From 04b90c3bdef9b2f4daf8bffc1e814b0bac9912f4 Mon Sep 17 00:00:00 2001 From: Tim Almdal Date: Sat, 15 May 2010 23:42:55 -0700 Subject: Remove the item id from the rest/gallery/items url as that was inconsistent. Add the query parameter ancestors_for= to provide a restful way to retrieve the ancestors of an item. (cherry picked from commit e9c8a8ae532e785ab95e6b43864c93b485785d6c) Conflicts: modules/gallery/helpers/items_rest.php --- modules/gallery/helpers/items_rest.php | 60 ++++++++++--- modules/gallery/tests/Items_Rest_Helper_Test.php | 103 +++++++++++++++++++++++ 2 files changed, 149 insertions(+), 14 deletions(-) create mode 100644 modules/gallery/tests/Items_Rest_Helper_Test.php (limited to 'modules') diff --git a/modules/gallery/helpers/items_rest.php b/modules/gallery/helpers/items_rest.php index 5d8e80b2..4f50e434 100644 --- a/modules/gallery/helpers/items_rest.php +++ b/modules/gallery/helpers/items_rest.php @@ -18,28 +18,60 @@ * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA. */ class items_rest_Core { + /** + * To retrieve a collection of items, you can specify the following query parameters to specify the + * type of the collection. If both are specified, then the url parameter is used and the + * ancestor_for is ignored. + * + * urls=url1,url2,url3 + * return items that match the specified urls. Typically used to return the member detail + * + * ancestor_for=url + * return the ancestors of the specified item + */ static function get($request) { - $items = array(); - if (isset($request->params->url)) { - foreach (json_decode($request->params->url) as $url) { + if (isset($request->params->urls)) { + foreach (json_decode($request->params->urls) as $url) { $item = rest::resolve($url); if (access::can("view", $item)) { - $item_rest = array("url" => $url, - "entity" => $item->as_restful_array(), - "relationship" => rest::relationships("item", $item)); - if ($item->type == "album") { - $members = array(); - foreach ($item->children() as $child) { - $members[] = rest::url("item", $child); - } - $item_rest["members"] = $members; - } - $items[] = $item_rest; + $items[] = items_rest::format_restful_item($item); } } + } else if (isset($request->params->ancestor_for)) { + $item = rest::resolve($request->params->ancestor_for); + if (!access::can("view", $item)) { + throw new Kohana_404_Exception(); + } + $items[] = items_rest::format_restful_item($item); + while (($item = $item->parent()) != null) { + array_unshift($items, items_rest::format_restful_item($item)); + }; } return $items; } + + static function resolve($id) { + $item = ORM::factory("item", $id); + if (!access::can("view", $item)) { + throw new Kohana_404_Exception(); + } + return $item; + } + + private static function format_restful_item($item) { + $item_rest = array("url" => rest::url("item", $item), + "entity" => $item->as_restful_array(), + "relationships" => rest::relationships("item", $item)); + if ($item->type == "album") { + $members = array(); + foreach ($item->children() as $child) { + $members[] = rest::url("item", $child); + } + $item_rest["members"] = $members; + } + + return $item_rest; + } } diff --git a/modules/gallery/tests/Items_Rest_Helper_Test.php b/modules/gallery/tests/Items_Rest_Helper_Test.php new file mode 100644 index 00000000..cd01ae0c --- /dev/null +++ b/modules/gallery/tests/Items_Rest_Helper_Test.php @@ -0,0 +1,103 @@ +reload(); + $album2->reload(); + + $request = new stdClass(); + $request->params = new stdClass(); + $request->params->urls = json_encode(array( + rest::url("item", $photo1), + rest::url("item", $album2))); + $this->assert_equal_array( + array( + array("url" => rest::url("item", $photo1), + "entity" => $photo1->as_restful_array(), + "relationships" => array( + "tags" => array( + "url" => rest::url("item_tags", $photo1), + "members" => array()))), + array("url" => rest::url("item", $album2), + "entity" => $album2->as_restful_array(), + "relationships" => array( + "tags" => array( + "url" => rest::url("item_tags", $album2), + "members" => array())), + "members" => array( + rest::url("item", $photo2)))), + items_rest::get($request)); + } + + public function get_ancestor_test() { + $album1 = test::random_album(); + $photo1 = test::random_photo($album1); + $album2 = test::random_album($album1); + $photo2 = test::random_photo($album2); + $album1->reload(); + $album2->reload(); + + $root = ORM::factory("item", 1); + $restful_root = array( + "url" => rest::url("item", $root), + "entity" => $root->as_restful_array(), + "relationships" => rest::relationships("item", $root)); + $restful_root["members"] = array(); + foreach ($root->children() as $child) { + $restful_root["members"][] = rest::url("item", $child); + } + + $request = new stdClass(); + $request->params = new stdClass(); + $request->params->ancestor_for = rest::url("item", $photo2); + $this->assert_equal_array( + array( + $restful_root, + array("url" => rest::url("item", $album1), + "entity" => $album1->as_restful_array(), + "relationships" => array( + "tags" => array( + "url" => rest::url("item_tags", $album1), + "members" => array())), + "members" => array( + rest::url("item", $photo1), + rest::url("item", $album2)), + ), + array("url" => rest::url("item", $album2), + "entity" => $album2->as_restful_array(), + "relationships" => array( + "tags" => array( + "url" => rest::url("item_tags", $album2), + "members" => array())), + "members" => array( + rest::url("item", $photo2))), + array("url" => rest::url("item", $photo2), + "entity" => $photo2->as_restful_array(), + "relationships" => array( + "tags" => array( + "url" => rest::url("item_tags", $photo2), + "members" => array())))), + items_rest::get($request)); + } +} -- cgit v1.2.3 From a600185b605a37ca1b60cb6d9814d5441f54cd88 Mon Sep 17 00:00:00 2001 From: Tim Almdal Date: Mon, 10 May 2010 06:31:38 -0700 Subject: Allow the use of the type query parameter to filter the results of a rest/gallery/items?urls=... request. This allows the client to pass the entire list of member urls and have the rest server filter the results based on the specified types. (cherry picked from commit 3fe10b15cf9359b66452c24965df575203e8af8e) --- modules/gallery/helpers/items_rest.php | 22 ++++-- modules/gallery/tests/Items_Rest_Helper_Test.php | 85 ++++++++++++++++++++++++ 2 files changed, 103 insertions(+), 4 deletions(-) (limited to 'modules') diff --git a/modules/gallery/helpers/items_rest.php b/modules/gallery/helpers/items_rest.php index 4f50e434..32597a65 100644 --- a/modules/gallery/helpers/items_rest.php +++ b/modules/gallery/helpers/items_rest.php @@ -19,23 +19,37 @@ */ class items_rest_Core { /** - * To retrieve a collection of items, you can specify the following query parameters to specify the - * type of the collection. If both are specified, then the url parameter is used and the - * ancestor_for is ignored. + * To retrieve a collection of items, you can specify the following query parameters to specify + * the type of the collection. If both are specified, then the url parameter is used and the + * ancestor_for is ignored. Specifying the "type" parameter with the urls parameter, will + * filter the results based on the specified type. Using the type parameter with the + * ancestor_for parameter makes no sense and will be ignored. * * urls=url1,url2,url3 * return items that match the specified urls. Typically used to return the member detail * * ancestor_for=url * return the ancestors of the specified item + * + * type= + * limit the type to types in this list. eg, "type=photo,movie" */ static function get($request) { $items = array(); if (isset($request->params->urls)) { foreach (json_decode($request->params->urls) as $url) { + if (isset($request->params->type)) { + $types = explode(",", $request->params->type); + } $item = rest::resolve($url); if (access::can("view", $item)) { - $items[] = items_rest::format_restful_item($item); + if (isset($types)) { + if (in_array($item->type, $types)) { + $items[] = items_rest::format_restful_item($item); + } + } else { + $items[] = items_rest::format_restful_item($item); + } } } } else if (isset($request->params->ancestor_for)) { diff --git a/modules/gallery/tests/Items_Rest_Helper_Test.php b/modules/gallery/tests/Items_Rest_Helper_Test.php index cd01ae0c..94bf912a 100644 --- a/modules/gallery/tests/Items_Rest_Helper_Test.php +++ b/modules/gallery/tests/Items_Rest_Helper_Test.php @@ -50,6 +50,91 @@ class Items_Rest_Helper_Test extends Gallery_Unit_Test_Case { items_rest::get($request)); } + public function get_url_filter_album_test() { + $album1 = test::random_album(); + $photo1 = test::random_photo($album1); + $album2 = test::random_album($album1); + $photo2 = test::random_photo($album2); + $album1->reload(); + $album2->reload(); + + $request = new stdClass(); + $request->params = new stdClass(); + $request->params->urls = json_encode(array( + rest::url("item", $photo1), + rest::url("item", $album2))); + $request->params->type = "album"; + $this->assert_equal_array( + array( + array("url" => rest::url("item", $album2), + "entity" => $album2->as_restful_array(), + "relationships" => array( + "tags" => array( + "url" => rest::url("item_tags", $album2), + "members" => array())), + "members" => array( + rest::url("item", $photo2)))), + items_rest::get($request)); + } + + public function get_url_filter_photo_test() { + $album1 = test::random_album(); + $photo1 = test::random_photo($album1); + $album2 = test::random_album($album1); + $photo2 = test::random_photo($album2); + $album1->reload(); + $album2->reload(); + + $request = new stdClass(); + $request->params = new stdClass(); + $request->params->urls = json_encode(array( + rest::url("item", $photo1), + rest::url("item", $album2))); + $request->params->type = "photo"; + $this->assert_equal_array( + array( + array("url" => rest::url("item", $photo1), + "entity" => $photo1->as_restful_array(), + "relationships" => array( + "tags" => array( + "url" => rest::url("item_tags", $photo1), + "members" => array())))), + items_rest::get($request)); + } + + public function get_url_filter_albums_photos_test() { + $album1 = test::random_album(); + $photo1 = test::random_photo($album1); + $album2 = test::random_album($album1); + $photo2 = test::random_photo($album2); + $album1->reload(); + $album2->reload(); + + $request = new stdClass(); + $request->params = new stdClass(); + $request->params->urls = json_encode(array( + rest::url("item", $photo1), + rest::url("item", $album2))); + $request->params->type = "photo,album"; + $this->assert_equal_array( + array( + array("url" => rest::url("item", $photo1), + "entity" => $photo1->as_restful_array(), + "relationships" => array( + "tags" => array( + "url" => rest::url("item_tags", $photo1), + "members" => array()))), + array("url" => rest::url("item", $album2), + "entity" => $album2->as_restful_array(), + "relationships" => array( + "tags" => array( + "url" => rest::url("item_tags", $album2), + "members" => array())), + "members" => array( + rest::url("item", $photo2)))), + items_rest::get($request)); + } + public function get_ancestor_test() { $album1 = test::random_album(); $photo1 = test::random_photo($album1); -- cgit v1.2.3 From 686da5a3e069d180e198fcc8dc3e2ed422f725b9 Mon Sep 17 00:00:00 2001 From: Tim Almdal Date: Tue, 18 May 2010 06:16:47 -0700 Subject: Save the item before updating the order of the children. Also always increment the weight count (even if it is equal to the weight of the current child) --- modules/gallery/helpers/item_rest.php | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'modules') diff --git a/modules/gallery/helpers/item_rest.php b/modules/gallery/helpers/item_rest.php index 36d2ca62..298c2f4a 100644 --- a/modules/gallery/helpers/item_rest.php +++ b/modules/gallery/helpers/item_rest.php @@ -126,18 +126,19 @@ class item_rest_Core { } } } + $item->save(); - $weight = 0; if (isset($request->params->members)) { + $weight = 0; foreach ($request->params->members as $url) { $child = rest::resolve($url); if ($child->parent_id == $item->id && $child->weight != $weight) { - $child->weight = $weight++; + $child->weight = $weight; $child->save(); } + $weight++; } } - $item->save(); } static function post($request) { -- cgit v1.2.3 From ed1905d3f94847a64656e52858de8c363c001df7 Mon Sep 17 00:00:00 2001 From: Tim Almdal Date: Fri, 4 Jun 2010 11:22:51 -0700 Subject: Change the name of the private format_restful_item to _format_restful_item so that the File_Structure_Test will pass. --- modules/gallery/helpers/items_rest.php | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'modules') diff --git