Commit Graph
146 Commits
Author SHA1 Message Date
Bharat Mediratta dd854379c2 Sanitize all data we return via json_encode() to guard against XSS and
other data leaks.
2009-06-03 17:08:23 -07:00
Bharat Mediratta 43abcd9386 Security pass over all controller code. Mostly adding CSRF checking
and verifying user permissions, but there are several above-the-bar
changes:

1) Server add is now only available to admins.  This is a hard
   requirement because we have to limit server access (eg:
   server_add::children) to a user subset and the current permission
   model doesn't include that.  Easiest fix is to restrict to admins.
   Got rid of the server_add permission.

2) We now know check permissions at every level, which means in
   controllers AND in helpers.  This "belt and suspenders" approach will
   give us defense in depth in case we overlook it in one area.

3) We now do CSRF checking in every controller method that changes the
   code, in addition to the Forge auto-check.  Again, defense in depth
   and it makes scanning the code for security much simpler.

4) Moved Simple_Uploader_Controller::convert_filename_to_title to
   item:convert_filename_to_title

5) Fixed a bug in sending notification emails.

6) Fixed the Organize code to verify that you only have access to your
   own tasks.  In general, added permission checks to organize which had
   pretty much no validation code.

I did my best to verify every feature that I touched.
2009-06-01 22:40:22 -07:00
Bharat Mediratta 708f27f483 Run p::clean() on any variables that contain data entered by users. 2009-05-31 00:11:48 -07:00
Bharat Mediratta 7aed923908 Restructure the module lifecycle.
Install: <module>_installer::install() is called, any necessary tables
are created.

Activate: <module>_installer::activate() is called.  Module
controllers are routable, helpers are accessible, etc.  The module is
in use.

Deactivate: <module>_installer::deactivate() is called.  Module code
is not accessible or routable.  Module is *not* in use, but its tables
are still around.

Uninstall: <module>_installer::uninstall() is called.  Module is
completely removed from the database.

Admin > Modules will install and activate modules, but will only
deactivate (will NOT uninstall modules).
2009-05-26 05:28:59 +00:00
Chad Kieffer 730cc7aabb Rolled back r20813 to restore jump to comments, at least for now 2009-05-19 04:20:52 +00:00
Bharat Mediratta 7f77c676fe Get rid of the 'View comments on this item' menu option for photos.
It doesn't fit in with the others and as Jakob points out, the scroll
wheel on the mouse is perfectly sufficient.  I'll leave the icon around, though.
2009-05-14 23:41:49 +00:00
Bharat Mediratta 5495037a3d Gee it's May already. Update copyright to 2009. 2009-05-13 20:04:58 +00:00
Bharat Mediratta de812e1e82 Refactor to support pagination and simplify the code.
- Simplify the public controller methods
- Fix a bug where missing thumbnails would cause a divide by zero error
- actually pay attention to the page # for pagination and limit the query accordingly.
2009-05-11 20:15:24 +00:00
Bharat Mediratta 977963444a Remove direct call to item_before_delete since r20647 moved it into Item_Model 2009-05-02 19:28:05 +00:00
Bharat Mediratta dd0e69ba3a Delete any comments associated with deleted items 2009-04-23 01:32:35 +00:00
Bharat Mediratta 8ae2305289 Hide the "no comments yet" text after the first comment is posted.
Fixes ticket #196.
2009-04-06 00:27:24 +00:00
Bharat Mediratta cdf873f1b3 Remove extra blank line. 2009-04-05 17:50:57 +00:00
Bharat Mediratta 802f2431c7 Concatenate chopped up internationalized string. 2009-04-03 23:12:52 +00:00
Bharat Mediratta 921f3a2eee Put csrf token into Admin_View and Theme_View by default, then use it
directly wherever possible instead of access::csrf_token().
2009-03-27 03:43:21 +00:00
Tim Almdal 8082060434 Forgot to remove a back tick 2009-03-18 01:24:54 +00:00
Tim Almdal 8e1817d4e4 Couple of sql statements that had incorrect prefix handling or no
prefix handling.
2009-03-18 01:20:30 +00:00
Tim Almdal c04ff8e02f Change the pattern to identify tables that need prefix substitution to
mirror the drupal pattern of using braces {}.
2009-02-28 06:37:28 +00:00
Tim Almdal bd15853708 This implements table prefix for all the queries in core, user, exif,
tag, search, comment and notification modules (Ticket #68)
2009-02-27 21:07:18 +00:00
Chad Kieffer cd8d1c6582 Temp fix for photostreamin admin dashboard, other miscellaneous css fixes. Apply jQuery UI button css to submit inputs in the admin theme. 2009-02-23 05:14:05 +00:00
Jakob Hilden 7d96448ecb added additional comment link, if no comments have been made yet. 2009-02-23 00:46:25 +00:00
Bharat Mediratta f5169dd451 Leave the comments title around, but add the "Be the first to comment"
message below it.
2009-02-22 20:16:56 +00:00
Bharat Mediratta a83b6e9180 Adjust the title based on whether or not there are comments. 2009-02-22 20:09:17 +00:00
Tim Almdal 95fc61c9a8 Standardize to uppercase DESC in the order by method calls 2009-02-22 17:36:58 +00:00
Chad Kieffer 5dcf2794c5 Fixes to comment admin buttons. 2009-02-20 07:10:20 +00:00
Chad Kieffer d04dbadfa1 Apply buttons to comment moderation and action buttons, beginnings of a photo stream carousel block in admin dashboard. 2009-02-15 22:36:51 +00:00
Chad Kieffer 9bbe8053c7 Added a show comment form button. Add comment form is revealed when the button is clicked. Used jQuery UI Effect to .highlight() to bring attention to newly added comments. Also added a named anchor to our block library to allow direct linking/scrolling to those blocks on the page. 2009-02-12 07:07:11 +00:00
Tim Almdal 421129d7a8 Resolve Trac Ticket #32 2009-02-02 19:18:43 +00:00
Tim Almdal 89edd4d3ff Fix trac issue: #31 2009-02-02 15:36:43 +00:00
Bharat Mediratta a30c28b5fc Make the comment -> recaptcha binding happen via an event dispatch as
opposed to a direct call.
2009-01-27 08:21:54 +00:00
Tim Almdal bfb5c42124 Adding Recaptcha to the comment module. Recaptcha integration consists of a Form_Recaptcha class derived from Form_Input that can be added to any class that requires Recaptcha verfication. 2009-01-26 16:12:57 +00:00
Tim Almdal a8233ed979 Undo the adding underscores to the id on forge generated forms 2009-01-25 06:28:04 +00:00
Chad Kieffer 55cd2afde5 Admin theme style cleanup. Merged separate selected, available, unavailable into a single set of reusable classes. Applied alternating row bg colors. Removed inline CSS from admin views. Moved user admin css into admin_default theme style sheet. 2009-01-24 20:06:13 +00:00
Tim Almdal cbff78daa8 Supply a form id on all forms. This id can be used by modules other
than the originating module to provide additional functionality to the form.
2009-01-24 17:26:47 +00:00
Bharat Mediratta 1cc7b3f4be Don't force validation anymore; we're clearing the form properly in
the controller on successful add.
2009-01-18 23:27:26 +00:00
Bharat Mediratta b39be71a4e We don't need to reset the form anymore, since it's reset on the server side. 2009-01-18 23:26:53 +00:00
Bharat Mediratta f0eb8cb641 Reset the form before sending it back on success so that we clear the values. 2009-01-18 23:25:42 +00:00
Bharat Mediratta 7b68ca9946 Refactor dashboard -> block_manager since it'll manage blocks site
wide, not just in the dashboard.
2009-01-18 06:55:04 +00:00
Bharat Mediratta 3d1ea2904d Rename theme callback helpers from xxx_block to xxx_theme to make room
for us to rename the dashboard helper to be a block helper since
sidebar blocks are not just in the dashboard.
2009-01-18 05:01:00 +00:00
Bharat Mediratta d568a1e9fd Implement relevance ranked boolean searching on a full text index of
item and comment data.  Whew!

