From b46998e392bbf52fadc9c8e13271d911dff01cbe Mon Sep 17 00:00:00 2001
From: Bharat Mediratta
Date: Thu, 16 Jul 2009 10:24:10 -0700
Subject: Update Xss_Security_Test to know about p::purify() and checkpoint the
golden file.
---
modules/gallery/tests/Xss_Security_Test.php | 2 +-
modules/gallery/tests/xss_data.txt | 93 ++++++++++++++++-------------
2 files changed, 51 insertions(+), 44 deletions(-)
(limited to 'modules/gallery/tests')
diff --git a/modules/gallery/tests/Xss_Security_Test.php b/modules/gallery/tests/Xss_Security_Test.php
index e179482c..9bde11dc 100644
--- a/modules/gallery/tests/Xss_Security_Test.php
+++ b/modules/gallery/tests/Xss_Security_Test.php
@@ -36,7 +36,7 @@ class Xss_Security_Test extends Unit_Test_Case {
// If we find a "(" after a "p::clean" then start counting levels of parens and assume
// that we're inside a p::clean() call until we find the matching close paren.
- if ($token[0] == "(" && $str == "p::clean") {
+ if ($token[0] == "(" && ($str == "p::clean" || $str == "p::purify")) {
$in_p_clean = 1;
} else if ($token[0] == "(" && $in_p_clean) {
$in_p_clean++;
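Review bot: The comment above the changed condition still describes only `p::clean`, and the `$in_p_clean` counter now also covers `p::purify()` calls, so the scanner's documentation no longer matches what it whitelists. I would update the comment to `// If we find a "(" after "p::clean" or "p::purify" then start counting levels of parens and assume` and consider renaming the counter in a follow-up. The scanner also treats the two helpers as equally safe in every output context. If `p::purify()` lets some markup through (its implementation is not shown here), a use inside an HTML attribute would be recorded as clean in the golden file. The enclosing method starts and ends outside this hunk.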
diff --git a/modules/gallery/tests/xss_data.txt b/modules/gallery/tests/xss_data.txt
index 982343f6..d1167555 100644
--- a/modules/gallery/tests/xss_data.txt
+++ b/modules/gallery/tests/xss_data.txt
@@ -141,22 +141,28 @@ modules/gallery/views/admin_maintenance.html.php 75 DIRTY $task->na
modules/gallery/views/admin_maintenance.html.php 86 DIRTY $task->percent_complete
modules/gallery/views/admin_maintenance.html.php 90 DIRTY $task->status
modules/gallery/views/admin_maintenance.html.php 93 $task->owner()->name
-modules/gallery/views/admin_maintenance.html.php 97 DIRTY $task->id
-modules/gallery/views/admin_maintenance.html.php 97 DIRTY $csrf
-modules/gallery/views/admin_maintenance.html.php 101 DIRTY $task->id
-modules/gallery/views/admin_maintenance.html.php 101 DIRTY $csrf
-modules/gallery/views/admin_maintenance.html.php 113 DIRTY $csrf
-modules/gallery/views/admin_maintenance.html.php 140 DIRTY $task->state
-modules/gallery/views/admin_maintenance.html.php 142 DIRTY $task->updated
-modules/gallery/views/admin_maintenance.html.php 145 DIRTY $task->name
-modules/gallery/views/admin_maintenance.html.php 157 DIRTY $task->status
-modules/gallery/views/admin_maintenance.html.php 160 DIRTY $task->owner()->name
-modules/gallery/views/admin_maintenance.html.php 164 DIRTY $task->id
-modules/gallery/views/admin_maintenance.html.php 164 DIRTY $csrf
-modules/gallery/views/admin_maintenance.html.php 168 DIRTY $task->id
-modules/gallery/views/admin_maintenance.html.php 168 DIRTY $csrf
-modules/gallery/views/admin_maintenance.html.php 171 DIRTY $task->id
-modules/gallery/views/admin_maintenance.html.php 171 DIRTY $csrf
+modules/gallery/views/admin_maintenance.html.php 98 DIRTY $task->id
+modules/gallery/views/admin_maintenance.html.php 98 DIRTY $csrf
+modules/gallery/views/admin_maintenance.html.php 102 DIRTY $task->id
+modules/gallery/views/admin_maintenance.html.php 102 DIRTY $csrf
+modules/gallery/views/admin_maintenance.html.php 115 DIRTY $csrf
+modules/gallery/views/admin_maintenance.html.php 142 DIRTY $task->state
+modules/gallery/views/admin_maintenance.html.php 144 DIRTY $task->updated
+modules/gallery/views/admin_maintenance.html.php 147 DIRTY $task->name
+modules/gallery/views/admin_maintenance.html.php 159 DIRTY $task->status
+modules/gallery/views/admin_maintenance.html.php 162 DIRTY $task->owner()->name
+modules/gallery/views/admin_maintenance.html.php 166 DIRTY $task->id
+modules/gallery/views/admin_maintenance.html.php 166 DIRTY $csrf
+modules/gallery/views/admin_maintenance.html.php 170 DIRTY $task->id
+modules/gallery/views/admin_maintenance.html.php 170 DIRTY $csrf
+modules/gallery/views/admin_maintenance.html.php 175 DIRTY $task->id
+modules/gallery/views/admin_maintenance.html.php 175 DIRTY $csrf
+modules/gallery/views/admin_maintenance.html.php 178 DIRTY $task->id
+modules/gallery/views/admin_maintenance.html.php 178 DIRTY $csrf
+modules/gallery/views/admin_maintenance_show_log.html.php 8 DIRTY $task->id
+modules/gallery/views/admin_maintenance_show_log.html.php 8 DIRTY $csrf
+modules/gallery/views/admin_maintenance_show_log.html.php 13 DIRTY $task->name
+modules/gallery/views/admin_maintenance_show_log.html.php 15 $task->get_log()
modules/gallery/views/admin_maintenance_task.html.php 5 DIRTY $task->id
modules/gallery/views/admin_maintenance_task.html.php 5 DIRTY $csrf
modules/gallery/views/admin_maintenance_task.html.php 26 DIRTY $task->name
@@ -201,10 +207,10 @@ modules/gallery/views/admin_themes_preview.html.php 4 DIRTY $info->na
modules/gallery/views/admin_themes_preview.html.php 7 DIRTY $url
modules/gallery/views/after_install.html.php 11 $user->name
modules/gallery/views/after_install.html.php 15 DIRTY $user->id
-modules/gallery/views/kohana_error_page.php 98 DIRTY $message
-modules/gallery/views/kohana_error_page.php 100 DIRTY $file
-modules/gallery/views/kohana_error_page.php 100 DIRTY $line
-modules/gallery/views/kohana_error_page.php 112 DIRTY $trace
+modules/gallery/views/kohana_error_page.php 102 DIRTY $message
+modules/gallery/views/kohana_error_page.php 104 DIRTY $file
+modules/gallery/views/kohana_error_page.php 104 DIRTY $line
+modules/gallery/views/kohana_error_page.php 116 DIRTY $trace
modules/gallery/views/kohana_profiler.php 32 DIRTY $profile->render()
modules/gallery/views/kohana_profiler.php 34 DIRTY $execution_time
modules/gallery/views/l10n_client.html.php 17 DIRTY $string
@@ -212,8 +218,8 @@ modules/gallery/views/l10n_client.html.php 19 DIRTY $string
modules/gallery/views/l10n_client.html.php 20 DIRTY $string
modules/gallery/views/l10n_client.html.php 22 DIRTY $string
modules/gallery/views/l10n_client.html.php 28 DIRTY $l10n_search_form
-modules/gallery/views/l10n_client.html.php 72 DIRTY $string_list
-modules/gallery/views/l10n_client.html.php 73 DIRTY $plural_forms
+modules/gallery/views/l10n_client.html.php 74 DIRTY $string_list
+modules/gallery/views/l10n_client.html.php 75 DIRTY $plural_forms
modules/gallery/views/move_browse.html.php 4 DIRTY $source->id
modules/gallery/views/move_browse.html.php 39 DIRTY $tree
modules/gallery/views/move_browse.html.php 42 DIRTY $source->id
@@ -280,8 +286,8 @@ modules/gallery/views/simple_uploader.html.php 7 DIRTY $csrf
modules/gallery/views/simple_uploader.html.php 9 $item->title
modules/gallery/views/simple_uploader.html.php 29 $parent->title
modules/gallery/views/simple_uploader.html.php 31 $item->title
-modules/gallery/views/simple_uploader.html.php 85 DIRTY $item->id
-modules/gallery/views/simple_uploader.html.php 89 DIRTY $csrf
+modules/gallery/views/simple_uploader.html.php 86 DIRTY $item->id
+modules/gallery/views/simple_uploader.html.php 90 DIRTY $csrf
modules/gallery/views/upgrader.html.php 44 DIRTY $module->version
modules/gallery/views/upgrader.html.php 44 DIRTY $module->code_version
modules/gallery/views/upgrader.html.php 45 DIRTY $id
@@ -417,16 +423,17 @@ modules/server_add/views/admin_server_add.html.php 14 DIRTY $csrf
modules/server_add/views/admin_server_add.html.php 15 DIRTY $id
modules/server_add/views/admin_server_add.html.php 19 DIRTY $path
modules/server_add/views/admin_server_add.html.php 24 DIRTY $form
-modules/server_add/views/server_add_tree.html.php 4 DIRTY $tree_id
-modules/server_add/views/server_add_tree.html.php 6 DIRTY $file_info
-modules/server_add/views/server_add_tree.html.php 10 $file_info
-modules/server_add/views/server_add_tree.html.php 10 DIRTY $checked
-modules/server_add/views/server_add_tree.html.php 10 $file
-modules/server_add/views/server_add_tree_dialog.html.php 10 $album_title
-modules/server_add/views/server_add_tree_dialog.html.php 15 $parent->title
-modules/server_add/views/server_add_tree_dialog.html.php 17 $album_title
-modules/server_add/views/server_add_tree_dialog.html.php 20 DIRTY $action
-modules/server_add/views/server_add_tree_dialog.html.php 22 DIRTY $tree
+modules/server_add/views/server_add_tree.html.php 12 DIRTY $dir
+modules/server_add/views/server_add_tree.html.php 13 DIRTY $dir
+modules/server_add/views/server_add_tree.html.php 20 DIRTY $file
+modules/server_add/views/server_add_tree.html.php 25 DIRTY $file
+modules/server_add/views/server_add_tree.html.php 27 $file
+modules/server_add/views/server_add_tree_dialog.html.php 4 DIRTY $item->id
+modules/server_add/views/server_add_tree_dialog.html.php 4 DIRTY $csrf
+modules/server_add/views/server_add_tree_dialog.html.php 8 $item->title
+modules/server_add/views/server_add_tree_dialog.html.php 14 $parent->title
+modules/server_add/views/server_add_tree_dialog.html.php 18 $item->title
+modules/server_add/views/server_add_tree_dialog.html.php 23 DIRTY $tree
modules/tag/views/admin_tags.html.php 13 DIRTY $csrf
modules/tag/views/admin_tags.html.php 27 DIRTY $tags->count()
modules/tag/views/admin_tags.html.php 35 DIRTY $current_letter
@@ -501,14 +508,14 @@ themes/admin_default/views/admin.html.php 37 DIRTY $theme->a
themes/admin_default/views/admin.html.php 43 DIRTY $theme->site_status()
themes/admin_default/views/admin.html.php 45 DIRTY $theme->admin_header_top()
themes/admin_default/views/admin.html.php 48 DIRTY $csrf
-themes/admin_default/views/admin.html.php 52 DIRTY $theme->admin_menu()
-themes/admin_default/views/admin.html.php 54 DIRTY $theme->admin_header_bottom()
-themes/admin_default/views/admin.html.php 60 DIRTY $theme->messages()
-themes/admin_default/views/admin.html.php 61 DIRTY $content
-themes/admin_default/views/admin.html.php 67 DIRTY $sidebar
-themes/admin_default/views/admin.html.php 72 DIRTY $theme->admin_footer()
-themes/admin_default/views/admin.html.php 74 DIRTY $theme->admin_credits()
-themes/admin_default/views/admin.html.php 78 DIRTY $theme->admin_page_bottom()
+themes/admin_default/views/admin.html.php 54 DIRTY $theme->admin_menu()
+themes/admin_default/views/admin.html.php 56 DIRTY $theme->admin_header_bottom()
+themes/admin_default/views/admin.html.php 62 DIRTY $theme->messages()
+themes/admin_default/views/admin.html.php 63 DIRTY $content
+themes/admin_default/views/admin.html.php 69 DIRTY $sidebar
+themes/admin_default/views/admin.html.php 74 DIRTY $theme->admin_footer()
+themes/admin_default/views/admin.html.php 76 DIRTY $theme->admin_credits()
+themes/admin_default/views/admin.html.php 80 DIRTY $theme->admin_page_bottom()
themes/admin_default/views/block.html.php 2 DIRTY $id
themes/admin_default/views/block.html.php 2 DIRTY $css_id
themes/admin_default/views/block.html.php 5 DIRTY $id
@@ -544,7 +551,7 @@ themes/default/views/block.html.php 3 DIRTY $css_id
themes/default/views/block.html.php 4 DIRTY $title
themes/default/views/block.html.php 6 DIRTY $content
themes/default/views/dynamic.html.php 4 DIRTY $theme->dynamic_top()
-themes/default/views/dynamic.html.php 6 $tag->name
+themes/default/views/dynamic.html.php 6 $title
themes/default/views/dynamic.html.php 11 DIRTY $child->is_album()
themes/default/views/dynamic.html.php 12 DIRTY $theme->thumb_top($child)
themes/default/views/dynamic.html.php 13 DIRTY $child->url()
--
cgit v1.2.3
From 5b3b675b6d8a1cd9a5f2b9455c551791e18d88ff Mon Sep 17 00:00:00 2001
From: Bharat Mediratta
Date: Thu, 16 Jul 2009 11:19:34 -0700
Subject: Non-trivial changes to the event handling code:
1) The item_updated event no longer takes the old and new items.
Instead we overload ORM to track the original data and make
that available via the item. This will allow us to move event
publishing down into the API methods which in turn will give us
more stability since we won't require each controller to remember
to do it.
2) ORM class now tracks the original values. It doesn't track
the original relationships (no need for that, yet)
3) Added new events:
item_deleted
group_deleted
user_deleted
---
modules/akismet/helpers/akismet_event.php | 6 ++---
modules/comment/controllers/admin_comments.php | 4 ++--
modules/comment/helpers/comment_event.php | 2 +-
modules/exif/helpers/exif_event.php | 2 +-
modules/g2_import/helpers/g2_import_event.php | 2 +-
modules/gallery/controllers/albums.php | 2 +-
modules/gallery/controllers/movies.php | 2 +-
modules/gallery/controllers/photos.php | 2 +-
modules/gallery/helpers/gallery_event.php | 4 ++--
modules/gallery/libraries/MY_ORM.php | 27 +++++++++++++++++++++-
modules/gallery/models/item.php | 3 +++
modules/gallery/tests/Item_Model_Test.php | 16 +++++++++++++
modules/notification/helpers/notification.php | 19 ++++++++-------
.../notification/helpers/notification_event.php | 10 ++++----
modules/notification/helpers/notification_menu.php | 2 +-
modules/notification/views/item_updated.html.php | 16 ++++++-------
modules/organize/controllers/organize.php | 4 ++--
modules/search/helpers/search_event.php | 6 ++---
modules/tag/helpers/tag_event.php | 2 +-
modules/user/models/group.php | 2 ++
modules/user/models/user.php | 2 ++
21 files changed, 91 insertions(+), 44 deletions(-)
(limited to 'modules/gallery/tests')
diff --git a/modules/akismet/helpers/akismet_event.php b/modules/akismet/helpers/akismet_event.php
index 80fe0127..bffc0fd7 100644
--- a/modules/akismet/helpers/akismet_event.php
+++ b/modules/akismet/helpers/akismet_event.php
@@ -40,14 +40,14 @@ class akismet_event_Core {
$comment->save();
}
- static function comment_updated($old, $new) {
+ static function comment_updated($comment) {
if (!module::get_var("akismet", "api_key")) {
return;
}
- if ($old->state != "spam" && $new->state == "spam") {
+ if ($comment->original("state") != "spam" && $comment->state == "spam") {
akismet::submit_spam($new);
- } else if ($old->state == "spam" && $new->state != "spam") {
+ } else if ($comment->original("state") == "spam" && $comment->state != "spam") {
akismet::submit_ham($new);
}
}
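Review bot: The two unchanged calls `akismet::submit_spam($new);` and `akismet::submit_ham($new);` still use `$new`, which is undefined now that the signature is `comment_updated($comment)`. The spam/ham feedback would be sent with a null argument, or fail, instead of the comment. Both should read `akismet::submit_spam($comment);` and `akismet::submit_ham($comment);`. The same leftover is in `notification_event_Core::comment_updated($item)` in modules/notification/helpers/notification_event.php, where `notification::send_comment_published($new);` should pass `$item`.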
diff --git a/modules/comment/controllers/admin_comments.php b/modules/comment/controllers/admin_comments.php
index 3e8d3c46..ea76b188 100644
--- a/modules/comment/controllers/admin_comments.php
+++ b/modules/comment/controllers/admin_comments.php
@@ -113,8 +113,8 @@ class Admin_Comments_Controller extends Admin_Controller {
if ($comment->loaded) {
$comment->state = $state;
$comment->save();
- module::event("comment_updated", $orig, $comment);
- if ($orig->state == "published" || $comment->state == "published") {
+ module::event("comment_updated", $comment);
+ if ($comment->original("state") == "published" || $comment->state == "published") {
module::event("item_related_update", $comment->item());
}
}
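Review bot: `$comment->original("state")` is read after `$comment->save()`, but the new `ORM::save()` in modules/gallery/libraries/MY_ORM.php assigns `$this->original = $this->object` once the parent save returns, so at this point the original state equals the new state. The `== "published"` check can then no longer see a comment that was published before the change. Every `comment_updated` and `item_updated` handler fired after `save()` has the same problem (the Akismet spam/ham transition, the notification subject and the "New Title" branch of item_updated.html.php), since old and new values always compare equal. For this controller, capture the value first, e.g. `$was_published = $comment->original("state") == "published";` before `$comment->save();`. For the handlers, the reset in `save()` has to be deferred until after the events are published, or the snapshot has to be kept in a separate field. The enclosing method starts outside this hunk.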
diff --git a/modules/comment/helpers/comment_event.php b/modules/comment/helpers/comment_event.php
index a3beb27a..3850a001 100644
--- a/modules/comment/helpers/comment_event.php
+++ b/modules/comment/helpers/comment_event.php
@@ -18,7 +18,7 @@
* Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA.
*/
class comment_event_Core {
- static function item_before_delete($item) {
+ static function item_deleted($item) {
Database::instance()->delete("comments", array("item_id" => $item->id));
}
}
diff --git a/modules/exif/helpers/exif_event.php b/modules/exif/helpers/exif_event.php
index f5677653..24243f4d 100644
--- a/modules/exif/helpers/exif_event.php
+++ b/modules/exif/helpers/exif_event.php
@@ -22,7 +22,7 @@ class exif_event_Core {
exif::extract($item);
}
- static function item_before_delete($item) {
+ static function item_deleted($item) {
Database::instance()->delete("exif_records", array("item_id" => $item->id));
}
}
diff --git a/modules/g2_import/helpers/g2_import_event.php b/modules/g2_import/helpers/g2_import_event.php
index 13f5b1a0..77b489a7 100644
--- a/modules/g2_import/helpers/g2_import_event.php
+++ b/modules/g2_import/helpers/g2_import_event.php
@@ -18,7 +18,7 @@
* Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA.
*/
class g2_import_event_Core {
- static function item_before_delete($item) {
+ static function item_deleted($item) {
Database::instance()->delete("g2_maps", array("g3_id" => $item->id));
}
diff --git a/modules/gallery/controllers/albums.php b/modules/gallery/controllers/albums.php
index e6d01b90..c378e3ce 100644
--- a/modules/gallery/controllers/albums.php
+++ b/modules/gallery/controllers/albums.php
@@ -192,7 +192,7 @@ class Albums_Controller extends Items_Controller {
}
$album->save();
- module::event("item_updated", $orig, $album);
+ module::event("item_updated", $album);
log::success("content", "Updated album", "id\">view ");
message::success(
diff --git a/modules/gallery/controllers/movies.php b/modules/gallery/controllers/movies.php
index 30a5d78c..fc511082 100644
--- a/modules/gallery/controllers/movies.php
+++ b/modules/gallery/controllers/movies.php
@@ -91,7 +91,7 @@ class Movies_Controller extends Items_Controller {
$photo->rename($form->edit_photo->filename->value);
$photo->save();
- module::event("item_updated", $orig, $photo);
+ module::event("item_updated", $photo);
log::success("content", "Updated photo", "id\">view ");
message::success(
diff --git a/modules/gallery/controllers/photos.php b/modules/gallery/controllers/photos.php
index 6a62e859..77627009 100644
--- a/modules/gallery/controllers/photos.php
+++ b/modules/gallery/controllers/photos.php
@@ -84,7 +84,7 @@ class Photos_Controller extends Items_Controller {
$photo->rename($form->edit_photo->filename->value);
$photo->save();
- module::event("item_updated", $orig, $photo);
+ module::event("item_updated", $photo);
log::success("content", "Updated photo", "id\">view ");
message::success(
diff --git a/modules/gallery/helpers/gallery_event.php b/modules/gallery/helpers/gallery_event.php
index aa11b7c0..2f3a64d3 100644
--- a/modules/gallery/helpers/gallery_event.php
+++ b/modules/gallery/helpers/gallery_event.php
@@ -23,7 +23,7 @@ class gallery_event_Core {
access::add_group($group);
}
- static function group_before_delete($group) {
+ static function group_deleted($group) {
access::delete_group($group);
}
@@ -31,7 +31,7 @@ class gallery_event_Core {
access::add_item($item);
}
- static function item_before_delete($item) {
+ static function item_deleted($item) {
access::delete_item($item);
}
diff --git a/modules/gallery/libraries/MY_ORM.php b/modules/gallery/libraries/MY_ORM.php
index 2bd9b4eb..319cbe09 100644
--- a/modules/gallery/libraries/MY_ORM.php
+++ b/modules/gallery/libraries/MY_ORM.php
@@ -18,6 +18,9 @@
* Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA.
*/
class ORM extends ORM_Core {
+ // Track the original value of this ORM instance so that we can look it up in ORM::original()
+ protected $original = null;
+
public function open_paren() {
$this->db->open_paren();
return $this;
@@ -30,7 +33,29 @@ class ORM extends ORM_Core {
public function save() {
model_cache::clear($this->object_name, $this->{$this->primary_key}, $this->primary_key);
- return parent::save();
+ $result = parent::save();
+ $this->original = $this->object;
+ return $result;
+ }
+
+ public function __set($column, $value) {
+ if (!isset($this->original)) {
+ $this->original = $this->object;
+ }
+
+ return parent::__set($column, $value);
+ }
+
+ public function __unset($column) {
+ if (!isset($this->original)) {
+ $this->original = $this->object;
+ }
+
+ return parent::__unset($column);
+ }
+
+ public function original($column) {
+ return $this->original[$column];
}
}
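Review bot: `original($column)` indexes `$this->original` unconditionally, but that property stays `null` until the first `__set()`, `__unset()` or `save()` on the instance. A record that was loaded and passed to a handler without modification returns `null` for every column, so a check such as `original("state") != "spam"` evaluates to true for it. Falling back to the live data keeps the "unchanged" case consistent: `return isset($this->original) ? $this->original[$column] : $this->object[$column];`. A short docblock on `original()` should also state that relationships are not tracked and that the snapshot is replaced on `save()`.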
diff --git a/modules/gallery/models/item.php b/modules/gallery/models/item.php
index 51037073..80f19d26 100644
--- a/modules/gallery/models/item.php
+++ b/modules/gallery/models/item.php
@@ -93,6 +93,7 @@ class Item_Model extends ORM_MPTT {
}
public function delete() {
+ $old = clone $this;
module::event("item_before_delete", $this);
$parent = $this->parent();
@@ -114,6 +115,8 @@ class Item_Model extends ORM_MPTT {
@unlink($resize_path);
@unlink($thumb_path);
}
+
+ module::event("item_deleted", $old);
}
/**
diff --git a/modules/gallery/tests/Item_Model_Test.php b/modules/gallery/tests/Item_Model_Test.php
index 615b8997..a21cdc13 100644
--- a/modules/gallery/tests/Item_Model_Test.php
+++ b/modules/gallery/tests/Item_Model_Test.php
@@ -140,4 +140,20 @@ class Item_Model_Test extends Unit_Test_Case {
}
$this->assert_false(true, "Item_Model::rename should not accept / characters");
}
+
+ public function save_original_values_test() {
+ print "START\n";
+ $item = $this->create_random_item();
+ $item->title = "ORIGINAL_VALUE";
+ $item->save();
+
+ print "CHANGE\n";
+ $item->title = "NEW_VALUE";
+
+ //printf("%s ",print_r($item,1));flush();
+
+ print "COMPARE\n";
+ $this->assert_same("ORIGINAL_VALUE", $item->original("title"));
+ $this->assert_same("NEW_VALUE", $item->title);
+ }
}
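Review bot: The new test still has its debugging scaffolding: `print "START\n";`, `print "CHANGE\n";`, `print "COMPARE\n";` and the commented-out `printf`, which will clutter the test runner's output and should be removed. It also only reads `original("title")` before a second `save()`, while the controllers in this commit publish `item_updated` after `save()`. A second assertion made after `$item->save()` would pin down what event handlers actually receive from `original()`.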
diff --git a/modules/notification/helpers/notification.php b/modules/notification/helpers/notification.php
index 8ee0c6ba..e246af2c 100644
--- a/modules/notification/helpers/notification.php
+++ b/modules/notification/helpers/notification.php
@@ -82,17 +82,16 @@ class notification {
return $subscribers;
}
- static function send_item_updated($old, $new) {
+ static function send_item_updated($item) {
$v = new View("item_updated.html");
- $v->old = $old;
- $v->new = $new;
- $v->subject = $old->is_album() ?
- t("Album %title updated", array("title" => $old->title)) :
- ($old->is_photo() ?
- t("Photo %title updated", array("title" => $old->title))
- : t("Movie %title updated", array("title" => $old->title)));
-
- self::_notify_subscribers($old, $v->render(), $v->subject);
+ $v->item = $item;
+ $v->subject = $item->is_album() ?
+ t("Album %title updated", array("title" => $item->original("title"))) :
+ ($item->is_photo() ?
+ t("Photo %title updated", array("title" => $item->original("title")))
+ : t("Movie %title updated", array("title" => $item->original("title"))));
+
+ self::_notify_subscribers($item, $v->render(), $v->subject);
}
static function send_item_add($item) {
diff --git a/modules/notification/helpers/notification_event.php b/modules/notification/helpers/notification_event.php
index 1cf9ff58..536557c6 100644
--- a/modules/notification/helpers/notification_event.php
+++ b/modules/notification/helpers/notification_event.php
@@ -18,15 +18,15 @@
* Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA.
*/
class notification_event_Core {
- static function item_updated($old, $new) {
- notification::send_item_updated($old, $new);
+ static function item_updated($item) {
+ notification::send_item_updated($item);
}
static function item_created($item) {
notification::send_item_add($item);
}
- static function item_before_delete($item) {
+ static function item_deleted($item) {
notification::send_item_deleted($item);
if (notification::is_watching($item)) {
@@ -40,8 +40,8 @@ class notification_event_Core {
}
}
- static function comment_updated($old, $new) {
- if ($new->state == "published" && $old->state != "published") {
+ static function comment_updated($item) {
+ if ($item->state == "published" && $item->original("state") != "published") {
notification::send_comment_published($new);
}
}
diff --git a/modules/notification/helpers/notification_menu.php b/modules/notification/helpers/notification_menu.php
index 696aad62..87478b8a 100644
--- a/modules/notification/helpers/notification_menu.php
+++ b/modules/notification/helpers/notification_menu.php
@@ -21,7 +21,7 @@ class notification_menu_Core {
static function site($menu, $theme) {
if (!user::active()->guest) {
$item = $theme->item();
-
+
if ($item && $item->is_album()) {
$watching = notification::is_watching($item);
diff --git a/modules/notification/views/item_updated.html.php b/modules/notification/views/item_updated.html.php
index 0620c50c..39f9113b 100644
--- a/modules/notification/views/item_updated.html.php
+++ b/modules/notification/views/item_updated.html.php
@@ -7,27 +7,27 @@
= p::clean($subject) ?>
- if ($old->title != $new->title): ?>
+ if ($item->original("title") != $item->title): ?>
= t("New Title:") ?>
- = p::clean($new->title) ?>
+ = p::clean($item->title) ?>
else: ?>
= t("Title:") ?>
- = p::clean($new->title) ?>
+ = p::clean($item->title) ?>
endif ?>
= t("Url:") ?>
- = $new->url(array(), true) ?>
+ = $item->url(array(), true) ?>
- if ($old->description != $new->description): ?>
+ if ($item->original("description") != $item->description): ?>
= t("New Description:") ?>
- = p::clean($new->description) ?>
+ = p::clean($item->description) ?>
- elseif (!empty($new->description)): ?>
+ elseif (!empty($item->description)): ?>
= t("Description:") ?>
- = p::clean($new->description) ?>
+ = p::clean($item->description) ?>
endif ?>
diff --git a/modules/organize/controllers/organize.php b/modules/organize/controllers/organize.php
index 6792573d..54e04071 100644
--- a/modules/organize/controllers/organize.php
+++ b/modules/organize/controllers/organize.php
@@ -279,7 +279,7 @@ class Organize_Controller extends Controller {
$item->rename($form->dirname->value);
$item->save();
- module::event("item_updated", $orig, $item);
+ module::event("item_updated", $item);
if ($item->is_album()) {
log::success("content", "Updated album", "id\">view ");
@@ -322,7 +322,7 @@ class Organize_Controller extends Controller {
$item->sort_order = $form->direction->value;
$item->save();
- module::event("item_updated", $orig, $item);
+ module::event("item_updated", $item);
log::success("content", "Updated album", "id\">view ");
$message = t("Saved album %album_title", array("album_title" => p::purify($item->title)));
diff --git a/modules/search/helpers/search_event.php b/modules/search/helpers/search_event.php
index b9657395..764fdd18 100644
--- a/modules/search/helpers/search_event.php
+++ b/modules/search/helpers/search_event.php
@@ -22,11 +22,11 @@ class search_event_Core {
search::update($item);
}
- static function item_updated($old_item, $new_item) {
- search::update($new_item);
+ static function item_updated($item) {
+ search::update($item);
}
- static function item_before_delete($item) {
+ static function item_deleted($item) {
ORM::factory("search_record")
->where("item_id", $item->id)
->delete_all();
diff --git a/modules/tag/helpers/tag_event.php b/modules/tag/helpers/tag_event.php
index 7a170bf8..0164f556 100644
--- a/modules/tag/helpers/tag_event.php
+++ b/modules/tag/helpers/tag_event.php
@@ -59,7 +59,7 @@ class tag_event_Core {
return;
}
- static function item_before_delete($item) {
+ static function item_deleted($item) {
$db = Database::instance();
$db->query("UPDATE {tags} SET `count` = `count` - 1 WHERE `count` > 0 " .
"AND `id` IN (SELECT `tag_id` from {items_tags} WHERE `item_id` = $item->id)");
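Review bot: The UPDATE in the context lines is built by interpolating `$item->id` straight into the SQL string. The value most likely comes from the ORM primary key, but the handler now receives a clone passed through the event system, so the query should not depend on every caller handing over a clean integer. Cast it before use, `$id = (int) $item->id;`, and interpolate `$id`, or use the database layer's bound parameters if available. Because the handler now runs as `item_deleted` rather than `item_before_delete`, it is also worth confirming that the `items_tags` rows for the item still exist at that point; this hunk does not show whether they do. The function body continues outside the hunk.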
diff --git a/modules/user/models/group.php b/modules/user/models/group.php
index 45948887..e0724e30 100644
--- a/modules/user/models/group.php
+++ b/modules/user/models/group.php
@@ -27,7 +27,9 @@ class Group_Model extends ORM {
* @see ORM::delete()
*/
public function delete($id=null) {
+ $old = clone $this;
module::event("group_before_delete", $this);
parent::delete($id);
+ module::event("group_deleted", $old);
}
}
\ No newline at end of file
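Review bot: `delete($id=null)` snapshots `$this` with `clone`, but `parent::delete($id)` is handed the caller's `$id`. If a caller passes an id other than the loaded record's, `group_deleted` is published for a row that was not the one removed, and handlers such as `access::delete_group()` would clean up the wrong group. How the parent treats `$id` is not shown here, so this needs confirming. If the mismatch is possible, load the target first, or at least document the restriction with `// Events describe $this; do not pass an $id that differs from the loaded record`. The same pattern is added to `User_Model::delete()` in modules/user/models/user.php.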
diff --git a/modules/user/models/user.php b/modules/user/models/user.php
index b447892e..e3260270 100644
--- a/modules/user/models/user.php
+++ b/modules/user/models/user.php
@@ -44,8 +44,10 @@ class User_Model extends ORM {
* @see ORM::delete()
*/
public function delete($id=null) {
+ $old = clone $this;
module::event("user_before_delete", $this);
parent::delete($id);
+ module::event("user_deleted", $old);
}
/**
--
cgit v1.2.3
From 43324fd12a23b35707300ff110f207552c3811f1 Mon Sep 17 00:00:00 2001
From: Bharat Mediratta
Date: Thu, 16 Jul 2009 12:29:01 -0700
Subject: Update golden file to match recent changes in event code.
---
modules/gallery/tests/xss_data.txt | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
(limited to 'modules/gallery/tests')
diff --git a/modules/gallery/tests/xss_data.txt b/modules/gallery/tests/xss_data.txt
index d1167555..e6f3721b 100644
--- a/modules/gallery/tests/xss_data.txt
+++ b/modules/gallery/tests/xss_data.txt
@@ -326,12 +326,12 @@ modules/notification/views/item_deleted.html.php 18 DIRTY $item->pa
modules/notification/views/item_deleted.html.php 19 DIRTY $item->parent()->url(array(), true)
modules/notification/views/item_updated.html.php 4 $subject
modules/notification/views/item_updated.html.php 7 $subject
-modules/notification/views/item_updated.html.php 12 $new->title
-modules/notification/views/item_updated.html.php 15 $new->title
-modules/notification/views/item_updated.html.php 20 DIRTY $new->url(array(), true)
-modules/notification/views/item_updated.html.php 20 DIRTY $new->url(array(), true)
-modules/notification/views/item_updated.html.php 25 $new->description
-modules/notification/views/item_updated.html.php 30 $new->description
+modules/notification/views/item_updated.html.php 12 $item->title
+modules/notification/views/item_updated.html.php 15 $item->title
+modules/notification/views/item_updated.html.php 20 DIRTY $item->url(array(), true)
+modules/notification/views/item_updated.html.php 20 DIRTY $item->url(array(), true)
+modules/notification/views/item_updated.html.php 25 $item->description
+modules/notification/views/item_updated.html.php 30 $item->description
modules/organize/views/organize.html.php 10 DIRTY $item->id
modules/organize/views/organize.html.php 12 DIRTY $csrf
modules/organize/views/organize.html.php 13 DIRTY $csrf
--
cgit v1.2.3
From 8a6556b30bc34d69284df6246f4010a8835f3bc2 Mon Sep 17 00:00:00 2001
From: Bharat Mediratta
Date: Fri, 17 Jul 2009 08:14:08 -0700
Subject: Fix a bug where moved items don't properly inherit permissions from
their new target. After each move, recalculate the permissions for the new
parent's hierarchy.
Fixes ticket #552
---
modules/gallery/helpers/access.php | 15 ++++++++++++
modules/gallery/helpers/gallery_event.php | 4 ++++
modules/gallery/models/item.php | 6 +++--
modules/gallery/tests/Access_Helper_Test.php | 36 ++++++++++++++++++++++++++++
4 files changed, 59 insertions(+), 2 deletions(-)
(limited to 'modules/gallery/tests')
diff --git a/modules/gallery/helpers/access.php b/modules/gallery/helpers/access.php
index c48f0b79..5dd1e465 100644
--- a/modules/gallery/helpers/access.php
+++ b/modules/gallery/helpers/access.php
@@ -243,6 +243,21 @@ class access_Core {
self::_set($group, $perm_name, $item, null);
}
+ /**
+ * Recalculate the permissions for a given item and its hierarchy. $item must be an album.
+ */
+ static function recalculate_permissions($item) {
+ foreach (self::_get_all_groups() as $group) {
+ foreach (ORM::factory("permission")->find_all() as $perm) {
+ if ($perm->name == "view") {
+ self::_update_access_view_cache($group, $item);
+ } else {
+ self::_update_access_non_view_cache($group, $perm->name, $item);
+ }
+ }
+ }
+ }
+
/**
* Register a permission so that modules can use it.
*
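Review bot: The docblock of `recalculate_permissions()` says `$item` must be an album, but nothing enforces it. Since this code rebuilds the access caches, a wrong argument should fail loudly rather than leave the caches partly rebuilt; whether the two `_update_access_*` helpers cope with a non-album is not visible here. The permission list is also queried again for every group. Hoisting it with `$perms = ORM::factory("permission")->find_all();` before the outer loop and iterating `$perms` inside avoids the repeated query. A `@param Item_Model $item` line would bring the docblock in line with the ones around it.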
diff --git a/modules/gallery/helpers/gallery_event.php b/modules/gallery/helpers/gallery_event.php
index 2f3a64d3..1cd96372 100644
--- a/modules/gallery/helpers/gallery_event.php
+++ b/modules/gallery/helpers/gallery_event.php
@@ -35,6 +35,10 @@ class gallery_event_Core {
access::delete_item($item);
}
+ static function item_moved($item, $old_parent) {
+ access::recalculate_permissions($item->parent());
+ }
+
static function user_login($user) {
// If this user is an admin, check to see if there are any post-install tasks that we need
// to run and take care of those now.
diff --git a/modules/gallery/models/item.php b/modules/gallery/models/item.php
index 94e2fcf7..6512e9e5 100644
--- a/modules/gallery/models/item.php
+++ b/modules/gallery/models/item.php
@@ -122,8 +122,8 @@ class Item_Model extends ORM_MPTT {
/**
* Move this item to the specified target.
* @chainable
- * @param Item_Model $target Target item (must be an album
- * @return ORM_MTPP
+ * @param Item_Model $target Target item (must be an album)
+ * @return ORM_MPTT
*/
function move_to($target) {
if (!$target->is_album()) {
@@ -137,6 +137,7 @@ class Item_Model extends ORM_MPTT {
$original_path = $this->file_path();
$original_resize_path = $this->resize_path();
$original_thumb_path = $this->thumb_path();
+ $original_parent = $this->parent();
parent::move_to($target, true);
$this->relative_path_cache = null;
@@ -154,6 +155,7 @@ class Item_Model extends ORM_MPTT {
@rename($original_thumb_path, $this->thumb_path());
}
+ module::event("item_moved", $this, $original_parent);
return $this;
}
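Review bot: The moved item's access cache is only corrected by listeners of `item_moved`, which fire after `parent::move_to($target, true)` and after the `@rename` calls, so during that interval an item moved from a public album into a restricted one presumably still carries its old view cache. If a listener throws, the stale permission stays in place with the item already in its new location. For an access-control invariant I would not rely on the event alone: call `access::recalculate_permissions($this->parent());` directly after `parent::move_to($target, true);` and keep the event for other modules. The body of `move_to()` starts before this hunk, and the preceding hunk adds `$original_parent`.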
diff --git a/modules/gallery/tests/Access_Helper_Test.php b/modules/gallery/tests/Access_Helper_Test.php
index d71bf971..1352b493 100644
--- a/modules/gallery/tests/Access_Helper_Test.php
+++ b/modules/gallery/tests/Access_Helper_Test.php
@@ -324,4 +324,40 @@ class Access_Helper_Test extends Unit_Test_Case {
$this->assert_false(file_exists($album->resize_path() . "/.htaccess"));
$this->assert_false(file_exists($album->thumb_path() . "/.htaccess"));
}
+
+ public function moved_items_inherit_new_permissions_test() {
+ user::set_active(user::lookup_by_name("admin"));
+
+ $root = ORM::factory("item", 1);
+ $public_album = album::create($root, rand(), "public album");
+ $public_photo = photo::create($public_album, MODPATH . "gallery/images/gallery.png", "", "");
+ access::allow(group::everybody(), "view", $public_album);
+
+ $root->reload(); // Account for MPTT changes
+
+ $private_album = album::create($root, rand(), "private album");
+ access::deny(group::everybody(), "view", $private_album);
+ $private_photo = photo::create($private_album, MODPATH . "gallery/images/gallery.png", "", "");
+
+ // Make sure that we now have a public photo and private photo.
+ $this->assert_true(access::group_can(group::everybody(), "view", $public_photo));
+ $this->assert_false(access::group_can(group::everybody(), "view", $private_photo));
+
+ // Swap the photos
+ item::move($public_photo, $private_album);
+ $private_album->reload(); // Reload to get new MPTT pointers and cached perms.
+ $public_album->reload();
+ $private_photo->reload();
+ $public_photo->reload();
+
+ item::move($private_photo, $public_album);
+ $private_album->reload(); // Reload to get new MPTT pointers and cached perms.
+ $public_album->reload();
+ $private_photo->reload();
+ $public_photo->reload();
+
+ // Make sure that the public_photo is now private, and the private_photo is now public.
+ $this->assert_false(access::group_can(group::everybody(), "view", $public_photo));
+ $this->assert_true(access::group_can(group::everybody(), "view", $private_photo));
+ }
}
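Review bot: The new test only exercises the `view` permission for `group::everybody()` on two leaf photos, so the `_update_access_non_view_cache()` branch of `recalculate_permissions()` and the case of moving an album with its own children are not covered. For an access-control fix I would add a case that moves a sub-album containing a photo into `$private_album` and asserts that the photo is no longer viewable, plus one assertion on a non-view permission such as `edit`. The album names come from `rand()`, which can collide between runs; whether that matters depends on how the test database is reset, which is not visible here.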
--
cgit v1.2.3
From 59e410bb792cf1d8703c17f9034b681d4114f8fc Mon Sep 17 00:00:00 2001
From: Bharat Mediratta
Date: Tue, 21 Jul 2009 07:25:34 -0700
Subject: Updated for movieplayer.html.php update
---
modules/gallery/tests/xss_data.txt | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'modules/gallery/tests')
diff --git a/modules/gallery/tests/xss_data.txt b/modules/gallery/tests/xss_data.txt
index e6f3721b..ce2fa2a5 100644
--- a/modules/gallery/tests/xss_data.txt
+++ b/modules/gallery/tests/xss_data.txt
@@ -237,7 +237,7 @@ modules/gallery/views/move_tree.html.php 15 DIRTY $child->i
modules/gallery/views/move_tree.html.php 15 $child->title
modules/gallery/views/movieplayer.html.php 2 DIRTY $item->file_url(true)
modules/gallery/views/movieplayer.html.php 2 DIRTY $attrs
-modules/gallery/views/movieplayer.html.php 4 DIRTY $attrs
+modules/gallery/views/movieplayer.html.php 5 DIRTY $attrs
modules/gallery/views/permissions_browse.html.php 15 DIRTY $csrf
modules/gallery/views/permissions_browse.html.php 37 DIRTY $parent->id
modules/gallery/views/permissions_browse.html.php 38 $parent->title
--
cgit v1.2.3
From d4104a23ec504e451e7a96f9798ea4ed695e9d97 Mon Sep 17 00:00:00 2001
From: Tim Almdal
Date: Wed, 22 Jul 2009 15:16:56 -0700
Subject: Add explicit unit tests for access::user_can
---
modules/gallery/helpers/access.php | 1 +
modules/gallery/tests/Access_Helper_Test.php | 37 ++++++++++++++++++++++++++++
2 files changed, 38 insertions(+)
(limited to 'modules/gallery/tests')
diff --git a/modules/gallery/helpers/access.php b/modules/gallery/helpers/access.php
index 65316a8a..956b4e5c 100644
--- a/modules/gallery/helpers/access.php
+++ b/modules/gallery/helpers/access.php
@@ -209,6 +209,7 @@ class access_Core {
$access = model_cache::get("access_intent", $album->id, "item_id");
$access->__set("{$perm_name}_{$group->id}", $value);
$access->save();
+ $album->reload();
if ($perm_name == "view") {
self::_update_access_view_cache($group, $album);
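Review bot: The added `$album->reload();` has no comment saying why it is needed, and it has a side effect on the caller's object: any unsaved changes held on `$album` are presumably discarded when it is re-read from the database. If the purpose is to pick up fresh MPTT pointers before the cache update, say so, e.g. `// Reload so the cache update below sees current tree pointers; callers must save() pending changes first.` The enclosing function starts and ends outside this hunk, so I cannot confirm which callers pass a modified album.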
diff --git a/modules/gallery/tests/Access_Helper_Test.php b/modules/gallery/tests/Access_Helper_Test.php
index 1352b493..59cec453 100644
--- a/modules/gallery/tests/Access_Helper_Test.php
+++ b/modules/gallery/tests/Access_Helper_Test.php
@@ -64,6 +64,43 @@ class Access_Helper_Test extends Unit_Test_Case {
$this->assert_false(array_key_exists("access_test_{$group->id}", $fields));
}
+ public function user_can_access_test() {
+ $access_test = group::create("access_test");
+
+ $root = ORM::factory("item", 1);
+ access::allow($access_test, "view", $root);
+
+ $item = album::create($root, rand(), "test album");
+
+ access::deny(group::everybody(), "view", $item);
+ access::deny(group::registered_users(), "view", $item);
+
+ $user = user::create("access_test", "Access Test", "");
+ foreach ($user->groups as $group) {
+ $user->remove($group);
+ }
+ $user->add($access_test);
+ $user->save();
+
+ $this->assert_true(access::user_can($user, "view", $item), "Should be able to view");
+ }
+
+ public function user_can_no_access_test() {
+ $root = ORM::factory("item", 1);
+ $item = album::create($root, rand(), "test album");
+
+ access::deny(group::everybody(), "view", $item);
+ access::deny(group::registered_users(), "view", $item);
+
+ $user = user::create("access_test", "Access Test", "");
+ foreach ($user->groups as $group) {
+ $user->remove($group);
+ }
+ $user->save();
+
+ $this->assert_false(access::user_can($user, "view", $item), "Should be unable to view");
+ }
+
public function adding_and_removing_items_adds_ands_removes_rows_test() {
$root = ORM::factory("item", 1);
$item = album::create($root, rand(), "test album");
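Review bot: Both added tests create a user named `access_test` (the first also a group of that name) and neither removes them, so if the test database is not reset between test methods the second `user::create("access_test", ...)` may fail or pick up state from the first; the fixture teardown is not visible from this hunk. A unique name such as `user::create("access_test_" . rand(), "Access Test", "")` keeps the two cases independent. It would also be worth adding the mixed case where the user belongs to one group that is allowed and one that is denied, since that is where `access::user_can()` is most likely to regress.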
--
cgit v1.2.3
From 0e9b80d2efb942167fef269441e65722abac5f54 Mon Sep 17 00:00:00 2001
From: Bharat Mediratta
Date: Thu, 23 Jul 2009 16:20:40 -0700
Subject: Updated golden file
---
modules/gallery/tests/xss_data.txt | 86 +++++++++++++++++++-------------------
1 file changed, 42 insertions(+), 44 deletions(-)
(limited to 'modules/gallery/tests')
diff --git a/modules/gallery/tests/xss_data.txt b/modules/gallery/tests/xss_data.txt
index ce2fa2a5..5a05d4ef 100644
--- a/modules/gallery/tests/xss_data.txt
+++ b/modules/gallery/tests/xss_data.txt
@@ -2,7 +2,7 @@ modules/akismet/views/admin_akismet.html.php 14 DIRTY $form
modules/akismet/views/admin_akismet_stats.html.php 9 DIRTY $api_key
modules/akismet/views/admin_akismet_stats.html.php 9 DIRTY $blog_url
modules/comment/views/admin_block_recent_comments.html.php 4 DIRTY $i
-modules/comment/views/admin_block_recent_comments.html.php 5 DIRTY $comment->author()->avatar_url(32, $theme->theme_url("images/avatar.jpg", true))
+modules/comment/views/admin_block_recent_comments.html.php 5 DIRTY $comment->author()->avatar_url(32, $theme->url("images/avatar.jpg", true))
modules/comment/views/admin_block_recent_comments.html.php 7 $comment->author_name()
modules/comment/views/admin_block_recent_comments.html.php 10 DIRTY $comment->created
modules/comment/views/admin_block_recent_comments.html.php 12 $comment->author_name()
@@ -15,7 +15,7 @@ modules/comment/views/admin_comments.html.php 72 DIRTY $counts->
modules/comment/views/admin_comments.html.php 75 DIRTY $csrf
modules/comment/views/admin_comments.html.php 106 DIRTY $comment->id
modules/comment/views/admin_comments.html.php 106 DIRTY $i
-modules/comment/views/admin_comments.html.php 109 DIRTY $comment->author()->avatar_url(40, $theme->theme_url("images/avatar.jpg", true))
+modules/comment/views/admin_comments.html.php 109 DIRTY $comment->author()->avatar_url(40, $theme->url("images/avatar.jpg", true))
modules/comment/views/admin_comments.html.php 111 $comment->author_name()
modules/comment/views/admin_comments.html.php 115 $comment->author_email()
modules/comment/views/admin_comments.html.php 116 $comment->author_email()
@@ -35,7 +35,7 @@ modules/comment/views/admin_comments.html.php 175 DIRTY $comment-
modules/comment/views/admin_comments.html.php 183 DIRTY $comment->id
modules/comment/views/admin_comments.html.php 196 DIRTY $pager
modules/comment/views/comment.html.php 2 DIRTY $comment->id
-modules/comment/views/comment.html.php 5 DIRTY $comment->author()->avatar_url(40, $theme->theme_url("images/avatar.jpg", true))
+modules/comment/views/comment.html.php 5 DIRTY $comment->author()->avatar_url(40, $theme->url("images/avatar.jpg", true))
modules/comment/views/comment.html.php 7 $comment->author_name()
modules/comment/views/comment.html.php 12 DIRTY $comment->created
modules/comment/views/comment.html.php 13 $comment->author_name()
@@ -58,7 +58,7 @@ modules/comment/views/comment.mrss.php 34 DIRTY $child->t
modules/comment/views/comment.mrss.php 35 DIRTY $child->thumb_height
modules/comment/views/comment.mrss.php 35 DIRTY $child->thumb_width
modules/comment/views/comments.html.php 10 DIRTY $comment->id
-modules/comment/views/comments.html.php 13 DIRTY $comment->author()->avatar_url(40, $theme->theme_url("images/avatar.jpg", true))
+modules/comment/views/comments.html.php 13 DIRTY $comment->author()->avatar_url(40, $theme->url("images/avatar.jpg", true))
modules/comment/views/comments.html.php 15 $comment->author_name()
modules/comment/views/comments.html.php 20 DIRTY $comment->created
modules/comment/views/comments.html.php 21 $comment->author_name()
@@ -108,7 +108,7 @@ modules/gallery/views/admin_block_photo_stream.html.php 6 DIRTY $photo->w
modules/gallery/views/admin_block_photo_stream.html.php 6 DIRTY $photo->height
modules/gallery/views/admin_block_photo_stream.html.php 7 DIRTY $photo->thumb_url()
modules/gallery/views/admin_block_photo_stream.html.php 7 $photo->title
-modules/gallery/views/admin_block_platform.html.php 16 DIRTY $load_average
+modules/gallery/views/admin_block_platform.html.php 19 DIRTY $load_average
modules/gallery/views/admin_block_stats.html.php 7 DIRTY $album_count
modules/gallery/views/admin_block_stats.html.php 10 DIRTY $photo_count
modules/gallery/views/admin_dashboard.html.php 5 DIRTY $csrf
@@ -303,8 +303,8 @@ modules/info/views/info_block.html.php 10 $item->de
modules/info/views/info_block.html.php 16 $item->name
modules/info/views/info_block.html.php 22 DIRTY $item->captured
modules/info/views/info_block.html.php 29 DIRTY $item->owner->url
-modules/info/views/info_block.html.php 29 $item->owner->full_name
-modules/info/views/info_block.html.php 31 $item->owner->name
+modules/info/views/info_block.html.php 29 $item->owner->display_name()
+modules/info/views/info_block.html.php 31 $item->owner->display_name()
modules/notification/views/comment_published.html.php 4 $subject
modules/notification/views/comment_published.html.php 7 $subject
modules/notification/views/comment_published.html.php 11 $comment->text
@@ -454,7 +454,7 @@ modules/user/views/admin_users.html.php 36 DIRTY $csrf
modules/user/views/admin_users.html.php 67 DIRTY $user->id
modules/user/views/admin_users.html.php 67 DIRTY $user->admin
modules/user/views/admin_users.html.php 68 DIRTY $user->id
-modules/user/views/admin_users.html.php 69 DIRTY $user->avatar_url(20, $theme->theme_url("images/avatar.jpg", true))
+modules/user/views/admin_users.html.php 69 DIRTY $user->avatar_url(20, $theme->url("images/avatar.jpg", true))
modules/user/views/admin_users.html.php 71 $user->name
modules/user/views/admin_users.html.php 74 $user->name
modules/user/views/admin_users.html.php 77 $user->full_name
@@ -475,9 +475,7 @@ modules/user/views/admin_users_group.html.php 22 DIRTY $group->i
modules/user/views/admin_users_group.html.php 25 $user->name
modules/user/views/admin_users_group.html.php 25 $group->name
modules/user/views/login.html.php 12 DIRTY $user->id
-modules/user/views/login.html.php 15 $user->full_name
-modules/user/views/login.html.php 15 $user->name
-modules/user/views/login.html.php 15 $user->full_name
+modules/user/views/login.html.php 15 $user->display_name()
modules/user/views/login.html.php 18 DIRTY $csrf
modules/user/views/login_ajax.html.php 37 DIRTY $form
modules/user/views/reset_password.html.php 9 $user->full_name
@@ -488,20 +486,20 @@ modules/watermark/views/admin_watermarks.html.php 19 DIRTY $width
modules/watermark/views/admin_watermarks.html.php 19 DIRTY $height
modules/watermark/views/admin_watermarks.html.php 19 DIRTY $url
modules/watermark/views/admin_watermarks.html.php 21 DIRTY $position
-themes/admin_default/views/admin.html.php 10 DIRTY $theme->css("lib/yui/reset-fonts-grids.css")
-themes/admin_default/views/admin.html.php 11 DIRTY $theme->css("lib/themeroller/ui.base.css")
-themes/admin_default/views/admin.html.php 12 DIRTY $theme->css("lib/superfish/css/superfish.css")
-themes/admin_default/views/admin.html.php 13 DIRTY $theme->css("themes/default/css/screen.css")
-themes/admin_default/views/admin.html.php 14 DIRTY $theme->theme_css("css/screen.css")
-themes/admin_default/views/admin.html.php 16 DIRTY $theme->theme_url("css/fix-ie.css")
-themes/admin_default/views/admin.html.php 20 DIRTY $theme->script("lib/jquery.js")
-themes/admin_default/views/admin.html.php 21 DIRTY $theme->script("lib/jquery.form.js")
-themes/admin_default/views/admin.html.php 22 DIRTY $theme->script("lib/jquery-ui.js")
-themes/admin_default/views/admin.html.php 23 DIRTY $theme->script("lib/gallery.common.js")
-themes/admin_default/views/admin.html.php 28 DIRTY $theme->script("lib/gallery.dialog.js")
-themes/admin_default/views/admin.html.php 29 DIRTY $theme->script("lib/superfish/js/superfish.js")
-themes/admin_default/views/admin.html.php 30 DIRTY $theme->theme_script("js/jquery.dropshadow.js")
-themes/admin_default/views/admin.html.php 31 DIRTY $theme->theme_script("js/ui.init.js")
+themes/admin_default/views/admin.html.php 10 DIRTY $theme->css("yui/reset-fonts-grids.css")
+themes/admin_default/views/admin.html.php 11 DIRTY $theme->css("themeroller/ui.base.css")
+themes/admin_default/views/admin.html.php 12 DIRTY $theme->css("superfish/css/superfish.css")
+themes/admin_default/views/admin.html.php 13 DIRTY $theme->css("screen.css")
+themes/admin_default/views/admin.html.php 14 DIRTY $theme->css("admin_screen.css")
+themes/admin_default/views/admin.html.php 16 DIRTY $theme->url("fix-ie.css")
+themes/admin_default/views/admin.html.php 20 DIRTY $theme->script("jquery.js")
+themes/admin_default/views/admin.html.php 21 DIRTY $theme->script("jquery.form.js")
+themes/admin_default/views/admin.html.php 22 DIRTY $theme->script("jquery-ui.js")
+themes/admin_default/views/admin.html.php 23 DIRTY $theme->script("gallery.common.js")
+themes/admin_default/views/admin.html.php 28 DIRTY $theme->script("gallery.dialog.js")
+themes/admin_default/views/admin.html.php 29 DIRTY $theme->script("superfish/js/superfish.js")
+themes/admin_default/views/admin.html.php 30 DIRTY $theme->script("jquery.dropshadow.js")
+themes/admin_default/views/admin.html.php 31 DIRTY $theme->script("ui.init.js")
themes/admin_default/views/admin.html.php 33 DIRTY $theme->admin_head()
themes/admin_default/views/admin.html.php 36 DIRTY $theme->body_attributes()
themes/admin_default/views/admin.html.php 37 DIRTY $theme->admin_page_top()
@@ -569,7 +567,7 @@ themes/default/views/footer.html.php 4 DIRTY $footer_t
themes/default/views/footer.html.php 9 DIRTY $theme->credits()
themes/default/views/header.html.php 2 DIRTY $theme->header_top()
themes/default/views/header.html.php 4 DIRTY $header_text
-themes/default/views/header.html.php 7 DIRTY $theme->theme_url("images/logo.png")
+themes/default/views/header.html.php 7 DIRTY $theme->url("images/logo.png")
themes/default/views/header.html.php 12 DIRTY $theme->site_menu()
themes/default/views/header.html.php 15 DIRTY $theme->header_bottom()
themes/default/views/header.html.php 21 DIRTY $parent->id
@@ -590,27 +588,27 @@ themes/default/views/page.html.php 13 $theme->i
themes/default/views/page.html.php 15 $theme->item()->title
themes/default/views/page.html.php 17 $theme->item()->title
themes/default/views/page.html.php 20 $theme->tag()->name
-themes/default/views/page.html.php 26 DIRTY $theme->theme_url("images/favicon.ico")
-themes/default/views/page.html.php 27 DIRTY $theme->css("lib/yui/reset-fonts-grids.css")
-themes/default/views/page.html.php 28 DIRTY $theme->css("lib/superfish/css/superfish.css")
-themes/default/views/page.html.php 29 DIRTY $theme->css("lib/themeroller/ui.base.css")
-themes/default/views/page.html.php 30 DIRTY $theme->theme_css("css/screen.css")
-themes/default/views/page.html.php 32 DIRTY $theme->theme_url("css/fix-ie.css")
+themes/default/views/page.html.php 26 DIRTY $theme->url("images/favicon.ico")
+themes/default/views/page.html.php 27 DIRTY $theme->css("yui/reset-fonts-grids.css")
+themes/default/views/page.html.php 28 DIRTY $theme->css("superfish/css/superfish.css")
+themes/default/views/page.html.php 29 DIRTY $theme->css("themeroller/ui.base.css")
+themes/default/views/page.html.php 30 DIRTY $theme->css("screen.css")
+themes/default/views/page.html.php 32 DIRTY $theme->url("css/fix-ie.css")
themes/default/views/page.html.php 41 DIRTY $new_width
themes/default/views/page.html.php 42 DIRTY $new_height
themes/default/views/page.html.php 43 DIRTY $thumb_proportion
-themes/default/views/page.html.php 48 DIRTY $theme->script("lib/jquery.js")
-themes/default/views/page.html.php 49 DIRTY $theme->script("lib/jquery.form.js")
-themes/default/views/page.html.php 50 DIRTY $theme->script("lib/jquery-ui.js")
-themes/default/views/page.html.php 51 DIRTY $theme->script("lib/gallery.common.js")
-themes/default/views/page.html.php 56 DIRTY $theme->script("lib/gallery.dialog.js")
-themes/default/views/page.html.php 57 DIRTY $theme->script("lib/gallery.form.js")
-themes/default/views/page.html.php 58 DIRTY $theme->script("lib/superfish/js/superfish.js")
-themes/default/views/page.html.php 59 DIRTY $theme->script("lib/jquery.localscroll.js")
-themes/default/views/page.html.php 60 DIRTY $theme->theme_script("js/ui.init.js")
-themes/default/views/page.html.php 64 DIRTY $theme->script("lib/jquery.scrollTo.js")
-themes/default/views/page.html.php 65 DIRTY $theme->script("lib/gallery.show_full_size.js")
-themes/default/views/page.html.php 67 DIRTY $theme->script("lib/flowplayer.js")
+themes/default/views/page.html.php 48 DIRTY $theme->script("jquery.js")
+themes/default/views/page.html.php 49 DIRTY $theme->script("jquery.form.js")
+themes/default/views/page.html.php 50 DIRTY $theme->script("jquery-ui.js")
+themes/default/views/page.html.php 51 DIRTY $theme->script("gallery.common.js")
+themes/default/views/page.html.php 56 DIRTY $theme->script("gallery.dialog.js")
+themes/default/views/page.html.php 57 DIRTY $theme->script("gallery.form.js")
+themes/default/views/page.html.php 58 DIRTY $theme->script("superfish/js/superfish.js")
+themes/default/views/page.html.php 59 DIRTY $theme->script("jquery.localscroll.js")
+themes/default/views/page.html.php 60 DIRTY $theme->script("ui.init.js")
+themes/default/views/page.html.php 64 DIRTY $theme->script("jquery.scrollTo.js")
+themes/default/views/page.html.php 65 DIRTY $theme->script("gallery.show_full_size.js")
+themes/default/views/page.html.php 67 DIRTY $theme->script("flowplayer.js")
themes/default/views/page.html.php 70 DIRTY $theme->head()
themes/default/views/page.html.php 73 DIRTY $theme->body_attributes()
themes/default/views/page.html.php 74 DIRTY $theme->page_top()
--
cgit v1.2.3
From fa1d32e6466d8c6ffe77d163e2da9c71688a3c61 Mon Sep 17 00:00:00 2001
From: Tim Almdal
Date: Fri, 24 Jul 2009 11:24:43 -0700
Subject: Partial implementation of ticket #80. Provide auto complete and
suggestions on the tag add form in the tag sidebar block. Updated the xss
golden file as well. Still to do figure out how to get it into the edit popup
dialog
---
modules/gallery/tests/xss_data.txt | 4 ++--
modules/tag/controllers/tags.php | 17 +++++++++++++++++
modules/tag/helpers/tag.php | 2 +-
modules/tag/helpers/tag_theme.php | 2 ++
modules/tag/js/tag.js | 15 +++++++++++++++
modules/tag/views/tag_block.html.php | 10 ++++++++++
6 files changed, 47 insertions(+), 3 deletions(-)
(limited to 'modules/gallery/tests')
diff --git a/modules/gallery/tests/xss_data.txt b/modules/gallery/tests/xss_data.txt
index 5a05d4ef..981bf31e 100644
--- a/modules/gallery/tests/xss_data.txt
+++ b/modules/gallery/tests/xss_data.txt
@@ -442,8 +442,8 @@ modules/tag/views/admin_tags.html.php 50 DIRTY $tag->id
modules/tag/views/admin_tags.html.php 50 $tag->name
modules/tag/views/admin_tags.html.php 51 DIRTY $tag->count
modules/tag/views/admin_tags.html.php 52 DIRTY $tag->id
-modules/tag/views/tag_block.html.php 3 DIRTY $cloud
-modules/tag/views/tag_block.html.php 5 DIRTY $form
+modules/tag/views/tag_block.html.php 13 DIRTY $cloud
+modules/tag/views/tag_block.html.php 15 DIRTY $form
modules/tag/views/tag_cloud.html.php 4 DIRTY $tag->count
modules/tag/views/tag_cloud.html.php 4 DIRTY $max_count
modules/tag/views/tag_cloud.html.php 5 DIRTY $tag->count
diff --git a/modules/tag/controllers/tags.php b/modules/tag/controllers/tags.php
index 5dd07935..a600ea1a 100644
--- a/modules/tag/controllers/tags.php
+++ b/modules/tag/controllers/tags.php
@@ -78,4 +78,21 @@ class Tags_Controller extends REST_Controller {
return tag::get_add_form($item);
}
+
+ public function autocomplete() {
+ $tags = array();
+ $tag_parts = preg_split("#[,\s;]+# ", $this->input->get("q"));
+ $limit = $this->input->get("limit");
+ $tag_part = end($tag_parts);
+ $tag_list = ORM::factory("tag")
+ ->like("name", "{$tag_part}%", false)
+ ->orderby("name", "ASC")
+ ->limit($limit)
+ ->find_all();
+ foreach ($tag_list as $tag) {
+ $tags[] = $tag->name;
+ }
+
+ print implode("\n", $tags);
+ }
}
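Review bot: `autocomplete()` prints tag names with `print implode("\n", $tags)` without setting a content type, so a tag name containing markup would presumably be rendered as HTML if the endpoint is opened directly. The `limit` value is taken from the query string with no upper bound, and `$tag_part` goes into the `LIKE` pattern with `%` and `_` unescaped, so a single request can ask for the whole tag table. I would send `header("Content-Type: text/plain; charset=UTF-8");` before printing and clamp the limit with `$limit = min(max((int) $this->input->get("limit"), 1), 100);` (100 is an example cap). The method also performs no access check, so tag names attached only to items the caller cannot view are returned; please confirm that is intended.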
diff --git a/modules/tag/helpers/tag.php b/modules/tag/helpers/tag.php
index 5efa6a19..be5461a4 100644
--- a/modules/tag/helpers/tag.php
+++ b/modules/tag/helpers/tag.php
@@ -104,7 +104,7 @@ class tag_Core {
($item->is_photo() ? t("Add tag to photo") : t("Add tag to movie"));
$group = $form->group("add_tag")->label("Add Tag");
- $group->input("name")->label($label)->rules("required|length[1,64]");
+ $group->input("name")->label($label)->rules("required");
$group->hidden("item_id")->value($item->id);
$group->submit("")->value(t("Add Tag"));
return $form;
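Review bot: Dropping `length[1,64]` from the `name` rule leaves the add-tag input with no length bound at the form layer, presumably because the field now accepts several separated tags. Nothing in this hunk shows the per-tag length being checked after the split, so an over-long tag reaches the model unchecked unless the tag model or the column enforces it. Either keep a bound on the whole field, e.g. `rules("required|length[1,1024]")` (example value), or validate each split tag against the previous 64-character limit before saving. The enclosing function starts outside this hunk.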
diff --git a/modules/tag/helpers/tag_theme.php b/modules/tag/helpers/tag_theme.php
index d46a91e9..1bce9bd8 100644
--- a/modules/tag/helpers/tag_theme.php
+++ b/modules/tag/helpers/tag_theme.php
@@ -19,6 +19,8 @@
*/
class tag_theme_Core {
static function head($theme) {
+ $theme->css("jquery.autocomplete.css");
+ $theme->script("jquery.autocomplete.js");
$theme->script("tag.js");
}
diff --git a/modules/tag/js/tag.js b/modules/tag/js/tag.js
index a5aaa3f8..282da1ea 100644
--- a/modules/tag/js/tag.js
+++ b/modules/tag/js/tag.js
@@ -66,3 +66,18 @@ function editInPlace(element) {
};
ajaxify_editInPlaceForm();
}
+
+function formatTagAutoCompleteResult(row) {
+ var text = $("#gAddTagForm input:text").val();
+ if (/[\s,;]/.test(text)) {
+ for (var i= text.length - 1; i >= 0; i--) {
+ var chr = text.charAt(i);
+ if (chr == " " || chr == "," || chr == ";") {
+ break;
+ }
+ }
+ return text.substr(0, i + 1) + row[0];
+ } else {
+ return row[0];
+ }
+}
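Review bot: The guard tests `/[\s,;]/`, which matches tabs and other whitespace, but the loop only stops on `" "`, `","` or `";"`, so for input separated by a tab the loop runs down to `i == -1` and the earlier tags are dropped from the result. A single expression keeps the two separator sets in step and removes the need for the `if`: `return text.replace(/[^\s,;]*$/, "") + row[0];`. The function also has no comment; something like `// Keep the tags already typed and replace only the fragment after the last separator with the chosen suggestion.` would help.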
diff --git a/modules/tag/views/tag_block.html.php b/modules/tag/views/tag_block.html.php
index 12c90857..233eb361 100644
--- a/modules/tag/views/tag_block.html.php
+++ b/modules/tag/views/tag_block.html.php
@@ -1,4 +1,14 @@
+
">
= $cloud ?>
--
cgit v1.2.3
From 078c77a62b623322956457bfd7bfbdaf56203b00 Mon Sep 17 00:00:00 2001
From: Tim Almdal
Date: Fri, 24 Jul 2009 14:18:15 -0700
Subject: Add tag autocomplete to the album and photo edit pop up dialogs. This
required putting a wrapper view around the forms and passing this view as the
parameter to the item_edit_form event. The view contains a $script variable
that the modules can add script to be included in the form html when rendered
as part of the ajax response.
---
modules/gallery/controllers/albums.php | 5 +++--
modules/gallery/controllers/movies.php | 5 +++--
modules/gallery/controllers/photos.php | 5 +++--
modules/gallery/helpers/album.php | 14 ++++++++------
modules/gallery/helpers/photo.php | 14 ++++++++------
modules/gallery/tests/xss_data.txt | 2 ++
modules/gallery/views/item_edit.html.php | 9 +++++++++
modules/tag/helpers/tag_event.php | 10 ++++++++--
modules/tag/js/tag.js | 2 +-
9 files changed, 45 insertions(+), 21 deletions(-)
create mode 100644 modules/gallery/views/item_edit.html.php
(limited to 'modules/gallery/tests')
diff --git a/modules/gallery/controllers/albums.php b/modules/gallery/controllers/albums.php
index 56b74cb1..4fefd3a1 100644
--- a/modules/gallery/controllers/albums.php
+++ b/modules/gallery/controllers/albums.php
@@ -166,7 +166,8 @@ class Albums_Controller extends Items_Controller {
access::required("view", $album);
access::required("edit", $album);
- $form = album::get_edit_form($album);
+ $view = album::get_edit_form($album);
+ $form = $view->form;
if ($valid = $form->validate()) {
// Make sure that there's not a conflict
if ($album->id != 1 &&
@@ -202,7 +203,7 @@ class Albums_Controller extends Items_Controller {
} else {
print json_encode(
array("result" => "error",
- "form" => $form->__toString()));
+ "form" => $view->__toString()));
}
}
diff --git a/modules/gallery/controllers/movies.php b/modules/gallery/controllers/movies.php
index c8227d74..1391c4b4 100644
--- a/modules/gallery/controllers/movies.php
+++ b/modules/gallery/controllers/movies.php
@@ -70,7 +70,8 @@ class Movies_Controller extends Items_Controller {
access::required("view", $photo);
access::required("edit", $photo);
- $form = photo::get_edit_form($photo);
+ $view = photo::get_edit_form($photo);
+ $form = $view->form;
if ($valid = $form->validate()) {
// Make sure that there's not a conflict
if (Database::instance()
@@ -101,7 +102,7 @@ class Movies_Controller extends Items_Controller {
} else {
print json_encode(
array("result" => "error",
- "form" => $form->__toString()));
+ "form" => $view->__toString()));
}
}
diff --git a/modules/gallery/controllers/photos.php b/modules/gallery/controllers/photos.php
index 8ee24da8..9d9b25a1 100644
--- a/modules/gallery/controllers/photos.php
+++ b/modules/gallery/controllers/photos.php
@@ -61,7 +61,8 @@ class Photos_Controller extends Items_Controller {
access::required("view", $photo);
access::required("edit", $photo);
- $form = photo::get_edit_form($photo);
+ $view = photo::get_edit_form($photo);
+ $form = $view->form;
if ($valid = $form->validate()) {
if ($form->edit_item->filename->value != $photo->name) {
// Make sure that there's not a conflict
@@ -94,7 +95,7 @@ class Photos_Controller extends Items_Controller {
} else {
print json_encode(
array("result" => "error",
- "form" => $form->__toString()));
+ "form" => $view->__toString()));
}
}
diff --git a/modules/gallery/helpers/album.php b/modules/gallery/helpers/album.php
index 5f10bd02..0263e0e1 100644
--- a/modules/gallery/helpers/album.php
+++ b/modules/gallery/helpers/album.php
@@ -94,9 +94,11 @@ class album_Core {
}
static function get_edit_form($parent) {
- $form = new Forge("albums/{$parent->id}", "", "post", array("id" => "gEditAlbumForm"));
- $form->hidden("_method")->value("put");
- $group = $form->group("edit_item")->label(t("Edit Album"));
+ $view = new View("item_edit.html");
+ $view->script = array();
+ $view->form = new Forge("albums/{$parent->id}", "", "post", array("id" => "gEditAlbumForm"));
+ $view->form->hidden("_method")->value("put");
+ $group = $view->form->group("edit_item")->label(t("Edit Album"));
$group->input("title")->label(t("Title"))->value($parent->title);
$group->textarea("description")->label(t("Description"))->value($parent->description);
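Review bot: `get_edit_form()` keeps its name but now returns a `View` whose `form` property holds the `Forge` object, and `item_edit_form` listeners receive that view instead of the form; neither change is documented. Any caller or listener not updated in this commit that still treats the result as a form would fail, although none are visible in this diff. I would add a docblock stating the return type and that `$view->script` is an array of raw JavaScript strings emitted unescaped (the golden file in this commit lists `$script` as DIRTY), so listeners must append only trusted, already-encoded script. The same applies to `photo::get_edit_form()` in `photo.php`; both function bodies continue outside their hunks.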
@@ -127,11 +129,11 @@ class album_Core {
"DESC" => t("Descending")))
->selected($parent->sort_order);
- module::event("item_edit_form", $parent, $form);
+ module::event("item_edit_form", $parent, $view);
$group->hidden("type")->value("album");
$group->submit("")->value(t("Modify"));
- $form->add_rules_from(ORM::factory("item"));
- return $form;
+ $view->form->add_rules_from(ORM::factory("item"));
+ return $view;
}
}
diff --git a/modules/gallery/helpers/photo.php b/modules/gallery/helpers/photo.php
index 5cf37de1..299195e9 100644
--- a/modules/gallery/helpers/photo.php
+++ b/modules/gallery/helpers/photo.php
@@ -135,9 +135,11 @@ class photo_Core {
}
static function get_edit_form($photo) {
- $form = new Forge("photos/$photo->id", "", "post", array("id" => "gEditPhotoForm"));
- $form->hidden("_method")->value("put");
- $group = $form->group("edit_item")->label(t("Edit Photo"));
+ $view = new View("item_edit.html");
+ $view->script = array();
+ $view->form = new Forge("photos/$photo->id", "", "post", array("id" => "gEditPhotoForm"));
+ $view->form->hidden("_method")->value("put");
+ $group = $view->form->group("edit_item")->label(t("Edit Photo"));
$group->input("title")->label(t("Title"))->value($photo->title);
$group->textarea("description")->label(t("Description"))->value($photo->description);
$group->input("filename")->label(t("Filename"))->value($photo->name)
@@ -147,11 +149,11 @@ class photo_Core {
->callback("item::validate_no_trailing_period")
->error_messages("no_trailing_period", t("The photo name can't end in \".\""));
- module::event("item_edit_form", $photo, $form);
+ module::event("item_edit_form", $photo, $view);
$group->submit("")->value(t("Modify"));
- $form->add_rules_from(ORM::factory("item"));
- return $form;
+ $view->form->add_rules_from(ORM::factory("item"));
+ return $view;
}
/**
diff --git a/modules/gallery/tests/xss_data.txt b/modules/gallery/tests/xss_data.txt
index 981bf31e..2940a8df 100644
--- a/modules/gallery/tests/xss_data.txt
+++ b/modules/gallery/tests/xss_data.txt
@@ -207,6 +207,8 @@ modules/gallery/views/admin_themes_preview.html.php 4 DIRTY $info->na
modules/gallery/views/admin_themes_preview.html.php 7 DIRTY $url
modules/gallery/views/after_install.html.php 11 $user->name
modules/gallery/views/after_install.html.php 15 DIRTY $user->id
+modules/gallery/views/item_edit.html.php 4 DIRTY $script
+modules/gallery/views/item_edit.html.php 8 DIRTY $form
modules/gallery/views/kohana_error_page.php 102 DIRTY $message
modules/gallery/views/kohana_error_page.php 104 DIRTY $file
modules/gallery/views/kohana_error_page.php 104 DIRTY $line
diff --git a/modules/gallery/views/item_edit.html.php b/modules/gallery/views/item_edit.html.php
new file mode 100644
index 00000000..9aa2fb64
--- /dev/null
+++ b/modules/gallery/views/item_edit.html.php
@@ -0,0 +1,9 @@
+
+ if (!empty($script)): ?>
+
+ endif ?>
+
+ = $form ?>
+
\ No newline at end of file
diff --git a/modules/tag/helpers/tag_event.php b/modules/tag/helpers/tag_event.php
index e1ab1b73..58034900 100644
--- a/modules/tag/helpers/tag_event.php
+++ b/modules/tag/helpers/tag_event.php
@@ -64,9 +64,15 @@ class tag_event_Core {
tag::compact();
}
- static function item_edit_form($item, $form) {
+ static function item_edit_form($item, $view) {
+ $url = url::site("tags/autocomplete");
+ $view->script[] = "$('#gEditFormContainer form').ready(function() {
+ $('#gEditFormContainer form input[id=tags]').autocomplete(
+ '$url', {max: 30, formatResult: formatTagAutoCompleteResult}
+ );
+ });";
$tag_value = implode("; ", tag::item_tags($item));
- $form->edit_item->input("tags")->label(t("Tags (separate by , or ;)"))
+ $view->form->edit_item->input("tags")->label(t("Tags (separate by , or ;)"))
->value($tag_value);
}
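Review bot: `$url` is interpolated directly into a single-quoted JavaScript string in `$view->script[]`, and the golden file in this commit records `$script` as DIRTY in `item_edit.html.php`, so nothing encodes it for the script context on output. If the site URL ever contains a quote or backslash (it is derived from configuration, possibly from the request host), the generated script breaks or changes meaning. Encode it for JavaScript instead: `$url = json_encode(url::site("tags/autocomplete"));` and drop the surrounding quotes so the call reads `.autocomplete($url, {max: 30, ...})`. The selector `input[id=tags]` can also be written `#tags`.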
diff --git a/modules/tag/js/tag.js b/modules/tag/js/tag.js
index 282da1ea..bbf44166 100644
--- a/modules/tag/js/tag.js
+++ b/modules/tag/js/tag.js
@@ -68,7 +68,7 @@ function editInPlace(element) {
}
function formatTagAutoCompleteResult(row) {
- var text = $("#gAddTagForm input:text").val();
+ var text = $(".ac_loading").val();
if (/[\s,;]/.test(text)) {
for (var i= text.length - 1; i >= 0; i--) {
var chr = text.charAt(i);
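Review bot: `$(".ac_loading")` selects by a transient state class rather than by the input being completed. If no element carries that class when the formatter runs, `.val()` yields `undefined`, and if two autocomplete inputs are loading at once the first match wins regardless of which one produced the row. A minimal guard is `var text = $(".ac_loading").val() || "";`. Passing the originating input to the formatter would be more robust if the plugin allows it. formatTagAutoCompleteResult continues outside the hunk, so how `text` is used after the loop is not visible here.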
--
cgit v1.2.3
From 23bb6eb7e35637c8a2124216dbb6d3246ad3d702 Mon Sep 17 00:00:00 2001
From: Romain LE DISEZ
Date: Sat, 25 Jul 2009 19:06:54 +0200
Subject: Rename columns that use reserved SQL words : items.left and
items.right
---
installer/install.sql | 72 +-------------------
modules/gallery/helpers/access.php | 40 +++++------
modules/gallery/helpers/gallery_installer.php | 16 +++--
modules/gallery/libraries/ORM_MPTT.php | 84 ++++++++++++------------
modules/gallery/models/item.php | 10 +--
modules/gallery/module.info | 2 +-
modules/gallery/tests/Database_Test.php | 8 +--
modules/gallery/tests/Gallery_Installer_Test.php | 10 +--
modules/gallery/tests/ORM_MPTT_Test.php | 14 ++--
modules/gallery/tests/Photo_Helper_Test.php | 4 +-
modules/notification/helpers/notification.php | 4 +-
11 files changed, 102 insertions(+), 162 deletions(-)
(limited to 'modules/gallery/tests')
diff --git a/installer/install.sql b/installer/install.sql
index 36ccaaff..fc5f967a 100755
--- a/installer/install.sql
+++ b/installer/install.sql
@@ -1,6 +1,4 @@
DROP TABLE IF EXISTS {access_caches};
-SET @saved_cs_client = @@character_set_client;
-SET character_set_client = utf8;
CREATE TABLE {access_caches} (
`id` int(9) NOT NULL auto_increment,
`item_id` int(9) default NULL,
@@ -12,11 +10,8 @@ CREATE TABLE {access_caches} (
`add_2` binary(1) NOT NULL default '0',
PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=utf8;
-SET character_set_client = @saved_cs_client;
INSERT INTO {access_caches} VALUES (1,1,'1','0','0','1','0','0');
DROP TABLE IF EXISTS {access_intents};
-SET @saved_cs_client = @@character_set_client;
-SET character_set_client = utf8;
CREATE TABLE {access_intents} (
`id` int(9) NOT NULL auto_increment,
`item_id` int(9) default NULL,
@@ -30,11 +25,8 @@ CREATE TABLE {access_intents} (
`add_2` binary(1) default NULL,
PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=utf8;
-SET character_set_client = @saved_cs_client;
INSERT INTO {access_intents} VALUES (1,1,'1','1','0','0','1','1','0','0');
DROP TABLE IF EXISTS {caches};
-SET @saved_cs_client = @@character_set_client;
-SET character_set_client = utf8;
CREATE TABLE {caches} (
`id` int(9) NOT NULL auto_increment,
`key` varchar(255) NOT NULL,
@@ -44,10 +36,7 @@ CREATE TABLE {caches} (
PRIMARY KEY (`id`),
KEY `tags` (`tags`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-SET character_set_client = @saved_cs_client;
DROP TABLE IF EXISTS {comments};
-SET @saved_cs_client = @@character_set_client;
-SET character_set_client = utf8;
CREATE TABLE {comments} (
`author_id` int(9) default NULL,
`created` int(9) NOT NULL,
@@ -73,10 +62,7 @@ CREATE TABLE {comments} (
`updated` int(9) NOT NULL,
PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-SET character_set_client = @saved_cs_client;
DROP TABLE IF EXISTS {graphics_rules};
-SET @saved_cs_client = @@character_set_client;
-SET character_set_client = utf8;
CREATE TABLE {graphics_rules} (
`id` int(9) NOT NULL auto_increment,
`active` tinyint(1) default '0',
@@ -87,12 +73,9 @@ CREATE TABLE {graphics_rules} (
`target` varchar(32) NOT NULL,
PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=3 DEFAULT CHARSET=utf8;
-SET character_set_client = @saved_cs_client;
INSERT INTO {graphics_rules} VALUES (1,1,'a:3:{s:5:\"width\";i:200;s:6:\"height\";i:200;s:6:\"master\";i:2;}','gallery','resize',100,'thumb');
INSERT INTO {graphics_rules} VALUES (2,1,'a:3:{s:5:\"width\";i:640;s:6:\"height\";i:480;s:6:\"master\";i:2;}','gallery','resize',100,'resize');
DROP TABLE IF EXISTS {groups};
-SET @saved_cs_client = @@character_set_client;
-SET character_set_client = utf8;
CREATE TABLE {groups} (
`id` int(9) NOT NULL auto_increment,
`name` char(64) default NULL,
@@ -100,25 +83,19 @@ CREATE TABLE {groups} (
PRIMARY KEY (`id`),
UNIQUE KEY `name` (`name`)
) ENGINE=InnoDB AUTO_INCREMENT=3 DEFAULT CHARSET=utf8;
-SET character_set_client = @saved_cs_client;
INSERT INTO {groups} VALUES (1,'Everybody',1);
INSERT INTO {groups} VALUES (2,'Registered Users',1);
DROP TABLE IF EXISTS {groups_users};
-SET @saved_cs_client = @@character_set_client;
-SET character_set_client = utf8;
CREATE TABLE {groups_users} (
`group_id` int(9) NOT NULL,
`user_id` int(9) NOT NULL,
PRIMARY KEY (`group_id`,`user_id`),
UNIQUE KEY `user_id` (`user_id`,`group_id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-SET character_set_client = @saved_cs_client;
INSERT INTO {groups_users} VALUES (1,1);
INSERT INTO {groups_users} VALUES (1,2);
INSERT INTO {groups_users} VALUES (2,2);
DROP TABLE IF EXISTS {incoming_translations};
-SET @saved_cs_client = @@character_set_client;
-SET character_set_client = utf8;
CREATE TABLE {incoming_translations} (
`id` int(9) NOT NULL auto_increment,
`key` char(32) NOT NULL,
@@ -130,10 +107,7 @@ CREATE TABLE {incoming_translations} (
UNIQUE KEY `key` (`key`,`locale`),
KEY `locale_key` (`locale`,`key`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-SET character_set_client = @saved_cs_client;
DROP TABLE IF EXISTS {items};
-SET @saved_cs_client = @@character_set_client;
-SET character_set_client = utf8;
CREATE TABLE {items} (
`id` int(9) NOT NULL auto_increment,
`album_cover_item_id` int(9) default NULL,
@@ -141,7 +115,7 @@ CREATE TABLE {items} (
`created` int(9) default NULL,
`description` varchar(2048) default NULL,
`height` int(9) default NULL,
- `left` int(9) NOT NULL,
+ `left_ptr` int(9) NOT NULL,
`level` int(9) NOT NULL,
`mime_type` varchar(64) default NULL,
`name` varchar(255) default NULL,
@@ -152,7 +126,7 @@ CREATE TABLE {items} (
`resize_dirty` tinyint(1) default '1',
`resize_height` int(9) default NULL,
`resize_width` int(9) default NULL,
- `right` int(9) NOT NULL,
+ `right_ptr` int(9) NOT NULL,
`sort_column` varchar(64) default NULL,
`sort_order` char(4) default 'ASC',
`thumb_dirty` tinyint(1) default '1',
@@ -171,11 +145,8 @@ CREATE TABLE {items} (
KEY `type` (`type`),
KEY `random` (`rand_key`)
) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=utf8;
-SET character_set_client = @saved_cs_client;
INSERT INTO {items} VALUES (1,NULL,NULL,UNIX_TIMESTAMP(),'',NULL,1,1,NULL,NULL,NULL,0,NULL,'',1,NULL,NULL,2,'weight','ASC',1,NULL,NULL,'Gallery','album',UNIX_TIMESTAMP(),0,1,NULL,'1','1');
DROP TABLE IF EXISTS {items_tags};
-SET @saved_cs_client = @@character_set_client;
-SET character_set_client = utf8;
CREATE TABLE {items_tags} (
`id` int(9) NOT NULL auto_increment,
`item_id` int(9) NOT NULL,
@@ -184,10 +155,7 @@ CREATE TABLE {items_tags} (
KEY `tag_id` (`tag_id`,`id`),
KEY `item_id` (`item_id`,`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-SET character_set_client = @saved_cs_client;
DROP TABLE IF EXISTS {logs};
-SET @saved_cs_client = @@character_set_client;
-SET character_set_client = utf8;
CREATE TABLE {logs} (
`id` int(9) NOT NULL auto_increment,
`category` varchar(64) default NULL,
@@ -200,10 +168,7 @@ CREATE TABLE {logs} (
`user_id` int(9) default '0',
PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-SET character_set_client = @saved_cs_client;
DROP TABLE IF EXISTS {messages};
-SET @saved_cs_client = @@character_set_client;
-SET character_set_client = utf8;
CREATE TABLE {messages} (
`id` int(9) NOT NULL auto_increment,
`key` varchar(255) default NULL,
@@ -212,10 +177,7 @@ CREATE TABLE {messages} (
PRIMARY KEY (`id`),
UNIQUE KEY `key` (`key`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-SET character_set_client = @saved_cs_client;
DROP TABLE IF EXISTS {modules};
-SET @saved_cs_client = @@character_set_client;
-SET character_set_client = utf8;
CREATE TABLE {modules} (
`id` int(9) NOT NULL auto_increment,
`active` tinyint(1) default '0',
@@ -224,8 +186,7 @@ CREATE TABLE {modules} (
PRIMARY KEY (`id`),
UNIQUE KEY `name` (`name`)
) ENGINE=InnoDB AUTO_INCREMENT=10 DEFAULT CHARSET=utf8;
-SET character_set_client = @saved_cs_client;
-INSERT INTO {modules} VALUES (1,1,'gallery',7);
+INSERT INTO {modules} VALUES (1,1,'gallery',9);
INSERT INTO {modules} VALUES (2,1,'user',1);
INSERT INTO {modules} VALUES (3,1,'comment',2);
INSERT INTO {modules} VALUES (4,1,'organize',1);
@@ -235,8 +196,6 @@ INSERT INTO {modules} VALUES (7,1,'search',1);
INSERT INTO {modules} VALUES (8,1,'slideshow',1);
INSERT INTO {modules} VALUES (9,1,'tag',1);
DROP TABLE IF EXISTS {outgoing_translations};
-SET @saved_cs_client = @@character_set_client;
-SET character_set_client = utf8;
CREATE TABLE {outgoing_translations} (
`id` int(9) NOT NULL auto_increment,
`base_revision` int(9) default NULL,
@@ -248,10 +207,7 @@ CREATE TABLE {outgoing_translations} (
UNIQUE KEY `key` (`key`,`locale`),
KEY `locale_key` (`locale`,`key`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-SET character_set_client = @saved_cs_client;
DROP TABLE IF EXISTS {permissions};
-SET @saved_cs_client = @@character_set_client;
-SET character_set_client = utf8;
CREATE TABLE {permissions} (
`id` int(9) NOT NULL auto_increment,
`display_name` varchar(64) default NULL,
@@ -259,14 +215,11 @@ CREATE TABLE {permissions} (
PRIMARY KEY (`id`),
UNIQUE KEY `name` (`name`)
) ENGINE=InnoDB AUTO_INCREMENT=5 DEFAULT CHARSET=utf8;
-SET character_set_client = @saved_cs_client;
INSERT INTO {permissions} VALUES (1,'View','view');
INSERT INTO {permissions} VALUES (2,'View Full Size','view_full');
INSERT INTO {permissions} VALUES (3,'Edit','edit');
INSERT INTO {permissions} VALUES (4,'Add','add');
DROP TABLE IF EXISTS {search_records};
-SET @saved_cs_client = @@character_set_client;
-SET character_set_client = utf8;
CREATE TABLE {search_records} (
`id` int(9) NOT NULL auto_increment,
`item_id` int(9) default NULL,
@@ -276,21 +229,15 @@ CREATE TABLE {search_records} (
KEY `item_id` (`item_id`),
FULLTEXT KEY `data` (`data`)
) ENGINE=MyISAM AUTO_INCREMENT=2 DEFAULT CHARSET=utf8;
-SET character_set_client = @saved_cs_client;
INSERT INTO {search_records} VALUES (1,1,0,' Gallery');
DROP TABLE IF EXISTS {sessions};
-SET @saved_cs_client = @@character_set_client;
-SET character_set_client = utf8;
CREATE TABLE {sessions} (
`session_id` varchar(127) NOT NULL,
`data` text NOT NULL,
`last_activity` int(10) unsigned NOT NULL,
PRIMARY KEY (`session_id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-SET character_set_client = @saved_cs_client;
DROP TABLE IF EXISTS {tags};
-SET @saved_cs_client = @@character_set_client;
-SET character_set_client = utf8;
CREATE TABLE {tags} (
`id` int(9) NOT NULL auto_increment,
`name` varchar(64) NOT NULL,
@@ -298,10 +245,7 @@ CREATE TABLE {tags} (
PRIMARY KEY (`id`),
UNIQUE KEY `name` (`name`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-SET character_set_client = @saved_cs_client;
DROP TABLE IF EXISTS {tasks};
-SET @saved_cs_client = @@character_set_client;
-SET character_set_client = utf8;
CREATE TABLE {tasks} (
`id` int(9) NOT NULL auto_increment,
`callback` varchar(128) default NULL,
@@ -316,10 +260,7 @@ CREATE TABLE {tasks} (
PRIMARY KEY (`id`),
KEY `owner_id` (`owner_id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-SET character_set_client = @saved_cs_client;
DROP TABLE IF EXISTS {themes};
-SET @saved_cs_client = @@character_set_client;
-SET character_set_client = utf8;
CREATE TABLE {themes} (
`id` int(9) NOT NULL auto_increment,
`name` varchar(64) default NULL,
@@ -327,12 +268,9 @@ CREATE TABLE {themes} (
PRIMARY KEY (`id`),
UNIQUE KEY `name` (`name`)
) ENGINE=InnoDB AUTO_INCREMENT=3 DEFAULT CHARSET=utf8;
-SET character_set_client = @saved_cs_client;
INSERT INTO {themes} VALUES (1,'default',1);
INSERT INTO {themes} VALUES (2,'admin_default',1);
DROP TABLE IF EXISTS {users};
-SET @saved_cs_client = @@character_set_client;
-SET character_set_client = utf8;
CREATE TABLE {users} (
`id` int(9) NOT NULL auto_increment,
`name` varchar(32) NOT NULL,
@@ -350,12 +288,9 @@ CREATE TABLE {users} (
UNIQUE KEY `name` (`name`),
UNIQUE KEY `hash` (`hash`)
) ENGINE=InnoDB AUTO_INCREMENT=3 DEFAULT CHARSET=utf8;
-SET character_set_client = @saved_cs_client;
INSERT INTO {users} VALUES (1,'guest','Guest User','',0,0,NULL,0,1,NULL,NULL,NULL);
INSERT INTO {users} VALUES (2,'admin','Gallery Administrator','',0,0,NULL,1,0,NULL,NULL,NULL);
DROP TABLE IF EXISTS {vars};
-SET @saved_cs_client = @@character_set_client;
-SET character_set_client = utf8;
CREATE TABLE {vars} (
`id` int(9) NOT NULL auto_increment,
`module_name` varchar(64) NOT NULL,
@@ -364,7 +299,6 @@ CREATE TABLE {vars} (
PRIMARY KEY (`id`),
UNIQUE KEY `module_name` (`module_name`,`name`)
) ENGINE=InnoDB AUTO_INCREMENT=27 DEFAULT CHARSET=utf8;
-SET character_set_client = @saved_cs_client;
INSERT INTO {vars} VALUES (1,'gallery','active_site_theme','default');
INSERT INTO {vars} VALUES (2,'gallery','active_admin_theme','admin_default');
INSERT INTO {vars} VALUES (3,'gallery','page_size','9');
diff --git a/modules/gallery/helpers/access.php b/modules/gallery/helpers/access.php
index c84527f4..949aea84 100644
--- a/modules/gallery/helpers/access.php
+++ b/modules/gallery/helpers/access.php
@@ -166,8 +166,8 @@ class access_Core {
// For view permissions, if any parent is self::DENY, then those parents lock this one.
// Return
$lock = ORM::factory("item")
- ->where("`left` <= $item->left")
- ->where("`right` >= $item->right")
+ ->where("`left_ptr` <= $item->left_ptr")
+ ->where("`right_ptr` >= $item->right_ptr")
->where("items.id <> $item->id")
->join("access_intents", "items.id", "access_intents.item_id")
->where("access_intents.view_$group->id", self::DENY)
@@ -490,11 +490,11 @@ class access_Core {
// item, then its safe to propagate from here.
if ($access->$field !== self::DENY) {
$tmp_item = ORM::factory("item")
- ->where("left <", $item->left)
- ->where("right >", $item->right)
+ ->where("left_ptr <", $item->left_ptr)
+ ->where("right_ptr >", $item->right_ptr)
->join("access_intents", "access_intents.item_id", "items.id")
->where("access_intents.$field", self::DENY)
- ->orderby("left", "DESC")
+ ->orderby("left_ptr", "DESC")
->limit(1)
->find();
if ($tmp_item->loaded) {
@@ -507,13 +507,13 @@ class access_Core {
// them according the rule above. So mark every permission below this level as UNKNOWN so
// that we can tell which permissions have been changed, and which ones need to be updated.
$db->update("items", array($field => self::UNKNOWN),
- array("left >=" => $item->left, "right <=" => $item->right));
+ array("left_ptr >=" => $item->left_ptr, "right_ptr <=" => $item->right_ptr));
$query = ORM::factory("access_intent")
- ->select(array("access_intents.$field", "items.left", "items.right", "items.id"))
+ ->select(array("access_intents.$field", "items.left_ptr", "items.right_ptr", "items.id"))
->join("items", "items.id", "access_intents.item_id")
- ->where("left >=", $item->left)
- ->where("right <=", $item->right)
+ ->where("left_ptr >=", $item->left_ptr)
+ ->where("right_ptr <=", $item->right_ptr)
->where("type", "album")
->where("access_intents.$field IS NOT", self::INHERIT)
->orderby("level", "DESC")
@@ -522,11 +522,11 @@ class access_Core {
if ($row->$field == self::ALLOW) {
// Propagate ALLOW for any row that is still UNKNOWN.
$db->update("items", array($field => $row->$field),
- array($field => self::UNKNOWN, "left >=" => $row->left, "right <=" => $row->right));
+ array($field => self::UNKNOWN, "left_ptr >=" => $row->left_ptr, "right_ptr <=" => $row->right_ptr));
} else if ($row->$field == self::DENY) {
// DENY overwrites everything below it
$db->update("items", array($field => $row->$field),
- array("left >=" => $row->left, "right <=" => $row->right));
+ array("left_ptr >=" => $row->left_ptr, "right_ptr <=" => $row->right_ptr));
}
}
@@ -534,7 +534,7 @@ class access_Core {
// DENY parent in the hierarchy to propagate from. So we'll still have a UNKNOWN values in
// the hierarchy, and all of those are safe to change to ALLOW.
$db->update("items", array($field => self::ALLOW),
- array($field => self::UNKNOWN, "left >=" => $item->left, "right <=" => $item->right));
+ array($field => self::UNKNOWN, "left_ptr >=" => $item->left_ptr, "right_ptr <=" => $item->right_ptr));
}
/**
@@ -562,10 +562,10 @@ class access_Core {
if ($access->$field === self::INHERIT) {
$tmp_item = ORM::factory("item")
->join("access_intents", "items.id", "access_intents.item_id")
- ->where("left <", $item->left)
- ->where("right >", $item->right)
+ ->where("left_ptr <", $item->left_ptr)
+ ->where("right_ptr >", $item->right_ptr)
->where("$field IS NOT", self::UNKNOWN)
- ->orderby("left", "DESC")
+ ->orderby("left_ptr", "DESC")
->limit(1)
->find();
if ($tmp_item->loaded) {
@@ -576,10 +576,10 @@ class access_Core {
// With non-view permissions, each level can override any permissions that came above it
// so start at the top and work downwards, overlaying permissions as we go.
$query = ORM::factory("access_intent")
- ->select(array("access_intents.$field", "items.left", "items.right"))
+ ->select(array("access_intents.$field", "items.left_ptr", "items.right_ptr"))
->join("items", "items.id", "access_intents.item_id")
- ->where("left >=", $item->left)
- ->where("right <=", $item->right)
+ ->where("left_ptr >=", $item->left_ptr)
+ ->where("right_ptr <=", $item->right_ptr)
->where("$field IS NOT", self::INHERIT)
->orderby("level", "ASC")
->find_all();
@@ -589,8 +589,8 @@ class access_Core {
"UPDATE {access_caches} SET `$field` = $value " .
"WHERE `item_id` IN " .
" (SELECT `id` FROM {items} " .
- " WHERE `left` >= $row->left " .
- " AND `right` <= $row->right)");
+ " WHERE `left_ptr` >= $row->left_ptr " .
+ " AND `right_ptr` <= $row->right_ptr)");
}
}
diff --git a/modules/gallery/helpers/gallery_installer.php b/modules/gallery/helpers/gallery_installer.php
index db13307f..760bec31 100644
--- a/modules/gallery/helpers/gallery_installer.php
+++ b/modules/gallery/helpers/gallery_installer.php
@@ -72,7 +72,7 @@ class gallery_installer {
`created` int(9) default NULL,
`description` varchar(2048) default NULL,
`height` int(9) default NULL,
- `left` int(9) NOT NULL,
+ `left_ptr` int(9) NOT NULL,
`level` int(9) NOT NULL,
`mime_type` varchar(64) default NULL,
`name` varchar(255) default NULL,
@@ -83,7 +83,7 @@ class gallery_installer {
`resize_dirty` boolean default 1,
`resize_height` int(9) default NULL,
`resize_width` int(9) default NULL,
- `right` int(9) NOT NULL,
+ `right_ptr` int(9) NOT NULL,
`sort_column` varchar(64) default NULL,
`sort_order` char(4) default 'ASC',
`thumb_dirty` boolean default 1,
@@ -204,8 +204,8 @@ class gallery_installer {
$root->type = "album";
$root->title = "Gallery";
$root->description = "";
- $root->left = 1;
- $root->right = 2;
+ $root->left_ptr = 1;
+ $root->right_ptr = 2;
$root->parent_id = 0;
$root->level = 1;
$root->thumb_dirty = 1;
@@ -258,7 +258,7 @@ class gallery_installer {
module::set_var("gallery", "show_credits", 1);
// @todo this string needs to be picked up by l10n_scanner
module::set_var("gallery", "credits", "Powered by Gallery %version ");
- module::set_version("gallery", 7);
+ module::set_version("gallery", 9);
}
static function upgrade($version) {
@@ -323,6 +323,12 @@ class gallery_installer {
}
module::set_version("gallery", $version = 8);
}
+
+ if ($version == 8) {
+ $db->query("ALTER TABLE {items} CHANGE COLUMN `left` `left_ptr` INT(9) NOT NULL;");
+ $db->query("ALTER TABLE {items} CHANGE COLUMN `right` `right_ptr` INT(9) NOT NULL;");
+ module::set_version("gallery", $version = 9);
+ }
}
static function uninstall() {
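Review bot: The version 8 → 9 step runs two separate `ALTER TABLE` statements and records version 9 only after both succeed. If the second one fails, the schema has `left_ptr` next to the old `right` column while the stored version is still 8, and a retry then fails on the first statement because `left` no longer exists. Merging both renames into one statement removes that half-migrated state: ``ALTER TABLE {items} CHANGE COLUMN `left` `left_ptr` INT(9) NOT NULL, CHANGE COLUMN `right` `right_ptr` INT(9) NOT NULL``. `upgrade()` begins outside this hunk, so whether earlier steps guard against partial application is not visible.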
diff --git a/modules/gallery/libraries/ORM_MPTT.php b/modules/gallery/libraries/ORM_MPTT.php
index e371f159..1917d738 100644
--- a/modules/gallery/libraries/ORM_MPTT.php
+++ b/modules/gallery/libraries/ORM_MPTT.php
@@ -52,14 +52,14 @@ class ORM_MPTT_Core extends ORM {
try {
// Make a hole in the parent for this new item
$this->db->query(
- "UPDATE {{$this->table_name}} SET `left` = `left` + 2 WHERE `left` >= {$parent->right}");
+ "UPDATE {{$this->table_name}} SET `left_ptr` = `left_ptr` + 2 WHERE `left_ptr` >= {$parent->right_ptr}");
$this->db->query(
- "UPDATE {{$this->table_name}} SET `right` = `right` + 2 WHERE `right` >= {$parent->right}");
- $parent->right += 2;
+ "UPDATE {{$this->table_name}} SET `right_ptr` = `right_ptr` + 2 WHERE `right_ptr` >= {$parent->right_ptr}");
+ $parent->right_ptr += 2;
// Insert this item into the hole
- $this->left = $parent->right - 2;
- $this->right = $parent->right - 1;
+ $this->left_ptr = $parent->right_ptr - 2;
+ $this->right_ptr = $parent->right_ptr - 1;
$this->parent_id = $parent->id;
$this->level = $parent->level + 1;
$this->save();
@@ -81,7 +81,7 @@ class ORM_MPTT_Core extends ORM {
if ($children) {
foreach ($this->children() as $item) {
// Deleting children affects the MPTT tree, so we have to reload each child before we
- // delete it so that we have current left/right pointers. This is inefficient.
+ // delete it so that we have current left_ptr/right_ptr pointers. This is inefficient.
// @todo load each child once, not twice.
$item->reload()->delete();
}
@@ -93,9 +93,9 @@ class ORM_MPTT_Core extends ORM {
$this->lock();
try {
$this->db->query(
- "UPDATE {{$this->table_name}} SET `left` = `left` - 2 WHERE `left` > {$this->right}");
+ "UPDATE {{$this->table_name}} SET `left_ptr` = `left_ptr` - 2 WHERE `left_ptr` > {$this->right_ptr}");
$this->db->query(
- "UPDATE {{$this->table_name}} SET `right` = `right` - 2 WHERE `right` > {$this->right}");
+ "UPDATE {{$this->table_name}} SET `right_ptr` = `right_ptr` - 2 WHERE `right_ptr` > {$this->right_ptr}");
} catch (Exception $e) {
$this->unlock();
throw $e;
@@ -111,7 +111,7 @@ class ORM_MPTT_Core extends ORM {
* @return boolean
*/
function is_descendant($target) {
- return ($this->left <= $target->left && $this->right >= $target->right);
+ return ($this->left_ptr <= $target->left_ptr && $this->right_ptr >= $target->right_ptr);
}
/**
@@ -133,10 +133,10 @@ class ORM_MPTT_Core extends ORM {
*/
function parents() {
return $this
- ->where("`left` <= {$this->left}")
- ->where("`right` >= {$this->right}")
+ ->where("`left_ptr` <= {$this->left_ptr}")
+ ->where("`right_ptr` >= {$this->right_ptr}")
->where("id <> {$this->id}")
- ->orderby("left", "ASC")
+ ->orderby("left_ptr", "ASC")
->find_all();
}
@@ -181,8 +181,8 @@ class ORM_MPTT_Core extends ORM {
* @return object ORM_Iterator
*/
function descendants($limit=null, $offset=0, $type=null, $orderby=null) {
- $this->where("left >", $this->left)
- ->where("right <=", $this->right);
+ $this->where("left_ptr >", $this->left_ptr)
+ ->where("right_ptr <=", $this->right_ptr);
if ($type) {
$this->where("type", $type);
}
@@ -203,8 +203,8 @@ class ORM_MPTT_Core extends ORM {
* @return integer child count
*/
function descendants_count($type=null) {
- $this->where("left >", $this->left)
- ->where("right <=", $this->right);
+ $this->where("left_ptr >", $this->left_ptr)
+ ->where("right_ptr <=", $this->right_ptr);
if ($type) {
$this->where("type", $type);
}
@@ -219,16 +219,16 @@ class ORM_MPTT_Core extends ORM {
* @return ORM_MTPP
*/
function move_to($target) {
- if ($this->left <= $target->left &&
- $this->right >= $target->right) {
+ if ($this->left_ptr <= $target->left_ptr &&
+ $this->right_ptr >= $target->right_ptr) {
throw new Exception("@todo INVALID_TARGET can't move item inside itself");
}
- $number_to_move = (int)(($this->right - $this->left) / 2 + 1);
+ $number_to_move = (int)(($this->right_ptr - $this->left_ptr) / 2 + 1);
$size_of_hole = $number_to_move * 2;
- $original_left = $this->left;
- $original_right = $this->right;
- $target_right = $target->right;
+ $original_left_ptr = $this->left_ptr;
+ $original_right_ptr = $this->right_ptr;
+ $target_right_ptr = $target->right_ptr;
$level_delta = ($target->level + 1) - $this->level;
$this->lock();
@@ -237,45 +237,45 @@ class ORM_MPTT_Core extends ORM {
// Update the levels for the to-be-moved items
$this->db->query(
"UPDATE {{$this->table_name}} SET `level` = `level` + $level_delta" .
- " WHERE `left` >= $original_left AND `right` <= $original_right");
+ " WHERE `left_ptr` >= $original_left_ptr AND `right_ptr` <= $original_right_ptr");
}
// Make a hole in the target for the move
$target->db->query(
- "UPDATE {{$this->table_name}} SET `left` = `left` + $size_of_hole" .
- " WHERE `left` >= $target_right");
+ "UPDATE {{$this->table_name}} SET `left_ptr` = `left_ptr` + $size_of_hole" .
+ " WHERE `left_ptr` >= $target_right_ptr");
$target->db->query(
- "UPDATE {{$this->table_name}} SET `right` = `right` + $size_of_hole" .
- " WHERE `right` >= $target_right");
+ "UPDATE {{$this->table_name}} SET `right_ptr` = `right_ptr` + $size_of_hole" .
+ " WHERE `right_ptr` >= $target_right_ptr");
// Change the parent.
$this->db->query(
"UPDATE {{$this->table_name}} SET `parent_id` = {$target->id}" .
" WHERE `id` = {$this->id}");
- // If the source is to the right of the target then we just adjusted its left and right above.
- $left = $original_left;
- $right = $original_right;
- if ($original_left > $target_right) {
- $left += $size_of_hole;
- $right += $size_of_hole;
+ // If the source is to the right of the target then we just adjusted its left_ptr and right_ptr above.
+ $left_ptr = $original_left_ptr;
+ $right_ptr = $original_right_ptr;
+ if ($original_left_ptr > $target_right_ptr) {
+ $left_ptr += $size_of_hole;
+ $right_ptr += $size_of_hole;
}
- $new_offset = $target->right - $left;
+ $new_offset = $target->right_ptr - $left_ptr;
$this->db->query(
"UPDATE {{$this->table_name}}" .
- " SET `left` = `left` + $new_offset," .
- " `right` = `right` + $new_offset" .
- " WHERE `left` >= $left" .
- " AND `right` <= $right");
+ " SET `left_ptr` = `left_ptr` + $new_offset," .
+ " `right_ptr` = `right_ptr` + $new_offset" .
+ " WHERE `left_ptr` >= $left_ptr" .
+ " AND `right_ptr` <= $right_ptr");
// Close the hole in the source's parent after the move
$this->db->query(
- "UPDATE {{$this->table_name}} SET `left` = `left` - $size_of_hole" .
- " WHERE `left` > $right");
+ "UPDATE {{$this->table_name}} SET `left_ptr` = `left_ptr` - $size_of_hole" .
+ " WHERE `left_ptr` > $right_ptr");
$this->db->query(
- "UPDATE {{$this->table_name}} SET `right` = `right` - $size_of_hole" .
- " WHERE `right` > $right");
+ "UPDATE {{$this->table_name}} SET `right_ptr` = `right_ptr` - $size_of_hole" .
+ " WHERE `right_ptr` > $right_ptr");
} catch (Exception $e) {
$this->unlock();
throw $e;
diff --git a/modules/gallery/models/item.php b/modules/gallery/models/item.php
index 58ac8f18..d9dd88f5 100644
--- a/modules/gallery/models/item.php
+++ b/modules/gallery/models/item.php
@@ -150,7 +150,7 @@ class Item_Model extends ORM_MPTT {
Database::instance()
->update("items",
array("relative_path_cache" => null),
- array("left >" => $this->left, "right <" => $this->right));
+ array("left_ptr >" => $this->left_ptr, "right_ptr <" => $this->right_ptr));
} else {
@rename($original_resize_path, $this->resize_path());
@rename($original_thumb_path, $this->thumb_path());
@@ -186,7 +186,7 @@ class Item_Model extends ORM_MPTT {
Database::instance()
->update("items",
array("relative_path_cache" => null),
- array("left >" => $this->left, "right <" => $this->right));
+ array("left_ptr >" => $this->left_ptr, "right_ptr <" => $this->right_ptr));
}
return $this;
@@ -302,10 +302,10 @@ class Item_Model extends ORM_MPTT {
foreach (Database::instance()
->select("name")
->from("items")
- ->where("left <=", $this->left)
- ->where("right >=", $this->right)
+ ->where("left_ptr <=", $this->left_ptr)
+ ->where("right_ptr >=", $this->right_ptr)
->where("id <>", 1)
- ->orderby("left", "ASC")
+ ->orderby("left_ptr", "ASC")
->get() as $row) {
$paths[] = $row->name;
}
diff --git a/modules/gallery/module.info b/modules/gallery/module.info
index ba367878..c5a9d25d 100644
--- a/modules/gallery/module.info
+++ b/modules/gallery/module.info
@@ -1,3 +1,3 @@
name = "Gallery 3"
description = "Gallery core application"
-version = 8
+version = 9
diff --git a/modules/gallery/tests/Database_Test.php b/modules/gallery/tests/Database_Test.php
index bd3d2f53..d83212ad 100644
--- a/modules/gallery/tests/Database_Test.php
+++ b/modules/gallery/tests/Database_Test.php
@@ -103,15 +103,15 @@ class Database_Test extends Unit_Test_Case {
$sql = "UPDATE {test_tables} SET `name` = '{test string}' " .
"WHERE `item_id` IN " .
" (SELECT `id` FROM {items} " .
- " WHERE `left` >= 1 " .
- " AND `right` <= 6)";
+ " WHERE `left_ptr` >= 1 " .
+ " AND `right_ptr` <= 6)";
$sql = $db->add_table_prefixes($sql);
$expected = "UPDATE g3test_test_tables SET `name` = '{test string}' " .
"WHERE `item_id` IN " .
" (SELECT `id` FROM g3test_items " .
- " WHERE `left` >= 1 " .
- " AND `right` <= 6)";
+ " WHERE `left_ptr` >= 1 " .
+ " AND `right_ptr` <= 6)";
$this->assert_same($expected, $sql);
}
diff --git a/modules/gallery/tests/Gallery_Installer_Test.php b/modules/gallery/tests/Gallery_Installer_Test.php
index 27157d6e..36ced2bb 100644
--- a/modules/gallery/tests/Gallery_Installer_Test.php
+++ b/modules/gallery/tests/Gallery_Installer_Test.php
@@ -34,13 +34,13 @@ class Gallery_Installer_Test extends Unit_Test_Case {
}
public function install_creates_root_item_test() {
- $max_right = ORM::factory("item")
- ->select("MAX(`right`) AS `right`")
- ->find()->right;
+ $max_right_ptr = ORM::factory("item")
+ ->select("MAX(`right_ptr`) AS `right_ptr`")
+ ->find()->right_ptr;
$root = ORM::factory('item')->find(1);
$this->assert_equal("Gallery", $root->title);
- $this->assert_equal(1, $root->left);
- $this->assert_equal($max_right, $root->right);
+ $this->assert_equal(1, $root->left_ptr);
+ $this->assert_equal($max_right_ptr, $root->right_ptr);
$this->assert_equal(null, $root->parent_id);
$this->assert_equal(1, $root->level);
}
diff --git a/modules/gallery/tests/ORM_MPTT_Test.php b/modules/gallery/tests/ORM_MPTT_Test.php
index 200c8a74..943810c3 100644
--- a/modules/gallery/tests/ORM_MPTT_Test.php
+++ b/modules/gallery/tests/ORM_MPTT_Test.php
@@ -33,8 +33,8 @@ class ORM_MPTT_Test extends Unit_Test_Case {
$album->sort_order = "ASC";
$album->add_to_parent($root);
- $this->assert_equal($album->parent()->right - 2, $album->left);
- $this->assert_equal($album->parent()->right - 1, $album->right);
+ $this->assert_equal($album->parent()->right_ptr - 2, $album->left_ptr);
+ $this->assert_equal($album->parent()->right_ptr - 1, $album->right_ptr);
$this->assert_equal($album->parent()->level + 1, $album->level);
$this->assert_equal($album->parent()->id, $album->parent_id);
}
@@ -48,10 +48,10 @@ class ORM_MPTT_Test extends Unit_Test_Case {
$album1_1_2 = self::create_item_and_add_to_parent($album1_1);
$album1->reload();
- $this->assert_equal(9, $album1->right - $album1->left);
+ $this->assert_equal(9, $album1->right_ptr - $album1->left_ptr);
$album1_1->reload();
- $this->assert_equal(5, $album1_1->right - $album1_1->left);
+ $this->assert_equal(5, $album1_1->right_ptr - $album1_1->left_ptr);
}
public function delete_hierarchy_test() {
@@ -66,7 +66,7 @@ class ORM_MPTT_Test extends Unit_Test_Case {
$album1->reload();
// Now album1 contains only album1_2
- $this->assert_equal(3, $album1->right - $album1->left);
+ $this->assert_equal(3, $album1->right_ptr - $album1->left_ptr);
}
public function move_to_test() {
@@ -85,8 +85,8 @@ class ORM_MPTT_Test extends Unit_Test_Case {
$album1_1->reload();
$album1_2->reload();
- $this->assert_equal(3, $album1_1->right - $album1_1->left);
- $this->assert_equal(3, $album1_2->right - $album1_2->left);
+ $this->assert_equal(3, $album1_1->right_ptr - $album1_1->left_ptr);
+ $this->assert_equal(3, $album1_2->right_ptr - $album1_2->left_ptr);
$this->assert_equal(
array($album1_1_2->id => "move_to_test_1_1_2"),
diff --git a/modules/gallery/tests/Photo_Helper_Test.php b/modules/gallery/tests/Photo_Helper_Test.php
index cc1f20da..c0641ef4 100644
--- a/modules/gallery/tests/Photo_Helper_Test.php
+++ b/modules/gallery/tests/Photo_Helper_Test.php
@@ -43,8 +43,8 @@ class Photo_Helper_Test extends Unit_Test_Case {
$this->assert_equal($image_info[0], $photo->width);
$this->assert_equal($image_info[1], $photo->height);
- $this->assert_equal($photo->parent()->right - 2, $photo->left);
- $this->assert_equal($photo->parent()->right - 1, $photo->right);
+ $this->assert_equal($photo->parent()->right_ptr - 2, $photo->left_ptr);
+ $this->assert_equal($photo->parent()->right_ptr - 1, $photo->right_ptr);
}
public function create_conflicting_photo_test() {
diff --git a/modules/notification/helpers/notification.php b/modules/notification/helpers/notification.php
index d91a37e8..92c40d4f 100644
--- a/modules/notification/helpers/notification.php
+++ b/modules/notification/helpers/notification.php
@@ -73,8 +73,8 @@ class notification {
->join("subscriptions", "users.id", "subscriptions.user_id")
->join("items", "subscriptions.item_id", "items.id")
->where("email IS NOT", null)
- ->where("items.left <=", $item->left)
- ->where("items.right >", $item->right)
+ ->where("items.left_ptr <=", $item->left_ptr)
+ ->where("items.right_ptr >", $item->right_ptr)
->find_all();
$subscribers = array();
--
cgit v1.2.3
From 0b97cfd6f098be08be5f3cf1dbca1cce580ae330 Mon Sep 17 00:00:00 2001
From: Tim Almdal
Date: Sun, 26 Jul 2009 09:29:29 -0700
Subject: Changed access::user_can to force the owner of an item to have view
permission on the parent. Added a whitelist of allowable owner permissions.
If the requested permission is view and the user requesting access
is the owner, check that they have view permission to the parent.
---
modules/gallery/helpers/access.php | 17 +++++++++--
modules/gallery/tests/Access_Helper_Test.php | 42 ++++++++++++++++++++++++++++
2 files changed, 56 insertions(+), 3 deletions(-)
(limited to 'modules/gallery/tests')
diff --git a/modules/gallery/helpers/access.php b/modules/gallery/helpers/access.php
index 2faa922b..4f737c7f 100644
--- a/modules/gallery/helpers/access.php
+++ b/modules/gallery/helpers/access.php
@@ -95,13 +95,24 @@ class access_Core {
return false;
}
- if ($user->admin && $item->owner_id == $user->id) {
+ if ($user->admin) {
return true;
}
- $resource = $perm_name == "view" ?
- $item : model_cache::get("access_cache", $item->id, "item_id");
+ print "Before owner id check\n";
+ if ($item->owner_id == $user->id &&
+ in_array($perm_name, array("view_full", "edit", "add"))) {
+ return true;
+ }
+
+ if ($perm_name == "view") {
+ $resource = $item->owner_id == $user->id ? $item->parent() : $item;
+ } else {
+ $resource = model_cache::get("access_cache", $item->id, "item_id");
+ }
+ print Kohana::debug($resource->as_array()) . "\n";
foreach ($user->groups as $group) {
+ print "$group->name\n";
if ($resource->__get("{$perm_name}_{$group->id}") === self::ALLOW) {
return true;
}
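Review bot: The three `print` statements added to `access::user_can` (`print "Before owner id check\n";`, `print Kohana::debug($resource->as_array()) . "\n";` and `print "$group->name\n";`) look like leftover debugging and should be removed. As written, they would write the permission row and the user's group names into the output of any request that runs a permission check. Separately, the owner branch returns true for `view_full`, `edit` and `add` before any parent check, so the parent-view requirement in the commit message only applies to `view`. If that is intended, a comment such as `// Owners keep view_full/edit/add even when the parent album is not viewable to them` would make the policy explicit. The body of `user_can` starts and ends outside this hunk.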
diff --git a/modules/gallery/tests/Access_Helper_Test.php b/modules/gallery/tests/Access_Helper_Test.php
index 59cec453..737ed8a6 100644
--- a/modules/gallery/tests/Access_Helper_Test.php
+++ b/modules/gallery/tests/Access_Helper_Test.php
@@ -101,6 +101,48 @@ class Access_Helper_Test extends Unit_Test_Case {
$this->assert_false(access::user_can($user, "view", $item), "Should be unable to view");
}
+ public function owner_can_view_album_test() {
+ $user = user::create("access_test", "Access Test", "");
+ foreach ($user->groups as $group) {
+ $user->remove($group);
+ }
+ $user->save();
+
+ $root = ORM::factory("item", 1);
+ $item = album::create($root, rand(), "test album", $user->id);
+
+ $this->assert_true(access::user_can($user, "view", $item), "Should be able to view");
+ }
+
+ public function owner_can_view_photo_test() {
+ $user = user::create("access_test", "Access Test", "");
+ foreach ($user->groups as $group) {
+ $user->remove($group);
+ }
+ $user->save();
+
+ $root = ORM::factory("item", 1);
+ $album = album::create($root, rand(), "test album", $user->id);
+ $item = photo::create($album, MODPATH . "gallery/images/gallery.png", "", "", null, $user->id);
+
+ $this->assert_true(access::user_can($user, "view", $item), "Should be able to view");
+ }
+
+ public function owner_cant_view_photo_test() {
+ $user = user::create("access_test", "Access Test", "");
+ foreach ($user->groups as $group) {
+ $user->remove($group);
+ }
+ $user->save();
+
+ $root = ORM::factory("item", 1);
+ $album = album::create($root, rand(), "test album");
+ access::deny(group::everybody(), "view", $album);
+ $item = photo::create($album, MODPATH . "gallery/images/gallery.png", "", "", null, $user->id);
+
+ $this->assert_false(access::user_can($user, "view", $item), "Should not be able to view");
+ }
+
public function adding_and_removing_items_adds_ands_removes_rows_test() {
$root = ORM::factory("item", 1);
$item = album::create($root, rand(), "test album");
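Review bot: `owner_cant_view_photo_test` may not exercise the deny at all. The user is stripped of every group before the check, and the group loop is the only place the visible part of `access::user_can` grants `view`, so the final `assert_false` would presumably hold even without `access::deny(group::everybody(), "view", $album);`. Leaving the user in a group that can view, adding `$this->assert_true(access::user_can($user, "view", $item));` before the deny and keeping the `assert_false` after it, would make the negative case meaningful. The same group stripping makes it unclear how the two `owner_can_view_*` tests are expected to pass, which is worth confirming against the part of `user_can` outside this patch. All three tests also reuse the user name `access_test`; if `user::create` enforces unique names and nothing removes the user between tests, the later ones would fail in setup.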
--
cgit v1.2.3
From 5fd82a2edea41209a6936f89c56bbd53083ed182 Mon Sep 17 00:00:00 2001
From: Tim Almdal
Date: Mon, 27 Jul 2009 11:13:20 -0700
Subject: Back out the fix for ticket #452 Revert "Changed access::user_can to
force the owner of an item to have"
This reverts commit 0b97cfd6f098be08be5f3cf1dbca1cce580ae330.
---
modules/gallery/helpers/access.php | 17 ++---------
modules/gallery/tests/Access_Helper_Test.php | 42 ----------------------------
2 files changed, 3 insertions(+), 56 deletions(-)
(limited to 'modules/gallery/tests')
diff --git a/modules/gallery/helpers/access.php b/modules/gallery/helpers/access.php
index 79394d35..8c6f5d54 100644
--- a/modules/gallery/helpers/access.php
+++ b/modules/gallery/helpers/access.php
@@ -95,24 +95,13 @@ class access_Core {
return false;
}
- if ($user->admin) {
+ if ($user->admin && $item->owner_id == $user->id) {
return true;
}
- print "Before owner id check\n";
- if ($item->owner_id == $user->id &&
- in_array($perm_name, array("view_full", "edit", "add"))) {
- return true;
- }
-
- if ($perm_name == "view") {
- $resource = $item->owner_id == $user->id ? $item->parent() : $item;
- } else {
- $resource = model_cache::get("access_cache", $item->id, "item_id");
- }
- print Kohana::debug($resource->as_array()) . "\n";
+ $resource = $perm_name == "view" ?
+ $item : model_cache::get("access_cache", $item->id, "item_id");
foreach ($user->groups as $group) {
- print "$group->name\n";
if ($resource->__get("{$perm_name}_{$group->id}") === self::ALLOW) {
return true;
}
diff --git a/modules/gallery/tests/Access_Helper_Test.php b/modules/gallery/tests/Access_Helper_Test.php
index 737ed8a6..59cec453 100644
--- a/modules/gallery/tests/Access_Helper_Test.php
+++ b/modules/gallery/tests/Access_Helper_Test.php
@@ -101,48 +101,6 @@ class Access_Helper_Test extends Unit_Test_Case {
$this->assert_false(access::user_can($user, "view", $item), "Should be unable to view");
}
- public function owner_can_view_album_test() {
- $user = user::create("access_test", "Access Test", "");
- foreach ($user->groups as $group) {
- $user->remove($group);
- }
- $user->save();
-
- $root = ORM::factory("item", 1);
- $item = album::create($root, rand(), "test album", $user->id);
-
- $this->assert_true(access::user_can($user, "view", $item), "Should be able to view");
- }
-
- public function owner_can_view_photo_test() {
- $user = user::create("access_test", "Access Test", "");
- foreach ($user->groups as $group) {
- $user->remove($group);
- }
- $user->save();
-
- $root = ORM::factory("item", 1);
- $album = album::create($root, rand(), "test album", $user->id);
- $item = photo::create($album, MODPATH . "gallery/images/gallery.png", "", "", null, $user->id);
-
- $this->assert_true(access::user_can($user, "view", $item), "Should be able to view");
- }
-
- public function owner_cant_view_photo_test() {
- $user = user::create("access_test", "Access Test", "");
- foreach ($user->groups as $group) {
- $user->remove($group);
- }
- $user->save();
-
- $root = ORM::factory("item", 1);
- $album = album::create($root, rand(), "test album");
- access::deny(group::everybody(), "view", $album);
- $item = photo::create($album, MODPATH . "gallery/images/gallery.png", "", "", null, $user->id);
-
- $this->assert_false(access::user_can($user, "view", $item), "Should not be able to view");
- }
-
public function adding_and_removing_items_adds_ands_removes_rows_test() {
$root = ORM::factory("item", 1);
$item = album::create($root, rand(), "test album");
--
cgit v1.2.3
From b3fe70e654c1519f8f1d54a80f99d0af7a8f2e49 Mon Sep 17 00:00:00 2001
From: Bharat Mediratta
Date: Mon, 27 Jul 2009 11:34:27 -0700
Subject: Updated.
---
modules/gallery/tests/xss_data.txt | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
(limited to 'modules/gallery/tests')
diff --git a/modules/gallery/tests/xss_data.txt b/modules/gallery/tests/xss_data.txt
index 2940a8df..45f7c7ec 100644
--- a/modules/gallery/tests/xss_data.txt
+++ b/modules/gallery/tests/xss_data.txt
@@ -163,9 +163,9 @@ modules/gallery/views/admin_maintenance_show_log.html.php 8 DIRTY $task->id
modules/gallery/views/admin_maintenance_show_log.html.php 8 DIRTY $csrf
modules/gallery/views/admin_maintenance_show_log.html.php 13 DIRTY $task->name
modules/gallery/views/admin_maintenance_show_log.html.php 15 $task->get_log()
-modules/gallery/views/admin_maintenance_task.html.php 5 DIRTY $task->id
-modules/gallery/views/admin_maintenance_task.html.php 5 DIRTY $csrf
-modules/gallery/views/admin_maintenance_task.html.php 26 DIRTY $task->name
+modules/gallery/views/admin_maintenance_task.html.php 23 DIRTY $task->id
+modules/gallery/views/admin_maintenance_task.html.php 23 DIRTY $csrf
+modules/gallery/views/admin_maintenance_task.html.php 47 DIRTY $task->name
modules/gallery/views/admin_modules.html.php 19 DIRTY $i
modules/gallery/views/admin_modules.html.php 22 DIRTY $data
modules/gallery/views/admin_modules.html.php 22 DIRTY $module_name
@@ -567,11 +567,11 @@ themes/default/views/dynamic.html.php 29 DIRTY $theme->p
themes/default/views/footer.html.php 2 DIRTY $theme->footer()
themes/default/views/footer.html.php 4 DIRTY $footer_text
themes/default/views/footer.html.php 9 DIRTY $theme->credits()
-themes/default/views/header.html.php 2 DIRTY $theme->header_top()
-themes/default/views/header.html.php 4 DIRTY $header_text
-themes/default/views/header.html.php 7 DIRTY $theme->url("images/logo.png")
+themes/default/views/header.html.php 3 DIRTY $theme->header_top()
+themes/default/views/header.html.php 5 DIRTY $header_text
+themes/default/views/header.html.php 8 DIRTY $theme->url("images/logo.png")
themes/default/views/header.html.php 12 DIRTY $theme->site_menu()
-themes/default/views/header.html.php 15 DIRTY $theme->header_bottom()
+themes/default/views/header.html.php 14 DIRTY $theme->header_bottom()
themes/default/views/header.html.php 21 DIRTY $parent->id
themes/default/views/header.html.php 21 DIRTY $item->id
themes/default/views/header.html.php 22 $parent->title
--
cgit v1.2.3
From 1f014aae6c16bbda62d8f5937180f11ccb0eb1b1 Mon Sep 17 00:00:00 2001
From: Tim Almdal
Date: Mon, 27 Jul 2009 12:39:12 -0700
Subject: Allow a theme to override the page refresh mechanism. Create a new
javascript lib (gallery.reload.js) which defines the functions
gallery_reload() and gallery_location(new_location). They just do a
window.location.reload() and window.location = new_location.
This change breaks the assumption that all themes will handle page reloads
the same and allows the theme to customize the page refresh.
---
lib/gallery.dialog.js | 4 +-
lib/gallery.panel.js | 4 +-
lib/gallery.reload.js | 16 +++++
modules/gallery/js/quick.js | 4 +-
modules/gallery/tests/xss_data.txt | 68 +++++++++++-----------
.../views/admin_maintenance_show_log.html.php | 2 +-
.../gallery/views/admin_maintenance_task.html.php | 2 +-
modules/organize/js/organize.js | 2 +-
.../views/server_add_tree_dialog.html.php | 2 +-
modules/tag/js/tag.js | 2 +-
themes/admin_default/views/admin.html.php | 2 +
themes/default/views/page.html.php | 2 +
12 files changed, 66 insertions(+), 44 deletions(-)
create mode 100644 lib/gallery.reload.js
(limited to 'modules/gallery/tests')
diff --git a/lib/gallery.dialog.js b/lib/gallery.dialog.js
index 74c2f20e..0efcf120 100644
--- a/lib/gallery.dialog.js
+++ b/lib/gallery.dialog.js
@@ -25,9 +25,9 @@ function ajaxify_dialog() {
}
if (data.result == "success") {
if (data.location) {
- window.location = data.location;
+ $.gallery_location(data.location);
} else {
- window.location.reload();
+ $.gallery_reload();
}
}
}
diff --git a/lib/gallery.panel.js b/lib/gallery.panel.js
index 022e4878..26be11ad 100644
--- a/lib/gallery.panel.js
+++ b/lib/gallery.panel.js
@@ -40,9 +40,9 @@ function togglePanel(element, on_success) {
if (on_success) {
on_success();
} else if (data.location) {
- window.location = data.location;
+ $.gallery_location(data.location);
} else {
- window.location.reload();
+ $.gallery_reload();
}
}
}
diff --git a/lib/gallery.reload.js b/lib/gallery.reload.js
new file mode 100644
index 00000000..2c8752a0
--- /dev/null
+++ b/lib/gallery.reload.js
@@ -0,0 +1,16 @@
+/**
+ * To change this template, choose Tools | Templates
+ * and open the template in the editor.
+ */
+(function ($) {
+ $.gallery_reload = function() {
+ window.location.reload();
+ };
+})(jQuery);
+
+// Vertically align a block element's content
+(function ($) {
+ $.gallery_location = function(location) {
+ window.location = location;
+ };
+})(jQuery);
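Review bot: `$.gallery_location` assigns whatever string it receives to `window.location`, and the callers changed in this commit (gallery.dialog.js, gallery.panel.js, quick.js) pass `data.location` from an AJAX response unchanged. Since this function is now the single point for those redirects, it is the natural place to accept only http(s) targets, so a `javascript:` or other unexpected scheme in a response cannot be navigated to. One way is to resolve the value through an anchor element and check its protocol, as sketched below; how older browsers resolve relative URLs on a detached anchor should be tested. The two comments in the file are also leftovers: the header is IDE template text, and `// Vertically align a block element's content` does not describe this function.

```javascript
(function ($) {
  $.gallery_location = function(location) {
    // Resolve via an anchor so relative URLs still work, then allow only http(s).
    var parser = document.createElement("a");
    parser.href = location;
    if (parser.protocol === "http:" || parser.protocol === "https:") {
      window.location = parser.href;
    }
  };
})(jQuery);
```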
diff --git a/modules/gallery/js/quick.js b/modules/gallery/js/quick.js
index fda6470f..4753808e 100644
--- a/modules/gallery/js/quick.js
+++ b/modules/gallery/js/quick.js
@@ -67,9 +67,9 @@ var quick_do = function(cont, pane, img) {
img.css("margin-top", 0);
}
} else if (data.location) {
- window.location = data.location;
+ $.gallery_location(data.location);
} else if (data.reload) {
- window.location.reload();
+ $.gallery_reload();
}
}
});
diff --git a/modules/gallery/tests/xss_data.txt b/modules/gallery/tests/xss_data.txt
index 45f7c7ec..b1cb295b 100644
--- a/modules/gallery/tests/xss_data.txt
+++ b/modules/gallery/tests/xss_data.txt
@@ -498,24 +498,25 @@ themes/admin_default/views/admin.html.php 20 DIRTY $theme->s
themes/admin_default/views/admin.html.php 21 DIRTY $theme->script("jquery.form.js")
themes/admin_default/views/admin.html.php 22 DIRTY $theme->script("jquery-ui.js")
themes/admin_default/views/admin.html.php 23 DIRTY $theme->script("gallery.common.js")
-themes/admin_default/views/admin.html.php 28 DIRTY $theme->script("gallery.dialog.js")
-themes/admin_default/views/admin.html.php 29 DIRTY $theme->script("superfish/js/superfish.js")
-themes/admin_default/views/admin.html.php 30 DIRTY $theme->script("jquery.dropshadow.js")
-themes/admin_default/views/admin.html.php 31 DIRTY $theme->script("ui.init.js")
-themes/admin_default/views/admin.html.php 33 DIRTY $theme->admin_head()
-themes/admin_default/views/admin.html.php 36 DIRTY $theme->body_attributes()
-themes/admin_default/views/admin.html.php 37 DIRTY $theme->admin_page_top()
-themes/admin_default/views/admin.html.php 43 DIRTY $theme->site_status()
-themes/admin_default/views/admin.html.php 45 DIRTY $theme->admin_header_top()
-themes/admin_default/views/admin.html.php 48 DIRTY $csrf
-themes/admin_default/views/admin.html.php 54 DIRTY $theme->admin_menu()
-themes/admin_default/views/admin.html.php 56 DIRTY $theme->admin_header_bottom()
-themes/admin_default/views/admin.html.php 62 DIRTY $theme->messages()
-themes/admin_default/views/admin.html.php 63 DIRTY $content
-themes/admin_default/views/admin.html.php 69 DIRTY $sidebar
-themes/admin_default/views/admin.html.php 74 DIRTY $theme->admin_footer()
-themes/admin_default/views/admin.html.php 76 DIRTY $theme->admin_credits()
-themes/admin_default/views/admin.html.php 80 DIRTY $theme->admin_page_bottom()
+themes/admin_default/views/admin.html.php 25 DIRTY $theme->script("gallery.reload.js")
+themes/admin_default/views/admin.html.php 30 DIRTY $theme->script("gallery.dialog.js")
+themes/admin_default/views/admin.html.php 31 DIRTY $theme->script("superfish/js/superfish.js")
+themes/admin_default/views/admin.html.php 32 DIRTY $theme->script("jquery.dropshadow.js")
+themes/admin_default/views/admin.html.php 33 DIRTY $theme->script("ui.init.js")
+themes/admin_default/views/admin.html.php 35 DIRTY $theme->admin_head()
+themes/admin_default/views/admin.html.php 38 DIRTY $theme->body_attributes()
+themes/admin_default/views/admin.html.php 39 DIRTY $theme->admin_page_top()
+themes/admin_default/views/admin.html.php 45 DIRTY $theme->site_status()
+themes/admin_default/views/admin.html.php 47 DIRTY $theme->admin_header_top()
+themes/admin_default/views/admin.html.php 50 DIRTY $csrf
+themes/admin_default/views/admin.html.php 56 DIRTY $theme->admin_menu()
+themes/admin_default/views/admin.html.php 58 DIRTY $theme->admin_header_bottom()
+themes/admin_default/views/admin.html.php 64 DIRTY $theme->messages()
+themes/admin_default/views/admin.html.php 65 DIRTY $content
+themes/admin_default/views/admin.html.php 71 DIRTY $sidebar
+themes/admin_default/views/admin.html.php 76 DIRTY $theme->admin_footer()
+themes/admin_default/views/admin.html.php 78 DIRTY $theme->admin_credits()
+themes/admin_default/views/admin.html.php 82 DIRTY $theme->admin_page_bottom()
themes/admin_default/views/block.html.php 2 DIRTY $id
themes/admin_default/views/block.html.php 2 DIRTY $css_id
themes/admin_default/views/block.html.php 5 DIRTY $id
@@ -603,21 +604,22 @@ themes/default/views/page.html.php 48 DIRTY $theme->s
themes/default/views/page.html.php 49 DIRTY $theme->script("jquery.form.js")
themes/default/views/page.html.php 50 DIRTY $theme->script("jquery-ui.js")
themes/default/views/page.html.php 51 DIRTY $theme->script("gallery.common.js")
-themes/default/views/page.html.php 56 DIRTY $theme->script("gallery.dialog.js")
-themes/default/views/page.html.php 57 DIRTY $theme->script("gallery.form.js")
-themes/default/views/page.html.php 58 DIRTY $theme->script("superfish/js/superfish.js")
-themes/default/views/page.html.php 59 DIRTY $theme->script("jquery.localscroll.js")
-themes/default/views/page.html.php 60 DIRTY $theme->script("ui.init.js")
-themes/default/views/page.html.php 64 DIRTY $theme->script("jquery.scrollTo.js")
-themes/default/views/page.html.php 65 DIRTY $theme->script("gallery.show_full_size.js")
-themes/default/views/page.html.php 67 DIRTY $theme->script("flowplayer.js")
-themes/default/views/page.html.php 70 DIRTY $theme->head()
-themes/default/views/page.html.php 73 DIRTY $theme->body_attributes()
-themes/default/views/page.html.php 74 DIRTY $theme->page_top()
-themes/default/views/page.html.php 76 DIRTY $theme->site_status()
-themes/default/views/page.html.php 84 DIRTY $theme->messages()
-themes/default/views/page.html.php 85 DIRTY $content
-themes/default/views/page.html.php 99 DIRTY $theme->page_bottom()
+themes/default/views/page.html.php 53 DIRTY $theme->script("gallery.reload.js")
+themes/default/views/page.html.php 58 DIRTY $theme->script("gallery.dialog.js")
+themes/default/views/page.html.php 59 DIRTY $theme->script("gallery.form.js")
+themes/default/views/page.html.php 60 DIRTY $theme->script("superfish/js/superfish.js")
+themes/default/views/page.html.php 61 DIRTY $theme->script("jquery.localscroll.js")
+themes/default/views/page.html.php 62 DIRTY $theme->script("ui.init.js")
+themes/default/views/page.html.php 66 DIRTY $theme->script("jquery.scrollTo.js")
+themes/default/views/page.html.php 67 DIRTY $theme->script("gallery.show_full_size.js")
+themes/default/views/page.html.php 69 DIRTY $theme->script("flowplayer.js")
+themes/default/views/page.html.php 72 DIRTY $theme->head()
+themes/default/views/page.html.php 75 DIRTY $theme->body_attributes()
+themes/default/views/page.html.php 76 DIRTY $theme->page_top()
+themes/default/views/page.html.php 78 DIRTY $theme->site_status()
+themes/default/views/page.html.php 86 DIRTY $theme->messages()
+themes/default/views/page.html.php 87 DIRTY $content
+themes/default/views/page.html.php 101 DIRTY $theme->page_bottom()
themes/default/views/pager.html.php 13 DIRTY $url
themes/default/views/pager.html.php 20 DIRTY $previous_page
themes/default/views/pager.html.php 20 DIRTY $url
diff --git a/modules/gallery/views/admin_maintenance_show_log.html.php b/modules/gallery/views/admin_maintenance_show_log.html.php
index 9d850986..ac593de7 100644
--- a/modules/gallery/views/admin_maintenance_show_log.html.php
+++ b/modules/gallery/views/admin_maintenance_show_log.html.php
@@ -1,7 +1,7 @@
diff --git a/modules/organize/js/organize.js b/modules/organize/js/organize.js
index f10cbcc9..12d8a5b5 100644
--- a/modules/organize/js/organize.js
+++ b/modules/organize/js/organize.js
@@ -374,7 +374,7 @@ function organize_dialog_init() {
}
$("#gDialog").bind("organize_close", function(target) {
- document.location.reload();
+ $.gallery_reload();
});
heightMicroThumbPanel -= 2 * parseFloat($("#gDialog").css("padding-top"));
diff --git a/modules/server_add/views/server_add_tree_dialog.html.php b/modules/server_add/views/server_add_tree_dialog.html.php
index 21952849..8dfd2c38 100644
--- a/modules/server_add/views/server_add_tree_dialog.html.php
+++ b/modules/server_add/views/server_add_tree_dialog.html.php
@@ -34,7 +34,7 @@
= t("Add") ?>
-
+
= t("Close") ?>
diff --git a/modules/tag/js/tag.js b/modules/tag/js/tag.js
index bbf44166..22a1a7a3 100644
--- a/modules/tag/js/tag.js
+++ b/modules/tag/js/tag.js
@@ -59,7 +59,7 @@ function editInPlace(element) {
closeEditInPlaceForms(); // close form
$("#gTag-" + data.tag_id).text(data.new_tagname); // update tagname
console.log(data);
- window.location.reload();
+ $.gallery_reload();
}
}
});
diff --git a/themes/admin_default/views/admin.html.php b/themes/admin_default/views/admin.html.php
index d27f9260..63fc45b5 100644
--- a/themes/admin_default/views/admin.html.php
+++ b/themes/admin_default/views/admin.html.php
@@ -21,6 +21,8 @@
= $theme->script("jquery.form.js") ?>
= $theme->script("jquery-ui.js") ?>
= $theme->script("gallery.common.js") ?>
+ /* Themes can override this to provide custom refresh handling */ ?>
+ = $theme->script("gallery.reload.js") ?>
/* MSG_CANCEL is required by gallery.dialog.js */ ?>
\n";
+ }
+
+ return implode("\n", $script);
+ }
+
+} // End Form Script
\ No newline at end of file
diff --git a/modules/gallery/tests/DrawForm_Test.php b/modules/gallery/tests/DrawForm_Test.php
index 2c5aaba4..dde54257 100644
--- a/modules/gallery/tests/DrawForm_Test.php
+++ b/modules/gallery/tests/DrawForm_Test.php
@@ -80,5 +80,44 @@ class DrawForm_Test extends Unit_Test_Case {
$this->assert_same($expected, $rendered);
}
+ function form_script_test() {
+ $form = new Forge("test/controller", "", "post", array("id" => "gTestGroupForm"));
+ $group = $form->group("test_group")->label(t("Test Group"));
+ $group->input("title")->label(t("Title"));
+ $group->textarea("description")->label(t("Text Area"));
+ $form->script("")
+ ->url(url::file("test.js"))
+ ->text("alert('Test Javascript');");
+ $group->submit("")->value(t("Submit"));
+ $rendered = $form->__toString();
+
+ $expected = "\n";
+ $this->assert_same($expected, $rendered);
+ }
}
diff --git a/modules/gallery/tests/xss_data.txt b/modules/gallery/tests/xss_data.txt
index b1cb295b..f3d50e71 100644
--- a/modules/gallery/tests/xss_data.txt
+++ b/modules/gallery/tests/xss_data.txt
@@ -444,8 +444,8 @@ modules/tag/views/admin_tags.html.php 50 DIRTY $tag->id
modules/tag/views/admin_tags.html.php 50 $tag->name
modules/tag/views/admin_tags.html.php 51 DIRTY $tag->count
modules/tag/views/admin_tags.html.php 52 DIRTY $tag->id
-modules/tag/views/tag_block.html.php 13 DIRTY $cloud
-modules/tag/views/tag_block.html.php 15 DIRTY $form
+modules/tag/views/tag_block.html.php 15 DIRTY $cloud
+modules/tag/views/tag_block.html.php 17 DIRTY $form
modules/tag/views/tag_cloud.html.php 4 DIRTY $tag->count
modules/tag/views/tag_cloud.html.php 4 DIRTY $max_count
modules/tag/views/tag_cloud.html.php 5 DIRTY $tag->count
diff --git a/modules/gallery/views/form.html.php b/modules/gallery/views/form.html.php
index ec2a56a9..730d77cb 100644
--- a/modules/gallery/views/form.html.php
+++ b/modules/gallery/views/form.html.php
@@ -40,6 +40,8 @@ if (!function_exists("DrawForm")) {
print "$prefix {$hidden->render()}\n";
}
print "$prefix\n";
+ } else if ($input->type == 'script') {
+ print $input->render();
} else {
if ($input->error_messages()) {
print "$prefix\n";
--
cgit v1.2.3
From 2f969c80eb2e228f2c5729c6f4660c99555f9c9f Mon Sep 17 00:00:00 2001
From: Tim Almdal
Date: Tue, 28 Jul 2009 11:59:58 +0800
Subject: Create A Forge Script element. Form_Script allows the specification
of either a url to a script file or in line text which will be included in a
script block.
Signed-off-by: Tim Almdal
---
modules/gallery/libraries/Form_Script.php | 66 +++++++++++++++++++++++++++++++
modules/gallery/tests/DrawForm_Test.php | 39 ++++++++++++++++++
modules/gallery/tests/xss_data.txt | 4 +-
modules/gallery/views/form.html.php | 2 +
4 files changed, 109 insertions(+), 2 deletions(-)
create mode 100644 modules/gallery/libraries/Form_Script.php
(limited to 'modules/gallery/tests')
diff --git a/modules/gallery/libraries/Form_Script.php b/modules/gallery/libraries/Form_Script.php
new file mode 100644
index 00000000..e841408d
--- /dev/null
+++ b/modules/gallery/libraries/Form_Script.php
@@ -0,0 +1,66 @@
+ false,
+ "type" => "script",
+ "url" => "",
+ "text" => "");
+
+ public function __construct($name) {
+ // Set dummy data so we don"t get errors
+ $this->attr["action"] = "";
+ $this->attr["method"] = "post";
+ $this->data["name"] = $name;
+ }
+
+ public function __get($key) {
+ return isset($this->data[$key]) ? $this->data[$key] : null;
+ }
+
+ /**
+ * Sets url attribute
+ */
+ public function url($url) {
+ $this->data["url"] = $url;
+
+ return $this;
+ }
+
+ public function text($script_text) {
+ $this->data["text"] = $script_text;
+
+ return $this;
+ }
+
+ public function render() {
+ $script = array();
+ if (!empty($this->data["url"])) {
+ $script[] = html::script($this->data["url"]);
+ }
+
+ if (!empty($this->data["text"])) {
+ $script[] = "\n";
+ }
+
+ return implode("\n", $script);
+ }
+
+} // End Form Script
\ No newline at end of file
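Review bot: `text()` and `render()` have no documentation of their trust contract. `text()` stores its argument unchanged in `$this->data["text"]`, and per the commit description `render()` places it inside a script block. The line that builds that block is damaged in this copy of the patch, so whether anything is escaped cannot be confirmed here. I would add a docblock to `text()` along the lines of `/** Sets the inline script body. Emitted verbatim inside a script element; callers must pass only trusted, static code, never request or user data. */`, and a matching note on `url()` that the value is handed to `html::script()` as given. If user-derived values ever need to reach the script, they should be encoded by the caller (for example with `json_encode`) rather than concatenated into the text.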
diff --git a/modules/gallery/tests/DrawForm_Test.php b/modules/gallery/tests/DrawForm_Test.php
index 2c5aaba4..dde54257 100644
--- a/modules/gallery/tests/DrawForm_Test.php
+++ b/modules/gallery/tests/DrawForm_Test.php
@@ -80,5 +80,44 @@ class DrawForm_Test extends Unit_Test_Case {
$this->assert_same($expected, $rendered);
}
+ function form_script_test() {
+ $form = new Forge("test/controller", "", "post", array("id" => "gTestGroupForm"));
+ $group = $form->group("test_group")->label(t("Test Group"));
+ $group->input("title")->label(t("Title"));
+ $group->textarea("description")->label(t("Text Area"));
+ $form->script("")
+ ->url(url::file("test.js"))
+ ->text("alert('Test Javascript');");
+ $group->submit("")->value(t("Submit"));
+ $rendered = $form->__toString();
+
+ $expected = "\n" .
+ " \n" .
+ " \n" .
+ " Test Group \n" .
+ " \n" .
+ " \n" .
+ "\n\n" .
+ "\n" .
+ " \n";
+ $this->assert_same($expected, $rendered);
+ }
}
diff --git a/modules/gallery/tests/xss_data.txt b/modules/gallery/tests/xss_data.txt
index 45f7c7ec..cc9261e5 100644
--- a/modules/gallery/tests/xss_data.txt
+++ b/modules/gallery/tests/xss_data.txt
@@ -444,8 +444,8 @@ modules/tag/views/admin_tags.html.php 50 DIRTY $tag->id
modules/tag/views/admin_tags.html.php 50 $tag->name
modules/tag/views/admin_tags.html.php 51 DIRTY $tag->count
modules/tag/views/admin_tags.html.php 52 DIRTY $tag->id
-modules/tag/views/tag_block.html.php 13 DIRTY $cloud
-modules/tag/views/tag_block.html.php 15 DIRTY $form
+modules/tag/views/tag_block.html.php 15 DIRTY $cloud
+modules/tag/views/tag_block.html.php 17 DIRTY $form
modules/tag/views/tag_cloud.html.php 4 DIRTY $tag->count
modules/tag/views/tag_cloud.html.php 4 DIRTY $max_count
modules/tag/views/tag_cloud.html.php 5 DIRTY $tag->count
diff --git a/modules/gallery/views/form.html.php b/modules/gallery/views/form.html.php
index ec2a56a9..730d77cb 100644
--- a/modules/gallery/views/form.html.php
+++ b/modules/gallery/views/form.html.php
@@ -40,6 +40,8 @@ if (!function_exists("DrawForm")) {
print "$prefix {$hidden->render()}\n";
}
print "$prefix\n";
+ } else if ($input->type == 'script') {
+ print $input->render();
} else {
if ($input->error_messages()) {
print "$prefix\n";
--
cgit v1.2.3
From 2e8f73d4e96e4e114493f703a5c2c0207fad5cf5 Mon Sep 17 00:00:00 2001
From: Tim Almdal
Date: Tue, 28 Jul 2009 05:40:28 -0700
Subject: Revert commit 078c77a62b623322956457bfd7bfbdaf56203b00 and change the
tag_event:item_edit_form to use the new Form_Script library to inject script
into a form.
---
modules/gallery/controllers/albums.php | 5 ++---
modules/gallery/controllers/movies.php | 5 ++---
modules/gallery/controllers/photos.php | 5 ++---
modules/gallery/helpers/album.php | 14 ++++++--------
modules/gallery/helpers/photo.php | 14 ++++++--------
modules/gallery/tests/xss_data.txt | 2 --
modules/gallery/views/item_edit.html.php | 9 ---------
modules/tag/helpers/tag_event.php | 18 +++++++-----------
modules/tag/js/tag.js | 1 +
9 files changed, 26 insertions(+), 47 deletions(-)
delete mode 100644 modules/gallery/views/item_edit.html.php
(limited to 'modules/gallery/tests')
diff --git a/modules/gallery/controllers/albums.php b/modules/gallery/controllers/albums.php
index 4fefd3a1..56b74cb1 100644
--- a/modules/gallery/controllers/albums.php
+++ b/modules/gallery/controllers/albums.php
@@ -166,8 +166,7 @@ class Albums_Controller extends Items_Controller {
access::required("view", $album);
access::required("edit", $album);
- $view = album::get_edit_form($album);
- $form = $view->form;
+ $form = album::get_edit_form($album);
if ($valid = $form->validate()) {
// Make sure that there's not a conflict
if ($album->id != 1 &&
@@ -203,7 +202,7 @@ class Albums_Controller extends Items_Controller {
} else {
print json_encode(
array("result" => "error",
- "form" => $view->__toString()));
+ "form" => $form->__toString()));
}
}
diff --git a/modules/gallery/controllers/movies.php b/modules/gallery/controllers/movies.php
index 1391c4b4..c8227d74 100644
--- a/modules/gallery/controllers/movies.php
+++ b/modules/gallery/controllers/movies.php
@@ -70,8 +70,7 @@ class Movies_Controller extends Items_Controller {
access::required("view", $photo);
access::required("edit", $photo);
- $view = photo::get_edit_form($photo);
- $form = $view->form;
+ $form = photo::get_edit_form($photo);
if ($valid = $form->validate()) {
// Make sure that there's not a conflict
if (Database::instance()
@@ -102,7 +101,7 @@ class Movies_Controller extends Items_Controller {
} else {
print json_encode(
array("result" => "error",
- "form" => $view->__toString()));
+ "form" => $form->__toString()));
}
}
diff --git a/modules/gallery/controllers/photos.php b/modules/gallery/controllers/photos.php
index 9d9b25a1..8ee24da8 100644
--- a/modules/gallery/controllers/photos.php
+++ b/modules/gallery/controllers/photos.php
@@ -61,8 +61,7 @@ class Photos_Controller extends Items_Controller {
access::required("view", $photo);
access::required("edit", $photo);
- $view = photo::get_edit_form($photo);
- $form = $view->form;
+ $form = photo::get_edit_form($photo);
if ($valid = $form->validate()) {
if ($form->edit_item->filename->value != $photo->name) {
// Make sure that there's not a conflict
@@ -95,7 +94,7 @@ class Photos_Controller extends Items_Controller {
} else {
print json_encode(
array("result" => "error",
- "form" => $view->__toString()));
+ "form" => $form->__toString()));
}
}
diff --git a/modules/gallery/helpers/album.php b/modules/gallery/helpers/album.php
index f146bfb3..6065f580 100644
--- a/modules/gallery/helpers/album.php
+++ b/modules/gallery/helpers/album.php
@@ -94,11 +94,9 @@ class album_Core {
}
static function get_edit_form($parent) {
- $view = new View("item_edit.html");
- $view->script = array();
- $view->form = new Forge("albums/{$parent->id}", "", "post", array("id" => "gEditAlbumForm"));
- $view->form->hidden("_method")->value("put");
- $group = $view->form->group("edit_item")->label(t("Edit Album"));
+ $form = new Forge("albums/{$parent->id}", "", "post", array("id" => "gEditAlbumForm"));
+ $form->hidden("_method")->value("put");
+ $group = $form->group("edit_item")->label(t("Edit Album"));
$group->input("title")->label(t("Title"))->value($parent->title);
$group->textarea("description")->label(t("Description"))->value($parent->description);
@@ -130,11 +128,11 @@ class album_Core {
"DESC" => t("Descending")))
->selected($parent->sort_order);
- module::event("item_edit_form", $parent, $view);
+ module::event("item_edit_form", $parent, $form);
$group->hidden("type")->value("album");
$group->submit("")->value(t("Modify"));
- $view->form->add_rules_from(ORM::factory("item"));
- return $view;
+ $form->add_rules_from(ORM::factory("item"));
+ return $form;
}
}
diff --git a/modules/gallery/helpers/photo.php b/modules/gallery/helpers/photo.php
index 299195e9..5cf37de1 100644
--- a/modules/gallery/helpers/photo.php
+++ b/modules/gallery/helpers/photo.php
@@ -135,11 +135,9 @@ class photo_Core {
}
static function get_edit_form($photo) {
- $view = new View("item_edit.html");
- $view->script = array();
- $view->form = new Forge("photos/$photo->id", "", "post", array("id" => "gEditPhotoForm"));
- $view->form->hidden("_method")->value("put");
- $group = $view->form->group("edit_item")->label(t("Edit Photo"));
+ $form = new Forge("photos/$photo->id", "", "post", array("id" => "gEditPhotoForm"));
+ $form->hidden("_method")->value("put");
+ $group = $form->group("edit_item")->label(t("Edit Photo"));
$group->input("title")->label(t("Title"))->value($photo->title);
$group->textarea("description")->label(t("Description"))->value($photo->description);
$group->input("filename")->label(t("Filename"))->value($photo->name)
@@ -149,11 +147,11 @@ class photo_Core {
->callback("item::validate_no_trailing_period")
->error_messages("no_trailing_period", t("The photo name can't end in \".\""));
- module::event("item_edit_form", $photo, $view);
+ module::event("item_edit_form", $photo, $form);
$group->submit("")->value(t("Modify"));
- $view->form->add_rules_from(ORM::factory("item"));
- return $view;
+ $form->add_rules_from(ORM::factory("item"));
+ return $form;
}
/**
diff --git a/modules/gallery/tests/xss_data.txt b/modules/gallery/tests/xss_data.txt
index f3d50e71..5335a812 100644
--- a/modules/gallery/tests/xss_data.txt
+++ b/modules/gallery/tests/xss_data.txt
@@ -207,8 +207,6 @@ modules/gallery/views/admin_themes_preview.html.php 4 DIRTY $info->na
modules/gallery/views/admin_themes_preview.html.php 7 DIRTY $url
modules/gallery/views/after_install.html.php 11 $user->name
modules/gallery/views/after_install.html.php 15 DIRTY $user->id
-modules/gallery/views/item_edit.html.php 4 DIRTY $script
-modules/gallery/views/item_edit.html.php 8 DIRTY $form
modules/gallery/views/kohana_error_page.php 102 DIRTY $message
modules/gallery/views/kohana_error_page.php 104 DIRTY $file
modules/gallery/views/kohana_error_page.php 104 DIRTY $line
diff --git a/modules/gallery/views/item_edit.html.php b/modules/gallery/views/item_edit.html.php
deleted file mode 100644
index 9aa2fb64..00000000
--- a/modules/gallery/views/item_edit.html.php
+++ /dev/null
@@ -1,9 +0,0 @@
-
- if (!empty($script)): ?>
-
- endif ?>
-
- = $form ?>
-
\ No newline at end of file
diff --git a/modules/tag/helpers/tag_event.php b/modules/tag/helpers/tag_event.php
index 0cb49ffa..0fe8a393 100644
--- a/modules/tag/helpers/tag_event.php
+++ b/modules/tag/helpers/tag_event.php
@@ -64,19 +64,15 @@ class tag_event_Core {
tag::compact();
}
- static function item_edit_form($item, $view) {
+ static function item_edit_form($item, $form) {
$url = url::site("tags/autocomplete");
- $view->script[] = "$('#gEditFormContainer form').ready(function() {
- $('#gEditFormContainer form input[id=tags]').autocomplete(
- '$url',
- {max: 30,
- multiple: true,
- multipleSeparator: ',',
- cacheLength: 1}
- );
- });";
+ $form->script("")
+ ->text("$('form input[id=tags]').ready(function() {
+ $('form input[id=tags]').autocomplete(
+ '$url', {max: 30, multiple: true, multipleSeparator: ',', cacheLength: 1});
+ });");
$tag_value = implode(", ", tag::item_tags($item));
- $view->form->edit_item->input("tags")->label(t("Tags (comma separated)"))
+ $form->edit_item->input("tags")->label(t("Tags (comma separated)"))
->value($tag_value);
}
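Review bot: `$url` is interpolated directly into a single-quoted JavaScript literal in the `->text(...)` call, so a quote, backslash or `</script>` sequence in the generated site URL would end the string or the script element. Whether `url::site()` can ever return such characters is not visible here, but encoding for the JS context removes the question: emit the literal with `json_encode($url)` and drop the surrounding quotes, i.e. `$('form input[id=tags]').autocomplete(" . json_encode($url) . ", {max: 30, ...});`. The selector was also widened from `#gEditFormContainer form input[id=tags]` to any `form input[id=tags]` on the page, which deserves a comment confirming that this is intended. The identical hunk appears again in commit a7f4d7aced009007d36e48685648e9bc3382f8cb later on this page.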
diff --git a/modules/tag/js/tag.js b/modules/tag/js/tag.js
index 5a435ecf..564de393 100644
--- a/modules/tag/js/tag.js
+++ b/modules/tag/js/tag.js
@@ -66,3 +66,4 @@ function editInPlace(element) {
};
ajaxify_editInPlaceForm();
}
+
--
cgit v1.2.3
From a7f4d7aced009007d36e48685648e9bc3382f8cb Mon Sep 17 00:00:00 2001
From: Tim Almdal
Date: Tue, 28 Jul 2009 20:40:28 +0800
Subject: Revert commit 078c77a62b623322956457bfd7bfbdaf56203b00 and change the
tag_event:item_edit_form to use the new Form_Script library to inject script
into a form.
Signed-off-by: Tim Almdal
---
modules/gallery/controllers/albums.php | 5 ++---
modules/gallery/controllers/movies.php | 5 ++---
modules/gallery/controllers/photos.php | 5 ++---
modules/gallery/helpers/album.php | 14 ++++++--------
modules/gallery/helpers/photo.php | 14 ++++++--------
modules/gallery/tests/xss_data.txt | 2 --
modules/gallery/views/item_edit.html.php | 9 ---------
modules/tag/helpers/tag_event.php | 18 +++++++-----------
modules/tag/js/tag.js | 1 +
9 files changed, 26 insertions(+), 47 deletions(-)
delete mode 100644 modules/gallery/views/item_edit.html.php
(limited to 'modules/gallery/tests')
diff --git a/modules/gallery/controllers/albums.php b/modules/gallery/controllers/albums.php
index 4fefd3a1..56b74cb1 100644
--- a/modules/gallery/controllers/albums.php
+++ b/modules/gallery/controllers/albums.php
@@ -166,8 +166,7 @@ class Albums_Controller extends Items_Controller {
access::required("view", $album);
access::required("edit", $album);
- $view = album::get_edit_form($album);
- $form = $view->form;
+ $form = album::get_edit_form($album);
if ($valid = $form->validate()) {
// Make sure that there's not a conflict
if ($album->id != 1 &&
@@ -203,7 +202,7 @@ class Albums_Controller extends Items_Controller {
} else {
print json_encode(
array("result" => "error",
- "form" => $view->__toString()));
+ "form" => $form->__toString()));
}
}
diff --git a/modules/gallery/controllers/movies.php b/modules/gallery/controllers/movies.php
index 1391c4b4..c8227d74 100644
--- a/modules/gallery/controllers/movies.php
+++ b/modules/gallery/controllers/movies.php
@@ -70,8 +70,7 @@ class Movies_Controller extends Items_Controller {
access::required("view", $photo);
access::required("edit", $photo);
- $view = photo::get_edit_form($photo);
- $form = $view->form;
+ $form = photo::get_edit_form($photo);
if ($valid = $form->validate()) {
// Make sure that there's not a conflict
if (Database::instance()
@@ -102,7 +101,7 @@ class Movies_Controller extends Items_Controller {
} else {
print json_encode(
array("result" => "error",
- "form" => $view->__toString()));
+ "form" => $form->__toString()));
}
}
diff --git a/modules/gallery/controllers/photos.php b/modules/gallery/controllers/photos.php
index 9d9b25a1..8ee24da8 100644
--- a/modules/gallery/controllers/photos.php
+++ b/modules/gallery/controllers/photos.php
@@ -61,8 +61,7 @@ class Photos_Controller extends Items_Controller {
access::required("view", $photo);
access::required("edit", $photo);
- $view = photo::get_edit_form($photo);
- $form = $view->form;
+ $form = photo::get_edit_form($photo);
if ($valid = $form->validate()) {
if ($form->edit_item->filename->value != $photo->name) {
// Make sure that there's not a conflict
@@ -95,7 +94,7 @@ class Photos_Controller extends Items_Controller {
} else {
print json_encode(
array("result" => "error",
- "form" => $view->__toString()));
+ "form" => $form->__toString()));
}
}
diff --git a/modules/gallery/helpers/album.php b/modules/gallery/helpers/album.php
index f146bfb3..6065f580 100644
--- a/modules/gallery/helpers/album.php
+++ b/modules/gallery/helpers/album.php
@@ -94,11 +94,9 @@ class album_Core {
}
static function get_edit_form($parent) {
- $view = new View("item_edit.html");
- $view->script = array();
- $view->form = new Forge("albums/{$parent->id}", "", "post", array("id" => "gEditAlbumForm"));
- $view->form->hidden("_method")->value("put");
- $group = $view->form->group("edit_item")->label(t("Edit Album"));
+ $form = new Forge("albums/{$parent->id}", "", "post", array("id" => "gEditAlbumForm"));
+ $form->hidden("_method")->value("put");
+ $group = $form->group("edit_item")->label(t("Edit Album"));
$group->input("title")->label(t("Title"))->value($parent->title);
$group->textarea("description")->label(t("Description"))->value($parent->description);
@@ -130,11 +128,11 @@ class album_Core {
"DESC" => t("Descending")))
->selected($parent->sort_order);
- module::event("item_edit_form", $parent, $view);
+ module::event("item_edit_form", $parent, $form);
$group->hidden("type")->value("album");
$group->submit("")->value(t("Modify"));
- $view->form->add_rules_from(ORM::factory("item"));
- return $view;
+ $form->add_rules_from(ORM::factory("item"));
+ return $form;
}
}
diff --git a/modules/gallery/helpers/photo.php b/modules/gallery/helpers/photo.php
index 299195e9..5cf37de1 100644
--- a/modules/gallery/helpers/photo.php
+++ b/modules/gallery/helpers/photo.php
@@ -135,11 +135,9 @@ class photo_Core {
}
static function get_edit_form($photo) {
- $view = new View("item_edit.html");
- $view->script = array();
- $view->form = new Forge("photos/$photo->id", "", "post", array("id" => "gEditPhotoForm"));
- $view->form->hidden("_method")->value("put");
- $group = $view->form->group("edit_item")->label(t("Edit Photo"));
+ $form = new Forge("photos/$photo->id", "", "post", array("id" => "gEditPhotoForm"));
+ $form->hidden("_method")->value("put");
+ $group = $form->group("edit_item")->label(t("Edit Photo"));
$group->input("title")->label(t("Title"))->value($photo->title);
$group->textarea("description")->label(t("Description"))->value($photo->description);
$group->input("filename")->label(t("Filename"))->value($photo->name)
@@ -149,11 +147,11 @@ class photo_Core {
->callback("item::validate_no_trailing_period")
->error_messages("no_trailing_period", t("The photo name can't end in \".\""));
- module::event("item_edit_form", $photo, $view);
+ module::event("item_edit_form", $photo, $form);
$group->submit("")->value(t("Modify"));
- $view->form->add_rules_from(ORM::factory("item"));
- return $view;
+ $form->add_rules_from(ORM::factory("item"));
+ return $form;
}
/**
diff --git a/modules/gallery/tests/xss_data.txt b/modules/gallery/tests/xss_data.txt
index cc9261e5..82b039d7 100644
--- a/modules/gallery/tests/xss_data.txt
+++ b/modules/gallery/tests/xss_data.txt
@@ -207,8 +207,6 @@ modules/gallery/views/admin_themes_preview.html.php 4 DIRTY $info->na
modules/gallery/views/admin_themes_preview.html.php 7 DIRTY $url
modules/gallery/views/after_install.html.php 11 $user->name
modules/gallery/views/after_install.html.php 15 DIRTY $user->id
-modules/gallery/views/item_edit.html.php 4 DIRTY $script
-modules/gallery/views/item_edit.html.php 8 DIRTY $form
modules/gallery/views/kohana_error_page.php 102 DIRTY $message
modules/gallery/views/kohana_error_page.php 104 DIRTY $file
modules/gallery/views/kohana_error_page.php 104 DIRTY $line
diff --git a/modules/gallery/views/item_edit.html.php b/modules/gallery/views/item_edit.html.php
deleted file mode 100644
index 9aa2fb64..00000000
--- a/modules/gallery/views/item_edit.html.php
+++ /dev/null
@@ -1,9 +0,0 @@
-
- if (!empty($script)): ?>
-
- endif ?>
-
- = $form ?>
-
\ No newline at end of file
diff --git a/modules/tag/helpers/tag_event.php b/modules/tag/helpers/tag_event.php
index 0cb49ffa..0fe8a393 100644
--- a/modules/tag/helpers/tag_event.php
+++ b/modules/tag/helpers/tag_event.php
@@ -64,19 +64,15 @@ class tag_event_Core {
tag::compact();
}
- static function item_edit_form($item, $view) {
+ static function item_edit_form($item, $form) {
$url = url::site("tags/autocomplete");
- $view->script[] = "$('#gEditFormContainer form').ready(function() {
- $('#gEditFormContainer form input[id=tags]').autocomplete(
- '$url',
- {max: 30,
- multiple: true,
- multipleSeparator: ',',
- cacheLength: 1}
- );
- });";
+ $form->script("")
+ ->text("$('form input[id=tags]').ready(function() {
+ $('form input[id=tags]').autocomplete(
+ '$url', {max: 30, multiple: true, multipleSeparator: ',', cacheLength: 1});
+ });");
$tag_value = implode(", ", tag::item_tags($item));
- $view->form->edit_item->input("tags")->label(t("Tags (comma separated)"))
+ $form->edit_item->input("tags")->label(t("Tags (comma separated)"))
->value($tag_value);
}
diff --git a/modules/tag/js/tag.js b/modules/tag/js/tag.js
index a5aaa3f8..765c2a35 100644
--- a/modules/tag/js/tag.js
+++ b/modules/tag/js/tag.js
@@ -66,3 +66,4 @@ function editInPlace(element) {
};
ajaxify_editInPlaceForm();
}
+
--
cgit v1.2.3
From 031a19724ae361825f18d3e29d3fdf1fa9f9b303 Mon Sep 17 00:00:00 2001
From: Bharat Mediratta
Date: Thu, 30 Jul 2009 09:55:09 -0700
Subject: Update golden file
---
modules/gallery/tests/xss_data.txt | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'modules/gallery/tests')
diff --git a/modules/gallery/tests/xss_data.txt b/modules/gallery/tests/xss_data.txt
index 82b039d7..0e118ce7 100644
--- a/modules/gallery/tests/xss_data.txt
+++ b/modules/gallery/tests/xss_data.txt
@@ -163,9 +163,9 @@ modules/gallery/views/admin_maintenance_show_log.html.php 8 DIRTY $task->id
modules/gallery/views/admin_maintenance_show_log.html.php 8 DIRTY $csrf
modules/gallery/views/admin_maintenance_show_log.html.php 13 DIRTY $task->name
modules/gallery/views/admin_maintenance_show_log.html.php 15 $task->get_log()
-modules/gallery/views/admin_maintenance_task.html.php 23 DIRTY $task->id
-modules/gallery/views/admin_maintenance_task.html.php 23 DIRTY $csrf
-modules/gallery/views/admin_maintenance_task.html.php 47 DIRTY $task->name
+modules/gallery/views/admin_maintenance_task.html.php 30 DIRTY $task->id
+modules/gallery/views/admin_maintenance_task.html.php 30 DIRTY $csrf
+modules/gallery/views/admin_maintenance_task.html.php 54 DIRTY $task->name
modules/gallery/views/admin_modules.html.php 19 DIRTY $i
modules/gallery/views/admin_modules.html.php 22 DIRTY $data
modules/gallery/views/admin_modules.html.php 22 DIRTY $module_name
--
cgit v1.2.3
From 19d89f94f9939bbd879d6c8ead4e802f592ec808 Mon Sep 17 00:00:00 2001
From: Bharat Mediratta
Date: Thu, 30 Jul 2009 09:57:24 -0700
Subject: Remove debug statements
---
modules/gallery/tests/Item_Model_Test.php | 6 ------
1 file changed, 6 deletions(-)
(limited to 'modules/gallery/tests')
diff --git a/modules/gallery/tests/Item_Model_Test.php b/modules/gallery/tests/Item_Model_Test.php
index a21cdc13..c2773097 100644
--- a/modules/gallery/tests/Item_Model_Test.php
+++ b/modules/gallery/tests/Item_Model_Test.php
@@ -142,17 +142,11 @@ class Item_Model_Test extends Unit_Test_Case {
}
public function save_original_values_test() {
- print "START\n";
$item = $this->create_random_item();
$item->title = "ORIGINAL_VALUE";
$item->save();
-
- print "CHANGE\n";
$item->title = "NEW_VALUE";
- //printf("%s ",print_r($item,1));flush();
-
- print "COMPARE\n";
$this->assert_same("ORIGINAL_VALUE", $item->original("title"));
$this->assert_same("NEW_VALUE", $item->title);
}
--
cgit v1.2.3
From 7ad0808a117fd1db4e94da8d7763ccca1d69350a Mon Sep 17 00:00:00 2001
From: Bharat Mediratta
Date: Sun, 2 Aug 2009 12:09:00 -0700
Subject: Change the API for getting to the original state of an ORM. Old
API: $obj->original("field_name") New API: $obj->original()->field_name
This allows us to revert the various xxx_updated events back to passing
an original ORM as well as the updated one. This makes for a
cleaner event API.
Old API: comment_updated($comment) { $comment->original("field_name") }
New API: comment_updated($old, $new) { $old->field_name }
---
modules/akismet/helpers/akismet_event.php | 6 +++---
modules/comment/models/comment.php | 8 ++++----
modules/gallery/libraries/MY_ORM.php | 12 ++++++------
modules/gallery/models/item.php | 2 +-
modules/gallery/tests/Item_Model_Test.php | 2 +-
modules/notification/helpers/notification_event.php | 8 ++++----
modules/search/helpers/search_event.php | 4 ++--
modules/user/models/group.php | 2 +-
modules/user/models/user.php | 2 +-
9 files changed, 23 insertions(+), 23 deletions(-)
(limited to 'modules/gallery/tests')
diff --git a/modules/akismet/helpers/akismet_event.php b/modules/akismet/helpers/akismet_event.php
index d6cde222..cec6d95d 100644
--- a/modules/akismet/helpers/akismet_event.php
+++ b/modules/akismet/helpers/akismet_event.php
@@ -40,14 +40,14 @@ class akismet_event_Core {
$comment->save();
}
- static function comment_updated($comment) {
+ static function comment_updated($original, $new) {
if (!module::get_var("akismet", "api_key")) {
return;
}
- if ($comment->original("state") != "spam" && $comment->state == "spam") {
+ if ($original->state != "spam" && $new->state == "spam") {
akismet::submit_spam($new);
- } else if ($comment->original("state") == "spam" && $comment->state != "spam") {
+ } else if ($original->state == "spam" && $new->state != "spam") {
akismet::submit_ham($new);
}
}
diff --git a/modules/comment/models/comment.php b/modules/comment/models/comment.php
index d052a39c..83d0888a 100644
--- a/modules/comment/models/comment.php
+++ b/modules/comment/models/comment.php
@@ -64,17 +64,17 @@ class Comment_Model extends ORM {
$created = true;
}
}
+ $visible_change = $this->original()->state == "published" || $this->state == "published";
parent::save();
if (isset($created)) {
module::event("comment_created", $this);
} else {
- module::event("comment_updated", $this);
+ module::event("comment_updated", $this->original(), $this);
}
- // We only notify on the related items if we're making a visible change, which means moving in
- // or out of a published state
- if ($this->original("state") == "published" || $this->state == "published") {
+ // We only notify on the related items if we're making a visible change.
+ if ($visible_change) {
module::event("item_related_update", $this->item());
}
diff --git a/modules/gallery/libraries/MY_ORM.php b/modules/gallery/libraries/MY_ORM.php
index 1d3c1ef3..de8adc1d 100644
--- a/modules/gallery/libraries/MY_ORM.php
+++ b/modules/gallery/libraries/MY_ORM.php
@@ -18,7 +18,7 @@
* Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA.
*/
class ORM extends ORM_Core {
- // Track the original value of this ORM instance so that we can look it up in ORM::original()
+ // Track the original value of this ORM so that we can look it up in ORM::original()
protected $original = null;
public function open_paren() {
@@ -34,13 +34,13 @@ class ORM extends ORM_Core {
public function save() {
model_cache::clear();
$result = parent::save();
- $this->original = $this->object;
+ $this->original = clone $this;
return $result;
}
public function __set($column, $value) {
if (!isset($this->original)) {
- $this->original = $this->object;
+ $this->original = clone $this;
}
return parent::__set($column, $value);
@@ -48,14 +48,14 @@ class ORM extends ORM_Core {
public function __unset($column) {
if (!isset($this->original)) {
- $this->original = $this->object;
+ $this->original = clone $this;
}
return parent::__unset($column);
}
- public function original($column) {
- return $this->original[$column];
+ public function original() {
+ return $this->original;
}
}
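Review bot: `original()` now returns `$this->original` as an object, but that property stays `null` until the first `__set`, `__unset` or `save()`, so call sites in this commit such as `$this->original()->state` in comment.php dereference null on a loaded, unmodified record. The old `$this->original[$column]` form tolerated that case. Returning the live object when nothing has changed keeps the call sites safe: `return isset($this->original) ? $this->original : $this;`. A docblock stating that the result is the snapshot taken before the first modification since load or save would document the contract.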
diff --git a/modules/gallery/models/item.php b/modules/gallery/models/item.php
index b3c7998b..f3e6b8f3 100644
--- a/modules/gallery/models/item.php
+++ b/modules/gallery/models/item.php
@@ -365,7 +365,7 @@ class Item_Model extends ORM_MPTT {
}
parent::save();
if (isset($send_event)) {
- module::event("item_updated", $this);
+ module::event("item_updated", $this->original(), $this);
}
return $this;
}
diff --git a/modules/gallery/tests/Item_Model_Test.php b/modules/gallery/tests/Item_Model_Test.php
index c2773097..0940d076 100644
--- a/modules/gallery/tests/Item_Model_Test.php
+++ b/modules/gallery/tests/Item_Model_Test.php
@@ -147,7 +147,7 @@ class Item_Model_Test extends Unit_Test_Case {
$item->save();
$item->title = "NEW_VALUE";
- $this->assert_same("ORIGINAL_VALUE", $item->original("title"));
+ $this->assert_same("ORIGINAL_VALUE", $item->original()->title);
$this->assert_same("NEW_VALUE", $item->title);
}
}
diff --git a/modules/notification/helpers/notification_event.php b/modules/notification/helpers/notification_event.php
index c6e770a7..d1b76e93 100644
--- a/modules/notification/helpers/notification_event.php
+++ b/modules/notification/helpers/notification_event.php
@@ -18,8 +18,8 @@
* Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA.
*/
class notification_event_Core {
- static function item_updated($item) {
- notification::send_item_updated($item);
+ static function item_updated($original, $new) {
+ notification::send_item_updated($new);
}
static function item_created($item) {
@@ -40,8 +40,8 @@ class notification_event_Core {
}
}
- static function comment_updated($item) {
- if ($item->state == "published" && $item->original("state") != "published") {
+ static function comment_updated($original, $new) {
+ if ($new->state == "published" && $original->state != "published") {
notification::send_comment_published($new);
}
}
diff --git a/modules/search/helpers/search_event.php b/modules/search/helpers/search_event.php
index 764fdd18..b65763af 100644
--- a/modules/search/helpers/search_event.php
+++ b/modules/search/helpers/search_event.php
@@ -22,8 +22,8 @@ class search_event_Core {
search::update($item);
}
- static function item_updated($item) {
- search::update($item);
+ static function item_updated($original, $new) {
+ search::update($new);
}
static function item_deleted($item) {
diff --git a/modules/user/models/group.php b/modules/user/models/group.php
index bb3fb58b..8af78012 100644
--- a/modules/user/models/group.php
+++ b/modules/user/models/group.php
@@ -41,7 +41,7 @@ class Group_Model extends ORM {
if (isset($created)) {
module::event("group_created", $this);
} else {
- module::event("group_updated", $this);
+ module::event("group_updated", $this->original(), $this);
}
return $this;
}
diff --git a/modules/user/models/user.php b/modules/user/models/user.php
index def65a6f..4b43adff 100644
--- a/modules/user/models/user.php
+++ b/modules/user/models/user.php
@@ -68,7 +68,7 @@ class User_Model extends ORM {
if (isset($created)) {
module::event("user_created", $this);
} else {
- module::event("user_updated", $this);
+ module::event("user_updated", $this->original(), $this);
}
return $this;
}
--
cgit v1.2.3
From 9f396178cedc96abb282e72ff0e843e255c8225a Mon Sep 17 00:00:00 2001
From: Tim Almdal
Date: Wed, 5 Aug 2009 09:24:27 -0700
Subject: Revert "Allow a theme to override the page refresh mechanism. Create
a new"
This reverts commit 1f014aae6c16bbda62d8f5937180f11ccb0eb1b1.
---
lib/gallery.dialog.js | 4 +-
lib/gallery.panel.js | 4 +-
lib/gallery.reload.js | 16 -----
modules/gallery/js/quick.js | 4 +-
modules/gallery/tests/xss_data.txt | 68 +++++++++++-----------
.../views/admin_maintenance_show_log.html.php | 2 +-
.../gallery/views/admin_maintenance_task.html.php | 2 +-
modules/organize/js/organize.js | 2 +-
.../views/server_add_tree_dialog.html.php | 2 +-
modules/tag/js/tag.js | 2 +-
themes/admin_default/views/admin.html.php | 2 -
themes/default/views/page.html.php | 2 -
12 files changed, 44 insertions(+), 66 deletions(-)
delete mode 100644 lib/gallery.reload.js
(limited to 'modules/gallery/tests')
diff --git a/lib/gallery.dialog.js b/lib/gallery.dialog.js
index 0efcf120..74c2f20e 100644
--- a/lib/gallery.dialog.js
+++ b/lib/gallery.dialog.js
@@ -25,9 +25,9 @@ function ajaxify_dialog() {
}
if (data.result == "success") {
if (data.location) {
- $.gallery_location(data.location);
+ window.location = data.location;
} else {
- $.gallery_reload();
+ window.location.reload();
}
}
}
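Review bot: `window.location = data.location;` navigates to whatever the AJAX response carries, and with the `$.gallery_location` wrapper removed there is no longer a single place to validate it; the same assignment is restored in the gallery.panel.js and quick.js hunks. If any controller can place a user-influenced value in `location`, a `javascript:` URL would run in the page's origin. Consider guarding each site, for example `if (/^(\/|https?:\/\/)/.test(data.location)) { window.location = data.location; }`, or keeping one shared helper that performs the check. The enclosing callback starts outside the hunk.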
diff --git a/lib/gallery.panel.js b/lib/gallery.panel.js
index 26be11ad..022e4878 100644
--- a/lib/gallery.panel.js
+++ b/lib/gallery.panel.js
@@ -40,9 +40,9 @@ function togglePanel(element, on_success) {
if (on_success) {
on_success();
} else if (data.location) {
- $.gallery_location(data.location);
+ window.location = data.location;
} else {
- $.gallery_reload();
+ window.location.reload();
}
}
}
diff --git a/lib/gallery.reload.js b/lib/gallery.reload.js
deleted file mode 100644
index 2c8752a0..00000000
--- a/lib/gallery.reload.js
+++ /dev/null
@@ -1,16 +0,0 @@
-/**
- * To change this template, choose Tools | Templates
- * and open the template in the editor.
- */
-(function ($) {
- $.gallery_reload = function() {
- window.location.reload();
- };
-})(jQuery);
-
-// Vertically align a block element's content
-(function ($) {
- $.gallery_location = function(location) {
- window.location = location;
- };
-})(jQuery);
diff --git a/modules/gallery/js/quick.js b/modules/gallery/js/quick.js
index 4753808e..fda6470f 100644
--- a/modules/gallery/js/quick.js
+++ b/modules/gallery/js/quick.js
@@ -67,9 +67,9 @@ var quick_do = function(cont, pane, img) {
img.css("margin-top", 0);
}
} else if (data.location) {
- $.gallery_location(data.location);
+ window.location = data.location;
} else if (data.reload) {
- $.gallery_reload();
+ window.location.reload();
}
}
});
diff --git a/modules/gallery/tests/xss_data.txt b/modules/gallery/tests/xss_data.txt
index 29d223b7..0e118ce7 100644
--- a/modules/gallery/tests/xss_data.txt
+++ b/modules/gallery/tests/xss_data.txt
@@ -496,25 +496,24 @@ themes/admin_default/views/admin.html.php 20 DIRTY $theme->s
themes/admin_default/views/admin.html.php 21 DIRTY $theme->script("jquery.form.js")
themes/admin_default/views/admin.html.php 22 DIRTY $theme->script("jquery-ui.js")
themes/admin_default/views/admin.html.php 23 DIRTY $theme->script("gallery.common.js")
-themes/admin_default/views/admin.html.php 25 DIRTY $theme->script("gallery.reload.js")
-themes/admin_default/views/admin.html.php 30 DIRTY $theme->script("gallery.dialog.js")
-themes/admin_default/views/admin.html.php 31 DIRTY $theme->script("superfish/js/superfish.js")
-themes/admin_default/views/admin.html.php 32 DIRTY $theme->script("jquery.dropshadow.js")
-themes/admin_default/views/admin.html.php 33 DIRTY $theme->script("ui.init.js")
-themes/admin_default/views/admin.html.php 35 DIRTY $theme->admin_head()
-themes/admin_default/views/admin.html.php 38 DIRTY $theme->body_attributes()
-themes/admin_default/views/admin.html.php 39 DIRTY $theme->admin_page_top()
-themes/admin_default/views/admin.html.php 45 DIRTY $theme->site_status()
-themes/admin_default/views/admin.html.php 47 DIRTY $theme->admin_header_top()
-themes/admin_default/views/admin.html.php 50 DIRTY $csrf
-themes/admin_default/views/admin.html.php 56 DIRTY $theme->admin_menu()
-themes/admin_default/views/admin.html.php 58 DIRTY $theme->admin_header_bottom()
-themes/admin_default/views/admin.html.php 64 DIRTY $theme->messages()
-themes/admin_default/views/admin.html.php 65 DIRTY $content
-themes/admin_default/views/admin.html.php 71 DIRTY $sidebar
-themes/admin_default/views/admin.html.php 76 DIRTY $theme->admin_footer()
-themes/admin_default/views/admin.html.php 78 DIRTY $theme->admin_credits()
-themes/admin_default/views/admin.html.php 82 DIRTY $theme->admin_page_bottom()
+themes/admin_default/views/admin.html.php 28 DIRTY $theme->script("gallery.dialog.js")
+themes/admin_default/views/admin.html.php 29 DIRTY $theme->script("superfish/js/superfish.js")
+themes/admin_default/views/admin.html.php 30 DIRTY $theme->script("jquery.dropshadow.js")
+themes/admin_default/views/admin.html.php 31 DIRTY $theme->script("ui.init.js")
+themes/admin_default/views/admin.html.php 33 DIRTY $theme->admin_head()
+themes/admin_default/views/admin.html.php 36 DIRTY $theme->body_attributes()
+themes/admin_default/views/admin.html.php 37 DIRTY $theme->admin_page_top()
+themes/admin_default/views/admin.html.php 43 DIRTY $theme->site_status()
+themes/admin_default/views/admin.html.php 45 DIRTY $theme->admin_header_top()
+themes/admin_default/views/admin.html.php 48 DIRTY $csrf
+themes/admin_default/views/admin.html.php 54 DIRTY $theme->admin_menu()
+themes/admin_default/views/admin.html.php 56 DIRTY $theme->admin_header_bottom()
+themes/admin_default/views/admin.html.php 62 DIRTY $theme->messages()
+themes/admin_default/views/admin.html.php 63 DIRTY $content
+themes/admin_default/views/admin.html.php 69 DIRTY $sidebar
+themes/admin_default/views/admin.html.php 74 DIRTY $theme->admin_footer()
+themes/admin_default/views/admin.html.php 76 DIRTY $theme->admin_credits()
+themes/admin_default/views/admin.html.php 80 DIRTY $theme->admin_page_bottom()
themes/admin_default/views/block.html.php 2 DIRTY $id
themes/admin_default/views/block.html.php 2 DIRTY $css_id
themes/admin_default/views/block.html.php 5 DIRTY $id
@@ -602,22 +601,21 @@ themes/default/views/page.html.php 48 DIRTY $theme->s
themes/default/views/page.html.php 49 DIRTY $theme->script("jquery.form.js")
themes/default/views/page.html.php 50 DIRTY $theme->script("jquery-ui.js")
themes/default/views/page.html.php 51 DIRTY $theme->script("gallery.common.js")
-themes/default/views/page.html.php 53 DIRTY $theme->script("gallery.reload.js")
-themes/default/views/page.html.php 58 DIRTY $theme->script("gallery.dialog.js")
-themes/default/views/page.html.php 59 DIRTY $theme->script("gallery.form.js")
-themes/default/views/page.html.php 60 DIRTY $theme->script("superfish/js/superfish.js")
-themes/default/views/page.html.php 61 DIRTY $theme->script("jquery.localscroll.js")
-themes/default/views/page.html.php 62 DIRTY $theme->script("ui.init.js")
-themes/default/views/page.html.php 66 DIRTY $theme->script("jquery.scrollTo.js")
-themes/default/views/page.html.php 67 DIRTY $theme->script("gallery.show_full_size.js")
-themes/default/views/page.html.php 69 DIRTY $theme->script("flowplayer.js")
-themes/default/views/page.html.php 72 DIRTY $theme->head()
-themes/default/views/page.html.php 75 DIRTY $theme->body_attributes()
-themes/default/views/page.html.php 76 DIRTY $theme->page_top()
-themes/default/views/page.html.php 78 DIRTY $theme->site_status()
-themes/default/views/page.html.php 86 DIRTY $theme->messages()
-themes/default/views/page.html.php 87 DIRTY $content
-themes/default/views/page.html.php 101 DIRTY $theme->page_bottom()
+themes/default/views/page.html.php 56 DIRTY $theme->script("gallery.dialog.js")
+themes/default/views/page.html.php 57 DIRTY $theme->script("gallery.form.js")
+themes/default/views/page.html.php 58 DIRTY $theme->script("superfish/js/superfish.js")
+themes/default/views/page.html.php 59 DIRTY $theme->script("jquery.localscroll.js")
+themes/default/views/page.html.php 60 DIRTY $theme->script("ui.init.js")
+themes/default/views/page.html.php 64 DIRTY $theme->script("jquery.scrollTo.js")
+themes/default/views/page.html.php 65 DIRTY $theme->script("gallery.show_full_size.js")
+themes/default/views/page.html.php 67 DIRTY $theme->script("flowplayer.js")
+themes/default/views/page.html.php 70 DIRTY $theme->head()
+themes/default/views/page.html.php 73 DIRTY $theme->body_attributes()
+themes/default/views/page.html.php 74 DIRTY $theme->page_top()
+themes/default/views/page.html.php 76 DIRTY $theme->site_status()
+themes/default/views/page.html.php 84 DIRTY $theme->messages()
+themes/default/views/page.html.php 85 DIRTY $content
+themes/default/views/page.html.php 99 DIRTY $theme->page_bottom()
themes/default/views/pager.html.php 13 DIRTY $url
themes/default/views/pager.html.php 20 DIRTY $previous_page
themes/default/views/pager.html.php 20 DIRTY $url
diff --git a/modules/gallery/views/admin_maintenance_show_log.html.php b/modules/gallery/views/admin_maintenance_show_log.html.php
index ac593de7..9d850986 100644
--- a/modules/gallery/views/admin_maintenance_show_log.html.php
+++ b/modules/gallery/views/admin_maintenance_show_log.html.php
@@ -1,7 +1,7 @@
diff --git a/modules/organize/js/organize.js b/modules/organize/js/organize.js
index 12d8a5b5..f10cbcc9 100644
--- a/modules/organize/js/organize.js
+++ b/modules/organize/js/organize.js
@@ -374,7 +374,7 @@ function organize_dialog_init() {
}
$("#gDialog").bind("organize_close", function(target) {
- $.gallery_reload();
+ document.location.reload();
});
heightMicroThumbPanel -= 2 * parseFloat($("#gDialog").css("padding-top"));
diff --git a/modules/server_add/views/server_add_tree_dialog.html.php b/modules/server_add/views/server_add_tree_dialog.html.php
index 8dfd2c38..21952849 100644
--- a/modules/server_add/views/server_add_tree_dialog.html.php
+++ b/modules/server_add/views/server_add_tree_dialog.html.php
@@ -34,7 +34,7 @@
= t("Add") ?>
-
+
= t("Close") ?>
diff --git a/modules/tag/js/tag.js b/modules/tag/js/tag.js
index 564de393..765c2a35 100644
--- a/modules/tag/js/tag.js
+++ b/modules/tag/js/tag.js
@@ -59,7 +59,7 @@ function editInPlace(element) {
closeEditInPlaceForms(); // close form
$("#gTag-" + data.tag_id).text(data.new_tagname); // update tagname
console.log(data);
- $.gallery_reload();
+ window.location.reload();
}
}
});
diff --git a/themes/admin_default/views/admin.html.php b/themes/admin_default/views/admin.html.php
index 63fc45b5..d27f9260 100644
--- a/themes/admin_default/views/admin.html.php
+++ b/themes/admin_default/views/admin.html.php
@@ -21,8 +21,6 @@
= $theme->script("jquery.form.js") ?>
= $theme->script("jquery-ui.js") ?>
= $theme->script("gallery.common.js") ?>
- /* Themes can override this to provide custom refresh handling */ ?>
- = $theme->script("gallery.reload.js") ?>
/* MSG_CANCEL is required by gallery.dialog.js */ ?>
+ *
+ * @return the string escaped for use in JavaScript.
+ */
+ function for_js() {
+ return self::_escape_for_js($this->_raw_string);
+ }
+
+ /**
+ * Safe for use HTML (purified HTML)
+ *
+ * Example:
+ * = $php_var->purified_html() ?>
+ *
+ * @return the string escaped for use in HTML.
+ */
+ function purified_html() {
+ if ($this->_is_safe_html) {
+ return $this;
+ } else {
+ return SafeString::of(self::_purify_for_html($this->_raw_string), true);
+ }
+ }
+
+ /**
+ * Returns the raw, unsafe string. Do not use lightly.
+ */
+ function unescaped() {
+ return $this->_raw_string;
+ }
+
+ // Escapes special HTML chars ("<", ">", "&", etc.) to HTML entities.
+ private static function _escape_for_html($dirty_html) {
+ return html::specialchars($dirty_html);
+ }
+
+ // Escapes special chars (quotes, backslash, etc.) with a backslash sequence.
+ private static function _escape_for_js($string) {
+ // From Smarty plugins/modifier.escape.php
+ // Might want to be stricter here.
+ return strtr($string,
+ array('\\'=>'\\\\',"'"=>"\\'",'"'=>'\\"',"\r"=>'\\r',"\n"=>'\\n',''=>'<\/'));
+ }
+
+ // Purifies the string, removing any potentially malicious or unsafe HTML / JavaScript.
+ private static function _purify_for_html($dirty_html) {
+ if (empty(self::$_purifier)) {
+ require_once(dirname(__file__) . "/../lib/HTMLPurifier/HTMLPurifier.auto.php");
+ $config = HTMLPurifier_Config::createDefault();
+ foreach (Kohana::config('purifier') as $category => $key_value) {
+ foreach ($key_value as $key => $value) {
+ $config->set("$category.$key", $value);
+ }
+ }
+ self::$_purifier = new HTMLPurifier($config);
+ }
+ return self::$_purifier->purify($dirty_html);
+ }
+}
diff --git a/modules/gallery/tests/SafeString_Test.php b/modules/gallery/tests/SafeString_Test.php
new file mode 100644
index 00000000..cdae3e99
--- /dev/null
+++ b/modules/gallery/tests/SafeString_Test.php
@@ -0,0 +1,111 @@
+world");
+ $this->assert_true($safe_string instanceof SafeString);
+ $this->assert_equal("hello
world
",
+ $safe_string->unescaped());
+ }
+
+ public function toString_escapes_for_html_test() {
+ $safe_string = new SafeString("hello
world
");
+ $this->assert_equal("hello <p>world</p>",
+ $safe_string);
+ }
+
+ public function toString_for_safe_string_test() {
+ $safe_string = new SafeString("hello
world
");
+ $safe_string->mark_html_safe();
+ $this->assert_equal("hello
world
",
+ $safe_string);
+ }
+
+ public function for_html_test() {
+ $safe_string = new SafeString("hello
world
");
+ $this->assert_equal("hello <p>world</p>",
+ $safe_string->for_html());
+ }
+
+ public function safestring_of_safestring_test() {
+ $safe_string = new SafeString("hello
world
");
+ $safe_string_2 = new SafeString($safe_string);
+ $this->assert_true($safe_string_2 instanceof SafeString);
+ $raw_string = $safe_string_2->unescaped();
+ $this->assert_false(is_object($raw_string));
+ $this->assert_equal("hello
world
", $raw_string);
+ $this->assert_equal("hello <p>world</p>", $safe_string_2);
+ }
+
+ public function for_js_test() {
+ $safe_string = new SafeString('"
Foo \'s bar"');
+ $js_string = $safe_string->for_js();
+ $this->assert_equal('\\"
Foo<\\/em>\\\'s bar\\"',
+ $js_string);
+ }
+
+ public function string_safestring_equality_test() {
+ $safe_string = new SafeString("hello world
");
+ $this->assert_equal("hello world
",
+ $safe_string->unescaped());
+ $escaped_string = "hello <p>world</p>";
+ $this->assert_equal($escaped_string, $safe_string);
+
+ $this->assert_true($escaped_string == $safe_string);
+ $this->assert_false($escaped_string === $safe_string);
+ $this->assert_false("meow" == $safe_string);
+ }
+
+ public function of_test() {
+ $safe_string = SafeString::of("hello world
");
+ $this->assert_equal("hello world
", $safe_string->unescaped());
+ }
+
+ public function of_safe_html_test() {
+ $safe_string = SafeString::of("hello world
")->mark_html_safe();
+ $this->assert_equal("hello world
", $safe_string->for_html());
+ }
+
+ public function of_fluid_api_test() {
+ $escaped_string = SafeString::of("Foo's bar")->for_js();
+ $this->assert_equal("Foo\\'s bar", $escaped_string);
+ }
+
+ public function safestring_of_safestring_preserves_safe_status_test() {
+ $safe_string = SafeString::of("hello's world
")->mark_html_safe();
+ $safe_string_2 = new SafeString($safe_string);
+ $this->assert_equal("hello's world
", $safe_string_2);
+ $this->assert_equal("hello\\'s world<\\/p>", $safe_string_2->for_js());
+ }
+
+ public function safestring_of_safestring_preserves_html_safe_status_test() {
+ $safe_string = SafeString::of("hello's
world
")
+ ->mark_html_safe();
+ $safe_string_2 = new SafeString($safe_string);
+ $this->assert_equal("hello's world
", $safe_string_2);
+ $this->assert_equal("hello\\'s world<\\/p>", $safe_string_2->for_js());
+ }
+
+ public function safestring_of_safestring_safe_status_override_test() {
+ $safe_string = new SafeString("hello
world
");
+ $safe_string_2 = SafeString::of($safe_string)->mark_html_safe();
+ $this->assert_equal("hello world
", $safe_string_2);
+ }
+}
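Review bot: None of the tests in this new file calls `purified_html()`, so the HTMLPurifier path that the same commit adds in SafeString.php is not exercised at all. The other cases use only benign paragraph and emphasis markup, which pins the escaping but not the removal of active content. I would add one case with a constructed sample input that asserts the script element is gone from the result, checking `unescaped()` so the assertion does not depend on `__toString()` escaping. The exact purified output depends on the `purifier` config, so the sketch below asserts only the absence of the element.

```php
  public function purified_html_removes_script_test() {
    // constructed sample input
    $safe_string = new SafeString("hello <script>alert(1)</script> world");
    $purified = $safe_string->purified_html()->unescaped();
    $this->assert_false(stripos($purified, "<script") !== false);
  }
```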
diff --git a/modules/gallery/tests/Xss_Security_Test.php b/modules/gallery/tests/Xss_Security_Test.php
index 9bde11dc..1d52237c 100644
--- a/modules/gallery/tests/Xss_Security_Test.php
+++ b/modules/gallery/tests/Xss_Security_Test.php
@@ -19,87 +19,278 @@
*/
class Xss_Security_Test extends Unit_Test_Case {
public function find_unescaped_variables_in_views_test() {
+ $found = array();
foreach (glob("*/*/views/*.php") as $view) {
- $expr = null;
- $level = 0;
- $php = 0;
- $str = null;
- $in_p_clean = 0;
+ // List of all tokens without whitespace, simplifying parsing.
+ $tokens = array();
foreach (token_get_all(file_get_contents($view)) as $token) {
- if (false /* useful for debugging */) {
- if (is_array($token)) {
- printf("[$str] [$in_p_clean] %-15s %s\n", token_name($token[0]), $token[1]);
- } else {
- printf("[$str] [$in_p_clean] %-15s %s\n", "", $token);
- }
- }
-
- // If we find a "(" after a "p::clean" then start counting levels of parens and assume
- // that we're inside a p::clean() call until we find the matching close paren.
- if ($token[0] == "(" && ($str == "p::clean" || $str == "p::purify")) {
- $in_p_clean = 1;
- } else if ($token[0] == "(" && $in_p_clean) {
- $in_p_clean++;
- } else if ($token[0] == ")" && $in_p_clean) {
- $in_p_clean--;
- }
-
- // Concatenate runs of strings for convenience, which we use above to figure out if we're
- // inside a p::clean() call or not
- if ($token[0] == T_STRING || $token[0] == T_DOUBLE_COLON) {
- $str .= $token[1];
- } else {
- $str = null;
- }
-
- // Scan for any occurrences of < ? = $variable ? > and store it in $expr
- if ($token[0] == T_OPEN_TAG_WITH_ECHO) {
- $php++;
- } else if ($php && $token[0] == T_CLOSE_TAG) {
- $php--;
- } else if ($php && $token[0] == T_VARIABLE) {
- if (!$expr) {
- $entry = array($token[2], $in_p_clean);
- }
- $expr .= $token[1];
- } else if ($expr) {
- if ($token[0] == T_OBJECT_OPERATOR) {
- $expr .= $token[1];
- } else if ($token[0] == T_STRING) {
- $expr .= $token[1];
- } else if ($token == "(") {
- $expr .= $token;
- $level++;
- } else if ($level > 0 && $token == ")") {
- $expr .= $token;
- $level--;
- } else if ($level > 0) {
- $expr .= is_array($token) ? $token[1] : $token;
- } else {
- $entry[] = $expr;
- $found[$view][] = $entry;
- $expr = null;
- $entry = null;
- }
- }
+ if (!is_array($token) || ($token[0] != T_WHITESPACE)) {
+ $tokens[] = $token;
+ }
+ }
+
+ $frame = null;
+ $script_block = 0;
+ $in_script_block = false;
+
+ for ($token_number = 0; $token_number < count($tokens); $token_number++) {
+ $token = $tokens[$token_number];
+
+ // Are we in a block?
+ if (is_array($token) && $token[0] == T_INLINE_HTML) {
+ $inline_html = $token[1];
+ // T_INLINE_HTML blocks can be split. Need to handle the case
+ // where one token has "expr_append($inline_html);
+ }
+
+ // Note: This approach won't catch }i', $inline_html, $matches, PREG_OFFSET_CAPTURE)) {
+ $last_match = array_pop($matches[0]);
+ if (is_array($last_match)) {
+ $closing_script_pos = $last_match[1];
+ } else {
+ $closing_script_pos = $last_match;
+ }
+ }
+ if (preg_match('{
+ *
+ * @return the string escaped for use in HTML attributes.
+ */
+ function for_html_attr() {
+ $string = (string) $this->for_html();
+ return strtr($string,
+ array("'"=>"'",
+ '"'=>'"'));
+ }
+
/**
* Safe for use HTML (purified HTML)
*
diff --git a/modules/gallery/tests/SafeString_Test.php b/modules/gallery/tests/SafeString_Test.php
index cdae3e99..73d82c34 100644
--- a/modules/gallery/tests/SafeString_Test.php
+++ b/modules/gallery/tests/SafeString_Test.php
@@ -18,13 +18,6 @@
* Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA.
*/
class SafeString_Test extends Unit_Test_Case {
- public function p_clean_returns_safestring_instance_test() {
- $safe_string = p::clean("hello world
");
- $this->assert_true($safe_string instanceof SafeString);
- $this->assert_equal("hello world
",
- $safe_string->unescaped());
- }
-
public function toString_escapes_for_html_test() {
$safe_string = new SafeString("hello world
");
$this->assert_equal("hello <p>world</p>",
@@ -61,6 +54,20 @@ class SafeString_Test extends Unit_Test_Case {
$js_string);
}
+ public function for_html_attr_test() {
+ $safe_string = new SafeString('"Foo \'s bar"');
+ $attr_string = $safe_string->for_html_attr();
+ $this->assert_equal('"<em>Foo</em>'s bar"',
+ $attr_string);
+ }
+
+ public function for_html_attr_with_safe_html_test() {
+ $safe_string = SafeString::of('"Foo \'s bar"')->mark_html_safe();
+ $attr_string = $safe_string->for_html_attr();
+ $this->assert_equal('"Foo 's bar"',
+ $attr_string);
+ }
+
public function string_safestring_equality_test() {
$safe_string = new SafeString("hello world
");
$this->assert_equal("hello world
",
--
cgit v1.2.3
From 0d16cc1c106dc324fde59cac54fa82e4a70e04e2 Mon Sep 17 00:00:00 2001
From: Bharat Mediratta
Date: Sat, 29 Aug 2009 12:12:53 -0700
Subject: Clean up the test and get it working.
---
modules/gallery/tests/Item_Helper_Test.php | 69 ++++++++----------------------
1 file changed, 17 insertions(+), 52 deletions(-)
(limited to 'modules/gallery/tests')
diff --git a/modules/gallery/tests/Item_Helper_Test.php b/modules/gallery/tests/Item_Helper_Test.php
index 48fdd962..3f80733f 100644
--- a/modules/gallery/tests/Item_Helper_Test.php
+++ b/modules/gallery/tests/Item_Helper_Test.php
@@ -18,65 +18,30 @@
* Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA.
*/
class Item_Helper_Test extends Unit_Test_Case {
- private $_group;
- private $_album;
- private $_item;
- //private $_user;
- public function teardown() {
- try {
- $this->_group->delete();
- } catch (Exception $e) { }
-
- try {
- $this->_album->delete();
- } catch (Exception $e) { }
-
- //try {
- // $this->_user->delete();
- //} catch (Exception $e) { }
- }
-
- public function setup() {
- }
-
- public function viewable_item_test() {
- $this->_group = group::create("access_test");
+ public function viewable_test() {
$root = ORM::factory("item", 1);
- $this->_album = album::create($root, rand(), "visible_test");
- $this->_user = user::create("visible_test", "Visible Test", "");
- $this->_user->add($this->_group);
- $this->_item = self::_create_random_item($this->_album);
- comment::create($this->_item, $this->_user, "This is a comment");
- access::deny(group::everybody(), "view", $this->_album);
- $active = user::active();
-
- $items = ORM::factory("item")
- ->where("id", $this->_album->id)
- ->find_all();
- print Database::instance()->last_query() . "\n";
- $items = ORM::factory("item")
- ->where("id", $this->_album->id)
- ->viewable()
- ->find_all();
- print Database::instance()->last_query() . "\n";
+ $album = album::create($root, rand(), rand(), rand());
+ $item = self::_create_random_item($album);
+ user::set_active(user::guest());
+
+ // We can see the item when permissions are granted
+ access::allow(group::everybody(), "view", $album);
+ $this->assert_equal(
+ 1,
+ ORM::factory("item")->viewable()->where("id", $item->id)->count_all());
+
+ // We can't see the item when permissions are denied
+ access::deny(group::everybody(), "view", $album);
+ $this->assert_equal(
+ 0,
+ ORM::factory("item")->viewable()->where("id", $item->id)->count_all());
}
- //public function viewable_one_restrictions_test() {
- // $item = self::create_random_item();
- // $this->assert_true(!empty($item->created));
- // $this->assert_true(!empty($item->updated));
- //}
- //public function viewable_multiple_restrictions_test() {
- // $item = self::create_random_item();
- // $this->assert_true(!empty($item->created));
- // $this->assert_true(!empty($item->updated));
- //}
-
private static function _create_random_item($album) {
+ // Set all required fields (values are irrelevant)
$item = ORM::factory("item");
- /* Set all required fields (values are irrelevant) */
$item->name = rand();
$item->type = "photo";
return $item->add_to_parent($album);
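Review bot: `viewable_test()` switches the active user to guest, leaves a denied `view` permission on a freshly created album, and nothing restores any of it now that this hunk removes `teardown()`. Unless the test runner resets state between tests (not visible here), later tests would run as guest and could pass or fail on permissions for the wrong reason. Capture the previous user with `$active = user::active();` before `user::set_active(user::guest());` and restore it with `user::set_active($active);` in a `teardown()`, deleting the album there as the removed code did. `_create_random_item()` continues past the end of the hunk.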
--
cgit v1.2.3
From a10063ff68cf5988297dcad889384ab2080c3850 Mon Sep 17 00:00:00 2001
From: Andy Staudacher
Date: Sat, 29 Aug 2009 12:34:09 -0700
Subject: Add more factory methods for convenience: SafeString::purify() and
SafeString::of_safe_html().
Removing SafeString::mark_html_safe() since it's no longer needed.
---
modules/gallery/helpers/MY_url.php | 10 +++++-----
modules/gallery/libraries/I18n.php | 2 +-
modules/gallery/libraries/SafeString.php | 27 +++++++++++++++++++++------
modules/gallery/tests/SafeString_Test.php | 19 +++++++++++--------
modules/gallery/tests/Xss_Security_Test.php | 7 +++++--
5 files changed, 43 insertions(+), 22 deletions(-)
(limited to 'modules/gallery/tests')
diff --git a/modules/gallery/helpers/MY_url.php b/modules/gallery/helpers/MY_url.php
index b4b7f352..6092a9d8 100644
--- a/modules/gallery/helpers/MY_url.php
+++ b/modules/gallery/helpers/MY_url.php
@@ -31,7 +31,7 @@ class url extends url_Core {
$uri = model_cache::get("item", $parts[1])->relative_path();
}
$url = parent::site($uri . $query, $protocol);
- return SafeString::of($url)->mark_html_safe();
+ return SafeString::of_safe_html($url);
}
static function parse_url() {
@@ -103,22 +103,22 @@ class url extends url_Core {
public static function base($index=false, $protocol=false) {
$url = parent::base($index, $protocol);
- return SafeString::of($url)->mark_html_safe();
+ return SafeString::of_safe_html($url);
}
public static function current($qs=false) {
$url = parent::current($qs);
- return SafeString::of($url)->mark_html_safe();
+ return SafeString::of_safe_html($url);
}
public static function file($file, $index=false) {
$url = parent::file($file, $index);
- return SafeString::of($url)->mark_html_safe();
+ return SafeString::of_safe_html($url);
}
public static function merge(array $arguments) {
$url = parent::merge($arguments);
- return SafeString::of($url)->mark_html_safe();
+ return SafeString::of_safe_html($url);
}
}
diff --git a/modules/gallery/libraries/I18n.php b/modules/gallery/libraries/I18n.php
index 8dc42e04..a53d5ae9 100644
--- a/modules/gallery/libraries/I18n.php
+++ b/modules/gallery/libraries/I18n.php
@@ -116,7 +116,7 @@ class I18n_Core {
$entry = $this->interpolate($locale, $entry, $values);
- return SafeString::of($entry)->mark_html_safe();
+ return SafeString::of_safe_html($entry);
}
private function lookup($locale, $message) {
diff --git a/modules/gallery/libraries/SafeString.php b/modules/gallery/libraries/SafeString.php
index 709ab5f6..9a269ed4 100644
--- a/modules/gallery/libraries/SafeString.php
+++ b/modules/gallery/libraries/SafeString.php
@@ -24,6 +24,7 @@
class SafeString_Core {
private $_raw_string;
protected $_is_safe_html = false;
+ protected $_is_purified_html = false;
private static $_purifier = null;
@@ -44,11 +45,25 @@ class SafeString_Core {
}
/**
- * Marks this string as safe to be used in HTML without any escaping.
+ * Factory method returning a new SafeString instance after HTML purifying
+ * the given string.
*/
- function mark_html_safe() {
- $this->_is_safe_html = true;
- return $this;
+ static function purify($string) {
+ if ($string instanceof SafeString) {
+ $string = $string->unescaped();
+ }
+ $safe_string = self::of_safe_html(self::_purify_for_html($string));
+ $safe_string->_is_purified_html = true;
+ return $safe_string;
+ }
+
+ /**
+ * Factory method returning a new SafeString instance which won't HTML escape.
+ */
+ static function of_safe_html($string) {
+ $safe_string = new SafeString($string);
+ $safe_string->_is_safe_html = true;
+ return $safe_string;
}
/**
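Review bot: `of_safe_html()` switches off HTML escaping for whatever string it is handed, but its docblock ("which won't HTML escape") never says that the caller is vouching for the content. Other files in this commit pass URLs and translated messages through it, so the contract should be written down, for example `Caller asserts that $string is already safe HTML; it is emitted verbatim. Never pass request data or other user-controlled input; use of() or purify() for that.` The `purify()` docblock could also mention that a SafeString argument is unwrapped with `unescaped()` first, so any earlier safe marking is deliberately discarded before purification.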
@@ -117,10 +132,10 @@ class SafeString_Core {
* @return the string escaped for use in HTML.
*/
function purified_html() {
- if ($this->_is_safe_html) {
+ if ($this->_is_purified_html) {
return $this;
} else {
- return SafeString::of(self::_purify_for_html($this->_raw_string), true);
+ return self::purify($this);
}
}
diff --git a/modules/gallery/tests/SafeString_Test.php b/modules/gallery/tests/SafeString_Test.php
index 73d82c34..0fc7f6f3 100644
--- a/modules/gallery/tests/SafeString_Test.php
+++ b/modules/gallery/tests/SafeString_Test.php
@@ -25,8 +25,7 @@ class SafeString_Test extends Unit_Test_Case {
}
public function toString_for_safe_string_test() {
- $safe_string = new SafeString("hello world
");
- $safe_string->mark_html_safe();
+ $safe_string = SafeString::of_safe_html("hello world
");
$this->assert_equal("hello world
",
$safe_string);
}
@@ -62,7 +61,7 @@ class SafeString_Test extends Unit_Test_Case {
}
public function for_html_attr_with_safe_html_test() {
- $safe_string = SafeString::of('"Foo \'s bar"')->mark_html_safe();
+ $safe_string = SafeString::of_safe_html('"Foo \'s bar"');
$attr_string = $safe_string->for_html_attr();
$this->assert_equal('"Foo 's bar"',
$attr_string);
@@ -86,25 +85,29 @@ class SafeString_Test extends Unit_Test_Case {
}
public function of_safe_html_test() {
- $safe_string = SafeString::of("hello world
")->mark_html_safe();
+ $safe_string = SafeString::of_safe_html("hello world
");
$this->assert_equal("hello world
", $safe_string->for_html());
}
+ public function purify_test() {
+ $safe_string = SafeString::purify("hello world
");
+ $this->assert_equal("hello world
", $safe_string);
+ }
+
public function of_fluid_api_test() {
$escaped_string = SafeString::of("Foo's bar")->for_js();
$this->assert_equal("Foo\\'s bar", $escaped_string);
}
public function safestring_of_safestring_preserves_safe_status_test() {
- $safe_string = SafeString::of("hello's world
")->mark_html_safe();
+ $safe_string = SafeString::of_safe_html("hello's world
");
$safe_string_2 = new SafeString($safe_string);
$this->assert_equal("hello's world
", $safe_string_2);
$this->assert_equal("hello\\'s world<\\/p>", $safe_string_2->for_js());
}
public function safestring_of_safestring_preserves_html_safe_status_test() {
- $safe_string = SafeString::of("hello's
world
")
- ->mark_html_safe();
+ $safe_string = SafeString::of_safe_html("hello's world
");
$safe_string_2 = new SafeString($safe_string);
$this->assert_equal("hello's world
", $safe_string_2);
$this->assert_equal("hello\\'s world<\\/p>", $safe_string_2->for_js());
@@ -112,7 +115,7 @@ class SafeString_Test extends Unit_Test_Case {
public function safestring_of_safestring_safe_status_override_test() {
$safe_string = new SafeString("hello
world
");
- $safe_string_2 = SafeString::of($safe_string)->mark_html_safe();
+ $safe_string_2 = SafeString::of_safe_html($safe_string);
$this->assert_equal("hello world
", $safe_string_2);
}
}
diff --git a/modules/gallery/tests/Xss_Security_Test.php b/modules/gallery/tests/Xss_Security_Test.php
index e0e5bb86..fd596c69 100644
--- a/modules/gallery/tests/Xss_Security_Test.php
+++ b/modules/gallery/tests/Xss_Security_Test.php
@@ -110,10 +110,13 @@ class Xss_Security_Test extends Unit_Test_Case {
} else if ($token[1] == "SafeString") {
// Looking for SafeString::of(...
if (self::_token_matches(array(T_DOUBLE_COLON, "::"), $tokens, $token_number + 1) &&
- self::_token_matches(array(T_STRING, "of"), $tokens, $token_number + 2) &&
+ self::_token_matches(array(T_STRING), $tokens, $token_number + 2) &&
+ in_array($tokens[$token_number + 2][1], array("of", "of_safe_html", "purify")) &&
self::_token_matches("(", $tokens, $token_number + 3)) {
$frame->is_safestring(true);
- $frame->expr_append("::of(");
+
+ $method = $tokens[$token_number + 2][1];
+ $frame->expr_append("::$method(");
$token_number += 3;
$token = $tokens[$token_number];
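Review bot: Adding `of_safe_html` to the accepted method names makes the scanner call `is_safestring(true)` for `SafeString::of_safe_html(...)` exactly as it does for `SafeString::of(...)`, although the former disables escaping rather than applying it. If the report treats `is_safestring()` as clean (that code is outside this hunk), a view that wraps a variable in `of_safe_html()` drops out of the golden file and is never reviewed. I would keep the list to the escaping and purifying factories, `in_array($tokens[$token_number + 2][1], array("of", "purify"), true)`, and record `of_safe_html` under a separate frame flag so the report can still list those uses. The enclosing loop starts and ends outside the hunk.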
--
cgit v1.2.3
From d5660d2d3ea6e8172272f1eb27e8071a1a42d87b Mon Sep 17 00:00:00 2001
From: Andy Staudacher
Date: Sat, 29 Aug 2009 13:41:18 -0700
Subject: Fixing all detected XSS vectors in PHP->JS code.
Xss: Rename UNKNOWN back to DIRTY, JS_XSS to DIRTY_JS.
(using a different flag value to highlight potential XSS vectors in JS)
---
modules/gallery/tests/Xss_Security_Test.php | 15 +++++--
modules/gallery/views/l10n_client.html.php | 4 +-
modules/gallery/views/simple_uploader.html.php | 61 +++++++++++++-------------
modules/organize/views/organize.html.php | 16 +++----
themes/admin_default/views/admin.html.php | 2 +-
themes/default/views/movie.html.php | 2 +-
themes/default/views/page.html.php | 2 +-
themes/default/views/photo.html.php | 4 +-
8 files changed, 56 insertions(+), 50 deletions(-)
(limited to 'modules/gallery/tests')
diff --git a/modules/gallery/tests/Xss_Security_Test.php b/modules/gallery/tests/Xss_Security_Test.php
index fd596c69..690dc760 100644
--- a/modules/gallery/tests/Xss_Security_Test.php
+++ b/modules/gallery/tests/Xss_Security_Test.php
@@ -178,10 +178,10 @@ class Xss_Security_Test extends Unit_Test_Case {
* Generate the report
*
* States for uses of < ? = X ? >:
- * JS_XSS:
+ * DIRTY_JS:
* In
diff --git a/modules/gallery/views/simple_uploader.html.php b/modules/gallery/views/simple_uploader.html.php
index 56e568f6..fc426e8f 100644
--- a/modules/gallery/views/simple_uploader.html.php
+++ b/modules/gallery/views/simple_uploader.html.php
@@ -82,27 +82,26 @@
diff --git a/modules/organize/views/organize.html.php b/modules/organize/views/organize.html.php
index 1182a887..d2f0aa8c 100644
--- a/modules/organize/views/organize.html.php
+++ b/modules/organize/views/organize.html.php
@@ -1,16 +1,16 @@
= $theme->script("gallery.dialog.js") ?>
= $theme->script("superfish/js/superfish.js") ?>
diff --git a/themes/default/views/movie.html.php b/themes/default/views/movie.html.php
index 1f25a626..75d51eff 100644
--- a/themes/default/views/movie.html.php
+++ b/themes/default/views/movie.html.php
@@ -20,7 +20,7 @@
= $theme->photo_bottom() ?>
diff --git a/themes/default/views/page.html.php b/themes/default/views/page.html.php
index ea2be37b..8d9f0caa 100644
--- a/themes/default/views/page.html.php
+++ b/themes/default/views/page.html.php
@@ -51,7 +51,7 @@
= $theme->script("gallery.common.js") ?>
/* MSG_CANCEL is required by gallery.dialog.js */ ?>
= $theme->script("gallery.dialog.js") ?>
= $theme->script("gallery.form.js") ?>
diff --git a/themes/default/views/photo.html.php b/themes/default/views/photo.html.php
index 1f92e9ba..fcf597cf 100644
--- a/themes/default/views/photo.html.php
+++ b/themes/default/views/photo.html.php
@@ -5,7 +5,7 @@
= $theme->photo_bottom() ?>
--
cgit v1.2.3
From b4b638be44375c93f5222c7b48ed547845d6d7e5 Mon Sep 17 00:00:00 2001
From: Andy Staudacher
Date: Sat, 29 Aug 2009 16:28:30 -0700
Subject: Undo url helper changes - url methods no longer return a SafeString.
Adding SafeString::of_safe_html() calls where urls are passed as parameters to t() and t2().
---
modules/akismet/helpers/akismet.php | 2 +-
modules/digibug/views/admin_digibug.html.php | 2 +-
modules/exif/helpers/exif.php | 2 +-
modules/g2_import/views/admin_g2_import.html.php | 10 ++++-----
modules/gallery/helpers/MY_url.php | 24 +---------------------
modules/gallery/helpers/graphics.php | 2 +-
modules/gallery/tests/Xss_Security_Test.php | 15 +++++++++++---
modules/gallery/views/admin_block_welcome.html.php | 10 ++++-----
modules/gallery/views/upgrader.html.php | 2 +-
modules/recaptcha/helpers/recaptcha.php | 2 +-
modules/search/helpers/search.php | 2 +-
modules/server_add/helpers/server_add.php | 2 +-
modules/user/views/reset_password.html.php | 4 +++-
system/helpers/request.php | 2 +-
14 files changed, 35 insertions(+), 46 deletions(-)
(limited to 'modules/gallery/tests')
diff --git a/modules/akismet/helpers/akismet.php b/modules/akismet/helpers/akismet.php
index db45a6ab..abca78d2 100644
--- a/modules/akismet/helpers/akismet.php
+++ b/modules/akismet/helpers/akismet.php
@@ -94,7 +94,7 @@ class akismet_Core {
if (empty($api_key)) {
site_status::warning(
t("Akismet is not quite ready! Please provide an API Key ",
- array("url" => url::site("admin/akismet"))),
+ array("url" => SafeString::of_safe_html(url::site("admin/akismet")))),
"akismet_config");
} else {
site_status::clear("akismet_config");
diff --git a/modules/digibug/views/admin_digibug.html.php b/modules/digibug/views/admin_digibug.html.php
index 7e4436ff..5f27a3fd 100644
--- a/modules/digibug/views/admin_digibug.html.php
+++ b/modules/digibug/views/admin_digibug.html.php
@@ -16,7 +16,7 @@
= t("You don't need an account with Digibug, but if you register with Digibug and enter your Digibug id in the Advanced Settings page you can make money off of your photos!",
array("signup_url" => "http://www.digibug.com/signup.php",
- "advanced_settings_url" => url::site("admin/advanced_settings"))) ?>
+ "advanced_settings_url" => SafeString::of_safe_html(url::site("admin/advanced_settings")))) ?>
diff --git a/modules/exif/helpers/exif.php b/modules/exif/helpers/exif.php
index 20ecd0cb..d4e60338 100644
--- a/modules/exif/helpers/exif.php
+++ b/modules/exif/helpers/exif.php
@@ -164,7 +164,7 @@ class exif_Core {
if ($remaining) {
site_status::warning(
t('Your Exif index needs to be updated. Fix this now ',
- array("url" => url::site("admin/maintenance/start/exif_task::update_index?csrf=__CSRF__"))),
+ array("url" => SafeString::of_safe_html(url::site("admin/maintenance/start/exif_task::update_index?csrf=__CSRF__")))),
"exif_index_out_of_date");
}
}
diff --git a/modules/g2_import/views/admin_g2_import.html.php b/modules/g2_import/views/admin_g2_import.html.php
index da2bb5d1..f53510f6 100644
--- a/modules/g2_import/views/admin_g2_import.html.php
+++ b/modules/g2_import/views/admin_g2_import.html.php
@@ -37,9 +37,9 @@
if ($g2_sizes["thumb"]["size"] && $thumb_size != $g2_sizes["thumb"]["size"]): ?>
= t("Your most common thumbnail size in Gallery 2 is %g2_pixels pixels, but your Gallery 3 thumbnail size is set to %g3_pixels pixels. Using the same value will speed up your import.",
- array("g2_pixels" => $g2_sizes["thumb"]["size"],
- "g3_pixels" => $thumb_size,
- "url" => url::site("admin/theme_options"))) ?>
+ array("g2_pixels" => $g2_sizes["thumb"]["size"],
+ "g3_pixels" => $thumb_size,
+ "url" => SafeString::of_safe_html(url::site("admin/theme_options")))) ?>
endif ?>
@@ -47,8 +47,8 @@
= t("Your most common intermediate size in Gallery 2 is %g2_pixels pixels, but your Gallery 3 thumbnail size is set to %g3_pixels pixels. Using the same value will speed up your import.",
array("g2_pixels" => $g2_sizes["resize"]["size"],
- "g3_pixels" => $resize_size,
- "url" => url::site("admin/theme_options"))) ?>
+ "g3_pixels" => $resize_size,
+ "url" => SafeString::of_safe_html(url::site("admin/theme_options")))) ?>
endif ?>
diff --git a/modules/gallery/helpers/MY_url.php b/modules/gallery/helpers/MY_url.php
index 6092a9d8..c4967c52 100644
--- a/modules/gallery/helpers/MY_url.php
+++ b/modules/gallery/helpers/MY_url.php
@@ -30,8 +30,7 @@ class url extends url_Core {
if ($parts[0] == "albums" || $parts[0] == "photos") {
$uri = model_cache::get("item", $parts[1])->relative_path();
}
- $url = parent::site($uri . $query, $protocol);
- return SafeString::of_safe_html($url);
+ return parent::site($uri . $query, $protocol);
}
static function parse_url() {
@@ -100,25 +99,4 @@ class url extends url_Core {
static function abs_current($qs=false) {
return self::abs_site(url::current($qs));
}
-
- public static function base($index=false, $protocol=false) {
- $url = parent::base($index, $protocol);
- return SafeString::of_safe_html($url);
- }
-
- public static function current($qs=false) {
- $url = parent::current($qs);
- return SafeString::of_safe_html($url);
- }
-
- public static function file($file, $index=false) {
- $url = parent::file($file, $index);
- return SafeString::of_safe_html($url);
- }
-
- public static function merge(array $arguments) {
- $url = parent::merge($arguments);
- return SafeString::of_safe_html($url);
- }
-
}
diff --git a/modules/gallery/helpers/graphics.php b/modules/gallery/helpers/graphics.php
index 7dc46eeb..fbb85bec 100644
--- a/modules/gallery/helpers/graphics.php
+++ b/modules/gallery/helpers/graphics.php
@@ -442,7 +442,7 @@ class graphics_Core {
if (!module::get_var("gallery", "graphics_toolkit")) {
site_status::warning(
t("Graphics toolkit missing! Please choose a toolkit ",
- array("url" => url::site("admin/graphics"))),
+ array("url" => SafeString::of_safe_html(url::site("admin/graphics")))),
"missing_graphics_toolkit");
}
}
diff --git a/modules/gallery/tests/Xss_Security_Test.php b/modules/gallery/tests/Xss_Security_Test.php
index 690dc760..a2d3d59b 100644
--- a/modules/gallery/tests/Xss_Security_Test.php
+++ b/modules/gallery/tests/Xss_Security_Test.php
@@ -130,14 +130,14 @@ class Xss_Security_Test extends Unit_Test_Case {
$token = $tokens[$token_number];
}
} else if ($token[1] == "url") {
- // url methods return a SafeString
+ // url methods return safe HTML
if (self::_token_matches(array(T_DOUBLE_COLON, "::"), $tokens, $token_number + 1) &&
self::_token_matches(array(T_STRING), $tokens, $token_number + 2) &&
in_array($tokens[$token_number + 2][1],
array("site", "current", "base", "file", "abs_site", "abs_current",
"abs_file", "merge")) &&
self::_token_matches("(", $tokens, $token_number + 3)) {
- $frame->is_safestring(true);
+ $frame->is_safe_html(true);
$method = $tokens[$token_number + 2][1];
$frame->expr_append("::$method(");
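Review bot: The updated comment says url methods return safe HTML, but nothing escapes these values any more: this same commit makes `url::site()` return the plain string from `parent::site()` and removes the SafeString wrappers for `base`, `current`, `file` and `merge`. Setting `is_safe_html(true)` here lets the report hunk further down mark a bare `url::current(...)` echo as CLEAN. `current`, `abs_current` and `merge` presumably carry the request's query string, which the client controls, so I would narrow the list to `array("site", "base", "file", "abs_site", "abs_file")` and let the scanner require an explicit `for_html()` or `for_html_attr()` on the others. The surrounding branch continues outside the hunk.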
@@ -203,7 +203,8 @@ class Xss_Security_Test extends Unit_Test_Case {
$state = "CLEAN";
}
} else {
- if ($frame->is_safestring() || $frame->purified_html_called() || $frame->for_html_called()) {
+ if ($frame->is_safe_html() || $frame->is_safestring() ||
+ $frame->purified_html_called() || $frame->for_html_called()) {
$state = "CLEAN";
}
}
@@ -259,6 +260,7 @@ class Xss_Security_Test_Frame {
private $_for_html_called = false;
private $_purified_html_called = false;
private $_json_encode_called = false;
+ private $_is_safe_html = false;
private $_line;
function __construct($line_number, $in_script_block) {
@@ -288,6 +290,13 @@ class Xss_Security_Test_Frame {
return $this->_is_safestring;
}
+ function is_safe_html($new_val=NULL) {
+ if ($new_val !== NULL) {
+ $this->_is_safe_html = (bool) $new_val;
+ }
+ return $this->_is_safe_html;
+ }
+
function json_encode_called($new_val=NULL) {
if ($new_val !== NULL) {
$this->_json_encode_called = (bool) $new_val;
diff --git a/modules/gallery/views/admin_block_welcome.html.php b/modules/gallery/views/admin_block_welcome.html.php
index 38d2bd56..c6ccdbf3 100644
--- a/modules/gallery/views/admin_block_welcome.html.php
+++ b/modules/gallery/views/admin_block_welcome.html.php
@@ -5,16 +5,16 @@
= t("General Settings - choose your graphics and language settings.",
- array("graphics_url" => url::site("admin/graphics"),
- "language_url" => url::site("admin/languages"))) ?>
+ array("graphics_url" => SafeString::of_safe_html(url::site("admin/graphics")),
+ "language_url" => SafeString::of_safe_html(url::site("admin/languages")))) ?>
= t("Appearance - choose a theme , or customize the way it looks .",
- array("theme_url" => url::site("admin/themes"),
- "theme_options_url" => url::site("admin/theme_options"))) ?>
+ array("theme_url" => SafeString::of_safe_html(url::site("admin/themes")),
+ "theme_options_url" => SafeString::of_safe_html(url::site("admin/theme_options")))) ?>
= t("Customize - install modules to add cool features!",
- array("modules_url" => url::site("admin/modules"))) ?>
+ array("modules_url" => SafeString::of_safe_html(url::site("admin/modules")))) ?>
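Review bot: Each `SafeString::of_safe_html(url::site(...))` wrapper in this hunk vouches for the URL by hand, and nothing at the call site records why that is sound. It holds only while the argument is a string literal free of quotes, `&` and user data, and presumably `t()` no longer escapes these values once they are wrapped. A comment such as `// of_safe_html: literal admin path, no user input` would stop the pattern being copied onto a variable path. The same applies to the upgrader.html.php, recaptcha.php, search.php and server_add.php hunks. In the reset_password.html.php hunk the wrapped value is `url::base(false, "http")`; if that helper can take its host name from the request, marking it safe in a password-reset mail deserves a closer check.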
diff --git a/modules/gallery/views/upgrader.html.php b/modules/gallery/views/upgrader.html.php
index 37578855..ccc86da8 100644
--- a/modules/gallery/views/upgrader.html.php
+++ b/modules/gallery/views/upgrader.html.php
@@ -18,7 +18,7 @@
= t("That's it!") ?>
= t("Your Gallery is up to date.",
- array("url" => url::site("albums/1"))) ?>
+ array("url" => SafeString::of_safe_html(url::site("albums/1")))) ?>
diff --git a/modules/recaptcha/helpers/recaptcha.php b/modules/recaptcha/helpers/recaptcha.php
index 501dd972..35d9febd 100644
--- a/modules/recaptcha/helpers/recaptcha.php
+++ b/modules/recaptcha/helpers/recaptcha.php
@@ -43,7 +43,7 @@ class recaptcha_Core {
if (empty($public_key) || empty($private_key)) {
site_status::warning(
t("reCAPTCHA is not quite ready! Please configure the reCAPTCHA Keys ",
- array("url" => url::site("admin/recaptcha"))),
+ array("url" => SafeString::of_safe_html(url::site("admin/recaptcha")))),
"recaptcha_config");
} else {
site_status::clear("recaptcha_config");
diff --git a/modules/search/helpers/search.php b/modules/search/helpers/search.php
index 355c4493..4be04039 100644
--- a/modules/search/helpers/search.php
+++ b/modules/search/helpers/search.php
@@ -58,7 +58,7 @@ class search_Core {
if ($remaining) {
site_status::warning(
t('Your search index needs to be updated. Fix this now ',
- array("url" => url::site("admin/maintenance/start/search_task::update_index?csrf=__CSRF__"))),
+ array("url" => SafeString::of_safe_html(url::site("admin/maintenance/start/search_task::update_index?csrf=__CSRF__")))),
"search_index_out_of_date");
}
}
diff --git a/modules/server_add/helpers/server_add.php b/modules/server_add/helpers/server_add.php
index 74f51ad9..57afac12 100644
--- a/modules/server_add/helpers/server_add.php
+++ b/modules/server_add/helpers/server_add.php
@@ -25,7 +25,7 @@ class server_add_Core {
if (empty($paths)) {
site_status::warning(
t("Server Add needs configuration. Configure it now! ",
- array("url" => url::site("admin/server_add"))),
+ array("url" => SafeString::of_safe_html(url::site("admin/server_add")))),
"server_add_configuration");
} else {
site_status::clear("server_add_configuration");
diff --git a/modules/user/views/reset_password.html.php b/modules/user/views/reset_password.html.php
index 3dc7aebf..6fa92d54 100644
--- a/modules/user/views/reset_password.html.php
+++ b/modules/user/views/reset_password.html.php
@@ -9,7 +9,9 @@
= t("Hello, %name,", array("name" => $user->full_name ? $user->full_name : $user->name)) ?>
- = t("We received a request to reset your password for %site_url . If you made this request, you can confirm it by clicking this link . If you didn't request this password reset, it's ok to ignore this mail.", array("site_url" => url::base(false, "http"), "confirm_url" => $confirm_url)) ?>
+ = t("We received a request to reset your password for %site_url . If you made this request, you can confirm it by clicking this link . If you didn't request this password reset, it's ok to ignore this mail.",
+ array("site_url" => SafeString::of_safe_html(url::base(false, "http")),
+ "confirm_url" => $confirm_url)) ?>