From d698a19e0e9acdcb81c5245d1f681546b604a1f3 Mon Sep 17 00:00:00 2001 From: Bharat Mediratta Date: Fri, 10 Sep 2010 08:40:30 -0700 Subject: Transfer deleted files to the active user. Or at least say that's what we're going to do, we actually transfer them to one of the admins --- modules/user/views/admin_users_delete_user.html.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'modules') diff --git a/modules/user/views/admin_users_delete_user.html.php b/modules/user/views/admin_users_delete_user.html.php index 4b79a305..44777ae5 100644 --- a/modules/user/views/admin_users_delete_user.html.php +++ b/modules/user/views/admin_users_delete_user.html.php @@ -1,7 +1,7 @@

- %name? Any photos, movies or albums owned by this user will transfer ownership to %new_owner.", array("name" => $user->display_name(), "new_owner" => identity::admin_user()->display_name())) ?> + %name? Any photos, movies or albums owned by this user will transfer ownership to %new_owner.", array("name" => $user->display_name(), "new_owner" => identity::active_user()->display_name())) ?>

-- cgit v1.2.3 From 5892712b237cb1e585b2cc7a6820d2cf3a8c1a34 Mon Sep 17 00:00:00 2001 From: Bharat Mediratta Date: Fri, 10 Sep 2010 23:01:47 -0700 Subject: If the user is not an admin, don't 403 -- instead just redirect them to the root album. Fixes ticket #1356. --- modules/gallery/controllers/reauthenticate.php | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) (limited to 'modules') diff --git a/modules/gallery/controllers/reauthenticate.php b/modules/gallery/controllers/reauthenticate.php index 0486c0fe..53a96374 100644 --- a/modules/gallery/controllers/reauthenticate.php +++ b/modules/gallery/controllers/reauthenticate.php @@ -19,12 +19,19 @@ */ class Reauthenticate_Controller extends Controller { public function index() { + $is_ajax = Session::instance()->get_once("is_ajax_request", request::is_ajax()); if (!identity::active_user()->admin) { - access::forbidden(); + if ($is_ajax) { + // We should never be able to get here since Admin_Controller::_reauth_check() won't work + // for non-admins. + access::forbidden(); + } else { + url::redirect(item::root()->abs_url()); + } } + // On redirects from the admin controller, the ajax request indicator is lost, // so we store it in the session. - $is_ajax = Session::instance()->get_once("is_ajax_request", request::is_ajax()); if ($is_ajax) { $v = new View("reauthenticate.html"); $v->form = self::_form(); -- cgit v1.2.3 From a88b3f580812e7670933a6d695c89ef93f0142d4 Mon Sep 17 00:00:00 2001 From: Bharat Mediratta Date: Sat, 11 Sep 2010 00:47:48 -0700 Subject: Implement IdentityProvider_Gallery_Driver::admin_user() properly such that it's not hardcoded to return the user with id 2. Create user::admin_user() which finds an appropriate admin and returns it. Fixes #1358. --- modules/user/helpers/user.php | 14 ++++++++++++++ .../user/libraries/drivers/IdentityProvider/Gallery.php | 2 +- 2 files changed, 15 insertions(+), 1 deletion(-) (limited to 'modules') diff --git a/modules/user/helpers/user.php b/modules/user/helpers/user.php index 55153263..be50d6d1 100644 --- a/modules/user/helpers/user.php +++ b/modules/user/helpers/user.php @@ -35,6 +35,20 @@ class user_Core { return model_cache::get("user", 1); } + /** + * Return an admin user. Prefer the currently logged in user, if possible. + * + * @return User_Model + */ + static function admin_user() { + $active = identity::active_user(); + if ($active->admin) { + return $active; + } + + return ORM::factory("user")->where("admin", "=", 1)->order_by("id", "ASC")->find(); + } + /** * Is the password