From b7700d1eec02caa794629adcc0555d7c9f0c1414 Mon Sep 17 00:00:00 2001 From: Bharat Mediratta Date: Sun, 8 Aug 2010 09:57:13 -0700 Subject: Require the size parameter. Optional params are confusing. And be robust in the face of a missing data file (movies and albums lack resize, albums lack full size, some albums don't have a thumb if they have no contents, etc) --- modules/gallery/helpers/data_rest.php | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) (limited to 'modules/gallery/helpers') diff --git a/modules/gallery/helpers/data_rest.php b/modules/gallery/helpers/data_rest.php index e45a4645..48de2a3a 100644 --- a/modules/gallery/helpers/data_rest.php +++ b/modules/gallery/helpers/data_rest.php @@ -23,7 +23,11 @@ class data_rest_Core { access::required("view", $item); $p = $request->params; - switch (isset($p->size) ? $p->size : "full") { + if (!isset($p->size) || !in_array($p->size, array("thumb", "resize", "full"))) { + throw new Rest_Exception("Bad Request", 400, array("errors" => array("size" => "invalid"))); + } + + switch ($p->size) { case "thumb": $entity = array( "width" => $item->thumb_width, @@ -38,7 +42,6 @@ class data_rest_Core { "path" => $item->resize_path()); break; - default: case "full": $entity = array( "width" => $item->width, @@ -47,8 +50,13 @@ class data_rest_Core { break; } - $entity["size"] = filesize($entity["path"]); - $entity["contents"] = file_get_contents($entity["path"]); + if (file_exists($entity["path"]) && is_file($entity["path"])) { + $entity["size"] = filesize($entity["path"]); + $entity["contents"] = file_get_contents($entity["path"]); + } else { + $entity["size"] = null; + $entity["contents"] = null; + } unset($entity["path"]); $result = array( -- cgit v1.2.3 From 9b5e058dd3a7d0d08fa0fad954a1908b9949e934 Mon Sep 17 00:00:00 2001 From: Bharat Mediratta Date: Sun, 8 Aug 2010 15:01:38 -0700 Subject: We can always send back the header because Kohana buffers output. --- modules/gallery/helpers/json.php | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) (limited to 'modules/gallery/helpers') diff --git a/modules/gallery/helpers/json.php b/modules/gallery/helpers/json.php index a39db27a..a88608aa 100644 --- a/modules/gallery/helpers/json.php +++ b/modules/gallery/helpers/json.php @@ -25,9 +25,7 @@ class json_Core { * @param mixed $message string or object to json encode and print */ static function reply($message) { - if (!headers_sent()) { - header("Content-Type: application/json; charset=" . Kohana::CHARSET); - } + header("Content-Type: application/json; charset=" . Kohana::CHARSET); print json_encode($message); } } \ No newline at end of file -- cgit v1.2.3 From 2dda8e22a7a32db8a5577aad0cff2b47ac0f9c63 Mon Sep 17 00:00:00 2001 From: Bharat Mediratta Date: Sun, 8 Aug 2010 16:54:31 -0700 Subject: Use the gallery helper date/time functions wherever we format date time for the browser. Fixes ticket #1278. --- modules/comment/views/comments.html.php | 6 +++--- modules/comment/views/user_profile_comments.html.php | 4 ++-- modules/gallery/helpers/gallery.php | 4 ++-- modules/gallery/tests/xss_data.txt | 2 +- modules/info/views/info_block.html.php | 2 +- 5 files changed, 9 insertions(+), 9 deletions(-) (limited to 'modules/gallery/helpers') diff --git a/modules/comment/views/comments.html.php b/modules/comment/views/comments.html.php index da45f57b..b524f5da 100644 --- a/modules/comment/views/comments.html.php +++ b/modules/comment/views/comments.html.php @@ -36,11 +36,11 @@ author()->guest): ?> date("Y-M-d H:i:s", $comment->created), - "name" => html::clean($comment->author_name()))); ?> + array("date" => gallery::date_time($comment->created), + "name" => html::clean($comment->author_name()))); ?> %name said', - array("date" => date("Y-M-d H:i:s", $comment->created), + array("date" => gallery::date_time($comment->created), "url" => user_profile::url($comment->author_id), "name" => html::clean($comment->author_name()))); ?> diff --git a/modules/comment/views/user_profile_comments.html.php b/modules/comment/views/user_profile_comments.html.php index a2a641ba..377b2d95 100644 --- a/modules/comment/views/user_profile_comments.html.php +++ b/modules/comment/views/user_profile_comments.html.php @@ -4,8 +4,8 @@

