path: root/modules/user/controllers/login.php
Age         Author            Commit message
2009-10-06  Tim Almdal        Change the focus of the user module from providing user/group management to providing the default Identity implementation.
                              * Remove the user_event callbacks and move them to the gallery_event callbacks. This will ensure that the active user is always loaded (because the gallery callbacks are always called first) so it's available to other gallery_ready handlers. Moved the method set_request_locale to the locales helper as it is more related to locales.
                              * Move the user controllers and views into the gallery module.
                              * Move the theme and block processing out of the user module and into core.
2009-10-05  Tim Almdal        First pass on converting calls to the Identity interface. Will worry about writes and saves later.
                              Convert the Admin_User controller. Convert the login and password change controller. Change the item model to call user::lookup to get the owner. On the log model, delete the relationship between the log and user table, and replace with a call to user::lookup.
2009-09-10  Bharat Mediratta  Use abs_url() inside url::redirect() calls so that we don't just wind up tacking onto the base url.
2009-09-08  Bharat Mediratta  Move specialized (pretty) url generation back into Item_Model so that we're not relying on overriding url::site() to do tricks around item urls. This means that you won't get item urls by doing url::site("albums/37"), for example, but it also means that we won't get pretty urls where we don't expect them (like in the action of a <form> element). Incidentally, this will help us move over to using the slug format because if you've got a bad character in a url, the edit forms will now work on it since they'll be id based.
2009-08-29  Andy Staudacher   Refactor all calls of p::clean() to SafeString::of() and p::purify() to SafeString::purify(). Removing any p::clean() calls for arguments to t() and t2() since their args are wrapped in a SafeString anyway.
2009-07-01  Bharat Mediratta  Fix a bunch of XSS vulnerabilities turned up by manual inspection using the checklist in ticket #385.
2009-06-01  Bharat Mediratta  Security pass over all controller code. Mostly adding CSRF checking and verifying user permissions, but there are several above-the-bar changes:
                              1) Server add is now only available to admins. This is a hard requirement because we have to limit server access (e.g. server_add::children) to a user subset and the current permission model doesn't include that. Easiest fix is to restrict to admins. Got rid of the server_add permission.
                              2) We now check permissions at every level, which means in controllers AND in helpers. This "belt and suspenders" approach will give us defense in depth in case we overlook it in one area.
                              3) We now do CSRF checking in every controller method that changes the code, in addition to the Forge auto-check. Again, defense in depth and it makes scanning the code for security much simpler.
                              4) Moved Simple_Uploader_Controller::convert_filename_to_title to item:convert_filename_to_title
                              5) Fixed a bug in sending notification emails.
                              6) Fixed the Organize code to verify that you only have access to your own tasks. In general, added permission checks to organize which had pretty much no validation code.
                              I did my best to verify every feature that I touched.
2009-05-27  Bharat Mediratta  Regenerate the session id every time through login::_auth() to avoid session trapping.
2009-05-20  Bharat Mediratta  Move the first-admin-login steps out of the user module and into an event listener in core
2009-05-13  Bharat Mediratta  Gee it's May already. Update copyright to 2009.
2009-05-10  Bharat Mediratta  After ajax login, just reload the current page.
2009-04-05  Bharat Mediratta  Don't do graphics detection in core_installer::install() because that gets run at scaffolding::package() time, not on the target machine. Instead, create a core module variable to trigger running graphics::choose_default_toolkit() on the first admin login after install. Fixes ticket #206.
2009-03-16  Bharat Mediratta  Proxy the url through _auth() to user::get_login_form()
2009-03-16  Bharat Mediratta  Clean up the login, maintenance login and required-top-level-login code.
                              We now have two clear and separate login approaches: login/ajax and login/html. Choose the one that's appropriate.
                              Totally simplified the maintenance page to be separate from the theme and dead simple, and use the login/html approach there.
                              Totally simplified the top level login (login_page.html.php) to just be a login page, not the rest of the chrome on the page, and use the login/ajax approach there.
                              Don't use access::required in albums and then catch the exception; instead use access::can and check the return code.
                              Improve the text for maintenance mode.
2009-03-11  Tim Almdal        Bag the header("Location:", ...); exit() and replace with url::site(url::abs_file(...)).
                              Create a login_page.html to be used when there is no guest access to the root album. It doesn't have a sidebar or breadcrumb.
2009-03-11  Tim Almdal        Force a login if everybody does not have access to the root item. Ticket #118.
2009-02-04  Tim Almdal        A preview of the password reset functionality. What's working... you can start to logon, request the password to be reset, and an email is sent to the user's email address. If you click on the link you get an unformatted form. But it's a start :-)
2009-01-25  Tim Almdal        Undo the adding of underscores to the id on forge generated forms
2009-01-24  Tim Almdal        Supply a form id on all forms. This id can be used by modules other than the originating module to provide additional functionality to the form.
2009-01-15  Andy Staudacher   Changing t() placeholder syntax from {{replace_me}} to %replace_me.