provided correct? * diff --git a/modules/user/libraries/drivers/IdentityProvider/Gallery.php b/modules/user/libraries/drivers/IdentityProvider/Gallery.php index 44433ad7..73ac9bd0 100644 --- a/modules/user/libraries/drivers/IdentityProvider/Gallery.php +++ b/modules/user/libraries/drivers/IdentityProvider/Gallery.php @@ -32,7 +32,7 @@ class IdentityProvider_Gallery_Driver implements IdentityProvider_Driver { * @see IdentityProvider_Driver::guest. */ public function admin_user() { - return self::lookup_user(2); + return user::admin_user(); } /** -- cgit v1.2.3 From 67f45cfa781ef4b446676e199470e421f5463812 Mon Sep 17 00:00:00 2001 From: Bharat Mediratta Date: Sat, 11 Sep 2010 01:46:45 -0700 Subject: Add CSRF protection to the upgrader. And update the CLI output so that it tells you which modules failed to upgrade properly. Fixes ticket #1359. --- modules/gallery/controllers/upgrader.php | 21 ++++++++++++++++++--- modules/gallery/views/upgrader.html.php | 2 +- 2 files changed, 19 insertions(+), 4 deletions(-) (limited to 'modules') diff --git a/modules/gallery/controllers/upgrader.php b/modules/gallery/controllers/upgrader.php index 6613d671..b2646874 100644 --- a/modules/gallery/controllers/upgrader.php +++ b/modules/gallery/controllers/upgrader.php @@ -54,8 +54,16 @@ class Upgrader_Controller extends Controller { // @todo this may screw up some module installers, but we don't have a better answer at // this time. $_SERVER["HTTP_HOST"] = "example.com"; - } else if (!identity::active_user()->admin && !Session::instance()->get("can_upgrade", false)) { - access::forbidden(); + } else { + if (!identity::active_user()->admin && !Session::instance()->get("can_upgrade", false)) { + access::forbidden(); + } + + try { + access::verify_csrf(); + } catch (Exception $e) { + url::redirect("upgrader"); + } } $available = module::available(); @@ -87,7 +95,14 @@ class Upgrader_Controller extends Controller { site_status::clear("upgrade_now"); if (php_sapi_name() == "cli") { - print "Upgrade complete\n"; + if ($failed) { + print "Upgrade completed ** WITH FAILURES **\n"; + print "The following modules were not successfully upgraded:\n"; + print " " . implode($failed, "\n ") . "\n"; + print "Try getting newer versions or deactivating those modules\n"; + } else { + print "Upgrade complete\n"; + } } else { url::redirect("upgrader?failed=" . join(",", $failed)); } diff --git a/modules/gallery/views/upgrader.html.php b/modules/gallery/views/upgrader.html.php index c2d8a552..554cf30d 100644 --- a/modules/gallery/views/upgrader.html.php +++ b/modules/gallery/views/upgrader.html.php @@ -84,7 +84,7 @@ -- cgit v1.2.3 From 509b647c65d0b56760952ff886eed06625f4ac5f Mon Sep 17 00:00:00 2001 From: Bharat Mediratta Date: Sat, 11 Sep 2010 01:48:26 -0700 Subject: upgrader/index does not require CSRF --- modules/gallery/tests/controller_auth_data.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'modules') diff --git a/modules/gallery/tests/controller_auth_data.txt b/modules/gallery/tests/controller_auth_data.txt index 212577c7..03032fd9 100644 --- a/modules/gallery/tests/controller_auth_data.txt +++ b/modules/gallery/tests/controller_auth_data.txt @@ -15,7 +15,7 @@ modules/gallery/controllers/login.php html modules/gallery/controllers/login.php auth_html DIRTY_AUTH modules/gallery/controllers/logout.php index DIRTY_AUTH modules/gallery/controllers/quick.php form_edit DIRTY_CSRF -modules/gallery/controllers/upgrader.php index DIRTY_AUTH +modules/gallery/controllers/upgrader.php index DIRTY_CSRF|DIRTY_AUTH modules/gallery/controllers/uploader.php start DIRTY_AUTH modules/gallery/controllers/uploader.php