diff options
Diffstat (limited to 'modules/server_add')
| -rw-r--r-- | modules/server_add/controllers/server_add.php | 38 | ||||
| -rw-r--r-- | modules/server_add/helpers/server_add_installer.php | 5 | ||||
| -rw-r--r-- | modules/server_add/helpers/server_add_menu.php | 4 | ||||
| -rw-r--r-- | modules/server_add/helpers/server_add_task.php | 1 |
4 files changed, 33 insertions, 15 deletions
diff --git a/modules/server_add/controllers/server_add.php b/modules/server_add/controllers/server_add.php index d5278b3b..c37eab58 100644 --- a/modules/server_add/controllers/server_add.php +++ b/modules/server_add/controllers/server_add.php @@ -21,10 +21,11 @@ class Server_Add_Controller extends Controller { public function index($id) { $paths = unserialize(module::get_var("server_add", "authorized_paths")); - $item = ORM::factory("item", $id); - access::required("server_add", $item); - access::required("add", $item); + if (!user::active()->admin) { + access::forbidden(); + } + $item = ORM::factory("item", $id); $view = new View("server_add_tree_dialog.html"); $view->action = url::abs_site("__ARGS__/{$id}__TASK_ID__?csrf=" . access::csrf_token()); $view->parents = $item->parents(); @@ -41,8 +42,11 @@ class Server_Add_Controller extends Controller { } public function children() { - $paths = unserialize(module::get_var("server_add", "authorized_paths")); + if (!user::active()->admin) { + access::forbidden(); + } + $paths = unserialize(module::get_var("server_add", "authorized_paths")); $path_valid = false; $path = $this->input->post("path"); @@ -66,7 +70,12 @@ class Server_Add_Controller extends Controller { } function start($id) { + if (!user::active()->admin) { + access::forbidden(); + } access::verify_csrf(); + + $item = ORM::factory("item", $id); $paths = unserialize(module::get_var("server_add", "authorized_paths")); $input_files = $this->input->post("path"); $files = array(); @@ -114,9 +123,15 @@ class Server_Add_Controller extends Controller { } function add_photo($task_id) { + if (!user::active()->admin) { + access::forbidden(); + } access::verify_csrf(); $task = task::run($task_id); + if (!$task->loaded || $task->owner_id != user::active()->id) { + access::forbidden(); + } if ($task->done) { switch ($task->state) { @@ -146,10 +161,16 @@ class Server_Add_Controller extends Controller { } public function finish($id, $task_id) { + if (!user::active()->admin) { + access::forbidden(); + } access::verify_csrf(); - $task = ORM::factory("task", $task_id); + if (!$task->loaded || $task->owner_id != user::active()->id) { + access::forbidden(); + } + if (!$task->done) { message::warning(t("Add from server was cancelled prior to completion")); } @@ -159,9 +180,14 @@ class Server_Add_Controller extends Controller { } public function pause($id, $task_id) { + if (!user::active()->admin) { + access::forbidden(); + } access::verify_csrf(); - $task = ORM::factory("task", $task_id); + if (!$task->loaded || $task->owner_id != user::active()->id) { + access::forbidden(); + } message::warning(t("Add from server was cancelled prior to completion")); batch::stop(); diff --git a/modules/server_add/helpers/server_add_installer.php b/modules/server_add/helpers/server_add_installer.php index b592b448..f8773a2e 100644 --- a/modules/server_add/helpers/server_add_installer.php +++ b/modules/server_add/helpers/server_add_installer.php @@ -22,7 +22,6 @@ class server_add_installer { $db = Database::instance(); $version = module::get_version("server_add"); if ($version == 0) { - access::register_permission("server_add", t("Add files from server")); module::set_version("server_add", 1); } server_add::check_config(); @@ -31,8 +30,4 @@ class server_add_installer { static function deactivate() { site_status::clear("server_add_configuration"); } - - static function uninstall() { - access::delete_permission("server_add"); - } } diff --git a/modules/server_add/helpers/server_add_menu.php b/modules/server_add/helpers/server_add_menu.php index 04c94493..7269d952 100644 --- a/modules/server_add/helpers/server_add_menu.php +++ b/modules/server_add/helpers/server_add_menu.php @@ -28,11 +28,9 @@ class server_add_menu_Core { static function site($menu, $theme) { $item = $theme->item(); - $paths = unserialize(module::get_var("server_add", "authorized_paths")); - if ($item && access::can("edit", $item) && access::can("server_add", $item) && - $item->is_album() && !empty($paths)) { + if (user::active()->admin && $item->is_album() && !empty($paths)) { $options_menu = $menu->get("options_menu") ->append(Menu::factory("dialog") ->id("server_add") diff --git a/modules/server_add/helpers/server_add_task.php b/modules/server_add/helpers/server_add_task.php index c5a7f067..98575915 100644 --- a/modules/server_add/helpers/server_add_task.php +++ b/modules/server_add/helpers/server_add_task.php @@ -31,7 +31,6 @@ class server_add_task_Core { if (!empty($context["files"][$path])) { $file = $context["files"][$path][$context["position"]]; $parent = ORM::factory("item", $file["parent_id"]); - access::required("server_add", $parent); access::required("add", $parent); if (!$parent->is_album()) { throw new Exception("@todo BAD_ALBUM"); |