From 391a90e3cedd1cca7631f9a4d786c6c513b1dd48 Mon Sep 17 00:00:00 2001
From: Bharat Mediratta <bharat@menalto.com>
Date: Wed, 8 Sep 2010 20:36:22 -0700
Subject: Detect when a module fails to upgrade properly and put up an
 informative message to help the user know that she needs to get a newer copy
 of the module.  Fixes ticket #1189.

---
 modules/gallery/views/upgrader.html.php | 53 ++++++++++++++++++++++-----------
 1 file changed, 36 insertions(+), 17 deletions(-)

(limited to 'modules/gallery/views/upgrader.html.php')

diff --git a/modules/gallery/views/upgrader.html.php b/modules/gallery/views/upgrader.html.php
index 0ce24ef8..c2d8a552 100644
--- a/modules/gallery/views/upgrader.html.php
+++ b/modules/gallery/views/upgrader.html.php
@@ -10,7 +10,7 @@
   </head>
   <body<? if (locales::is_rtl()) { echo ' class="rtl"'; } ?>>
     <div id="outer">
-      <img src="<?= url::file("modules/gallery/images/gallery.png") ?>" />
+      <img id="logo" src="<?= url::file("modules/gallery/images/gallery.png") ?>" />
       <div id="inner">
         <? if ($can_upgrade): ?>
         <div id="dialog" style="visibility: hidden">
@@ -31,6 +31,12 @@
                     array("url" => html::mark_clean(url::base()))) ?>
             </p>
           </div>
+          <div id="failed" style="display: none">
+            <h1> <?= t("Some modules failed to upgrade!") ?> </h1>
+            <p>
+              <?= t("Failed modules are <span class=\"failed\">highlighted</span>.  Try getting newer versions or <a href=\"%admin_modules\">deactivating those modules</a>.", array("admin_modules" => url::site("admin/modules"))) ?>
+            </p>
+          </div>
         </div>
         <script type="text/javascript">
           $(document).ready(function() {
@@ -41,6 +47,10 @@
             <? if ($done): ?>
             show_done();
             <? endif ?>
+
+            <? if ($failed): ?>
+            show_failed();
+            <? endif ?>
           });
 
           var show_busy = function() {
@@ -55,10 +65,31 @@
             $("#done").show();
             $("#dialog_close_link").show();
           }
+
+          var show_failed = function() {
+            $("#dialog").css("visibility", "visible");
+            $("#failed").show();
+            $("#dialog_close_link").show();
+          }
         </script>
-        <p class="<?= $done ? "muted" : "" ?>">
-          <?= t("Welcome to the Gallery upgrader.  One click and you're done!") ?>
-        </p>
+        <div id="welcome_message">
+          <p class="<?= $done ? "muted" : "" ?>">
+            <?= t("Welcome to the Gallery upgrader.  One click and you're done!") ?>
+          </p>
+        </div>
+
+        <? if ($done): ?>
+        <div id="upgrade_button" class="button muted">
+          <?= t("Upgrade all") ?>
+        </div>
+        <? else: ?>
+        <div id="upgrade_button" class="button button-active">
+          <a id="upgrade_link" href="<?= url::site("upgrader/upgrade") ?>">
+            <?= t("Upgrade all") ?>
+          </a>
+        </div>
+        <? endif ?>
+
         <table>
           <tr class="<?= $done ? "muted" : "" ?>">
             <th class="name"> <?= t("Module name") ?> </th>
@@ -68,7 +99,7 @@
 
           <? foreach ($available as $id => $module): ?>
           <? if ($module->active): ?>
-          <tr class="<?= $module->version == $module->code_version ? "current" : "upgradeable" ?>" >
+          <tr class="<?= $module->version == $module->code_version ? "current" : "upgradeable" ?> <?= in_array($id, $failed) ? "failed" : "" ?>" >
             <td class="name <?= $id ?>">
               <?= t($module->name) ?>
             </td>
@@ -85,18 +116,6 @@
           <? endforeach ?>
         </table>
 
-        <? if ($done): ?>
-        <div class="button muted">
-          <?= t("Upgrade all") ?>
-        </div>
-        <? else: ?>
-        <div class="button button-active">
-          <a id="upgrade_link" href="<?= url::site("upgrader/upgrade") ?>">
-            <?= t("Upgrade all") ?>
-          </a>
-        </div>
-        <? endif ?>
-
         <? if (@$inactive): ?>
         <p class="<?= $done ? "muted" : "" ?>">
           <?= t("The following modules are inactive and don't require an upgrade.") ?>
-- 
cgit v1.2.3


From 67f45cfa781ef4b446676e199470e421f5463812 Mon Sep 17 00:00:00 2001
From: Bharat Mediratta <bharat@menalto.com>
Date: Sat, 11 Sep 2010 01:46:45 -0700
Subject: Add CSRF protection to the upgrader.  And update the CLI output so
 that it tells you which modules failed to upgrade properly.  Fixes ticket
 #1359.

