From 48cb5021c6bd7e65a13a0ff50a9e76f72da7d3a1 Mon Sep 17 00:00:00 2001 From: Tim Almdal Date: Mon, 1 Feb 2010 16:28:52 -0800 Subject: Add the scheduler component to the admin maintenance screen. --- modules/gallery/controllers/admin_maintenance.php | 2 ++ modules/gallery/views/admin_maintenance.html.php | 8 ++++++++ 2 files changed, 10 insertions(+) (limited to 'modules/gallery') diff --git a/modules/gallery/controllers/admin_maintenance.php b/modules/gallery/controllers/admin_maintenance.php index 3062ea09..d9363d30 100644 --- a/modules/gallery/controllers/admin_maintenance.php +++ b/modules/gallery/controllers/admin_maintenance.php @@ -44,6 +44,8 @@ class Admin_Maintenance_Controller extends Admin_Controller { $view->content->task_definitions = task::get_definitions(); $view->content->running_tasks = ORM::factory("task") ->where("done", "=", 0)->order_by("updated", "DESC")->find_all(); + $view->content->schedule_definitions = + module::is_active("scheduler") ? scheduler::get_definitions() : ""; $view->content->finished_tasks = ORM::factory("task") ->where("done", "=", 1)->order_by("updated", "DESC")->find_all(); print $view; diff --git a/modules/gallery/views/admin_maintenance.html.php b/modules/gallery/views/admin_maintenance.html.php index ac597715..15d04caa 100644 --- a/modules/gallery/views/admin_maintenance.html.php +++ b/modules/gallery/views/admin_maintenance.html.php @@ -33,12 +33,20 @@ class="g-dialog-link g-button ui-icon-left ui-state-default ui-corner-all"> + + callback?csrf=$csrf") ?>" + class="g-dialog-link g-button ui-icon-left ui-state-default ui-corner-all"> + + + + + count()): ?>

-- cgit v1.2.3 From 5ded9e8ac5935e41c08d1766974ce31890efd7f0 Mon Sep 17 00:00:00 2001 From: Tim Almdal Date: Mon, 1 Feb 2010 16:31:24 -0800 Subject: Refactor starting a task into the task helper so we can call it multiple times. --- modules/gallery/controllers/admin_maintenance.php | 5 +---- modules/gallery/helpers/task.php | 9 +++++++++ 2 files changed, 10 insertions(+), 4 deletions(-) (limited to 'modules/gallery') diff --git a/modules/gallery/controllers/admin_maintenance.php b/modules/gallery/controllers/admin_maintenance.php index d9363d30..487e77a6 100644 --- a/modules/gallery/controllers/admin_maintenance.php +++ b/modules/gallery/controllers/admin_maintenance.php @@ -58,13 +58,10 @@ class Admin_Maintenance_Controller extends Admin_Controller { public function start($task_callback) { access::verify_csrf(); - $tasks = task::get_definitions(); - $task = task::create($tasks[$task_callback], array()); + $task = task::start($task_callback); $view = new View("admin_maintenance_task.html"); $view->task = $task; - $task->log(t("Task %task_name started (task id %task_id)", - array("task_name" => $task->name, "task_id" => $task->id))); log::info("tasks", t("Task %task_name started (task id %task_id)", array("task_name" => $task->name, "task_id" => $task->id)), html::anchor("admin/maintenance", t("maintenance"))); diff --git a/modules/gallery/helpers/task.php b/modules/gallery/helpers/task.php index 645850d1..aa0eb94d 100644 --- a/modules/gallery/helpers/task.php +++ b/modules/gallery/helpers/task.php @@ -35,6 +35,15 @@ class task_Core { return $tasks; } + static function start($task_callback, $context=array()) { + $tasks = task::get_definitions(); + $task = task::create($tasks[$task_callback], array()); + + $task->log(t("Task %task_name started (task id %task_id)", + array("task_name" => $task->name, "task_id" => $task->id))); + return $task; + } + static function create($task_def, $context) { $task = ORM::factory("task"); $task->callback = $task_def->callback; -- cgit v1.2.3 From 81a1df4a504fdd7cdbef2b92e2b1257a65da98f9 Mon Sep 17 00:00:00 2001 From: Bharat Mediratta Date: Mon, 1 Feb 2010 21:41:16 -0800 