Commit Graph
282 Commits
Author SHA1 Message Date
Bharat MedirattaandTim Almdal 0fc96621d5 Don't show the ajaxy login link in the top right corner if we're on the login page itself. 2009-08-06 19:19:14 -07:00
Tim Almdal 5997f57323 Cleanup the javascript for enabling dialog or panel links.
1) We don't need to loop over the elements to bind the event handler.
2) Just include gallery.panel.js for all the admin pages.
2009-08-06 07:22:24 -07:00
Bharat Mediratta 7ad0808a11 Change the API for getting to the original state of an ORM.
Old API:  $obj->original("field_name")
  New API:  $obj->original()->field_name

This allows us to revert the varous xxx_updated events back to passing
an original ORM as well as the the updated one.  This makes for a
cleaner event API.

  Old API:  comment_updated($comment) { $comment->original("field_name") }
  Old API:  comment_updated($old, $new) { $old->field_name }
2009-08-02 12:09:00 -07:00
Bharat Mediratta 67d4ae21d5 Clean up user form events. Thanks to Ben Smith (glooper). 2009-07-29 17:43:12 -07:00
Bharat Mediratta 1e90e40d3a Use events to generate menus, instead of having xxx_menu helpers.
This is the first step towards having a simple, lightweight and
unified API for module interaction.
2009-07-28 13:47:22 -07:00
Tim Almdal 00cd2b646d fix for ticket #574. The user->url database wasn't being set when the user was updated via the admin panel. 2009-07-25 15:00:57 -07:00
Tim Almdal 7a6952720c Pass the variable when the "user_edit_form" event is fired. 2009-07-25 14:48:10 -07:00
Bharat Mediratta 1fbdf1a1e0 Add form processing events:
user_add_form_admin            admin adding a user
 user_edit_form_admin           admin editing a user
 user_add_form_admin_completed  successfully added a user (admin)
 user_edit_form                 user editing their own settings
 user_edit_form_completed       successfully edited a user (admin and user editing own settings)
2009-07-23 10:35:52 -07:00
Bharat Mediratta 41b8f943a6 Convert instances of theme_url() to just url() to match the API change
made in dbeadc1407
2009-07-23 10:20:49 -07:00
Bharat Mediratta dbeadc1407 Use the Kohana cascading filesystem to locate resources loaded by the
theme.  Because the theme comes first, this means that themes can
override any module resources, at the cost that we no longer have
namespacing for JS and CSS files.

The only file getting used outside of this model is
themes/default/screen.css which is used in the admin theme.  I fixed
that by copying screen.css into admin_default and renaming its
screen.css to admin_screen.css.  I also copied over all the images
that it was referencing.

Fixes tickets #48 and #539.

Theme API changes:
- theme_script(), theme_url() and theme_css() are no longer needed
- script(), url() and css() now refer to the first matching asset in
  the module load path, where gallery3/lib is at the end of the path
2009-07-22 14:27:57 -07:00
Bharat Mediratta 80f48b084a In the logout link, urlencode the continue url so that ampersands, etc
don't break encapsulation.  In the logout controller, don't run the
url through url::redirect because that uses url::site().  Just set the
Location header directly.

This fixes ticket #483.
2009-07-21 13:02:20 -07:00
Bharat Mediratta 050c82cf80 Escape bare & symbols so that we use valid entities. Fixes ticket #577. 2009-07-21 11:09:23 -07:00
Bharat Mediratta 51dca582cd More thorough fix for #421. Create User_Model::display_name() which
uses the full name if there is one, or falls back to the name if
that's all we have.
2009-07-19 16:50:35 -07:00
Shai Ben-NaphtaliandBharat Mediratta fb7d99740d Changed "Forgot Your Password" text to use capital 'Y' on the word Your
Signed-off-by: Bharat Mediratta <bharat@menalto.com>
2009-07-21 00:09:06 +08:00
Bharat Mediratta df22832a5b Rename "locale" helper to "locales" to avoid conflicting with PHP 5.3.
Fixes ticket #194
2009-07-17 18:35:06 -07:00
Bharat Mediratta 0f766b149d Second non-trivial change to the event code. We now publish model
related events from within the model handling code.  The only
exception to this currently is item_created which is challenging
because we have to save the item using ORM_MPTT::add_to_parent()
before the object itself is fully set up.  When we get that down to
one call to save() we can publish that event from within the model
also.
2009-07-16 12:31:40 -07:00
Bharat Mediratta 5b3b675b6d Non-trivial changes to the event handling code:
1) The item_updated event no longer takes the old and new items.
   Instead we overload ORM to track the original data and make
   that available via the item.  This will allow us to move event
   publishing down into the API methods which in turn will give us
   more stability since we won't require each controller to remember
   to do it.

