From bb35aefffbc287efc9823abd4b0e451b86c37378 Mon Sep 17 00:00:00 2001 From: Tim Almdal Date: Fri, 11 Jun 2010 12:36:23 -0700 Subject: Fix for ticket #797 When load a file is uploaded using a dialog box and the jquery plugin ajaxForm, the ajaxForm plugin uses an hidden iFrame element to send the multi-part form and this is where the response goes. The ajaxForm plugin then retrieves the document body and parses the result as a json string. If the file uploads properly everything is fine, but if it fails Gallery3 return the input form with the the error fields highlighted as part of the json response. As this response is returned to a hidden iframe, the browser attempts to manipulate it and all hell breaks loose. We lose the trailing brace, we start getting escaping of form tags. When the ajaxForm plugin retrieves the iFrame body its no longer a valid json frame and the parsing fails and the user sees no indication that it failed. --- lib/gallery.dialog.js | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'lib/gallery.dialog.js') diff --git a/lib/gallery.dialog.js b/lib/gallery.dialog.js index 3587108c..f280a525 100644 --- a/lib/gallery.dialog.js +++ b/lib/gallery.dialog.js @@ -114,7 +114,8 @@ }, success: function(data) { if (data.form) { - $("#g-dialog form").replaceWith(data.form); + var formData = unescape(data.form); + $("#g-dialog form").replaceWith(formData); $("#g-dialog form :submit").removeClass("ui-state-disabled") .attr("disabled", null); self._ajaxify_dialog(); -- cgit v1.2.3 From c946ad1fcd87d4cb9c8f45b0b3c553b31fcebec8 Mon Sep 17 00:00:00 2001 From: Bharat Mediratta Date: Fri, 25 Jun 2010 09:56:29 -0700 Subject: If we promote the

element to be the title, hide it so we're not showing it twice. --- lib/gallery.dialog.js | 1 + 1 file changed, 1 insertion(+) (limited to 'lib/gallery.dialog.js') diff --git a/lib/gallery.dialog.js b/lib/gallery.dialog.js index f280a525..6ec8c634 100644 --- a/lib/gallery.dialog.js +++ b/lib/gallery.dialog.js @@ -40,6 +40,7 @@ $(".ui-dialog-titlebar").remove(); } else if ($("#g-dialog h1").length) { $("#g-dialog").dialog('option', 'title', $("#g-dialog h1:eq(0)").html()); + $("#g-dialog h1:eq(0)").hide(); } else if ($("#g-dialog fieldset legend").length) { $("#g-dialog").dialog('option', 'title', $("#g-dialog fieldset legend:eq(0)").html()); } -- cgit v1.2.3 From 8493a3d36f597e183490ae880b35a3d98f50a045 Mon Sep 17 00:00:00 2001 From: Tim Almdal Date: Mon, 5 Jul 2010 08:23:17 -0700 Subject: If the admin request originates as a dialog link, don't display the entire page when reauthenticating the administrator. Just put the form in the dialog. --- lib/gallery.dialog.js | 3 ++- modules/gallery/controllers/admin.php | 11 ++++++-- modules/gallery/controllers/reauthenticate.php | 20 ++------------ modules/gallery/helpers/reauthenticate.php | 36 ++++++++++++++++++++++++++ 4 files changed, 49 insertions(+), 21 deletions(-) create mode 100644 modules/gallery/helpers/reauthenticate.php (limited to 'lib/gallery.dialog.js') diff --git a/lib/gallery.dialog.js b/lib/gallery.dialog.js index 6ec8c634..dd1a5663 100644 --- a/lib/gallery.dialog.js +++ b/lib/gallery.dialog.js @@ -26,7 +26,8 @@ $("#g-dialog").gallery_show_loading(); - $.get(sHref, function(data) { + var url = sHref + (sHref.indexOf("?") == -1 ? "?" : "&") + "g-in-dialog"; + $.get(url, function(data) { $("#g-dialog").html(data).gallery_show_loading(); if ($("#g-dialog form").length) { diff --git a/modules/gallery/controllers/admin.php b/modules/gallery/controllers/admin.php index c460f58c..d9bee284 100644 --- a/modules/gallery/controllers/admin.php +++ b/modules/gallery/controllers/admin.php @@ -38,7 +38,8 @@ class Admin_Controller extends Controller { return self::_reauth_check(); } if (auth::must_reauth_for_admin_area()) { - return self::_prompt_for_reauth($controller_name, $args); + print self::_prompt_for_reauth($controller_name, $args); + return; } if (request::method() == "post") { @@ -85,7 +86,13 @@ class Admin_Controller extends Controller { // Avoid anti-phishing protection by passing the url as session variable. Session::instance()->set("continue_url", url::abs_current(true)); } - url::redirect("reauthenticate"); + + // Check that we we not in a dialog. If we are, then use an ajax response. + if (strpos(Router::$query_string, "g-in-dialog") === false) { + url::redirect("reauthenticate"); + } else { + return reauthenticate::get_authenticate_form(); + } } } diff --git a/modules/gallery/controllers/reauthenticate.php b/modules/gallery/controllers/reauthenticate.php index acb27f6a..9ddaff2e 100644 --- a/modules/gallery/controllers/reauthenticate.php +++ b/modules/gallery/controllers/reauthenticate.php @@ -22,7 +22,7 @@ class Reauthenticate_Controller extends Controller { if (!identity::active_user()->admin) { access::forbidden(); } - return self::_show_form(self::_form()); + return self::_show_form(reauthenticate::get_authenticate_form()); } public function auth() { @@ -31,7 +31,7 @@ class Reauthenticate_Controller extends Controller { } access::verify_csrf(); - $form = self::_form(); + $form = reauthenticate::get_authenticate_form(); $valid = $form->validate(); $user = identity::active_user(); if ($valid) { @@ -54,20 +54,4 @@ class Reauthenticate_Controller extends Controller { $view->content->user_name = identity::active_user()->name; print $view; } - - private static function _form() { - $form = new Forge("reauthenticate/auth", "", "post", array("id" => "g-reauthenticate-form")); - $form->set_attr('class', "g-narrow"); - $form->hidden("continue_url")->value(Session::instance()->get("continue_url", "admin")); - $group = $form->group("reauthenticate")->label(t("Re-authenticate")); - $group->password("password")->label(t("Password"))->id("g-password")->class(null) - ->callback("auth::validate_too_many_failed_auth_attempts") - ->callback("user::valid_password") - ->error_messages("invalid_password", t("Incorrect password")) - ->error_messages( - "too_many_failed_auth_attempts", - t("Too many incorrect passwords. Try again later")); - $group->submit("")->value(t("Submit")); - return $form; - } } diff --git a/modules/gallery/helpers/reauthenticate.php b/modules/gallery/helpers/reauthenticate.php new file mode 100644 index 00000000..1ad90e15 --- /dev/null +++ b/modules/gallery/helpers/reauthenticate.php @@ -0,0 +1,36 @@ + "g-reauthenticate-form")); + $form->set_attr('class', "g-narrow"); + $form->hidden("continue_url")->value(Session::instance()->get("continue_url", "admin")); + $group = $form->group("reauthenticate")->label(t("Re-authenticate")); + $group->password("password")->label(t("Password"))->id("g-password")->class(null) + ->callback("auth::validate_too_many_failed_auth_attempts") + ->callback("user::valid_password") + ->error_messages("invalid_password", t("Incorrect password")) + ->error_messages( + "too_many_failed_auth_attempts", + t("Too many incorrect passwords. Try again later")); + $group->submit("")->value(t("Submit")); + return $form; + } +} -- cgit v1.2.3 From 226d1f714635995722fe7927f8ec049fe3890011 Mon Sep 17 00:00:00 2001 From: Tim Almdal Date: Mon, 5 Jul 2010 08:58:36 -0700 Subject: Revert "If the admin request originates as a dialog link, don't display the entire page when reauthenticating the administrator. Just put the form in the dialog." This reverts commit 8493a3d36f597e183490ae880b35a3d98f50a045. --- lib/gallery.dialog.js | 3 +-- modules/gallery/controllers/admin.php | 11 ++------ modules/gallery/controllers/reauthenticate.php | 20 ++++++++++++-- modules/gallery/helpers/reauthenticate.php | 36 -------------------------- 4 files changed, 21 insertions(+), 49 deletions(-) delete mode 100644 modules/gallery/helpers/reauthenticate.php (limited to 'lib/gallery.dialog.js') diff --git a/lib/gallery.dialog.js b/lib/gallery.dialog.js index dd1a5663..6ec8c634 