---
 modules/gallery/controllers/upgrader.php | 21 ++++++++++++++++++---
 modules/gallery/views/upgrader.html.php  |  2 +-
 2 files changed, 19 insertions(+), 4 deletions(-)

(limited to 'modules/gallery/views/upgrader.html.php')

diff --git a/modules/gallery/controllers/upgrader.php b/modules/gallery/controllers/upgrader.php
index 6613d671..b2646874 100644
--- a/modules/gallery/controllers/upgrader.php
+++ b/modules/gallery/controllers/upgrader.php
@@ -54,8 +54,16 @@ class Upgrader_Controller extends Controller {
       // @todo this may screw up some module installers, but we don't have a better answer at
       // this time.
       $_SERVER["HTTP_HOST"] = "example.com";
-    } else if (!identity::active_user()->admin && !Session::instance()->get("can_upgrade", false)) {
-      access::forbidden();
+    } else {
+      if (!identity::active_user()->admin && !Session::instance()->get("can_upgrade", false)) {
+        access::forbidden();
+      }
+
+      try {
+        access::verify_csrf();
+      } catch (Exception $e) {
+        url::redirect("upgrader");
+      }
     }
 
     $available = module::available();
@@ -87,7 +95,14 @@ class Upgrader_Controller extends Controller {
     site_status::clear("upgrade_now");
 
     if (php_sapi_name() == "cli") {
-      print "Upgrade complete\n";
+      if ($failed) {
+        print "Upgrade completed ** WITH FAILURES **\n";
+        print "The following modules were not successfully upgraded:\n";
+        print "  " . implode($failed, "\n  ") . "\n";
+        print "Try getting newer versions or deactivating those modules\n";
+      } else {
+        print "Upgrade complete\n";
+      }
     } else {
       url::redirect("upgrader?failed=" . join(",", $failed));
     }
diff --git a/modules/gallery/views/upgrader.html.php b/modules/gallery/views/upgrader.html.php
index c2d8a552..554cf30d 100644
--- a/modules/gallery/views/upgrader.html.php
+++ b/modules/gallery/views/upgrader.html.php
@@ -84,7 +84,7 @@
         </div>
         <? else: ?>
         <div id="upgrade_button" class="button button-active">
-          <a id="upgrade_link" href="<?= url::site("upgrader/upgrade") ?>">
+          <a id="upgrade_link" href="<?= url::site("upgrader/upgrade?csrf=__CSRF__") ?>">
             <?= t("Upgrade all") ?>
           </a>
         </div>
-- 
cgit v1.2.3


From 14ae1fde25eb8b22a2fc92453ba12c8e74aba433 Mon Sep 17 00:00:00 2001
From: Bharat Mediratta <bharat@menalto.com>
Date: Sat, 11 Sep 2010 10:41:47 -0700
Subject: Use the actual csrf token, not the placeholder (url::site doesn't
 replace that).  Fixes ticket #1361

---
 modules/gallery/views/upgrader.html.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'modules/gallery/views/upgrader.html.php')

diff --git a/modules/gallery/views/upgrader.html.php b/modules/gallery/views/upgrader.html.php
index 554cf30d..1ec49c77 100644
--- a/modules/gallery/views/upgrader.html.php
+++ b/modules/gallery/views/upgrader.html.php
@@ -84,7 +84,7 @@
         </div>
         <? else: ?>
         <div id="upgrade_button" class="button button-active">
-          <a id="upgrade_link" href="<?= url::site("upgrader/upgrade?csrf=__CSRF__") ?>">
+          <a id="upgrade_link" href="<?= url::site("upgrader/upgrade?csrf=" . access::csrf_token()) ?>">
             <?= t("Upgrade all") ?>
           </a>
         </div>
-- 
cgit v1.2.3