Subject: Localize the name "conflict" validation error when creating a new album. --- modules/gallery/helpers/album.php | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) (limited to 'modules/gallery') diff --git a/modules/gallery/helpers/album.php b/modules/gallery/helpers/album.php index 389f6e48..15e0c3ca 100644 --- a/modules/gallery/helpers/album.php +++ b/modules/gallery/helpers/album.php @@ -36,7 +36,8 @@ class album_Core { $group->input("name")->label(t("Directory name")) ->error_messages("no_slashes", t("The directory name can't contain the \"/\" character")) ->error_messages("required", t("You must provide a directory name")) - ->error_messages("length", t("Your directory name is too long")); + ->error_messages("length", t("Your directory name is too long")) + ->error_messages("conflict", t("There is already a movie, photo or album with this name")); $group->input("slug")->label(t("Internet Address")) ->error_messages( "not_url_safe", @@ -51,7 +52,8 @@ class album_Core { } static function get_edit_form($parent) { - $form = new Forge("albums/update/{$parent->id}", "", "post", array("id" => "g-edit-album-form")); + $form = new Forge( + "albums/update/{$parent->id}", "", "post", array("id" => "g-edit-album-form")); $form->hidden("from_id"); $group = $form->group("edit_item")->label(t("Edit Album")); @@ -61,8 +63,7 @@ class album_Core { $group->textarea("description")->label(t("Description"))->value($parent->description); if ($parent->id != 1) { $group->input("name")->label(t("Directory Name"))->value($parent->name) - ->error_messages( - "conflict", t("There is already a movie, photo or album with this name")) + ->error_messages("conflict", t("There is already a movie, photo or album with this name")) ->error_messages("no_slashes", t("The directory name can't contain a \"/\"")) ->error_messages("no_trailing_period", t("The directory name can't end in \".\"")) ->error_messages("required", t("You must provide a directory name")) -- cgit v1.2.3 From 370faf5f265e634b0828be9695cd6eb9676ff6f7 Mon Sep 17 00:00:00 2001 From: Tim Almdal Date: Tue, 2 Feb 2010 10:55:22 -0800 Subject: Display the error message for the in place edit. Also improve the double click guard. Fixes ticket #1000. --- lib/gallery.in_place_edit.js | 44 ++++++++++++---------------- modules/gallery/views/in_place_edit.html.php | 6 ++++ 2 files changed, 24 insertions(+), 26 deletions(-) (limited to 'modules/gallery') diff --git a/lib/gallery.in_place_edit.js b/lib/gallery.in_place_edit.js index c10400e3..5a815dac 100644 --- a/lib/gallery.in_place_edit.js +++ b/lib/gallery.in_place_edit.js @@ -10,10 +10,10 @@ }, _show: function(target) { - if ($(this).data("gallery_in_place_edit") == true) { + if ($(target).data("gallery_in_place_edit") == true) { return; } - $(this).data("gallery_in_place_edit", true); + $(target).data("gallery_in_place_edit", true); var self = this; var tag_width = $(target).width(); $(self).data("tag_width", tag_width); @@ -27,26 +27,28 @@ var parent = $(target).parent(); parent.children().hide(); parent.append(data); - parent.find("form :text") - .width(tag_width) - .focus(); - $(".g-short-form").gallery_short_form(); - parent.find("form .g-cancel").click(function(event) { - self._cancel(); - event.preventDefault(); - return false; - }); - self._ajaxify_edit(); + self._setup_form(parent.find("form")); }); + }, + _setup_form: function(form) { + var self = this; + var width = $(self).data("tag_width"); + form.find(":text").width(width).focus(); + form.find(".g-cancel").click(function(event) { + self._cancel(); + event.preventDefault(); + return false; + }); + $(".g-short-form").gallery_short_form(); + this._ajaxify_edit(); }, _cancel: function() { var parent = $("#g-in-place-edit-form").parent(); - $(parent).find("form").remove(); + $("#g-in-place-edit-form").remove(); $(parent).children().show(); - $("#g-in-place-edit-message").remove(); - $(this).data("gallery_in_place_edit", false); + $(parent).find(".g-editable").data("gallery_in_place_edit", false); }, _ajaxify_edit: function() { @@ -60,17 +62,7 @@ } else { var parent = $(form).parent(); $(form).replaceWith(data.form); - var width = $(self).data("tag_width"); - $(parent).find("form :text") - .width(width) - .focus(); - $(".g-short-form").gallery_short_form(); - $(parent).find("form .g-cancel").click(function(event) { - self._cancel(); - event.preventDefault(); - return false; - }); - self._ajaxify_edit(); + self._setup_form(parent.find("form")); } } }); diff --git a/modules/gallery/views/in_place_edit.html.php b/modules/gallery/views/in_place_edit.html.php index 05a16ad4..2d6cbe90 100644 --- a/modules/gallery/views/in_place_edit.html.php +++ b/modules/gallery/views/in_place_edit.html.php @@ -9,7 +9,13 @@ "submit ui-state-default"), t("Save")) ?>
    • + +
  • +

    +
    • + + -- cgit v1.2.3 From fe11e34cea8ea31c048af5f38d63220850b0293d Mon Sep 17 00:00:00 2001 From: Tim Almdal Date: Tue, 2 Feb 2010 11:42:13 -0800 Subject: Change the view to display 'empty' when the variable value is a null string(""). Fixes ticket #987. --- modules/gallery/views/admin_advanced_settings.html.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'modules/gallery') diff --git a/modules/gallery/views/admin_advanced_settings.html.php b/modules/gallery/views/admin_advanced_settings.html.php index 2d4b11a1..1f7d2f64 100644 --- a/modules/gallery/views/admin_advanced_settings.html.php +++ b/modules/gallery/views/admin_advanced_settings.html.php @@ -25,10 +25,10 @@ module_name/" . html::clean($var->name)) ?>" class="g-dialog-link" title=" $var->name, "module_name" => $var->module_name))->for_html_attr() ?>"> - value)): ?> - value) ?> - + value) || $var->value === ""): ?> + + value) ?> -- cgit v1.2.3 From 3c3671cff25f28e21a702b1f665a6baa282d045f Mon Sep 17 00:00:00 2001 From: Tim Almdal Date: Tue, 2 Feb 2010 12:30:23 -0800 Subject: Remove the test-transform:uppercase from the l10n css as it was causing problems with other text fields in IE and it violates our case standards. Fixes ticket #912 --- modules/gallery/css/l10n_client.css | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'modules/gallery') diff --git a/modules/gallery/css/l10n_client.css b/modules/gallery/css/l10n_client.css index 053b4432..90034d0c 100644 --- a/modules/gallery/css/l10n_client.css +++ b/modules/gallery/css/l10n_client.css @@ -45,7 +45,6 @@ display:block; position:absolute; right:0em; height:2em; line-height:2em; - text-transform:uppercase; text-align:center; background:#000; } #l10n-client-toggler a { @@ -62,7 +61,7 @@ height:1em; line-height:1em; padding: .5em; margin:0px; font-size:1em; - text-transform:uppercase;} +} #l10n-client .strings h2 { border:0px;} -- cgit v1.2.3 From 19fee6b5e4ceb8a5f90cafe4ad770856ece108ef Mon Sep 17 00:00:00 2001 From: Tim Almdal Date: Tue, 2 Feb 2010 14:34:50 -0800 Subject: Refactor the admin maintenance screen so that events are used to pupluate the action buttons and other content such as the list of scheduled tasks. --- modules/gallery/controllers/admin_maintenance.php | 11 +++++++++-- modules/gallery/views/admin_maintenance.html.php | 16 +++++++--------- 2 files changed, 16 insertions(+), 11 deletions(-) (limited to 'modules/gallery') diff --git a/modules/gallery/controllers/admin_maintenance.php b/modules/gallery/controllers/admin_maintenance.php index 487e77a6..8e4845a9 100644 --- a/modules/gallery/controllers/admin_maintenance.php +++ b/modules/gallery/controllers/admin_maintenance.php @@ -44,10 +44,17 @@ class Admin_Maintenance_Controller extends Admin_Controller { $view->content->task_definitions = task::get_definitions(); $view->content->running_tasks = ORM::factory("task") ->where("done", "=", 0)->order_by("updated", "DESC")->find_all(); - $view->content->schedule_definitions = - module::is_active("scheduler") ? scheduler::get_definitions() : ""; $view->content->finished_tasks = ORM::factory("task") ->where("done", "=", 1)->order_by("updated", "DESC")->find_all(); + $task_buttons = + new ArrayObject(array((object)array("text" => t("run"), + "url" =>url::site("admin/maintenance/start")))); + module::event("admin_maintenance_task_buttons", $task_buttons); + $view->content->task_buttons = $task_buttons; + + $maintenance_content = new ArrayObject(); + module::event("admin_maintenance_content", $maintenance_content); + $view->content->task_maintenance_content = $maintenance_content; print $view; } diff --git a/modules/gallery/views/admin_maintenance.html.php b/modules/gallery/views/admin_maintenance.html.php index 15d04caa..444bf1fe 100644 --- a/modules/gallery/views/admin_maintenance.html.php +++ b/modules/gallery/views/admin_maintenance.html.php @@ -29,23 +29,21 @@ description ?> - callback?csrf=$csrf") ?>" + + url}/$task->callback?csrf=$csrf" ?>" class="g-dialog-link g-button ui-icon-left ui-state-default ui-corner-all"> - + text) ?> - - callback?csrf=$csrf") ?>" - class="g-dialog-link g-button ui-icon-left ui-state-default ui-corner-all"> - - - +
    - + + + count()): ?>
    -- cgit v1.2.3 From f69493d1384108bf65fc2b92d25fc3b854dee929 Mon Sep 17 00:00:00 2001 From: Tim Almdal Date: Tue, 2 Feb 2010 14:51:06 -0800 Subject: Update the xss golden file to reflect the changes to the admin screen. --- modules/gallery/tests/xss_data.txt | 26 ++++++++++++++------------ 1 file changed, 14 insertions(+), 12 deletions(-) (limited to 'modules/gallery') diff --git a/modules/gallery/tests/xss_data.txt b/modules/gallery/tests/xss_data.txt index 65b45a08..8d7236fa 100644 --- a/modules/gallery/tests/xss_data.txt +++ b/modules/gallery/tests/xss_data.txt @@ -81,18 +81,20 @@ modules/gallery/views/admin_maintenance.html.php 24 DIRTY_ATTR log: modules/gallery/views/admin_maintenance.html.php 25 DIRTY_ATTR log::severity_class($task->severity) modules/gallery/views/admin_maintenance.html.php 26 DIRTY $task->name modules/gallery/views/admin_maintenance.html.php 29 DIRTY $task->description -modules/gallery/views/admin_maintenance.html.php 70 DIRTY_ATTR text::alternate("g-odd","g-even") -modules/gallery/views/admin_maintenance.html.php 70 DIRTY_ATTR $task->state=="stalled"?"g-warning":"" -modules/gallery/views/admin_maintenance.html.php 71 DIRTY_ATTR $task->state=="stalled"?"g-warning":"" -modules/gallery/views/admin_maintenance.html.php 72 DIRTY gallery::date_time($task->updated) -modules/gallery/views/admin_maintenance.html.php 75 DIRTY $task->name -modules/gallery/views/admin_maintenance.html.php 90 DIRTY $task->status -modules/gallery/views/admin_maintenance.html.php 141 DIRTY_ATTR text::alternate("g-odd","g-even") -modules/gallery/views/admin_maintenance.html.php 141 DIRTY_ATTR $task->state=="success"?"g-success":"g-error" -modules/gallery/views/admin_maintenance.html.php 142 DIRTY_ATTR $task->state=="success"?"g-success":"g-error" -modules/gallery/views/admin_maintenance.html.php 143 DIRTY gallery::date_time($task->updated) -modules/gallery/views/admin_maintenance.html.php 146 DIRTY $task->name -modules/gallery/views/admin_maintenance.html.php 158 DIRTY $task->status +modules/gallery/views/admin_maintenance.html.php 33 DIRTY_JS "{$button->url}/$task->callback?csrf=$csrf" +modules/gallery/views/admin_maintenance.html.php 45 DIRTY $content +modules/gallery/views/admin_maintenance.html.php 76 DIRTY_ATTR text::alternate("g-odd","g-even") +modules/gallery/views/admin_maintenance.html.php 