a/modules/gallery/helpers/items_rest.php b/modules/gallery/helpers/items_rest.php index 32597a65..32f6c036 100644 --- a/modules/gallery/helpers/items_rest.php +++ b/modules/gallery/helpers/items_rest.php @@ -45,10 +45,10 @@ class items_rest_Core { if (access::can("view", $item)) { if (isset($types)) { if (in_array($item->type, $types)) { - $items[] = items_rest::format_restful_item($item); + $items[] = items_rest::_format_restful_item($item); } } else { - $items[] = items_rest::format_restful_item($item); + $items[] = items_rest::_format_restful_item($item); } } } @@ -57,9 +57,9 @@ class items_rest_Core { if (!access::can("view", $item)) { throw new Kohana_404_Exception(); } - $items[] = items_rest::format_restful_item($item); + $items[] = items_rest::_format_restful_item($item); while (($item = $item->parent()) != null) { - array_unshift($items, items_rest::format_restful_item($item)); + array_unshift($items, items_rest::_format_restful_item($item)); }; } @@ -74,7 +74,7 @@ class items_rest_Core { return $item; } - private static function format_restful_item($item) { + private static function _format_restful_item($item) { $item_rest = array("url" => rest::url("item", $item), "entity" => $item->as_restful_array(), "relationships" => rest::relationships("item", $item)); -- cgit v1.2.3 From fd437aec2bbd3e65b330b0790af970ca7e078636 Mon Sep 17 00:00:00 2001 From: Tim Almdal Date: Fri, 4 Jun 2010 13:58:49 -0700 Subject: Correct XSS Security Test golden file for recent changes. Update the controller_auth data file for the rename of admin_comments to admin_manage_comments. --- modules/gallery/tests/controller_auth_data.txt | 2 +- modules/gallery/tests/xss_data.txt | 37 +++++++++++++------------- 2 files changed, 19 insertions(+), 20 deletions(-) (limited to 'modules') diff --git a/modules/gallery/tests/controller_auth_data.txt b/modules/gallery/tests/controller_auth_data.txt index 0aa26057..94e7a07f 100644 --- a/modules/gallery/tests/controller_auth_data.txt +++ b/modules/gallery/tests/controller_auth_data.txt @@ -1,4 +1,4 @@ -modules/comment/controllers/admin_comments.php queue DIRTY_CSRF +modules/comment/controllers/admin_manage_comments.php queue DIRTY_CSRF modules/comment/helpers/comment_rss.php feed DIRTY_AUTH modules/digibug/controllers/digibug.php print_proxy DIRTY_CSRF|DIRTY_AUTH modules/digibug/controllers/digibug.php close_window DIRTY_AUTH diff --git a/modules/gallery/tests/xss_data.txt b/modules/gallery/tests/xss_data.txt index afad9e13..0a75d6f7 100644 --- a/modules/gallery/tests/xss_data.txt +++ b/modules/gallery/tests/xss_data.txt @@ -4,21 +4,21 @@ modules/akismet/views/admin_akismet_stats.html.php 9 DIRTY_ATTR urle modules/comment/views/admin_block_recent_comments.html.php 4 DIRTY_ATTR text::alternate("g-even","g-odd") modules/comment/views/admin_block_recent_comments.html.php 5 DIRTY_ATTR $comment->author()->avatar_url(32,$theme->url(,true)) modules/comment/views/admin_block_recent_comments.html.php 10 DIRTY gallery::date_time($comment->created) -modules/comment/views/admin_comments.html.php 43 DIRTY $menu->render() -modules/comment/views/admin_comments.html.php 107 DIRTY_ATTR $comment->id -modules/comment/views/admin_comments.html.php 107 DIRTY_ATTR text::alternate("g-odd","g-even") -modules/comment/views/admin_comments.html.php 110 DIRTY_ATTR $comment->author()->avatar_url(40,$theme->url(,true)) -modules/comment/views/admin_comments.html.php 123 DIRTY_JS $item->url() -modules/comment/views/admin_comments.html.php 125 DIRTY_ATTR $item->thumb_url() -modules/comment/views/admin_comments.html.php 127 DIRTY photo::img_dimensions($item->thumb_width,$item->thumb_height,75) -modules/comment/views/admin_comments.html.php 135 DIRTY gallery::date($comment->created) -modules/comment/views/admin_comments.html.php 142 DIRTY_JS $comment->id -modules/comment/views/admin_comments.html.php 151 DIRTY_JS $comment->id -modules/comment/views/admin_comments.html.php 160 DIRTY_JS $comment->id -modules/comment/views/admin_comments.html.php 169 DIRTY_JS $comment->id -modules/comment/views/admin_comments.html.php 176 DIRTY_JS $comment->id -modules/comment/views/admin_comments.html.php 184 DIRTY_JS $comment->id -modules/comment/views/admin_comments.html.php 