summaryrefslogtreecommitdiff
path: root/modules/comment/controllers/admin_comments.php
AgeCommit message (Collapse)Author
2009-06-01Security pass over all controller code. Mostly adding CSRF checkingBharat Mediratta
and verifying user permissions, but there are several above-the-bar changes: 1) Server add is now only available to admins. This is a hard requirement because we have to limit server access (eg: server_add::children) to a user subset and the current permission model doesn't include that. Easiest fix is to restrict to admins. Got rid of the server_add permission. 2) We now know check permissions at every level, which means in controllers AND in helpers. This "belt and suspenders" approach will give us defense in depth in case we overlook it in one area. 3) We now do CSRF checking in every controller method that changes the code, in addition to the Forge auto-check. Again, defense in depth and it makes scanning the code for security much simpler. 4) Moved Simple_Uploader_Controller::convert_filename_to_title to item:convert_filename_to_title 5) Fixed a bug in sending notification emails. 6) Fixed the Organize code to verify that you only have access to your own tasks. In general, added permission checks to organize which had pretty much no validation code. I did my best to verify every feature that I touched.
2009-05-13Gee it's May already. Update copyright to 2009.Bharat Mediratta
2009-05-11Refactor to support pagination and simplify the code.Bharat Mediratta
- Simplify the public controller methods - Fix a bug where missing thumbnails would cause a divide by zero error - actually pay attention to the page # for pagination and limit the query accordingly.
2009-02-28Change the pattern to identify tables that need prefix substitution toTim Almdal
mirror the drupal pattern of using braces {}.
2009-02-27This implements table prefix for all the queries in core, user, exif,Tim Almdal
tag, search, comment and notification modules (Ticket #68)
2009-02-02Fix trac issue: #31Tim Almdal
2009-01-16Fix validation when adding new comments.Bharat Mediratta
Fire off the appropriate item_related_update events as appropriate.
2009-01-15Changing t() placeholder syntax from {{replace_me}} to %replace_me.Andy Staudacher
2009-01-15Simplifying the way t() is called. Refactoring localization function ↵Andy Staudacher
t($message, $options=array()) into 2 separate functions: - the new t($message, $options=array()) is for simple strings, optionally with placeholder interpolation. - t2($singular, $plural, $count, $options=array()) is for plurals.
2009-01-15Rename 'xxx_changed' events to 'xxx_updated'Bharat Mediratta
2009-01-10Auto-delete 7-day old spam/deleted comments.Bharat Mediratta
2009-01-10Create a 'recently deleted' queueBharat Mediratta
2009-01-10Update the queue counts in the menu list whenever weBharat Mediratta
approve/unapprove/spam a comment.
2009-01-08i18n refactoring: Rename all _() (reserved by gettext) calls to t().Andy Staudacher
- And refactor printf to our string interpolation / pluralization syntax - Also, a slight change to the translations_incomings table, using binary(16) instead of char(32) as message key.
2009-01-08Incremental improvement in comment moderation:Bharat Mediratta
1) Akismet now detects when we change a comment's published state and submits info back to akismet.com as appropriate 2) We now show 4 different queues (all / approved / unapproved / spam) and let you move messages between the queues 3) We track and display "spam caught" stats. 4) You can delete comments entirely.
2009-01-07Add very basic comment listing which shows the different queuesBharat Mediratta
(approved, unapproved, spam).
generated by cgit v1.2.3 (git 2.51.0) at 2025-11-12 23:01:43 +0000