status DIRTY_AUTH modules/gallery/controllers/uploader.php finish DIRTY_AUTH -- cgit v1.2.3 From 34a71e7cd34bc184abbf9060ec4b316ba1c66bc5 Mon Sep 17 00:00:00 2001 From: Bharat Mediratta Date: Sat, 11 Sep 2010 01:48:44 -0700 Subject: Verified. --- modules/gallery/tests/xss_data.txt | 37 ++++++++++++++++++++----------------- 1 file changed, 20 insertions(+), 17 deletions(-) (limited to 'modules') diff --git a/modules/gallery/tests/xss_data.txt b/modules/gallery/tests/xss_data.txt index 8d26092b..6821c963 100644 --- a/modules/gallery/tests/xss_data.txt +++ b/modules/gallery/tests/xss_data.txt @@ -42,7 +42,7 @@ modules/digibug/views/digibug_form.html.php 4 DIRTY form:: modules/digibug/views/digibug_form.html.php 6 DIRTY form::hidden($key,$value) modules/exif/views/exif_dialog.html.php 14 DIRTY $details[$i]["caption"] modules/exif/views/exif_dialog.html.php 21 DIRTY $details[$i]["caption"] -modules/g2_import/views/admin_g2_import.html.php 30 DIRTY $form +modules/g2_import/views/admin_g2_import.html.php 9 DIRTY $form modules/gallery/views/admin_advanced_settings.html.php 21 DIRTY_ATTR text::alternate("g-odd","g-even") modules/gallery/views/admin_advanced_settings.html.php 22 DIRTY $var->module_name modules/gallery/views/admin_block_log_entries.html.php 4 DIRTY_ATTR log::severity_class($entry->severity) @@ -248,14 +248,15 @@ modules/gallery/views/permissions_form.html.php 80 DIRTY_JS $permi modules/gallery/views/permissions_form.html.php 80 DIRTY_JS $item->id modules/gallery/views/quick_delete_confirm.html.php 11 DIRTY $form modules/gallery/views/reauthenticate.html.php 9 DIRTY $form -modules/gallery/views/upgrader.html.php 59 DIRTY_ATTR $done?"muted":"" -modules/gallery/views/upgrader.html.php 63 DIRTY_ATTR $done?"muted":"" -modules/gallery/views/upgrader.html.php 71 DIRTY_ATTR $module->version==$module->code_version?"current":"upgradeable" -modules/gallery/views/upgrader.html.php 72 DIRTY_ATTR $id -modules/gallery/views/upgrader.html.php 76 DIRTY $module->version -modules/gallery/views/upgrader.html.php 79 DIRTY $module->code_version -modules/gallery/views/upgrader.html.php 101 DIRTY_ATTR $done?"muted":"" -modules/gallery/views/upgrader.html.php 104 DIRTY_ATTR $done?"muted":"" +modules/gallery/views/upgrader.html.php 76 DIRTY_ATTR $done?"muted":"" +modules/gallery/views/upgrader.html.php 94 DIRTY_ATTR $done?"muted":"" +modules/gallery/views/upgrader.html.php 102 DIRTY_ATTR $module->version==$module->code_version?"current":"upgradeable" +modules/gallery/views/upgrader.html.php 102 DIRTY_ATTR in_array($id,$failed)?"failed":"" +modules/gallery/views/upgrader.html.php 103 DIRTY_ATTR $id +modules/gallery/views/upgrader.html.php 107 DIRTY $module->version +modules/gallery/views/upgrader.html.php 110 DIRTY $module->code_version +modules/gallery/views/upgrader.html.php 120 DIRTY_ATTR $done?"muted":"" +modules/gallery/views/upgrader.html.php 123 DIRTY_ATTR $done?"muted":"" modules/gallery/views/user_languages_block.html.php 2 DIRTY form::dropdown("g-select-session-locale",$installed_locales,$selected) modules/gallery/views/user_profile.html.php 34 DIRTY_ATTR $user->avatar_url(40,$theme->url(,true)) modules/gallery/views/user_profile.html.php 43 DIRTY $info->view @@ -338,15 +339,17 @@ modules/tag/views/tag_cloud.html.php 6 DIRTY_JS $tag-> modules/user/views/admin_users.html.php 3 DIRTY_JS url::site("admin/users/add_user_to_group/__USERID__/__GROUPID__?csrf=$csrf") modules/user/views/admin_users.html.php 26 DIRTY_JS url::site("admin/users/group/__GROUPID__") modules/user/views/admin_users.html.php 36 DIRTY_JS