197 DIRTY $pager +modules/comment/views/admin_manage_comments.html.php 43 DIRTY $menu->render() +modules/comment/views/admin_manage_comments.html.php 107 DIRTY_ATTR $comment->id +modules/comment/views/admin_manage_comments.html.php 107 DIRTY_ATTR text::alternate("g-odd","g-even") +modules/comment/views/admin_manage_comments.html.php 110 DIRTY_ATTR $comment->author()->avatar_url(40,$theme->url(,true)) +modules/comment/views/admin_manage_comments.html.php 123 DIRTY_JS $item->url() +modules/comment/views/admin_manage_comments.html.php 125 DIRTY_ATTR $item->thumb_url() +modules/comment/views/admin_manage_comments.html.php 127 DIRTY photo::img_dimensions($item->thumb_width,$item->thumb_height,75) +modules/comment/views/admin_manage_comments.html.php 135 DIRTY gallery::date($comment->created) +modules/comment/views/admin_manage_comments.html.php 142 DIRTY_JS $comment->id +modules/comment/views/admin_manage_comments.html.php 151 DIRTY_JS $comment->id +modules/comment/views/admin_manage_comments.html.php 160 DIRTY_JS $comment->id +modules/comment/views/admin_manage_comments.html.php 169 DIRTY_JS $comment->id +modules/comment/views/admin_manage_comments.html.php 176 DIRTY_JS $comment->id +modules/comment/views/admin_manage_comments.html.php 184 DIRTY_JS $comment->id +modules/comment/views/admin_manage_comments.html.php 197 DIRTY $pager modules/comment/views/comment.html.php 2 DIRTY_ATTR $comment->id; modules/comment/views/comment.html.php 5 DIRTY_ATTR $comment->author()->avatar_url(40,$theme->url(,true)) modules/comment/views/comment.mrss.php 10 DIRTY $feed->uri @@ -175,7 +175,7 @@ modules/gallery/views/move_tree.html.php 15 DIRTY_JS $child modules/gallery/views/movieplayer.html.php 2 DIRTY html::anchor($item->file_url(true),"",$attrs) modules/gallery/views/movieplayer.html.php 5 DIRTY_JS $attrs["id"] modules/gallery/views/movieplayer.html.php 7 DIRTY_JS url::abs_file("lib/flowplayer.swf") -modules/gallery/views/movieplayer.html.php 13 DIRTY_JS url::abs_file("lib/flowplayer.h264streaming.swf") +modules/gallery/views/movieplayer.html.php 14 DIRTY_JS url::abs_file("lib/flowplayer.pseudostreaming.swf") modules/gallery/views/permissions_browse.html.php 3 DIRTY_JS url::site("permissions/form/__ITEM__") modules/gallery/views/permissions_browse.html.php 16 DIRTY_JS url::site("permissions/change/__CMD__/__GROUP__/__PERM__/__ITEM__?csrf=$csrf") modules/gallery/views/permissions_browse.html.php 43 DIRTY_ATTR $parent->id @@ -320,7 +320,6 @@ modules/user/views/admin_users_group.html.php 24 DIRTY_JS $group modules/watermark/views/admin_watermarks.html.php 20 DIRTY_ATTR $width modules/watermark/views/admin_watermarks.html.php 20 DIRTY_ATTR $height modules/watermark/views/admin_watermarks.html.php 20 DIRTY_ATTR $url -themes/admin_wind/views/admin.html.php 9 DIRTY $page_title themes/admin_wind/views/admin.html.php 22 DIRTY_JS $theme->url() themes/admin_wind/views/admin.html.php 39 DIRTY $theme->admin_head() themes/admin_wind/views/admin.html.php 43 DIRTY $theme->admin_page_top() @@ -363,7 +362,7 @@ themes/wind/views/dynamic.html.php 16 DIRTY_ATTR $chi themes/wind/views/dynamic.html.php 17 DIRTY_ATTR $child->thumb_height themes/wind/views/dynamic.html.php 29 DIRTY $theme->paginator() themes/wind/views/movie.html.php 5 DIRTY $theme->paginator() -themes/wind/views/movie.html.php 8 DIRTY $item->movie_img(array("class"=>"g-movie","id"=>"g-movie-id-{$item->id}")) +themes/wind/views/movie.html.php 8 DIRTY $item->movie_img(array("class"=>"g-movie","id"=>"g-item-id-{$item->id}")) themes/wind/views/page.html.php 9 DIRTY $page_title themes/wind/views/page.html.php 33 DIRTY_JS $theme->url() themes/wind/views/page.html.php 42 DIRTY $new_width @@ -384,4 +383,4 @@ themes/wind/views/photo.html.php 8 DIRTY_JS $theme themes/wind/views/photo.html.php 8 DIRTY_JS $theme->item()->height themes/wind/views/photo.html.php 18 DIRTY $theme->paginator() themes/wind/views/photo.html.php 23 DIRTY_JS $item->file_url() -themes/wind/views/photo.html.php 25 DIRTY $item->resize_img(array("id"=>"g-photo-id-{$item->id}","class"=>"g-resize")) +themes/wind/views/photo.html.php 25 DIRTY $item->resize_img(array("id"=>"g-item-id-{$item->id}","class"=>"g-resize")) -- cgit v1.2.3