2) ORM class now tracks the original values.  It doesn't track
   the original relationships (no need for that, yet)

3) Added new events:
     item_deleted
     group_deleted
     user_deleted
2009-07-16 11:19:34 -07:00
Bharat Mediratta 2864aceb81 Add missing ) dropped in 8f9a943f. 2009-07-16 10:58:42 -07:00
Bharat Mediratta e2a9a1d284 Add quotes around all values that contain spaces in them, and add a
test to make sure that we continue to do so.

This makes sure that we don't have problems with 5.3 which treats the
literal "on" as a boolean.
2009-07-13 10:36:55 -07:00
Andy Staudacher 93e9efed97 Use Unicode characters (looks better to translator, and fixes normalization issue in translation server) 2009-07-02 20:49:47 -07:00
Bharat Mediratta 8f9a943f55 Fix a bunch of XSS vulnerabilities turned up by manual inspection
using the checklist in ticket #385.
2009-07-01 17:57:39 -07:00
Bharat Mediratta 6e8a8c53e6 Rename $theme->url() to $theme->theme_url() for consistency wiht
$theme->theme_script().
2009-06-28 19:49:48 -07:00
Tim Almdal 5e83ebd6d0 Use $theme->script() method to render module javascript files 2009-06-28 16:50:55 -07:00
Bharat Mediratta bfca0c7903 Refactor the install/upgrade code to be more flexible.
Add xxx_installer::upgrade($version) method so that upgrade stanzas
are separate from install stanzas.  In the old code, to do an upgrade
meant that you had to re-evolve everything from the initial install
because we'd step through each version's changes.  But what we really
want is for the initial install to start off in the perfect initial
state, and the upgrades to do the work behind the scenes.  So now the
install() function gets things set up properly the first time, and the
upgrade() function does any work to catch you up to the latest code.
See gallery_installer.php for a good example.
2009-06-23 12:00:49 -07:00
unostar 08a5b75345 Add string to localizer 2009-06-15 02:02:25 -07:00
Bharat Medirattaand 3d89951c77 Create gallery::date_time(), gallery::date() and gallery::time()
functions that format a unix timestamp into a date+time/date/time
string.

Partial fix for ticket #347.

Signed-off-by:  <unostar@danalan.info>
2009-06-13 20:10:24 +08:00
Bharat Medirattaand 547a4c39d7 Actually save the url when editing user information.
Fixes ticket #363.

Signed-off-by:  <unostar@danalan.info>
2009-06-11 15:51:08 +08:00
Tim Almdal 1fc7904656 Create a new method in MY_url.php "get_item_from_uri" which loads the item
based on the uri.  Then use this helper method in logout.php to insure that
the guest user has access to the "continue" uri.  If they don't redirect to
the root album and let it deal with access issues.
2009-06-09 06:35:35 -07:00
Bharat Mediratta d5d5284f05 Don't ask for CSRF token when trying to view the password reset form. 2009-06-06 12:52:44 -07:00
Bharat Mediratta 277d72d9fa Fix formatting. 2009-06-06 12:50:38 -07:00
Bharat Mediratta 43abcd9386 Security pass over all controller code. Mostly adding CSRF checking
and verifying user permissions, but there are several above-the-bar
changes:

1) Server add is now only available to admins.  This is a hard
   requirement because we have to limit server access (eg:
   server_add::children) to a user subset and the current permission
   model doesn't include that.  Easiest fix is to restrict to admins.
   Got rid of the server_add permission.

