From 82edd2a37bde6f42f5ff69c1363c5dbeb3cec599 Mon Sep 17 00:00:00 2001 From: Tim Almdal Date: Mon, 17 Aug 2009 19:52:40 -0700 Subject: This patch adds some security to the organize dialog. 1) If images are dragged from the content pane and dropped on a branch in the tree that the user only has view priviledges, then the drop is cancelled and the images are reverted. 2) The user cannot click on a branch, to which they only have view priviledges, the content pane does not change to the new album --- modules/organize/controllers/organize.php | 1 + modules/organize/js/organize.js | 22 +++++++++++++--------- modules/organize/views/organize_tree.html.php | 2 +- 3 files changed, 15 insertions(+), 10 deletions(-) (limited to 'modules') diff --git a/modules/organize/controllers/organize.php b/modules/organize/controllers/organize.php index 7d6b651e..76a22b73 100644 --- a/modules/organize/controllers/organize.php +++ b/modules/organize/controllers/organize.php @@ -118,6 +118,7 @@ class Organize_Controller extends Controller { $v->album = $item; $keys = array_keys($parents); $v->selected = end($keys) == $item->id; + $v->can_edit= access::can("edit", $item); $v->children = array(); $v->album_icon = "gBranchEmpty"; diff --git a/modules/organize/js/organize.js b/modules/organize/js/organize.js index 7a70ea5e..0f8f7fa1 100644 --- a/modules/organize/js/organize.js +++ b/modules/organize/js/organize.js @@ -43,11 +43,6 @@ } else if (ui.offset.top < top + 20) { $("#gMicroThumbPanel").get(0).scrollTop = Math.max(0, $("#gMicroThumbPanel").get(0).scrollTop - 100); } - }, - // @todo delete this method when drop is implemented - stop: function(event, ui) { - $(".ui-state-selected").show(); - $(".gMicroThumbGridCell").css("borderStyle", "none"); } }, 
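Review bot: The added `$v->can_edit= access::can("edit", $item);` drops the space before `=` that the surrounding assignments in this hunk use; write `$v->can_edit = access::can("edit", $item);`. More importantly, this flag only feeds the tree view (it becomes a CSS class the browser can strip), so the commit's "adds some security" holds only if the action behind `move_url` re-checks `access::can("edit", ...)` on the target album server-side — that handler is not in this diff, so I cannot confirm it does. A one-line comment on the new line, `// View-only flag for the tree; the move action must enforce access itself`, would make that dependency explicit. The enclosing method of Organize_Controller starts and ends outside the hunk.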
@@ -69,10 +64,15 @@ tolerance: "pointer", greedy: true, drop: function(event, ui) { - $.organize.do_drop({ - url: move_url.replace("__TARGET_ID__", $(event.target).attr("ref")), - source: $(ui.helper).children("img") - }); + if ($(event.target).hasClass("gViewOnly")) { + $(".ui-state-selected").show(); + $(".gMicroThumbGridCell").css("borderStyle", "none"); + } else { + $.organize.do_drop({ + url: move_url.replace("__TARGET_ID__", $(event.target).attr("ref")), + source: $(ui.helper).children("img") + }); + } } }, @@ -200,6 +200,10 @@ if ($(event.currentTarget).hasClass("gBranchSelected")) { return; } + var parent = $(event.currentTarget).parents(".gOrganizeBranch"); + if ($(parent).hasClass("gViewOnly")) { + return; + } $("#gMicroThumbPanel").selectable("destroy"); var id = $(event.currentTarget).attr("ref"); $(".gBranchSelected").removeClass("gBranchSelected"); diff --git a/modules/organize/views/organize_tree.html.php b/modules/organize/views/organize_tree.html.php index d2ef287a..823301fc 100644 --- a/modules/organize/views/organize_tree.html.php +++ b/modules/organize/views/organize_tree.html.php @@ -1,5 +1,5 @@ -
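Review bot: The new `if ($(event.target).hasClass("gViewOnly"))` branch in `drop` is a client-side class test; anyone can remove the class in the browser and the `move_url` request built from `$(event.target).attr("ref")` is still sent, so this guard is UX, not authorization, and the server must reject moves into albums the user cannot edit. Separately, the revert (`$(".ui-state-selected").show()` plus clearing `borderStyle`) now runs only when a drop lands on a view-only branch; the `stop` handler removed in the previous hunk used to run it after every drag, so a drag released outside any droppable may now leave the selected thumbnails hidden unless `$.organize.do_drop` or the draggable `start`/`helper` code (outside this diff) handles that case. Consider a comment on the guard, `// UI convenience only — server re-checks edit access on the target`, and factoring the two revert lines into one helper shared with that path. The enclosing droppable options object starts outside the hunk.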
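Review bot: `$(event.currentTarget).parents(".gOrganizeBranch")` collects every matching ancestor, and `hasClass("gViewOnly")` on that set is true if any one of them carries the class, so if child albums are rendered inside their parent's `.gOrganizeBranch` an editable album under a view-only parent becomes unclickable. If the intent is the branch that owns the clicked element, test the nearest one: `var parent = $(event.currentTarget).closest(".gOrganizeBranch"); if (parent.hasClass("gViewOnly")) { return; }` (`closest` needs jQuery 1.3 or newer; either way `$(parent)` re-wraps an object that is already a jQuery set). Whether the tree nests this way depends on organize_tree.html.php, whose hunk is garbled in this view. The enclosing click handler starts and ends outside the hunk.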
  • +
  • " ref="id ?>">
    ">