url::site("admin/users/remove_user_from_group/__USERID__/__GROUPID__?csrf=$csrf") -modules/user/views/admin_users.html.php 71 DIRTY_ATTR $user->id -modules/user/views/admin_users.html.php 71 DIRTY_ATTR text::alternate("g-odd","g-even") -modules/user/views/admin_users.html.php 71 DIRTY_ATTR $user->admin?"g-admin":"" modules/user/views/admin_users.html.php 72 DIRTY_ATTR $user->id -modules/user/views/admin_users.html.php 73 DIRTY_ATTR $user->avatar_url(20,$theme->url(,true)) -modules/user/views/admin_users.html.php 87 DIRTY ($user->last_login==0)?"":gallery::date($user->last_login) -modules/user/views/admin_users.html.php 123 DIRTY_ATTR $group->id -modules/user/views/admin_users.html.php 123 DIRTY_ATTR ($group->special?"g-default-group":"") -modules/user/views/admin_users.html.php 125 DIRTY $v +modules/user/views/admin_users.html.php 72 DIRTY_ATTR text::alternate("g-odd","g-even") +modules/user/views/admin_users.html.php 72 DIRTY_ATTR $user->admin?"g-admin":"" +modules/user/views/admin_users.html.php 73 DIRTY_ATTR $user->id +modules/user/views/admin_users.html.php 74 DIRTY_ATTR $user->avatar_url(20,$theme->url(,true)) +modules/user/views/admin_users.html.php 88 DIRTY ($user->last_login==0)?"":gallery::date($user->last_login) +modules/user/views/admin_users.html.php 91 DIRTY db::build()->from("items")->where("owner_id","=",$user->id)->count_records() +modules/user/views/admin_users.html.php 127 DIRTY_ATTR $group->id +modules/user/views/admin_users.html.php 127 DIRTY_ATTR ($group->special?"g-default-group":"") +modules/user/views/admin_users.html.php 129 DIRTY $v +modules/user/views/admin_users_delete_user.html.php 6 DIRTY $form modules/user/views/admin_users_group.html.php 24 DIRTY_JS $user->id modules/user/views/admin_users_group.html.php 24 DIRTY_JS $group->id modules/watermark/views/admin_watermarks.html.php 20 DIRTY_ATTR $width -- cgit v1.2.3 From cef7ca9cf27dc7bcdbc92e754cfe9ae3a30ae3b0 Mon Sep 17 00:00:00 2001 From: Bharat Mediratta Date: Sat, 11 Sep 2010 10:26:48 -0700 Subject: Change tag url form to be /tag/{name} from /tags/show/{id}. This is a much friendlier url format. Fixes ticket #1363. --- modules/tag/controllers/tag.php | 49 ++++++++++++++++++++++++++++++++++++++++ modules/tag/controllers/tags.php | 28 ----------------------- modules/tag/models/tag.php | 2 +- 3 files changed, 50 insertions(+), 29 deletions(-) create mode 100644 modules/tag/controllers/tag.php (limited to 'modules') diff --git a/modules/tag/controllers/tag.php b/modules/tag/controllers/tag.php new file mode 100644 index 00000000..0e924f3d --- /dev/null +++ b/modules/tag/controllers/tag.php @@ -0,0 +1,49 @@ +where("name", "=", $tag_name)->find(); + $page_size = module::get_var("gallery", "page_size", 9); + $page = (int) Input::instance()->get("page", "1"); + $children_count = $tag->items_count(); + $offset = ($page-1) * $page_size; + $max_pages = max(ceil($children_count / $page_size), 1); + + // Make sure that the page references a valid offset + if ($page < 1) { + url::redirect($album->abs_url()); + } else if ($page > $max_pages) { + url::redirect($album->abs_url("page=$max_pages")); + } + + $template = new Theme_View("page.html", "collection", "tag"); + $template->set_global("page", $page); + $template->set_global("max_pages", $max_pages); + $template->set_global("page_size", $page_size); + $template->set_global("tag", $tag); + $template->set_global("children", $tag->items($page_size, $offset)); + $template->set_global("children_count", $children_count); + $template->content = new View("dynamic.html"); + $template->content->title = t("Tag: %tag_name", array("tag_name" => $tag->name)); + + print $template; + } +} diff --git a/modules/tag/controllers/tags.php b/modules/tag/controllers/tags.php index bc657644..aa39b6cd 100644 --- a/modules/tag/controllers/tags.php +++ b/modules/tag/controllers/tags.php @@ -18,34 +18,6 @@ * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA. */ class Tags_Controller extends Controller { - public function show($tag_id) { - $tag = ORM::factory("tag", $tag_id); - $page_size = module::get_var("gallery", "page_size", 9); - $page = (int) Input::instance()->get("page", "1"); - $children_count = $tag->items_count(); - $offset = ($page-1) * $page_size; - $max_pages = max(ceil($children_count / $page_size), 1); - - // Make sure that the page references a valid offset - if ($page < 1) { - url::redirect($album->abs_url()); - } else if ($page > $max_pages) { - url::redirect($album->abs_url("page=$max_pages")); - } - - $template = new Theme_View("page.html", "collection", "tag"); - $template->set_global("page", $page); - $template->set_global("max_pages", $max_pages); - $template->set_global("page_size", $page_size); - $template->set_global("tag", $tag); - $template->set_global("children", $tag->items($page_size, $offset)); - $template->set_global("children_count", $children_count); - $template->content = new View("dynamic.html"); - $template->content->title = t("Tag: %tag_name", array("tag_name" => $tag->name)); - - print $template; - } - public function index() { // Far from perfection, but at least require view permission for the root album $album = ORM::factory("item", 1); diff --git a/modules/tag/models/tag.php b/modules/tag/models/tag.php index e8bd69c5..269a0f39 100644 --- a/modules/tag/models/tag.php +++ b/modules/tag/models/tag.php @@ -124,7 +124,7 @@ class Tag_Model extends ORM { * @param string $query the query string (eg "page=3") */ public function url($query=null) { - $url = url::site("tags/show/$this->id"); + $url = url::site("tag/{$this->name}"); if ($query) { $url .= "?$query"; } -- cgit v1.2.3 From 14ae1fde25eb8b22a2fc92453ba12c8e74aba433 Mon Sep 17 00:00:00 2001 From: Bharat Mediratta Date: Sat, 11 Sep 2010 10:41:47 -0700 Subject: Use the actual csrf token, not the placeholder (url::site doesn't replace that). Fixes ticket #1361 --- modules/gallery/views/upgrader.html.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'modules') diff --git a/modules/gallery/views/upgrader.html.php b/modules/gallery/views/upgrader.html.php index 554cf30d..1ec49c77 100644 --- a/modules/gallery/views/upgrader.html.php +++ b/modules/gallery/views/upgrader.html.php @@ -84,7 +84,7 @@ -- cgit v1.2.3 From c9c4f96100c5c8304f337f720da2e96b0a4d524a Mon Sep 17 00:00:00 2001 From: Bharat Mediratta Date: Sat, 11 Sep 2010 21:35:51 -0700 Subject: Tune timeouts to work better on large installs. --- modules/exif/helpers/exif_task.php | 4 ++-- modules/search/helpers/search_task.php | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) (limited to 'modules') diff --git a/modules/exif/helpers/exif_task.php b/modules/exif/helpers/exif_task.php index a754865a..5963d03f 100644 --- a/modules/exif/helpers/exif_task.php +++ b/modules/exif/helpers/exif_task.php @@ -50,7 +50,7 @@ class exif_task_Core { ->where("exif_records.item_id", "IS", null) ->or_where("exif_records.dirty", "=", 1) ->close() - ->find_all() as $item) { + ->find_all(100) as $item) { // The query above can take a long time, so start the timer after its done // to give ourselves a little time to actually process rows. if (!isset($start)) { @@ -60,7 +60,7 @@ class exif_task_Core { exif::extract($item); $completed++; - if (microtime(true) - $start > 1.5) { + if (microtime(true) - $start > .75) { break; } } diff --git a/modules/search/helpers/search_task.php b/modules/search/helpers/search_task.php index 08f75d66..48a6688b 100644 --- a/modules/search/helpers/search_task.php +++ b/modules/search/helpers/search_task.php @@ -47,7 +47,7 @@ class search_task_Core { ->join("search_records", "items.id", "search_records.item_id", "left") ->where("search_records.item_id", "IS", null) ->or_where("search_records.dirty", "=", 1) - ->find_all() as $item) { + ->find_all(100) as $item) { // The query above can take a long time, so start the timer after its done // to give ourselves a little time to actually process rows. if (!isset($start)) { @@ -57,7 +57,7 @@ class search_task_Core { search::update($item); $completed++; - if (microtime(true) - $start > 1.5) { + if (microtime(true) - $start > .75) { break; } } -- cgit v1.2.3 From bfd92ac6f2d563106bc5906cc9fddb35bca44b58 Mon Sep 17 00:00:00 2001 From: Bharat Mediratta Date: Sat, 11 Sep 2010 21:38:38 -0700 Subject: Use $theme->item() instead of $theme->item, otherwise isset($theme->item) may return true even when we don't have an actual Item_Model in there. --- modules/gallery/helpers/gallery_event.php | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'modules') diff --git a/modules/gallery/helpers/gallery_event.php b/modules/gallery/helpers/gallery_event.php index 0ba98025..81659b38 100644 --- a/modules/gallery/helpers/gallery_event.php +++ b/modules/gallery/helpers/gallery_event.php @@ -209,11 +209,12 @@ class gallery_event_Core { ->url(user_profile::url($user->id)) ->label($user->display_name())); + $item = $theme->item(); if (Router::$controller == "admin") { $continue_url = url::abs_site(""); - } else if (isset($theme->item)) { + } else if ($item) { if (access::user_can(identity::guest(), "view", $theme->item)) { - $continue_url = $theme->item->abs_url(); + $continue_url = $item->abs_url(); } else { $continue_url = item::root()->abs_url(); } -- cgit v1.2.3 From b4fb11f8d5f06aed612ea9d9c9699ce31e55b957 Mon Sep 17 00:00:00 2001 From: Bharat Mediratta Date: Sat, 11 Sep 2010 21:40:57 -0700 Subject: Only call $theme->item() if we're in a non admin theme. --- modules/gallery/helpers/gallery_event.php | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'modules') diff --git a/modules/gallery/helpers/gallery_event.php b/modules/gallery/helpers/gallery_event.php index 81659b38..5b1db987 100644 --- a/modules/gallery/helpers/gallery_event.php +++ b/modules/gallery/helpers/gallery_event.php @@ -209,10 +209,9 @@ class gallery_event_Core { ->url(user_profile::url($user->id)) ->label($user->display_name())); - $item = $theme->item(); if (Router::$controller == "admin") { $continue_url = url::abs_site(""); - } else if ($item) { + } else if ($item = $theme->item()) { if (access::user_can(identity::guest(), "view", $theme->item)) { $continue_url = $item->abs_url(); } else { -- cgit v1.2.3 From cc4a54a3d65d5a6772cbf2d9670a0af0d6d52542 Mon Sep 17 00:00:00 2001 From: Bharat Mediratta Date: Sat, 11 Sep 2010 22:18:53 -0700 Subject: Fix bug introduced in b6fa33faf789749f4de3f4eadf8832748372c980. Don't try to use $(this).data("reload.location") if it hasn't been set, which can happen if Flash isn't available. Fixes #1362 --- modules/organize/views/organize_dialog.html.php | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'modules') diff --git a/modules/organize/views/organize_dialog.html.php b/modules/organize/views/organize_dialog.html.php index 769d6e9a..3ea1143d 100644 --- a/modules/organize/views/organize_dialog.html.php +++ b/modules/organize/views/organize_dialog.html.php @@ -19,7 +19,11 @@