100644 --- a/lib/gallery.dialog.js +++ b/lib/gallery.dialog.js @@ -26,8 +26,7 @@ $("#g-dialog").gallery_show_loading(); - var url = sHref + (sHref.indexOf("?") == -1 ? "?" : "&") + "g-in-dialog"; - $.get(url, function(data) { + $.get(sHref, function(data) { $("#g-dialog").html(data).gallery_show_loading(); if ($("#g-dialog form").length) { diff --git a/modules/gallery/controllers/admin.php b/modules/gallery/controllers/admin.php index d9bee284..c460f58c 100644 --- a/modules/gallery/controllers/admin.php +++ b/modules/gallery/controllers/admin.php @@ -38,8 +38,7 @@ class Admin_Controller extends Controller { return self::_reauth_check(); } if (auth::must_reauth_for_admin_area()) { - print self::_prompt_for_reauth($controller_name, $args); - return; + return self::_prompt_for_reauth($controller_name, $args); } if (request::method() == "post") { @@ -86,13 +85,7 @@ class Admin_Controller extends Controller { // Avoid anti-phishing protection by passing the url as session variable. Session::instance()->set("continue_url", url::abs_current(true)); } - - // Check that we we not in a dialog. If we are, then use an ajax response. - if (strpos(Router::$query_string, "g-in-dialog") === false) { - url::redirect("reauthenticate"); - } else { - return reauthenticate::get_authenticate_form(); - } + url::redirect("reauthenticate"); } } diff --git a/modules/gallery/controllers/reauthenticate.php b/modules/gallery/controllers/reauthenticate.php index 9ddaff2e..acb27f6a 100644 --- a/modules/gallery/controllers/reauthenticate.php +++ b/modules/gallery/controllers/reauthenticate.php @@ -22,7 +22,7 @@ class Reauthenticate_Controller extends Controller { if (!identity::active_user()->admin) { access::forbidden(); } - return self::_show_form(reauthenticate::get_authenticate_form()); + return self::_show_form(self::_form()); } public function auth() { @@ -31,7 +31,7 @@ class Reauthenticate_Controller extends Controller { } access::verify_csrf(); - $form = reauthenticate::get_authenticate_form(); + $form = self::_form(); $valid = $form->validate(); $user = identity::active_user(); if ($valid) { @@ -54,4 +54,20 @@ class Reauthenticate_Controller extends Controller { $view->content->user_name = identity::active_user()->name; print $view; } + + private static function _form() { + $form = new Forge("reauthenticate/auth", "", "post", array("id" => "g-reauthenticate-form")); + $form->set_attr('class', "g-narrow"); + $form->hidden("continue_url")->value(Session::instance()->get("continue_url", "admin")); + $group = $form->group("reauthenticate")->label(t("Re-authenticate")); + $group->password("password")->label(t("Password"))->id("g-password")->class(null) + ->callback("auth::validate_too_many_failed_auth_attempts") + ->callback("user::valid_password") + ->error_messages("invalid_password", t("Incorrect password")) + ->error_messages( + "too_many_failed_auth_attempts", + t("Too many incorrect passwords. Try again later")); + $group->submit("")->value(t("Submit")); + return $form; + } } diff --git a/modules/gallery/helpers/reauthenticate.php b/modules/gallery/helpers/reauthenticate.php deleted file mode 100644 index 1ad90e15..00000000 --- a/modules/gallery/helpers/reauthenticate.php +++ /dev/null @@ -1,36 +0,0 @@ - "g-reauthenticate-form")); - $form->set_attr('class', "g-narrow"); - $form->hidden("continue_url")->value(Session::instance()->get("continue_url", "admin")); - $group = $form->group("reauthenticate")->label(t("Re-authenticate")); - $group->password("password")->label(t("Password"))->id("g-password")->class(null) - ->callback("auth::validate_too_many_failed_auth_attempts") - ->callback("user::valid_password") - ->error_messages("invalid_password", t("Incorrect password")) - ->error_messages( - "too_many_failed_auth_attempts", - t("Too many incorrect passwords. Try again later")); - $group->submit("")->value(t("Submit")); - return $form; - } -} -- cgit v1.2.3