  • - date("Y-M-d H:i:s", $comment->created), + gallery::date_time($comment->created), "title" => $comment->item()->title)); ?> item()->thumb_img(array(), 50) ?> diff --git a/modules/gallery/helpers/gallery.php b/modules/gallery/helpers/gallery.php index 54d16322..3f83b23d 100644 --- a/modules/gallery/helpers/gallery.php +++ b/modules/gallery/helpers/gallery.php @@ -60,7 +60,7 @@ class gallery_Core { * @return string */ static function date_time($timestamp) { - return date(module::get_var("gallery", "date_time_format", "Y-M-d H:i:s"), $timestamp); + return date(module::get_var("gallery", "date_time_format"), $timestamp); } /** @@ -69,7 +69,7 @@ class gallery_Core { * @return string */ static function date($timestamp) { - return date(module::get_var("gallery", "date_format", "Y-M-d"), $timestamp); + return date(module::get_var("gallery", "date_format"), $timestamp); } /** diff --git a/modules/gallery/tests/xss_data.txt b/modules/gallery/tests/xss_data.txt index f135c522..ef92970b 100644 --- a/modules/gallery/tests/xss_data.txt +++ b/modules/gallery/tests/xss_data.txt @@ -267,7 +267,7 @@ modules/gallery/views/user_profile.html.php 34 DIRTY_ATTR $use modules/gallery/views/user_profile.html.php 43 DIRTY $info->view modules/image_block/views/image_block_block.html.php 3 DIRTY_JS $item->url() modules/image_block/views/image_block_block.html.php 4 DIRTY $item->thumb_img(array("class"=>"g-thumbnail")) -modules/info/views/info_block.html.php 22 DIRTY date("M j, Y H:i:s",$item->captured) +modules/info/views/info_block.html.php 22 DIRTY gallery::date_time($item->captured) modules/info/views/info_block.html.php 29 DIRTY_JS $item->owner->url modules/notification/views/comment_published.html.php 28 DIRTY_JS $comment->item()->abs_url() modules/notification/views/comment_published.html.php 29 DIRTY $comment->item()->abs_url() diff --git a/modules/info/views/info_block.html.php b/modules/info/views/info_block.html.php index ac177ee7..ebe9bd28 100644 --- a/modules/info/views/info_block.html.php +++ b/modules/info/views/info_block.html.php @@ -19,7 +19,7 @@ captured): ?>

  • - captured)?> + captured)?>
    • owner): ?> -- cgit v1.2.3 From 6a8c1f5e855b1c4d768524e6e542218c234df6d3 Mon Sep 17 00:00:00 2001 From: Bharat Mediratta Date: Sun, 8 Aug 2010 17:19:51 -0700 Subject: whitespace fix. --- modules/gallery/helpers/identity.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'modules/gallery/helpers') diff --git a/modules/gallery/helpers/identity.php b/modules/gallery/helpers/identity.php index 5f1664ec..4febc4e2 100644 --- a/modules/gallery/helpers/identity.php +++ b/modules/gallery/helpers/identity.php @@ -66,7 +66,8 @@ class identity_Core { // The installer cannot set a user into the session, so it just sets an id which we should // upconvert into a user. - // @todo set the user name into the session instead of 2 and then use it to get the user object + // @todo set the user name into the session instead of 2 and then use it to get the + // user object if ($user === 2) { auth::login(IdentityProvider::instance()->admin_user()); } -- cgit v1.2.3 From acb1faaa594fc5067c4340e073afca3b83f819d4 Mon Sep 17 00:00:00 2001 From: Bharat Mediratta Date: Sun, 8 Aug 2010 17:25:31 -0700 Subject: Cache the group ids for a day to trade off performance for security updates. Fixes ticket #1227. --- modules/gallery/helpers/identity.php | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'modules/gallery/helpers') diff --git a/modules/gallery/helpers/identity.php b/modules/gallery/helpers/identity.php index 4febc4e2..5de05948 100644 --- a/modules/gallery/helpers/identity.php +++ b/modules/gallery/helpers/identity.php @@ -72,12 +72,14 @@ class identity_Core { auth::login(IdentityProvider::instance()->admin_user()); } - if (!$session->get("group_ids")) { + // Cache the group ids for a day to trade off performance for security updates. + if (!$session->get("group_ids") || $session->get("group_ids_timeout", 0) < time()) { $ids = array(); foreach ($user->groups() as $group) { $ids[] = $group->id; } $session->set("group_ids", $ids); + $session->set("group_ids_timeout", time() + 86400); } } catch (Exception $e) { // Log it, so we at least have so notification that we swallowed the exception. -- cgit v1.2.3