76 DIRTY_ATTR $task->state=="stalled"?"g-warning":"" +modules/gallery/views/admin_maintenance.html.php 77 DIRTY_ATTR $task->state=="stalled"?"g-warning":"" +modules/gallery/views/admin_maintenance.html.php 78 DIRTY gallery::date_time($task->updated) +modules/gallery/views/admin_maintenance.html.php 81 DIRTY $task->name +modules/gallery/views/admin_maintenance.html.php 96 DIRTY $task->status +modules/gallery/views/admin_maintenance.html.php 147 DIRTY_ATTR text::alternate("g-odd","g-even") +modules/gallery/views/admin_maintenance.html.php 147 DIRTY_ATTR $task->state=="success"?"g-success":"g-error" +modules/gallery/views/admin_maintenance.html.php 148 DIRTY_ATTR $task->state=="success"?"g-success":"g-error" +modules/gallery/views/admin_maintenance.html.php 149 DIRTY gallery::date_time($task->updated) +modules/gallery/views/admin_maintenance.html.php 152 DIRTY $task->name +modules/gallery/views/admin_maintenance.html.php 164 DIRTY $task->status modules/gallery/views/admin_maintenance_show_log.html.php 8 DIRTY_JS url::site("admin/maintenance/save_log/$task->id?csrf=$csrf") modules/gallery/views/admin_maintenance_show_log.html.php 13 DIRTY $task->name modules/gallery/views/admin_maintenance_task.html.php 55 DIRTY $task->name -- cgit v1.2.3 From 1c0e5eaa0d9b65863c9fd04aff940c1a2b7e682d Mon Sep 17 00:00:00 2001 From: Tim Almdal Date: Tue, 2 Feb 2010 15:00:05 -0800 Subject: use html::purify to cleans the additional content on the admin maintence page. --- modules/gallery/tests/xss_data.txt | 1 - modules/gallery/views/admin_maintenance.html.php | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) (limited to 'modules/gallery') diff --git a/modules/gallery/tests/xss_data.txt b/modules/gallery/tests/xss_data.txt index 8d7236fa..e53502ee 100644 --- a/modules/gallery/tests/xss_data.txt +++ b/modules/gallery/tests/xss_data.txt @@ -82,7 +82,6 @@ modules/gallery/views/admin_maintenance.html.php 25 DIRTY_ATTR log: modules/gallery/views/admin_maintenance.html.php 26 DIRTY $task->name modules/gallery/views/admin_maintenance.html.php 29 DIRTY $task->description modules/gallery/views/admin_maintenance.html.php 33 DIRTY_JS "{$button->url}/$task->callback?csrf=$csrf" -modules/gallery/views/admin_maintenance.html.php 45 DIRTY $content modules/gallery/views/admin_maintenance.html.php 76 DIRTY_ATTR text::alternate("g-odd","g-even") modules/gallery/views/admin_maintenance.html.php 76 DIRTY_ATTR $task->state=="stalled"?"g-warning":"" modules/gallery/views/admin_maintenance.html.php 77 DIRTY_ATTR $task->state=="stalled"?"g-warning":"" diff --git a/modules/gallery/views/admin_maintenance.html.php b/modules/gallery/views/admin_maintenance.html.php index 444bf1fe..19375670 100644 --- a/modules/gallery/views/admin_maintenance.html.php +++ b/modules/gallery/views/admin_maintenance.html.php @@ -42,7 +42,7 @@
    - + count()): ?> -- cgit v1.2.3 From 225fe81ce0121176dc11a646d78b3c3dcc479fa9 Mon Sep 17 00:00:00 2001 From: Bharat Mediratta Date: Tue, 2 Feb 2010 20:50:34 -0800 Subject: Add an upgrade path to prevent the item title field from being empty. --- modules/gallery/helpers/gallery_installer.php | 14 +++++++++++++- modules/gallery/module.info | 2 +- 2 files changed, 14 insertions(+), 2 deletions(-) (limited to 'modules/gallery') diff --git a/modules/gallery/helpers/gallery_installer.php b/modules/gallery/helpers/gallery_installer.php index bffef8e6..761843b0 100644 --- a/modules/gallery/helpers/gallery_installer.php +++ b/modules/gallery/helpers/gallery_installer.php @@ -287,7 +287,7 @@ class gallery_installer { // @todo this string needs to be picked up by l10n_scanner module::set_var("gallery", "credits", "Powered by Gallery %version"); module::set_var("gallery", "simultaneous_upload_limit", 5); - module::set_version("gallery", 