From 1e90e40d3a9fe2cb826b56686f23a33879418048 Mon Sep 17 00:00:00 2001
From: Bharat Mediratta
Date: Tue, 28 Jul 2009 13:47:22 -0700
Subject: Use events to generate menus, instead of having xxx_menu helpers. This is the first step towards having a simple, lightweight and unified API for module interaction.
---
modules/slideshow/helpers/slideshow_event.php | 30 +++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) (limited to 'modules/slideshow/helpers/slideshow_event.php')
diff --git a/modules/slideshow/helpers/slideshow_event.php b/modules/slideshow/helpers/slideshow_event.php
index c6cd7dc7..cf79f71a 100644
--- a/modules/slideshow/helpers/slideshow_event.php
+++ b/modules/slideshow/helpers/slideshow_event.php
@@ -29,4 +29,34 @@ class slideshow_event_Core {
 site_status::clear("slideshow_needs_rss");
 }
 }
+
+ static function album_menu($menu, $theme) {
+ $menu
+ ->append(Menu::factory("link")
+ ->id("slideshow")
+ ->label(t("View slideshow"))
+ ->url("javascript:PicLensLite.start(" .
+ "{maxScale:0,feedUrl:PicLensLite.indexFeeds()[0].url})")
+ ->css_id("gSlideshowLink"));
+ }
+
+ static function photo_menu($menu, $theme) {
+ $menu
+ ->append(Menu::factory("link")
+ ->id("slideshow")
+ ->label(t("View slideshow"))
+ ->url("javascript:PicLensLite.start(" .
+ "{maxScale:0,feedUrl:PicLensLite.indexFeeds()[0].url})")
+ ->css_id("gSlideshowLink"));
+ }
+
+ static function tag_menu($menu, $theme) {
+ $menu
+ ->append(Menu::factory("link")
+ ->id("slideshow")
+ ->label(t("View slideshow"))
+ ->url("javascript:PicLensLite.start(" .
+ "{maxScale:0,feedUrl:PicLensLite.indexFeeds()[0].url})")
+ ->css_id("gSlideshowLink"));
+ }
 }
--
cgit v1.2.3
From 93138f6ae78fd5ef11ea5095156827592f61bc56 Mon Sep 17 00:00:00 2001
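Review bot: The bodies of `album_menu`, `photo_menu` and `tag_menu` are byte-identical, and none of them reads the `$theme` argument it receives, so the PicLens invocation now lives in three places that must be kept in sync. A private helper such as `private static function _slideshow_link() { return Menu::factory("link")->id("slideshow")->label(t("View slideshow"))->url(...)->css_id("gSlideshowLink"); }`, with each handler reduced to `$menu->append(self::_slideshow_link());`, keeps one copy. A short docblock on the handlers saying they are invoked by the menu event with the current `Menu` and theme view and only append to it would help, since the event contract is not visible in this file. The `javascript:` href is a constant string here, so no request data reaches it; a comment stating that keeps it true if the feed URL is ever computed at runtime.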
From: Tim Almdal
Date: Thu, 27 Aug 2009 15:04:14 -0700
Subject: Don't display the slideshow icon if there are no descendants. ticket #660
---
modules/slideshow/helpers/slideshow_event.php | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) (limited to 'modules/slideshow/helpers/slideshow_event.php')
diff --git a/modules/slideshow/helpers/slideshow_event.php b/modules/slideshow/helpers/slideshow_event.php
index cf79f71a..1b881de4 100644
--- a/modules/slideshow/helpers/slideshow_event.php
+++ b/modules/slideshow/helpers/slideshow_event.php
@@ -31,13 +31,17 @@ class slideshow_event_Core {
 }
 static function album_menu($menu, $theme) {
- $menu
- ->append(Menu::factory("link")
- ->id("slideshow")
- ->label(t("View slideshow"))
- ->url("javascript:PicLensLite.start(" .
- "{maxScale:0,feedUrl:PicLensLite.indexFeeds()[0].url})")
- ->css_id("gSlideshowLink"));
+ $descendants_count = ORM::factory("item", $theme->item->id)
+ ->descendants_count(array("type" => "photo"));
+ if ($descendants_count > 1) {
+ $menu
+ ->append(Menu::factory("link")
+ ->id("slideshow")
+ ->label(t("View slideshow"))
+ ->url("javascript:PicLensLite.start(" .
+ "{maxScale:0,feedUrl:PicLensLite.indexFeeds()[0].url})")
+ ->css_id("gSlideshowLink"));
+ }
 }
 static function photo_menu($menu, $theme) {
--
cgit v1.2.3
From 8312eb116e65195e3fc70d59b3b0817b9c807287 Mon Sep 17 00:00:00 2001
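Review bot: The new guard in `album_menu` only shows the link when `$descendants_count > 1`, which also hides it for an album holding exactly one photo, while the commit subject says the icon should disappear when there are no descendants; if a single photo should still be playable the test should read `if ($descendants_count > 0) {`, otherwise a comment such as `// a slideshow needs at least two photos` should record the intent. `ORM::factory("item", $theme->item->id)` re-fetches an item the theme already holds; if `$theme->item` is the same model, `$theme->item->descendants_count(array("type" => "photo"))` avoids the extra query — can't confirm from here. It is also not visible whether `descendants_count()` applies the viewer's permissions, so the count presumably includes photos the current user cannot see, in which case the link may appear on albums with no viewable photos. `photo_menu` and `tag_menu` keep the unconditional link.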
From: Andy Staudacher
Date: Mon, 31 Aug 2009 02:12:01 -0700
Subject: XSS review fixes (mostly adding missing html::mark_clean()) calls.
---
modules/akismet/controllers/admin_akismet.php | 3 +- .../controllers/admin_advanced_settings.php | 2 +- modules/gallery/controllers/admin_maintenance.php | 2 +- modules/gallery/controllers/albums.php | 238 ++++++++++----------- modules/gallery/controllers/photos.php | 3 +- modules/gallery/helpers/graphics.php | 4 +- modules/notification/controllers/notification.php | 4 +- modules/slideshow/helpers/slideshow_event.php | 2 +- 8 files changed, 130 insertions(+), 128 deletions(-) (limited to 'modules/slideshow/helpers/slideshow_event.php')
diff --git a/modules/akismet/controllers/admin_akismet.php b/modules/akismet/controllers/admin_akismet.php
index 9ba89bd4..ca3a1473 100644
--- a/modules/akismet/controllers/admin_akismet.php
+++ b/modules/akismet/controllers/admin_akismet.php
@@ -45,7 +45,8 @@ class Admin_Akismet_Controller extends Admin_Controller {
 message::success(t("Your Akismet key has been saved."));
 }
- log::success("akismet", t("Akismet key changed to $new_key"));
+ log::success("akismet", t("Akismet key changed to %new_key",
+ array("new_key" => $new_key)));
 module::set_var("akismet", "api_key", $new_key);
 akismet::check_config();
 url::redirect("admin/akismet");
diff --git a/modules/gallery/controllers/admin_advanced_settings.php b/modules/gallery/controllers/admin_advanced_settings.php
index 43c77340..79bc1183 100644
--- a/modules/gallery/controllers/admin_advanced_settings.php
+++ b/modules/gallery/controllers/admin_advanced_settings.php
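Review bot: Passing `$new_key` as a t() parameter instead of interpolating it fixes the escaping, but the log entry still records the Akismet API key itself, so the secret ends up persisted in the site log where anyone who can read the log sees it. Logging only the fact of the change, `log::success("akismet", t("Akismet key changed"));`, keeps the key out of the log; the value is already persisted by the `module::set_var` call on the next line. The enclosing method starts before the hunk, so where `$new_key` comes from is not visible here.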
@@ -46,7 +46,7 @@ class Admin_Advanced_Settings_Controller extends Admin_Controller {
 module::set_var($module_name, $var_name, Input::instance()->post("value"));
 message::success(
 t("Saved value for %var (%module_name)",
- array("var" => html::clean($var_name), "module_name" => $module_name)));
+ array("var" => $var_name, "module_name" => $module_name)));
 print json_encode(array("result" => "success"));
 }
diff --git a/modules/gallery/controllers/admin_maintenance.php b/modules/gallery/controllers/admin_maintenance.php
index 543961a1..66bcce55 100644
--- a/modules/gallery/controllers/admin_maintenance.php
+++ b/modules/gallery/controllers/admin_maintenance.php
@@ -34,7 +34,7 @@ class Admin_Maintenance_Controller extends Admin_Controller {
 "%count tasks are stalled", $stalled_count),
 t('view',
- array("url" => url::site("admin/maintenance"))));
+ array("url" => html::mark_clean(url::site("admin/maintenance")))));
 }
 $view = new Admin_View("admin.html");
diff --git a/modules/gallery/controllers/albums.php b/modules/gallery/controllers/albums.php
index ec3eb426..78f12c80 100644
--- a/modules/gallery/controllers/albums.php
+++ b/modules/gallery/controllers/albums.php
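Review bot: Dropping `html::clean($var_name)` makes the safety of this message depend entirely on t() escaping its parameters — `$var_name` presumably originates from the request, since it is written straight into `module::set_var` on the line above, but its source is outside the hunk. That convention is applied consistently across this commit yet stated nowhere in it; a one-line comment at the call site, `// t() escapes parameters; only html::mark_clean() values are inserted raw`, would record why the explicit escape was removed. `$module_name` in the same array was never escaped, so it already relied on the same behaviour.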
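Review bot: `html::mark_clean(url::site("admin/maintenance"))` tells t() to insert the value verbatim, which is safe only because the argument is a literal path; the same pattern appears in the graphics.php hunk (the `sprintf('href="%s" class="gDialogLink"', ...)` attribute fragment, with `__CSRF__` substituted later) and in the slideshow_event.php hunk's `admin/modules` link. A comment at each site such as `// constant path, no request data: safe to mark clean` would keep a future edit that routes a user-influenced value through url::site() here from silently bypassing escaping. The graphics.php case marks clean an attribute fragment rather than a bare URL, so it is the one most worth the comment.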
@@ -1,118 +1,118 @@ -id == 1) { - $view = new Theme_View("page.html", "login"); - $view->page_title = t("Log in to Gallery"); - $view->content = user::get_login_form("login/auth_html"); - print $view; - return; - } else { - access::forbidden(); - } - } - - $show = $this->input->get("show"); - - if ($show) { - $index = $album->get_position($show); - $page = ceil($index / $page_size); - if ($page == 1) { - url::redirect("albums/$album->id"); - } else { - url::redirect("albums/$album->id?page=$page"); - } - } - - $page = $this->input->get("page", "1"); - $children_count = $album->viewable()->children_count(); - $offset = ($page - 1) * $page_size; - $max_pages = max(ceil($children_count / $page_size), 1); - - // Make sure that the page references a valid offset - if ($page < 1) { - url::redirect("albums/$album->id"); - } else if ($page > $max_pages) { - url::redirect("albums/$album->id?page=$max_pages"); - } - - $template = new Theme_View("page.html", "album"); - $template->set_global("page_size", $page_size); - $template->set_global("item", $album); - $template->set_global("children", $album->viewable()->children($page_size, $offset)); - $template->set_global("children_count", $children_count); - $template->set_global("parents", $album->parents()); - $template->content = new View("album.html"); - - // We can't use math in ORM or the query builder, so do this by hand. It's important - // that we do this with math, otherwise concurrent accesses will damage accuracy. 
- Database::instance()->query( - "UPDATE {items} SET `view_count` = `view_count` + 1 WHERE `id` = $album->id"); - - print $template; - } - - /** - * @see REST_Controller::_create($resource) - */ - public function _create($album) { - access::verify_csrf(); - access::required("view", $album); - access::required("add", $album); - - switch ($this->input->post("type")) { - case "album": - return $this->_create_album($album); - - case "photo": - return $this->_create_photo($album); - - default: - access::forbidden(); - } - } - - private function _create_album($album) { - access::required("view", $album); - access::required("add", $album); - - $form = album::get_add_form($album); - if ($form->validate()) { - $new_album = album::create( - $album, - $this->input->post("name"), - $this->input->post("title", $this->input->post("name")), - $this->input->post("description"), - user::active()->id); - - log::success("content", "Created an album", - html::anchor("albums/$new_album->id", "view album")); - message::success( - t("Created album %album_title", array("album_title" => $new_album->title))); + id == 1) { + $view = new Theme_View("page.html", "login"); + $view->page_title = t("Log in to Gallery"); + $view->content = user::get_login_form("login/auth_html"); + print $view; + return; + } else { + access::forbidden(); + } + } + + $show = $this->input->get("show"); + + if ($show) { + $index = $album->get_position($show); + $page = ceil($index / $page_size); + if ($page == 1) { + url::redirect("albums/$album->id"); + } else { + url::redirect("albums/$album->id?page=$page"); + } + } + + $page = $this->input->get("page", "1"); + $children_count = $album->viewable()->children_count(); + $offset = ($page - 1) * $page_size; + $max_pages = max(ceil($children_count / $page_size), 1); + + // Make sure that the page references a valid offset + if ($page < 1) { + url::redirect("albums/$album->id"); + } else if ($page > $max_pages) { + url::redirect("albums/$album->id?page=$max_pages"); + } 
+ + $template = new Theme_View("page.html", "album"); + $template->set_global("page_size", $page_size); + $template->set_global("item", $album); + $template->set_global("children", $album->viewable()->children($page_size, $offset)); + $template->set_global("children_count", $children_count); + $template->set_global("parents", $album->parents()); + $template->content = new View("album.html"); + + // We can't use math in ORM or the query builder, so do this by hand. It's important + // that we do this with math, otherwise concurrent accesses will damage accuracy. + Database::instance()->query( + "UPDATE {items} SET `view_count` = `view_count` + 1 WHERE `id` = $album->id"); + + print $template; + } + + /** + * @see REST_Controller::_create($resource) + */ + public function _create($album) { + access::verify_csrf(); + access::required("view", $album); + access::required("add", $album); + + switch ($this->input->post("type")) { + case "album": + return $this->_create_album($album); + + case "photo": + return $this->_create_photo($album); + + default: + access::forbidden(); + } + } + + private function _create_album($album) { + access::required("view", $album); + access::required("add", $album); + + $form = album::get_add_form($album); + if ($form->validate()) { + $new_album = album::create( + $album, + $this->input->post("name"), + $this->input->post("title", $this->input->post("name")), + $this->input->post("description"), + user::active()->id); + + log::success("content", "Created an album", + html::anchor("albums/$new_album->id", "view album")); + message::success(t("Created album %album_title", + array("album_title" => html::purify($new_album->title)))); print json_encode( array("result" => "success", 
@@ -144,8 +144,8 @@ class Albums_Controller extends Items_Controller {
 user::active()->id);
 log::success("content", "Added a photo",
 html::anchor("photos/$photo->id", "view photo"));
- message::success(
- t("Added photo %photo_title", array("photo_title" => $photo->title)));
+ message::success(t("Added photo %photo_title",
+ array("photo_title" => html::purify($photo->title))));
 print json_encode(
 array("result" => "success",
@@ -193,8 +193,8 @@ class Albums_Controller extends Items_Controller {
 module::event("item_edit_form_completed", $album, $form);
 log::success("content", "Updated album",
 "id\">view");
- message::success(
- t("Saved album %album_title", array("album_title" => $album->title)));
+ message::success(t("Saved album %album_title",
+ array("album_title" => html::purify($album->title))));
 print json_encode(
 array("result" => "success",
diff --git a/modules/gallery/controllers/photos.php b/modules/gallery/controllers/photos.php
index 3447b4c6..3b9662c7 100644
--- a/modules/gallery/controllers/photos.php
+++ b/modules/gallery/controllers/photos.php
@@ -86,7 +86,8 @@ class Photos_Controller extends Items_Controller {
 log::success("content", "Updated photo",
 "id\">view");
 message::success(
- t("Saved photo %photo_title", array("photo_title" => $photo->title)));
+ t("Saved photo %photo_title",
+ array("photo_title" => html::purify($photo->title))));
 print json_encode(
 array("result" => "success",
diff --git a/modules/gallery/helpers/graphics.php b/modules/gallery/helpers/graphics.php
index acbcb9b2..521dc5a4 100644
--- a/modules/gallery/helpers/graphics.php
+++ b/modules/gallery/helpers/graphics.php
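Review bot: `html::purify($photo->title)` is handed to t() as a parameter, which mixes two escaping conventions in one commit: the admin_advanced_settings hunk relies on t() to escape a raw parameter, while here a sanitizer runs first. If purify's result is not marked clean, t() escapes it a second time and a title containing `&` renders as `&amp;amp;`; if it is marked clean, then a markup sanitizer rather than an escaper decides what survives in a plain-text flash message — which of the two applies is not visible here. Since item titles are plain text, passing `$photo->title` unmodified and letting t() escape it (or `html::clean($photo->title)` if an explicit step is wanted) is the simpler invariant; the same applies to the `-193` hunk below, to the photos.php hunk, and to the `_create_album` change in the albums.php rewrite above.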
@@ -326,9 +326,9 @@ class graphics_Core {
 t2("One of your photos is out of date. Click here to fix it",
 "%count of your photos are out of date. Click here to fix them",
 $count,
- array("attrs" => sprintf(
+ array("attrs" => html::mark_clean(sprintf(
 'href="%s" class="gDialogLink"',
- url::site("admin/maintenance/start/gallery_task::rebuild_dirty_images?csrf=__CSRF__")))),
+ url::site("admin/maintenance/start/gallery_task::rebuild_dirty_images?csrf=__CSRF__"))))),
 "graphics_dirty");
 }
 }
diff --git a/modules/notification/controllers/notification.php b/modules/notification/controllers/notification.php
index ffb4b46a..5745de5d 100644
--- a/modules/notification/controllers/notification.php
+++ b/modules/notification/controllers/notification.php
@@ -26,10 +26,10 @@ class Notification_Controller extends Controller {
 if (notification::is_watching($item)) {
 notification::remove_watch($item);
- message::success(sprintf(t("You are no longer watching %s"), $item->title));
+ message::success(sprintf(t("You are no longer watching %s"), html::purify($item->title)));
 } else {
 notification::add_watch($item);
- message::success(sprintf(t("You are now watching %s"), $item->title));
+ message::success(sprintf(t("You are now watching %s"), html::purify($item->title)));
 }
 url::redirect($item->url(array(), true));
 }
diff --git a/modules/slideshow/helpers/slideshow_event.php b/modules/slideshow/helpers/slideshow_event.php
index 1b881de4..77e296e8 100644
--- a/modules/slideshow/helpers/slideshow_event.php
+++ b/modules/slideshow/helpers/slideshow_event.php
@@ -23,7 +23,7 @@ class slideshow_event_Core {
 site_status::warning(
 t("The Slideshow module requires the RSS module. " .
 "Activate the RSS module now",
- array("url" => url::site("admin/modules"))),
+ array("url" => html::mark_clean(url::site("admin/modules")))),
 "slideshow_needs_rss");
 } else {
 site_status::clear("slideshow_needs_rss");
--
cgit v1.2.3
From 03c5c117759aca8a3d898c6c4f03da6ddf67e81d Mon Sep 17 00:00:00 2001
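Review bot: Both changed lines in the notification.php hunk still build the message with `sprintf(t("... %s"), ...)`, so the translated string is formatted outside t() and t()'s parameter handling never sees `$item->title`; the escaping there rests entirely on `html::purify()` returning HTML-safe text, unlike the other hunks in this commit, which pass titles as t() parameters. Rewriting as `message::success(t("You are now watching %title", array("title" => $item->title)));` (and likewise for the "no longer watching" branch) routes the user-supplied title through the same path as everywhere else and gives translators a named placeholder. The enclosing method starts before that hunk.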
From: Bharat Mediratta
Date: Tue, 1 Sep 2009 20:13:23 -0700
Subject: Allow the RSS feed page size to be customizeable, up to 100 items (to mitigate DoS attacks). Have PicLens request a 100-item page to mitigate the bug where it refuses to load the 2nd page. Mitigates #23.
---
modules/rss/controllers/rss.php | 5 ++- modules/slideshow/helpers/slideshow_event.php | 52 +++++++++++++++------------ 2 files changed, 34 insertions(+), 23 deletions(-) (limited to 'modules/slideshow/helpers/slideshow_event.php')
diff --git a/modules/rss/controllers/rss.php b/modules/rss/controllers/rss.php
index e9dd9fff..b89bed40 100644
--- a/modules/rss/controllers/rss.php
+++ b/modules/rss/controllers/rss.php
@@ -26,13 +26,16 @@ class Rss_Controller extends Controller {
 url::redirect(url::merge(array("page" => 1)));
 }
+ // Configurable page size between 1 and 100, default 20
+ $page_size = max(1, min(100, $this->input->get("page_size", self::$page_size)));
+
 // Run the appropriate feed callback
 if (module::is_active($module_id)) {
 $class_name = "{$module_id}_rss";
 if (method_exists($class_name, "feed")) {
 $feed = call_user_func(
 array($class_name, "feed"), $feed_id,
- ($page - 1) * self::$page_size, self::$page_size, $id);
+ ($page - 1) * $page_size, $page_size, $id);
 }
 }
 if (empty($feed)) {
diff --git a/modules/slideshow/helpers/slideshow_event.php b/modules/slideshow/helpers/slideshow_event.php
index 77e296e8..ce26b189 100644
--- a/modules/slideshow/helpers/slideshow_event.php
+++ b/modules/slideshow/helpers/slideshow_event.php
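Review bot: `max(1, min(100, $this->input->get("page_size", self::$page_size)))` clamps by numeric comparison but returns the original operand, so a query value that is not a clean integer (a constructed example: `50abc`) can come back as that string rather than a number and is handed unchanged to the feed callback's offset and limit arguments on the `call_user_func` lines. Casting before clamping, `$page_size = max(1, min(100, (int) $this->input->get("page_size", self::$page_size)));`, guarantees the callbacks only ever see an int in 1..100 and keeps the `($page - 1) * $page_size` arithmetic integer. What each `*_rss::feed` does with the limit is outside this hunk, and `$page` is validated before the hunk starts.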
@@ -31,36 +31,44 @@ class slideshow_event_Core {
 }
 static function album_menu($menu, $theme) {
- $descendants_count = ORM::factory("item", $theme->item->id)
+ $descendants_count = ORM::factory("item", $theme->item()->id)
 ->descendants_count(array("type" => "photo"));
 if ($descendants_count > 1) {
- $menu
- ->append(Menu::factory("link")
- ->id("slideshow")
- ->label(t("View slideshow"))
- ->url("javascript:PicLensLite.start(" .
- "{maxScale:0,feedUrl:PicLensLite.indexFeeds()[0].url})")
- ->css_id("gSlideshowLink"));
+ $menu->append(Menu::factory("link")
+ ->id("slideshow")
+ ->label(t("View slideshow"))
+ ->url("javascript:PicLensLite.start(" .
+ "{maxScale:0,feedUrl:'" . self::_feed_url($theme) . "'})")
+ ->css_id("gSlideshowLink"));
 }
 }
 static function photo_menu($menu, $theme) {
- $menu
- ->append(Menu::factory("link")
- ->id("slideshow")
- ->label(t("View slideshow"))
- ->url("javascript:PicLensLite.start(" .
- "{maxScale:0,feedUrl:PicLensLite.indexFeeds()[0].url})")
- ->css_id("gSlideshowLink"));
+ $menu->append(Menu::factory("link")
+ ->id("slideshow")
+ ->label(t("View slideshow"))
+ ->url("javascript:PicLensLite.start(" .
+ "{maxScale:0,feedUrl:'" . self::_feed_url($theme) . "'})")
+ ->css_id("gSlideshowLink"));
 }
 static function tag_menu($menu, $theme) {
- $menu
- ->append(Menu::factory("link")
- ->id("slideshow")
- ->label(t("View slideshow"))
- ->url("javascript:PicLensLite.start(" .
- "{maxScale:0,feedUrl:PicLensLite.indexFeeds()[0].url})")
- ->css_id("gSlideshowLink"));
+ $menu->append(Menu::factory("link")
+ ->id("slideshow")
+ ->label(t("View slideshow"))
+ ->url("javascript:PicLensLite.start(" .
+ "{maxScale:0,feedUrl:'" . self::_feed_url($theme) . "'})")
+ ->css_id("gSlideshowLink"));
+ }
+
+ private static function _feed_url($theme) {
+ if ($item = $theme->item()) {
+ if (!$item->is_album()) {
+ $item = $item->parent();
+ }
+ return rss::url("gallery/album/{$item->id}?page_size=100");
+ } else {
+ return rss::url("tag/tag/{$theme->tag()->id}?page_size=100");
+ }
 }
 }
--
cgit v1.2.3
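Review bot: The value of `_feed_url()` is spliced into a single-quoted JavaScript string literal inside a `javascript:` href in all three `->url(...)` calls with no JS-string escaping; today the only variable parts are integer ids and whatever `rss::url()` prepends, so nothing request-controlled reaches the literal, but that invariant is implicit. Either record it on the helper, `// ids are ints and rss::url() is config-derived, so the result is safe inside a JS string literal`, or build the literal with `"{maxScale:0,feedUrl:" . json_encode(self::_feed_url($theme)) . "})"` so the quoting is handled for any future value. The `else` branch also assumes `$theme->tag()` is non-null whenever `item()` is null, which is a method call on null for a theme view with neither — presumably only tag pages reach `tag_menu`, but a guard or comment would make that explicit. The last two context `}` lines close `_feed_url` and the class.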