It's not pretty yet.  And you have to manually update the index
currently in admin/maintenance.  But it works.
2009-01-17 00:52:50 +00:00
Bharat Mediratta 2920640c2b Fix validation when adding new comments.
Fire off the appropriate item_related_update events as appropriate.
2009-01-16 04:06:03 +00:00
Andy Staudacher e4a9b19bf9 Changing t() placeholder syntax from {{replace_me}} to %replace_me. 2009-01-15 10:02:41 +00:00
Andy Staudacher e53916dd06 Simplifying the way t() is called. Refactoring localization function t($message, $options=array()) into 2 separate functions:
- the new t($message, $options=array()) is for simple strings, optionally with placeholder interpolation.
- t2($singular, $plural, $count, $options=array()) is for plurals.
2009-01-15 09:30:15 +00:00
Bharat Mediratta 5bfde5ceb8 Rename 'xxx_changed' events to 'xxx_updated' 2009-01-15 02:53:13 +00:00
Bharat Mediratta f3ba69c1d6 Make sure that helper functions are all static. Add new
File_Structure_Test to make sure we don't regress.

According to the PHP docs, the "public" keyword is implied on static
functions, so remove it.  Also, require private static functions to
start with an _.

http://php.net/manual/en/language.oop5.visibility.php
2009-01-14 04:12:02 +00:00
Bharat Mediratta c5f77510a7 Refactor dashboard block handling out into a dashboard helper so that
module installers don't have to know the grotty details of how it works.
2009-01-12 08:51:54 +00:00
Bharat Mediratta bc421a615a Implement deleting dashboard blocks.
* Refactor blocks so that they have a separate id vs css_id.  This way
  we can have a unique identifier for each visual block.

* Store blocks with a random id as their unique identifier

* Add Admin_Dashboard::remove_block() and modify
  themes/admin_default/views/block.html.php to call it when you click the
  remove box.
2009-01-12 08:26:38 +00:00
Bharat Mediratta ae73ef3d57 Updated for new Form_Submit API.
OLD:
  $form->submit("Foo")  -->  <input type="submit" value="Foo">

New:
  $form->submit("foo_button")->("Foo") --> <input type="submit" name="foo_button" value="Foo">

Mostly we don't care what the button is so we leave the name blank.
2009-01-12 07:50:04 +00:00
Bharat Mediratta b19729435c Dashboard blocks are now data driven, and you can add new blocks to
both the sidebar and the center content area from a dropdown at the
top of the dashboard sidebar.
2009-01-12 07:39:53 +00:00
Bharat Mediratta 66fe884cb5 Use the author's avatar, not the logged in user's one. 2009-01-11 22:47:54 +00:00
Andy Staudacher 3df7889128 Increase length for user-agent and accept fields in comments table.
And truncate strings before passing them to MySQL.
2009-01-11 05:36:31 +00:00