From 5e8e3ab6b59731733d830acadd4b218619eb3656 Mon Sep 17 00:00:00 2001 From: Bharat Mediratta Date: Tue, 30 Jun 2009 18:28:55 -0700 Subject: Rejigger the way we handle "done" status in the upgrader. Now we present the done box if you're done and let you get rid of it if you want. It's not beautiful, by any means, but it gives you an easy link back to your Gallery when you're finished. Fixes ticket #479. --- modules/gallery/controllers/upgrader.php | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) (limited to 'modules/gallery/controllers') diff --git a/modules/gallery/controllers/upgrader.php b/modules/gallery/controllers/upgrader.php index 91952fa9..0f6cbc2c 100644 --- a/modules/gallery/controllers/upgrader.php +++ b/modules/gallery/controllers/upgrader.php @@ -32,11 +32,18 @@ class Upgrader_Controller extends Controller { @unlink(TMPPATH . $upgrade_token); } + $available_upgrades = 0; + foreach (module::available() as $module) { + if ($module->version && $module->version != $module->code_version) { + $available_upgrades++; + } + } + $view = new View("upgrader.html"); $view->can_upgrade = user::active()->admin || $session->get("can_upgrade"); $view->upgrade_token = $upgrade_token; $view->available = module::available(); - $view->done = Input::instance()->get("done"); + $view->done = ($available_upgrades == 0); print $view; } @@ -67,7 +74,7 @@ class Upgrader_Controller extends Controller { if (php_sapi_name() == "cli") { print "Upgrade complete\n"; } else { - url::redirect("upgrader?done=1"); + url::redirect("upgrader"); } } } -- cgit v1.2.3 From 666c807fccf4f360fac667e9a7ab6b7e560b3a6c Mon Sep 17 00:00:00 2001 
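Review bot: `module::available()` is now evaluated twice in the same method, once to drive the new counting loop and again a few lines later for `$view->available = module::available();`, so whatever that helper does (presumably scanning module directories and reading versions) is repeated on every upgrader page view. Fetch it once and reuse the result: `$available = module::available();` before the loop, `foreach ($available as $module) {`, and `$view->available = $available;`. The version test on the added line uses loose `!=`; if `version` and `code_version` can arrive as mixed int/string values this still compares numerically, but `!==` with an explicit cast would make the intent clearer. Deriving `done` from the remaining-upgrade count instead of the `?done=1` query parameter also means the "done" box can no longer be triggered by a crafted link, which is a sound change. The enclosing method starts before the hunk.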
From: Bharat Mediratta Date: Tue, 30 Jun 2009 20:47:51 -0700 Subject: Revert "Add Session::abort_save() to Kohana." Obsoleted by upstream fix. This reverts commit 06f066164f60fe0babbc7a480e6319a0702e0c46. --- modules/gallery/controllers/file_proxy.php | 3 --- system/libraries/Session.php | 13 ------------- system/libraries/drivers/Session/Database.php | 4 ---- 3 files changed, 20 deletions(-) (limited to 'modules/gallery/controllers') diff --git a/modules/gallery/controllers/file_proxy.php b/modules/gallery/controllers/file_proxy.php index 0d64bcd9..1f885e53 100644 --- a/modules/gallery/controllers/file_proxy.php +++ b/modules/gallery/controllers/file_proxy.php @@ -112,9 +112,6 @@ class File_Proxy_Controller extends Controller { kohana::show_404(); } - // We don't need to save the session for this request - Session::abort_save(); - // Dump out the image header("Content-Type: $item->mime_type"); Kohana::close_buffers(false); diff --git a/system/libraries/Session.php b/system/libraries/Session.php index 61a0d403..e03f5dff 100644 --- a/system/libraries/Session.php +++ b/system/libraries/Session.php @@ -27,9 +27,6 @@ class Session_Core { // Input library protected $input; - // Automatically save the session by default - public static $should_save = true; - /** * Singleton instance of Session. */ @@ -458,14 +455,4 @@ class Session_Core { } } - /** - * Do not save this session. - * - * @return void - */ - public function abort_save() { - Session::$should_save = false; - - } - } // End Session Class diff --git a/system/libraries/drivers/Session/Database.php b/system/libraries/drivers/Session/Database.php index b8993a9e..b4144ffb 100644 --- a/system/libraries/drivers/Session/Database.php +++ b/system/libraries/drivers/Session/Database.php @@ -98,10 +98,6 @@ class Session_Database_Driver implements Session_Driver { public function write($id, $data) { - if (!Session::$should_save) { - return true; - } - $data = array ( 'session_id' => $id, -- cgit v1.2.3 
From 132bd8306e444c46d3e588bdc1b21fa4474f2a98 Mon Sep 17 00:00:00 2001 From: Bharat Mediratta Date: Tue, 30 Jun 2009 20:51:02 -0700 Subject: Re-add Session::abort_save(). It was reverted as part of the earlier change, but this is the part that we want to keep. --- modules/gallery/controllers/file_proxy.php | 3 +++ 1 file changed, 3 insertions(+) (limited to 'modules/gallery/controllers') diff --git a/modules/gallery/controllers/file_proxy.php b/modules/gallery/controllers/file_proxy.php index 1f885e53..0d64bcd9 100644 --- a/modules/gallery/controllers/file_proxy.php +++ b/modules/gallery/controllers/file_proxy.php @@ -112,6 +112,9 @@ class File_Proxy_Controller extends Controller { kohana::show_404(); } + // We don't need to save the session for this request + Session::abort_save(); + // Dump out the image header("Content-Type: $item->mime_type"); Kohana::close_buffers(false); -- cgit v1.2.3 From 8f9a943f55c1342177d7687e3d891f5d1c9eff30 Mon Sep 17 00:00:00 2001 
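Review bot: The re-added `Session::abort_save();` call has no visible implementation behind it, because the preceding commit in this series (666c807fccf4f360fac667e9a7ab6b7e560b3a6c) deleted `Session_Core::abort_save()`, the `$should_save` flag and the early return in `Session_Database_Driver::write()`. Unless the upstream Kohana fix mentioned in that revert ships its own `abort_save()`, this line will produce a fatal error on every file_proxy request, which would take down image serving rather than just session saving. A comment naming where the method now lives would make the dependency explicit, e.g. `// abort_save() is provided by the upstream Kohana Session fix (see 666c807f)`. The enclosing method continues outside the hunk.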
From: Bharat Mediratta Date: Wed, 1 Jul 2009 17:57:39 -0700 Subject: Fix a bunch of XSS vulnerabilities turned up by manual inspection using the checklist in ticket #385. --- modules/gallery/controllers/admin_advanced_settings.php | 2 +- modules/gallery/controllers/admin_modules.php | 2 +- modules/gallery/controllers/albums.php | 9 ++++++--- modules/gallery/controllers/movies.php | 3 ++- modules/gallery/controllers/photos.php | 3 ++- modules/gallery/controllers/quick.php | 11 ++++++----- modules/gallery/helpers/l10n_client.php | 4 +++- modules/organize/controllers/organize.php | 6 +++--- modules/server_add/controllers/admin_server_add.php | 4 ++-- modules/server_add/controllers/server_add.php | 2 +- modules/tag/controllers/admin_tags.php | 6 +++--- modules/user/controllers/admin_users.php | 17 ++++++++++------- modules/user/controllers/login.php | 5 +++-- modules/user/controllers/logout.php | 4 ++-- modules/user/controllers/password.php | 4 +++- 15 files changed, 48 insertions(+), 34 deletions(-) (limited to 'modules/gallery/controllers') diff --git a/modules/gallery/controllers/admin_advanced_settings.php b/modules/gallery/controllers/admin_advanced_settings.php index 79bc1183..64007fdb 100644 --- a/modules/gallery/controllers/admin_advanced_settings.php +++ b/modules/gallery/controllers/admin_advanced_settings.php @@ -46,7 +46,7 @@ class Admin_Advanced_Settings_Controller extends Admin_Controller { module::set_var($module_name, $var_name, Input::instance()->post("value")); message::success( t("Saved value for %var (%module_name)", - array("var" => $var_name, "module_name" => $module_name))); + array("var" => p::clean($var_name), "module_name" => $module_name))); print json_encode(array("result" => "success")); } diff --git a/modules/gallery/controllers/admin_modules.php b/modules/gallery/controllers/admin_modules.php index ed1f7665..dfa49a0e 100644 --- a/modules/gallery/controllers/admin_modules.php +++ b/modules/gallery/controllers/admin_modules.php 
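Review bot: Only `$var_name` is passed through `p::clean()` in the success message; `$module_name`, which appears in the same `t()` call and is the same kind of caller-supplied identifier handed to `module::set_var($module_name, $var_name, ...)`, is still interpolated raw. Where both values originate is above the hunk, so this is inferred, but if they come from the same request both should be escaped: `array("var" => p::clean($var_name), "module_name" => p::clean($module_name))`. The enclosing method starts before the hunk.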
@@ -56,7 +56,7 @@ class Admin_Modules_Controller extends Admin_Controller { module::event("module_change", $changes); - // @todo this type of collation is questionable from a i18n perspective + // @todo this type of collation is questionable from an i18n perspective if ($activated_names) { message::success(t("Activated: %names", array("names" => join(", ", $activated_names)))); } diff --git a/modules/gallery/controllers/albums.php b/modules/gallery/controllers/albums.php index 22f50fb8..d141d157 100644 --- a/modules/gallery/controllers/albums.php +++ b/modules/gallery/controllers/albums.php @@ -111,7 +111,8 @@ class Albums_Controller extends Items_Controller { log::success("content", "Created an album", html::anchor("albums/$new_album->id", "view album")); - message::success(t("Created album %album_title", array("album_title" => $new_album->title))); + message::success( + t("Created album %album_title", array("album_title" => p::clean($new_album->title)))); print json_encode( array("result" => "success", @@ -143,7 +144,8 @@ class Albums_Controller extends Items_Controller { user::active()->id); log::success("content", "Added a photo", html::anchor("photos/$photo->id", "view photo")); - message::success(t("Added photo %photo_title", array("photo_title" => $photo->title))); + message::success( + t("Added photo %photo_title", array("photo_title" => p::clean($photo->title)))); print json_encode( array("result" => "success", @@ -197,7 +199,8 @@ class Albums_Controller extends Items_Controller { module::event("item_updated", $orig, $album); log::success("content", "Updated album", "id\">view"); - message::success(t("Saved album %album_title", array("album_title" => $album->title))); + message::success( + t("Saved album %album_title", array("album_title" => p::clean($album->title)))); print json_encode( array("result" => "success", diff --git a/modules/gallery/controllers/movies.php b/modules/gallery/controllers/movies.php index d8cca825..30a5d78c 100644 
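Review bot: Escaping with `p::clean()` at the point where the `message::success()` / `log::success()` string is built, rather than where it is rendered, bakes the HTML-escaped title into the stored flash message and log record; every consumer must then print it unescaped, and any path that escapes again or shows the text outside an HTML page (e-mail, CLI, a plain-text log export) will double-encode it. The same construction is repeated in movies.php, photos.php, quick.php, organize.php, admin_server_add.php, admin_tags.php, admin_users.php, login.php, logout.php and password.php in this commit, so the contract deserves a comment at least once, e.g. `// message/log text is rendered as HTML: escape parameters here, never at output`, or better a `t()` that escapes its parameters so call sites cannot forget. The three hunks here each belong to a method that starts before the hunk.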
--- a/modules/gallery/controllers/movies.php +++ b/modules/gallery/controllers/movies.php @@ -94,7 +94,8 @@ class Movies_Controller extends Items_Controller { module::event("item_updated", $orig, $photo); log::success("content", "Updated photo", "id\">view"); - message::success(t("Saved photo %photo_title", array("photo_title" => $photo->title))); + message::success( + t("Saved photo %photo_title", array("photo_title" => p::clean($photo->title)))); print json_encode( array("result" => "success", diff --git a/modules/gallery/controllers/photos.php b/modules/gallery/controllers/photos.php index f5be5d59..6a62e859 100644 --- a/modules/gallery/controllers/photos.php +++ b/modules/gallery/controllers/photos.php @@ -87,7 +87,8 @@ class Photos_Controller extends Items_Controller { module::event("item_updated", $orig, $photo); log::success("content", "Updated photo", "id\">view"); - message::success(t("Saved photo %photo_title", array("photo_title" => $photo->title))); + message::success( + t("Saved photo %photo_title", array("photo_title" => p::clean($photo->title)))); print json_encode( array("result" => "success", diff --git a/modules/gallery/controllers/quick.php b/modules/gallery/controllers/quick.php index e89d9701..5d3d8885 100644 --- a/modules/gallery/controllers/quick.php +++ b/modules/gallery/controllers/quick.php @@ -89,7 +89,7 @@ class Quick_Controller extends Controller { access::required("view", $item->parent()); access::required("edit", $item->parent()); - $msg = t("Made %title this album's cover", array("title" => $item->title)); + $msg = t("Made %title this album's cover", array("title" => p::clean($item->title))); item::make_album_cover($item); message::success($msg); 
@@ -105,9 +105,10 @@ class Quick_Controller extends Controller { if ($item->is_album()) { print t( "Delete the album %title? All photos and movies in the album will also be deleted.", - array("title" => $item->title)); + array("title" => p::clean($item->title))); } else { - print t("Are you sure you want to delete %title?", array("title" => $item->title)); + print t("Are you sure you want to delete %title?", + array("title" => p::clean($item->title))); } $form = item::get_delete_form($item); @@ -121,9 +122,9 @@ class Quick_Controller extends Controller { access::required("edit", $item); if ($item->is_album()) { - $msg = t("Deleted album %title", array("title" => $item->title)); + $msg = t("Deleted album %title", array("title" => p::clean($item->title))); } else { - $msg = t("Deleted photo %title", array("title" => $item->title)); + $msg = t("Deleted photo %title", array("title" => p::clean($item->title))); } $item->delete(); diff --git a/modules/gallery/helpers/l10n_client.php b/modules/gallery/helpers/l10n_client.php index 20f81ecc..e153532c 100644 --- a/modules/gallery/helpers/l10n_client.php +++ b/modules/gallery/helpers/l10n_client.php @@ -112,7 +112,9 @@ class l10n_client_Core { // {key:, ...} // ] $count = count($response); - log::info("translations", "Installed $count new / updated translation messages"); + log::info("translations", + t2("Installed 1 new / updated translation message", + "Installed %count new / updated translation messages", $count)); foreach ($response as $message_data) { // @todo Better input validation diff --git a/modules/organize/controllers/organize.php b/modules/organize/controllers/organize.php index 57709cb5..5f80805c 100644 --- a/modules/organize/controllers/organize.php +++ b/modules/organize/controllers/organize.php 
@@ -283,10 +283,10 @@ class Organize_Controller extends Controller { if ($item->is_album()) { log::success("content", "Updated album", "id\">view"); - $message = t("Saved album %album_title", array("album_title" => $item->title)); + $message = t("Saved album %album_title", array("album_title" => p::clean($item->title))); } else { log::success("content", "Updated photo", "id\">view"); - $message = t("Saved photo %photo_title", array("photo_title" => $item->title)); + $message = t("Saved photo %photo_title", array("photo_title" => p::clean($item->title))); } print json_encode(array("form" => $form->__toString(), "message" => $message)); } else { @@ -325,7 +325,7 @@ class Organize_Controller extends Controller { module::event("item_updated", $orig, $item); log::success("content", "Updated album", "id\">view"); - $message = t("Saved album %album_title", array("album_title" => $item->title)); + $message = t("Saved album %album_title", array("album_title" => p::clean($item->title))); print json_encode(array("form" => $form->__toString(), "message" => $message)); } else { print json_encode(array("form" => $form->__toString())); diff --git a/modules/server_add/controllers/admin_server_add.php b/modules/server_add/controllers/admin_server_add.php index a3f9aa96..a30215b8 100644 --- a/modules/server_add/controllers/admin_server_add.php +++ b/modules/server_add/controllers/admin_server_add.php @@ -40,7 +40,7 @@ class Admin_Server_Add_Controller extends Admin_Controller { module::set_var("server_add", "authorized_paths", serialize($paths)); $form->add_path->inputs->path->value = ""; - message::success(t("Added path %path", array("path" => $path))); + message::success(t("Added path %path", array("path" => p::clean($path)))); server_add::check_config($paths); url::redirect("admin/server_add"); 
@@ -62,7 +62,7 @@ class Admin_Server_Add_Controller extends Admin_Controller { $path = $this->input->get("path"); $paths = unserialize(module::get_var("server_add", "authorized_paths")); unset($paths[$path]); - message::success(t("Removed path %path", array("path" => $path))); + message::success(t("Removed path %path", array("path" => p::clean($path)))); module::set_var("server_add", "authorized_paths", serialize($paths)); server_add::check_config($paths); diff --git a/modules/server_add/controllers/server_add.php b/modules/server_add/controllers/server_add.php index c92b4f7e..05ea5058 100644 --- a/modules/server_add/controllers/server_add.php +++ b/modules/server_add/controllers/server_add.php @@ -110,7 +110,7 @@ class Server_Add_Controller extends Controller { "url" => "", "task" => array( "id" => -1, "done" => 1, "percent_complete" => 100, - "status" => t("No Eligible files, import cancelled")))); + "status" => t("No eligible files, import cancelled")))); return; } diff --git a/modules/tag/controllers/admin_tags.php b/modules/tag/controllers/admin_tags.php index af5055ff..dcdc16b9 100644 --- a/modules/tag/controllers/admin_tags.php +++ b/modules/tag/controllers/admin_tags.php @@ -53,8 +53,8 @@ class Admin_Tags_Controller extends Admin_Controller { $name = $tag->name; Database::instance()->delete("items_tags", array("tag_id" => "$tag->id")); $tag->delete(); - message::success(t("Deleted tag %tag_name", array("tag_name" => $name))); - log::success("tags", t("Deleted tag %tag_name", array("tag_name" => $name))); + message::success(t("Deleted tag %tag_name", array("tag_name" => p::clean($name)))); + log::success("tags", t("Deleted tag %tag_name", array("tag_name" => p::clean($name)))); print json_encode( array("result" => "success", 
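Review bot: The remove-path handler mutates persistent configuration from a GET parameter (`$path = $this->input->get("path"); ... unset($paths[$path]); module::set_var("server_add", "authorized_paths", serialize($paths));`), and nothing in the hunk shows a CSRF check, so an authenticated admin who follows a crafted link would silently lose an authorized import path. The start of the method is outside the hunk; if a token check happens there this is a non-issue, otherwise the action should be POST-only or verify a request token before `unset()`. The escaped success message added on the `+` line does not change that.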
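Review bot: The tag-deletion hunk builds the identical `t("Deleted tag %tag_name", array("tag_name" => p::clean($name)))` twice, once for `message::success()` and once for `log::success()`, whereas the rename hunk just below computes `$message` once and reuses it. Following that pattern avoids translating and escaping the same string twice: `$message = t("Deleted tag %tag_name", array("tag_name" => p::clean($name)));` then `message::success($message);` and `log::success("tags", $message);`. The enclosing method starts before the hunk.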
@@ -98,7 +98,7 @@ class Admin_Tags_Controller extends Admin_Controller { $tag->save(); $message = t("Renamed tag %old_name to %new_name", - array("old_name" => $old_name, "new_name" => $tag->name)); + array("old_name" => p::clean($old_name), "new_name" => p::clean($tag->name))); message::success($message); log::success("tags", $message); diff --git a/modules/user/controllers/admin_users.php b/modules/user/controllers/admin_users.php index fe8061aa..b5dc6cb5 100644 --- a/modules/user/controllers/admin_users.php +++ b/modules/user/controllers/admin_users.php @@ -50,7 +50,7 @@ class Admin_Users_Controller extends Controller { } $user->save(); - message::success(t("Created user %user_name", array("user_name" => $user->name))); + message::success(t("Created user %user_name", array("user_name" => p::clean($user->name)))); print json_encode(array("result" => "success")); } else { print json_encode(array("result" => "error", @@ -83,7 +83,7 @@ class Admin_Users_Controller extends Controller { "form" => $form->__toString())); } - $message = t("Deleted user %user_name", array("user_name" => $name)); + $message = t("Deleted user %user_name", array("user_name" => p::clean($name))); log::success("user", $message); message::success($message); print json_encode(array("result" => "success")); @@ -139,7 +139,7 @@ class Admin_Users_Controller extends Controller { } $user->save(); - message::success(t("Changed user %user_name", array("user_name" => $user->name))); + message::success(t("Changed user %user_name", array("user_name" => p::clean($user->name)))); print json_encode(array("result" => "success")); } else { print json_encode(array("result" => "error", 
@@ -200,7 +200,8 @@ class Admin_Users_Controller extends Controller { if ($valid) { $group = group::create($new_name); $group->save(); - message::success(t("Created group %group_name", array("group_name" => $group->name))); + message::success( + t("Created group %group_name", array("group_name" => p::clean($group->name)))); print json_encode(array("result" => "success")); } else { print json_encode(array("result" => "error", @@ -229,7 +230,7 @@ class Admin_Users_Controller extends Controller { "form" => $form->__toString())); } - $message = t("Deleted group %group_name", array("group_name" => $name)); + $message = t("Deleted group %group_name", array("group_name" => p::clean($name))); log::success("group", $message); message::success($message); print json_encode(array("result" => "success")); @@ -266,10 +267,12 @@ class Admin_Users_Controller extends Controller { if ($valid) { $group->name = $form->edit_group->inputs["name"]->value; $group->save(); - message::success(t("Changed group %group_name", array("group_name" => $group->name))); + message::success( + t("Changed group %group_name", array("group_name" => p::clean($group->name)))); print json_encode(array("result" => "success")); } else { - message::error(t("Failed to change group %group_name", array("group_name" => $group->name))); + message::error( + t("Failed to change group %group_name", array("group_name" => p::clean($group->name)))); print json_encode(array("result" => "error", "form" => $form->__toString())); } diff --git a/modules/user/controllers/login.php b/modules/user/controllers/login.php index 54a7905e..4d901051 100644 --- a/modules/user/controllers/login.php +++ b/modules/user/controllers/login.php 
@@ -62,7 +62,8 @@ class Login_Controller extends Controller { if (!$user->loaded || !user::is_correct_password($user, $form->login->password->value)) { log::warning( "user", - t("Failed login for %name", array("name" => $form->login->inputs["name"]->value))); + t("Failed login for %name", + array("name" => p::clean($form->login->inputs["name"]->value)))); $form->login->inputs["name"]->add_error("invalid_login", 1); $valid = false; } @@ -70,7 +71,7 @@ class Login_Controller extends Controller { if ($valid) { user::login($user); - log::info("user", t("User %name logged in", array("name" => $user->name))); + log::info("user", t("User %name logged in", array("name" => p::clean($user->name)))); } // Either way, regenerate the session id to avoid session trapping diff --git a/modules/user/controllers/logout.php b/modules/user/controllers/logout.php index a541ed9b..63971789 100644 --- a/modules/user/controllers/logout.php +++ b/modules/user/controllers/logout.php @@ -23,8 +23,8 @@ class Logout_Controller extends Controller { $user = user::active(); user::logout(); - log::info("user", t("User %name logged out", array("name" => $user->name)), - html::anchor("user/$user->id", $user->name)); + log::info("user", t("User %name logged out", array("name" => p::clean($user->name))), + html::anchor("user/$user->id", p::clean($user->name))); if ($this->input->get("continue")) { $item = url::get_item_from_uri($this->input->get("continue")); if (access::can("view", $item)) { diff --git a/modules/user/controllers/password.php b/modules/user/controllers/password.php index 2dde11b8..ed3b9736 100644 --- a/modules/user/controllers/password.php +++ b/modules/user/controllers/password.php 
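Review bot: In the logout hunk the anchor title is now pre-escaped, `html::anchor("user/$user->id", p::clean($user->name))`, which is correct only if this Kohana version's `html::anchor()` leaves the title alone; if its escape-title option is on (or gets turned on later) the name is double-encoded in the log link. Worth pinning with a short comment, e.g. `// html::anchor() does not escape the title here, so clean it ourselves`, after confirming the helper's default. The failed-login hunk above logs an attacker-chosen name; `p::clean()` covers the HTML-rendered log view, but if that log also lands in a file or syslog, control characters in the name are not handled by HTML escaping (inferred, the log backend is not visible here). Both enclosing methods start before their hunks.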
@@ -72,7 +72,9 @@ class Password_Controller extends Controller { ->message($message->render()) ->send(); - log::success("user", "Password reset email sent for user $user->name"); + log::success( + "user", + t("Password reset email sent for user %name", array("name" => p::clean($user->name))); } else { // Don't include the username here until you're sure that it's XSS safe log::warning( -- cgit v1.2.3 From bafbe5a2d2848d6de3e758f4e5de4385c4dc7542 Mon Sep 17 00:00:00 2001 From: Andy Staudacher Date: Fri, 3 Jul 2009 14:58:33 -0700 Subject: Fix for ticket 510: i18n fixes - localize module / theme name in some status messages --- modules/gallery/controllers/admin_modules.php | 4 ++-- modules/gallery/controllers/admin_themes.php | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) (limited to 'modules/gallery/controllers') diff --git a/modules/gallery/controllers/admin_modules.php b/modules/gallery/controllers/admin_modules.php index dfa49a0e..af6dbbdc 100644 --- a/modules/gallery/controllers/admin_modules.php +++ b/modules/gallery/controllers/admin_modules.php @@ -40,11 +40,11 @@ class Admin_Modules_Controller extends Admin_Controller { $desired = $this->input->post($module_name) == 1; if ($info->active && !$desired && module::is_active($module_name)) { $changes->deactivate[] = $module_name; - $deactivated_names[] = $info->name; + $deactivated_names[] = t($info->name); module::deactivate($module_name); } else if (!$info->active && $desired && !module::is_active($module_name)) { $changes->activate[] = $module_name; - $activated_names[] = $info->name; + $activated_names[] = t($info->name); if (module::is_installed($module_name)) { module::upgrade($module_name); } else { diff --git a/modules/gallery/controllers/admin_themes.php b/modules/gallery/controllers/admin_themes.php index 538e5c8d..da001c55 100644 --- a/modules/gallery/controllers/admin_themes.php +++ b/modules/gallery/controllers/admin_themes.php 
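Review bot: The success-path log entry now applies `p::clean($user->name)`, while the else branch immediately below (its `log::warning(` call continues outside the hunk) still carries the comment "Don't include the username here until you're sure that it's XSS safe"; that comment is now answered by the line above it and should either be resolved the same way or updated to say why the warning path is deliberately left without the name. Wrapping the log line in `t()` also means the stored record is localized to the locale of whoever triggered the reset, which matches `log::success("tags", t(...))` elsewhere in this commit but not the plain-string `log::success("content", "Updated photo", ...)` calls; a one-line convention note would stop the two styles from drifting further.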
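Review bot: `t($info->name)` passes a runtime value as the translation key in both the deactivate and activate branches, so these module display names cannot be found by a scanner that collects literal `t()` arguments; this only works if module names are registered for translation somewhere else, which is not visible here. A comment at the first occurrence saying where the translatable source of `$info->name` lives would keep the next reader from "fixing" it back to a literal. The same construction is used for theme names in the admin_themes.php hunk that follows.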
@@ -69,11 +69,11 @@ class Admin_Themes_Controller extends Admin_Controller { if ($type == "admin" && $info->admin) { module::set_var("gallery", "active_admin_theme", $theme_name); message::success(t("Successfully changed your admin theme to %theme_name", - array("theme_name" => $info->name))); + array("theme_name" => t($info->name)))); } else if ($type == "site" && $info->site) { module::set_var("gallery", "active_site_theme", $theme_name); message::success(t("Successfully changed your Gallery theme to %theme_name", - array("theme_name" => $info->name))); + array("theme_name" => t($info->name)))); } url::redirect("admin/themes"); -- cgit v1.2.3