while. This fixes ticket #342.
The bug is that we were using $item instead of $theme->item(). But we
were also not special casing tags properly, and they are effectively
first class citizens (at least for now) so treat them properly. Also,
set page_title by default in the theme so that we don't have to do an
empty() check on it (makes the theme easier to read) and move the
title out of Tags_Controller so that the theme has more control over
it.
and verifying user permissions, but there are several above-the-bar
changes:
1) Server add is now only available to admins. This is a hard
requirement because we have to limit server access (eg:
server_add::children) to a user subset and the current permission
model doesn't include that. Easiest fix is to restrict to admins.
Got rid of the server_add permission.
2) We now know check permissions at every level, which means in
controllers AND in helpers. This "belt and suspenders" approach will
give us defense in depth in case we overlook it in one area.
3) We now do CSRF checking in every controller method that changes the
code, in addition to the Forge auto-check. Again, defense in depth
and it makes scanning the code for security much simpler.
4) Moved Simple_Uploader_Controller::convert_filename_to_title to
item:convert_filename_to_title
5) Fixed a bug in sending notification emails.
6) Fixed the Organize code to verify that you only have access to your
own tasks. In general, added permission checks to organize which had
pretty much no validation code.
I did my best to verify every feature that I touched.
creating the page. Provide for a default page title if none is
set. This allows less changes to page.html.php as different modules
want to change the page title.
- And refactor printf to our string interpolation / pluralization syntax
- Also, a slight change to the translations_incomings table, using binary(16) instead of char(32) as message key.
dialog for deleting tags. Remove the 4 character restriction on tags
(it was getting ignored by the add form anyway since it was mistakenly
referred to as tag_name there).
communicate. Almost all controllers now use JSON to speak to the
theme when we're dealing with form processing. This means tht we only
send the form back and forth, but we use a JSON protocol to tell the
browser success/error status as well as the location of any newly
created resources, or where the browser should redirect the user.
Lots of small changes:
1) Admin -> Edit Profile is gone. Instead I fixed the "Modify Profile" link
in the top right corner to be a modal dialog
2) We use json_encode everywhere. No more Atom/XML for now. We can bring those
back later, though. For now there's a lot of code duplication but that'll be
easy to clean up.
3) REST_Controller is no longer abstract. All methods its subclasses should create
throw exceptions, which means that subclasses don't have to implement stubs for
those methods.
4) New pattern: helper method get_add_form calls take an Item_Model,
not an id since we have to load the Item_Model in the controller
anyway to check permissions.
5) User/Groups REST resources are separate from User/Group in the site
admin. They do different things, we should avoid confusing overlap.
their results, as opposed to having them return their view back
upstream. This is a little more code in every controller, but it's
much less magical and more consistent.
Look up the active_theme and active_admin_theme inside the view
itself, no need to do that in the controllers. This makes view
initialization easier in the controllers.
just items viewable by the active user. Ie:
ORM::factory("item")
->where("name", "foo")
->find_all()
Would get all items with the name "foo".
ORM::factory("item")
->viewable()
->where("name", "foo")
->find_all()
Restricts it to just the set of items that the user is allowed to see.
1) Generate the form in Tags_Controller::_form_add()
2) Process the form submit in Tags_Controller::_create()
3) Create the tag properly
This required me to limit our scope to adding one tag at a time, which
I think is fine if we're doing Ajax style tag addition.
Create the concept of "page types" which let us specify the kind of
page that we're rendering in high level terms. Currently there are
three page types: album, photo and tag.
The tag page type uses slightly different variables. It has a $tag
but no $item. Adjust all sidebar_block() functions to avoid printing
stuff that's dependent on the item if there is no item.
Simplify the tag code to stop trying to fake an item.
Update the theme slightly to use $item and $tag where appropriate
(notably, for making the <title> element).
