller->method_called); - $this->assert_equal("Mock_Model", get_class($this->mock_controller->resource)); - } - - public function dispatch_delete_fails_without_csrf_test() { - $_SERVER["REQUEST_METHOD"] = "POST"; - $_POST["_method"] = "DELETE"; - try { - $this->mock_controller->__call("3", ""); - $this->assert_false(true, "this should fail with a forbidden exception"); - } catch (Exception $e) { - // pass - } - } - - public function dispatch_404_test() { - /* The dispatcher should throw a 404 if the resource isn't loaded and the method isn't POST. */ - $methods = array( - array("GET", ""), - array("POST", "PUT"), - array("POST", "DELETE")); - - foreach ($methods as $method) { - $_SERVER["REQUEST_METHOD"] = $method[0]; - $_POST["_method"] = $method[1]; - $exception_caught = false; - try { - $this->mock_not_loaded_controller->__call(rand(), ""); - } catch (Kohana_404_Exception $e) { - $exception_caught = true; - } - $this->assert_true($exception_caught, "$method[0], $method[1]"); - } - } - - public function dispatch_create_test() { - $_SERVER["REQUEST_METHOD"] = "POST"; - $_POST["_method"] = ""; - $_POST["csrf"] = access::csrf_token(); - $this->mock_not_loaded_controller->__call("", ""); - $this->assert_equal("create", $this->mock_not_loaded_controller->method_called); - $this->assert_equal( - "Mock_Not_Loaded_Model", get_class($this->mock_not_loaded_controller->resource)); - } - - public function dispatch_create_fails_without_csrf_test() { - $_SERVER["REQUEST_METHOD"] = "POST"; - $_POST["_method"] = ""; - try { - $this->mock_not_loaded_controller->__call("", ""); - $this->assert_false(true, "this should fail with a forbidden exception"); - } catch (Exception $e) { - // pass - } - } - - public function dispatch_form_test_add() { - $this->mock_controller->form_add("args"); - $this->assert_equal("form_add", $this->mock_controller->method_called); - $this->assert_equal("args", $this->mock_controller->resource); - } - - public function dispatch_form_test_edit() { - $this->mock_controller->form_edit("1"); - $this->assert_equal("form_edit", $this->mock_controller->method_called); - $this->assert_equal("Mock_Model", get_class($this->mock_controller->resource)); - } - - public function routes_test() { - $this->assert_equal("mock/form_add/args", router::routed_uri("form/add/mock/args")); - $this->assert_equal("mock/form_edit/args", router::routed_uri("form/edit/mock/args")); - $this->assert_equal(null, router::routed_uri("rest/args")); - } -} - -class Mock_RESTful_Controller extends REST_Controller { - public $method_called; - public $resource; - - public function __construct($type) { - $this->resource_type = $type; - parent::__construct(); - } - - public function _index() { - $this->method_called = "index"; - } - - public function _create($resource) { - $this->method_called = "create"; - $this->resource = $resource; - } - - public function _show($resource) { - $this->method_called = "show"; - $this->resource = $resource; - } - - public function _update($resource) { - $this->method_called = "update"; - $this->resource = $resource; - } - - public function _delete($resource) { - $this->method_called = "delete"; - $this->resource = $resource; - } - - public function _form_add($args) { - $this->method_called = "form_add"; - $this->resource = $args; - } - - public function _form_edit($resource) { - $this->method_called = "form_edit"; - $this->resource = $resource; - } -} - -class Mock_Model { - public $loaded = true; -} - -class Mock_Not_Loaded_Model { - public $loaded = false; -} diff --git a/modules/gallery/tests/REST_Helper_Test.php b/modules/gallery/tests/REST_Helper_Test.php deleted file mode 100644 index 1bfc63ab..00000000 --- a/modules/gallery/tests/REST_Helper_Test.php +++ /dev/null @@ -1,45 +0,0 @@ -<?php defined("SYSPATH") or die("No direct script access."); -/** - * Gallery - a web based photo album viewer and editor - * Copyright (C) 2000-2009 Bharat Mediratta - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or (at - * your option) any later version. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - * General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA. - */ -class REST_Helper_Test extends Unit_Test_Case { - public function setup() { - $this->_post = $_POST; - } - - public function teardown() { - $_POST = $this->_post; - } - - public function request_method_test() { - foreach (array("GET", "POST") as $method) { - foreach (array("", "PUT", "DELETE") as $tunnel) { - if ($method == "GET") { - $expected = "GET"; - } else { - $expected = $tunnel == "" ? $method : $tunnel; - } - $_SERVER["REQUEST_METHOD"] = $method; - $_POST["_method"] = $tunnel; - - $this->assert_equal(strtolower(rest::request_method()), strtolower($expected), - "Request method: {$method}, tunneled: {$tunnel}"); - } - } - } -} diff --git a/modules/gallery/tests/controller_auth_data.txt b/modules/gallery/tests/controller_auth_data.txt index 30102538..1fe29ffb 100644 --- a/modules/gallery/tests/controller_auth_data.txt +++ b/modules/gallery/tests/controller_auth_data.txt @@ -1,11 +1,9 @@ modules/comment/controllers/admin_comments.php queue DIRTY_CSRF -modules/comment/controllers/comments.php _index DIRTY_CSRF modules/comment/helpers/comment_rss.php feed DIRTY_AUTH modules/digibug/controllers/digibug.php print_proxy DIRTY_CSRF|DIRTY_AUTH modules/digibug/controllers/digibug.php close_window DIRTY_AUTH modules/gallery/controllers/admin.php __call DIRTY_AUTH modules/gallery/controllers/albums.php _show DIRTY_CSRF -modules/gallery/controllers/albums.php _form_add DIRTY_CSRF modules/gallery/controllers/combined.php javascript DIRTY_AUTH modules/gallery/controllers/combined.php css DIRTY_AUTH modules/gallery/controllers/file_proxy.php __call DIRTY_CSRF|DIRTY_AUTH @@ -15,17 +13,6 @@ modules/gallery/controllers/login.php html modules/gallery/controllers/login.php auth_html DIRTY_AUTH modules/gallery/controllers/logout.php index DIRTY_CSRF|DIRTY_AUTH modules/gallery/controllers/maintenance.php index DIRTY_AUTH -modules/gallery/controllers/rest.php __construct DIRTY_AUTH -modules/gallery/controllers/rest.php __call DIRTY_AUTH -modules/gallery/controllers/rest.php form_edit DIRTY_AUTH -modules/gallery/controllers/rest.php form_add DIRTY_AUTH -modules/gallery/controllers/rest.php _index DIRTY_AUTH -modules/gallery/controllers/rest.php _create DIRTY_AUTH -modules/gallery/controllers/rest.php _show DIRTY_AUTH -modules/gallery/controllers/rest.php _update DIRTY_AUTH -modules/gallery/controllers/rest.php _delete DIRTY_AUTH -modules/gallery/controllers/rest.php _form_add DIRTY_AUTH -modules/gallery/controllers/rest.php _form_edit DIRTY_AUTH modules/gallery/controllers/simple_uploader.php start DIRTY_AUTH modules/gallery/controllers/simple_uploader.php finish DIRTY_AUTH modules/gallery/controllers/upgrader.php index DIRTY_AUTH @@ -35,6 +22,7 @@ modules/search/controllers/search.php index modules/server_add/controllers/admin_server_add.php autocomplete DIRTY_CSRF modules/server_add/controllers/server_add.php children DIRTY_CSRF modules/tag/controllers/admin_tags.php index DIRTY_CSRF -modules/tag/controllers/tags.php _show DIRTY_CSRF|DIRTY_AUTH +modules/tag/controllers/tags.php show DIRTY_CSRF|DIRTY_AUTH +modules/tag/controllers/tags.php autocomplete DIRTY_CSRF|DIRTY_AUTH modules/user/controllers/password.php reset DIRTY_AUTH modules/user/controllers/password.php do_reset DIRTY_CSRF|DIRTY_AUTH diff --git a/modules/gallery/tests/xss_data.txt b/modules/gallery/tests/xss_data.txt index fa818636..3708bc6d 100644 --- a/modules/gallery/tests/xss_data.txt +++ b/modules/gallery/tests/xss_data.txt @@ -298,8 +298,8 @@ modules/server_add/views/server_add_tree_dialog.html.php 4 DIRTY_JS url::s modules/server_add/views/server_add_tree_dialog.html.php 21 DIRTY $tree modules/tag/views/admin_tags.html.php 45 DIRTY_ATTR $tag->id modules/tag/views/admin_tags.html.php 46 DIRTY $tag->count -modules/tag/views/tag_block.html.php 27 DIRTY $cloud -modules/tag/views/tag_block.html.php 29 DIRTY $form +modules/tag/views/tag_block.html.php 25 DIRTY $cloud +modules/tag/views/tag_block.html.php 27 DIRTY $form modules/tag/views/tag_cloud.html.php 4 DIRTY_ATTR (int)(($tag->count/$max_count)*7) modules/tag/views/tag_cloud.html.php 5 DIRTY $tag->count modules/tag/views/tag_cloud.html.php 6 DIRTY_JS $tag->url() |