From 30f4e143e8fbec928661dcbe75898465e7eff29c Mon Sep 17 00:00:00 2001 From: Tim Almdal Date: Fri, 11 Jun 2010 08:15:25 -0700 Subject: Actually execute the database query that updates the album view count. Fixes ticket #1092. Thanks to shinta for pointing the way. --- modules/gallery/controllers/albums.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'modules/gallery/controllers') diff --git a/modules/gallery/controllers/albums.php b/modules/gallery/controllers/albums.php index ea15418f..eaa09be5 100644 --- a/modules/gallery/controllers/albums.php +++ b/modules/gallery/controllers/albums.php @@ -73,8 +73,8 @@ class Albums_Controller extends Items_Controller { // We can't use math in ORM or the query builder, so do this by hand. It's important // that we do this with math, otherwise concurrent accesses will damage accuracy. - db::query( - "UPDATE {items} SET `view_count` = `view_count` + 1 WHERE `id` = $album->id"); + db::query("UPDATE {items} SET `view_count` = `view_count` + 1 WHERE `id` = $album->id") + ->execute(); print $template; } -- cgit v1.2.3 From bbbb35675acefc6b0b1b78dea9fd3a983189d772 Mon Sep 17 00:00:00 2001 From: Tim Almdal Date: Fri, 11 Jun 2010 15:40:54 -0700 Subject: Fix for ticket #1039. The problem was, as Bryan76 pointed out, with passing the full url in the continue parameter. In the logout controller, we tried to get the item from the url so we could check the permission of the item to insure that the guest user had access. But url::get_item_from_url expects a relative url. --- modules/gallery/controllers/logout.php | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'modules/gallery/controllers') diff --git a/modules/gallery/controllers/logout.php b/modules/gallery/controllers/logout.php index 967dad49..fdbadf1b 100644 --- a/modules/gallery/controllers/logout.php +++ b/modules/gallery/controllers/logout.php @@ -22,13 +22,16 @@ class Logout_Controller extends Controller { access::verify_csrf(); auth::logout(); if ($continue_url = Input::instance()->get("continue")) { - $item = url::get_item_from_uri($continue_url); + $components = explode("/", parse_url($continue_url, PHP_URL_PATH), 4); + $item = url::get_item_from_uri($components[3]); if (access::can("view", $item)) { // Don't use url::redirect() because it'll call url::site() and munge the continue url. - header("Location: $continue_url"); + header("Location: {$item->relative_url()}"); } else { url::redirect(item::root()->abs_url()); } + } else { + url::redirect(item::root()->abs_url()); } } } \ No newline at end of file -- cgit v1.2.3 From 63d95087bf0f24d4e880843cd2841906c6f91b38 Mon Sep 17 00:00:00 2001 From: Bharat Mediratta Date: Sat, 12 Jun 2010 13:35:12 -0700 Subject: Stop trying to parse the continue url in the logout controller because it requires us to reproduce a bunch of complex routing logic. Instead, just have the logout link generating code generate a link that's visible to guests. --- modules/gallery/controllers/logout.php | 12 ++---------- modules/gallery/helpers/gallery_event.php | 13 ++++++++++++- 2 files changed, 14 insertions(+), 11 deletions(-) (limited to 'modules/gallery/controllers') diff --git a/modules/gallery/controllers/logout.php b/modules/gallery/controllers/logout.php index fdbadf1b..9caafec8 100644 --- a/modules/gallery/controllers/logout.php +++ b/modules/gallery/controllers/logout.php @@ -22,16 +22,8 @@ class Logout_Controller extends Controller { access::verify_csrf(); auth::logout(); if ($continue_url = Input::instance()->get("continue")) { - $components = explode("/", parse_url($continue_url, PHP_URL_PATH), 4); - $item = url::get_item_from_uri($components[3]); - if (access::can("view", $item)) { - // Don't use url::redirect() because it'll call url::site() and munge the continue url. - header("Location: {$item->relative_url()}"); - } else { - url::redirect(item::root()->abs_url()); - } - } else { - url::redirect(item::root()->abs_url()); + url::redirect($continue_url); } + url::redirect(item::root()->abs_url()); } } \ No newline at end of file diff --git a/modules/gallery/helpers/gallery_event.php b/modules/gallery/helpers/gallery_event.php index ae7131ae..1b688843 100644 --- a/modules/gallery/helpers/gallery_event.php +++ b/modules/gallery/helpers/gallery_event.php @@ -157,11 +157,22 @@ class gallery_event_Core { ->view("login_current_user.html") ->url(user_profile::url($user->id)) ->label($user->display_name())); + + if (isset($theme->item)) { + if (access::user_can(identity::guest(), "view", $theme->item)) { + $continue_url = $theme->item->abs_url(); + } else { + $continue_url = item::root()->abs_url(); + } + } else { + $continue_url = url::abs_current(); + } + $menu->append(Menu::factory("link") ->id("user_menu_logout") ->css_id("g-logout-link") ->url(url::site("logout?csrf=$csrf&continue=" . - urlencode(url::abs_current()))) + urlencode($continue_url))) ->label(t("Logout"))); } } -- cgit v1.2.3 From b61b50604bfffc25a395df3a1aedf84d3c557ff4 Mon Sep 17 00:00:00 2001 From: Bharat Mediratta Date: Sat, 12 Jun 2010 15:09:16 -0700 Subject: Push the continue url into the form for consistency with other login/continue code. --- modules/gallery/controllers/admin.php | 2 +- modules/gallery/controllers/reauthenticate.php | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) (limited to 'modules/gallery/controllers') diff --git a/modules/gallery/controllers/admin.php b/modules/gallery/controllers/admin.php index 787a2138..0aeaa876 100644 --- a/modules/gallery/controllers/admin.php +++ b/modules/gallery/controllers/admin.php @@ -78,7 +78,7 @@ class Admin_Controller extends Controller { private static function _prompt_for_reauth($controller_name, $args) { if (request::method() == "get" && !request::is_ajax()) { // Avoid anti-phishing protection by passing the url as session variable. - Session::instance()->set("continue_url", url::current(true)); + Session::instance()->set("continue_url", url::abs_current(true)); } url::redirect("reauthenticate"); } diff --git a/modules/gallery/controllers/reauthenticate.php b/modules/gallery/controllers/reauthenticate.php index 3503d80a..acb27f6a 100644 --- a/modules/gallery/controllers/reauthenticate.php +++ b/modules/gallery/controllers/reauthenticate.php @@ -37,8 +37,7 @@ class Reauthenticate_Controller extends Controller { if ($valid) { message::success(t("Successfully re-authenticated!")); module::event("user_auth", $user); - $continue_url = Session::instance()->get_once("continue_url", "admin"); - url::redirect($continue_url); + url::redirect($form->continue_url->value); } else { $name = $user->name; log::warning("user", t("Failed re-authentication for %name", array("name" => $name))); @@ -59,6 +58,7 @@ class Reauthenticate_Controller extends Controller { private static function _form() { $form = new Forge("reauthenticate/auth", "", "post", array("id" => "g-reauthenticate-form")); $form->set_attr('class', "g-narrow"); + $form->hidden("continue_url")->value(Session::instance()->get("continue_url", "admin")); $group = $form->group("reauthenticate")->label(t("Re-authenticate")); $group->password("password")->label(t("Password"))->id("g-password")->class(null) ->callback("auth::validate_too_many_failed_auth_attempts") -- cgit v1.2.3 From c026da85cdbac9e9566045f8de2718cae985f0ec Mon Sep 17 00:00:00 2001 From: Bharat Mediratta Date: Sat, 12 Jun 2010 15:10:34 -0700 Subject: Use "continue_url" instead of "continue" for consistency with the reauth code. --- modules/gallery/controllers/logout.php | 2 +- modules/gallery/helpers/gallery_event.php | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'modules/gallery/controllers') diff --git a/modules/gallery/controllers/logout.php b/modules/gallery/controllers/logout.php index 9caafec8..20fa8074 100644 --- a/modules/gallery/controllers/logout.php +++ b/modules/gallery/controllers/logout.php @@ -21,7 +21,7 @@ class Logout_Controller extends Controller { public function index() { access::verify_csrf(); auth::logout(); - if ($continue_url = Input::instance()->get("continue")) { + if ($continue_url = Input::instance()->get("continue_url")) { url::redirect($continue_url); } url::redirect(item::root()->abs_url()); diff --git a/modules/gallery/helpers/gallery_event.php b/modules/gallery/helpers/gallery_event.php index 1b688843..55db47ce 100644 --- a/modules/gallery/helpers/gallery_event.php +++ b/modules/gallery/helpers/gallery_event.php @@ -171,7 +171,7 @@ class gallery_event_Core { $menu->append(Menu::factory("link") ->id("user_menu_logout") ->css_id("g-logout-link") - ->url(url::site("logout?csrf=$csrf&continue=" . + ->url(url::site("logout?csrf=$csrf&continue_url=" . urlencode($continue_url))) ->label(t("Logout"))); } -- cgit v1.2.3 From dceecabbf1b736604ceb2e08e803b12c99dc4509 Mon Sep 17 00:00:00 2001 From: Bharat Mediratta Date: Sat, 12 Jun 2010 15:16:47 -0700 Subject: Make login/logout continuation url code consistent. Where necessary, we specify the continue_url in the session, but we store it in the login form so that we can propagate it across the session creation that happens at login time. --- modules/gallery/controllers/login.php | 4 ++-- modules/gallery/helpers/auth.php | 1 + modules/gallery/libraries/MY_Kohana_Exception.php | 4 +--- 3 files changed, 4 insertions(+), 5 deletions(-) (limited to 'modules/gallery/controllers') diff --git a/modules/gallery/controllers/login.php b/modules/gallery/controllers/login.php index 40125476..19335d88 100644 --- a/modules/gallery/controllers/login.php +++ b/modules/gallery/controllers/login.php @@ -44,10 +44,10 @@ class Login_Controller extends Controller { public function auth_html() { access::verify_csrf(); - $continue_url = Session::instance()->get("continue_url", null); list ($valid, $form) = $this->_auth("login/auth_html"); if ($valid) { - url::redirect($continue_url ? $continue_url : item::root()->abs_url()); + url::redirect($form->continue_url->value ? $form->continue_url_value : + item::root()->abs_url()); } else { $view = new Theme_View("page.html", "other", "login"); $view->page_title = t("Log in to Gallery"); diff --git a/modules/gallery/helpers/auth.php b/modules/gallery/helpers/auth.php index 1a9fe869..48b5fc32 100644 --- a/modules/gallery/helpers/auth.php +++ b/modules/gallery/helpers/auth.php @@ -21,6 +21,7 @@ class auth_Core { static function get_login_form($url) { $form = new Forge($url, "", "post", array("id" => "g-login-form")); $form->set_attr("class", "g-narrow"); + $form->hidden("continue_url")->value(Session::instance()->get("continue_url")); $group = $form->group("login")->label(t("Login")); $group->input("name")->label(t("Username"))->id("g-username")->class(null) ->callback("auth::validate_too_many_failed_logins") diff --git a/modules/gallery/libraries/MY_Kohana_Exception.php b/modules/gallery/libraries/MY_Kohana_Exception.php index e7ebdb1f..df7557ae 100644 --- a/modules/gallery/libraries/MY_Kohana_Exception.php +++ b/modules/gallery/libraries/MY_Kohana_Exception.php @@ -59,7 +59,7 @@ class Kohana_Exception extends Kohana_Exception_Core { private static function _show_themed_error_page(Exception $e) { // Create a text version of the exception $error = Kohana_Exception::text($e); - + // Add this exception to the log Kohana_Log::add('error', $error); @@ -83,8 +83,6 @@ class Kohana_Exception extends Kohana_Exception_Core { if ($view->content->is_guest) { $view->content->login_form = new View("login_ajax.html"); $view->content->login_form->form = auth::get_login_form("login/auth_html"); - // Avoid anti-phishing protection by passing the url as session variable. - Session::instance()->set("continue_url", url::current(true)); } } else { $view->page_title = t("Dang... Something went wrong!"); -- cgit v1.2.3 From 87f8b6ff0a76f51183f14515723a8345f7c14fa6 Mon Sep 17 00:00:00 2001 From: Bharat Mediratta Date: Sat, 12 Jun 2010 15:28:03 -0700 Subject: Bounce the user to the login page if they try to get to part of the admin site as a guest. Also, theme the login/html page. --- modules/gallery/controllers/admin.php | 7 ++++++- modules/gallery/controllers/login.php | 9 ++++++--- 2 files changed, 12 insertions(+), 4 deletions(-) (limited to 'modules/gallery/controllers') diff --git a/modules/gallery/controllers/admin.php b/modules/gallery/controllers/admin.php index 0aeaa876..c460f58c 100644 --- a/modules/gallery/controllers/admin.php +++ b/modules/gallery/controllers/admin.php @@ -22,7 +22,12 @@ class Admin_Controller extends Controller { public function __construct($theme=null) { if (!identity::active_user()->admin) { - access::forbidden(); + if (identity::active_user()->guest) { + Session::instance()->set("continue_url", url::abs_current(true)); + url::redirect("login"); + } else { + access::forbidden(); + } } parent::__construct(); diff --git a/modules/gallery/controllers/login.php b/modules/gallery/controllers/login.php index 19335d88..2b60316b 100644 --- a/modules/gallery/controllers/login.php +++ b/modules/gallery/controllers/login.php @@ -38,7 +38,10 @@ class Login_Controller extends Controller { } public function html() { - print auth::get_login_form("login/auth_html"); + $view = new Theme_View("page.html", "other", "login"); + $view->page_title = t("Login"); + $view->content = auth::get_login_form("login/auth_html"); + print $view; } public function auth_html() { @@ -46,8 +49,8 @@ class Login_Controller extends Controller { list ($valid, $form) = $this->_auth("login/auth_html"); if ($valid) { - url::redirect($form->continue_url->value ? $form->continue_url_value : - item::root()->abs_url()); + $continue_url = $form->continue_url->value; + url::redirect($continue_url ? $continue_url : item::root()->abs_url()); } else { $view = new Theme_View("page.html", "other", "login"); $view->page_title = t("Log in to Gallery"); -- cgit v1.2.3