From 5e316f78c6d73fcba9b39c0f9033f1d670de83cb Mon Sep 17 00:00:00 2001 From: Bharat Mediratta Date: Thu, 16 Sep 2010 15:17:00 -0700 Subject: Restrict viewing user profile pages to registered users only, but provide a "show_user_profiles_to" setting to allow admins to open it up to everybody (choices there are "registered_users", "admin_users" or "everybody"). Fixes ticket #1378. --- modules/gallery/controllers/user_profile.php | 39 ++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) (limited to 'modules/gallery/controllers') diff --git a/modules/gallery/controllers/user_profile.php b/modules/gallery/controllers/user_profile.php index e992655b..4922416c 100644 --- a/modules/gallery/controllers/user_profile.php +++ b/modules/gallery/controllers/user_profile.php @@ -18,6 +18,7 @@ * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA. */ class User_Profile_Controller extends Controller { + public function show($id) { // If we get here, then we should have a user id other than guest. $user = identity::lookup_user($id); @@ -25,6 +26,10 @@ class User_Profile_Controller extends Controller { throw new Kohana_404_Exception(); } + if (!$this->_can_view_profile_pages($user)) { + throw new Kohana_404_Exception(); + } + $v = new Theme_View("page.html", "other", "profile"); $v->page_title = t("%name Profile", array("name" => $user->display_name())); $v->content = new View("user_profile.html"); @@ -44,12 +49,20 @@ class User_Profile_Controller extends Controller { public function contact($id) { $user = identity::lookup_user($id); + if (!$this->_can_view_profile_pages($user)) { + throw new Kohana_404_Exception(); + } + print user_profile::get_contact_form($user); } public function send($id) { access::verify_csrf(); $user = identity::lookup_user($id); + if (!$this->_can_view_profile_pages($user)) { + throw new Kohana_404_Exception(); + } + $form = user_profile::get_contact_form($user); if ($form->validate()) { Sendmail::factory() @@ -66,4 +79,30 @@ class User_Profile_Controller extends Controller { json::reply(array("result" => "error", "html" => (string)$form)); } } + + private function _can_view_profile_pages($user) { + if (!$user->loaded()) { + return false; + } + + if ($user->id == identity::active_user()->id) { + // You can always view your own profile + return true; + } + + switch (module::get_var("gallery", "show_user_profiles_to")) { + case "admin_users": + return identity::active_user()->admin; + + case "registered_users": + return !identity::active_user()->guest; + + case "everybody": + return true; + + default: + // Fail in private mode on an invalid setting + return false; + } + } } -- cgit v1.2.3 From 64dfccc4eddf204a80ce533bad69ac8c0c83c1bd Mon Sep 17 00:00:00 2001 From: Bharat Mediratta Date: Thu, 16 Sep 2010 20:04:22 -0700 Subject: Preserve the image extension on the temp file that we create for rotating images. Some versions of GD won't work if we don't do this. Fixes ticket #1375. --- modules/gallery/controllers/quick.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'modules/gallery/controllers') diff --git a/modules/gallery/controllers/quick.php b/modules/gallery/controllers/quick.php index c34209da..3db4f5df 100644 --- a/modules/gallery/controllers/quick.php +++ b/modules/gallery/controllers/quick.php @@ -36,7 +36,8 @@ class Quick_Controller extends Controller { } if ($degrees) { - $tmpfile = tempnam(TMPPATH, "rotate"); + $tmpfile = tempnam(TMPPATH, "rotate") . "." . + pathinfo($item->file_path(), PATHINFO_EXTENSION); gallery_graphics::rotate($item->file_path(), $tmpfile, array("degrees" => $degrees)); $item->set_data_file($tmpfile); $item->save(); -- cgit v1.2.3