| Age | Commit message | Author |
|---|---|---|
| 2009-06-06 | Fix formatting. | Bharat Mediratta |
| 2009-06-01 | Security pass over all controller code. Mostly adding CSRF checking and verifying user permissions, but there are several above-the-bar changes:<br>1) Server add is now only available to admins. This is a hard requirement because we have to limit server access (eg: server_add::children) to a user subset and the current permission model doesn't include that. Easiest fix is to restrict to admins. Got rid of the server_add permission.<br>2) We now check permissions at every level, which means in controllers AND in helpers. This "belt and suspenders" approach will give us defense in depth in case we overlook it in one area.<br>3) We now do CSRF checking in every controller method that changes the code, in addition to the Forge auto-check. Again, defense in depth and it makes scanning the code for security much simpler.<br>4) Moved Simple_Uploader_Controller::convert_filename_to_title to item:convert_filename_to_title<br>5) Fixed a bug in sending notification emails.<br>6) Fixed the Organize code to verify that you only have access to your own tasks. In general, added permission checks to organize which had pretty much no validation code.<br>I did my best to verify every feature that I touched. | Bharat Mediratta |
| 2009-05-31 | Properly call user::login when we automatically login the admin user immediately after install. Fixes ticket #323. | Bharat Mediratta |
| 2009-05-31 | Localize a string | Bharat Mediratta |
| 2009-05-31 | user admin facelift<br>- added drag & drop help message for empty groups<br>- fixed overflow issue with more than ~10 members in one group<br>- CSS improvements | jhilden |
| 2009-05-31 | Clean up view variables | Bharat Mediratta |
| 2009-05-31 | Run all variables that come from user-entered data through p::clean() | Bharat Mediratta |
| 2009-05-27 | Regenerate the session id every time through login::_auth() to avoid session trapping. | Bharat Mediratta |
| 2009-05-27 | Use a random value for the password reset hash to reduce the chances that it can be guessed by an attacker. | Bharat Mediratta |
| 2009-05-26 | Restructure the module lifecycle.<br>Install: `<module>_installer::install()` is called, any necessary tables are created.<br>Activate: `<module>_installer::activate()` is called. Module controllers are routable, helpers are accessible, etc. The module is in use.<br>Deactivate: `<module>_installer::deactivate()` is called. Module code is not accessible or routable. Module is *not* in use, but its tables are still around.<br>Uninstall: `<module>_installer::uninstall()` is called. Module is completely removed from the database.<br>Admin > Modules will install and activate modules, but will only deactivate (will NOT uninstall modules). | Bharat Mediratta |
| 2009-05-26 | Quick fix for ticket #144. Reapply event handler for delete link gDialog when group is refreshed. | Chad Kieffer |
| 2009-05-26 | Link to gallery.panel.js from the head, not body. | Chad Kieffer |
| 2009-05-26 | Split out re-used JavaScript for common functions (messages, valign), panel toggle, and forms to external files. | Chad Kieffer |
| 2009-05-26 | White space fixes | Chad Kieffer |
| 2009-05-25 | Changed name to username in user admin form labels | Chad Kieffer |
| 2009-05-24 | Use phpass as our hashing mechanism, and check for it first (instead of checking G1/G2 techniques first). | Bharat Mediratta |
| 2009-05-21 | Changed Name label to Username, closes ticket #93 | Chad Kieffer |
| 2009-05-20 | Move the first-admin-login steps out of the user module and into an event listener in core | Bharat Mediratta |
| 2009-05-18 | Get rid of trailing whitespace in security preamble | Bharat Mediratta |
| 2009-05-18 | Add security preamble | Bharat Mediratta |
| 2009-05-18 | Move 3rd party PasswordHash library into the "lib" dir for consistency. No 3rd party libs in "libraries", at least for now. | Bharat Mediratta |
| 2009-05-13 | Gee it's May already. Update copyright to 2009. | Bharat Mediratta |
| 2009-05-13 | Don't allow admins to delete the guest user. Fixes ticket #213 | Bharat Mediratta |
| 2009-05-13 | Make the 'this user cannot be deleted' link actually not clickable. | Bharat Mediratta |
| 2009-05-13 | Variety of changes to the way we do user editing:<br>1) Allow admins to edit the admin bit of other admins<br>2) Don't allow admins to delete themselves (partial fix for ticket #213)<br>3) Inline user::update(). Don't do form processing in helper methods!<br>4) Inline user::_get_edit_form() so that we can treat edit forms differently. Trying too hard to make common functions makes for weird edge cases. | Bharat Mediratta |
| 2009-05-13 | Colorize admin user rows to make them stand out | Bharat Mediratta |
| 2009-05-13 | Use the name field if the full_name field is empty. | Bharat Mediratta |
| 2009-05-13 | Log password reset attempts. Fixes ticket #251. | Bharat Mediratta |
| 2009-05-12 | Add group::lookup_by_name() | Bharat Mediratta |
| 2009-05-12 | Fix a comment. | Bharat Mediratta |
| 2009-05-10 | After ajax login, just reload the current page. | Bharat Mediratta |
| 2009-04-24 | add_group() was not getting $form before using it. | Bharat Mediratta |
| 2009-04-18 | Add user::lookup_by_name() | Bharat Mediratta |
| 2009-04-17 | Fix i18n for "Logged in as" string | Andy Staudacher |
| 2009-04-15 | Provide a way to set the hashed password directly | Bharat Mediratta |
| 2009-04-09 | Fix for ticket 181: don't ignore the locale option when adding users | Andy Staudacher |
| 2009-04-09 | Fix the spelling of "appearance_menu" and update user_menu so that the user/groups admin menu option appears again. | Bharat Mediratta |
| 2009-04-05 | Don't do graphics detection in core_installer::install() because that gets run at scaffolding::package() time, not on the target machine. Instead, create a core module variable to trigger running graphics::choose_default_toolkit() on the first admin login after install. Fixes ticket #206. | Bharat Mediratta |
| 2009-04-05 | Add a weight column to the items model. Change the album ordering to use this as the default instead of id. This prepares the way for manual reordering in the organize functionality. | Tim Almdal |
| 2009-04-03 | Fix for ticket #201.<br>1) create common update function so processing is consistent between the user edit and admin edit.<br>2) created common private helper function to build the user edit form the same way.<br>So a user can now change their user name if the new one doesn't exist. | Tim Almdal |
| 2009-03-27 | Put csrf token into Admin_View and Theme_View by default, then use it directly wherever possible instead of access::csrf_token(). | Bharat Mediratta |
| 2009-03-25 | Fix for ticket #181. Valiant take note of the change to admin_users.php. I had to remove the check for the locale as it hasn't been added to the form. | Tim Almdal |
| 2009-03-17 | Fix the locale field in the change user settings form | Andy Staudacher |
| 2009-03-17 | Fix edit user form handler | Andy Staudacher |
| 2009-03-16 | Switch the locale::$locales data structure to be an array instead of a stdClass because we're not allowed to asort() stdClass objects in PHP 5.2.6. | Bharat Mediratta |
| 2009-03-16 | Fix indentation | Bharat Mediratta |
| 2009-03-16 | Proxy the url through _auth() to user::get_login_form() | Bharat Mediratta |
| 2009-03-16 | Get rid of the extra robust code we had in here to make the scaffolding work when the Gallery wasn't installed yet. Now we force users through the installer. | Bharat Mediratta |
| 2009-03-16 | Combined "Logged in as..." and "Modify Profile" to be just "Logged in as FullName" | Chad Kieffer |
| 2009-03-16 | Missed this in the last commit | Bharat Mediratta |