Commit Graph
30 Commits
Author SHA1 Message Date
Bharat Mediratta 43abcd9386 Security pass over all controller code. Mostly adding CSRF checking
and verifying user permissions, but there are several above-the-bar
changes:

1) Server add is now only available to admins.  This is a hard
   requirement because we have to limit server access (eg:
   server_add::children) to a user subset and the current permission
   model doesn't include that.  Easiest fix is to restrict to admins.
   Got rid of the server_add permission.

2) We now know check permissions at every level, which means in
   controllers AND in helpers.  This "belt and suspenders" approach will
   give us defense in depth in case we overlook it in one area.

3) We now do CSRF checking in every controller method that changes the
   code, in addition to the Forge auto-check.  Again, defense in depth
   and it makes scanning the code for security much simpler.

4) Moved Simple_Uploader_Controller::convert_filename_to_title to
   item:convert_filename_to_title

5) Fixed a bug in sending notification emails.

6) Fixed the Organize code to verify that you only have access to your
   own tasks.  In general, added permission checks to organize which had
   pretty much no validation code.

I did my best to verify every feature that I touched.
2009-06-01 22:40:22 -07:00
Bharat Mediratta 5495037a3d Gee it's May already. Update copyright to 2009. 2009-05-13 20:04:58 +00:00
Bharat Mediratta 847de44996 Fix the logical inversion of the transparency field. Now, 100% is max
transparency and 1% is min transparency (no transparency at all).

Fixes ticket #204.
2009-05-13 00:09:43 +00:00
Tim Almdal 9bba87ddc5 remove the extension and just use the IMAGETYPE_xxx constants 2009-02-24 01:24:11 +00:00
Tim Almdal 679b8c3971 Include jpg as valid graphic files 2009-02-23 14:45:09 +00:00
Bharat Mediratta e83c2b3f8d Revert to using IMAGETYPE_XXX constants (at least for now) 2009-02-23 04:29:10 +00:00
Bharat Mediratta 2505bd1579 Hardcode extensions instead of using Image::$allowed_types because we
don't support TIFF files.  TIFF files are not viewable directly in
most browsers
2009-02-21 20:58:02 +00:00
Tim Almdal af2f7f2c56 Use Image::$allowed_types instead of array(IMAGETYPE_GIF,
IMAGETYPE_JPEG, IMAGETYPE_PNG) as IMAGETYPE_GIF, IMAGETYPE_JPEG and
IMAGETYPE_PNG are not defined as constants
2009-02-20 19:04:58 +00:00
Andy Staudacher a631fe29f3 i18n refactoring: Rename all _() (reserved by gettext) calls to t().
- And refactor printf to our string interpolation / pluralization syntax
- Also, a slight change to the translations_incomings table, using binary(16) instead of char(32) as message key.
2009-01-08 17:13:06 +00:00
Bharat Mediratta 6ab195854d Remove rest::JSON content type; it's causing lots of problems and it doesn't directly help since text/html works just as well for our JSON communications 2008-12-29 22:41:53 +00:00
Bharat Mediratta 776123496b Add transparency support 2008-12-29 22:30:19 +00:00
Bharat Mediratta 8102d8ea77 Clean up _update_graphics_rules() to make it more robust 2008-12-29 20:17:24 +00:00
Felix Rabinovich 6b1fa62173 Added content type to JSON output functions 2008-12-26 20:08:15 +00:00
Bharat Mediratta ecf7d46a67 Add the graphics rules for both thumbs and resizes (instead of just thumbs). 2008-12-26 05:44:02 +00:00
Bharat Mediratta dee20ed6a2 Added the concept of "permanent" messages that we show to admins. Use
this to show a "your thumbs/resizes are out of date" message whenever
we change the graphics rules.  Tweak watermark module to add graphics
rules whenever we make a change, which triggers the graphics module to
add the permanent message.
2008-12-26 05:43:06 +00:00
Bharat Mediratta e31ca19a06 Added graphics::mark_all_dirty(). The watermark code now marks images
as dirty if the admin changes the watermark at all.
2008-12-26 04:52:18 +00:00
Bharat Mediratta 837a5430b8 More watermark changes:
Change admin/watermarks/upload -> admin/watermarks/add for consistency.

Internationalize position text, store it as text in the database,
display it to the admin.

Make i18n strings consistent to reduce l10n load.
2008-12-26 04:34:20 +00:00
Bharat Mediratta 2011ee13ef Remove an HTTP redirect that was breaking the Ajax interface. 2008-12-26 04:02:55 +00:00
Bharat Mediratta 0fc14c1bfc Simplify the watermark module. We can now upload, edit and delete one
watermark.  The UI is rough and we don't yet apply the watermark to
images.. that's next.
2008-12-26 01:32:12 +00:00
Bharat Mediratta 2c91a7e9ce Rework log and message helpers to be parallel, but separate.
1) they now have their own matching severity constants
2) they both have convenience functions success(), info(), warning() and error()
3) they both have severity_class()
2008-12-25 23:43:44 +00:00
Bharat Mediratta 94e3ae2e0f Add edit/delete links (they're just stubs now, but they open a dialog).
Add active/position to Watermark_Model
2008-12-25 22:31:20 +00:00
Bharat Mediratta 75b9a7872c Remove extra uniquifying text that Forge adds to uploaded files. 2008-12-25 21:54:09 +00:00
Bharat Mediratta 526ac39697 Remove stray response:: (not yet time for this.. it's coming!) 2008-12-24 04:25:11 +00:00
Bharat Mediratta c7193f9b2e Normalize our Admin controllers so that functions always print out
their results, as opposed to having them return their view back
upstream.  This is a little more code in every controller, but it's
much less magical and more consistent.

Look up the active_theme and active_admin_theme inside the view
itself, no need to do that in the controllers.  This makes view
initialization easier in the controllers.
2008-12-24 04:22:22 +00:00
Bharat Mediratta ddcf10dfce Allow the site admin to upload watermark images. Can't do much with them yet. 2008-12-23 01:29:17 +00:00
Bharat Mediratta d330e4203a Step 1 of converting watermarks over to be an admin page. 2008-12-23 00:13:22 +00:00
Tim Almdal 04441e11cc 1) Remove the load watermark from the scaffolding... use the menu option
2) The set watermark dialog is now sizing properly.  @todo is recenter in the window
2008-12-16 17:30:18 +00:00
Tim Almdal 92e6ed8a8a Start of the dialog to specify the watermark placement. For convience, using the imagemagik nomicalture regarding watermark locations (east, west, center, etc.)
You can drag the watermark around but it doesn't stay in place.
Need to figure out how to resize the dialog box

and all of the supporting javascript
2008-12-15 23:08:18 +00:00
Tim Almdal db7e60da32 Change the watermark module to use forge.
Also the watermark file is now stored in varpath.
and the location is stored in the module vars table
2008-12-14 23:53:30 +00:00
Tim Almdal 4b4e9e8e45 The start of the watermark module. It doesn't save the watermark at this point. This is more of trying out the approach where Forge is not used for forms. Basic html and the Validation library. 2008-12-14 19:43:04 +00:00