25); + module::set_version("gallery", 26); } static function upgrade($version) { @@ -514,6 +514,18 @@ class gallery_installer { } module::set_version("gallery", $version = 25); } + + if ($version == 25) { + db::build() + ->update("items") + ->set("title", new Database_Expression("`name`")) + ->and_open() + ->where("title", "IS", null) + ->or_where("title", "=", "") + ->close() + ->execute(); + module::set_version("gallery", $version = 26); + } } static function uninstall() { diff --git a/modules/gallery/module.info b/modules/gallery/module.info index 50a1505f..fd241066 100644 --- a/modules/gallery/module.info +++ b/modules/gallery/module.info @@ -1,3 +1,3 @@ name = "Gallery 3" description = "Gallery core application" -version = 25 +version = 26 -- cgit v1.2.3 From 6e1b761b12e13566875804c33efe2ae130ffa32e Mon Sep 17 00:00:00 2001 From: Bharat Mediratta Date: Tue, 2 Feb 2010 21:36:01 -0800 Subject: Require the current password to change your password. Fixes ticket #585. Separate out the password change form from the regular edit user form. Require the old password to enter a new one. While I'm at it, roll the password strength javascript into a Form_Script element so that we can get rid of the old view (which incidentally fixes a bug where the password strength meter would go away on form errors). --- modules/gallery/views/user_profile.html.php | 7 ++- modules/user/controllers/users.php | 78 +++++++++++++++++++++++------ modules/user/helpers/user.php | 6 +++ modules/user/views/user_form.html.php | 7 --- 4 files changed, 75 insertions(+), 23 deletions(-) delete mode 100644 modules/user/views/user_form.html.php (limited to 'modules/gallery') diff --git a/modules/gallery/views/user_profile.html.php b/modules/gallery/views/user_profile.html.php index f35f8c3f..78e1c579 100644 --- a/modules/gallery/views/user_profile.html.php +++ b/modules/gallery/views/user_profile.html.php @@ -57,13 +57,16 @@ - id}") ?>"> + id}") ?>"> + id}") ?>"> + + - \ No newline at end of file + diff --git a/modules/user/controllers/users.php b/modules/user/controllers/users.php index 43a92b44..c11f22ff 100644 --- a/modules/user/controllers/users.php +++ b/modules/user/controllers/users.php @@ -20,7 +20,6 @@ class Users_Controller extends Controller { public function update($id) { $user = user::lookup($id); - if ($user->guest || $user->id != identity::active_user()->id) { access::forbidden(); } @@ -29,9 +28,6 @@ class Users_Controller extends Controller { try { $valid = $form->validate(); $user->full_name = $form->edit_user->full_name->value; - if ($form->edit_user->password->value) { - $user->password = $form->edit_user->password->value; - } $user->email = $form->edit_user->email->value; $user->url = $form->edit_user->url->value; @@ -57,7 +53,38 @@ class Users_Controller extends Controller { $user->save(); module::event("user_edit_form_completed", $user, $form); - message::success(t("User information updated.")); + message::success(t("User information updated")); + print json_encode( + array("result" => "success", + "resource" => url::site("users/{$user->id}"))); + } else { + print json_encode(array("result" => "error", "form" => (string) $form)); + } + } + + public function change_password($id) { + $user = user::lookup($id); + if ($user->guest || $user->id != identity::active_user()->id) { + access::forbidden(); + } + + $form = $this->_get_change_password_form($user); + try { + $valid = $form->validate(); + $user->password = $form->change_password->password->value; + $user->validate(); + } catch (ORM_Validation_Exception $e) { + // Translate ORM validation errors into form error messages + foreach ($e->validation->errors() as $key => $error) { + $form->change_password->inputs[$key]->add_error($error, 1); + } + $valid = false; + } + + if ($valid) { + $user->save(); + module::event("user_change_password_form_completed", $user, $form); + message::success(t("Password changed")); print json_encode( array("result" => "success", "resource" => url::site("users/{$user->id}"))); @@ -72,22 +99,45 @@ class Users_Controller extends Controller { access::forbidden(); } - $v = new View("user_form.html"); - $v->form = $this->_get_edit_form($user); - print $v; + print $this->_get_edit_form($user); + } + + public function form_change_password($id) { + $user = user::lookup($id); + if ($user->guest || $user->id != identity::active_user()->id) { + access::forbidden(); + } + + print $this->_get_change_password_form($user); + } + + private function _get_change_password_form($user) { + $form = new Forge( + "users/change_password/$user->id", "", "post", array("id" => "g-change-password-user-form")); + $group = $form->group("change_password")->label(t("Change your password")); + $group->password("old_password")->label(t("Old password"))->id("g-password") + ->callback("user::valid_password") + ->error_messages("invalid", t("Incorrect password")); + $group->password("password")->label(t("New password"))->id("g-password") + ->error_messages("min_length", t("Your new password is too short")); + $group->script("") + ->text( + '$("form").ready(function(){$(\'input[name="password"]\').user_password_strength();});'); + $group->password("password2")->label(t("Confirm new password"))->id("g-password2") + ->matches($group->password) + ->error_messages("matches", t("The passwords you entered do not match")); + + module::event("user_change_password_form", $user, $form); + $group->submit("")->value(t("Save")); + return $form; } private function _get_edit_form($user) { $form = new Forge("users/update/$user->id", "", "post", array("id" => "g-edit-user-form")); - $group = $form->group("edit_user")->label(t("Edit User: %name", array("name" => $user->name))); + $group = $form->group("edit_user")->label(t("Edit your profile")); $group->input("full_name")->label(t("Full Name"))->id("g-fullname")->value($user->full_name) ->error_messages("length", t("Your name is too long")); self::_add_locale_dropdown($group, $user); - $group->password("password")->label(t("Password"))->id("g-password") - ->error_messages("min_length", t("Your password is too short")); - $group->password("password2")->label(t("Confirm Password"))->id("g-password2") - ->matches($group->password) - ->error_messages("matches", t("The passwords you entered do not match")); $group->input("email")->label(t("Email"))->id("g-email")->value($user->email) ->error_messages("email", t("You must enter a valid email address")) ->error_messages("length", t("Your email address is too long")) diff --git a/modules/user/helpers/user.php b/modules/user/helpers/user.php index 3561021f..7ceca6a5 100644 --- a/modules/user/helpers/user.php +++ b/modules/user/helpers/user.php @@ -70,6 +70,12 @@ class user_Core { return false; } + static function valid_password($password_input) { + if (!user::is_correct_password(identity::active_user(), $password_input->value)) { + $password_input->add_error("invalid", 1); + } + } + /** * Create the hashed passwords. * @param string $password a plaintext password diff --git a/modules/user/views/user_form.html.php b/modules/user/views/user_form.html.php deleted file mode 100644 index 4ce2b532..00000000 --- a/modules/user/views/user_form.html.php +++ /dev/null @@ -1,7 +0,0 @@ - - - -- cgit v1.2.3 From 99a7f470b93d35717f8d5979d05da6cf05a1dd20 Mon Sep 17 00:00:00 2001 From: Bharat Mediratta Date: Tue, 2 Feb 2010 21:48:01 -0800 Subject: Protect password changes against brute force attacks. --- modules/gallery/helpers/auth.php | 10 ++++++++-- modules/gallery/helpers/gallery_event.php | 12 ++++++++++-- modules/user/controllers/users.php | 12 ++++++++++-- 3 files changed, 28 insertions(+), 6 deletions(-) (limited to 'modules/gallery') diff --git a/modules/gallery/helpers/auth.php b/modules/gallery/helpers/auth.php index 16f8915a..717cf40a 100644 --- a/modules/gallery/helpers/auth.php +++ b/modules/gallery/helpers/auth.php @@ -78,10 +78,16 @@ class auth_Core { } } + static function validate_too_many_failed_password_changes($password_input) { + if (self::too_many_failed_logins(identity::active_user()->name)) { + $password_input->add_error("too_many_failed_password_changes", 1); + } + } + /** * Record a failed login for this user */ - static function record_failed_login($name) { + static function record_failed_auth_attempts($name) { $failed_login = ORM::factory("failed_login") ->where("name", "=", $name) ->find(); @@ -96,7 +102,7 @@ class auth_Core { /** * Clear any failed logins for this user */ - static function record_successful_login($user) { + static function clear_failed_logins($user) { db::build() ->delete("failed_logins") ->where("name", "=", $user->name) diff --git a/modules/gallery/helpers/gallery_event.php b/modules/gallery/helpers/gallery_event.php index 6479e2c3..7b538c49 100644 --- a/modules/gallery/helpers/gallery_event.php +++ b/modules/gallery/helpers/gallery_event.php @@ -110,11 +110,19 @@ class gallery_event_Core { graphics::choose_default_toolkit(); module::clear_var("gallery", "choose_default_tookit"); } - auth::record_successful_login($user); + auth::clear_failed_auth_attempts($user); } static function user_login_failed($name) { - auth::record_failed_login($name); + auth::record_failed_auth_attempts($name); + } + + static function user_password_changed($user) { + auth::clear_failed_auth_attempts($user); + } + + static function user_password_change_failed($name) { + auth::record_failed_auth_attempts($name); } static function item_index_data($item, $data) { diff --git a/modules/user/controllers/users.php b/modules/user/controllers/users.php index c11f22ff..166ff8b2 100644 --- a/modules/user/controllers/users.php +++ b/modules/user/controllers/users.php @@ -77,7 +77,7 @@ class Users_Controller extends Controller { // Translate ORM validation errors into form error messages foreach ($e->validation->errors() as $key => $error) { $form->change_password->inputs[$key]->add_error($error, 1); - } + } $valid = false; } @@ -85,10 +85,14 @@ class Users_Controller extends Controller { $user->save(); module::event("user_change_password_form_completed", $user, $form); message::success(t("Password changed")); + module::event("user_password_change", $user); print json_encode( array("result" => "success", "resource" => url::site("users/{$user->id}"))); } else { + log::warning("user", t("Failed password change for %name", array("name" => $user->name))); + $name = $user->name; + module::event("user_password_change_failed", $name); print json_encode(array("result" => "error", "form" => (string) $form)); } } @@ -116,8 +120,12 @@ class Users_Controller extends Controller { "users/change_password/$user->id", "", "post", array("id" => "g-change-password-user-form")); $group = $form->group("change_password")->label(t("Change your password")); $group->password("old_password")->label(t("Old password"))->id("g-password") + ->callback("auth::validate_too_many_failed_password_changes") ->callback("user::valid_password") - ->error_messages("invalid", t("Incorrect password")); + ->error_messages("invalid", t("Incorrect password")) + ->error_messages( + "too_many_failed_password_changes", + t("Too many incorrect passwords. Try again later")); $group->password("password")->label(t("New password"))->id("g-password") ->error_messages("min_length", t("Your new password is too short")); $group->script("") -- cgit v1.2.3