2009-01-12  Bharat Mediratta  Updated for new Form_Submit API.
                              OLD: $form->submit("Foo") --> <input type="submit" value="Foo">
                              NEW: $form->submit("foo_button")->("Foo") --> <input type="submit" name="foo_button" value="Foo">
                              Mostly we don't care what the button is so we leave the name blank.
2009-01-08  Andy Staudacher   i18n refactoring: Rename all _() (reserved by gettext) calls to t().
                              - And refactor printf to our string interpolation / pluralization syntax
                              - Also, a slight change to the translations_incomings table, using binary(16) instead of char(32) as message key.
2009-01-06  Bharat Mediratta  Add a submit button to the login form
2008-12-29  Bharat Mediratta  Remove rest::JSON content type; it's causing lots of problems and it doesn't directly help since text/html works just as well for our JSON communications
2008-12-26  Felix Rabinovich  Added content type to JSON output functions
2008-12-26  Bharat Mediratta  Login is 'info' not 'success'
2008-12-25  Bharat Mediratta  Rework log and message helpers to be parallel, but separate.
                              1) they now have their own matching severity constants
                              2) they both have convenience functions success(), info(), warning() and error()
                              3) they both have severity_class()
2008-12-25  Bharat Mediratta  Big round of normalization of the way that our controllers communicate. Almost all controllers now use JSON to speak to the theme when we're dealing with form processing. This means that we only send the form back and forth, but we use a JSON protocol to tell the browser success/error status as well as the location of any newly created resources, or where the browser should redirect the user.
                              Lots of small changes:
                              1) Admin -> Edit Profile is gone. Instead I fixed the "Modify Profile" link in the top right corner to be a modal dialog
                              2) We use json_encode everywhere. No more Atom/XML for now. We can bring those back later, though. For now there's a lot of code duplication but that'll be easy to clean up.
                              3) REST_Controller is no longer abstract. All methods its subclasses should create throw exceptions, which means that subclasses don't have to implement stubs for those methods.
                              4) New pattern: helper method get_add_form calls take an Item_Model, not an id since we have to load the Item_Model in the controller anyway to check permissions.
                              5) User/Groups REST resources are separate from User/Group in the site admin. They do different things, we should avoid confusing overlap.
2008-12-24  Bharat Mediratta  Tersify a log message
2008-12-24  Bharat Mediratta  Lots of deltas rolled up into a bigger change. Sorry for the mess.
                              1) Deleted in-place-editing. We'll be replacing this with a real edit system that groups settings together and is more coherent.
                              2) Tweaked the way that dialog boxes work to get the ajax stuff working again. It's imperfect and does not work properly for uploading images. This is going to get redone also, but this is a good resting point.
                              3) Created edit forms for albums and photos. Moved _update and _create out of Items_Controller and into the individual subclasses.
                              4) Created access::required which is a shorthand for: if (!access::can(...)) { access::forbidden(); }
                              5) Added validation rules to Items_Model
                              6) Converted login to use the regular modal dialog approach in the theme.
2008-12-21  Bharat Mediratta  Add info/warning/error classes to log messages.
2008-12-21  Bharat Mediratta  Move logging up to the controllers so that our logging can operate at a more meta level
2008-12-19  Bharat Mediratta  Don't try to validate the form unless it's a POST request.
2008-12-16  Tim Almdal        (no commit message)
2008-12-15  Tim Almdal        Change the login form so that the legend is populated
2008-11-16  Bharat Mediratta  Rename gLogin -> gLoginForm
                              This disambiguates forms from blocks (for example in the comment module we were calling both the form and block gComments).
2008-11-16  Tim Almdal        Create MY_Forge to specify the default html
2008-11-15  Bharat Mediratta  Add support for modifying user data. It still needs work.
                              Make the continue= param a GET only parameter so that it's not part of the form.
2008-11-15  Bharat Mediratta  Revise the user login code.
                              * Remove user registration link and popup from the theme; this shouldn't be done in a popup. Use ajaxform to simplify the way that we load the login popup.
                              * Create form.html.php, this is a template for Forge based forms.
                              * Move user validation rules into User_Model and let forms populate the rules into their forms as useful.
                              * Undo r18688's changes regarding the REST code. We should never accept a null resource, this breaks the REST abstraction.
                              * Change login and user controllers to use Forge which lets us delete login.html.php and user.html.php since those now are generated by the theme-owned form template
2008-11-14  Bharat Mediratta  Internationalize all strings
2008-11-14  Tim Almdal        Remove the logout action from the login controller
2008-11-13  Tim Almdal        Progress is being made... you can now logout
2008-11-12  Tim Almdal        The login processing is starting to take shape. Login_Form is gone. The html for the login form is retrieved via an ajax call when the user clicks on login. Can't login with a valid id yet, but you certainly get error messages when things are wrong :-)
2008-11-12  Tim Almdal        Remove user_password class and move the functionality into the user helper class
2008-11-12  Tim Almdal        More updates for user management. The controllers don't work yet. But the login link in the header will open up a login box like the mockup