2) We now know check permissions at every level, which means in
   controllers AND in helpers.  This "belt and suspenders" approach will
   give us defense in depth in case we overlook it in one area.

3) We now do CSRF checking in every controller method that changes the
   code, in addition to the Forge auto-check.  Again, defense in depth
   and it makes scanning the code for security much simpler.

4) Moved Simple_Uploader_Controller::convert_filename_to_title to
   item:convert_filename_to_title

5) Fixed a bug in sending notification emails.

6) Fixed the Organize code to verify that you only have access to your
   own tasks.  In general, added permission checks to organize which had
   pretty much no validation code.

I did my best to verify every feature that I touched.
2009-06-01 22:40:22 -07:00
Bharat Mediratta 8ebd941c81 Properly call user::login when we automatically login the admin user
immediately after install.  Fixes ticket #323.
2009-05-31 21:48:43 -07:00
Bharat Mediratta 9322f51e23 Localize a string 2009-05-31 19:31:55 -07:00
jhilden 277c96c2f6 user admin facelift
* added drag & drop help message for empty groups
* fixed overflow issue with more than ~10 members in one group
* CSS improvements
2009-05-31 18:25:43 -04:00
Bharat Mediratta 712fdb5545 Clean up view variables 2009-05-31 01:03:24 -07:00
Bharat Mediratta 9369ccab7f Run all variables that come from user-entered data through p::clean() 2009-05-31 01:02:51 -07:00
Bharat Mediratta cc6cd7e1f3 Regenerate the session id every time through login::_auth() to avoid session trapping. 2009-05-27 01:58:46 -07:00
Bharat Mediratta 0a66ddd2b4 Use a random value for the password reset hash to reduce the chances
that it can be guessed by an attacker.
2009-05-27 00:50:24 -07:00
Bharat Mediratta 7aed923908 Restructure the module lifecycle.
Install: <module>_installer::install() is called, any necessary tables
are created.

Activate: <module>_installer::activate() is called.  Module
controllers are routable, helpers are accessible, etc.  The module is
in use.

Deactivate: <module>_installer::deactivate() is called.  Module code
is not accessible or routable.  Module is *not* in use, but its tables
are still around.

Uninstall: <module>_installer::uninstall() is called.  Module is
completely removed from the database.

Admin > Modules will install and activate modules, but will only
deactivate (will NOT uninstall modules).
2009-05-26 05:28:59 +00:00
Chad Kieffer 2966289b14 Quick fix for ticket #144. Reapply event handler for delete link gDialog when group is refreshed. 2009-05-26 05:05:04 +00:00
Chad Kieffer 94e36344b2 Link to gallery.panel.js from the head, not body. 2009-05-26 05:00:19 +00:00
Chad Kieffer 88e1f02c1a Split out re-used JavaScript for common functions (messages, valign), panel toggle, and forms to external files. 2009-05-26 03:59:35 +00:00
Chad Kieffer 916405bc4b White space fixes 2009-05-26 01:53:18 +00:00
Chad Kieffer 30592cabd2 Changed name to username in user admin form labels 2009-05-25 20:46:19 +00:00
Bharat Mediratta 3756c849c4 Use phpass as our hashing mechanism, and check for it first (instead
of checking G1/G2 techniquew first).
2009-05-24 06:11:20 +00:00
Chad Kieffer cc329526c0 Changed Name label to Username, closes ticket #93 2009-05-21 04:48:53 +00:00
Bharat Mediratta f24c8f66ea Move the first-admin-login steps out of the user module and into an event listener in core 2009-05-20 16:49:06 +00:00
Bharat Mediratta 5f853b9a1b Get rid of trailing whitespace in security preamble 2009-05-18 04:13:09 +00:00
Bharat Mediratta 39bfe5ee74 Add security preamble 2009-05-18 03:51:15 +00:00
Bharat Mediratta 993742feb3 Move 3rd party PasswordHash library into the "lib" dir for
consistency.  No 3rd party libs in "libraries", at least for now.
2009-05-18 03:39:42 +00:00